1 Introduction

The development of Internet of things (IoT) makes data exchange more frequently. In the IoT scenario, information security is related to enterprises [1] and individuals [2]. In addition, the cloud computing can provide stable storage and efficient computation for data users (smart phones, smart watches, etc). Information stored on cloud servers is exposed to distributed and dynamic network environment [3]. In an open network environment, the security and privacy of data [4] will be greatly threatened in the data storage [5,6,7,8,9], data access [10, 11], data search [12,13,14,15], data processing [16], data transmission [17,18,19] and data sharing [20]. It is a good solution to encrypt data before uploading data. Furthermore, the sharing of data is another very interesting topic. In order to access the data more efficiently, the notion of attribute-base encryption (ABE) [21] is proposed.

In ABE system, the secret key does not involve the identity of users. To prevent the abuse of the secret key, traceable ABE schemes [22,23,24] are proposed. When a large amount of ciphertext data is stored on the server, data access control [25] and finding the data that users need [26] are problems that have to be taken into consideration. Fortunately, searchable ABE [27, 28] can solve these problems well. ABE, however, requires a lot of computation, especially in the decryption stage. In the ABE system, some work [29, 30] is done to improve the efficiency of ABE. In order to further improve efficiency and make full use of cloud computing technology, a lot of computation can be outsourced to cloud servers to reduce the computational pressure of terminals [31,32,33,34]. Therefore, the outsourcing decryption of ABE [35, 36] can break the bottleneck of the efficiency of ABE.

In order to solve the above problems, we put forward the flexible keyword search scheme over encrypted data with outsourced decryption for IoT. Our scheme has the following three advantages: First, the attribute-based encryption technology is applied, by which only users whose attributes meet the access control structure can access the sharing data. Second, the reciprocal mapping of Lagrange polynomials technology is employed to implement keyword search in a large number of ciphertext data. Third, the decryption of ciphertext is outsourced to improve the efficiency of decryption on the client side.

2 Preliminaries

We give the relevant knowledge that will be used in the construction and proof of the following scheme in this section.

2.1 Bilinear pairing

Let G1 and G2 represent the multiplicative cyclic groups with the prime order p. The generator of G1 is g. A bilinear pair e : G1 × G1G2 has the following properties [37]:

  1. 1.

    Bilinear: e(ua, vb) = e(u, v)ab, where a, bZp, u, vG1.

  2. 2.

    Non-degenerate: ∃u, vG1, make e(u, v) ≠ 1.

  3. 3.

    Computability: ∀u, vG1, e(u, v) can be calculated in the polynomial time.

2.2 Access control tree

Let x express a node in an access control tree T. For each non-leaf node, there is a relationship between the threshold value kx and its m child nodes 0 < kxm. kx = 1 and kx = m represent an or gate and an and gate, respectively. For each leaf node x that is regarded as an attribute, its threshold value is 1. The function pa(x) is defined as the parent of node x. the function att(x) is defined as the attribute value for the leaf node x. The function index(x) returns the number that the node x is numbered from 1 to m.

2.3 Satisfying an access control tree

Let Tx be the subtree of the root node t at node x. Hence, T and Tt are the same. When the attribute set Y satisfies the access control tree Tx, Tx(Y ) = 1. Tx(Y ) is obtained by the following recursive algorithm: For a leaf node, when att(x) ∈ Y, Tx(Y ) = 1. For a non-leaf node x, if there are at least kx child nodes returning 1, Tx(Y ) = 1.

2.4 Lagrange interpolation polynomials

In the following, we can get k polynomials of degree k − 1 from k different numbers xi, where i = 1,2,...,k [38].

$$ f_{i}(x)=\prod\limits_{1\leq j\neq i\leq k}\frac{x-x_{j}}{x_{i}-x_{j}}=\sum\limits_{j = 1}^{k}a_{i,j}x^{j-1}, $$
(1)
$$f_{i}(x_{j})=\left\{\begin{array}{ll} 1, & j=i\\ 0, & j\neq i. \end{array}\right. $$

