An Efficient Pairing-Free Certificateless Searchable Public Key Encryption for Cloud-Based IIoT

The Industrial Internet of Things (IIoT), as a special form of Internet of Things (IoT), has great potential in realizing intelligent transformation and industrial resource utilization. However, there are security and privacy concerns about industrial data, which is shared on an open channel via sensor devices. To address these issues, many searchable encryption schemes have been presented to provide both data privacy-protection and data searchability. However, due to the use of expensive pairing operations, most previous schemes were inefficient. Recently, a certificateless searchable public-key encryption (CLSPE) scheme was designed by Lu et al. to remove the pairing operation. Unfortunately, we find that Lu et al.’s scheme is vulnerable to user impersonation attacks. To enhance the security, a new pairing-free dual-server CLSPE (DS-CLSPE) scheme for cloud-based IIoT deployment is designed in this paper. In addition, we provide security and efficiency analysis for DS-CLSPE. The analysis results show that DS-CLSPE can resist chosen keyword attacks (CKA) and has better efficiency than other related schemes.


Introduction
The gradual maturity of communication technology, especially the emergence of the 5-th generation wireless systems, has greatly promoted the popularization of IoT, which connects everything to the Internet for intelligent identification, tracking, monitoring, etc. [1][2][3]. Industrial IoT (IIoT) is one of the main application directions of IoT. It can collect the industrial data in real-time via various sensing devices (e.g., global positioning system and radio frequency identification), realize the optimal utilization of resources, improve the quality, and reduce the cost of the product through further analyzing those collected data [4].
IIoT provides new technological guidance for the development of industry and has great application potential. Nowadays, the IIoT market is expanding rapidly [5]. Meanwhile, the number of IIoT devices will also grow several times, inevitably leading to an explosion of the collected industrial data.
In order to effectively manage and utilize these big data, users are more willing to outsource the data to the cloud server provider (CSP), which has powerful data storage and analytical capabilities [6]. In a cloud-based IIoT setting, as presented in Figure 1, massive industrial data is collected through sensor devices and transmitted to the CSP in realtime via the Internet. The CSP further analyzes and mines these data to provide better intelligent services for industrial sectors such as intelligent logistics and manufacturing.
Users enjoy various convenient services offered by CSP; however, their data security and privacy are seriously threatened [7][8][9][10]. One reason is that their data is transmitted on an open channel, so an adversary can eavesdrop on the transmitted data to obtain information about an enterprise's production or operations [11]. The other reason is that they will not be able to physically control the outsourced data nor will they be able to fully trust the CSP. For example, the CSP may exploit users' outsourced data to make illegal profits or carry out other malicious acts, such as tampering and deleting. Once the confidential data is eavesdropped or destroyed, it may cause unpredictable damage to an enterprise (e.g., huge economic losses). Overall, it is urgent to establish a practical mechanism with security and privacy preservation for IIoT data utilization and management.
Encryption is the most direct approach to guarantee data privacy. Users can first encrypt the confidential data and then submit the ciphertext to CSP. Although traditional encryption is effective in preserving the privacy of IIoT data, it also incurs some troubles in data utilizations, especially the problem of searching over encrypted data. Since the original data structure will be changed once it is encrypted, the search algorithms for plaintext will not be feasible for the encrypted data. To address this issue, the searchable encryption (SE) technology has emerged, which supports search over ciphertext according to keywords [12,13]. The first symmetric SE (SSE) scheme was presented in [12]. However, SSE suffers from the troublesome key distribution. To resolve this problem, a SE scheme based on a public-key cryptosystem (SPE) was designed in [13]. Since then, various SPE schemes have been designed [14][15][16][17]. However, these SPE schemes face cumbersome certificate management or key escrow burden since the inherent designing structure based on public key infrastructure (PKI) and identity-based cryptosystem. The CLSPE schemes [18][19][20] can overcome these cumbersome burdens. However, most of the previous CLSPE schemes were computationally expensive since the use of many complex pairing operations. Recently, Lu and Li [21] presented a new CLSPE scheme without pairing operation. Unfortunately, we analyze their scheme suffer from user impersonation attack. To improve the security, we design a new DS-CLSPE scheme without pairing for cloud-based IIoT deployment.
