Multi-Keyword Certificateless Searchable Public Key Authenticated Encryption Scheme Based on Blockchain

As a quite attractive secure search mechanism in cloud environments, searchable encryption allows encrypted files to be searched by keyword and does not reveal any information about original data files. However, most existing searchable encryption schemes only support single keyword ciphertext retrieval, and they cannot resist against inside keyword guessing attacks. Besides, the previous schemes rarely focus on integrity verification and fair transactions without any third party. Focusing on these problems, we propose a multi-keyword certificateless searchable public key authenticated encryption scheme based on blockchain. We use certificateless cryptosystem to encrypt keywords, which avoids the problems of certificate management in traditional cryptosystem and key escrow in identity-based cryptosystem. Our scheme also supports multi-keyword search, which locates encrypted files precisely and returns the desired files. Moreover, we upload the real encrypted files to the cloud server, while the encrypted indexes are put in blockchain, which ensures the anti-tampering, integrity and traceability of the encrypted indexes. The anti-tampering of blockchain also ensures that users can receive accurate search results without any third party verification. Furthermore, we utilize smart contract to track monetary rewards, which enables fair transactions between data owners and users without any trusted third party. We prove that the proposed scheme is secure against inside keyword guessing attacks in the random oracle model. Finally, our performance evaluation shows that the proposed scheme has higher computational performance than other related schemes.


I. INTRODUCTION
As big data and cloud computing develop rapidly in the recent years, an increasing number of individuals and enterprises upload data files to cloud servers due to insufficient memory capacity of application devices [1]. However, cloud servers are not completely trusted for the reason that they are not under the full supervision of enterprises and users. Once the data owners upload sensitive data to the cloud server, they The associate editor coordinating the review of this manuscript and approving it for publication was Xiao Liu . cannot fully control these data. This may make malicious users, attackers, and cloud server providers (CSP) access or steal data owners' sensitive data. Therefore, the issue of data privacy preserving in cloud storage environments has become increasingly important [2], [3].
In order to protect data confidentiality, data owners often encrypt data files before they are outsourced. However, this pattern faces the problem of how to implement keyword search over encrypted files. The simplest method is to download the encrypted files, decrypt them, and then perform keyword search. But this operation is not applicable for the VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ reason that it downloads unnecessary data files and wastes a lot of network overheads [4]. Searchable encryption technology can solve this problem, which can perform keyword search in encrypted files without downloading needless data files. In addition, it does not divulge any information about original data files [5]- [7]. Searchable encryption mainly includes symmetric searchable encryption (SSE) and public key encryption with keyword search (PEKS). SSE technology is mainly used to solve the storage problem of untrusted servers, and PEKS technology is mainly used to solve the routing problem of untrusted servers [8]. In the SSE cryptosystem, data owner encrypts data files and stores ciphertext remotely on a semi-trusted cloud server, while retaining the ability to search keywords in encrypted files. Data owner can perform keyword search efficiently by utilizing the powerful computing power of the cloud server, and does not reveal any data privacy to the server. This not only protects data confidentiality, but also has high search efficiency [9]. However, the SSE schemes face risks in terms of key distribution and management for the reason that both data files encryption and trapdoor generation must be encrypted by using the same symmetric key [10].
The PEKS technology uses user's public key to encrypt data files, and the data owner does not need to perform key agreement with users. Therefore, the PEKS is quiet suitable for data sharing in real scenarios [11], [12]. Most previous PEKS schemes are constructed based on traditional cryptosystem and identity-based cryptosystem, hence they have problems with certificate management or key escrow [13]- [15]. Certificateless searchable public key encryption (CL-SPKE) is an attractive cryptosystem because it solves these problems [16]. However, the great majority of CL-SPKE schemes only support single keyword retrieval in encrypted files [17], [18]. In fact, in order to search accurately and save computing resources, users generally execute multiple keywords retrieval. In addition, most existing CL-SPKE schemes also require that cloud server, which is presumed to be ''honest-but-curious'', can honestly perform search operations based on user needs [19], [20]. In real situations, a malevolent cloud server may return partial or fake search results. Aiming at this problem, many scholars have proposed a series of verifiable searchable encryption schemes, whereas most verifiable schemes only detect malicious behaviors of cloud servers or users [21]- [23]. They do not have effective measures to achieve fair payments, because the malicious party has got what he or she wants. For instance, a user wants to execute keyword search in encrypted files, and he is asked to pay before the cloud server starts to search. After receiving the search results, he finds that the search results are incorrect, but the cloud server gets deposit. Obviously, the transaction is not fair.
The blockchain-based solution is a feasible method that enables users to share data files in a secure and fair manner. As a distributed database, blockchain provides a new way to record and convey value, making transactions more transparent, fair, and secure [24], [25]. Specifically, blockchain technology can ensure data integrity and achieve fair sharing of data files. Besides, the anti-tampering property of blockchain guarantees the security and authenticity of data. It also ensures that users can receive integral and correct search results without any verification. In addition, blockchain can trace information such as data authenticity and abnormal server behavior [26]- [28]. Therefore, we propose a novel certificateless searchable public key authenticated encryption (CL-SPKAE) scheme based on blockchain. In the proposed scheme, data owners store encrypted indexes in the blockchain, while the original encrypted files are stored in any public cloud server. This arrangement not only ensures that encrypted indexes are not known by cloud servers, but also detects illegal tampering by malicious cloud servers.
In this paper, we present a multi-keyword CL-SPKAE scheme based on blockchain, which can resolve the contradiction between data privacy preserving and user security sharing. The main contribution of our scheme is summarized as follows.
• We present a novel CL-SPKAE scheme. We use certificateless cryptosystem to encrypt keywords, which avoids the overhead of certificate management in traditional cryptosystem and solves the problem of key escrow in identity-based cryptosystem. In addition, our scheme encrypts keywords to generate indexes using the user's public key and the data owner's private key, which realizes keyword authentication. Therefore, the third party cannot encrypt the keyword to conduct inside keyword guessing attacks without the data owner's private key.
• Our scheme guarantees the anti-tampering, integrity and traceability of the encrypted indexes. We put the encrypted indexes into the blockchain and upload the real encrypted files to cloud servers. Apart from keeping cloud server away from the encrypted indexes, this arrangement can also monitor illegal operations by malicious cloud servers. In addition, the anti-tampering of blockchain ensures that users can receive correct search results without any third party verification.
• Our scheme achieves fair transactions. We utilize smart contract to enable fair transactions between data owners and users without the participation of any trusted third party. It ensures that the honest party always gets what he or she deserves, while the malicious party always gets nothing.
• Our scheme implements multi-keyword search over encrypted files. Compared with the single keyword model, our multi-keyword scheme can search accurately and save a lot of computing resources, which is more practical in the actual cloud environment.
• We prove that the proposed scheme is secure against keyword guessing attack in a random oracle model under type I attacker and type II attacker. Moreover, we compare feature, computational cost and communication cost with other similar schemes. The analysis results indicate that our scheme has lower computational cost in the keyword encryption and search phase. The rest of this paper is organized as follows. We describe the relevant work in section II and briefly present some preliminaries in section III. We give the definition and security model of the CL-SPKAE scheme in section IV. Then, we give the system model and detailed construction of our scheme in section V. We prove the security of the proposed scheme in section VI and give its performance analysis in Section VII. Finally, we draw the concluding remarks in section VIII.