Then, \(F_{t}(x_{i})=x^{t-1}_{i}\), 1 ≤ ik can be obtained from the constant t(1 ≤ tk) and polynomial \(F_{t}(x)=\sum \limits _{i = 1}^{k}x_{i}^{t-1}f_{i}(x)\). Obviously, for the two functions Ft(x) and xt− 1 with the same k points, their maximum degree is k − 1, and we have

$$\begin{array}{@{}rcl@{}} F_{t}(x)&=&\left( \sum\limits_{i = 1}^{k}x^{t-1}_{i}a_{i,1}\right)+\left( \sum\limits_{i = 1}^{k}x^{t-1}_{i}a_{i,2}\right)x+\cdots\\&&+\left( \sum\limits_{i = 1}^{k}x^{t-1}_{i}a_{i,k}\right)x^{k-1}=x^{t-1}, \end{array} $$
(2)

then

$$\sum\limits_{i = 1}^{k}x^{t-1}_{i}a_{i,j}=\left\{\begin{array}{llll} 1,& j=t\\ 0,& j\neq t. \end{array}\right. $$

The two mappings \(\hat {r}\) and \(\hat {R}\) on \({G^{k}_{1}}\) can be constructed from the definition of fi(x) as follows.

\(\hat {r}\): \({G_{1}^{k}}\rightarrow {G_{1}^{k}}\) is defined as follows: (r1,⋯,rk) → (R1,⋯,Rk), where \(R_{j}=\prod \limits _{i = 1}^{k}r^{a_{i,j}}_{i}\), j = 1,2,⋯,k.

\(\hat {R}\): \({G_{1}^{k}}\rightarrow {G_{1}^{k}}\) is defined as follows: (R1,⋯,Rk) → (r1,⋯,rk), where \(r_{j}=\prod \limits _{j = 1}^{k}R^{x_{i}^{j-1}}_{j}\), i = 1,2,⋯,k.

\(\hat {R}\) and \(\hat {r}\) are reciprocal: If G1, fi(x), \(\hat {R}\) and \(\hat {r}\) are as defined above, then \(\hat {R}(\hat {r})= 1\), \(\hat {r}(\hat {R})= 1\). Let \(\hat {R}_{i}\) denote the i-th component of \(\hat {R}\), then \(\hat {R}_{i}(R_{1},{\cdots } ,R_{k})=r_{i}\).

2.5 The truncated (t, q, ε)-ABDHE assumption

Given \((g,g^{a},g^{a^{2}},\cdots ,g^{a^{q}},g^{\prime },g^{\prime a^{q + 2}},T)\), where TG2, g = gz, zZp. If \(T=e(g,g^{\prime })^{a^{q + 1}}\), output 1, otherwise output 0 [39]. Define an arbitrary polynomial-time adversary B’s advantage function \(Adv^{q-ABDHE}_{B}\) as

$$\begin{array}{@{}rcl@{}} |P_{r}[B(g,g^{a},g^{a^{2}}\cdots,g^{a^{q}},g^{\prime},g^{\prime a^{q + 2}},e(g,g^{\prime})^{a^{q + 1}})]\\-P_{r}[B(g,g^{a},g^{a^{2}}\cdots,g^{a^{q}},g^{\prime},g^{\prime a^{q + 2}},T)]|. \end{array} $$

If in time t, \(Adv^{q-ABDHE}_{B}<\varepsilon \), then the (t, q, ε)-ABDHE assumption is said to hold on (G1, G2).

2.6 Decisional BDH assumption

Randomly choose a, b, c, zZp. Suppose g is a generator of G1. The advantage \(Adv_{B}^{DBHD}\) [40] of an arbitrary polynomial time adversary B is defined as

$$|Pr[B(g^{a},g^{b},g^{c},e(g,g)^{abc})= 0]-Pr[B(g^{a},g^{b},g^{c},e(g,g)^{z})= 0]|. $$

If \(Adv_{B}^{DBHD}\) is negligible, the DBDH assumption holds.

3 Model and definition

We mainly introduce the system architecture, the system scheme and the security model in this part.

3.1 System architecture

The system architecture is shown in Fig. 1. CT is the ciphertext, I is the keyword index, T is the trapdoor, PT is the partial ciphertext, TK is the transformation key, and SK is the secret key. The following entities are involved in this system.

