#### Abstract

The cloud-assisted Internet of Things (CIoT) is booming; it uses the powerful data processing capabilities of the cloud platform to handle massive Internet of Things (IoT) data. However, the CIoT faces new security challenges, such as the confidentiality of the outsourced data. Data encryption is a fundamental technique that can guarantee the confidentiality of outsourced data, but it limits retrieval of the target encrypted data from the cloud platform. Public key encryption with keyword search (PEKS) provides a promising solution to this problem. In PEKS, a cloud server can be authorized to search for a keyword in encrypted documents and retrieve the associated encrypted documents for the receiver. However, most existing PEKS schemes focus merely on the keyword search function while ignoring the encryption/decryption of the associated documents. Thus, in practice, a PEKS scheme must cooperate with a separate public key encryption (PKE) scheme to form a complete secure data sharing scheme. To address this problem, in this paper we propose a secure data sharing scheme with designated server that combines a PKE scheme with a PEKS scheme and provides both keyword search and document encryption/decryption functions. Furthermore, in our work only the designated server can search for the keyword in encrypted documents, for enhanced security. Moreover, our scheme also satisfies public verifiability of search results, which covers the correctness and integrity of both keyword and document ciphertexts. As to security, our scheme provides stronger indistinguishability security of documents and keywords in the proposed security model.

#### 1. Introduction

Cloud storage has been widely deployed in daily life. As a promising application, the cloud-assisted Internet of Things (CIoT) uses cloud storage to store its data and reduce the burden of data processing, as shown in Figure 1. In CIoT, users rely on the cloud platform to complete data storage and data sharing. Generally, data is migrated from the user to a cloud server, and the cloud server is widely recognized as an honest-but-curious party. However, the cloud storage is provided by a third party and the user’s data may contain private information. Therefore, the user should encrypt the data prior to uploading it to the cloud server to protect data confidentiality. Unfortunately, this approach eliminates the data search service provided by modern search engines, which makes effective data search a challenging research problem. A trivial solution is to download the full encrypted data and then decrypt it to obtain the plaintext data. Of course, this requires a large amount of local storage space and communication. Another trivial solution is for the user to send the private key to the cloud server. The server decrypts the encrypted data in the cloud, searches the plaintext for the user, and retrieves the intended data. This solution solves the above problem, but it compromises data privacy, which violates the original intention of data encryption. To address this problem, searchable encryption was proposed. Searchable encryption enables a data receiver to authorize the cloud server to search in encrypted documents without the encrypted documents having to be decrypted. Searchable encryption is mainly divided into two techniques: symmetric searchable encryption (SSE) and public key encryption with keyword search (PEKS). In SSE, a shared key is required to achieve the data sharing function in the cloud platform. PEKS, proposed in 2004 by Boneh et al. [1], realizes the keyword search function and eliminates complicated key management in the cloud platform.

The general PEKS system includes three participants, i.e., a data sender, a data receiver, and a cloud server. The data sender encrypts the keyword index using the receiver’s public key and uploads the keyword ciphertexts to the cloud server. The data receiver uses its private key to generate a keyword trapdoor and transmits the trapdoor to the cloud server. The cloud server uses the trapdoor to match the keyword ciphertext; if the keyword in the ciphertext and the keyword in the trapdoor are identical, its outputs are equal; otherwise, its outputs are not equal.

However, PEKS mainly focuses on the keyword search process and omits the associated documents encryption/decryption process, which only explains using a standard encryption scheme to encrypt associated documents. However, in the actual applications, the documents encryption/decryption is indispensable, since the corresponding documents are what we really need. Therefore, it is essential and meaningful to combine the public key encryption (PKE) scheme with the PEKS scheme to form a completely secure data sharing scheme. For this reason, a completed scheme named integrated PKE and PEKS scheme is suggested, which combines PEKS with PKE to encrypt keyword and its corresponding document message together. The PEKS-PKE system includes three participants, i.e., a data sender, a data receiver, and a cloud server. Data sender encrypts message using receiver’s public key . It also encrypts keyword with receiver’s public key and appends to the resulting message ciphertext and then uploads encrypted message and keywords to cloud server. Receiver generates the trapdoor with its private key and uploads to cloud server. The cloud server matches the keyword trapdoor with encrypted keywords , and if the same keyword is used, it outputs and returns to receiver; else, it outputs and returns . The data receiver uses its private key to decrypt the message ciphertext .

This integrated PEKS-PKE scheme can provide both the keyword search function and the message encryption/decryption function. Most PEKS schemes after Boneh’s scheme do not describe how to achieve this complete scheme.

When searching for a keyword in the cloud, we generally assume that the cloud server is honest but curious, which means that it performs the search operation honestly but is curious about the keyword content. However, in practical applications, the server may not always behave honestly. Generally, the cloud server is managed and operated by a business company. The company may delete encrypted data to release storage space for its own benefit. In addition, the server may be broken into by a malicious intruder Eve, or it may unintentionally delete data. When performing a search operation, the server may return only part of the search results to deceive the receiver. Since the receiver does not know the content of the encrypted document, or even whether the encrypted document is associated with the keyword, this poses a threat to the correctness and integrity of the receiver’s data. In addition, the receiver may declare that the cloud server has lost some data or returned incorrect search results and doubt the behavior of the cloud server even if the provider has performed all required operations honestly. This will cause disputes. Therefore, if there is an honest-but-curious third party who can verify the integrity and correctness of the search results in a public manner, we can trust that the cloud server honestly performs the keyword search operation, and disputes with the receiver can be resolved.

Consider a specific scenario: Personal Health Records (PHR) are documents that are confidential to everyone except the patient and the chief physician. In order to protect patients’ privacy, patients need to encrypt the PHR data prior to uploading it to the cloud server. We can use a PEKS scheme to solve the keyword search problem in encrypted PHR. However, the above PEKS requires that the cloud server is totally trusted; that is, it honestly stores the encrypted documents, performs the search operation, and returns the encrypted PHR. It is not practical for a hospital to assume that a cloud platform is honest. Generally, the hospital will outsource the construction of the cloud platform to a professional company, and the physical control of the encrypted PHR belongs to that company. Therefore, the cloud platform may delete some encrypted PHR to release storage space for its own economic benefit. It may also perform a dishonest search operation to deceive the chief physician and the patient. The chief physician, who is in charge of the diagnosis and treatment of patients, does not know whether the search results are correct and complete. When the encrypted PHR search results are incomplete, the chief physician may make incorrect diagnoses with serious consequences. Furthermore, once there is medical negligence, the chief physician may unilaterally declare that the cloud server has lost some data or returned incorrect search results and deliberately pass the buck to the cloud service provider even if the provider has performed all required operations honestly. A straightforward solution is that the patient sends the PHR integrity evidence to the chief physician. The chief physician downloads all of the encrypted data and then checks the integrity. This solution has two drawbacks. One drawback is that it breaks the asymmetry of PEKS; the other is that the communication cost is too high.

From the above discussion, we can see the importance of combining PKE and PEKS while providing public verifiability under an untrusted cloud platform. Maintaining the privacy and public verifiability of search results are exciting and unresolved research problems.

Recently, Zhang et al. [2] proposed a public verifiable searchable encryption scheme. The scheme discussed the correctness of the returned keyword ciphertexts and lacked the integrity of both documents and keywords ciphertexts.

In 2018, we proposed a PEKS with public verifiability scheme [3]. Our scheme achieves the correctness and integrity of the keyword ciphertext. However, when the cloud server is not honest, discussing only the keyword ciphertext is incomplete, since the corresponding encrypted documents are what we really need. That is to say, when the cloud server returns an encrypted document, it may return another, unrelated encrypted document together with a correct keyword ciphertext. In this case, the cloud server can still pass the verification by a swapping attack. In addition, the taggen phase lacks an index label, which reduces the efficiency of verification. Furthermore, the tag only includes the keyword and the corresponding document serial number, which may also let the cloud server easily forge the tag. Therefore, in practical applications, the scheme is very fragile. Our previous scheme also focuses only on the keyword search function, while ignoring the encryption/decryption of the associated documents.

In this paper, we propose a secure data sharing scheme with designated server that captures the functions of both PKE and PEKS, providing both keyword search and document encryption/decryption. Furthermore, only the designated server can search for the keyword, for enhanced security. Our scheme also satisfies public verifiability of search results, covering the ciphertexts of both documents and keywords, and thereby achieves correctness and integrity. The scheme is a great improvement over our previous work.

##### 1.1. Our Contributions

Specifically, our contributions are as follows:

(1) We introduce the definition of a secure data sharing scheme with designated server, which provides both keyword search and document encryption/decryption functions.

(2) We propose a special secure data sharing scheme with designated server. Our scheme achieves security of the document indistinguishability against chosen ciphertext attack (IND-CCA), keyword indistinguishability against chosen keyword attack (IND-CKA), and trapdoor indistinguishability.

(3) It achieves the public verifiability of search results, which includes both keywords and documents ciphertexts’ correctness and integrity.

(4) Our scheme removes the secure channel between the data receiver and the cloud server, and only the designated server can perform the matching operation.

The technical route is as follows: we choose the Variable Hashed Elgamal scheme [4] as the document encryption/decryption scheme and the PEKS with a designated tester (dPEKS) scheme as the searchable encryption scheme. These two schemes are the basic components. The Variable Elgamal scheme is an encryption scheme that provides document ciphertext indistinguishability against chosen ciphertext attack (IND-CCA). The dPEKS scheme is a searchable encryption scheme that provides keyword ciphertext indistinguishability against chosen keyword attack (IND-CKA). The trivial solution is to combine Variable Elgamal encryption with dPEKS, but there is a problem: the server is not fully trusted. The server may perform swapping keyword attacks. In a swapping keyword attack, the data receiver gets a document message it does not need. For example, when the receiver searches for the document corresponding to the keyword , the server swaps the documents and returns the document corresponding to the keyword . Therefore, the receiver cannot get the document that it really needs. To resist this attack, we need to bind the keyword ciphertext and the document ciphertext so that the malicious server cannot perform the swapping attack. In addition, we also need to consider the security of the combined scheme.
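The binding idea described above, as an added example that is not the paper's pairing-based construction or the authors' code: a hashed-ElGamal document ciphertext carries an HMAC tag, keyed from the Diffie-Hellman value, over both the document ciphertext and the keyword ciphertext, so a server that pairs a matching keyword ciphertext with another record's document is rejected at decryption. The group parameters, the opaque keyword-ciphertext bytes, and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Toy group (assumption): enough to run the mechanics, NOT a secure parameter choice.
P = 2**255 - 19
G = 2


def keygen():
    """Receiver key pair (pk, sk) for hashed ElGamal."""
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk


def _kdf(shared: int, label: bytes, n: int) -> bytes:
    """Derive n bytes from the Diffie-Hellman value, separated by purpose label."""
    return hashlib.shake_256(label + shared.to_bytes(32, "big")).digest(n)


def _encode(c1: int, c_m: bytes, c_w: bytes) -> bytes:
    """Length-prefixed encoding so field boundaries cannot be shifted."""
    parts = [c1.to_bytes(32, "big"), c_m, c_w]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def _tag(shared: int, c1: int, c_m: bytes, c_w: bytes) -> bytes:
    """Binding tag: only someone who knows the DH value can compute it."""
    key = _kdf(shared, b"bind", 32)
    return hmac.new(key, _encode(c1, c_m, c_w), hashlib.sha256).digest()


def encrypt(pk_r: int, message: bytes, c_w: bytes) -> dict:
    """Encrypt a document and bind it to its keyword ciphertext c_w.

    c_w is treated as opaque bytes here; in the paper it would come from dPEKS.
    """
    r = secrets.randbelow(P - 2) + 1
    c1 = pow(G, r, P)
    shared = pow(pk_r, r, P)
    pad = _kdf(shared, b"enc", len(message))
    c_m = bytes(a ^ b for a, b in zip(message, pad))
    return {"c1": c1, "c_m": c_m, "c_w": c_w, "tag": _tag(shared, c1, c_m, c_w)}


def decrypt(sk_r: int, ct: dict) -> Optional[bytes]:
    """Return the document, or None (the paper's "reject" output) if the binding fails."""
    if not 0 < ct["c1"] < P:
        return None
    shared = pow(ct["c1"], sk_r, P)
    expected = _tag(shared, ct["c1"], ct["c_m"], ct["c_w"])
    if not hmac.compare_digest(expected, ct["tag"]):
        return None
    pad = _kdf(shared, b"enc", len(ct["c_m"]))
    return bytes(a ^ b for a, b in zip(ct["c_m"], pad))


def swap_document(matching: dict, other: dict, keep_tag_of: str = "other") -> dict:
    """Model the dishonest server: correct keyword ciphertext, wrong document."""
    tag = other["tag"] if keep_tag_of == "other" else matching["tag"]
    return {"c1": other["c1"], "c_m": other["c_m"], "c_w": matching["c_w"], "tag": tag}


def demo() -> dict:
    pk, sk = keygen()
    # Constructed sample records; the keyword ciphertexts are placeholder bytes.
    rec_a = encrypt(pk, b"PHR entry for keyword A", b"opaque-keyword-ciphertext-A")
    rec_b = encrypt(pk, b"PHR entry for keyword B", b"opaque-keyword-ciphertext-B")
    return {
        "honest": decrypt(sk, rec_a),
        "swapped_other_tag": decrypt(sk, swap_document(rec_a, rec_b, "other")),
        "swapped_matching_tag": decrypt(sk, swap_document(rec_a, rec_b, "matching")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The tag only detects mixing of components from different records; a server that returns a different record in full is a case for the keyword-ciphertext verification the paper discusses separately.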

Since the widely used keyword space is limited, an outside adversary can guess a keyword and generate the keyword ciphertext; if the outside adversary can perform the matching operation, it can keep guessing until it finds the true keyword in the trapdoor. We call this the offline keyword guessing attack (offline KGA). Therefore, to resist offline KGA, we generate a key pair for the cloud server. Only the designated server can perform the keyword search operation, which prevents an outside adversary’s offline KGA. What we need to point out here is that the adversary may obtain the guessed keyword by comparing two bilinear pairs without generating a keyword ciphertext. We therefore also need the trapdoor to satisfy trapdoor indistinguishability in the proposed scheme to resist offline KGA.

##### 1.2. Related Works

Song et al. [8] proposed the first symmetric searchable encryption (SSE) scheme in 2000. Song’s scheme requires a word-by-word comparison to complete the keyword search operation. After Song’s work, many researchers proposed SSE schemes [9–11].

Boneh et al. [1] proposed the first PEKS scheme in 2004. Boneh et al.’s scheme realizes the data sharing and the keyword search functions. In 2005, Abdalla et al. explored the conversion relationship between identity based encryption (IBE) and PEKS [12]. It is shown that an anonymous IBE scheme could be transformed into a PEKS scheme and it proposed a temporary keyword search scheme. In 2008, Baek et al. [5] proposed the PEKS with a designated tester scheme that does not require a secure channel. In 2010, Rhee et al. [13] proposed a scheme that can resist outside attacker’s offline KGA in trapdoor indistinguishability security model. In 2013, Fang et al. [14] proposed a PEKS scheme in the standard model, which can resist outside attacker’s offline KGA. Later, many researchers studied the offline KGA and proposed many schemes [15–20].

In 2014, Zheng et al. [21] proposed the first verifiable attribute-based encryption with keyword search scheme. This scheme flexibly uses Bloom filters and signatures to achieve verifiability. In Zheng et al.’s scheme, the sizes of the attribute ciphertext and the trapdoor are proportional to the number of attributes. It also requires a secure channel and supports private verification by the receiver. After this work, many researchers proposed attribute-based encryption with keyword search schemes [22, 23].

In 2006, Baek et al. [24] proposed the first PEKS-PKE scheme. This scheme realizes the functions of document encryption/decryption and keyword search. Baek et al.’s scheme only discusses the security of the document and does not address the security of the keyword, and it needs a secure channel. In 2009, Zhang et al. [7] proposed a PEKS-PKE scheme that addresses the security of the keyword. It has two public and private key pairs and requires a secure channel. Chen et al. [6] proposed a PEKS-PKE scheme in 2016, and Chen et al.’s general construction leaks the keyword to the server. These three schemes do not discuss the security of the trapdoor, and they do not support verification of the correctness and integrity of the search results, including the returned ciphertexts of both documents and keywords.

##### 1.3. Organization

The paper is organized as follows. Section 1 is the introduction. The scheme definition and security models are described in Section 2. A secure data sharing scheme with designated server is proposed in Section 3. We analyze the security and efficiency of the proposed scheme in Section 3. The paper is concluded in Section 4.

#### 2. Scheme Definition and Security Models

##### 2.1. System Model

The system model of the secure data sharing scheme with designated server that supports public verifiability is shown in Figure 2. There are four participants in this model: a data sender, a receiver, a cloud server, and a third party verifier.

First of all, data sender encrypts the document message by using receiver’s public key and encryption algorithm to form message ciphertext , encrypts the corresponding keyword by using cloud server’s public key , receiver’s public key , and encryption algorithm to form keyword ciphertext , then binds the and to form ciphertext , and uploads the ciphertext to cloud server; data sender also uses the cloud server public key , the receiver public key , the keyword , the keyword ciphertext , and corresponding message ciphertext to generate the verification tag and sends the verification tag to third party verifier.

Secondly, the receiver uses its secret key and cloud server’s public key to generate keyword trapdoor with the verification trapdoor and transmits to cloud server. And then, cloud server uses the trapdoor and ciphertext to compute the matching result. If the keyword in the ciphertext and the keyword in the trapdoor are equal, cloud server returns the ciphertext to receiver. Next, to obtain the message , the receiver decrypts the by using its secret key .

In final step, when there is a dispute between cloud server and receiver, the third party verifier uses the verification trapdoor from receiver, the verification tag , and returns the verification result.

##### 2.2. Scheme Definition

*Definition 1. *More specifically, a secure data sharing scheme with designated server consists of the following algorithms:

(1) : on input a security parameter and output a system parameter .

(2) : on input the system parameter and output a pair of public and secret key for the receiver.

(3) : on input the system parameter and output a pair of public and secret key for the cloud server.

(4) : on input the system parameter , the cloud server public key , the receiver public key , the keyword , the document message and output a ciphertext , which is message ciphertext, is keyword ciphertext, is a binding tag.

(5) : on input the system parameter , the cloud server public key , the receiver public key , the keyword , the keyword ciphertext and the message ciphertext , which is the serial number of the keyword and is the message serial number corresponded the keyword , and output the verification tag , releases to the third party verifier.

(6) : on input the system parameter , the cloud server public key , the receiver secret key , the keyword , and output the keyword search trapdoor , the verification trapdoor .

(7) : on input the system parameter , the cloud server secret key , the keyword search trapdoor , the ciphertext , and output ciphertext if the keyword in the and the keyword in the are equal; otherwise, output .

(8) : on input the system parameter , the receiver secret key , the ciphertext and output the message or .

(9) : when there is a dispute between cloud server and receiver, the third party verifier inputs the system parameter , the verification trapdoor , the verification tag , output the verification result if satisfies condition; and otherwise.

##### 2.3. Security Model

We define four security models, including the security models of IND-CKA, trapdoor indistinguishability (IND-Trapdoor), IND-CCA, and the public verifiability.

We define the keyword ciphertext semantic security. Any adversary can not distinguish the challenge keyword ciphertext unless the trapdoor is available. Formally, we define security game IND-CKA played between a challenger and adversary .

In IND-CKA 1, the challenger generates the receiver key pair and sends public key to the cloud server adversary . The adversary generates the cloud server key pair and sends public key to the challenger. The adversary can access the trapdoor oracle to get any keyword trapdoor and access the decryption oracle on any ciphertexts and then outputs two distinct challenge keywords and a message , in which . The challenger generates challenge ciphertext of with a random bit and sends it to . During the game, the adversary can adaptively continue the query to decryption oracle and trapdoor oracle unless the challenge keywords. Finally, the adversary outputs a bit as its guess.

In IND-CKA 2, the game played between a challenger and an outside adversary is similar to IND-CKA 1. The details are in the following definition.

*Definition 2 ((IND-CKA) see Boxes 1 and 2). *A secure data sharing scheme with designated server is IND-CKA secure if no probabilistic polynomial time (PPT) adversary can win game IND-CKA 1 and PPT adversary can win game IND-CKA 2 with nonnegligible advantage, where is the challenger, is cloud server, and is the outside adversary (including a receiver).

We define advantage as

Next, we define the keyword trapdoor semantic security. Any adversary can not distinguish the challenge trapdoor; that is to say, the challenge trapdoor does not reveal any information about the keyword. The IND-Trapdoor is similar to the IND-CKA 1. The adversary is given the challenge trapdoor instead of the challenge ciphertext. In IND-Trapdoor security model, the challenger generates two key pairs and sends public keys to the adversary . can access the trapdoor oracle to get any keyword trapdoor and outputs two distinct challenge keywords , in which . The challenger generates challenge trapdoor of with a random bit and sends it to . During the game, the adversary can adaptively continue to query trapdoor oracle unless the challenge keywords. Finally, the adversary outputs as its guess.

*Definition 3 ((IND-Trapdoor); see Box 3). *A secure data sharing scheme with designated server satisfies trapdoor indistinguishability if no PPT adversary can win the game IND-Trapdoor with nonnegligible advantage, where is the challenger and is an outside adversary.

We define advantage as

After that, we define the document message ciphertext semantic security. Any adversary can not distinguish the challenge message ciphertext; even it can access the decryption oracle . Formally, we define security game IND-CCA.

The IND-CCA is similar to the IND-CKA 1. The difference is that the adversary outputs two distinct challenge message and a keyword . The challenger generates challenge ciphertext of with a random bit and sends it to . During the game, the adversary can adaptively continue the query to trapdoor oracle and decryption oracle unless the challenge ciphertext . We omit the details here.

*Definition 4 ((IND-CCA); see Box 4). *A secure data sharing scheme with designated server is IND-CCA secure if no PPT adversary can win the game IND-CCA with nonnegligible advantage, where is the challenger and is an adversary (including the server).

We define advantage as

Finally, we define the public verifiability security. Any adversary can not forge a challenge response without the complete ciphertext.

In public verifiability security model, the challenger generates key pairs and sends public keys and secret key to the adversary . The challenger generates a query request and sends it to adversary. The adversary forges challenge response and sends it to challenger. Finally, the challenger outputs a bit as its verification result.

*Definition 5 (see Box 5). *A secure data sharing scheme with designated server satisfies public verifiability security if no PPT adversary can win the game public verifiability (PV) with nonnegligible advantage, where is the challenger and is the cloud server.

We define advantage as

#### 3. A Secure Data Sharing Scheme with Designated Server

In this section, we propose an efficient construction of secure data sharing scheme with designated server.

##### 3.1. Our Construction

Our secure data sharing scheme with designated server is described as follows:

A symmetric bilinear pair is , where , are cyclic multiplicative groups of prime order and is a generator of . Bilinear mapping satisfies the following properties: bilinearity: for any , ; computability: for any , we can effectively calculate ; nondegeneracy: is a generator of .

: this algorithm inputs a security parameter and generates symmetric bilinear pair , in which and are two cyclic multiplicative groups of prime order and is generator of . are cryptography hash functions. is a pseudo-random function, . are randomly chosen elements. are bit length. The algorithm outputs the system parameter

: this algorithm inputs system parameter , chooses random number , and outputs a pair of public and secret key for the receiver:

: this algorithm inputs system parameter , chooses random number , and outputs a pair of public and secret key for the cloud server:

: this algorithm inputs system parameter , the cloud server public key , the receiver public key , the keyword , in which are the serial number of the keyword, and the message , in which are the message serial number corresponding to the keyword . It chooses random number and outputs the ciphertext: where message ciphertext is , and keyword ciphertext is and the binding tag is

: this algorithm inputs system parameter , the cloud server public key , the receiver public key , the keyword , the keyword ciphertext , and the message ciphertext , in which are the serial number of the keyword and are the message serial number correspond the keyword . It outputs the verification tag and releases it to the third party verifier.

: this algorithm inputs system parameter , the cloud server public key , the receiver secret key , and the keyword and outputs the search trapdoor We have the verification trapdoor :

: this algorithm inputs system parameter , the cloud server secret key , the trapdoor , and the ciphertext and outputs ciphertext if and otherwise.

: this algorithm inputs system parameter , the receiver secret key , and the ciphertext and outputs the message if and otherwise.

: when there is a dispute between cloud server and receiver, this algorithm inputs system parameter , the verification trapdoor , the verification tag , and the ciphertext and outputs the verification result if satisfying verification condition, and otherwise. The verification process can be divided into three steps:

(i): the third party verifier inputs the system parameter and chooses random number . It keeps the as a secret value and stores it. It outputs the challenge query and sends it to cloud server,

(ii): the server inputs the returned ciphertext , the system parameter , and the challenge query . It computes and outputs the challenge response

(iii): the third party verifier inputs the system parameter , the verification trapdoor , the verification tag , the challenge response , and the secret value . By the and , if the , it can get the and compute It outputs result , if and otherwise.

##### 3.2. Proof of Construction

In the following theorems, we will prove that our scheme satisfies keyword ciphertext security and trapdoor indistinguishability security, document ciphertext security, and the public verifiability security in the proposed security model.

We will prove that the security of our scheme is based on the 1-BDHI, BDH, DDH, and CDH hard problems. and in the following problems are groups of prime order from a bilinear pairing unless otherwise specified.

*(1-BDHI)[25]*. The 1-Bilinear Diffie-Hellman Inversion Problem: given the two tuples , where , all polynomial time algorithms compute the value is hard.

*(BDH)[25]*. The Bilinear Diffie-Hellman Problem: given the four tuple , where , all polynomial time algorithms compute the value is hard.

Theorem 6. *Under 1-BDHI and BDH hard problems, the secure data sharing scheme with designated server satisfies the keyword ciphertext indistinguishability in random oracle model.*

*Proof. *(1) Suppose there is a cloud server adversary that can break our scheme in the IND-CKA 1 security model with advantage . In order to solve the 1-BDHI hard problem, let us construct a simulator with a problem instance over the cyclic group . Our goal is to compute the value .

The entire simulation process includes the following phases:

*Setup*. Let . The simulator chooses random elements and sets the It randomly chooses , and it sets in which is unknown to simulator . Simulator sends the to the adversary . randomly chooses and sets Adversary sends the to the simulator .

*Hash Query*

*-Query*. The adversary can query to . If there exists a in list, then the simulator responds with ; otherwise, the simulator randomly chooses a value , returns to the adversary , and adds the value to list. The list is initially empty.

*-Query*. The adversary can query to . The simulator maintains a list of tuples and the list is initially empty. If there exists a in list, then the simulator responds with ; otherwise, the simulator generates a random coin , . It randomly chooses , sets if , and sets if and adds the value to list.

*-Query*. The adversary can query to . If there exists a in list, then the simulator responds with ; otherwise, the simulator randomly chooses a value , returns to the adversary , and adds the value to list. The list is initially empty.

*-Query*. The adversary can query to . If there exists a in list, then the simulator responds with ; otherwise, the simulator randomly chooses a value , returns to the adversary , and adds the value to list. The list is initially empty.

*Decryption Query*. The adversary can query to decryption oracle. is a decryption query. First, the simulator checks the list, if a tuple exists, and satisfies ; the simulator checks list whether , if it satisfies the condition, and then returns or otherwise returns .

*Trapdoor Query*. The adversary can query to trapdoor oracle. First the simulator checks the list; if , the simulation aborts. Otherwise, the simulator computes in which is randomly chosen from . Therefore, the simulator completed the trapdoor query and the trapdoor is correct.

*Challenge*. The adversary gives two challenge words , and the message to the simulator , . The simulator returns a ciphertext , in which is randomly chosen. First the simulator checks the list; if both and , the simulation aborts. Otherwise, the simulator selects the , randomly chooses , and computes the ciphertext as and as in which is unknown for simulator . The ciphertext is a correct challenge ciphertext.

*Trapdoor Query*. The adversary adaptively makes trapdoor query on ,. The simulator computes the trapdoor as the above trapdoor query.

*Decryption Query*. The adversary can query to decryption oracle similar above decryption query.

*Guess*. The adversary outputs bit as its guess.

Through the above description, we have completed the simulation process of the scheme and the simulation is correct. Next we will discuss the indistinguishability of the simulation.

When the hash query is not a challenge hash query , the response for the decryption query, trapdoor query, and challenge ciphertext are correct. All random numbers in simulation process are random and independent. Random numbers included Therefore, the simulation of the scheme is indistinguishable.

When the hash query is not a challenge hash query, the challenge ciphertext is random. Therefore, the adversary wins the game with an advantage .

As the assumption, from , we can find the BDHI problem solution and the finding probability .

Next we discuss the success of the simulation: the simulator does not abort the simulation in the trapdoor query and challenge phases. The probability analysis can be seen in the paper [1]; we omit here the probability . Therefore, the advantage of the simulator in solving the 1-BDHI hard problem is

(2) Suppose there is an outside adversary (including the receiver) that can break our scheme in IND-CKA 2 security model with advantage . In order to solve the BDH hard problem, let us construct a simulator with a problem instance over the cyclic group . Our goal is to compute the value .

The entire simulation process includes the following phases.

*Setup*. Let . The simulator randomly chooses , and sets the , and it randomly chooses and sets in which is unknown to the simulator . The simulator sends the to the adversary . The randomly chooses and generates The adversary sends to simulator .

*Hash Query*

*-Query*. The adversary can query to . If there exists a in list, the simulator responds with . Otherwise, the simulator randomly chooses a value and returns to the adversary . It adds the value to list. The list is initially empty.

*-Query*. The adversary can query to . The simulator maintains a list of tuples and the list is initially empty. If there exists a in list, the simulator responds with . Otherwise, the simulator randomly chooses , sets , and adds the value to list.

*-Query*. The adversary can query to . If there exists a in list, the simulator responds with . Otherwise, the simulator randomly chooses a value , returns to the adversary , and adds the value to list. The list is initially empty.

*-Query*. The adversary can query to . If there exists a in list, the simulator responds with . Otherwise, the simulator randomly chooses a value , and returns to the adversary and adds the value to list. The list is initially empty.

*Decryption Query*. The adversary can query to decryption oracle. is a decryption query. First, the simulator needs to check the list, if a tuple exists and satisfies , the simulator checks list and whether ; if it satisfies the condition, returns; otherwise, returns.

*Challenge*. The adversary gives two challenge words , and the message to the simulator . The simulator randomly chooses and returns a ciphertext , in which is randomly chosen. The ciphertext as and as in which is unknown for simulator . The ciphertext is a correct challenge ciphertext.

*Decryption Query*. The adversary can query to decryption oracle similar to the above decryption query.

*Guess*. The adversary outputs bit as its guess.

Through the above description, we have completed the simulation process of the scheme and the simulation is correct. Next we will discuss the indistinguishability of the simulation.

When the hash query is not a challenge hash query , the response for the decryption query and challenge ciphertext are correct. All random numbers in simulation process are random and independent. Random numbers includes Therefore, the simulation of the scheme is indistinguishable.

When the hash query is not a challenge hash query , the challenge ciphertext is random. Therefore, the adversary wins the game with an advantage .

As an assumption, from the challenge hash query , we can find the BDH problem solution and the probability .

Next we discuss the success of the simulation: the simulator does not abort the simulation in the challenge phase. Therefore, the advantage of the simulator in solving the BDH hard problem is

Therefore, Theorem 6 has been proven.

In Theorem 7 we prove that our scheme achieves trapdoor indistinguishability under the DDH hard problem.

*(DDH)[25]*. The Decisional Diffie-Hellman Problem: given the four-tuple , where , deciding the value is hard for all polynomial-time algorithms.

Theorem 7. *Under DDH hard problem, the secure data sharing scheme with designated server satisfies the trapdoor indistinguishability in standard model, where the security reduction loss is .*

*Proof.* Suppose there is an outside adversary that can break our scheme in IND-Trapdoor security model with advantage . In order to solve the DDH hard problem, let us construct a simulator with a problem instance over the cyclic group . Our goal is to decide whether .

The entire simulation process includes the following phases:

*Setup*. Let . The simulator randomly chooses and sets The simulator randomly chooses and generates key pair in which is unknown to simulator . The simulator sends and to adversary .

*Trapdoor Query*. The adversary can query to trapdoor oracle. The simulator computes in which is randomly chosen from . Therefore, the simulator completed the trapdoor query and the trapdoor is correct.

*Challenge*. The adversary gives two challenge words , to the simulator , . is randomly chosen. The simulator returns a trapdoor in which is unknown to simulator and is a component of the DDH challenge. When is a valid challenge trapdoor for .

*Trapdoor Query*. The adversary adaptively makes trapdoor query on , . The simulator computes trapdoor as the above trapdoor query.

*Guess*. The adversary outputs bit as its guess.

Through the above description, we have completed the simulation process of the scheme and the simulation is correct. Next we will discuss the indistinguishability of the simulation.

When , the response for trapdoor query and challenge trapdoor are correct. All random numbers in simulation process are random and independent. Random numbers included . So the simulation of the scheme is indistinguishable. The adversary wins the game with a probability of as the breaking assumption.

When , the challenge trapdoor is random to the adversary ; therefore, the adversary wins the game with a maximum probability of 1/2.

Next we discuss the success of the simulation: the simulator does not abort the simulation in the trapdoor query and challenge phases. Therefore, the probability

Therefore, the simulator solves the advantage of the DDH hard problem as follows:

In Theorem 8 we prove that our scheme is IND-CCA secure under the CDH hard problem.

*(CDH)[25]*. The Computational Diffie-Hellman Problem: given the three-tuple , , where is a general cyclic group of prime order , computing the value is hard for all polynomial-time algorithms.

Theorem 8. *Under CDH hard problem, the secure data sharing scheme with designated server satisfies document ciphertext indistinguishability in random oracle model, where the security reduction loss is .*

*Proof.* Suppose there is an adversary (including a malicious server) that can break our secure data sharing scheme with designated server in IND-CCA security model with advantage . In order to solve the CDH hard problem, let us construct a simulator with a problem instance over the cyclic group , and our goal is to compute the value .

The entire simulation process includes the following phases.

*Setup*. Let . The simulator randomly chooses and sets , in which is unknown to simulator . Simulator sends the to the adversary . randomly chooses and generates It sends to the simulator .

*Hash Query*

*-Query*. The adversary can query to . If , the simulator aborts the simulation. Otherwise, if there exists a in list, the simulator responds with ; otherwise, it randomly chooses a value , returns to the adversary , and adds the value to list. The list is initially empty.

*-Query*. The adversary can query to . The simulator maintains a list of tuples and the list is initially empty. If there exists a in list, the simulator responds with . Otherwise, the simulator randomly chooses , sets , and adds the value to list.

*-Query*. The adversary can query to . If there exists a in list, the simulator responds with . Otherwise, the simulator randomly chooses a value , returns to the adversary , and adds the value to list. The list is initially empty.

*-Query*. The adversary can query to . If , the simulator aborts the simulation. Otherwise, if there exists a in list, the simulator responds with . Otherwise, it randomly chooses a value , returns to the adversary , and adds the value to list. The list is initially empty.

*Decryption Query*. The adversary can query to decryption oracle. is a decryption query. First, the simulator needs to check the list; if a tuple exists and satisfies , the simulator checks the list and whether ; if it satisfies the condition, then returns; otherwise returns.

*Trapdoor Query*. The adversary can query to trapdoor oracle. The simulator sets is randomly chosen from . Therefore, the simulator completed the trapdoor query and the trapdoor is correct.

*Challenge*. The adversary gives two challenge messages and keyword () to the simulator . The simulator returns a ciphertext , in which , and are randomly chosen. The ciphertext is as follows: The simulator randomly chooses , defines and adds the ( does not know the value ) to list.

*Trapdoor Query*. The adversary adaptively makes trapdoor query on . The simulator computes trapdoor as the above trapdoor query.

*Decryption Query*. The adversary can query to decryption oracle similar to the above decryption query.

*Guess*. The adversary outputs bit as its guess.

Through the above description, we have completed the simulation process of the scheme and the simulation is correct. Next we will discuss the indistinguishability of the simulation.

When the hash query is not a challenge hash query , the response for the decryption query, trapdoor query, and challenge ciphertext are correct. All random numbers in simulation process are random and independent. Random numbers include , . So the simulation of the scheme is indistinguishable.

When the hash query is not a challenge hash query , the challenge ciphertext is random. Therefore, the adversary wins the game with an advantage .

As an assumption, from , we can find the correct challenge hash query , .

Next we discuss the success of the simulation: the simulator does not abort the simulation in the trapdoor query and decryption query.

When the value has been correctly guessed without invoking , the query to decryption oracle will be aborted. Therefore, the probability and the is the number of decryption oracle queries.

Therefore, the simulator solves the advantage of the CDH hard problem as follows:

Theorem 9. *Since is a cryptographic hash function, the secure data sharing scheme with designated server is public verifiability secure.*

*Proof.* Suppose there is a malicious server that can break our secure data sharing scheme with designated server in public verifiability security model. Let us construct a simulator which simulates the scheme. The adversary can forge a response for the search keyword and satisfy the equation . Since the formula is established, the simulator can compute the equation Therefore, the adversary needs to compute the Since is a cryptographic hash function, the probability that adversary outputs and makes the equation equal is negligible.

About the verification tag security, we can also prove the tag security for third party verifier by the security reduction; we omit the details here.

##### 3.3. Performance Analysis

We use Tables 1 and 2 to show two comparisons between our secure data sharing scheme with designated server and previous schemes. In this section, the abbreviations Trap Ind, Ciph Ind, Offline KGA, PVS, SKA, and keyword Ciph denote trapdoor indistinguishability, ciphertext indistinguishability, offline keyword guessing attacks, public verifiability security, swapping keyword attacks, and keyword ciphertext, respectively. We use to denote a pairing operation, an exponentiation operation in , an exponentiation operation in , a hash operation which maps a string to an element of cyclic group, and a multiplication in , respectively. We ignore other hash operations and multiplications.

To evaluate the efficiency of our scheme, we implement these operations on a Core(TM) i7-6500U CPU of 2.50GHz 2.60GHz and 4GB RAM (3.89GB is available) running Ubuntu 18.04. We use a Type-A pairing elliptic curve as implemented in the PBC library. For these four schemes, we test the running time of keyword ciphertext generation, trapdoor generation, and test algorithms, respectively.

We first introduce some basic operation symbols. Every basic operation symbol denotes the running time of an operation in Table 4.

From Figures 3 and 4 and Tables 1 and 4, we found that our scheme is efficient in terms of keyword ciphertext generation algorithm compared to BDOP [1], BSW [5], and CZLZ [6], since our scheme reduces some modular exponentiation computations and pairing computations. In particular, in CZLZ [6], the scheme requires the most computation cost due to modular exponentiation computations, pairing computations, and hash computations per keyword ciphertext generation. In BDOP [1], the scheme requires the most computation cost due to modular exponentiation computations, pairing computations, and hash computations per keyword ciphertext generation. In BSW [5], the scheme requires the most computation cost due to modular exponentiation computations, pairing computations, and hash computations per keyword ciphertext generation. Our scheme requires the most computation cost due to modular exponentiation computations, pairing computations, and hash computations per keyword ciphertext generation; therefore, our scheme is more efficient in terms of keyword ciphertext generation algorithm. As the number of keywords increases from 20 to 80 in Figure 4, we find that our scheme is also efficient.

From Figures 3 and 5 and Tables 1 and 4, we found that our scheme is slightly higher than in terms of trapdoor generation algorithm, since our scheme adds modular exponentiation computations compared to BDOP [1] and BSW [5]. However, it is worth noting that the trapdoor generation in our scheme is slightly higher than those of existing schemes. Since BDOP [1], BSW [5], and CZLZ [6] suffer from a trapdoor security attack, namely, offline KGA, we remove the secure channel between the cloud server and receiver to reduce the cost of constructing a secure channel. In addition, we can compress the trapdoor computation time from 7.014 ms to 2.876 ms. Since for the trapdoor , the is the same value for the same keyword, we can reduce the computation time when using the same keyword.

From Figures 3 and 6 and Tables 1 and 4, we found that our scheme is efficient in terms of test algorithm compared to CZLZ [6], since our scheme reduces pairing computations, modular exponentiation computations, and hash computations. However, our scheme is slightly higher than BDOP [1], since we add the computation than BDOP [1]. But this is because we remove the secure channel. In our scheme, only the designated server can search the keyword via encrypted documents, and it does not need a secure channel between cloud server and receiver. The running time of the test algorithm of our scheme is almost the same as that of BSW [5]. In addition, cloud computing has the advantages of unlimited capability in terms of both storage and computation. Therefore, it is acceptable to add a little time during the test phase to reduce the cost of establishing a secure channel.

Furthermore, from Table 2, we find that our scheme also offers stronger security than existing schemes, since our scheme satisfies trapdoor indistinguishability, ciphertext indistinguishability, security against offline keyword guessing attacks, public verifiability, and security against swapping keyword attacks, unlike other schemes. From Table 3, we find that our scheme also offers more functionality than existing schemes, since our scheme offers message and keyword encryption, message decryption, and search result’s public verifiability compared to other schemes.

#### 4. Conclusion

We define a secure data sharing scheme with designated server and propose a specific construction. In our framework, the scheme not only realizes document encryption/decryption but also achieves searchable encryption in the cloud environment. We also proved that our scheme achieves document indistinguishability against chosen ciphertext attack, keyword indistinguishability against chosen keyword attack, trapdoor indistinguishability, and public verifiability under the proposed security models. The important property of the proposed scheme is that the search results can achieve public verifiability under the dishonest cloud server model, including the ciphertexts of both documents and keywords. Of course, this scheme can solve the practical scenario PHR problems in our introduction. Although we propose a DSS scheme with designated server that combines PKE scheme with PEKS scheme, we would consider it a major breakthrough to design a DSS scheme in the standard model and optimize the trapdoor size. In addition, as an increase in the number of receivers will degrade the efficiency of the system in our scheme, we would consider constructing a DSS scheme in the multireceiver scenario.

#### Data Availability

The data used to support the findings of this study are included in the article.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This work is supported by the National Nature Science Foundation of China under Grant no. 61772311 and no. 61272091 and the Open Project of the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences no. 2019-ZD-03.