# A Secure and Efficient Data Sharing and Searching Scheme in Wireless Sensor Networks

^{1}

^{2}

^{3}

^{4}

^{*}

## Abstract

**:**

## 1. Introduction

#### 1.1. Our Contributions

#### 1.2. Related Works

#### 1.3. Organization

## 2. Scheme Definition and Security Models

#### 2.1. System Model

#### 2.2. Algorithm Definitions

- (1)
- $\mathsf{sp}\leftarrow \mathsf{SysGen}\left({\mathsf{1}}^{\mathsf{k}}\right)$: on input a security parameter k and output a system parameter $sp$.
- (2)
- $\mathsf{KeyGen}\left(\mathsf{sp}\right)$:
- $({\mathsf{pk}}_{\mathsf{s},\mathsf{1}},{\mathsf{sk}}_{\mathsf{s},\mathsf{1}}),({\mathsf{pk}}_{\mathsf{s},\mathsf{2}},{\mathsf{sk}}_{\mathsf{s},\mathsf{2}})\leftarrow {\mathsf{KeyGen}}_{{\mathsf{server}}_{\mathsf{1},\mathsf{2}}}\left(\mathsf{sp}\right)$: on input a system parameter $sp$ and output two pairs of public and secret key $(p{k}_{s,1},s{k}_{s,1}),(p{k}_{s,2},s{k}_{s,2})$ for the cloud server 1 and cloud server 2, separately.
- $({\mathsf{pk}}_{\mathsf{r}},{\mathsf{sk}}_{\mathsf{r}})\leftarrow {\mathsf{KeyGen}}_{\mathsf{receiver}}\left(\mathsf{sp}\right)$: on input a system parameter $sp$ and output a pair of public and secret key $(p{k}_{r},s{k}_{r})$ for the receiver.

- (3)
- $({\mathsf{C}}_{\mathsf{1}},{\mathsf{C}}_{\mathsf{2}})\leftarrow \mathsf{PEKS}(\mathsf{sp},{\mathsf{pk}}_{\mathsf{s},\mathsf{1}},{\mathsf{pk}}_{\mathsf{s},\mathsf{2}},{\mathsf{pk}}_{\mathsf{r}},\mathsf{w},\mathsf{M})$: on input a system parameter $sp$, the cloud server 1 public key $p{k}_{s,1}$, the cloud server 2 public key $p{k}_{s,2}$, the receiver public key $p{k}_{r}$, the keyword w, the message M and output the ciphertext ${C}_{1}=Enc(M,p{k}_{r},sp),{C}_{2}=peks(p{k}_{r},p{k}_{s,1},p{k}_{s,2},w,sp)$.
- (4)
- ${\mathsf{C}}_{\mathsf{1}}^{\prime}\leftarrow \mathsf{ReEnc}(\mathsf{sp},{\mathsf{pk}}_{\mathsf{r}},{\mathsf{C}}_{\mathsf{1}})$: on input a system parameter $sp$, the receiver public key $p{k}_{r}$, the ciphertext ${C}_{1}$, and output the double ciphertext ${C}_{1}^{\prime}$.
- (5)
- ${\mathsf{T}}_{\mathsf{w}}\leftarrow \mathsf{Trapdoor}(\mathsf{sp},{\mathsf{sk}}_{\mathsf{r}},\mathsf{w},{\mathsf{pk}}_{\mathsf{s},\mathsf{1}},{\mathsf{pk}}_{\mathsf{s},\mathsf{2}},{\mathsf{pk}}_{\mathsf{r}})$: on input a system parameter $sp$, cloud server 1 public key $p{k}_{s,1}$, cloud server 2 public key $p{k}_{s,2}$, the receiver public key $p{k}_{r}$, the receiver secret key $s{k}_{r}$, the keyword w, and output the keyword search trapdoor ${T}_{w}$.
- (6)
- ${\mathsf{C}}_{\mathsf{1}}^{\prime}\phantom{\rule{3.33333pt}{0ex}}\mathsf{or}\perp \leftarrow \mathsf{Test}(\mathsf{sp},{\mathsf{T}}_{\mathsf{w}},{\mathsf{C}}_{\mathsf{2}},{\mathsf{sk}}_{\mathsf{s},\mathsf{1}},{\mathsf{sk}}_{\mathsf{s},\mathsf{2}})$: on input a system parameter $sp$, the cloud server 1 secret key $s{k}_{s,1}$, the cloud server 2 secret key $s{k}_{s,2}$, the keyword search trapdoor ${T}_{w}$, the ciphertext $({C}_{1}^{\prime},{C}_{2})$, and output ciphertext ${C}_{1}^{\prime}$ if the keyword search trapdoor ${T}_{w}$ matching the ciphertext ${C}_{2}$, and ⊥ otherwise. The matching process as follows:
- ${\mathsf{Test}}_{\mathsf{1}}(\mathsf{sp},{\mathsf{T}}_{\mathsf{w}},{\mathsf{C}}_{\mathsf{2}},{\mathsf{sk}}_{\mathsf{s},\mathsf{1}})\to {\mathsf{C}}_{\mathsf{T}}$: the cloud server 1 inputs the trapdoor ${T}_{w}$, the ciphertext ${C}_{2}$, the cloud server 1 secret key $s{k}_{s,1}$, the system parameter $sp$, and outputs the transitional ciphertext ${C}_{T}$.
- ${\mathsf{Test}}_{\mathsf{2}}(\mathsf{sp},{\mathsf{C}}_{\mathsf{T}},{\mathsf{sk}}_{\mathsf{s},\mathsf{2}})\to {\mathsf{C}}_{\mathsf{1}}^{\prime}\phantom{\rule{3.33333pt}{0ex}}\mathsf{or}\phantom{\rule{3.33333pt}{0ex}}\perp $: the cloud server 2 inputs the system parameter $sp$, the transitional ciphertext ${C}_{T}$, the cloud server 2 secret key $s{k}_{s,2}$. If the transitional ciphertext satisfies the condition, it outputs the double ciphertext ${C}_{1}^{\prime}$, and ⊥ otherwise.

- (7)
- $\mathsf{M}\leftarrow \mathsf{Dec}(\mathsf{sp},{\mathsf{sk}}_{\mathsf{r}},{\mathsf{C}}_{\mathsf{1}}^{\prime})$: on input a system parameter $sp$, the receiver secret key $s{k}_{r}$, the ciphertext ${C}_{1}^{\prime}$ and output the message M.