  • Data owner (DO): DO provides shared data and specifies the attribute set when encrypting. DO is a terminal device of IoT, such as a smart phone and a smart watch, etc.

  • Data user (DU): DU is a data consumer in the system. When the attributes of DU satisfy the access control structure, he can access data. DU is a terminal device of IoT, such as a smart phone and a smart watch, etc.

  • Attribute Authority (AA): AA manages DO and DU. At the same time, AA is responsible for the distribution of the secret key and the transformation key. AA is a credible entity.

  • Cloud server (CS): CS is responsible for storing the shared ciphertext.

  • Computing server (OS): OS is a computing server that can decrypt the ciphertext partially.

Fig. 1
figure 1

System architecture

Full size image

3.2 System scheme

Our scheme is composed of the following algorithms:

  • Setup(U) → PK, MK: The algorithm takes the global attributes U as input with public parameters PK and the master key MK as output.

  • KeyGen(MK, T) → TK, SK: The algorithm takes the master key MK and the access control structure T as input with the transformation key TK and the secret key SK as output.

  • Enc(Y, m, W1, W2,⋯ ,Wk) → CT, I: The algorithm takes the attribute Y and the message m containing the keywords W1, W2,⋯ ,Wk as input with the ciphertext CT and the keyword index I as output.

  • Trapdoor(SK, W) → TW: The algorithm takes the secret key SK and the keyword W as input with the keyword trapdoor TW as output.

  • Test(I, TW, x) → 0,1: The algorithm takes the keyword index I, the keyword trapdoor TW and the node of user x as input with 0 or 1 as output.

  • Dec(CT, SK, x) → m: The algorithm takes the ciphertext CT, the secret key SK and the node of user x as input with the plaintext m as output.

3.3 Security model

The security model of the scheme is divided into the security model of keywords and the security model of the scheme.

The security model of keywords: A secure model interactive game between an adversary A and a challenger C is as follows:

  • Setup: C calls the algorithm Setup(U) → PK, MK and returns the PK to A.

  • Trapdoor queries: A adaptively asks the C for the trapdoor TW. C calls the algorithm Trapdoor(SK, W) → TW, and returns TW to A.

  • Challenge: A sends a message m containing k + 1 keywords W0, W1,⋯ ,Wk to C. C selects b ∈{0,1} randomly, and then calls the algorithm Enc(Y, m, Wb, W2,⋯ ,Wk) → CT, I. C then returns the I to A. In this process, A cannot ask the key trapdoors of W0 and W1.

  • Phase 2: A does the same inquiry at this stage as the Phase 1.

  • Guess: The result guessed b∈{0,1} is outputted.

The advantage of the adversary A in the game is defined as follows:

$$Pr_{A}=\left|Pr[b^{\prime}=b]-\frac{1}{2}\right|. $$

Definition 1

Suppose that an arbitrary polynomial time adversary A in the time t, does inquiries at least qw times. And A can win the above game with the at most 𝜖 advantage. Then our scheme is the (t, qw, 𝜖) semantic security.

The security model of the scheme: A secure model interactive game between an adversary A and a challenger C is as follows:

  • Init: A declares attributes Y to challenge

  • Setup: C calls the algorithm Setup(U) → PK, MK and returns the PK to A.

  • Phase 1: A queries to C the secret key SK related to the access structure T. C calls the algorithm KeyGen(MK, T) → TK, SK and returns SK to A, where YT.

  • Challenge: A sends two messages m1, m2 containing k keywords W1, W2,⋯ ,Wk to C. C selects b ∈{0,1} randomly, and then calls the algorithm Enc(Y, mb, W1, W2,⋯ ,Wk) → CT, I. C then returns the CT to A.

  • Phase 2: A does the same inquiry at this stage as the Phase 1.

  • Guess: The result guessed b∈{0,1} is outputted.

The advantage of the adversary A in the game is defined as follows:

$$Pr_{A}=|Pr[b^{\prime}=b]-\frac{1}{2}|. $$

Definition 2

Suppose that an arbitrary polynomial time adversary A can win the above game with at most a negligible advantage. Then our scheme is secure in the Selective-Set model.