1.1. Related Work. The SE technology provides the functionality of searching over ciphertext without losing the confidentiality of original data. The first concrete SE scheme was presented in [12], which was built on a symmetric cryptosystem. Later, various SSE schemes have been designed. A SSE scheme with verifiable functionality (VSSE) was presented in [22], which can both protect data privacy and provide the verifiability. Recently, Zuo et al. [23] gave two dynamic SSE schemes (i.e., Scheme-A and Scheme-B), which support range queries. The former scheme has forward security property but imposes a heavy storage cost on the client, and the latter scheme reduces the client's storage but loses the forward security. Later, a novel VSSE scheme with forward security was presented in [24]. However, all SSE schemes face the complex key management issue.
To avoid the key management issue, the concept of SPE was introduced in [13]. A SPE system contains three participants: cloud server (CS), data sender (DS), and data receiver (DR). DS uses DR's public key to encrypt his/her own data, including files and keywords extracted from files, and sends the encrypted data to CS. DR uses its own private key to produce a trapdoor for the keyword to be retrieved and submits the trapdoor to CS. Then, CS verifies whether the trapdoor matches the ciphertext and returns the successfully matched files to DR. Later, a SPE scheme with a designated server (dSPE) was constructed, in which only the specified server can run the test algorithm [14]. Lin et al. [25] designed a novel blockchain-based system for the secure outsourcing of bilinear pairings to remove the secure channel and the trusted server. To resist inside keyword guessing attack (IKGA), an authenticated SPE scheme was constructed in [15]. Recently, a SPE scheme with forward security was designed in [16] to resist file-injection attacks [26]. However, the above-proposed schemes are built on PKI cryptosystem; they inevitably face the complicated certificate management problem.
To reduce the overhead of managing certificate, an IDbased cryptosystem was introduced, in which the participant's public key is set to some public information (e.g., name and office number), and the private key is created by a key generation center (KGC) based on the public information [27]. A general framework for transforming a two-level anonymous ID-based encryption (IBE) scheme to an IDbased SPE (IBSPE) scheme was presented in [17]. Recently, Lu et al. [28] constructed an IBSPE with a designated server (dIBSPE), which supports conjunctive keyword search. Li et al. [29] designed two-authenticated dIBSPE schemes based 2 Wireless Communications and Mobile Computing on symmetric bilinear pairing and asymmetric bilinear pairing, respectively. In their schemes, any adversary cannot run the encryption algorithm to get a valid ciphertext unless it can capture the data sender's private key, and no adversary can perform the test algorithm correctly unless it has the ability to access the specified server's private key. Zhang et al. [30] constructed a proxy-oriented IBSPE scheme based on lattices to resist quantum computer attacks, in which the original data sender delegates his/her own data to a proxy for encryption in order to lower the computation cost of himself. However, all ID-based SPE schemes are plagued by key escrow issues.
In certificateless cryptosystem (CLC), the private key of the participant is jointly created by KGC and the participant itself, which resolves the burden of key escrow and certificate management existing in PKI-based and ID-based cryptosystem [31]. Peng et al. [18] introduced SE technology into the CLC system and proposed a CLSPE scheme with a designated server (dCLSPE). To lower computation overhead in [18], Islam et al. [19] designed a new dCLSPE scheme based on the problems of CDH and BDH. He et al. [20] constructed a novel-authenticated CLSPE scheme against IKGA attacks. However, all previous CLSPE schemes involve bilinear pairing operations, which require high computation overhead. Recently, a CLSPE scheme without pairing operation is designed in [21]. Unfortunately, we analyze scheme [21] cannot resist user impersonation attacks, thus, we develop a new pairing-free CLSPE scheme. The last section is mainly to summarize the full paper.

Preliminaries
We first present the complexity assumptions used in this paper and then give the system model and formal definition of DS-CLSPE.