#### 2.3. Security Model

**Definition**

**1**

**(IND-CKA).**

**Definition**

**2**

**(IND-Trapdoor).**

**Definition**

**3**

**(IND-Double**

**ciphertext).**

**Definition**

**4**

**(IND-CKA**

**3).**

## 3. DSS against the KGA

#### 3.1. Our Construction

- $\mathsf{SysGen}\left({\mathsf{1}}^{\mathsf{k}}\right)$: This algorithm inputs a security parameter ${1}^{k}$. It outputs a cyclic multiplicative group ${G}_{1}$ of prime order p and $g,{g}_{1},{g}_{2}\in {G}_{1}$, which g is generator of ${G}_{1}$. It selects three cryptographic hash functions ${H}_{1}:{\{0,1\}}^{*}\to {\{0,1\}}^{n},{H}_{2}:{\{0,1\}}^{*}\to {G}_{1},{H}_{3}:{\{0,1\}}^{*}\to {\{0,1\}}^{lo{g}_{2}^{p}+n}$. The algorithm outputs the system parameter$$sp=({G}_{1},g,{g}_{1},{g}_{2},{H}_{1},{H}_{2},{H}_{3}).$$
- $\mathsf{KeyGen}\left(\mathsf{sp}\right)$:
- ${\mathsf{KeyGen}}_{{\mathsf{server}}_{\mathsf{1},\mathsf{2}}}\left(\mathsf{sp}\right)$: This algorithm inputs a system parameter $sp$. It chooses random number ${\alpha}_{1},{\alpha}_{2},{\beta}_{1},{\beta}_{2}$∈${Z}_{p}^{*}$, and outputs the following $(p{k}_{s,1},s{k}_{s,1})$ and $(p{k}_{s,2},s{k}_{s,2})$ as the public/secret key pair of cloud server 1 and that of cloud server 2, separately.$$(p{k}_{s,1},s{k}_{s,1})=({g}_{1}^{{\alpha}_{1}}{g}_{2}^{{\alpha}_{2}},({\alpha}_{1},{\alpha}_{2})),$$$$(p{k}_{s,2},s{k}_{s,2})=({g}_{1}^{{\beta}_{1}}{g}_{2}^{{\beta}_{2}},({\beta}_{1},{\beta}_{2})).$$
- ${\mathsf{KeyGen}}_{\mathsf{receiver}}\left(\mathsf{sp}\right)$: This algorithm inputs a system parameter $sp$. It chooses random number $c\in {Z}_{p}^{*}$ and outputs a pair of public and secret key $(p{k}_{r},s{k}_{r})$ for the receiver,$$p{k}_{r}={g}^{c},s{k}_{r}=c.$$

- $\mathsf{PEKS}(\mathsf{sp},{\mathsf{pk}}_{\mathsf{s},\mathsf{1}},{\mathsf{pk}}_{\mathsf{s},\mathsf{2}},{\mathsf{pk}}_{\mathsf{r}},\mathsf{w},\mathsf{M})$: This algorithm inputs a system parameter $sp$, the cloud server public key $p{k}_{s,1},p{k}_{s,2}$, the receiver public key $p{k}_{r}$, the keyword w, the message $M\in {\{0,1\}}^{n}$, and chooses random number ${r}_{0},{r}_{1}\in {Z}_{p}^{*}$. It outputs the message ciphertext ${C}_{1}=({C}_{11},{C}_{12})$, which$${C}_{11}={g}^{{r}_{0}},k=p{k}_{r}^{{r}_{0}},{C}_{12}={H}_{1}\left(k\right)\oplus M.$$$${C}_{2}=[A,B,C]=[{g}_{1}^{{r}_{1}},{g}_{2}^{{r}_{1}},p{k}_{s,1}^{{r}_{1}}\xb7p{k}_{s,2}^{{r}_{1}}\xb7p{k}_{r}\xb7{H}_{2}\left(w\right)].$$
- $\mathsf{ReEnc}(\mathsf{sp},{\mathsf{pk}}_{\mathsf{r}},{\mathsf{C}}_{\mathsf{1}})$: This algorithm inputs a system parameter $sp$, the receiver public key $p{k}_{r}$, the message ciphertext ${C}_{1}$. It chooses random number ${r}_{2}\in {Z}_{p}^{*}$ and outputs the double message ciphertext ${C}_{1}^{\prime}=({C}_{11}^{\prime},{C}_{12}^{\prime})$, which$${C}_{11}^{\prime}={g}^{{r}_{2}},k=p{k}_{r}^{{r}_{2}},{C}_{12}^{\prime}={H}_{3}\left(k\right)\oplus {C}_{11}\parallel {C}_{12}.$$
- $\mathsf{Trapdoor}(\mathsf{sp},{\mathsf{pk}}_{\mathsf{s},\mathsf{1}},{\mathsf{pk}}_{\mathsf{s},\mathsf{2}},{\mathsf{pk}}_{\mathsf{r}},{\mathsf{sk}}_{\mathsf{r}},\mathsf{w})$: This algorithm inputs a system parameter $sp$, the cloud server public key $p{k}_{s,1},p{k}_{s,2}$, the receiver secret key $s{k}_{r}$, the keyword w, and chooses random number ${r}_{3}\in {Z}_{p}^{*}$. It outputs the keyword search trapdoor ${T}_{w}=[{T}_{1},{T}_{2},{T}_{3}],$$${T}_{1}={g}_{1}^{s{k}_{r}{r}_{3}},{T}_{2}={g}_{2}^{s{k}_{r}{r}_{3}},$$$${T}_{3}=p{k}_{s,1}^{s{k}_{r}{r}_{3}}\xb7p{k}_{s,2}^{s{k}_{r}{r}_{3}}\xb7p{k}_{r}^{-1}\xb7{H}_{2}^{-1}\left(w\right).$$
- $\mathsf{Test}(\mathsf{sp},{\mathsf{T}}_{\mathsf{w}},{\mathsf{C}}_{\mathsf{2}},{\mathsf{sk}}_{\mathsf{s},\mathsf{1}},{\mathsf{sk}}_{\mathsf{s},\mathsf{2}})$:
- ${\mathsf{Test}}_{\mathsf{1}}(\mathsf{sp},{\mathsf{T}}_{\mathsf{w}},{\mathsf{C}}_{\mathsf{2}},{\mathsf{sk}}_{\mathsf{s},\mathsf{1}})\to {\mathsf{C}}_{\mathsf{T}}$: The cloud server 1 inputs the trapdoor ${T}_{w}$, the ciphertext ${C}_{2}$, the cloud server 1 secret key $s{k}_{s,1}$, the system parameter $sp$, and chooses random number $d\in {Z}_{p}^{*}$. It outputs the transitional ciphertext ${C}_{T}=({A}^{*},{B}^{*},{C}^{*})$, where$${T}_{w}\xb7{C}_{2}=({C}_{I,1},{C}_{I,2},{C}_{I,3}),$$$${C}_{I,1}={T}_{1}\xb7A,{C}_{I,2}={T}_{2}\xb7B,{C}_{I,3}={T}_{3}\xb7C,$$$${A}^{*}={C}_{I,1}^{d},{B}^{*}={C}_{I,2}^{d},{C}^{*}={\left(\frac{{C}_{I,3}}{{C}_{I,1}^{{\alpha}_{1}}{C}_{I,2}^{{\alpha}_{2}}}\right)}^{d}.$$
- ${\mathsf{Test}}_{\mathsf{2}}(\mathsf{sp},{\mathsf{C}}_{\mathsf{1}}^{\prime},{\mathsf{C}}_{\mathsf{T}},{\mathsf{sk}}_{\mathsf{s},\mathsf{2}})\to {\mathsf{C}}_{\mathsf{1}}^{\prime}\phantom{\rule{3.33333pt}{0ex}}\mathsf{or}\phantom{\rule{3.33333pt}{0ex}}\perp $: The cloud server 2 inputs the system parameter $sp$, the transitional ciphertext ${C}_{T}$, the cloud server 2 secret key $s{k}_{s,2}$, and the double ciphertext ${C}_{1}^{\prime}$. It outputs ${C}_{1}^{\prime}$, if$$\frac{{C}^{*}}{{A}^{*{\beta}_{1}}{B}^{*{\beta}_{2}}}={1}_{G},$$