4 Secure and flexible keyword search over encrypted data in IoT

Our scheme consists of the following six algorithms: System Initialization, Secret Key Distribution, Data Uploading, Trapdoor Generation, Keyword Search, and Data Decryption. In the system initialization phase, AA calls the algorithm Setup(U), then announces the system parameters PK, and saves the system master secret key MK. When users join in the system, the user sends an access control tree to AA, and then AA calls algorithm KeyGen(MK, T) to generate the transformation key TK and the secret key SK. When an user collects data or has data that he wants to share, he calls the algorithm Enc(Y, m, W1, W2,⋯ ,Wk), then uploads the ciphertext CT and the keyword index I to CS. When DU wants to retrieve data, he calls the algorithm Trapdoor(SK, W) to generate a keyword trapdoor TW and sends it to CS. When CS receives the keyword trapdoor TW, it will call the algorithm Test(I, TW, x) to check whether the file that the user wants to search exists. When the searched file exists, CS sends CT to OS, and DU sends TK to OS, then OS carries out the partial decryption, returns the partial ciphertext to DU. Finally, DU decrypts the partial ciphertext again.

4.1 System initialization

AA calls the algorithm Setup(U) → PK, MK, and the concrete process is as follows: Randomly choose \(\alpha ,y\in \mathbb {Z}_{p}\), g2G1 and t1, t2,⋯ ,tn+ 1G1. Compute g0 = gα, \(g_{1}=g^{^{y}}\), and g2 is randomly chosen from \(\mathbb {G}_{1}\). Let N = {1,2,⋯ ,n + 1}. A function F is defined as follows:

$$F(X)=g^{X^{n}}_{2}\prod\limits_{i = 1}^{n + 1}t_{i}^{\triangle_{i,N}(X)}.$$

The system’s public parameters PK and the master secret key MK are as follows:

$$PK = (g_{0},g_{1},g_{2},t_{1},t_{2},\cdots,t_{n + 1}).$$
$$MK=(\alpha,y).$$

4.2 Secret key distribution

In the secret key generation stage, the interaction between AA and users is shown in Fig. 2. When AA receives the access control tree T from the user, AA calls the algorithm KeyGen(MK, T) → TK, SK. Then, TK and SK are returned to users. The concrete algorithm is as follows:

Fig. 2
figure 2

Secret key distribution

Full size image

For every node of the access control tree T, select a polynomial p(x). Here’s the equation dx + 1 = kx, where dx is the degree of p(x) and kx is the threshold value of nodes. For the root node, pt(0) = y. The other points are chosed randomly. For other nodes, px(0) = ppa(x)(index(x)). The other points are chosed randomly. In this way, the polynomials of each node are determined. The transformation key TK is as follows:

$$ TK=\left\{\begin{array}{llll} D_{x}=g_{2}^{\frac{p_{x}(0)}{\beta}}\cdot F(i)^{\frac{r_{x}}{\beta}}, & i=att(x)\\ R_{x}=g^{\frac{r_{x}}{\beta}}, \end{array}\right. $$
(3)

where rx is randomly selected from \(\mathbb {Z}_{p}\). The user’s private key is

$$SK=(z,\beta). $$

4.3 Data uploading

In the encryption stage, the interaction between CS and DO is shown in Fig. 3. DO calls the algorithm Enc(Y, m, W1, W2,⋯ ,Wk) → CT, I, and then uploads the ciphertext CT and the keyword trapdoor I to CS. The concrete process of the algorithm is as follows:

Fig. 3
figure 3

Data uploading

Full size image

First compute H(Wi) = ωi, where i = 1,2⋯ ,k. Next, the mappings \(\hat {r}_{1}\) and \(\hat {R}_{1}\) from \({G^{k}_{1}}\) to \({G^{k}_{1}}\) and the mappings \(\hat {r}_{2}\) and \(\hat {R}_{2}\) from \({G^{k}_{2}}\) to \({G^{k}_{2}}\) will be constructed. Randomly choose sj, cZp, compute \(u_{j}=g_{0}^{s_{j}}g^{-s_{j}\omega _{j}}\), \(v_{j}=e(g,g)^{s_{j}}\), \(m_{j}=e(g,g_{2})^{s_{j}}\), and set \((U_{1},\cdots ,U_{k})=\hat {r}_{1}(u_{1},\cdots ,u_{k})\), \((V_{1},\cdots , V_{k})=\hat {r}_{2}(v_{1},\cdots , v_{k})\), \((M_{1},\cdots , M_{k})=\hat {r}_{2}(m_{1},\cdots , m_{k})\).