II. RELATED WORK
After Song et al. [5] proposed the idea of searchable encryption, many scholars successively put forward a large number of provable secure SSE schemes with special properties [29]- [31]. SSE had high search efficiency, and it was simple to realize. Nevertheless, it faced risks in terms of key distribution and management. In order to address above issues, Boneh et al. [32] introduced searchable encryption in the asymmetric cryptosystem and constructed the first PEKS scheme. In this scheme, the sender encrypted the mail and keywords with the receiver's public key, and the receiver generated search trapdoor with its own private key. Baek et al. [33] proposed a new PEKS scheme, but this scheme required data owners to access all authorized users' public key when they encrypted data files. Then, Guo et al. [34] proposed a searchable encryption scheme based on certificate, but it only satisfied chosen plaintext security and faced the problem of complex certificate management. Zhu et al. [35] designed a searchable encryption scheme based on identity, which addressed the issue of certificate management. This scheme generated users' private keys with a trusted key generation center (KGC), so it existed a key escrow problem. To address the problems of certificate management and key escrow, Wu et al. [36] constructed a searchable encryption scheme based on certificateless cryptosystem. Later, Lu et al. [37] constructed a novel CL-SPKE. The scheme could resist guessing keyword attacks in the random oracle model, but it only supported single keyword ciphertext retrieval. Although single keyword retrieval schemes retrieved keyword quickly, they could not locate data files accurately, which existed certain limitations in practical applications.
Subsequently, Uwizeye et al. [38] designed a CL-SPKE scheme supporting conjunctive keyword search, but this scheme cannot resist against inside keyword guessing attacks. Wu et al. [39] constructed a novel CL-SPKAE scheme to satisfy the privacy of keyword. These schemes mentioned above required the cloud server, which was ''honest-but-curious'', could reliably perform search operations according to user needs. In fact, a malevolent cloud server may return partial or counterfeit search results. To solve this problem, many scholars had constructed an array of verifiable searchable encryption schemes. However, most verifiable searchable encryption schemes only detected malicious behavior and could not achieve fair payments.
To address above issue, Chen et al. [40] proposed a searchable encryption scheme based on blockchain and achieved fair payments by using smart contract. The scheme constructed encrypted indexes by complex logical expressions and users could search encrypted indexes by expressions, which solved the problem of only supporting single keyword retrieval in the scheme [41]. But these schemes was only applicable to symmetric cryptographic environment. As far as we know, designing an efficient blockchain-based PEKS scheme remains a challenging problem [42]. Also, there is no public multi-keyword CL-SPKAE scheme based on blockchain until now. Therefore, we are committed to constructing a new multi-keyword CL-SPKAE scheme based on blockchain in this paper.