- $\mathsf{Dec}(\mathsf{sp},{\mathsf{sk}}_{\mathsf{r}},{\mathsf{C}}_{\mathsf{1}}^{\prime})$: This algorithm inputs a system parameter $sp$, the receiver secret key $s{k}_{r}$, the double message ciphertext ${C}_{1}^{\prime}$ and outputs the message$${C}_{11}\parallel {C}_{12}={C}_{1,2}^{\prime}\oplus {H}_{3}\left({C}_{1,1}^{\prime s{k}_{r}}\right),M={C}_{1,2}\oplus {H}_{1}\left({C}_{1,1}^{s{k}_{r}}\right).$$
**Correctness:**When assuming the correctly generated ciphertext ${C}_{2}=[A,B,C]$ for ${w}_{i}$ with a correct trapdoor ${T}_{w}=({T}_{1},{T}_{2},{T}_{3})$. Then we can verify the equation for correctness if ${w}_{i}=w$ as follows:$${T}_{w}{C}_{2}=({C}_{I,1},{C}_{I,2},{C}_{I,3}),{C}_{I,1}={g}_{1}^{{r}_{1}+c{r}_{3}},{C}_{I,2}={g}_{2}^{{r}_{1}+c{r}_{3}},$$$${C}_{I,3}={\left({g}_{1}^{{\alpha}_{1}}{g}_{2}^{{\alpha}_{2}}\right)}^{{r}_{1}+c{r}_{3}}{\left({g}_{1}^{{\beta}_{1}}{g}_{2}^{{\beta}_{2}}\right)}^{{r}_{1}+c{r}_{3}}{H}_{2}\left({w}_{i}\right){H}_{2}^{-1}\left(w\right).$$$${C}_{T}=({A}^{*},{B}^{*},{C}^{*}),{A}^{*}={g}_{1}^{({r}_{1}+c{r}_{3})d},{B}^{*}={g}_{2}^{({r}_{1}+c{r}_{3})d},$$$${C}^{*}={\left({\left({g}_{1}^{{\beta}_{1}}{g}_{2}^{{\beta}_{2}}\right)}^{({r}_{1}+c{r}_{3})}{H}_{2}\left({w}_{i}\right){H}_{2}^{-1}\left(w\right)\right)}^{d}.$$$$\frac{{C}^{*}}{{A}^{*{\beta}_{1}}{B}^{*{\beta}_{2}}}={\left({H}_{2}\left({w}_{i}\right){H}_{2}^{-1}\left(w\right)\right)}^{d}={1}_{G}$$

#### 3.2. Proof

#### 3.2.1. Keyword Privacy

**Theorem**

**1.**

**Proof.**

**Setup.**Let $sp=({G}_{1},g,{g}_{1},{g}_{2},{H}_{1},{H}_{2},{H}_{3})$. The simulator $\mathcal{B}$ chooses random elements ${\alpha}_{1},{\alpha}_{2},{\beta}_{1},{\beta}_{2},c\in {Z}_{p}^{*}$, and sets$$(p{k}_{s,1},s{k}_{s,1})=({g}_{1}^{{\alpha}_{1}}{g}_{2}^{{\alpha}_{2}},({\alpha}_{1},{\alpha}_{2})),$$$$(p{k}_{s,2},s{k}_{s,2})=({g}_{1}^{{\beta}_{1}}{g}_{2}^{{\beta}_{2}},({\beta}_{1},{\beta}_{2})),$$$$p{k}_{r}={g}^{c},s{k}_{r}=c.$$**Trapdoor Query.**The adversary ${\mathcal{A}}_{1}$ can query ${w}_{i}$ to trapdoor oracle. The simulator chooses random number ${r}_{3}\in {Z}_{p}^{*}$ and outputs the keyword search trapdoor$${T}_{w}=[{T}_{1},{T}_{2},{T}_{3}]=[{g}_{1}^{c{r}_{3}},{g}_{2}^{c{r}_{3}},p{k}_{s,1}^{c{r}_{3}}\xb7p{k}_{s,2}^{c{r}_{3}}\xb7p{k}_{r}^{-1}\xb7{H}_{2}^{-1}\left(w\right)].$$**Challenge.**The adversary ${\mathcal{A}}_{1}$ gives two challenge words ${w}_{0}$,${w}_{1}$ and the message ${m}^{*}$ to the simulator $\mathcal{B}$, which ${w}_{b}\ne {w}_{i},b\in \{0,1\}$. The simulator returns a ciphertext $({C}_{1},{C}_{2,b})$. $b\in \{0,1\}$ is randomly chosen. The simulator chooses random number ${r}_{0}\in {Z}_{p}^{*}$, and the ciphertext $({C}_{1},{C}_{2,b})$ is outputted as:$${C}_{1}=({C}_{11},{C}_{12}),{C}_{11}={g}^{{r}_{0}},k=p{k}_{r}^{{r}_{0}},{C}_{12}={H}_{1}\left(k\right)\oplus {m}^{*},$$$${C}_{2,b}=[{g}_{1}^{{a}_{1}},{g}_{2}^{{a}_{2}},{\left({g}_{1}^{{a}_{1}}\right)}^{{\alpha}_{1}+{\beta}_{1}}{\left({g}_{2}^{{a}_{2}}\right)}^{{\alpha}_{2}+{\beta}_{2}}{g}^{c}{H}_{2}\left({w}_{b}\right)].$$$${C}_{2,b}=[A,B,C]=[{g}_{1}^{{r}_{1}},{g}_{2}^{{r}_{1}},p{k}_{s,1}^{{r}_{1}}\xb7p{k}_{s,2}^{{r}_{1}}\xb7p{k}_{r}\xb7{H}_{2}\left({w}_{b}\right)].$$**Trapdoor Query.**The adversary ${\mathcal{A}}_{1}$ adaptively makes trapdoor query on ${w}_{i}$, ${w}_{i}\ne {w}_{0},{w}_{1}$. The simulator $\mathcal{B}$ computes trapdoor in the same way as above trapdoor query.**Guess.**The adversary ${\mathcal{A}}_{1}$ outputs ${b}^{\prime}$ as it’s guess.