Finally, the ciphertext and keyword index are set as follows:

$$CT=(C^{\prime}=e(g_{1},g_{2})^{c}\cdot m, C^{\prime\prime}=g^{c}, \{C_{i}=F(i)^{c}\}_{i\in Y}).$$
$$I_{W}=(C_{u}=\{U_{j}\},C_{v}=\{V_{j}\},C_{m}=\{M_{j}).$$

4.4 Trapdoor generation

In the trapdoor generation phase, the interaction between CS and DU is shown in Fig. 4. DU calls the algorithm Trapdoor(SK, W) → TW, then uploads the keyword trapdoor TW to CS. The keyword Trapdoor TW is generated as follows:

$$T_{W}=[\omega,r_{W},h_{W}],$$

where ω = H(W), rwZp, and \(h_{W}=(g_{2},g^{-r_{W}})^{\frac {1}{z-\omega }}\).

Fig. 4
figure 4

Trapdoor generation

Full size image

4.5 Keyword search

When CS receives the keyword trapdoor TW from DU x, the CS calls algorithm Test(I, TW, x) → 0,1. The concrete process is as follows: First compute the value of U, V, M, where j = 1,2,⋯ ,k:

$$ U=\prod\limits_{j = 1}^{k}U^{\omega^{j-1}}, V=\prod\limits_{j = 1}^{k}V^{\omega^{j-1}}, M=\prod\limits_{j = 1}^{k}M^{\omega^{j-1}}. $$
(4)

If the equation

$$e(U,h_{W})V^{r_{W}}=M $$

holds, the searched file containing the keyword exists; otherwise, it does not exist.

The correctness of the test phase is shown as follows.

Correctness

If WiW1, W2,⋯ ,Wk, then according to the mappings \(\hat {r}\) and \(\hat {R}\), we have

$$ M = \prod\limits_{j = 1}^{k}M^{\omega^{j-1}}\! = \hat{R_{2}}(M_{1},M_{2},\cdots,M_{k})=m_{i}=e(g,g_{2})^{s_{i}}. $$
(5)

Similarly, \(U=g_{0}^{s_{i}}g^{-s_{i}\omega _{i}}\), \(V=e(g,g)^{s_{i}}\). Therefore,

$$\begin{array}{@{}rcl@{}} e(U,h_{W})V^{r_{W}}&=&e(g^{s_{i}}_{0}g^{-s_{i}\omega_{i}},g_{2}^{\frac{1}{\alpha-\omega_{i}}}\cdot g^{\frac{-r_{W}}{\alpha-\omega_{i}}})\cdot e(g,g)^{s_{i}r_{W}} \\ &=&e(g^{s_{i}(\alpha-\omega_{i})},g_{2}^{\frac{1}{(\alpha-\omega_{i})}}\cdot g^{\frac{-r_{W}}{\alpha-\omega_{i}}})\cdot e(g,g)^{s_{i}r_{W}} \\ &=&e(g^{s_{i}},g_{2}g^{-r_{W}})\cdot e(g,g)^{s_{i}r_{W}} \\ &=&e(g,g_{2})^{s_{i}}\cdot e(g,g)^{-s_{i}r_{W}}\cdot e(g,g)^{s_{i}r_{W}} \\ &=&e(g,g_{2})^{s_{i}} \\ &=&M. \end{array} $$

4.6 Data decryption

In the decryption stage, the interaction between CS, OS, and DU is shown in Fig. 5. The decryption stage is divided into two parts: outsourcing decryption and local decryption. DU sends a keyword trapdoor T to CS. If the file exists, CS sends the ciphertext to OS, and DU uploads the transformation key TK to OS. OS decrypts CT partially, and then returns partial ciphertext PT to DU. The concrete process is as follows:

  • Decout(CT, TK, x) → PT: The function Dec(CT, TK, x) is defined as follows:

    When x is a leaf node, where i = att(x), then,

    $$ Dec(CT,TK,x)=\left\{\begin{array}{llll} \frac{e(D_{x},C^{\prime\prime})}{e(R_{x},C_{i})}, & i\in Y\\ \perp, & \text{otherwise} \end{array}\right. $$
    (6)

    If WW1, W2,⋯ ,Wk, we know

    $$\begin{array}{@{}rcl@{}} \frac{e(D_{x},C^{\prime\prime})}{e(R_{x},C_{i})} &=& \frac{e(g_{2}^{\frac{p_{x}(0)}{\beta}}\cdot F(i)^{\frac{r_{x}}{\beta}},g^{c})}{e(g^{\frac{r_{x}}{\beta}},F(i)^{c})} \\ &=& \frac{e(g_{2}^{\frac{p_{x}(0)}{\beta}}\cdot g^{c})\cdot e(F(i)^{\frac{r_{x}}{\beta}},g^{c})}{e(g^{\frac{r_{x}}{\beta}},F(i)^{c})} \\ &=& e(g,g_{2})^{\frac{c\cdot p_{x}(0)}{\beta}}. \end{array} $$

    When x is a non-leaf node, Dec(CT, TK, x) is performed as follows: For each child node x, let \(D_{x^{\prime }}=Dec(CT,TK,x^{\prime })\). If there are k such child nodes, the following operation is performed, otherwise the algorithm will be terminated.

    $$\begin{array}{@{}rcl@{}} D_{x} &=&\left( \prod\limits_{x^{\prime}\in S_{x}}D_{x^{\prime}}^{\bigtriangleup_{i,S^{\prime}_{x}(0)}}\right) \\ &=&\left( \prod\limits_{x^{\prime}\in S_{x}}\left( e(g,g_{2})^{\frac{c\cdot p_{x^{\prime}}(0)}{\beta}}\right)^{\bigtriangleup_{i,S^{\prime}_{x}(0)}}\right)\\ &=&\left( \prod\limits_{x^{\prime}\in S_{x}}\left( e(g,g_{2})^{\frac{c\cdot p_{pa(x^{\prime})}(index(x^{\prime}))}{\beta}}\right)^{\bigtriangleup_{i,S^{\prime}_{x}(0)}}\right) \\ &=&\left( \prod\limits_{x^{\prime}\in S_{x}}e\left( g,g_{2}\right)^{\frac{c\cdot p_{x}(i)\cdot \bigtriangleup_{i,S^{\prime}_{x}(0)}}{\beta}}\right) \\ &=&e(g,g_{2})^{\frac{c\cdot p_{x}(0)}{\beta}}, \end{array} $$

    where \(i=index(x), S^{\prime }_{x}=\{index(x^{\prime }):x^{\prime }\in S_{x}\}\).

    Then, OS can get the partial ciphertext \(PT=Dec(CT,TK,t)=e(g,g_{2})^{\frac {c\cdot y}{\beta }}=e(g_{1},g_{2})^{\frac {c}{\beta }}\) by calling Dec(CT, TK, t), where t is the root node, if and only if the ciphertext satisfies the access control tree.

  • Dec(PT, SK): When receiving the partial ciphertext sent by OS, DU decrypts the partial ciphertext as follows:

    $$m=\frac{C^{\prime}}{PT^{SK}}. $$
Fig. 5
figure 5

Data decryption

Full size image

5 Analysis of our scheme

The security model of the scheme is divided into the security analysis of keywords and the security analysis of the scheme.

5.1 Security analysis of keywords

Theorem 1

Suppose that the (t, q, ε)-ABDHEassumption holds on (G1, G2),then our scheme has semantic security, whereqW = q − 1,ε = ε + 2/p,t = tO(texpq2),texpis the time of the exponential operation onG1.

Proof

The security of our scheme can be reduced to that of the scheme [15], which is denoted by \({\prod }_{L}=(Setup_{L}, KeyGen_{L}, Enc_{L}, Trap_{L}, Test_{L}, Dec_{l})\). Note that the security of the scheme in [15] is based on the (t, q, ε)-ABDHE assumption. The game among adversary A, simulator B and challenger C in [15] is as follows:

Init: :

B calls the C running algorithm SetupL to get the system public parameters PK = (g0, g1, g2, t1, t2,...,tn+ 1). Then, B returns PK to A.