Complexity Assumptions.
Suppose G denotes a q-order cyclic group, and the point P ∈ G denotes a generator.

System
Model. As presented in Figure 2, a DS-CLSPE system contains five participants: data sender (DS), data receiver (DR), KGC, front server (FS), and back server (BS). The responsibilities of each participant are described below.
(i) KGC is responsible for generating system parameters and participants' partial keys  (i) Setup(λ): suppose q is a large prime number and G is a group with order q. P denotes a generator selected from G, and h 1 : f0, 1g * ⟶ ℤ * q , h 2 : f0, 1g * ⟶ ℤ * q , and h 3 : G ⟶ ℤ * q denote three different hash functions. KGC performs this algorithm as follows (1) Selects s ∈ ℤ * q at random (2) Calculates P pub = sP (3) Publishes parm = fG, P, P pub , q, h 1 , h 2 , h 3 g and keeps s in secret and sends the partial key pair fT DR , d DR g to the receiver (iii) KeyGen(parm, ID DR , T DR , d DR ): the receiver picks x DR ∈ ℤ * q , calculates P DR = x DR P, and sets PK DR = ðT DR , P DR Þ, SK DR = ðd DR , x DR Þ as his/her own public/private keys (iv) Encrypt(parm, w, PK DR ): the sender randomly chooses r ∈ ℤ * q , calculates C 1 w = rP and here Q DR = T DR + P DR + h 1 ðID DR ÞP pub , and sets the ciphertext (v) Trapdoor(parm, w ′ , SK DR ): the receiver computes (vi) Test(parm, C w , T w ′ ): given C w and T w ′ , the server checks If this equation holds, returns "1"; Otherwise, returns "0".    Wireless Communications and Mobile Computing Upon receiving fd A 1 , T A 1 g, A 1 can forge the partial key pair ðd DR , T DR Þ of the receiver ID DR as follows:

Attack on
(2) Replace Public Key Query: A 1 selects x * DR ∈ ℤ * q randomly and computes P * DR = x * DR P. Then, A 1 submits this query with ðID DR , PK * DR Þ, here P K * DR = ðT * DR , P * DR Þ. C will set PK DR ⟵ PK * DR (iii) Forge Trapdoor: once A 1 has successfully forged d *

DR
and replaced PK DR , it can forge a trapdoor T w 0 for a keyword w 0 with respect to the identity ID DR as below: (iv) Challenge: A 1 returns the keywords ðw 0 , w 1 Þ and the identity ID DR as challenge target. Then C picks up μ ∈ f0, 1g randomly and returns C w μ ⟵ Encrypt ðparm, w μ , PK DR Þ to A 1 Upon receiving C w μ , A 1 performs Test algorithm and gets τ ⟵ Testðparm, C w μ , T w 0 Þ ∈ f0, 1g.

The Proposed DS-CLSPE Scheme
To overcome the weakness of Lu et al.'s scheme and avoid the use of bilinear pairing, we develop a new dual-server CLSPE scheme. The details are described as follows.
(i) Setup(λ): suppose q is a large prime number, G is a group with order q. Let P denote a generator of G, (3) Sends fT i , d i g to the corresponding participant (iii) KeyGen(parm, ID i , T i , d i ): this algorithm is performed by the participant i ∈ fDR, FS, BSg as follows FS, BSgÞ and keyword w. DR performs the steps below to produce ciphertext C w (1) Selects r ∈ ℤ * q randomly where The parameters fQ i , α i , β i g can be published publicly.
(v) Trapdoor(parm, w ′ , SK DR , PK FS , PK BS ): the receiver generates the trapdoor T w ′ of keyword w′ as below (1) Selects l ∈ ℤ * q randomly where Q i and β i are computed as above.
Correctness. Suppose that w = w ′ , then we have

Security Analysis
This section first presents the security model of DS-CLSPE and then gives the formal proof of DS-CLSPE.