**Setup.**Let $sp=({G}_{1},g,{g}_{1},{g}_{2},{H}_{1},{H}_{2},{H}_{3})$. The simulator $\mathcal{B}$ chooses random elements ${\alpha}_{1},{\alpha}_{2},{\beta}_{1},{\beta}_{2},c\in {Z}_{p}^{*}$, and sets$$(p{k}_{s,1},s{k}_{s,1})=({g}_{1}^{{\alpha}_{1}}{g}_{2}^{{\alpha}_{2}},({\alpha}_{1},{\alpha}_{2})),$$$$(p{k}_{s,2},s{k}_{s,2})=({g}_{1}^{{\beta}_{1}}{g}_{2}^{{\beta}_{2}},({\beta}_{1},{\beta}_{2})),$$$$p{k}_{r}={g}^{c},s{k}_{r}=c.$$**Trapdoor Query.**The adversary ${\mathcal{A}}_{2}$ can query ${w}_{i}$ to trapdoor oracle. The simulator chooses random number ${r}_{3}\in {Z}_{p}^{*}$ and outputs the keyword search trapdoor$${T}_{w}=[{T}_{1},{T}_{2},{T}_{3}]=[{g}_{1}^{c{r}_{3}},{g}_{2}^{c{r}_{3}},p{k}_{s,1}^{c{r}_{3}}\xb7p{k}_{s,2}^{c{r}_{3}}\xb7p{k}_{r}^{-1}\xb7{H}_{2}^{-1}\left(w\right)].$$**Challenge.**The adversary ${\mathcal{A}}_{2}$ gives two challenge words ${w}_{0}$,${w}_{1}$ and the message ${m}^{*}$ to the simulator $\mathcal{B}$, which ${w}_{b}\ne {w}_{i},b\in \{0,1\}$. The simulator returns a ciphertext $({C}_{1}^{\prime},{C}_{2,b})$. $b\in \{0,1\}$ is randomly chosen. The simulator chooses random number ${r}_{2}\in {Z}_{p}^{*}$, and the ciphertext $({C}_{1}^{\prime},{C}_{2,b})$ is outputted as:$${C}_{1}^{\prime}=({C}_{11}^{\prime},{C}_{12}^{\prime}),{C}_{11}^{\prime}={g}^{{r}_{2}},k=p{k}_{r}^{{r}_{2}},{C}_{12}^{\prime}={H}_{3}\left(k\right)\oplus {C}_{1},$$$${C}_{2,b}=[{g}_{1}^{{a}_{1}},{g}_{2}^{{a}_{2}},{\left({g}_{1}^{{a}_{1}}\right)}^{{\alpha}_{1}+{\beta}_{1}}{\left({g}_{2}^{{a}_{2}}\right)}^{{\alpha}_{2}+{\beta}_{2}}{g}^{c}{H}_{2}\left({w}_{b}\right)].$$$${C}_{2,b}=[A,B,C]=[{g}_{1}^{{r}_{1}},{g}_{2}^{{r}_{1}},p{k}_{s,1}^{{r}_{1}}\xb7p{k}_{s,2}^{{r}_{1}}\xb7p{k}_{r}\xb7{H}_{2}\left({w}_{b}\right)].$$**Trapdoor Query.**The adversary ${\mathcal{A}}_{2}$ adaptively makes trapdoor query on ${w}_{i}$, ${w}_{i}\ne {w}_{0},{w}_{1}$. The simulator $\mathcal{B}$ computes trapdoor in the same way as above trapdoor query.**Guess.**The adversary ${\mathcal{A}}_{2}$ outputs ${b}^{\prime}$ as its guess.

**Theorem**

**2.**

**Proof.**

**Setup.**Let $sp=({G}_{1},g,{g}_{1},{g}_{2},{H}_{1},{H}_{2},{H}_{3})$. The simulator $\mathcal{B}$ chooses random elements ${\alpha}_{1},{\alpha}_{2},{\beta}_{1},{\beta}_{2},c\in {Z}_{p}^{*}$, and sets$$(p{k}_{s,2},s{k}_{s,2})=({g}_{1}^{{\beta}_{1}}{g}_{2}^{{\beta}_{2}},({\beta}_{1},{\beta}_{2})),$$$$p{k}_{r}={g}^{c},s{k}_{r}=c.$$**Trapdoor Query.**The adversary ${\mathcal{A}}_{3}$ can query ${w}_{i}$ to trapdoor oracle. The simulator chooses random number ${r}_{3}\in {Z}_{p}^{*}$ and outputs the keyword search trapdoor$${T}_{w}=[{T}_{1},{T}_{2},{T}_{3}]=[{g}_{1}^{c{r}_{3}},{g}_{2}^{c{r}_{3}},p{k}_{s,1}^{c{r}_{3}}\xb7p{k}_{s,2}^{c{r}_{3}}\xb7p{k}_{r}^{-1}\xb7{H}_{2}^{-1}\left(w\right)].$$**Challenge.**The adversary ${\mathcal{A}}_{3}$ gives two challenge words ${w}_{0},$ ${w}_{1}$ to the simulator $\mathcal{B}$, which ${w}_{b}\ne {w}_{i},b\in \{0,1\}$. The simulator returns a challenge trapdoor ${T}_{{w}_{b}}$. $b\in \{0,1\}$ is randomly chosen. The ciphertext ${T}_{{w}_{b}}$ is outputted as:$${T}_{{w}_{b}}=[{\left({g}_{1}^{{a}_{1}}\right)}^{c},{\left({g}_{2}^{{a}_{2}}\right)}^{c},{\left({\left({g}_{1}^{{a}_{1}}\right)}^{{\alpha}_{1}+{\beta}_{1}}{\left({g}_{2}^{{a}_{2}}\right)}^{{\alpha}_{2}+{\beta}_{2}}\right)}^{c}{g}^{-c}{H}_{2}^{-1}\left({w}_{b}\right)].$$$${T}_{w}=[{T}_{1},{T}_{2},{T}_{3}]=[{g}_{1}^{c{r}_{3}},{g}_{2}^{c{r}_{3}},p{k}_{s,1}^{c{r}_{3}}\xb7p{k}_{s,2}^{c{r}_{3}}\xb7p{k}_{r}^{-1}\xb7{H}_{2}^{-1}\left({w}_{b}\right)].$$**Trapdoor Query.**The adversary ${\mathcal{A}}_{3}$ adaptively makes trapdoor query on ${w}_{i}$, ${w}_{i}\ne {w}_{0},{w}_{1}$. The simulator $\mathcal{B}$ computes trapdoor in the same way as above trapdoor query.**Guess.**The adversary ${\mathcal{A}}_{3}$ outputs ${b}^{\prime}$ as it’s guess.