Trapdoor queries: :

When A inquires about the trapdoor of W ∈{0,1}, B makes the same inquires to C. C executes the algorithm TrapL. Then, C returns \(T_{W}=(\omega ,f_{1}(\omega ),g^{F_{W}(a)},D_{x},R_{x})\) to B. Finally, B returns \(T_{W}=(\omega ,f_{1}(\omega ),g^{F_{W}(a)})\) to A.

Challenge: :

A sends k + 1 keywords W0, W1,⋯ ,Wk. If aH(Wj), where j = 1,2,⋯ ,k, then B makes the same inquires to C. C executes the algorithm EncL. Then, C returns IL = (Cu, Cv, Cm) to B. B returns I = IL = (Cu, Cv, Cm) to A.

Phase 2: :

A does the same inquiry at this stage as the Phase 1.

Guess: :

The result guessed b∈{0,1} is outputted.

Therefore, if the adversary A breaks our scheme with the advantage that can not be ignored, the simulator B will be able to call the challenger C in [15] to break the (t, q, ε)-ABDHE assumption. □

5.2 Security analysis of the scheme

Theorem 2

Our scheme has semantic security under the Decisional BDH assumption.

If the adversary A breaks our system with a non-negligible advantage, the simulator B will break the DecisionalBDH assumption with a non-negligible advantage.

Proof

The interaction between A and B is as follows:

Init: :

A selects the attribute set Y to challenge and sends Y to B.

Setup: :

B randomly generates a, bZp, then let g0 = ga, g1 = gb, where g is the generator of G, and a polynomial f1(x) of degree n will be randomly selected. Make the polynomial f1(x) to satisfy: if xY, u(x) = −xn, otherwise u(x) ≠ − xn. After that, let \(t_{i}=g_{2}^{u(i)}g^{f_{1}(i)}\), where i = 1,2,⋯ ,n + 1, then \(F(i)=g^{i^{n}+u(i)}_{2}g^{f_{1}(i)}\). Then, the public parameter is PK = (g0, g1, t1, t2,⋯ ,tn+ 1). Finally B returns PK to A.

Phase 1: :

A inquires the secret key related to an access structure tree T, where T(Y ) = 0. For each node in T, an polynomial Qx of degree dx is determined by B. We use \(Poly(T_{x},Y,g^{\lambda _{x}})\) to determine the process of accessing the polynomial of node x in T, where Tx expresses the access subtree of the root node, Y is the attribute set and \(\lambda _{x}\in \mathbb {Z}_{p}\). qx is defined the polynomial of the root node x, where qx(0) = λx. If the number hx of children of x satisfies attribute Y , where hx < dx, then for each satisfied child x of x, let \(q_{x}(index(x^{\prime }))=\lambda _{x}^{\prime }\). The procedure randomly selects dxhx points which do not satisfy the attribute. Then, we can recursively call \(Poly(T_{x},Y,g^{\lambda _{x}})\) to determine all polynomials.

For each node in the tree T, Poly(Tx, Y, A) is called to define the polynomial qx. For each leaf node x in T, where T(Y ) = 1, qx is known. Otherwise \(g^{q_{x}(0)}\) is known. Now B defines Qx(⋅) = qx(⋅), Qr(0) = qr(0) = y = c for each node x in T. The secret key of each leaf node is defined as follows:

If iY,

$$\left\{\begin{array}{llll} D_{x}=g_{2}^{Q_{x}(0)}\cdot F(i)^{r_{x}}=g_{2}^{q_{x}(0)}\cdot F(i)^{r_{x}}&\\ R_{x}=g^{r_{x}}, \end{array}\right. $$

where \(r_{x}\in \mathbb {Z}_{p}\)

If iY, where \(g_{3}=g^{Q_{x}(0)}=g^{q_{x}(0)}\),

$$\left\{\begin{array}{llll}D_{x}=g_{3}^{\frac{-f_{2}(i)}{i^{n}+u(i)}}\cdot F(i)^{r_{x}^{\prime}}& \\ R_{x}=g_{3}^{\frac{-1}{i^{n}+u(i)}}\cdot g^{r^{\prime}_{x}}, \end{array}\right.$$

where \(r^{\prime }_{x}\in \mathbb {Z}_{p}\)