Security Model.
Two types of adversaries should be considered in a certificateless cryptosystem [31,32].
Type 1. This adversary is denoted as A 1 , who has no master key but can replace anyone's public key.
Type II. This adversary is denoted as A 2 , who holds the master key but cannot replace anyone's public key.
As defined in scheme [33], assume that both BS and FS are honest-but-curious, and that they cannot collude. The security model of DS-CLSPE is defined by the following game, i.e., indistinguishability against CKA attack (IND-CKA), which is the interaction between an adversary A ∈ fA 1 , A 2 g and a challenger C. Game. This game is interacted between A and C.
(i) Setup: C generates fparm, sg by executing Setup algorithm. If A = A 1 , C returns parm to A; otherwise (A = A 2 ), returns both parm and s (ii) Phase 1: the following oracles can be queried by A (a) CreateUser Queries: upon receiving this query for ID i , C checks whether ID i has been created.
If so, C outputs PK i directly. Otherwise, C performs the algorithm KeyGen to produce the key pair ðPK i , SK i Þ and returns PK i (b) PrivateKey Queries: upon receiving this query for ID i , C checks whether ID i has been created.
If so, C returns SK i ; otherwise, returns ⊥ (c) PatialPrivateKey Queries: upon receiving this query for ID i , C checks whether ID i has been created. If so, C returns partial private key d i ; otherwise, returns ⊥ (d) ReplacePublicKey Queries: if A = A 1 , then it can perform these queries. Upon receiving A ' s query for ID i with a false public key PK * i , C sets PK i ⟵ PK * i (e) Trapdoor Queries: if A submits this query for ðID i , wÞ, then C returns the corresponding trapdoor T w if ID i has been created; otherwise, returns ⊥ (iii) Challenge: A selects identity ID ch and keywords ðw 0 , w 1 Þ as challenge targets. C picks up σ ∈ f0, 1g at random and returns C w σ ⟵ Encryptðparm, w σ , ID ch , PK ch , PK FS , PK BS Þ to A (iv) Phase 2: the oracles defined as in phase 1 can be continuously queried by A (v) Guess: A returns σ ′ ∈ f0, 1g. We say A wins the above game if σ ′ = σ and below conditions hold: (1) Trapdoor queries for w 0 and w 1 have never been submitted by A; (2) If A = A 1 , it has never made P rivateKey and PartialPrivateKey queries for ID ch ; if A = A 2 , it has never made PrivateKey queries for ID ch (note that A 2 can calculate partial private key as it knows master key).

Provable Security
where e is Euler number and q SK , q PSK , q T denote the maximum number of PrivateKey queries, PartialPrivateKey queries, and Trapdoor queries, respectively.
Proof. Let q be a large prime number. Given ðP, aP, bPÞ, C ' s goal is to output abP.
(i) Setup: C generates the public parameters parm = fG, P, P pub , h 0 , h 1 , h 2 , qg, here P pub = aP. C selects x FS , x BS , t FS , t BS ∈ ℤ * q , computes P FS = x FS P, P BS = x BS P, T FS = t FS P, and T BS = t BS P, and sets PK FS = ðT FS , P FS Þ, PK BS = ðT BS , P BS Þ. Finally, C sends fparm, PK FS , PK BS g to A 1 (ii) Phase 1: the following oracles can be queried by A 1 If h 1 -list already contains the searched tuple, C outputs β i directly; otherwise, C chooses β i ∈ ℤ * q at random, adds ðID i , T i , P i , β i Þ into h 1 -list, and returns β i (c) h 2 Queries: C maintains a h 2 -list with tuples ðw i , ID i , h 2i Þ. Upon receiving this query for Upon receiving A 1 ' s query for ID i , C searches user-list for ðID i , PK i , SK i , t i , x i , coin i Þ. C outputs PK i directly if user-list already includes the searched tuple; otherwise, C tosses a coin i ∈ f0, 1g at random such that Pr ½coin i = 1 = δ (δ will be computed later) and executes the following steps (1) If coin i = 1, C selects two random numbers t i , x i from ℤ * q , sets PK i = ðT i , P i Þ, where T i = t i P, P i = x i P. C adds ðID i , PK i ,⊥,t i , x i , 1Þ into user-list and returns PK i (2) Otherwise (coin i = 0), C selects three numbers C adds ðID i , PK i , SK i ,⊥,⊥,0Þ into user-list, adds ðID i , T i , α i Þ into h 0 -list, and returns PK i (e) PrivateKey Queries: when A 1 submits this query for ID i , C searches ðID i , PK i , SK i , t i , x i , coin i Þ from user-list. If coin i = 0, C outputs SK i ; otherwise, C aborts the game (this event is denoted as Event 1 ).
(f) PartialPrivateKey Queries: when A 1 submits this query for ID i , C searches ðID i , PK i , SK i , t i , x i , coin i Þ from user-list. If coin i = 0, C outputs the first part of SK i , i.e., d i ; otherwise, C aborts the game (this event is denoted as Event 2 ).
(g) ReplacePublicKey Queries: when A 1 submits this query with a value PK * i , C replaces PK i with PK * i . Note that this query implies A 1 must also submit the corresponding private key SK * i (h) Trapdoor Queries: when A 1 submits this query for ðw, where Q FS and Q BS are computed as in the proposed scheme. C returns T w = ðT 1 w , T 2 w Þ. Otherwise, C aborts the game (this event is denoted as Event 3 ).
(iv) Phase 2: The oracles defined in phase1 can be asked continuously by A 1 (v) Guess: A 1 outputs σ ′ . If σ ′ = σ, then C wins in the above game At this point, C can compute the value abP as follows: Analysis. The advantage of C winning the game is analyzed below. C wins in above game if none of the events Event i (i = 1, 2, 3, 4) occur.