**Theorem**

**3.**

**Proof.**

**Setup.**Let $sp=({G}_{1},g,{g}_{1},{g}_{2},{H}_{1},{H}_{2},{H}_{3})$. The simulator $\mathcal{B}$ chooses random elements ${\alpha}_{1},{\alpha}_{2},{\beta}_{1},{\beta}_{2},c\in {Z}_{p}^{*}$, and sets$$(p{k}_{s,2},s{k}_{s,2})=({g}_{1}^{{\beta}_{1}}{g}_{2}^{{\beta}_{2}},({\beta}_{1},{\beta}_{2})),$$$$p{k}_{r}={g}^{a},s{k}_{r}=a.$$**${\mathit{H}}_{\mathbf{3}}$-query**: The ${H}_{3}$ list is initially empty. The adversary ${\mathcal{A}}_{5}$ can query ${k}_{i}\in {G}_{1}$ to ${H}_{3}$. If there exists a $({k}_{i},{X}_{i})$ in ${H}_{3}$ list, then the simulator $\mathcal{B}$ responds with ${H}_{3}\left({k}_{i}\right)={X}_{i}$; otherwise, the simulator $\mathcal{B}$ randomly chooses a value ${X}_{i}\in {\{0,1\}}^{lo{g}_{2}^{p}+n}$ and sets ${H}_{1}\left({k}_{i}\right)={X}_{i}$. It returns to the adversary ${\mathcal{A}}_{5}$ and adds the value to ${H}_{3}$ list.**Challenge.**The adversary ${\mathcal{A}}_{5}$ gives two challenge ciphertext ${C}_{1,0},{C}_{1,1}$ to the simulator $\mathcal{B}$. The simulator $\mathcal{B}$ returns ciphertext ${C}_{1,{b}_{0}}^{\prime}$. ${b}_{0}\in \{0,1\}$ is randomly chosen. The ciphertext ${C}_{1,{b}_{0}}^{\prime}$ is outputted as:$${C}_{1,{b}_{0}}^{\prime}=[{C}_{1,1}^{\prime},{C}_{2,2}^{\prime}],{C}_{1,1}^{\prime}={g}^{b},{C}_{2,2}^{\prime}={Z}^{*},{Z}^{*}\in {\{0,1\}}^{d}.$$$${H}_{3}\left({g}^{ab}\right)={Z}^{*}\oplus {C}_{1,{b}_{0}},$$**Guess.**The adversary ${\mathcal{A}}_{5}$ outputs ${b}_{0}^{\prime}$ as its guess.

**Theorem**

**4.**

**Proof.**

**Setup.**Let $sp=({G}_{1},g,{g}_{1},{g}_{2},{H}_{1},{H}_{2},{H}_{3})$. The simulator $\mathcal{B}$ chooses random elements ${\alpha}_{1},{\alpha}_{2},{\beta}_{1},{\beta}_{2},c\in {Z}_{p}^{*}$, and sets$$(p{k}_{s,2},s{k}_{s,2})=({g}_{1}^{{\beta}_{1}}{g}_{2}^{{\beta}_{2}},({\beta}_{1},{\beta}_{2})),$$$$p{k}_{r}={g}^{c},s{k}_{r}=c.$$**Trapdoor Query.**The adversary ${\mathcal{A}}_{6}$ can query ${w}_{i}$ to trapdoor oracle. The simulator chooses random number ${r}_{3}^{\prime}\in {Z}_{p}^{*}$ and outputs the keyword search trapdoor$${T}_{w}=[{T}_{1},{T}_{2},{T}_{3}]=[{g}_{1}^{c{r}_{3}^{\prime}},{g}_{2}^{c{r}_{3}^{\prime}},p{k}_{s,1}^{c{r}_{3}^{\prime}}\xb7p{k}_{s,2}^{c{r}_{3}^{\prime}}\xb7p{k}_{r}^{-1}\xb7{H}_{2}^{-1}\left(w\right)].$$**Challenge.**The adversary ${\mathcal{A}}_{6}$ gives two challenge words ${w}_{0},$ ${w}_{1}$ to the simulator $\mathcal{B}$. ${w}_{{b}_{1}},{w}_{{b}_{2}}\ne {w}_{i},{b}_{1},{b}_{2}\in \{0,1\}$. The simulator generates a ciphertext ${C}_{2,{b}_{1}}$ and trapdoor ${T}_{{w}_{{b}_{2}}}$. ${b}_{1},{b}_{2}\in \{0,1\}$ are randomly chosen. The ciphertext ${C}_{2,{b}_{1}}$ and the trapdoor ${T}_{{w}_{{b}_{2}}}$ as:$${C}_{2,{b}_{1}}=[{g}_{1}^{{a}_{1}},{g}_{2}^{{a}_{2}},{\left({g}_{1}^{{a}_{1}}\right)}^{{\alpha}_{1}+{\beta}_{1}}{\left({g}_{2}^{{a}_{2}}\right)}^{{\alpha}_{2}+{\beta}_{2}}{g}^{c}{H}_{2}\left({w}_{{b}_{1}}\right)],$$$${T}_{{w}_{{b}_{2}}}=[{g}_{1}^{c{r}_{3}},{g}_{2}^{c{r}_{3}},p{k}_{s,1}^{c{r}_{3}}\xb7p{k}_{s,2}^{c{r}_{3}}\xb7p{k}_{r}^{-1}\xb7{H}_{2}^{-1}\left({w}_{{b}_{2}}\right)].$$$${C}_{2,{b}_{1}}=[A,B,C]=[{g}_{1}^{{r}_{1}},{g}_{2}^{{r}_{1}},p{k}_{s,1}^{{r}_{1}}\xb7p{k}_{s,2}^{{r}_{1}}\xb7p{k}_{r}\xb7{H}_{2}\left({w}_{{b}_{1}}\right)].$$$${T}_{{w}_{{b}_{2}}}{C}_{2,{b}_{1}}=({C}_{I,1},{C}_{I,2},{C}_{I,3}),{A}^{*}={C}_{I,1}^{d},{B}^{*}={C}_{I,2}^{d},$$$${C}^{*}={\left(\left({g}_{1}^{({a}_{1}+c{r}_{3}){\beta}_{1}}{g}_{2}^{({a}_{2}+c{r}_{3}){\beta}_{2}}\right){H}_{2}\left({w}_{{b}_{1}}\right){H}_{2}^{-1}\left({w}_{{b}_{2}}\right)\right)}^{d}.$$**Trapdoor Query.**The adversary ${\mathcal{A}}_{6}$ adaptively makes trapdoor query on ${w}_{i},$ ${w}_{i}\ne {w}_{0},{w}_{1}$. The simulator $\mathcal{B}$ computes the trapdoor in the same way as above trapdoor query.**Guess.**The adversary ${\mathcal{A}}_{6}$ outputs $({b}_{1}^{\prime},{b}_{2}^{\prime})$ as it’s guess.

