TCA-PEKS: Trusted certificateless authentication public-key encryption with keyword search scheme in cloud storage

Public key encryption with keyword search (PEKS) technology is capable of achieving accurate ciphertext retrieval while protecting data privacy. However, curious or malicious semi-trusted cloud servers can cause privacy breaches, which creates a trust problem for ciphertext management and searching. To address this problem, we propose a trusted certificateless authentication public-key encryption with keyword search scheme in cloud storage (TCA-PEKS), which ensures trusted retrieval and simultaneously resolves the problems of key escrow and certificate management that exist in PEKS. In the scheme, the security of ciphertext storage and verification is strengthened by the tamper-resistant features of the blockchain, which assists users in verifying the correctness of a file. In particular, we construct an open and transparent smart contract to limit the malicious behaviour of cloud servers, in which the user's complete private key is split into the secret value and the partial private key, further guaranteeing the correctness of the retrieval process. Finally, the scheme is proven to satisfy ciphertext and trapdoor indistinguishability under the random oracle model, and the performance evaluation results show that the scheme is highly efficient.


Introduction
With the growing maturity of cloud storage technology, users can significantly reduce their local hardware storage overhead and make data access more convenient by uploading data to remote cloud servers [1,2]. However, due to the data being stored in the cloud, it is out of the owner's physical control, and the cloud servers may be unreliable, resulting in personal information leakage. Therefore, cloud data security has become an urgent problem in the development of cloud storage.
Cryptography is currently the main means to protect the security of data. Users encrypt data with cryptographic algorithms and then upload it to the cloud server for management, which makes it difficult for malicious adversaries to access the plaintext content of the data and effectively prevents any leakage of the user's private information [3,4]. However, if a user wants to find a certain data file, he has to download a large number of ciphertexts and then decrypt them all, and the high-frequency decryption and file transfer operations waste a large amount of computational resources. Therefore, this method is not applicable for scale cloud storage, and it destroys the searchability of the data.
Searchable encryption (SE), which can accurately locate encrypted data by user requests, has become a hot research topic in the cloud storage technology field. This technology generates unique encryption indexes, which enable encrypted files to be retrieved. Users locate data files by matching keyword ciphertexts against the corresponding trapdoors. It can therefore balance the retrievability and confidentiality of the cloud data.
Searchable encryption is divided into two types, symmetric searchable encryption (SSE) and public key encryption with keyword search (PEKS). SSE mostly contains only hash functions or binary operations, and exhibits high efficiency [5], but due to the complexity of key negotiations, it is generally used for retrieval of personal encrypted data. In contrast, PEKS is more widely used in multiuser scenarios because it can encrypt data using the receiver's public key without facing the insecurity of the key negotiation process [6].
In PEKS, the third-party cloud server is the main entity that performs the search algorithm, so whether or not it is credible determines the correctness of the user's search results. In most scenarios cloud servers act as honest but curious entities, which will not actively deviate from the scheduled retrieval process. However, because of a lack of effective supervision, cloud servers are likely to be internal adversaries that steal user privacy data and return incorrect results [7]. In recent years, blockchain technology has received widespread attention because of its decentralized and distributed characteristics. In particular, the immutability of the blockchain and the transparency of smart contracts assist in establishing a trusted ciphertext retrieval system. Motivated by these advantages, we exploit consortium blockchain technology to develop our scheme. It uses consensus among multiple preselected nodes to create a distributed database that is moderately decentralized and more efficient than public blockchains, which contributes to effectively solving the problem of third-party semi-trustworthiness in searchable encryption [8].
Key security and multiuser retrieval burdens also further affect the reliability of the retrieval process. One reason is that public-key cryptosystems based on Public Key Infrastructure (PKI) have large-scale certificate management problems. The other reason is that identity-based cryptography (IBC) solves the certificate management problem by using identity information, but at the same time introduces the insecurity of key escrow. To address these challenges, certificateless public key cryptography (CL-PKC) schemes are effective [9][10][11][12][13]. CL-PKC is built on IBC, and its key consists of two parts: the identification key extracted from the key generation centre and the user's own private key. These keys effectively reduce the complexity of key management in the PEKS scheme [14]. In this paper, to address the abovementioned privacy threats caused by curious or malicious behavior of third-party cloud servers and the problems in PEKS based on traditional public-key cryptosystems and IBC, we propose a trusted certificateless authentication public-key encryption with keyword search scheme in cloud storage (TCA-PEKS) using the immutability of the blockchain and the advantages of CL-PKC.

Our contributions
Most PEKS schemes assume that the cloud servers are credible and do not consider the security problems that arise when the cloud servers are semi-trustworthy. Therefore we propose a new notion called trusted certificateless authentication public-key encryption with keyword search to solve the aforementioned problem, which combines blockchain technology with CL-PKC to limit the malicious behaviour of cloud servers. In TCA-PEKS, the user's private key includes two parts: a partial private key based on the user's identity information generated by the key generation centre (KGC), and a secret value. This assures that an adversary, or even a malicious KGC, cannot forge a valid private key. After that, the data owner uploads encrypted files associated with keywords, while the ciphertext and hash of the encrypted file are stored in the blockchain, which assists in verifying the system's correctness and integrity. To ensure a correct search process, the scheme uses smart contracts to execute retrieval algorithms instead of the traditional cloud servers. Then, the cloud server sends the data file that contains the file serial number. If a cloud server intends to forge a file, it can be captured because the recipient will compare the hash value stored on the blockchain to the retrieved file's hash value.
We formally prove that the TCA-PEKS scheme satisfies ciphertext indistinguishability and trapdoor indistinguishability based on two types of adversary attacks under the random oracle model, and it is verified to resist the Keyword Guessing Attack (KGA). In addition, to further enhance the trapdoor security in the trapdoor generation process, we not only use part of the user's private key and secret value but also insert random values to ensure that trapdoors for the same keyword differ.
We compare TCA-PEKS with other PEKS schemes in terms of computational complexity, including the encryption algorithm, trapdoor algorithm and search algorithm, and simultaneously simulate the actual performance of each algorithm. The computational complexity and average time indicate that our scheme is more efficient, that security is ensured under adversary attacks, and that it provides confidence for the user when accessing the files.

Related work
Boneh et al. introduced the public key cryptosystem into searchable encryption and proposed the concept of PEKS [15], but problems such as low retrieval efficiency and leakage of keyword information in the file exist, which restricts trapdoor transmission to secure channels only. J. Baek improved the security of trapdoor transmission by requesting server key pairs [16]. Rhee et al. proposed the concept of trapdoor indistinguishability and designed the first PEKS scheme against the Keyword Guessing Attack (KGA) [17]. Fang et al. proved that a strong signature scheme can resist both selective keyword attacks and ciphertext attacks [18]. In recent years, Chen et al. used keyword servers to assist in the generation of trapdoors and ciphertexts, preventing attackers from forging ciphertexts [19]. Xu et al. provided an encrypted data search scheme with fine-grained access control by using a secure dynamic searchable encryption [20]. Some schemes were also successively optimized and became more secure and efficient against attacks from external adversaries [21,22].
Introducing blockchain smart contract technology into traditional searchable encryption solves, to some extent, the semi-trustworthy problem of cloud servers [23]. By using smart contracts, the original cloud-based search process is entrusted to the predefined smart contract, which executes a trusted search without the third party's supervision. L. Chen et al. proposed a blockchain-based searchable encryption scheme for health records [24], using blockchain technology to ensure data integrity and traceability. Blockchain and attribute-based cryptosystems have been combined to design a searchable encryption data sharing scheme [25], and Chen et al. designed a highly efficient cloud-assisted public key searchable encryption scheme in the context of vehicular networking [26].
The current PEKS schemes face the problems of complex certificate management and key escrow. In 2014, Peng et al. proposed the concept of certificateless encryption with keyword search based on certificateless cryptosystems [27]. Islam et al. proposed a certificateless ciphertext retrieval scheme for designated servers [28]. Ma et al. proposed certificateless searchable encryption schemes that were applied to industrial IoT environments and mobile networks [29]. These certificateless searchable encryption schemes all assume by default that the cloud server does not act as an internal adversary to obtain the keyword information of the file. However, as an important carrier of data management and algorithm operation, the cloud server causes serious privacy and security threats once it is compromised or carries out an inside Keyword Guessing Attack (IKGA).

Paper organization
The rest of the paper is organized as follows. We introduce the preliminary knowledge and the security model of this scheme in Sect. 2. In Sect. 3, we introduce the system model and construct a concrete TCA-PEKS profile. We prove its concrete security capabilities in Sect. 4. In Sect. 5, the performance of the proposed scheme is compared and analysed, and finally, we present the conclusion of the paper.

Bilinear pairing
Suppose $G_1$, $G_2$ are multiplicative cyclic groups of prime order $p$, and $g$ is a generating element of the group $G_1$. There exists a bilinear pairing $\hat{e}: G_1 \times G_1 \to G_2$ that has the following three properties:
1. Bilinear: Given $a, b \in Z_q$, $\hat{e}(g^a, g^b) = \hat{e}(g, g)^{ab}$.
2. Computable: Given $g \in G_1$, there exists an efficient algorithm to compute $\hat{e}(g, g) \in G_2$.
3. Non-degenerate: There exists $g \in G_1$ such that $\hat{e}(g, g) \neq 1$.

Definition 1: DBDH (Decisional Bilinear Diffie-Hellman Hypothesis)
For the generated tuples $T_1(g, g^a, g^b, \hat{e}(g, g)^{abc})$ and $T_2(g, g^a, g^b, \hat{e}(g, g)^z)$, adversary $Adv_{DBDH}$ cannot distinguish $T_1$, $T_2$ in polynomial time with a non-negligible advantage.

Definition 2: DDH (Decisional Diffie-Hellman Hypothesis)
Let $g$ be the generating element of the group $G_1$. Randomly select $(a, b, z) \in Z_q$. For the generated tuples $T_1(g, g^a, g^b, g^{ab})$ and $T_2(g, g^a, g^b, g^z)$, adversary $Adv_{DDH}$ cannot distinguish $T_1$, $T_2$ in polynomial time with a non-negligible advantage.

Definition 3: PBFT (Practical Byzantine Fault Tolerance)
A consensus mechanism that has high processing efficiency and transaction volume with a moderate number of nodes, commonly used in consortium or private blockchains. The main process is as follows: when the client uploads a message to the master node, the master node generates a sequence number for the message. Then, storage operations are performed when the master node receives the number of verification credentials, $n \geq 2f + 1$, from the slave nodes. ($f$ indicates the number of adversary nodes that can be accommodated, and the total number of nodes is $n = 3f + 1$.)

IND-CKA security model
IND-CKA (Indistinguishability-Chosen Keyword Attack) is divided into CIND-CKA (Ciphertext Indistinguishability under adaptive Chosen Keyword Attack) and TIND-CKA (Trapdoor Indistinguishability under adaptive Chosen Keyword Attack). To resist keyword guessing attacks, a scheme should satisfy both CIND-CKA and TIND-CKA. Therefore, we show that the scheme is IND-CKA secure, which proves that no adversary can win the security game with a non-negligible advantage in polynomial time. There are two types of adversaries, $A_I$ and $A_{II}$, in TCA-PEKS: $A_I$ can replace the user's public key but cannot access the master key, and $A_{II}$ cannot replace the user's public key but can access the master key. The scheme proposed in this paper mainly proves security in terms of CIND-CKA and TIND-CKA.

Game 1 CIND-CKA consists of the following algorithm, which is formed by the interaction between adversary $A_I$ and challenger $C$, to ensure that the ciphertext does not reveal keyword information. The game is defined as follows:
Initialization Setup: $C$ generates the master key $SK_m$ and the public parameters $Params$; $A_I$ cannot obtain the master key.
Phase 1: $A_I$ issues a sequence of queries adaptively polynomial-many times.
Hash-Query: $A_I$ executes the hash-query algorithm; the challenger maintains the mapping tuple and returns the corresponding value to the adversary.
Partial-Private-Key-Query: Given the identity $ID_i$, $C$ returns the corresponding part of the private key $D_i$.
Private-Key-Query: Given the identity $ID_i$, $C$ returns the corresponding secret value $x_i$.
Public-Key-Query: Given the identity $ID_i$, $C$ runs the algorithm to compute the public key $PK$ and returns it to $A_I$.
Replace-Public-Key: $A_I$ can randomly replace the public key.
Encryption-Query: Input a keyword $w$ and identity information; $C$ runs the encryption algorithm and returns the corresponding ciphertext to $A_I$.
Trapdoor-Query: Input a keyword $w$ and the identity information; $C$ runs the trapdoor algorithm and returns the corresponding trapdoor $T_w$ to $A_I$.
Challenge: $A_I$ selects two keywords $w_0, w_1$ with equal length and identities $(ID_o, ID_u)$; $A_I$ can replace the public key information for the given identities. $C$ generates the ciphertext $C = \{C_1, C_2, C_3\}$ and randomly selects a bit $b$ from $\{0, 1\}$, then sends the corresponding ciphertext to $A_I$.
Guess 1: $A_I$ selects and outputs $b'$, and wins the challenge if $b' = b$.
In Game 1, we define the advantage of successfully distinguishing the ciphertext of TCA-PEKS as

Game 2 CIND-CKA consists of the following algorithm, which is formed by the interaction between adversary $A_{II}$ and challenger $C$, to ensure that the ciphertext does not reveal keyword information. The game is defined as follows:
Initialization Setup: $C$ generates the master key $SK_m$ and the public parameters $Params$; $A_{II}$ obtains the master key but cannot replace the public key.
Phase 1: $A_{II}$ is allowed to execute Hash-Query, Private-Key-Query and Public-Key-Query in an adaptive manner.
Encryption-Query: Input a keyword $w$ and identity information; $C$ runs the encryption algorithm and returns the corresponding ciphertext to $A_{II}$.
Trapdoor-Query: Input a keyword $w$ and identity information; $C$ runs the trapdoor algorithm and returns the corresponding trapdoor $T_w$ to $A_{II}$.
Challenge: $A_{II}$ selects two keywords $w_0, w_1$ with equal length and identities $(ID_o, ID_u)$; $A_{II}$ can compute the part of the private key information for the given identities. $C$ generates the ciphertext $\{C_1, C_2, C_3, C_4\}$ and randomly selects a bit $b$ from $\{0, 1\}$, then sends the corresponding ciphertext to $A_{II}$.
Guess 1: $A_{II}$ selects and outputs $b'$, and wins the challenge

In Game 2, we define the advantage of successfully distinguishing the ciphertext of TCA-PEKS as

Game 3 TIND-CKA consists of the following algorithm, which is formed by the interaction between adversary $A_I$ and challenger $C$, to ensure that the trapdoor does not reveal keyword information. The game is defined as follows:
Initialization Setup: The process is the same as in Game 1.
Phase 1: The process is the same as in Game 1.
Challenge: $A_I$ selects two keywords $w_0, w_1$ with equal length and identities $(ID_o, ID_u)$; $A_I$ can replace the public key information for the given identities. $C$ generates trapdoor $T = \{T_1, T_2, T_3\}$ and randomly selects a bit $b$ from $\{0, 1\}$, then sends the corresponding trapdoor to $A_I$.
Guess 1:

In Game 3, we define the advantage of successfully distinguishing the trapdoor of TCA-PEKS as

Game 4 TIND-CKA consists of the following algorithm, which is performed by the interaction between adversary $A_{II}$ and challenger $C$, to ensure that the trapdoor does not reveal keyword information. The game is defined as follows:
Initialization Setup: The process is the same as in Game 2.
Phase 1: $A_{II}$ is allowed to execute Hash-Query, Private-Key-Query, Public-Key-Query, Encryption-Query and Trapdoor-Query in an adaptive manner.
Challenge 1: $A_{II}$ selects two keywords $w_0, w_1$ with equal lengths and identities $(ID_o, ID_u)$; $A_{II}$ can compute the part of the private key information for the given identities. $C$ generates the encryption trapdoor $T = \{T_1, T_2, T_3\}$ and randomly selects a bit $b$ from $\{0, 1\}$, then sends the corresponding trapdoor to $A_{II}$.
Guess 1: $A_{II}$ selects and outputs $b'$ and wins the challenge

In Game 4, we define the advantage of successfully distinguishing the trapdoor of TCA-PEKS as

Our scheme

Our system model
In this section, we show an architecture for the interaction in TCA-PEKS, which consists of five main entities, the data owner (DO), data user (DU), cloud store server (CS), blockchain system (BCS) and key generation center (KGC), all of which play different roles and perform different functions in the ciphertext retrieval system, as shown in Fig. 1.
KGC holds the master public key, and its task is to generate the partial private keys according to identity information. The owner extracts the keywords of the data file he wants to encrypt, and then uses the private key to generate the ciphertext with the keywords. DU is the receiver who is authorized to access the encrypted data; he can generate a trapdoor with the corresponding keyword when performing ciphertext retrieval. CS is operated by a third-party cloud service provider and is used to store the encrypted data file; notably, it does not perform search operations in our scheme. BCS mainly consists of the data blocks and the smart contracts which are deployed on it. Smart contracts perform matching operations between trapdoors and ciphertexts based on predefined search algorithms, and their open and transparent features guarantee the correctness of the results.

In overview, our system is divided into 5 stages. First, KGC deploys the cryptosystem to generate public parameters and the master keys; it also processes user registration requests, then generates a partial private key based on the user's identity information. After that, if DO wants to upload an encrypted data file to CS, he extracts the keywords in the file and encrypts the keywords using part of the private key and the secret value to generate the ciphertext. Then the DO hashes the data in the files and uploads the hash value and the ciphertext to the blockchain to assist in the verification process. When DU performs a search query for a keyword, it calculates the trapdoor based on the complete private key and then uploads the trapdoor to BCS. Once the BCS receives the trapdoor, the smart contract sends $PK_{do}$, which is contained in the trapdoor, to the CS for interactive processing, and performs the matching operation with the ciphertext after getting the result returned by CS. Then, when the correct ciphertext is found, the smart contract parses the corresponding $C_H$ (mainly including file serial number $n$ and encrypted file hash $M_H$), sends $n$ to the cloud server and returns $M_H$. Finally, DU receives the file $M$ from the cloud server and runs the same hash algorithm for file integrity verification to obtain result $M_H^*$. If the cloud server performs a malicious operation, it will be captured because $M_H^*$ is not equal to $M_H$.

Our model has the following advantages:
1. Reliability: If the trapdoor provided by the receiver is correct, he can obtain the correct data file from the server. If the cloud server returns incorrect results or deviates from the system, it can be captured.
2. Confidentiality: The model prevents the ciphertext and trapdoor from revealing other information. In addition, we refer to work [26] to achieve forward privacy by introducing version information, so that the adversary cannot know whether a newly added ciphertext is related to a previously searched trapdoor.
3. Distributability: Implemented through a decentralized blockchain, we can still return trustworthy results in the absence of a third-party trusted search server. This prevents incorrect results from being returned when cloud servers are attacked or compromised at some point.
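The upload and integrity-check flow described above (DO records $n$ and $M_H$ on chain, CS returns $M^* = \{n, C_M\}$, DU recomputes the hash), as an added example that is not the paper's code. SHA-256, the hash-linked `Ledger`, the `lookup` stand-in for the smart contract's trapdoor match, and all class and function names are assumptions; the quorum check uses the $2f + 1$ threshold of Definition 3.

```python
import hashlib
import hmac
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Hash used for M_H (SHA-256 is an assumption; the paper names no hash)."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str      # digest of the previous block (hash link)
    owner_id: str       # ID_do
    keyword_ct: bytes   # opaque stand-in for the keyword ciphertext C
    serial: int         # file serial number n
    file_hash: str      # M_H, hash of the encrypted file C_M

    def digest(self) -> str:
        fields = (self.index, self.prev_hash, self.owner_id,
                  self.keyword_ct.hex(), self.serial, self.file_hash)
        return sha256_hex("|".join(map(str, fields)).encode())


class Ledger:
    """Hash-linked block list standing in for the consortium blockchain."""
    GENESIS = "0" * 64

    def __init__(self, f: int):
        self.f = f                  # tolerated faulty nodes, n = 3f + 1
        self.blocks = []
        self.head = self.GENESIS    # digest the nodes agreed on

    def store(self, owner_id, keyword_ct, serial, file_hash, valid_votes):
        # Definition 3: commit only with at least 2f + 1 valid credentials.
        if valid_votes < 2 * self.f + 1:
            raise PermissionError("PBFT quorum not reached")
        block = Block(len(self.blocks), self.head, owner_id,
                      keyword_ct, serial, file_hash)
        self.blocks.append(block)
        self.head = block.digest()

    def chain_is_intact(self) -> bool:
        prev = self.GENESIS
        for block in self.blocks:
            if block.prev_hash != prev:
                return False
            prev = block.digest()
        return prev == self.head

    def lookup(self, serial):
        # Stand-in for the smart contract's trapdoor/ciphertext match:
        # returns the C_H contents (n, M_H) of the matching block.
        for block in self.blocks:
            if block.serial == serial:
                return block.serial, block.file_hash
        raise KeyError(serial)


class CloudServer:
    """Stores M* = {n, C_M}; it is not trusted to return the right file."""
    def __init__(self):
        self.files = {}

    def put(self, serial, encrypted_file):
        self.files[serial] = encrypted_file

    def fetch(self, serial):
        return serial, self.files[serial]


def upload(ledger, cloud, owner_id, keyword_ct, serial, encrypted_file,
           valid_votes):
    """DO side: hash C_M, put (C, n, M_H) on chain, send M* to the CS."""
    ledger.store(owner_id, keyword_ct, serial,
                 sha256_hex(encrypted_file), valid_votes)
    cloud.put(serial, encrypted_file)


def retrieve_and_verify(ledger, cloud, serial):
    """DU side: fetch the file and compare its hash M_H* with on-chain M_H."""
    if not ledger.chain_is_intact():
        return False, "ledger tampered"
    n, m_h = ledger.lookup(serial)
    got_n, c_m = cloud.fetch(n)
    if got_n != n:
        return False, "wrong serial number"
    if not hmac.compare_digest(sha256_hex(c_m), m_h):
        return False, "file hash mismatch"
    return True, "ok"


def demo():
    ledger, cloud = Ledger(f=1), CloudServer()
    c_m = b"constructed ciphertext of file 7"   # constructed sample data
    upload(ledger, cloud, "do-1", b"\x01\x02", 7, c_m, valid_votes=3)
    honest = retrieve_and_verify(ledger, cloud, 7)
    cloud.files[7] = b"forged ciphertext"       # CS swaps the stored file
    forged = retrieve_and_verify(ledger, cloud, 7)
    return honest, forged


if __name__ == "__main__":
    print(demo())
```

A cloud server that also rewrites $M_H$ in an already committed block to match its forged file is caught by `chain_is_intact`, because the rewritten block no longer matches the hash link held by its successor or the agreed head.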

Formal definition
Our scheme consists of the following algorithms, which are formally defined as follows.
• Setup (1 ) → ($params$, $SK_m$): Given a security parameter , randomly select $s \in Z_q$, $SK_m = s$ as the system master key, it sets the public parameters {$q$, $G_1$, $SK_m$, $ID_i$, output the public-private key pair.
• Encryption $(params, w_i, PK_{du/cs}, Q_{du}, D_{do}, SK_{do}, M) \to (C^*, M^*)$: Given $params$, $w_i$, $PK_{du}$, $PK_{cs}$, $Q_{du}$, $D_{do}$, $SK_{do}$, $M$, outputs ciphertext list $C^*$ and encrypted file list $M^* = \{n, C_M\}$.
• Store $(C^*, ID_{do}) \to Block_n$: Given the ciphertext list $C^*$ and the encrypted data list $M^*$, $C^*$ is uploaded to the blockchain, and $M^*$ is stored by the cloud server.
• Trapdoor $(params, SK_{du}, Q_{du/do}, D_{du}, w_i, PK_{do}) \to T_w$: Given $params$, $SK_{du}$, $Q_{du}$, $Q_{do}$, $D_{du}$, $w_i$, $PK_{do}$, outputs trapdoor $T_w$.
• Search $(params, C, M^*, T_w) \to n$: Given $params$, $C^*$, $M^*$, and $T_w$, outputs the file serial number $n$ and encrypted data file $C_M$.

TCA-PEKS scheme
Here, we propose the construction of TCA-PEKS, which is composed of six polynomial-time algorithms.

GenKey (params, SK
secret value $x_{du} \in Z_q$ randomly, outputs $SK_{du} = (x_{du}, D_{du})$ and $PK_{du} = g^{x_{du}}$. The generation process of $(SK_{do/cs}, PK_{do/cs})$ is the same.
3. Encryption $(params, w_i, PK_{du/cs}, Q_{du}, SK_{do}, M) \to (C^*, M^*)$: Randomly select $r \in Z_q$, retrieves version informa-
The master node executes the PBFT algorithm, and the other nodes verify and sign the message to obtain , $C^*$ and $ID_{do}$, which are uploaded to the blockchain if the legitimate verification message number is greater than $2f + 1$. The block structure is shown in Fig. 2.
5. Trapdoor $(params, x_{du}, Q_{du}, w_i, PK_{do}) \to T_w$: Randomly select $t \in Z_q$, DU obtains the version $EV$ where generated and published during the encryption phase, if $EV = \perp$, $w' = w_i$, else $w' = w_i \| EV$, computes trapdoor
The smart contract parses out $T_3$ and interacts with CS, and the CS generation
and 0 otherwise. The corresponding serial number $n$ is sent to the cloud server. The cloud server retrieves $M^* = \{n, C_M\}$ which contains $n$. The receiver can capture malicious operations in the cloud server because he has the file hash value in the $C_H$.

Theorem 1
Under the random oracle model, the DBDH problem is defined as follows: for $a, b, c, z \in Z_q$, the advantage of any polynomial-time adversary in distinguishing $T_0(g, g^a, g^b, g^c, \hat{e}(g, g)^{abc})$ from $T_1(g, g^a, g^b, g^c, \hat{e}(g, g)^z)$ is negligible.

Game 1 consists of the following processes:
Initialization Setup: Given a security parameter , $C$ generates the master public-private key pair $SK_m$, $PK_m$, and public parameter $Params$. $A_I$ cannot obtain the master key.
Phase I: Adversary $A_I$ adaptively issues a sequence of queries that are simulated by $C$.
$H_1$ query: $C$ randomly selects $i, j \in \{1, 2, \ldots, q_1\}$ and supposes that at most $q_1$ queries are made, then guesses that the $i$-th and the $j$-th queries initiated by $A_I$ correspond to the data owner's challenge identity $ID_o^*$ and the data receiver's challenge identity $ID_u^*$. In response to the query, $C$ initializes the empty list $L_{H1}$, including $(ID_i, Q_i, n_i)$. When $A_I$ issues queries about the identity:
1. If the query $ID_i$ is already in the list $L_{H1}$, indicating that $ID_i$ has been queried, returns the corresponding tuple $(ID_i, Q_i, n_i)$.

When , $C$ randomly selects $n_i \in Z_q$, computes $Q_i = g^{a n_i}$, records and returns the tuple $(ID_i, Q_i, n_i)$.
3. Otherwise, $C$ selects a random number $k \in Z_q$, computes $Q_i = g^k$, and records and returns the tuple
1. If the $ID_i$ is already in the list $L_{psk}$, the corresponding tuple is returned.
2. When $ID_i = ID_o^*$ or $ID_i = ID_u^*$, $C$ randomly selects $n_i \in Z_q$ and computes $D_i = g^{n_i}$, then returns the tuple $(ID_i, n_i, D_i)$.
3. Otherwise, $C$ retrieves the list $L_{H1}$, randomly selects $v \in Z_q$ and outputs $D_i = g^{kv}$, then returns the tuple
Private-Key-Query: $C$ initializes the empty list $L_S$, including $(ID_i, x_i, PK_i)$. When $A_I$ issues queries of the private key:
1. If $ID_i = ID_u^*$ or $ID_i = ID_o^*$, $C$ randomly selects $a_i \in Z_q$, returns the tuple $(ID_i, \perp, g^{a_i})$.
2. Otherwise, select a secret value $x_i \in Z_q$, and return the tuple $(ID_i, x_i, g^{x_i})$.
Public-Key-Query: $A_I$ gives the identity $ID_i$, $C$ retrieves $L_{H1}$ and $L_S$, then returns tuple $(ID_i, Q_i, PK_i)$.

Encryption-Query: $A_I$ gives the keyword $w$ and identities $(w, ID_i, ID_j)$; we assume $ID_i \notin \{ID_o^*, ID_u^*\}$. $C$ retrieves $L_{H1}$, $L_{psk}$, $L_S$, where $i, j$ denote the corresponding retrieval values of the data owner and receiver respectively (same as below). $C$ randomly selects $r \in Z_q$ and computes $= \hat{e}(D_i \cdot PK_j^{x_i}, Q_j)$ to generate:
Otherwise, output a random bit and abort.
Trapdoor-Query: $A_I$ gives the keyword $w$ and identities $(w, ID_i, ID_j)$; we assume $ID_j \notin \{ID_o^*, ID_u^*\}$. $C$ retrieves $L_{H1}$, $L_{psk}$, $L_S$, randomly selects $t \in Z_q$ and computes = ê(
Otherwise, output a random bit and abort.
Challenge: $A_I$ gives two keywords and the challenge identities $(w_0, w_1, ID_o^*, ID_u^*)$. $C$ retrieves $L_{H1}$, $L_{psk}$, $L_S$, computes $y = \hat{e}(g^{n_i} \cdot PK_u^{x_o}, Q_u)$, and randomly selects $b \in \{0, 1\}$, $r \in Z_q$ to generate:
Assuming that the game of challenger $C$ is not aborted and simulates the complete attack process, the advantage of adversary $A_I$ breaking our scheme is the same as the probability of the adversary winning the challenge.

Fig. 2 The block structure

abt denotes abort if its guess of the challenge identities is not correct. The probability that both the challenger and user identities in Encryption-Query and Trapdoor-Query match is $1 - 1/q_1(q_1 - 1)$. If the game completes, simulating a random oracle model based on the hash query, it generates for the adversary a ciphertext whose representation matches the DBDH tuple. Definition $A_I$ wins in this game with probability:
If $Adv^{DBDH}_{A_I} \leq$ (k), this scheme satisfies ciphertext indistinguishability.
, $PK_j^r$ )) $\oplus H_3(g^{a x_i}, g^r)$
Lemma 2 Assuming the DBDH problem is intractable, our scheme satisfies ciphertext indistinguishability for any polynomial adversary when $Adv^{CIND-CKA}$ , the adversary cannot distinguish the two tuples of the DBDH by a non-negligible advantage, then it cannot distinguish the ciphertext sent by $C$. This scheme satisfies ciphertext indistinguishability.

TIND-CKA
Theorem 2 Under the random oracle model, the DDH problem is defined as follows: for $x, y, z \in Z_q$, the advantage of any polynomial-time adversary in distinguishing $T_1(g, g^x, g^y, g^{xy})$ from $T_2(g, g^x, g^y, g^z)$ is negligible.

Game 3 consists of the following processes:
Initialization Setup: The process is the same as in Game 1.
Phase I: Adversary $A_I$ issues a sequence of queries adaptively polynomial-many times.
$H_1$ query: The process is the same as in Game 1.
$H_2$ query: The process is the same as in Game 1.
Partial-Private-Key-Query: The query process is the same as Game 1.
Private-Key-Query: $C$ initializes the empty list $L_S$, including $(ID_i, x_i, c, PK_i)$. When $A_I$ issues queries, if the $ID_i$ is in the list $L_S$, the corresponding tuple is returned. Otherwise, it randomly selects $x_i \in Z_q$ and marks $c = 1$, returns the tuple $(ID_i, x_i, c, g^{x_i})$.
Public-Key-Query: Given the identity $ID_i$, $C$ retrieves $L_{H1}$ and $L_S$ and returns tuple $(ID_i, Q_i, PK_i)$.

Encryption-Query: The process is the same as Game 1.
Trapdoor-Query: $A_I$ gives the keyword $w$ and identity $(w, ID_i, ID_j)$. $C$ retrieves $L_{H1}$, $L_{psk}$, $L_S$, selects $t \in Z_q$ and computes $= \hat{e}(g^{k_i}, g^{n_j}) \cdot \hat{e}(PK_i, g^{k_j x_j})$ to generate:
Challenge: $A_I$ gives two keywords and the challenge identities $(w_0, w_1, ID_o^*, ID_u^*)$. For given keywords $w_0, w_1$, $C$ performs the $H_2$ query and stops the algorithm if $c = 1$ in $L_S$. Otherwise, it continues to retrieve $L_{H1}$, $L_{psk}$, computes $y = \hat{e}(g^{k_o}, g^{n_u}) \cdot \hat{e}(PK_o, g^{k_u x_u})$, and selects $b \in \{0, 1\}$ to generate the trapdoor:
Simulating the complete attack process, if $A_I$ cannot obtain the information for the random values in the trapdoor, the generated trapdoor satisfies the DDH tuple, which can be seen as a random element in $G_1$.
We denote the probability of the secret value being queried in the phase as $1/q_s$.

If $Adv^{DDH}_{A_I} \leq$ (k), this scheme satisfies the trapdoor indistinguishability.

Game 4 consists of the following processes:
• Initialization Setup: Same as in Game 2.
• Phase I: Adversary $A_{II}$ issues a sequence of queries adaptively polynomial-many times.
• $H_1$ query: The process is the same as in Game 1.
• $H_2$ query: The process is the same as in Game 1.
• Private-Key-Query: $A_{II}$ gives the identity $ID_i$, $C$ randomly selects $x_i \in Z_q$, marks $c = 1$, and returns tuple $(ID_i, x_i, c, g^{x_i})$.
• Public-Key-Query: The process is the same as in Game 1.
• Encryption-Query: The process is the same as in Game 1.
• Trapdoor-Query: The query process is the same as in Game 1, except $= \hat{e}(g^{k_i}, g^{k_j s}) \cdot \hat{e}(PK_i, g^{k_j x_j})$.
• Challenge: $A_{II}$ gives two keywords and the challenge identities $(w_0, w_1, ID_o^*, ID_u^*)$. For given keywords $w_0, w_1$, $C$ performs the $H_2$ query and stops the algorithm if $c = 1$ in $L_S$. Otherwise, it continues to retrieve $L_{H1}$, $L_{psk}$, computes $y = \hat{e}(g^{k_o}, g^{k_u s}) \cdot \hat{e}(PK_o, g^{k_u x_u})$, and randomly selects $b \in \{0, 1\}$ to generate the trapdoor:
Simulating the complete processes, the trapdoor can be shown as:
The generated trapdoor satisfies the DDH tuple and can be seen as a random element in $G_1$, and the probability of the secret value being queried in the phase is $1/q_s$. The proof process is similar to Game 3.

Forward privacy
The forward privacy protection in PEKS ensures that the previous trapdoors cannot be exploited to find the new updated files. The analysis of forward privacy in TCA-PEKS is similar to that of the work [26].
The smart contract uses a unique trapdoor $T_w$ interacting with CS, and the CS returns , $PK_{du}^{r}$ )) to match the correct ciphertext $C$. When the file needs to be updated, the DO runs the encryption algorithm by selecting a new $r^* \in Z_q$ and $EV \in \{0, 1\}^*$, then $C'_3 = H_4(\hat{e}(g , PK_{du}^{r^*}))$ in the search phase. Because of the security and collision-resistant nature of the hash function $H_4$, there exists a matching error in ) . Therefore, the old trapdoor cannot be used to match new data and forward privacy is achieved.

Analysis and evaluation
In this section, the performance of TCA-PEKS is evaluated and compared with similar schemes, including Fang's scheme [18], SCF-MCLPEKS [29], dIBAEKS [12], and dCLPAEKS [13]. The computational complexity of the five schemes is compared in Table 1.
P denotes the bilinear pairing operation, E denotes a modular exponentiation of elements of $G_1$, H denotes the evaluation of a hash function, M denotes a multiplication operation, and A denotes an addition operation. The comparison covers the encryption algorithm cost, the trapdoor algorithm cost, and the search algorithm cost.
To make the experimental results more accurate, the experiment is executed on an Intel(R) Core(TM) i5-6500H CPU 3/60GHz processor with 8GB RAM and the Windows 7 operating system. The experimental simulations use the bilinear PBC (Pairing-Based Cryptography) library. Figures 3 and 4 show the time consumption of the Encryption algorithm and the Trapdoor algorithm, respectively, where the x-axis is the number of keywords to be encrypted and the y-axis is the time required for the computation.

Figure 6 shows the average running time of each scheme. For the security of the trapdoor algorithm, we introduce random numbers in the process of trapdoor generation, so that the trapdoor for the same keyword is random each time. Although we need to perform an extra interaction for the trusted retrieval operation, the scheme still has an advantage in time consumption when the ciphertexts are scaled.

Table 2
Fang's scheme [18]: $|G_1| + |G_2|$; $3|G_1| + 2|G_2|$; $|G_1| + |Z_q|$
SCF-MCLPEKS [29]: $2|G_1|$; $|G_1|$ + | |; $|G_1|$
dIBAEKS [12]: $2|G_1|$; $2|G_1|$; $2|G_1| + |G_2|$
dCLPAEKS [9]: $|G_1|$; $2|G_1|$; $2|G_1| + |G_2|$
Our scheme: $2|G_1|$; $2|G_1|$ + | |; $3|G_1|$
The communication overhead of the five schemes is given in Table 2, where $|G_1|$ denotes the size of an element in $G_1$, $|G_2|$ denotes the size of an element in $G_2$, $|Z_q|$ denotes the size of an element in $Z_q$, and | | denotes the size of an element in {0, 1} 2 . We generally have | | and $|Z_q| = 256$ (bits), $|G_1| = 512$ (bits), $|G_2| = 1536$ (bits). Figure 7 shows the time to transfer one thousand of the corresponding data items. According to the results, the communication overhead of our scheme is almost the same as that of dIBAEKS and dCLPAEKS, and lower than that of Fang's scheme. Overall, in evaluations against similar schemes, our scheme is comparable in terms of performance.

Conclusion
In this paper, we introduced the trusted certificateless authentication public-key encryption with keyword search scheme, which provides concrete solutions to data privacy protection in a semi-trusted cloud environment. The designed scheme solves the problems of key escrow and certificate management through the use of a certificateless cryptosystem. In particular, our TCA-PEKS scheme is distinct in that cloud servers do not act as executors of the search operations, and it achieves verifiability of the data files and transparency of the retrieval process through blockchain smart contract technology. The scheme is proven secure by using a sequence of security arguments based on a number-theoretic assumption. In future work, we will consider constructing a more flexible TCA-PEKS scheme in which keywords can be fuzzy searched.

Declarations
Ethical approval and Consent to participate The work has not been published before. The work is not under consideration elsewhere. Copyright has not been breached in seeking its publication. The publication has been approved by all co-authors and responsible authorities at the institute or organization where the work has been carried out. The submitted work is original and the results/data/figures in this manuscript have not been published elsewhere, nor are they under consideration by another publisher. Informed consent was obtained from all individual participants included in the study.
Human and animal ethics Not applicable.

Consent for publication
The Author agrees to publication of the article in English by Springer in Springer's corresponding English-language journal.

Competing interests
The authors have no competing interests to declare that are relevant to the content of this article.