Wireless Communications and Mobile Computing
From the above proof of Lemma 3, when δ = 1/ðq SK + q PSK + q T + 1Þ, this value is at its maximum value Thus, Lemma 4. Let ε denote the advantage of A 2 winning in IND-CKA game. Then, the algorithm C can be constructed to solve the CDH problem with advantage where e, q SK , and q T are defined as Lemma 3.
(i) Setup: C selects s ∈ ℤ * q , calculates P pub = sP and generates parm = fq, G, P, P pub , h 0 , h 1 , h 2 g. Then, C selects x FS , x BS , t FS , and t BS ∈ ℤ * q , sets P FS = x FS P, P BS = x BS P, T FS = t FS aP, and T BS = t BS aP, and lets P K FS = ðT FS , P FS Þ and PK BS = ðT BS , P BS Þ. Finally, C sends fparm, s, PK FS , PK BS g to A 2 (ii) Phase1: the following oracles can be queried by A 2 (a) h 0 , h 1 , h 2 Queries: when A 2 submits these oracle queries, C responds as defined in Lemma 3 (b) CreateUser Queries: C maintains a user-list with ðID i , PK i , SK i , t i , x i , coin i Þ. Upon receiving this query for ID i , C searches ðID i , PK i , SK i , t i , x i , coin i Þ from user-list. If this tuple is already in user-list, C returns PK i ; otherwise, C tosses coi n i ∈ f0, 1g randomly such that Pr ½coin i = 1 = δ (δ will be computed later) and executes the following steps (1) If coin i = 1, C selects t i , x i from ℤ * q , computes T i = t i aP, P i = x i P, and sets P K i = ðT i , P i Þ. C adds ðID i , PK i ,⊥,⊥,x i , 1Þ into user-list and returns PK i If coin i = 0, C outputs SK i ; otherwise, C aborts the game (this event is denoted as Event 1 ) (d) Trapdoor Queries: when A 2 submits the query for ðw, ID i Þ, C searches ðID i , PK i , SK i , t i , x i , coi n i Þ from user-list and recovers ðID i , T i , P i , β i Þ and ðw i , ID i , h 2i Þ from h 1 -list and h 2 -list, respectively. If coin i = 0, C chooses l ∈ ℤ * q , computes T 1 w = lP, T 2 w = ðd i + β i x i Þh 2i Q FS + lQ BS , and returns T w = ðT 1 w , T 2 w Þ to A 2 , where Q FS and Q BS are computed as in the proposed scheme; otherwise, C aborts the game (this event is denoted as Event 2 ) (iii) Challenge: A 2 outputs ID ch and ðw 0 , w 1 Þ. C recovers ðID ch , PK ch , SK ch , t ch , x ch , coin ch Þ from user-list. If coin ch = 1, C randomly selects σ ∈ f0, 1g, C 2 w σ ∈ G and recovers ðw σ , ID ch , h 2σ Þ from h 2 -list. C sets C 1 w σ = bP and returns C w σ = ðC 1 w σ , C 2 w σ Þ to A 2 . Otherwise, C aborts the game (this event is denoted as Event 3 ) Note that C 2 w σ is implicitly defined as bQ FS + bQ BS + h 2σ Q ch = bðT FS + β FS P FS + α FS P pub Þ + bðT BS + β BS P BS + α BS P pub Þ + h 2σ ðT ch + β ch P ch + α ch P pub Þ.
(iv) Phase2: the oracles defined in phase 1 can be continuously accessed by A 2 (v) Guess: A 2 returns σ ′ . If σ ′ = σ, then C wins in the game The bit-size of a point in G ℤ q The bit-size of a number in ℤ q PK j j The bit-size of PK C j j The bit-size of ciphertext The bit-size of trapdoor Analysis. Now let us analyze C ' s advantage in winning the above game. C will win the game if Event 1 , Event 2 , and Event 3 do not occur.