#### 3.2.2. Message Privacy

#### 3.3. Analysis and Comparisons

#### 3.4. Research Method

## 4. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## References

- Bista, R.; Chang, J.W. Privacy-Preserving Data Aggregation Protocols for Wireless Sensor Networks: A Survey. Sensors
**2010**, 10, 4577–4601. [Google Scholar] [CrossRef] - Zhang, P.; Ma, J. Channel Characteristic Aware Privacy Protection Mechanism in WBAN. Sensors
**2018**, 18, 2403. [Google Scholar] [CrossRef] [PubMed] - Sisinni, E.; Saifullah, A.; Han, S.; Jennehag, U.; Gidlund, M. Industrial internet of things: Challenges, opportunities, and directions. IEEE Trans. Ind. Inform.
**2018**, 14, 4724–4734. [Google Scholar] [CrossRef] - Pease, S.G.; Trueman, R.; Davies, C.; Grosberg, J.; Yau, K.H.; Kaur, N.; Conway, P.; West, A. An intelligent real-time cyber-physical toolset for energy and process prediction and optimisation in the future industrial Internet of Things. Future Gener. Comput. Syst.
**2018**, 79, 815–829. [Google Scholar] [CrossRef] - Jung, H.; Lee, I.H. Secrecy Performance Analysis of Analog Cooperative Beamforming in Three-Dimensional Gaussian Distributed Wireless Sensor Networks. IEEE Trans. Wirel. Commun.
**2019**, 18, 1860–1873. [Google Scholar] [CrossRef] - Xie, H.; Yan, Z.; Yao, Z.; Atiquzzaman, M. Data Collection for Security Measurement in Wireless Sensor Networks: A Survey. IEEE Internet Things J.
**2019**, 6, 2205–2224. [Google Scholar] [CrossRef] - Yaqoob, I.; Hashem, I.A.T.; Ahmed, A.; Kazmi, S.A.; Hong, C.S. Internet of things forensics: Recent advances, taxonomy, requirements, and open challenges. Future Gener. Comput. Syst.
**2019**, 92, 265–275. [Google Scholar] [CrossRef] - Tan, H.; Chung, I. A Secure and Efficient Group Key Management Protocol with Cooperative Sensor Association in WBANs. Sensors
**2018**, 18, 3930. [Google Scholar] [CrossRef] - Song, D.X.; Wagner, D.; Perrig, A. Practical techniques for searches on encrypted data. In Proceedings of the 2000 IEEE Symposium on Security and Privacy, S&P 2000, Berkeley, CA, USA, 14–17 May 2000; pp. 44–55. [Google Scholar]
- Boneh, D.; Di Crescenzo, G.; Ostrovsky, R.; Persiano, G. Public Key Encryption with Keyword Search. In Proceedings of the Advances in Cryptology—EUROCRYPT 2004, Interlaken, Switzerland, 2–6 May 2004; pp. 506–522. [Google Scholar]
- Curtmola, R.; Garay, J.; Kamara, S.; Ostrovsky, R. Searchable symmetric encryption: Improved definitions and efficient constructions. J. Comput. Secur.
**2011**, 19, 895–934. [Google Scholar] [CrossRef] [Green Version] - Chang, Y.C.; Mitzenmacher, M. Privacy Preserving Keyword Searches on Remote Encrypted Data. In Proceedings of the Applied Cryptography and Network Security, New York, NY, USA, 7–10 June 2005; pp. 442–455. [Google Scholar]
- Abdalla, M.; Bellare, M.; Catalano, D.; Kiltz, E.; Kohno, T.; Lange, T.; Malone-Lee, J.; Neven, G.; Paillier, P.; Shi, H. Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions. In Proceedings of the Advances in Cryptology—CRYPTO 2005, Santa Barbara, CA, USA, 14–18 August 2005; pp. 205–222. [Google Scholar]
- Baek, J.; Safavi-Naini, R.; Susilo, W. Public key encryption with keyword search revisited. In Proceedings of the International conference on Computational Science and Its Applications, Perugia, Italy, 30 June–3 July 2008; pp. 1249–1259. [Google Scholar]
- Baek, J.; Safavi-Naini, R.; Susilo, W. On the Integration of Public Key Data Encryption and Public Key Encryption with Keyword Search. In Proceedings of the Information Security, Samos Island, Greece, 30 August–2 September 2006; pp. 217–232. [Google Scholar]
- Rhee, H.S.; Park, J.H.; Susilo, W.; Lee, D.H. Improved searchable public key encryption with designated tester. In Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, Sydney, Australia, 10–12 March 2009; pp. 376–379. [Google Scholar]
- Rhee, H.S.; Park, J.H.; Susilo, W.; Lee, D.H. Trapdoor security in a searchable public-key encryption scheme with a designated tester. J. Syst. Softw.
**2010**, 83, 763–771. [Google Scholar] [CrossRef] - Fang, L.; Susilo, W.; Ge, C.; Wang, J. Public key encryption with keyword search secure against keyword guessing attacks without random oracle. Inf. Sci.
**2013**, 238, 221–241. [Google Scholar] [CrossRef] [Green Version] - Chen, Y.C. SPEKS: Secure server-designation public key encryption with keyword search against keyword guessing attacks. Comput. J.
**2014**, 58, 922–933. [Google Scholar] [CrossRef] - Chen, R.; Mu, Y.; Yang, G.; Guo, F.; Wang, X. Dual-server public-key encryption with keyword search for secure cloud storage. IEEE Trans. Inf. Forensics Secur.
**2016**, 11, 789–798. [Google Scholar] [CrossRef] - Chen, Y.; Zhang, J.; Lin, D.; Zhang, Z. Generic constructions of integrated PKE and PEKS. Des. Codes Cryptogr.
**2016**, 78, 493–526. [Google Scholar] [CrossRef] - Tang, Q.; Chen, L. Public-key encryption with registered keyword search. In Proceedings of the European Public Key Infrastructure Workshop, Pisa, Italy, 10–11 September 2009; pp. 163–178. [Google Scholar]
- Saito, T.; Nakanishi, T. Designated-Senders Public-Key Searchable Encryption Secure against Keyword Guessing Attacks. In Proceedings of the 2017 Fifth International Symposium on Computing and Networking (CANDAR), Aomori, Japan, 19–22 November 2017; pp. 496–502. [Google Scholar]
- Huang, Q.; Li, H. An efficient public-key searchable encryption scheme secure against inside keyword guessing attacks. Inf. Sci.
**2017**, 403, 1–14. [Google Scholar] [CrossRef] - Jiang, P.; Mu, Y.; Guo, F.; Wen, Q.Y. Private Keyword-Search for Database Systems Against Insider Attacks. J. Comput. Sci. Technol.
**2017**, 32, 599–617. [Google Scholar] [CrossRef] - Wu, L.; Chen, B.; Zeadally, S.; He, D. An efficient and secure searchable public key encryption scheme with privacy protection for cloud storage. Soft Comput.
**2018**, 22, 7685–7696. [Google Scholar] [CrossRef] - Zhu, B.; Sun, J.; Qin, J.; Ma, J. The Public Verifiability of Public Key Encryption with Keyword Search. In Proceedings of the International Conference on Mobile Networks and Management, Melbourne, Australia, 13–15 December 2017; pp. 299–312. [Google Scholar]
- Han, F.; Qin, J.; Hu, J. Secure searches in the cloud: A survey. Future Gener. Comput. Syst.
**2016**, 62, 66–75. [Google Scholar] [CrossRef] - Wu, A.; Zheng, D.; Zhang, Y.; Yang, M. Hidden Policy Attribute-Based Data Sharing with Direct Revocation and Keyword Search in Cloud Computing. Sensors
**2018**, 18, 2158. [Google Scholar] [CrossRef] [PubMed] - Guo, Y.; Liu, F.; Cai, Z.; Xiao, N.; Zhao, Z. Edge-Based Efficient Search over Encrypted Data Mobile Cloud Storage. Sensors
**2018**, 18, 1189. [Google Scholar] [CrossRef] - Noroozi, M.; Eslami, Z. Public-key encryption with keyword search: A generic construction secure against online and offline keyword guessing attacks. J. Ambient Intell. Humaniz. Comput.
**2019**. [Google Scholar] [CrossRef] - Cramer, R.; Shoup, V. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 23–27 August 1998; pp. 13–25. [Google Scholar]