Let \(r_{x}=r_{x}^{\prime }-\frac {q(0)}{i+u(i)}\), then

$$\left\{\begin{array}{llll} D_{x}=g_{2}^{q_{x}(0)}F(i)^{r_{x}}\\ R_{x}=g_{3}^{\frac{-1}{i^{n}+u(i)}}g^{r^{\prime}_{x}}=g^{r_{x}}, \end{array}\right. $$

where

$$\begin{array}{@{}rcl@{}} D_{x}&=&g_{3}^{\frac{-f_{1}(i)}{i^{n}+u(i)}}\cdot F(i)^{r^{\prime}_{x}} \\ &=&(g^{q_{x}(0)})^{\frac{-f_{1}(i)}{i^{n}+u(i)}}(g^{i^{n}+u(i)}_{2}g^{f_{1}(i)})^{r_{x}+\frac{q_{x}(0)}{i^{n}+u(i)}} \\ &=&g_{2}^{q_{x}(0)}F(i)^{r_{x}}. \end{array} $$

After that, B randomly selects z, βZp, then calculates \(D^{\prime }_{x}=D_{x}^{\frac {1}{\beta }}\), \(R^{\prime }_{x}=R_{x}^{\frac {1}{\beta }}\), and finally returns \(TK=(D^{\prime }_{x},R^{\prime }_{x})\) and SK = (z, β) to A.

Challenge: :

A sends two messages \(m^{\ast }_{0}\) and \(m^{\ast }_{1}\) with the same length to B. B randomly selects b ∈{0,1} to encrypt \(m^{\ast }_{b}\). The ciphertext is as follows:

$$CT=(C^{\prime}=m^{\ast}_{b}\cdot Z, C^{\prime\prime}=g^{c}),\{C_{i}=F(i)^{c}\}_{i\in Y}, $$

where cZp is selected randomly. Finally, the ciphertext CT is sent to A.

Phase 2: :

A makes the same query as Phase 1.

Challenge: :

A outputs the guess b ∈{0,1}.

If Z = e(g1, g2)c = e(g, g)abc, the ciphertext is a valid ciphertext. Otherwise, Z = e(g1, g2)z is a random number. Therefore, if A can break through our system with the advantage that can not be ignored, then B can solve the Decisional BDH assumption. □

5.3 Efficiency analysis

The proposed scheme can realize one-to-many encryption and multi-keyword search. We compare our scheme with Zhang et al’s scheme [41]. Let tg represent the time of an exponent operation in G. Let tt represent the time for an exponent operation in GT. Let p represent the time of a pairing operation. n is the total number of keywords. k is the number of keywords carried by the ciphertext. The multiplication and hash operation are ignored. The comparison results are displayed in Table 1. For more accurate comparisons, we conducted efficiency tests on the same platform, and the results are shown in Figs. 6 and 7.

Table 1 Efficiency comparison
Full size table
Fig. 6
figure 6

Comparison of the trapdoor generation efficiency

Full size image
Fig. 7
figure 7

Comparison of keyword matching efficiency

Full size image

As shown in Figs. 6 and 7, the performance of our scheme is better than that of the scheme [41] in the threshold generation and keyword matching phases. In addition, the outsourcing technology is used in our scheme. The efficiency of decryption stage does not increase with the increase of the number of attributes. In general, our scheme is feasible in the IoT scenario.

6 Conclusion

In this paper, in order to solve the ciphertext retrieval and the efficiency bottleneck in the IoT scenario, the flexible keyword search scheme over encrypted data with outsourced decryption for IoT is presented. The scheme has the following three features: First, the attribute-based encryption technology is applied, by which only users whose attributes meet the access control structure can access the sharing data. Second, the reciprocal mapping of Lagrange polynomials technology is employed to implement keyword search in a large number of ciphertext data. Third, the decryption of ciphertext is outsourced to improve the efficiency of decryption on the client side. In general, our scheme is feasible in the IoT scenario. In the future work, in order to deal with dishonest calculations in cloud computing, we will verify the correctness of outsourcing calculations.