Performance Analysis
This section mainly compares the computation/communication costs of DS-CLSPE with that of Lu and Li [21] and Peng et al. [18]. Let p, q be 512-bit and 160-bit prime numbers, respectively. G is a cyclic group with order q, which is generated by a point on a super-singular elliptic curve EðF p Þ. For the convenience of comparison, Table 1 presents the definition of some symbols. We evaluate the running time of the above basic operations using the MIRACL library [34] and performing on a personal computer (Processor: i5-8250U 1.60 GHz; Memory: 8 GB; Operating system: Win10). The evaluation result shows that T sm = 4:800 ms, T mm = 0:003 ms, T bp = 13:144 ms, T H = 12:082 ms, T pa = 0:025 ms. Furthermore, the result indicates that the operations of T H and T bp consume much more time than other operations. Therefore, we should minimize or even avoid using these time-consuming operations to enhance the efficiency of the designed scheme.
To compare the computation costs, we analyze the proposed DS-CLSPE scheme and schemes [18,21] in terms of four phases: KenGen, Encrypt, Trapdoor, and Test. Table 2 and Figure 3 present the specific comparison results. In addition, the communication costs of DS-CLSPE and schemes [18,21] are also presented in Table 2.
From Table 2 and Figure 3, the efficiency of DS-CLSPE is slightly worse than the scheme [21], but DS-CLSPE avoids the security flaws that existed in the scheme [21]. The data security is a primary concern in practical application, so DS-CLSPE is more practical. And in comparison with scheme [18], DS-CLSPE has better performance.

Conclusion
As the maturity of IoT and the popularization of sensor devices, IIoT has attracted widespread attention, which can provide users with real-time and reliable intelligent services by collecting and analyzing massive industrial data via the IoT devices. However, some sensitive information may be involved in industrial data, so data security is concerned. To protect data privacy, Lu et al. designed a CLSPE scheme without bilinear pairing operation. Unfortunately, we analyze that their CLSPE scheme cannot prevent user impersonation attacks. To resolve the security flaws, we design an improved pairing-free dual-server CLSPE scheme, i.e., DS-CLSPE. The formal security proof shows that DS-CLSPE  [21] 2T sm + T mm 3T sm + T mm T mm T sm 2 G j j G j j + ℤ q ℤ q Peng et al. [18] 8T sm + 2T H 4T sm + 3T H + 3T bp 3T sm + T H T sm + 2T pa + T bp 4 G j j G j j + ℤ q 3 G j j DS-CLSPE 6T sm 10T sm + 8T pa 3T sm + T pa 4T sm + 3T pa 6 G j j 2 G j j 2 G j j

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.