Notation | Description |
---|---|

$sp$ | System parameter |

$p{k}_{s,1},s{k}_{s,1}$ | Public/secret key of the cloud server 1 |

$p{k}_{s,2},s{k}_{s,2}$ | Public/secret key of the cloud server 2 |

$p{k}_{r},s{k}_{r}$ | Public/secret key of the receiver |

w | Keyword |

m | Message |

$Enc\left(m\right)$ | Encryption algorithm Enc for the data m |

$peks\left(m\right)$ | Encryption algorithm peks for the keyword w |

${C}_{1}$ | Message ciphertext |

${C}_{2}$ | Searchable ciphertext for keyword |

${C}_{1}^{\prime}$ | Double message ciphertext |

${T}_{w}$ | Trapdoor for keyword w |

${C}_{T}$ | The transitional ciphertext |

$\mathcal{A}$ | Adversary |

$\mathcal{B}$ | Challenger or simulator |

$\mathcal{O}\left(w\right)$ | Trapdoor oracle for the keyword w |

Game IND-CKA 1 ${\mathit{Exp}}_{{\mathcal{A}}_{1}}^{\mathit{CKA}}\left[\mathit{DSS}\right]$ |

$Kset\u27f5\varphi $ |

$(p{k}_{s,1},s{k}_{s,1},p{k}_{s,2},s{k}_{s,2},p{k}_{r},s{k}_{r})\u27f5KeyGen\left(sp\right)$; |

$({w}_{0},{w}_{1},{M}^{*})\u27f5{\mathcal{A}}_{1}^{\mathcal{O}}(sp,(p{k}_{s,1},s{k}_{s,1}),p{k}_{s,2},p{k}_{r})$; |

$({C}_{1},{C}_{2,b})\u27f5\mathcal{B}({M}^{*},{w}_{b},p{k}_{s,1},p{k}_{s,2},p{k}_{r},b\in \{0,1\})$; |

${b}^{\prime}\u27f5{\mathcal{A}}_{1}^{\mathcal{O}}({C}_{1},{C}_{2,b},guess)$; |

if $\{{w}_{0},{w}_{1}\}\bigcap Kset=\varphi $, then return 1, if ${b}^{\prime}=b$; |

else return 0. |

Oracle $\mathcal{O}\left(w\right)$: |

$Kset=Kset\bigcup \left\{w\right\}$, ${T}_{w}\u27f5\mathcal{O}(p{k}_{s,1},p{k}_{s,2},p{k}_{r},s{k}_{r},w)$; |

return $\left\{{T}_{w}\right\}$ |

Game IND-CKA 2 ${\mathit{Exp}}_{{\mathcal{A}}_{2}}^{\mathit{CKA}}\left[\mathit{DSS}\right]$ |

$Kset\u27f5\varphi $ |

$(p{k}_{s,1},s{k}_{s,1},p{k}_{s,2},s{k}_{s,2},p{k}_{r},s{k}_{r})\u27f5KeyGen\left(sp\right)$; |

$({w}_{0},{w}_{1},{M}^{*})\u27f5{\mathcal{A}}_{2}^{\mathcal{O}}(sp,(p{k}_{s,2},s{k}_{s,2}),p{k}_{s,1},p{k}_{r})$; |

$({C}_{1}^{\prime},{C}_{2,b})\u27f5\mathcal{B}({M}^{*},{w}_{b},p{k}_{s,1},p{k}_{s,2},p{k}_{r},b\in \{0,1\})$; |

${b}^{\prime}\u27f5{\mathcal{A}}_{2}^{\mathcal{O}}({C}_{1}^{\prime},{C}_{2,b},guess)$; |

if $\{{w}_{0},{w}_{1}\}\bigcap Kset=\varphi $, then return 1, if ${b}^{\prime}=b$; |

else return 0. |

Oracle $\mathcal{O}\left(w\right)$: |

$Kset=Kset\bigcup \left\{w\right\}$, ${T}_{w}\u27f5\mathcal{O}(p{k}_{s,1},p{k}_{s,2},p{k}_{r},s{k}_{r},w)$; |

return $\left\{{T}_{w}\right\}$ |

Game IND-Trapdoor 1 ${\mathit{Exp}}_{{\mathcal{A}}_{3}}^{\mathit{off}-\mathit{line}\phantom{\rule{3.33333pt}{0ex}}\mathit{KGA}}\left[\mathit{DSS}\right]$ |

$Kset\u27f5\varphi $ |

$(p{k}_{s,1},s{k}_{s,1},p{k}_{s,2},s{k}_{s,2},p{k}_{r},s{k}_{r})\u27f5KeyGen\left(sp\right)$; |

$({w}_{0},{w}_{1})\u27f5{\mathcal{A}}_{3}^{\mathcal{O}}(sp,(p{k}_{s,1},s{k}_{s,1}),p{k}_{s,2},p{k}_{r})$; |

