A Secure Data Sharing Scheme with Designated Server

The cloud-assisted Internet of Things (CIoT) is booming; it utilizes the powerful data processing capabilities of the cloud platform to handle massive Internet of Things (IoT) data. However, the CIoT faces new security challenges, such as the confidentiality of the outsourced data. Data encryption is a fundamental technique that can guarantee the confidentiality of outsourced data, but it limits the retrieval of target encrypted data from the cloud platform. Public key encryption with keyword search (PEKS) provides a promising solution to this problem. In PEKS, a cloud server can be authorized to search for a keyword in encrypted documents and retrieve the associated encrypted documents for the receiver. However, most existing PEKS schemes focus merely on the keyword search function while ignoring the encryption/decryption of the associated documents. Thus, in practice, a PEKS scheme must cooperate with a separate public key encryption (PKE) scheme to form a complete secure data sharing scheme. To address this problem, in this paper we propose a secure data sharing scheme with designated server that combines a PKE scheme with a PEKS scheme and provides both keyword search and document encryption/decryption functions. Furthermore, for enhanced security, only the designated server can search for the keyword over the encrypted documents in our work. Moreover, our scheme also satisfies public verifiability of search results, covering the correctness and integrity of both keyword and document ciphertexts. As to security, our scheme provides stronger indistinguishability security of documents and keywords in the proposed security model.


Introduction
Cloud storage has been widely deployed in daily life. As a promising application, the cloud-assisted Internet of Things (CIoT) has utilized cloud storage to store its data and reduce the burden of data processing, as shown in Figure 1. In CIoT, users rely on the cloud platform to complete data storage and data sharing. Generally, data is migrated from the user to a cloud server, and the cloud server is widely recognized as an honest-but-curious party. However, the cloud storage is provided by a third party and the user's data may contain private information. Therefore, the user should encrypt the data prior to uploading it to the cloud server to protect data confidentiality. Unfortunately, this approach eliminates the data search service provided by modern search engines, which inevitably makes an effective data search function a challenging research problem. A trivial solution is to download the full encrypted data and then decrypt it to obtain the plaintext. Of course, this occupies a large amount of local storage space and communication bandwidth. Another trivial solution is that the user sends the private key to the cloud server. The server decrypts the encrypted data in the cloud, searches the plaintext on behalf of the user, and retrieves the intended data. This solution solves the above problem, but it compromises data privacy, which violates the original intention of data encryption. Focusing on the aforementioned problem, searchable encryption was proposed. Searchable encryption enables a data receiver to authorize the cloud server to search in encrypted documents without decrypting them. Searchable encryption is mainly divided into two techniques: symmetric searchable encryption (SSE) and public key encryption with keyword search (PEKS). In SSE, a shared key is required to achieve the data sharing function in the cloud platform. PEKS was proposed in 2004 by Boneh et al. [1]; it realizes the keyword search function and eliminates complicated key management in the cloud platform. The general PEKS system includes three participants, i.e., a data sender, a data receiver, and a cloud server. The data sender encrypts the keyword index using the receiver's public key and uploads the keyword ciphertexts to the cloud server. The data receiver uses its private key to generate a keyword trapdoor and transmits the trapdoor to the cloud server. The cloud server uses the trapdoor to match the keyword ciphertext: if the keyword in the ciphertext and the keyword in the trapdoor are identical, the test outputs equal; otherwise, it outputs not equal.
However, PEKS mainly focuses on the keyword search process and omits the encryption/decryption of the associated documents, merely stating that a standard encryption scheme is used to encrypt them. In actual applications, document encryption/decryption is indispensable, since the corresponding documents are what we really need. Therefore, it is essential and meaningful to combine a public key encryption (PKE) scheme with a PEKS scheme to form a complete secure data sharing scheme. For this reason, a complete scheme named integrated PKE and PEKS scheme is suggested, which combines PEKS with PKE to encrypt the keyword  and its corresponding document message  together. The PEKS-PKE system includes three participants, i.e., a data sender, a data receiver, and a cloud server. The data sender encrypts the message  using the receiver's public key   . It also encrypts the keyword   with the receiver's public key   , appends the result to the message ciphertext, and then uploads the encrypted message and keyword   ‖    to the cloud server. The receiver generates the trapdoor   with its private key   and uploads   to the cloud server. The cloud server matches the keyword trapdoor   with the encrypted keywords    ; if the same keyword is used, it outputs  and returns   to the receiver; otherwise, it outputs  and returns ⊥. The data receiver uses its private key   to decrypt the message ciphertext   .
This integrated PEKS-PKE scheme provides both a keyword  search function and a message  encryption/decryption function. Most PEKS schemes after Boneh's scheme do not describe how to achieve this complete scheme.
When searching for a keyword in the cloud, we generally assume that the cloud server is honest but curious, which means that it performs the search operation honestly while being curious about the keyword content. However, in practical applications, the server may not always behave honestly. Generally, the cloud server is managed and operated by a business company. The company may delete encrypted data to release storage space for its own benefit. In addition, the server may be broken into by a malicious intruder Eve, or it may unintentionally delete data. When performing a search operation, the server may return only part of the search results to deceive the receiver. Since the receiver does not know the content of the encrypted document, or even whether the encrypted document is associated with the keyword, this poses a threat to the correctness and integrity of the receiver's data. In addition, the receiver may claim that the cloud server has lost some data or returned incorrect search results, and doubt the behavior of the cloud server even if the provider has performed all required operations honestly. This will cause disputes. Therefore, if there is an honest-but-curious third party who can verify the integrity and correctness of the search results in a public manner, we can ensure that the cloud server honestly performs the keyword search operation and resolve disputes with the receiver.
Consider a specific scenario: a Personal Health Record (PHR) is a confidential document to anyone except the patient and the chief physician. In order to protect patients' privacy, patients need to encrypt the PHR data prior to uploading it to the cloud server. We can use a PEKS scheme to solve the keyword search problem in encrypted PHRs. However, the above PEKS requires that the cloud server is totally trusted; that is, it honestly stores the encrypted documents, performs the search operation, and returns the encrypted PHR. We know that it is not practical for a hospital to assume that a cloud platform is honest. Generally, the hospital will outsource the construction of the cloud platform to a professional company, and the physical control of the encrypted PHRs belongs to that company. Therefore, the cloud platform may delete some encrypted PHRs to release storage space for its economic benefit. It may perform a dishonest search operation to deceive the chief physician and the patient. The chief physician does not know the correctness and integrity of the search results, yet is in charge of the diagnosis and treatment of patients. When the encrypted PHR search results are incomplete, the chief physician may reach incorrect diagnostic results with serious consequences. Furthermore, once there is medical negligence, the chief physician may unilaterally claim that the cloud server has lost some data or returned incorrect search results and deliberately pass the buck to the cloud service provider even if the provider has performed all required operations honestly. A straightforward solution is that the patient sends the PHR integrity evidence to the chief physician. The chief physician downloads all the encrypted data and then checks its integrity. This solution has two drawbacks: it breaks the asymmetry of PEKS, and the communication cost is too expensive.
From the above discussion, we can see that it is important to combine PKE and PEKS while providing public verifiability under an untrusted cloud platform. Maintaining the privacy and public verifiability of search results is an exciting and unresolved research problem.
Recently, Zhang et al. [2] proposed a publicly verifiable searchable encryption scheme. The scheme discussed the correctness of the returned keyword ciphertexts but lacked the integrity of both document and keyword ciphertexts.
In 2018, we proposed a PEKS scheme with public verifiability [3]. Our scheme achieves the correctness and integrity of keyword ciphertexts. However, when the cloud server is not honest, we only discussed incomplete keyword ciphertexts, while the corresponding encrypted documents are what we really need. That is to say, when the cloud server returns an encrypted document, it may return another uncorrelated encrypted document together with a correct keyword ciphertext. In this case, the cloud server can still pass the verification by a swapping attack. In addition, the tag generation phase lacks an index label, which reduces the efficiency of verification. Furthermore, the tag only includes the keyword and the corresponding document serial number, which may also let the cloud server easily forge the tag. Therefore, in practical applications, the scheme is very fragile. Our previous scheme also focuses only on the keyword search function, while ignoring the encryption/decryption of the associated documents.
In this paper, we propose a secure data sharing scheme with designated server that captures both the PKE and PEKS functions, providing both keyword search and document encryption/decryption. Furthermore, only the designated server can search for the keyword, for enhanced security. Our scheme can also satisfy the public verifiability of search results, including both document and keyword ciphertexts, achieving correctness and integrity. The scheme is a great improvement compared with our previous work.
1.1. Our Contributions. Specifically, our contributions are as follows: (1) We introduce the definition of a secure data sharing scheme with designated server, which provides both keyword search and document encryption/decryption functions.
(2) We propose a concrete secure data sharing scheme with designated server. Our scheme achieves document indistinguishability against chosen ciphertext attack (IND-CCA), keyword indistinguishability against chosen keyword attack (IND-CKA), and trapdoor indistinguishability.
(3) It achieves the public verifiability of search results, which covers the correctness and integrity of both keyword and document ciphertexts.
(4) Our scheme removes the secure channel between the data receiver and the cloud server, since only the designated server can perform the matching operation.
The technical route is as follows: we choose the Variable Hashed Elgamal scheme [4] as the document encryption/decryption scheme and the PEKS with a designated tester (dPEKS) scheme as the searchable encryption scheme. These two schemes are the basic components. The Variable Elgamal scheme is an encryption scheme that provides document ciphertext indistinguishability against chosen ciphertext attack (IND-CCA). The dPEKS scheme is a searchable encryption scheme that provides keyword ciphertext indistinguishability against chosen keyword attack (IND-CKA). The trivial solution is to combine Variable Elgamal encryption with dPEKS, but there is a problem: the server is not fully trusted. The server may perform a swapping keyword attack, in which the data receiver gets a document message it does not need. For example, when the receiver searches for the document  1 corresponding to the keyword  1 , the server swaps the documents  2 ,  1 and returns the document  2 corresponding to the keyword  2 . Therefore, the receiver cannot get the document  1 that it really needs. To resist this attack, we need to bind the keyword ciphertext and the document ciphertext so that a malicious server cannot perform the swapping attack. In addition, we also need to consider the security of the combined scheme.
Since the keyword space in common use is limited, an outside adversary can guess a keyword and generate its keyword ciphertext; if the outside adversary can perform the matching operation, it can test guesses against the trapdoor until it finds the true keyword. We call this attack the offline keyword guessing attack (offline KGA). To resist this offline KGA, we generate a key pair for the cloud server. Only the designated server can perform the keyword search operation, which prevents an outside adversary's offline KGA. We need to point out here that the adversary may also recover the guessed keyword by comparing two bilinear pairings without generating a keyword ciphertext. Therefore, the trapdoor in the proposed scheme must also satisfy trapdoor indistinguishability to resist offline KGA.
1.2. Related Works. Song et al. [8] proposed the first symmetric searchable encryption (SSE) scheme in 2000. Song's scheme requires a word-by-word comparison to complete the keyword search operation. After Song's work, many researchers proposed SSE schemes [9][10][11]. In [12], it is shown that an anonymous IBE scheme can be transformed into a PEKS scheme, and a temporary keyword search scheme is proposed. In 2008, Baek et al. [5] proposed the PEKS with a designated tester scheme, which does not require a secure channel. In 2010, Rhee et al. [13] proposed a scheme that can resist an outside attacker's offline KGA in the trapdoor indistinguishability security model. In 2013, Fang et al. [14] proposed a PEKS scheme in the standard model that can resist an outside attacker's offline KGA. Later, many researchers studied the offline KGA and proposed many schemes [15][16][17][18][19][20].
In 2014, Zheng et al. [21] proposed the first verifiable attribute-based encryption with keyword search scheme. This scheme flexibly uses Bloom filters and signatures to achieve verifiability. In Zheng et al.'s scheme, the attribute ciphertext and trapdoor are proportional to the number of attributes. It also requires a secure channel and supports only private verification by the receiver. After this work, many researchers proposed attribute-based encryption with keyword search schemes [22,23].
In 2006, Baek et al. [24] proposed the first PEKS-PKE scheme. This scheme realizes the functions of document encryption/decryption and keyword search. Baek et al.'s scheme only discusses the security of the document, does not address the security of the keyword, and needs a secure channel. In 2009, Zhang et al. [7] proposed a PEKS-PKE scheme that addresses the security of the keyword. It has two public and private key pairs and requires a secure channel. Chen et al. [6] proposed a PEKS-PKE scheme in 2016, and Chen et al.'s general construction leaks the keyword to the server. These three schemes do not discuss the security of the trapdoor, and they do not support correctness and integrity verification of the search results, i.e., of the returned document and keyword ciphertexts.
1.3. Organization. The paper is organized as follows. Section 1 is the introduction. The scheme definition and security models are described in Section 2. A secure data sharing scheme with designated server is proposed in Section 3. We analyze the security and efficiency of the proposed scheme in Section 3. The paper is concluded in Section 4.

Scheme Definition and Security Models
2.1. System Model. The system model of the secure data sharing scheme with designated server that supports public verifiability is shown in Figure 2. There are four participants in this model: a data sender, a receiver, a cloud server, and a third party verifier.
First, the data sender encrypts the document message  using the receiver's public key   and the encryption algorithm  to form the message ciphertext   , encrypts the corresponding keyword   using the cloud server's public key   , the receiver's public key   , and the encryption algorithm  to form the keyword ciphertext    , then binds   and    to form the ciphertext , and uploads the ciphertext  to the cloud server. The data sender also uses the cloud server public key   , the receiver public key   , the keyword   , the keyword ciphertext    , and the corresponding message ciphertext   to generate the verification tag  and sends the verification tag  to the third party verifier.
Second, the receiver uses its secret key   and the cloud server's public key   to generate the keyword trapdoor   together with the verification trapdoor   and transmits   to the cloud server. The cloud server then uses the trapdoor   and the ciphertext  to compute the matching result. If the keyword in the ciphertext  and the keyword in the trapdoor   are equal, the cloud server returns the ciphertext  to the receiver. Next, to obtain the message , the receiver decrypts  using its secret key   .
In the final step, when there is a dispute between the cloud server and the receiver, the third party verifier uses the verification trapdoor   from the receiver and the verification tag  and returns the verification result.

Scheme Definition
Definition 1. More specifically, a secure data sharing scheme with designated server consists of the following algorithms: (1) sp ← SysGen(1^k): on input a security parameter 1^k, output a system parameter .
(2) (pk r , sk r ) ← KeyGen receiver (sp): on input the system parameter , output a pair of public and secret keys (  ,   ) for the receiver.
(3) (pk s , sk s ) ← KeyGen server (sp): on input the system parameter , output a pair of public and secret keys (  ,   ) for the cloud server.
(4) u ← Enc(sp, pk s , pk r , w, m): on input the system parameter , the cloud server public key   , the receiver public key   , the keyword , and the document message , output a ciphertext  = (  ,   , ), in which   = (,   , ) is the message ciphertext,   = (,   ,   , ) is the keyword ciphertext, and  is a binding tag.
(5)  w i ← Tag(sp, pk s , pk r , w i , C w i , C j ): on input the system parameter , the cloud server public key   , the receiver public key   , the keyword   , the keyword ciphertext    , and the message ciphertext   , in which  is the serial number of the keyword and  is the serial number of the message corresponding to the keyword   , output the verification tag    and release    to the third party verifier.
(6) (T w , VK w ) ← Trapdoor(sp, pk s , sk r , w): on input the system parameter , the cloud server public key   , the receiver secret key   , and the keyword , output the keyword search trapdoor   and the verification trapdoor   .
(7) u or ⊥ ← Test(sp, sk s , T w , u): on input the system parameter , the cloud server secret key   , the keyword search trapdoor   , and the ciphertext , output the ciphertext  if the keyword in  and the keyword in   are equal; otherwise, output ⊥.
(8) m or ⊥ ← Dec(sp, sk r , u): on input the system parameter , the receiver secret key   , and the ciphertext , output the message  or ⊥.
(9) 1 or 0 ← Public verify(sp, VK w , ): when there is a dispute between the cloud server and the receiver, the third party verifier inputs the system parameter , the verification trapdoor   , and the verification tag , and outputs the verification result 1 if the verification condition is satisfied, and 0 otherwise.
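The binding tag produced by Enc and the Tag/Public verify pair above are the parts of Definition 1 that address the swapping keyword attack described in Section 1. The following Python model is added here as an illustration and is not code from the paper: it replaces the pairing-based message and keyword ciphertexts with opaque random byte strings, models the verification trapdoor VK_w as a keyword-bound hash label (which gives up the trapdoor indistinguishability the paper's VK_w provides), omits the keyword Test algorithm and the challenge-response of the paper's Public verify, and keeps only the binding tag, the sender-released verification tags, and the third party verifier's correctness and integrity checks. The key strings, keywords and document indices are constructed sample values.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Simplified model (constructed for this example) of the binding tag and the
# third party verification. Keyword search itself is not modelled: the server
# simply returns records stored under a keyword serial number i.


def H(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 over several byte strings; stands in for the
    paper's hash functions H_4 (binding tag) and H_5 (verification tag)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


@dataclass(frozen=True)
class Ciphertext:
    c_m: bytes    # document ciphertext C_m (opaque random bytes in this model)
    c_w: bytes    # keyword ciphertext C_w (opaque random bytes in this model)
    gamma: bytes  # binding tag gamma = H_4(pk_s, pk_r, C_m, C_w)


def enc(pk_s: bytes, pk_r: bytes) -> Ciphertext:
    """Enc of the model: C_m and C_w are placeholders for the real ciphertexts;
    only their binding by gamma is reproduced."""
    c_m = secrets.token_bytes(32)
    c_w = secrets.token_bytes(32)
    return Ciphertext(c_m, c_w, H(pk_s, pk_r, c_m, c_w))


def verification_key(pk_r: bytes, w: bytes) -> bytes:
    """Stand-in for VK_w: a keyword-bound label that sender and receiver can
    both derive. Unlike the paper's VK_w it is not indistinguishable; it only
    lets the verifier select the tags that belong to the disputed keyword."""
    return H(b"vk", pk_r, w)


def tag(vk_w: bytes, j: int, u: Ciphertext) -> bytes:
    """Tag: verification tag tau for document j under keyword label vk_w,
    released by the sender to the third party verifier."""
    return H(vk_w, j.to_bytes(4, "big"), u.c_w, u.c_m)


def public_verify(pk_s: bytes, pk_r: bytes, vk_w: bytes,
                  tags: dict, returned: list) -> int:
    """Public verify: 1 if every returned ciphertext is correctly bound and
    matches a released tag, and no document indexed under vk_w is missing."""
    expected = tags.get(vk_w, {})
    seen = set()
    for j, u in returned:
        if u.gamma != H(pk_s, pk_r, u.c_m, u.c_w):   # C_m/C_w binding broken
            return 0
        if expected.get(j) != tag(vk_w, j, u):        # not what the sender released
            return 0
        seen.add(j)
    return 1 if seen == set(expected) else 0          # integrity: nothing dropped


def simulate() -> dict:
    """Constructed scenario: keyword w1 indexes documents 1 and 2, keyword w2
    indexes document 3. Returns the verifier's verdict for several server
    behaviours when the receiver searches for w1."""
    pk_s, pk_r = b"server-public-key", b"receiver-public-key"   # placeholders
    w1, w2 = b"cardiology", b"oncology"
    vk1, vk2 = verification_key(pk_r, w1), verification_key(pk_r, w2)
    # sender side: encrypt each (keyword i, document j) pair and release tags
    store = {1: {1: enc(pk_s, pk_r), 2: enc(pk_s, pk_r)}, 2: {3: enc(pk_s, pk_r)}}
    tags = {vk1: {j: tag(vk1, j, u) for j, u in store[1].items()},
            vk2: {j: tag(vk2, j, u) for j, u in store[2].items()}}
    u1, u2, u3 = store[1][1], store[1][2], store[2][3]
    # a server returning document 3's C_m under document 1's keyword ciphertext
    swapped = Ciphertext(u3.c_m, u1.c_w, u1.gamma)
    # the same swap with gamma recomputed, so the binding check alone passes
    rebound = Ciphertext(u3.c_m, u1.c_w, H(pk_s, pk_r, u3.c_m, u1.c_w))
    return {
        "honest": public_verify(pk_s, pk_r, vk1, tags, [(1, u1), (2, u2)]),
        "swap": public_verify(pk_s, pk_r, vk1, tags, [(1, swapped), (2, u2)]),
        "rebound_swap": public_verify(pk_s, pk_r, vk1, tags, [(1, rebound), (2, u2)]),
        "drop": public_verify(pk_s, pk_r, vk1, tags, [(1, u1)]),
    }


if __name__ == "__main__":
    print(simulate())
```

`simulate()` returns the verdict for each modelled server behaviour: the honest result set passes; a result whose C_m belongs to another document fails the binding check; a result whose binding tag was recomputed over the swapped pair passes the binding check but fails against the tag the sender released to the verifier, which is why the verifier must hold tags it did not receive from the server; and a result set with one of the two matching documents missing fails the integrity check because the released tags are indexed by serial number.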

Security Model.
We define four security models: IND-CKA, trapdoor indistinguishability (IND-Trapdoor), IND-CCA, and public verifiability.
We first define keyword ciphertext semantic security. No adversary can distinguish the challenge keyword ciphertext unless the trapdoor is available. Formally, we define the security game IND-CKA  played between a challenger B and an adversary A  ,  = 1, 2.
In IND-CKA 1, the challenger B generates the receiver key pair (  ,   ) and sends the public key   to the cloud server adversary A 1 . The adversary A 1 generates the cloud server key pair (  ,   ) and sends the public key   to the challenger. The adversary can access the trapdoor oracle O 1 () to get the trapdoor   of any keyword and access the decryption oracle O 2 () on any ciphertext , and then outputs two distinct challenge keywords and a message ( 0 ,  1 ,  * ), in which   ̸ =   ,  ∈ {0, 1}. The challenger generates the challenge ciphertext   of (  ,  * ) with a random bit  and sends it to A 1 . During the game, the adversary can adaptively continue to query the decryption oracle O 2 () and the trapdoor oracle O 1 (), except on the challenge keywords. Finally, the adversary A 1 outputs a bit   as its guess.
In IND-CKA 2, the game is played between a challenger B and an outside adversary. We define the advantage of   as
Next, we define keyword trapdoor semantic security. No adversary can distinguish the challenge trapdoor; that is to say, the challenge trapdoor does not reveal any  We define the advantage of A 3 as
After that, we define document message ciphertext semantic security. No adversary can distinguish the challenge message ciphertext, even with access to the decryption oracle O 2 (). Formally, we define the security game IND-CCA.
IND-CCA is similar to IND-CKA 1. The difference is that the adversary outputs two distinct challenge
Finally, we define public verifiability security. No adversary can forge a challenge response without the complete ciphertext.
In the public verifiability security model, the challenger generates the key pairs (  ,   ), (  ,   ) and sends the public keys   ,   and the secret key   to the adversary A 5 . The challenger B generates a query request ℎ  and sends it to the adversary. The adversary A 5 forges a challenge response   and sends it to the challenger. Finally, the challenger outputs a bit  as its verification result.
Definition 5 (see Box 5). A secure data sharing scheme with designated server satisfies public verifiability security if no PPT adversary A 5 can win the public verifiability (PV) game with non-negligible advantage, where B is the challenger and A 5 is the cloud server.
We define the advantage of A 5 as

A Secure Data Sharing Scheme with Designated Server
In this section, we propose an efficient construction of a secure data sharing scheme with designated server. The algorithm outputs the system parameter  = (,  1 ,  2 ,  3 ,  4 ,  5 , , , ũ).
KeyGen receiver (sp): this algorithm inputs the system parameter , chooses a random number  ∈  *  , and outputs a pair of public and secret keys (  ,   ) for the receiver:
KeyGen server (sp): this algorithm inputs the system parameter , chooses a random number  ∈  *  , and outputs a pair of public and secret keys (  ,   ) for the cloud server:
Enc(sp, pk s , pk r , w i , m j ): this algorithm inputs the system parameter , the cloud server public key   , the receiver public key   , the keyword   , in which  = 1, 2, . . .,  is the serial number of the keyword, and the message   ∈ {0, 1}  , in which  = 1, 2, . . .,  is the serial number of the message corresponding to the keyword   . It chooses random numbers ,   ∈  *  and outputs the ciphertext: where the message ciphertext is and the keyword ciphertext is and the binding tag is  =  4 (,   ,   ,    ).
Tag(sp, pk s , pk r , w i , C w i , C j ): this algorithm inputs the system parameter , the cloud server public key   , the receiver public key   , the keyword   , the keyword ciphertext    , and the message ciphertext   , in which  = 1, 2, . . .,  is the serial number of the keyword and  = 1, 2, . . .,  is the serial number of the message corresponding to the keyword   . It outputs the verification tag    and releases it to the third party verifier.
Security and Communication Networks
Trapdoor(sp, pk s , sk r , w): this algorithm inputs the system parameter , the cloud server public key   , the receiver secret key   , and the keyword , and outputs the search trapdoor We also have the verification trapdoor   :
Test(sp, sk s , T w , u): this algorithm inputs the system parameter , the cloud server secret key   , the trapdoor   , and the ciphertext , and outputs the ciphertext  if and ⊥ otherwise.
Dec(sp, sk r , u): this algorithm inputs the system parameter , the receiver secret key   , and the ciphertext , and outputs the message if and ⊥ otherwise.
Public verify(sp, VK w , , u): when there is a dispute between the cloud server and the receiver, this algorithm inputs the system parameter , the verification trapdoor   , the verification tag , and the ciphertext , and outputs the verification result 1 if the verification condition is satisfied, and 0 otherwise. The verification process can be divided into three steps: (i) Challenge query(sp): the third party verifier inputs the system parameter  and chooses random numbers  ∈ [1, 2  − 1],  ∈  *  . It keeps  as a secret value and stores it. It outputs the challenge query ℎ  and sends it to the cloud server. (ii) GenProof(ch w , sp, u): the server inputs the returned ciphertext , the system parameter , and the challenge query ℎ  . It computes   =   () and outputs the challenge response (iii) Verify(sp, VK w ,  w , R, s): the third party verifier inputs the system parameter , the verification trapdoor   , the verification tag   , the challenge response , and the secret value . From   and   = [ 1 ,   ], if   =  1 , it obtains   and computes It outputs 1 if  =   and 0 otherwise.

Proof of Construction.
In the following theorems, we prove that our scheme satisfies keyword ciphertext security, trapdoor indistinguishability security, document ciphertext security, and public verifiability security in the proposed security model. We prove that our scheme is based on the 1-BDHI, BDH, DDH, and CDH hard problems.  1 and   in the following problems are groups of prime order  from a bilinear pairing unless otherwise specified.
Proof. (1) Suppose there is a cloud server adversary A 1 that can break our scheme in the IND-CKA 1 security model with advantage . In order to solve the 1-BDHI hard problem, let us construct a simulator B with a problem instance (,   ) over the cyclic group ( 1 , , ). Our goal is to compute the value (, ) 1/ .

Hash Query
1 -Query. The adversary A 1 can query   ∈  1 to  1 . If there exists a <   ,   > in the  1 list, then the simulator B responds with  1 (  ) =   ; otherwise, the simulator B randomly chooses a value   , returns it to the adversary A 1 , and adds <   ,   > to the  1 list. The  1 list is initially empty.
2 -Query. The adversary A 1 can query   to  2 . The simulator maintains a list of tuples <   , V  ,   ,   >, and the  2 list is initially empty. If   already exists in the  2 list, then the simulator B responds with  2 (  ) = V  ; otherwise, the simulator B generates a random coin   ∈ {0, 1} with [  = 0] = 1/(  + 1). It randomly chooses   ∈  *  , sets V  =    if   = 0 and V  =    if   = 1, and adds <   , V  ,   ,   > to the  2 list.
3 -Query. The adversary A 1 can query   to  3 . If there exists a <   ,   > in the  3 list, then the simulator B responds with  3 (  ) =   ; otherwise, the simulator B randomly chooses a value   , returns it to the adversary A 1 , and adds <   ,   > to the  3 list. The  3 list is initially empty.
4 -Query. The adversary A 1 can query (  ,   ,   ,    ) to  4 . If there exists a ((  ,   ,   ,    ),   ) in the  4 list, then the simulator B responds with  4 (  ,   ,   ,    ) =   ; otherwise, the simulator B randomly chooses a value   , returns it to the adversary A 1 , and adds the value to the  4 list. The  4 list is initially empty.
Trapdoor Query. The adversary A 1 can query   to the trapdoor oracle. First the simulator checks the  2 list; if   = 0, the simulation aborts. Otherwise, the simulator computes in which   is randomly chosen from  *  . Therefore, the simulator completes the trapdoor query and the trapdoor is correct.
Trapdoor Query. The adversary A 1 adaptively makes trapdoor queries on   ,  ̸ =  0 ,  1 . The simulator B computes the trapdoor as in the trapdoor query above.
Decryption Query. The adversary A 1 can query  to the decryption oracle, answered as in the decryption query above.
Guess. The adversary A 1 outputs a bit   as its guess.
Through the above description, we have completed the simulation of the scheme, and the simulation is correct. Next we discuss the indistinguishability of the simulation.
When the hash query is not a challenge hash query ( 2 (  ),  1 )   = (   ,   ) ℎ/ , the responses to the decryption query, the trapdoor query, and the challenge ciphertext are correct. All random numbers in the simulation process are random and independent. The random numbers include Therefore, the simulation of the scheme is indistinguishable.
When the hash query is not a challenge hash query, the challenge ciphertext is random. Therefore, the adversary wins the game with advantage 0.
Next we discuss the success of the simulation, i.e., that the simulator does not abort in the trapdoor query and challenge phases. The probability analysis can be found in [1]; we omit it here. The probability is   = 1/  . Therefore, the advantage with which the simulator solves the 1-BDHI hard problem is (2) Suppose there is an outside adversary A 2 (including the receiver) that can break our scheme in the IND-CKA 2 security model with advantage . In order to solve the BDH hard problem, let us construct a simulator B with a problem instance (,   ,   ,   ) over the cyclic group ( 1 , , ). Our goal is to compute the value (, )  .
The entire simulation process includes the following phases.
Therefore, the adversary needs to compute the Since  5 is a cryptographic hash function, the probability that the adversary outputs  w ‖ C ̸ =   ‖   and makes the equation hold is negligible.
As for the security of the verification tag, we can also prove the tag security for the third party verifier by a security reduction; we omit the details here.

Performance Analysis.
We use Tables 1 and 2 to show two comparisons between our secure data sharing scheme with designated server and previous schemes. In this section, the abbreviations Trap Ind, Ciph Ind, Offline KGA, PVS, SKA, and keyword Ciph denote trapdoor indistinguishability, ciphertext indistinguishability, offline keyword guessing attacks, public verifiability security, swapping keyword attacks, and keyword ciphertext, respectively. We use ,  1 ,  2 , ℎ,  to denote a pairing operation, an exponentiation in  1 , an exponentiation in  2 , a hash operation mapping a string to an element of a cyclic group, and a multiplication in  1 , respectively. We ignore other hash operations and multiplications.
To evaluate the efficiency of our scheme, we implement these operations on a Core(TM) i7-6500U CPU at 2.50GHz (2.60GHz) with 4GB RAM (3.89GB available) running Ubuntu 18.04. We use a Type-A pairing elliptic curve implemented in the PBC library. For the four schemes, we test the running time of the keyword ciphertext generation, trapdoor generation, and test algorithms, respectively. We first introduce some basic operation symbols. Each basic operation symbol denotes the running time of one operation in Table 4.
From Figures 3 and 4 and Tables 1 and 4, we find that our scheme is efficient in terms of the keyword ciphertext generation algorithm compared to BDOP [1], BSW [5], and CZLZ [6], since it saves some  1 modular exponentiations and  pairing computations. In particular, CZLZ [6] has the highest computation cost, requiring 2 1 modular exponentiations, 4 pairings, and 1ℎ hash computation per keyword ciphertext generation. BDOP [1] requires 2 1 modular exponentiations, 1 pairing, and 1ℎ hash computation per keyword ciphertext generation. BSW [5] requires 1 1 modular exponentiation, 2 pairings, and 1ℎ hash computation per keyword ciphertext generation. Our scheme requires 1 1 modular exponentiation, 1 pairing, and 1ℎ hash computation per keyword ciphertext generation; therefore, our scheme is more efficient in terms of the keyword ciphertext generation algorithm. As the number of keywords increases from 20 to 80 in Figure 4, our scheme remains efficient.
From Figures 3 and 5 and Tables 1 and 4, we find that our scheme is slightly more expensive in terms of the trapdoor   generation algorithm, since it adds 2 1 modular exponentiations compared to BDOP [1] and BSW [5]; it is worth noting that the trapdoor generation cost of our scheme is therefore slightly higher than those of existing schemes. However, BDOP [1], BSW [5], and CZLZ [6] suffer from a trapdoor security attack, namely offline KGA, whereas our scheme removes the secure channel between the cloud server and the receiver and thus saves the cost of establishing it. In addition, we can compress the trapdoor computation time from 7.014 ms to 2.876 ms: for the trapdoor   =  [ 1 ,  2 ] = [  1 ,  2 () 1/  ⋅   1 1 ], the term  2 () 1/  takes the same value for the same keyword, so the  1 + ℎ computation time can be saved when the same keyword is reused.
From Figures 3 and 6 and Tables 1 and 4, we find that our scheme is efficient in terms of the test algorithm compared to CZLZ [6], since it saves 3 pairings, 4 1 modular exponentiations, and 1ℎ hash computation. However, our scheme is slightly more expensive than BDOP [1], since it adds 1 1 + 1 2 computation compared to BDOP [1]; this is the price of removing the secure channel. In our scheme, only the designated server can search the keyword over encrypted documents, and no secure channel between the cloud server and the receiver is needed. The running time of the test algorithm in our scheme is almost the same as that of BSW [5]. In addition, cloud computing has the advantage of practically unlimited storage and computation capacity. Therefore, it is acceptable to add a little time in the test phase in exchange for avoiding the cost of establishing a secure channel.
Furthermore, from Table 2, we find that our scheme also offers stronger security than existing schemes, since it satisfies trapdoor indistinguishability, ciphertext indistinguishability, security against offline keyword guessing attacks, public verifiability, and security against swapping keyword attacks. From Table 3, we find that our scheme also offers more functionality than existing schemes, since it provides message and keyword encryption, message decryption, and public verifiability of search results.

Compared schemes (table rows): BDOP [1], BSW [5], ZH [7], CZLZ [6].

Conclusion
We define a secure data sharing scheme with designated server and propose a specific construction. In our framework, the scheme not only realizes document encryption/decryption but also achieves searchable encryption in the cloud environment. We also proved that our scheme achieves document indistinguishability against chosen ciphertext attack, keyword indistinguishability against chosen keyword attack, trapdoor indistinguishability, and public verifiability under the proposed security models. An important property of the proposed scheme is that the search results are publicly verifiable under a dishonest cloud server model, covering the ciphertexts of both documents and keywords. This scheme also solves the practical PHR scenario described in the introduction. Although we propose a DSS scheme with designated server that combines a PKE scheme with a PEKS scheme, designing a DSS scheme in the standard model and optimizing the trapdoor size would be a major step forward. In addition, since an increase in the number of receivers degrades the efficiency of our scheme, we would consider constructing a DSS scheme for the multi-receiver scenario.

Figure 2: Secure data sharing scheme with designated server model.
The game for A 2 is similar to IND-CKA 1. The details are in the following definition. Definition 2 ((IND-CKA); see Boxes 1 and 2). A secure data sharing scheme with designated server is IND-CKA secure if no probabilistic polynomial time (PPT) adversary A 1 can win game IND-CKA 1 and no PPT adversary A 2 can win game IND-CKA 2 with nonnegligible advantage, where B is the challenger, A 1 is the cloud server, and A 2 is the outside adversary (including a receiver).

Box 3: Game IND-Trapdoor for A 3 .
information about the keyword. The IND-Trapdoor game is similar to IND-CKA 1, except that the adversary is given the challenge trapdoor instead of the challenge ciphertext. In the IND-Trapdoor security model, the challenger B generates two key pairs (  ,   ), (  ,   ) and sends the public keys   ,   to the adversary A 3 . A 3 can access the trapdoor oracle O 1 () to obtain the trapdoor   of any keyword, and outputs two distinct challenge keywords ( 0 ,  1 ), where   ̸ =   ,  ∈ {0, 1}. The challenger generates the challenge trapdoor   of   for a random bit  and sends it to A 3 . During the game, the adversary A 3 can adaptively continue to query the trapdoor oracle O 1 () on any keyword except the challenge keywords. Finally, the adversary A 3 outputs   as its guess. Definition 3 ((IND-Trapdoor); see Box 3). A secure data sharing scheme with designated server satisfies trapdoor indistinguishability if no PPT adversary A 3 can win the game IND-Trapdoor with nonnegligible advantage, where B is the challenger and A 3 is an outside adversary.
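As an added illustration that is not code from the paper, the following Python harness plays the IND-Trapdoor game of Box 3 with a constructed toy trapdoor function standing in for the paper's construction: a trapdoor computed from the keyword alone, which an offline keyword guessing adversary recomputes and wins with advantage 1, beside one bound to the receiver's secret key, against which the same adversary is reduced to random guessing. The HMAC stand-in, key size, keyword strings and trial count are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed toy trapdoor generators; neither is the paper's construction.
def unkeyed_trapdoor(_sk: bytes, keyword: str) -> bytes:
    # Depends on the keyword alone, so any outsider can recompute it.
    return hashlib.sha256(keyword.encode()).digest()

def keyed_trapdoor(sk: bytes, keyword: str) -> bytes:
    # Bound to the receiver's secret key (HMAC stand-in for the paper's
    # designated-server trapdoor); an outsider cannot recompute it.
    return hmac.new(sk, keyword.encode(), hashlib.sha256).digest()

class IndTrapdoorGame:
    # Challenger B of game IND-Trapdoor (Box 3), simplified.
    def __init__(self, trapdoor):
        self.trapdoor = trapdoor
        self.sk_r = secrets.token_bytes(32)  # receiver's secret key
        self.challenge = None
        self.bit = None

    def oracle(self, keyword: str) -> bytes:
        # O_1: trapdoor for any keyword except the two challenge keywords.
        if self.challenge and keyword in self.challenge:
            raise ValueError("challenge keywords may not be queried")
        return self.trapdoor(self.sk_r, keyword)

    def challenge_trapdoor(self, w0: str, w1: str) -> bytes:
        assert w0 != w1, "challenge keywords must be distinct"
        self.challenge = (w0, w1)
        self.bit = secrets.randbelow(2)
        return self.trapdoor(self.sk_r, self.challenge[self.bit])

def offline_kga_adversary(w0: str, w1: str, t_star: bytes) -> int:
    # A_3 recomputes candidate trapdoors offline (offline KGA); this only
    # helps when trapdoor generation needs no secret.
    for b, w in enumerate((w0, w1)):
        if unkeyed_trapdoor(b"", w) == t_star:
            return b
    return secrets.randbelow(2)  # no match: random guess

def estimate_advantage(trapdoor, trials: int = 400) -> float:
    # |2 Pr[A_3 wins] - 1| over repeated games with constructed keywords.
    wins = 0
    for _ in range(trials):
        game = IndTrapdoorGame(trapdoor)
        t_star = game.challenge_trapdoor("diabetes", "hepatitis")
        wins += offline_kga_adversary("diabetes", "hepatitis", t_star) == game.bit
    return abs(2 * wins / trials - 1)
```

The oracle restriction on the challenge keywords is what makes the game meaningful for a deterministic trapdoor; the unkeyed variant loses anyway because the adversary never needs the oracle.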

Figure 4: Computation cost of keyword ciphertext generation.

Figure 6: Computation cost of test algorithm.

Table 4: Running time of operations (ms).