Cross-domain heterogeneous signcryption with keyword search for wireless body area network

The wireless body area network (WBAN) is a network of sensors communicating through wireless technology; these sensors can capture and encrypt the physiological data of the human body and transmit it to a remote cloud server for use by authorized users. However, how to retrieve the encrypted data has become a problem that must be solved. Nowadays, searchable encryption with keywords (SEK) is a widely used technology for this problem. Nevertheless, some issues need attention. First, SEK is vulnerable to keyword guessing attack (KGA) and inside keyword guessing attack (IKGA). Second, since the sender and receiver are likely to work under different cryptosystems, the designed scheme should satisfy heterogeneity. Third, communication parties in heterogeneous domains usually use different cryptographic system parameters, so achieving cross-domain authentication between them greatly improves the practicability of the scheme. To address these issues, we put forward a new searchable signcryption scheme for WBAN. Under standard computational complexity assumptions, the proposed scheme is proved to simultaneously achieve ciphertext indistinguishability, trapdoor indistinguishability, ciphertext unforgeability and resistance to KGA and IKGA in the random oracle model (ROM). Further, our scheme allows the WBAN sensors in the certificateless public key cryptography (CLC) environment and the receivers in the public key infrastructure (PKI) environment to realize cross-domain authentication and heterogeneous communication. Compared to five existing schemes, the total computation cost of our scheme is reduced by at least 59.99%.


Introduction
The development of cloud storage facilitates access to data and makes it increasingly important in WBAN applications [1,2]. For instance, the sensors in a WBAN transmit the collected physiological data via the Internet to a third-party cloud server for storage and allow users to quickly find the data they need [3,4]. Despite the convenience of cloud storage, data stored on cloud servers also faces additional security challenges. One challenge is how to ensure that the data stored in the cloud server is not leaked [5]. To preserve data confidentiality, the sensors in a WBAN usually upload encrypted data to the cloud server, but this practice destroys the original structure of the data and makes traditional search tools ineffective. Fortunately, SEK addresses this problem [6][7][8][9]. Currently, symmetric and asymmetric searchable encryption are the two main types of SEK. They allow the sender and receiver to use the keywords extracted from the encrypted data to generate a keyword ciphertext and a trapdoor respectively, and the server performs the test operation using the keyword ciphertext and trapdoor.
Searchable symmetric encryption (SSE) is an SEK that uses a symmetric cryptosystem to generate the keyword ciphertext and trapdoor. SSE was first proposed by Song et al. [6]. Subsequently, several SSE-based schemes have been proposed in recent years [10][11][12][13]. But the symmetric cryptosystem confronts the difficulty of how to distribute keys safely. Fortunately, asymmetric cryptosystems do not have this problem. Accordingly, Boneh et al. [14] presented the concept of public key encryption with keyword search (PEKS) and gave a PEKS scheme satisfying keyword ciphertext indistinguishability. After that, some PEKS-based schemes were put forward [15,16]. However, the original PEKS scheme uses only the receiver's public key to generate the keyword ciphertext. Once a trapdoor is given, the adversary can use exhaustive enumeration to collect keyword information, based on the fact that the password space is usually much larger than the keyword space and receivers frequently use certain keywords for data search [17]; this is known as KGA. Specifically, an adversary first guesses a keyword and forges a keyword ciphertext, then intercepts the trapdoors transmitted on the public channel and performs the test operation, and finally learns the keywords contained in the corresponding ciphertext. IKGA is a more hazardous KGA launched by an inside adversary. The internal attacker, such as the cloud server, stores the ciphertext data and is legitimately allowed to execute the test operation, so it can easily generate a keyword ciphertext and execute the test operation to obtain the keywords contained in the ciphertext. So, a secure PEKS scheme for WBAN needs to strongly resist KGA and IKGA [17].
In addition, the use of CLC, PKI and other asymmetric cryptosystems has become more and more frequent, so the WBAN sensors and receivers are typically in different asymmetric cryptosystems [18] and use different cryptographic system parameters. It naturally makes sense to design a secure searchable signcryption scheme with heterogeneity and cross-domain authentication. And this means that both sides of communication parties in different cryptosystems can achieve secure communication using different cryptographic system parameters.
However, so far, there is no searchable signcryption scheme that can simultaneously realize ciphertext indistinguishability, trapdoor indistinguishability, ciphertext unforgeability, resistance to KGA and IKGA, heterogeneity and cross-domain authentication. Based on the above description, we give the system model of the WBAN cross-domain heterogeneous searchable signcryption scheme. As shown in Fig. 1, three entities work in the system model of our scheme: WBAN sensors in the CLC setting, the medical service provider (doctors or medical caregivers) in the PKI setting, and the cloud server. WBAN sensors obtain the system parameters and partial private key generated by the CLC server, named the key generation center (KGC). The PKI server is the certificate authority (CA), which produces the system parameters of PKI and the certified public key of the medical service provider. Note that the system parameters of CLC and PKI are not the same. The main relationship between the three entities is as follows: WBAN sensors collect physiological data and extract a keyword from the data, then encrypt these data and upload them to the cloud server. To obtain the desired data, the medical service provider generates a keyword trapdoor and sends it to the cloud server. The server checks whether the trapdoor matches the stored encrypted data and, if so, returns the matching data.

Related work
According to the previous description and the scheme [17] proposed by Byun et al. in 2006, it is clear that a secure PEKS scheme needs to resist both KGA and IKGA. Ma et al. [19] gave their solution and proposed an SE scheme with two servers working together. This solution requires the two servers to perform the ciphertext retrieval operation by sharing the secret retrieval trapdoor, which means that neither server can complete the ciphertext test operation and obtain ciphertext information by itself. Unfortunately, this scheme cannot resist IKGA under a collusion attack of the servers. In 2021, Liu et al. [20] proposed a concept called "designated ciphertext searchable encryption (DCSE)". DCSE requires the sender to generate a tag related to the ciphertext index, and the receiver then uses this tag to generate a trapdoor. Because the information in this tag can only be obtained by the receiver, the attacker cannot generate a keyword ciphertext matching the trapdoor for KGA and IKGA. Although DCSE is able to resist KGA and IKGA, the addition of tags increases the communication cost of the scheme. Secure channel-free public key encryption with keyword search (SCF-PEKS), also known as PEKS with a designated server/tester (dPEKS), was introduced by Baek et al. [21]. Basically, dPEKS adds the tester's public key to the keyword ciphertext generation, ensuring that the test operation can only be performed by the server holding the associated private key. Unfortunately, this method does not take into account an attacker from within the system: if the attacker is the designated test server, this method is powerless against IKGA. In 2017, Huang and Li [22] first proposed a concept called "public-key authenticated encryption with keyword search (PAEKS)." It is an ideal way to realize resistance to both KGA and IKGA.
Specifically, PAEKS requires the sender to use its own private key to generate keyword ciphertext, so that neither outside nor inside adversaries can effectively forge keyword ciphertext to implement KGA and IKGA, and this solution can achieve efficient communication without additional communication cost. Therefore, based on the concept of PAEKS, scholars have proposed some improved dPEKS schemes [23,24], which enable the dPEKS scheme to further resist IKGA.
For many years, the major cryptographic systems generally used by scholars were identity-based cryptography (IBC), with its key escrow issue, and PKI, with its certificate management concerns. The CLC [25] proposed by Al-Riyami and Paterson solves both problems. In recent years, quite a few searchable encryption schemes based on CLC have been presented [26][27][28][29][30]. However, the algorithms adopted by Zhang et al. [26] and Yang et al. [29] need too many pairing operations, resulting in high computation cost. He et al. [30] pointed out that the scheme [28] is insecure because it has no effective method to prevent attackers from launching KGA and IKGA. At the same time, they provided an SEK scheme proven secure against IKGA. With the increasing use of public key cryptosystems such as CLC, IBC and PKI, a heterogeneous searchable signcryption scheme (HSC-KW) for WBAN [31] assures that the transferred data is not only secure but also authenticated. Unfortunately, in [31], senders and receivers in different network domains use the same system parameters.

Our contributions
Based on the notion of PEKS, we propose a new searchable signcryption scheme named cross-domain heterogeneous signcryption with keyword search (CHSKS), which enables senders working within the CLC system and receivers in the PKI environment to communicate with each other. Our CLC-PKI CHSKS is denoted "CP-CHSKS" and makes the following contributions:
1. To realize heterogeneous communication between a sender and a receiver in different cryptosystems and to improve the practicability of the CP-CHSKS scheme, the new scheme allows the WBAN sensors and the receivers to work in the CLC and PKI environments respectively, and the different cryptosystems can use different cryptographic system parameters, which is more consistent with the actual application environment.
2. A good CP-CHSKS scheme should have strong security. We propose the first searchable signcryption scheme that simultaneously achieves keyword ciphertext indistinguishability, trapdoor indistinguishability, keyword ciphertext unforgeability, resistance to KGA and IKGA, heterogeneity and cross-domain authentication.
3. An excellent CP-CHSKS scheme should perform its cryptographic operations in the shortest possible time. Therefore, we reduce the use of pairing operations and unnecessary online computation so that the proposed scheme has superior performance. Compared with [19], [26], [29], [30] and [31], the total computation cost of our scheme decreases by about 61.17%, 87.61%, 69.93%, 71.83% and 59.99%, respectively.

Organization
The remainder of this paper is organized as follows: Section 2 describes the system model of our scheme and the mathematical assumptions needed to prove the security of CP-CHSKS. Section 3 introduces the generic model of our scheme and its security model. The detailed description of the proposed scheme and its security analysis are given in Sections 4 and 5 respectively. Section 6 analyzes the performance of our scheme, and the last section summarizes this study. Table 1 lists the notations used in the proposed scheme.

Bilinear pairing
Definition 1 Bilinear Pairing: A bilinear pairing is a mapping between two groups $G_1$ and $G_2$. Generally, $G_1$ and $G_2$ are cyclic groups of the same order $q$, where $G_1$ is a subgroup of the additive group of points on a chosen elliptic curve and $G_2$ is a subgroup of the multiplicative group of a finite field. Based on the above, we say that a mapping $\hat e : G_1 \times G_1 \to G_2$ is a bilinear pairing if it meets the following conditions.

Computational assumptions
Definition 2 Discrete Logarithm Problem (DLP): Suppose $\hat e : G_1 \times G_1 \to G_2$ is a bilinear pairing and a tuple $(P, aP)$ is given, where $P, aP \in G_1$ are known and $a \in \mathbb{Z}_q^*$ is secret. The purpose is to find $a$.

Definition 3 Bilinear Diffie-Hellman Inversion Problem (BDHIP): Suppose $\hat e : G_1 \times G_1 \to G_2$ is a bilinear pairing and a tuple $(P, aP)$ is given, where $P, aP \in G_1$ are known and $a \in \mathbb{Z}_q^*$ is secret. The purpose is to compute $\hat e(P, P)^{1/a}$.

Definition 4 Computational Diffie-Hellman Problem (CDHP): Suppose $\hat e : G_1 \times G_1 \to G_2$ is a bilinear pairing and a tuple $(P, aP, bP)$ is given, where $P, aP, bP \in G_1$ are known and $a, b \in \mathbb{Z}_q^*$ are secret. The purpose is to compute the value $abP$.

Generic model
The generic CP-CHSKS scheme consists of the following eight algorithms:
1. Setup: Given a security parameter $s$, KGC runs this algorithm to obtain the necessary parameters, namely the master secret key and the public system parameters $PParams_1$. CA similarly generates the PKI system parameters $PParams_2$.
2. CLC-Partial key extraction (CL-PKE): On input an identity $ID_i$ and the master secret key, KGC runs this algorithm to produce a partial private key $u_i$ and a partial public key $T_i$.
3. CLC-Secret value generation (CL-SVG): On input an identity $ID_i$, the data sender in the CLC setting runs this algorithm to obtain a secret value $d_i$. Note that the secret value $d_i$ and the partial private key $u_i$ together form the user's full private key $SK_i = (u_i, d_i)$.
4. CLC-Public key generation (CL-PKG): The data sender in the CLC setting computes a public key $PPK_i$ from its secret value $d_i$. Then, the whole public key
5. PKI-Key generation (PKI-KG): On input a private key $d_j$ selected randomly by the receiver, the receiver in the PKI environment runs this algorithm to obtain the corresponding public key $PK_j$.
6. CLC-PKI PEKS (CP-PEKS): A keyword $w \in W$ (where $W$ is the set of all keywords) extracted from data $m$, the receiver's public key $PK_r$ and the sender's full private key are the inputs of this algorithm. The data sender runs it to generate the keyword ciphertext.
7. PKI-Trapdoor generation (PKI-TG): The receiver in PKI executes this algorithm to generate a keyword trapdoor $T_w$, taking a keyword $w$, the system parameters $PParams_1$ of the sender's environment and the receiver's private key $d_r$ as inputs.
8. Test: The cloud server takes the system parameters, a trapdoor $T_w$ and a keyword ciphertext as inputs and returns true if the verification succeeds. Otherwise, $\perp$ is returned.

Security model
A CP-CHSKS scheme should satisfy not only ciphertext indistinguishability and trapdoor indistinguishability but also unforgeability. Two adversaries $A_1$ and $A_2$ exist in CLC according to [25]. $A_1$ is unable to obtain the master secret key, but $A_2$ is able to do so; $A_2$ is unable to replace the sender's public key, whereas $A_1$ is able to do so. To facilitate the distinction, we add an adversary $A_3$, which has the same ability as $A_1$ and tries to break the indistinguishability of the trapdoor. The security model of CP-CHSKS is illustrated by the following three games, each played between a challenger $C$ and an adversary $A$ (one of $A_1$, $A_2$ and $A_3$). The oracles listed below may be used:
• Hash-query: $A$ executes this query with the required parameters of the hash function $H_i$ ($i = 1, 2, 3$); $C$ computes and returns the hash value.
• CL-partial key query: $A$ executes this query to obtain a user's partial private key $u_i$. Given $ID_i$, $C$ calculates and returns $u_i$.
• CL-secret value query: $A$ queries $C$ with an identity $ID_i$; $C$ performs the CL-SVG algorithm to obtain $d_i$ and returns it to $A$.
• CL-public key query: $A$ provides $C$ with an identity $ID_i$; $C$ executes the CL-PKG algorithm to obtain and return the related public key $PK_i$.
• CL-replace public key query: $A$ (where $A$ is not $A_2$) may replace any sender's public key in the CLC environment with a valid value of its choice.
• CL-PKI-SE query: A sender's identity $ID_S$, a receiver's identity $ID_r$ and a keyword $w$ are given to $C$; $C$ runs the CP-PEKS algorithm to generate the ciphertext and returns it to $A$.
• PKI-public key query: $A$ provides $C$ with an identity $ID_j$; $C$ executes the PKI-KG algorithm and returns $PK_j$ to $A$.
• PKI-trapdoor query: When $C$ receives a keyword $w$ and a receiver's identity $ID_r$ from $A$, $C$ performs the PKI-TG algorithm to generate the corresponding trapdoor $T_w$ and returns it to $A$.

Definition 5 If any polynomially bounded adversary $A_l$ ($l = 1, 2$) is not able to win Game 1 with non-negligible advantage, then the proposed CP-CHSKS scheme possesses ciphertext indistinguishability against adversary $A_l$.

Game 1
Initialization Given the security parameter $s$, $C$ generates the cryptographic system parameters and the master secret key by running the Setup algorithm. $C$ provides $A_l$ with the system parameters, sends $A_2$ the master secret key and keeps this value confidential from $A_1$.
Phase 1 $A_l$ can issue a series of queries to $C$ during this phase; these queries are the ones defined in the security model. Additionally, $A_2$ does not need to perform the CL-partial key query and the CL-replace public key query.
Challenge $A_l$ provides $C$ with a receiver's identity $ID_B$, a sender's identity $ID_A$ and a pair of keywords $(w_0, w_1)$, with the restriction that the PKI-trapdoor query on $w_0$ and $w_1$ has never been asked. Then $C$ chooses one of the two keywords at random and computes its keyword ciphertext with CP-PEKS using $SK_A$, $PK_A$ and $PK_B$. Finally, the resulting challenge ciphertext is returned.
Phase 2 $A_l$ continues to query $C$, but $A_l$ may not perform the PKI-trapdoor query on $w_0$ or $w_1$ in this phase.
Guess $A_l$ wins this game only if it correctly outputs which of the two keywords was chosen.

Definition 6 If any polynomially bounded adversary $A_3$ is not able to win Game 2 with non-negligible advantage, then the proposed CP-CHSKS scheme possesses trapdoor indistinguishability against adversary $A_3$.

Game 2
Initialization This game's initialization follows the same procedure as the initialization of Game 1.
Phase 1 $A_3$ can submit to challenger $C$ the queries contained in Phase 1 of Game 1.
Challenge $A_3$ sends $C$ a receiver's identity $ID_B$ and a pair of chosen keywords $(w_0, w_1)$, with the restriction that the PKI-trapdoor query and the CL-PKI-SE query on $w_0$ and $w_1$ have never been asked. Then $C$ selects one of the two keywords $w$ at random and computes the trapdoor $T^* = \text{PKI-TG}(w, d_B, PParams_1)$. Finally, $T^*$ is returned.
Phase 2 $A_3$ may continue to perform queries, except for the CL-PKI-SE query and the PKI-trapdoor query on $w_0$ and $w_1$.
Guess $A_3$ wins this game only if it correctly outputs which of the two keywords was selected.

Definition 7 If any polynomially bounded adversary $A_l$ ($l = 1, 2$) is not able to win Game 3 with non-negligible advantage, then the proposed CP-CHSKS scheme possesses ciphertext unforgeability against adversary $A_l$.

Game 3
Initialization This game's initialization follows the same procedure as the initialization of Game 1.

Phase 1
Adversary $A_l$ is allowed to perform the series of queries contained in Phase 1 of Game 1.
Forgery $A_l$ picks a keyword $w$, a sender's identity $ID_A$ and a receiver's identity $ID_B$, then outputs a forged keyword ciphertext for $w$. $A_l$ wins the game if the following conditions are satisfied:
1. The forged ciphertext and $T_w$ match when the Test algorithm is executed.
2. $A_1$ has not performed both the CL-replace public key query and the CL-partial key query on $ID_A$.
3. The forged ciphertext was not generated by the CP-PEKS algorithm.

The proposed scheme
Now, we describe our CP-CHSKS scheme in detail.
Setup After selecting a security parameter $s$, KGC chooses a cyclic additive group $G_1$ and a cyclic multiplicative group $G_2$ of the same prime order $q_1$, selects $P_1$ as a generator of $G_1$ and fixes a bilinear pairing $\hat e : G_1 \times G_1 \to G_2$. KGC selects a random value in $\mathbb{Z}_{q_1}^*$ as its master secret key (written $\mathit{msk}$ below), uses it to compute $P_{pub} = \mathit{msk} \cdot P_1$, and then fixes three hash functions $H_1$, $H_2$ and $H_3$. After these operations, the CLC system parameters $PParams_1 = \{G_1, P_1, q_1, P_{pub}, H_1, H_2, H_3\}$ are determined. Similarly, CA generates the PKI system parameters $PParams_2 = \{G'_1, P_2, q\}$, where $G_1$ is a subgroup of $G'_1$, the order of $G'_1$ is the prime $q$, and $P_2$ is a generator of $G'_1$.

CL-PKE
KGC first takes as input a sender identity $ID_i \in \{0,1\}^*$ and a random number $r_i \in \mathbb{Z}_{q_1}^*$, then computes $D_i = r_i P_1$ and $t_i = H_1(ID_i, D_i)$, and finally outputs the partial private key $u_i = r_i + \mathit{msk} \cdot (t_i + 1) \pmod{q_1}$, where $\mathit{msk}$ is the master secret key, and the partial public key $T_i = D_i + t_i P_{pub}$.

CL-SVG The secret value $d_i$ is randomly selected by the sender $ID_i$. Note that the user's full private key can now be written as $SK_i = (u_i, d_i)$.

CL-PKG
The other part of the public key, $PPK_i = d_i P_1$, is computed by the sender $ID_i$ itself; then $PK_i = (T_i, PPK_i)$ is set as the sender's full public key.

PKI-KG
The receiver in PKI randomly selects a private key $d_j \in \mathbb{Z}_q^*$ and sets $PK_j = d_j P_2$ as its public key.

CP-PEKS
On input a keyword $w$, the sender's private key $SK_S$ and the receiver's public key $PK_r$, the sender carries out this algorithm as follows: 1. Chooses a random number $k \in \mathbb{Z}_{q_1}^*$.

PKI-TG
The receiver takes a keyword $w$, the system parameters $PParams_1$ and its private key $d_r$ as inputs, then performs the following steps to generate a keyword trapdoor: 1. Computes $h_w = H_2(w)$. 2. Computes $T_w = (h_w d_r)^{-1} P_1$ and outputs the keyword trapdoor $T_w$.
Test The cloud server that received the trapdoor performs this algorithm to check whether the equation $\hat e(PPK_S, P_2) = \hat e(T_S + P_{pub}, P_2)^{hy}\,\hat e(R, T_w)$ holds, where $h = H_3(ID_S, PPK_S, T_S, R)$. If the verification succeeds, the test server returns the corresponding data; otherwise $\perp$ is returned. Now, we verify the correctness of the proposed scheme.

Theorem 1 Under the hypothesis of the complexity of the CDHP, the proposed CP-CHSKS achieves ciphertext indistinguishability against adversary $A_l$ ($l = 1, 2$) in the ROM.
Proof Challenger $C$ and adversary $A_l$ play Game 1 together. $C$ knows the tuple $(P, aP, bP)$ of the CDHP but does not know the values of $a$ and $b$. The purpose of $C$ is to compute $abP$.
Initialization $C$ executes the Setup algorithm using the given security parameter $s$ to produce the system parameters and the master secret key, then sends the system parameters to $A_l$. In particular, $C$ sends $A_2$ the master secret key and keeps this value hidden from adversary $A_1$.

Phase 1
For the smooth progress of the game, $C$ maintains five lists: $L_i$ ($i = 1, 2, 3$), $LK_c$ and $LK_p$. The outputs of the hash queries are recorded in the three lists $L_i$, and the results of the public key queries in the CLC and PKI environments are recorded in $LK_c$ and $LK_p$ respectively. $C$ sets $P_{pub} = P$ and randomly chooses two challenge identities $ID_x$ ($1 \le x \le q_H$) and $ID_y$ ($1 \le y \le q_P$), assuming that the adversary makes at most $q_H$ CL-public key queries and $q_P$ PKI-public key queries, then adaptively handles the queries submitted by $A_l$:
• $H_1$ query: $A_l$ submits this query on $ID_i$. If a tuple $(ID_i, D_i, t_i)$ exists in $L_1$, $C$ returns $t_i$ to $A_l$. Otherwise, $C$ selects $t_i \in \mathbb{Z}_{q_1}^*$ randomly, returns it and inserts $(ID_i, D_i, t_i)$ into the list $L_1$.
• $H_2$ query: $A_l$ makes this query on a keyword $w$. $C$ checks whether a tuple $(w, h_w)$ is in the list $L_2$. If it exists, $C$ returns $h_w$. Otherwise, $C$ randomly selects $h_w \in \mathbb{Z}_{q_1}^*$, returns it and inserts $(w, h_w)$ into $L_2$.
• $H_3$ query: $A_l$ submits an $H_3$ query on a tuple
as the return and inserts $(ID$
• CL-partial key query: if the tuple is in $LK_c$ and the related value is available, $C$ returns $u_i$ to $A_1$. Otherwise, $C$ performs a CL-public key query, and then the queried user's partial key $u_i$ and $T_i$ are returned.
• CL-public key query: $A_l$ submits this query on $ID_i$. In the case $ID_x \ne ID_i$, challenger $C$ checks if the tuple
into $LK_c$ and $L_1$ respectively. Finally, $C$ returns $PK_x = (T_x, PPK_x)$ to $A_l$.
• CL-replace public key query: Except for $ID_x$, any sender's public key can be replaced by $A_1$. $A_2$ is not allowed to perform this query.
• CL-PKI-SE query: $A_l$ submits this query with a keyword $w$, a sender's identity $ID_i$ and a receiver's identity $ID_j$. In the case $ID_x \ne ID_i$, $C$ generates the ciphertext by running the CP-PEKS algorithm and sends it to $A_l$. Otherwise, $C$ aborts the game.
• PKI-public key query: $A_l$ submits this query on $ID_j$. In the case $ID_y \ne ID_j$, challenger $C$ first checks the list $LK_p$. $PK_j$ is returned if the tuple $(ID_j, d_j, PK_j)$ is found in $LK_p$. If the tuple does not exist in $LK_p$, $C$ picks $d_j \in \mathbb{Z}_q^*$ at random, computes $PK_j = d_j P$ as the return and inserts $(ID_j, d_j, PK_j)$ into $LK_p$. If $ID_y = ID_j$, $C$ returns $PK_y = bP$ and inserts $(ID_y, \perp, bP)$ into $LK_p$.
• PKI-trapdoor query: When $A_l$ submits this query with an identity $ID_j$ and a keyword $w$, $C$ aborts the game if $ID_y = ID_j$. Otherwise, $C$ searches for $(w, h_w)$ in $L_2$; if the tuple is found, $C$ runs the PKI-TG algorithm to compute $T_w$ and returns it to $A_l$. Otherwise, $C$ makes an $H_2$ query to obtain $h_w$, inserts $(w, h_w)$ into $L_2$ and uses $h_w$ to run the PKI-TG algorithm to compute $T_w$. Finally, $C$ returns $T_w$ to $A_l$.
Challenge $A_l$ sends $C$ a sender's identity $ID_A$, a receiver's identity $ID_B$ and a chosen pair of keywords $(w_0, w_1)$, with the restriction that the PKI-trapdoor query on $w_0$ and $w_1$ has never been asked. If $ID_x \ne ID_A$ or $ID_y \ne ID_B$, $C$ aborts the game. Otherwise, $C$ randomly selects one of the two keywords, chooses $k, m \in \mathbb{Z}_{q_1}^*$ and $CP \in G_1$, runs an $H_2$ query on the selected keyword to acquire $h_w$, then sets $R^* = k h_w^2\, CP$ and $y^* = m$ and returns the challenge ciphertext $(R^*, y^*)$ to $A_l$.
Phase 2 $A_l$ can make further queries, except for the PKI-trapdoor query on the keywords $w_0$ and $w_1$.
Guess $A_l$ outputs its guess. To guess correctly, $A_l$ must have computed $R_w = h_w^2 k d_S PK_B = h_w^2 k\,abP$. Hence $C$ can use the value $k$ it chose in the challenge phase and the $h_w$ taken from $L_3$ to compute $abP = h_w^{-2} k^{-1} R_w$ as the answer to the CDHP. Finally, we conclude that as long as $A_l$ wins, $C$ can solve the CDHP. Nevertheless, it is well known that mathematical problems such as the CDHP cannot be solved efficiently at present, which confirms that our scheme achieves ciphertext indistinguishability.

Theorem 2 Under the hypothesis of the complexity of the BDHIP, the proposed CP-CHSKS scheme achieves trapdoor indistinguishability against adversary $A_3$ in the ROM.
Proof $C$ chooses an instance $(P, aP)$ of the BDHIP, where $a \in \mathbb{Z}_q^*$ is unknown. The purpose of $C$ is to compute $\hat e(P, P)^{1/a}$.

Initialization
The same initialization is used in the proof of Theorem 2 as it was in Theorem 1.

Phase 1
In the proof of Theorem 2, the operations required of $C$ in Phase 1 are similar to those in the proof of Theorem 1.
During the proof of Theorem 2, $A_3$ can make the queries that $A_1$ executed in the proof of Theorem 1. The $H_1$, $H_2$ and $H_3$ queries, the CL-partial key query and the PKI-trapdoor query are handled as in Theorem 1; the queries that are answered differently in this phase are listed below:
• CL-public key query: When receiving a CL-public key query on $ID_i$ submitted by $A_3$, $C$ can normally provide $A_3$ with $PK_i = (T_i, PPK_i)$ without any identity restriction.
• CL-secret value query: When $A_3$ submits this query on $ID_i$, $C$ can normally provide $A_3$ with the user's secret value $d_i$. There is no identity restriction.
• CL-replace public key query: Any sender's public key can be replaced by $A_3$.
• PKI-public key query: When $C$ receives a PKI-public key query on $ID_j$, if $ID_y = ID_j$, $C$ sets $PK_y = aP$, returns $PK_y$ to the adversary and inserts $(ID_y, \perp, aP)$ into $LK_p$. The other cases are handled as in the proof of Theorem 1.
• CL-PKI-SE query: $A_3$ submits this query with a keyword $w$, a sender's identity $ID_i$ and a receiver's identity $ID_j$. $C$ generates the ciphertext by running the CP-PEKS algorithm and sends it to $A_3$.
Challenge Adversary $A_3$ provides challenger $C$ with a receiver's identity $ID_B$ and a pair of keywords $(w_0, w_1)$, with the restriction that the CL-PKI-SE query and the PKI-trapdoor query on $w_0$ and $w_1$ have never been asked.
In the case $ID_y \ne ID_B$, $C$ aborts the game. Otherwise $C$ selects $f \in \mathbb{Z}_q^*$ and one of the two keywords at random, then returns $T^*_w = fP$ to $A_3$.
Phase 2 $C$ allows $A_3$ to make further queries, except for the PKI-trapdoor query and the CL-PKI-SE query on the keywords $w_0$ and $w_1$.
Guess $A_3$ outputs its guess. We conclude that if $A_3$ wins, then $A_3$ has worked out $T_w = (h_w d_y)^{-1} P = (h_w a)^{-1} P$. Then $C$ can solve the BDHIP by computing $\hat e(T_w, P)^{h_w} = \hat e((h_w d_y)^{-1} P, P)^{h_w} = \hat e(P, P)^{d_y^{-1}} = \hat e(P, P)^{1/a}$. Nevertheless, it is well known that mathematical problems such as the BDHIP cannot be solved efficiently at present, which confirms that our scheme achieves trapdoor indistinguishability.
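To check the algebra of the scheme above with concrete numbers, the following Python model (added here; it is not the paper's code) replaces the pairing with a toy bilinear map over small integers: it verifies the relation $T_i + P_{pub} = u_i P_1$ that follows from the CL-PKE formulas, the identity $\hat e(T_w, P)^{h_w} = \hat e(P, P)^{1/d_r}$ used in the proof of Theorem 2, and the challenger's extraction $abP = h_w^{-2} k^{-1} R_w$ from the proof of Theorem 1. The group sizes, the hash stand-ins and all sample values are constructed for illustration, and the model has no security at all since its discrete logarithms are trivial.

```python
# Toy bilinear-map model for checking the algebra of the CP-CHSKS building blocks.
# Constructed for illustration only: group elements are plain scalars and the
# "pairing" is modular exponentiation, so discrete logarithms are trivial and
# nothing here is secure. It only lets us verify the paper's identities numerically.
import hashlib

Q = 101                                   # toy prime order of G1 and G2 (constructed)
P_MOD = 607                               # prime with Q | P_MOD - 1 (constructed)
G2_GEN = pow(2, (P_MOD - 1) // Q, P_MOD)  # generator of the order-Q subgroup of F_P_MOD^* (plays G2)
assert G2_GEN != 1

# A point of G1 is written as the scalar x, meaning x*P1; the generator P1 is the scalar 1.
P1 = 1


def pair(x, y):
    """Toy pairing e(xP1, yP1) = g^(xy mod Q): bilinear by construction."""
    return pow(G2_GEN, (x * y) % Q, P_MOD)


def inv(x):
    """Inverse modulo Q (Q is prime, so every non-zero residue has one)."""
    return pow(x % Q, -1, Q)


def hash_to_zq(*parts):
    """Random-oracle stand-in for H1/H2/H3: hash the inputs into Z_Q^* (never zero)."""
    digest = hashlib.sha256("|".join(str(p) for p in parts).encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


# CL-PKE as given in Section 4: D_i = r_i P1, t_i = H1(ID_i, D_i),
# u_i = r_i + msk*(t_i + 1) mod q1, T_i = D_i + t_i P_pub.
def cl_pke(msk, p_pub, identity, r_i):
    d_i = (r_i * P1) % Q
    t_i = hash_to_zq("H1", identity, d_i)
    u_i = (r_i + msk * (t_i + 1)) % Q
    t_pub = (d_i + t_i * p_pub) % Q
    return u_i, t_pub


def partial_key_consistent(u_i, t_pub, p_pub):
    """Derived check: T_i + P_pub must equal u_i P1, which is what the
    e(T_S + P_pub, P2) factor of the Test equation relies on."""
    return (t_pub + p_pub) % Q == (u_i * P1) % Q


# PKI-TG: h_w = H2(w), T_w = (h_w d_r)^{-1} P1.
def pki_trapdoor(keyword, d_r):
    h_w = hash_to_zq("H2", keyword)
    return (inv(h_w * d_r) * P1) % Q


def theorem2_identity_holds(keyword, d_r):
    """The step of Theorem 2's proof: e(T_w, P)^{h_w} = e(P, P)^{1/d_r}."""
    h_w = hash_to_zq("H2", keyword)
    t_w = pki_trapdoor(keyword, d_r)
    lhs = pow(pair(t_w, P1), h_w, P_MOD)
    rhs = pow(pair(P1, P1), inv(d_r), P_MOD)
    return lhs == rhs


# Theorem 1: the proof states R_w = h_w^2 k d_S PK_B with d_S = a and PK_B = bP,
# and the challenger extracts abP = h_w^{-2} k^{-1} R_w.
def ciphertext_r_component(keyword, k, d_s, pk_r):
    h_w = hash_to_zq("H2", keyword)
    return (h_w * h_w * k * d_s * pk_r) % Q


def cdhp_extract(r_w, keyword, k):
    h_w = hash_to_zq("H2", keyword)
    return (inv(h_w * h_w) * inv(k) * r_w) % Q


if __name__ == "__main__":
    msk = 17                                  # constructed master secret key
    p_pub = (msk * P1) % Q
    u, t = cl_pke(msk, p_pub, "sensor-01", r_i=29)
    print("T_i + P_pub == u_i P1:", partial_key_consistent(u, t, p_pub))
    print("e(T_w,P)^h_w == e(P,P)^(1/d_r):", theorem2_identity_holds("heart-rate", 37))
    a, b, k = 5, 11, 23                       # constructed CDHP instance and sender nonce
    r_w = ciphertext_r_component("heart-rate", k, a, (b * P1) % Q)
    print("recovered abP:", cdhp_extract(r_w, "heart-rate", k), "expected:", (a * b) % Q)
```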

Theorem 3 Under the hypothesis of the complexity of the DLP, the proposed CP-CHSKS scheme achieves ciphertext unforgeability against adversary $A_1$ in the ROM.
Proof $C$ and $A_1$ play Game 3 together. $C$ is given a tuple $(P, aP)$ of the DLP, where $a$ is unknown. The purpose of $C$ is to compute the value of $a$.
Initialization The same initialization is used in the proof of Theorem 3 as in Theorem 1.

Phase 1
In the proof of Theorem 3, the operations required for C in phase 1 are similar to the proof of Theorem 1 except that P pub is set as aP . H 1 query, H 2 query and H 3 query need the same treatment as Theorem 1, other queries requiring different methods to answer in this phase are listed below: • CL-secret value query: Now, C can normally provide A 1 with the corresponding user's secret value d i when receiving a CL-secret value query on ID i . • CL-public key query: Now, C needs to randomly determine a value c i ∈ {0, 1} and use it to decide the progress of the game. When receiving a CL-public key query on ID i submitted by as the answer and inserts tuple (ID i , d i , T i , ⊥, PPK i , r i , 1) and (ID i , D i , t i ) into lists LK c and L 1 respectively. If c i = 0 , C chooses u i , r i , d i , t i ∈ Z q 1 randomly, then sets D i = r i P , T i = u i P − P pub and PPK i = d i P . Finally, C inserts tuple into LK c and L 1 respectively, and PK i = (T i , PPK i ) is returned. • CL-partial key query: A 1 submits this query on ID i , If the tuple (ID i , d i , T i , u i , PPK i , r i , c i ) exists in LK c and c i = 1 , C stops the simulation. Otherwise, C returns the partial private key u i to A 1 . • CL-replace public key query: As long as the adversary chooses a legitimate value, any sender's public key can be replaced. • CL-PKI-SE query: A 1 submits this query on the sender's identity in list LK c and c i = 1 , the challenger stops the simulation. • PKI-trapdoor query: C is no need to consider the case of ID y = ID j , it can answer this query normally. • PKI-public key query: C is no need to consider the case of ID y = ID j , it can answer this query normally.
Forgery Now A_1 outputs a forged ciphertext ∗_w = (R∗, y∗), a sender's identity ID_A and a receiver's identity ID_B. Through the above process, the conditions defined in Game 3 should be met. If the tuple (ID_A, d_A, T_A, u_A, PPK_A, r_A, c_A) exists in the list LK_c and c_A = 0, the challenger stops the simulation. Otherwise, according to the forking lemma in [31], another valid keyword ciphertext Υ_w = (R^Υ, y^Υ) can be generated in the same way. So, we can get as the answer of DLP. The proof is as follows: From the statements above, we can conclude that as long as the keyword ciphertext is successfully forged by A_1, C is certain to solve DLP. Nevertheless, it is well known that mathematical hard problems such as DLP cannot be solved efficiently at present, which confirms that our scheme is resistant to both KGA and IKGA initiated by A_1.
into LK_c and L_1 respectively. If ID_x = ID_i, C selects t_x, r_x ∈ Z_{q_1} randomly, then computes D_x = r_x P, u_x = r_x + (t_x + 1) (mod q_1), T_x = D_x + t_x P_pub and sets PPK_x = aP. Finally, C provides A_2 with PK_x = (T_x, PPK_x) and inserts the tuples (ID_x, ⊥, T_x, u_x, aP, r_x) and (ID_x, D_x, t_x) into LK_c and L_1 respectively.
• CL-replace public key query: A_2 has no chance to perform this query.
• PKI-trapdoor query: C does not need to consider the case ID_y = ID_j, so it can answer this query normally.
• PKI-public key query: C does not need to distinguish identities; it can normally provide A_2 with the corresponding user's public key PK_j when receiving a PKI-public key query on ID_j.
Forgery Now A_2 outputs a forged ciphertext ∗_w = (R∗, y∗), a sender's identity ID_A and a receiver's identity ID_B. Through the above process, the conditions defined in Game 3 should be met. If ID_A ≠ ID_x, the challenger stops the simulation. Otherwise, another valid keyword ciphertext Υ_w = (R^Υ, y^Υ) can be generated in the same way, then C can get as the answer of DLP. The proof is as follows: From the statements above, we can conclude that as long as the keyword ciphertext is successfully forged by A_2, C is certain to solve DLP. Nevertheless, it is well known that mathematical hard problems such as DLP cannot be solved efficiently at present. Therefore, our scheme has ideal ciphertext unforgeability and is able to resist both KGA and IKGA launched by A_2.
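The extraction step that both forgery phases above (for A_1 and for A_2) rely on: by the forking lemma, two valid keyword ciphertexts (R∗, y∗) and (R^Υ, y^Υ) that share the same R but were produced under different random-oracle answers let C recover the DLP answer a. This is an added illustration, not the paper's scheme: it assumes a Schnorr-type relation y = r + h·a for the (R, y) component (the scheme's own equation for y does not appear on this page) and uses a constructed toy prime-order subgroup of Z_p^* in place of the elliptic-curve group; all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy group (not the paper's curve): prime-order subgroup of Z_p^*
# with p = 2q + 1, p = 2039, q = 1019, generator g = 4 (order q).
P_MOD, Q_ORD, G = 2039, 1019, 4

def h_oracle(R, keyword):
    """Random oracle H, modelled with SHA-256 and reduced into Z_q."""
    data = f"{R}|{keyword}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q_ORD

def reprogrammed_oracle(R, keyword):
    """Oracle of the rewound run: identical up to the forking point, different answer there."""
    return (h_oracle(R, keyword) + 1) % Q_ORD

def keyword_ciphertext(a, keyword, oracle, coins):
    """Assumed Schnorr-type (R, y) component: R = g^r, y = r + h*a mod q.
    `coins` is the forger's random tape, so a rewound run reuses the same r and R."""
    r = coins % (Q_ORD - 1) + 1
    R = pow(G, r, P_MOD)
    h = oracle(R, keyword)
    y = (r + h * a) % Q_ORD
    return R, y

def valid(pub_a, keyword, R, y, oracle):
    """Validity check for the assumed relation: g^y == R * pub_a^h (mod p)."""
    h = oracle(R, keyword)
    return pow(G, y, P_MOD) == (R * pow(pub_a, h, P_MOD)) % P_MOD

def extract_dlog(keyword, first, second, oracle1, oracle2):
    """Forking-lemma extraction: two valid pairs with the same R but h1 != h2
    give a = (y1 - y2) / (h1 - h2) mod q, the discrete log of pub_a = g^a."""
    (R1, y1), (R2, y2) = first, second
    if R1 != R2:
        raise ValueError("forking requires both runs to share R")
    h1, h2 = oracle1(R1, keyword), oracle2(R2, keyword)
    inv = pow((h1 - h2) % Q_ORD, -1, Q_ORD)  # exists: q prime and h1 != h2
    return ((y1 - y2) * inv) % Q_ORD

def solve_dlp_by_forking(a, keyword="heart_rate"):
    """Run the forger twice on the same coins with different oracle answers, then extract a."""
    coins = secrets.randbelow(Q_ORD)
    first = keyword_ciphertext(a, keyword, h_oracle, coins)
    second = keyword_ciphertext(a, keyword, reprogrammed_oracle, coins)
    assert valid(pow(G, a, P_MOD), keyword, *first, h_oracle)
    return extract_dlog(keyword, first, second, h_oracle, reprogrammed_oracle)
```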

Performance analysis
In order to enable a reasonable evaluation of our scheme, in this section we choose five existing schemes [19, 26, 29, 30, 31] to compare with ours in terms of computation cost, features and communication overhead.

Computation cost and features comparison
In order to make the comparison results more intuitive, we conducted a quantitative comparative analysis. The MIRACL library was run on a personal computer with an Intel 2.90 GHz CPU and 4 GB of RAM to obtain the experimental data; this experimental environment is similar to that of scheme [28]. Table 2 summarizes the calculation symbols used and the corresponding time required for the operation represented by each symbol. The computation cost and feature comparison results are shown in Tables 3 and 4 respectively. (l+) (l ∈ N) denotes l operations that can be calculated offline; the cost of offline computation is not included in our comparison results. Figure 2 shows the comparative results of the computation cost in the form of a column chart. From Tables 3 and 4 and Fig. 2, we can clearly see that our scheme has outstanding performance. Compared with [19, 26, 29, 30, 31], our scheme has a considerably lower total computation cost than the other five schemes: the total computation cost of our scheme is reduced by about 61.17%, 87.61%, 69.93%, 71.83% and 59.99%, respectively. In addition to the low computation cost, our scheme can resist IKGA while schemes [19] and [26] cannot. In the test phase of scheme [26], the tester needs to obtain the hash value of the keyword, which means that the tester needs to get the keyword information. As for scheme [19], it allows trapdoors to propagate over public channels by specifying two test servers. However, although two test servers are specified in [19], due to the lack of the sender's private key in the keyword ciphertext generation phase, internal attackers such as two collusive servers can still execute IKGA. Scheme [31] has excellent
Table 2 (fragment): the time required for an exponentiation operation in G_2 is 0.339

Declarations
Ethical approval and consent to participate Not applicable.

Consent for publication Not applicable.
Human and animal ethics This article does not contain any studies with human participants or animals performed by any of the authors.