${T}_{b}\u27f5\mathcal{B}({w}_{b},p{k}_{s,1},p{k}_{s,2},p{k}_{r},s{k}_{r},b\in \{0,1\})$; |

${b}^{\prime}\u27f5{\mathcal{A}}_{3}^{\mathcal{O}}({T}_{b},guess)$; |

if $\{{w}_{0},{w}_{1}\}\bigcap Kset=\varphi $, then return 1, if ${b}^{\prime}=b$; |

else return 0. |

Oracle $\mathcal{O}\left(w\right)$: |

$Kset=Kset\bigcup \left\{w\right\}$, ${T}_{w}\u27f5\mathcal{O}(p{k}_{s,1},p{k}_{s,2},p{k}_{r},s{k}_{r},w)$; |

return $\left\{{T}_{w}\right\}$ |

Game IND-Trapdoor 2 ${\mathit{Exp}}_{{\mathcal{A}}_{4}}^{\mathit{off}-\mathit{line}\phantom{\rule{3.33333pt}{0ex}}\mathit{KGA}}\left[\mathit{DSS}\right]$ |

$Kset\u27f5\varphi $ |

$(p{k}_{s,1},s{k}_{s,1},p{k}_{s,2},s{k}_{s,2},p{k}_{r},s{k}_{r})\u27f5KeyGen\left(sp\right)$; |

$({w}_{0},{w}_{1})\u27f5{\mathcal{A}}_{4}^{\mathcal{O}}(sp,p{k}_{s,1},(p{k}_{s,2},s{k}_{s,2}),p{k}_{r})$; |

${T}_{b}\u27f5\mathcal{B}({w}_{b},p{k}_{s,1},p{k}_{s,2},p{k}_{r},s{k}_{r},b\in \{0,1\})$; |

${b}^{\prime}\u27f5{\mathcal{A}}_{4}^{\mathcal{O}}({T}_{b},guess)$; |

if $\{{w}_{0},{w}_{1}\}\bigcap Kset=\varphi $, then return 1, if ${b}^{\prime}=b$; |

else return 0. |

Oracle $\mathcal{O}\left(w\right)$: |

return $\left\{{T}_{w}\right\}$ |

Game IND-Double ciphertext ${\mathit{Exp}}_{{\mathcal{A}}_{5}}^{\mathit{Online}-\mathit{KGA}}\left[\mathit{DSS}\right]$ |

$(p{k}_{s,1},s{k}_{s,1},p{k}_{s,2},s{k}_{s,2},p{k}_{r},s{k}_{r})\u27f5KeyGen\left(sp\right)$; |

$({C}_{1,0},{C}_{1,1})\u27f5{\mathcal{A}}_{5}(sp,p{k}_{s,1},(p{k}_{s,2},s{k}_{s,2}),p{k}_{r})$; |

${C}_{1,b}^{\prime}\u27f5\mathcal{B}({C}_{1,b},p{k}_{s,1},p{k}_{s,2},p{k}_{r},b\in \{0,1\})$; |

${b}^{\prime}\u27f5{\mathcal{A}}_{5}({C}_{1,b}^{\prime},guess)$; |

Then return 1, if ${b}^{\prime}=b$; else return 0. |

Game IND-CKA 3 ${\mathit{Exp}}_{{\mathcal{A}}_{6}}^{\mathit{CKA}}\left[\mathit{DSS}\right]$ |

$Kset\u27f5\varphi $ |

$(p{k}_{s,1},s{k}_{s,1},p{k}_{s,2},s{k}_{s,2},p{k}_{r},s{k}_{r})\u27f5KeyGen\left(sp\right)$; |

$({w}_{0},{w}_{1})\u27f5{\mathcal{A}}_{6}^{\mathcal{O}}(sp,(p{k}_{s,2},s{k}_{s,2}),p{k}_{s,1},p{k}_{r})$; |

${C}_{2,{b}_{1}}\u27f5\mathcal{B}({w}_{{b}_{1}},p{k}_{s,1},p{k}_{s,2},p{k}_{r},{b}_{1}\in \{0,1\})$; |

${T}_{{w}_{{b}_{2}}}\u27f5\mathcal{B}({w}_{{b}_{2}},p{k}_{s,1},p{k}_{s,2},p{k}_{r},s{k}_{r},{b}_{2}\in \{0,1\})$; |

${C}_{T}\u27f5\mathcal{B}({C}_{2,{b}_{1}},{T}_{{w}_{{b}_{2}}},p{k}_{s,1},s{k}_{s,1},p{k}_{s,2},p{k}_{r})$; |

$({b}_{1}^{\prime},{b}_{2}^{\prime})\u27f5{\mathcal{A}}_{6}^{\mathcal{O}}({C}_{T},guess)$; |

if $\{{w}_{0},{w}_{1}\}\bigcap Kset=\varphi $, then return 1, if $({b}_{1}^{\prime},{b}_{2}^{\prime})=({b}_{1},{b}_{2})$; |

else return 0. |

Oracle $\mathcal{O}\left(w\right)$: |

return $\left\{{T}_{w}\right\}$ |

BCOP [10] | BSW [14] | RPSL [17] | Our | |
---|---|---|---|---|

MCiph | - | - | - | $2{E}_{1}$ |

KCiph | $2{E}_{1}^{\prime}+h+e$ | ${E}_{1}^{\prime}+{E}_{2}^{\prime}+h+2e$ | $2{E}_{1}^{\prime}+h+e$ | $4{E}_{1}+h$ |

ReEnc | - | - | - | $2{E}_{1}$ |

Trapdoor | ${E}_{1}^{\prime}+h$ | ${E}_{1}^{\prime}+h$ | $3{E}_{1}^{\prime}+2h+I+PM$ | $4{E}_{1}+h+2I$ |

Test | e | ${E}_{1}^{\prime}+e+PM$ | $2{E}_{1}^{\prime}+h+e+PM$ | $7{E}_{1}$ |

Dec | - | - | - | $2{E}_{1}$ |

© 2019 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Zhu, B.; Susilo, W.; Qin, J.; Guo, F.; Zhao, Z.; Ma, J.
A Secure and Efficient Data Sharing and Searching Scheme in Wireless Sensor Networks. *Sensors* **2019**, *19*, 2583.
https://doi.org/10.3390/s19112583

**AMA Style**

Zhu B, Susilo W, Qin J, Guo F, Zhao Z, Ma J.
A Secure and Efficient Data Sharing and Searching Scheme in Wireless Sensor Networks. *Sensors*. 2019; 19(11):2583.
https://doi.org/10.3390/s19112583

**Chicago/Turabian Style**

Zhu, Binrui, Willy Susilo, Jing Qin, Fuchun Guo, Zhen Zhao, and Jixin Ma.
2019. "A Secure and Efficient Data Sharing and Searching Scheme in Wireless Sensor Networks" *Sensors* 19, no. 11: 2583.
https://doi.org/10.3390/s19112583