III. PRELIMINARIES
In this section, we briefly introduce several preliminary knowledge, including smart contract, gas system, bilinear pairing and complexity assumption.
A. SMART CONTRACT Smart contract, proposed by Nick Szabo [43], is a commitment defined in digital form, which controls digital assets and contains the rights and obligations agreed by the contract participants. Specifically speaking, a smart contract is an agreement that is executed automatically by a computer and does not require human participation. It always performs operations in accordance with rules agreed in advance. Due to the lack of a trusted execution environment, smart contracts were not applied to the actual industry when they were first proposed. Later, the application of smart contracts has been realized because of the birth of Bitcoin. That is because people realize that blockchain as the basic technology of Bitcoin can provide a trusted execution environment for smart contracts. In blockchain-based decentralized environment, the smart contract is written into the Ethereum in a digital form [44]. The characteristics of blockchain can ensure the transparency, traceability, anti-tampering and non-repudiation in the storage, reading, and execution phase of smart contracts.
In Ethereum, smart contract is a special account that consists of an account address, script code, balance, and storage space [45]. In other words, Ethereum-based smart contracts are a collection of code and data located at specific addresses in Ethereum. Participants can create smart contracts and write them into the blockchain. When certain conditions in the contract are triggered, the code defined in the contract will execute autonomously. Moreover, the execution results are also published in the blockchain. These execution results can be traced back, but they can not be changed.
There are miners in Ethereum that verify and approve all transactions in the blockchain. They add new transactions to blockchain by solving cryptographic challenges. This process is called mining new blocks. Once the new block is successfully mined, the newly created cryptocurrency is rewarded to workers. Therefore, third-party entities are encouraged to mine more blocks. In addition, the data stored in Ethereum VOLUME 8, 2020 are consistent and transparent among miners, which cannot be modified or rejected.

B. GAS SYSTEM
The gas system in Ethereum is introduced to prevent incorrect or malicious programs(such as endless loop programs). It can resist denial-of-service attacks and implement smart contracts. Each transaction has limited gas consumption in Ethereum. When the limited gas runs up, the transaction will be terminated. Moreover, users can obtain gas through currency exchange with Ethereum and workers' incomes are gas consumptions, as described by Hu et al. [39].
Each calculation that miners process transactions incurs a fee, which is paid for the gas consumed by the instruction. Different instruction has different gas consumption. For instance, in this paper, Gaslsrch represents the gas limitation that the user has spent, and $gasprice represents the price of gas per unit. For each transaction, multiplying Gaslsrch by $gasprice represents the maximum fee that the user is willing to pay to execute transactions. If the user's account has sufficient balance to pay the maximum fee, the transaction is successfully packaged and submitted to blockchain. Otherwise, the transaction is considered invalid.

C. BILINEAR PAIRING
Assuming that G 1 and G 2 are two multiplicative cyclic groups of large prime order p. A bilinear pairing map e : G 1 × G 1 → G 2 satisfies the following properties: 1) Bilinearity: e(g 1 a , g 2 b ) = e(g 1 , g 2 ) ab hods for any g 1 , g 2 ∈ G 1 and a, b ∈ Z p * . 2) Non-degeneracy: e(g, g) = 1, where g is a generator of G 1 . 3) Computability: e(g 1 , g 2 ) is efficiently computable for any g 1 , g 2 ∈ G 1 .

D. COMPLEXITY ASSUMPTION
Given a tuple (g, g α , g β , R), where α, β ∈ Z p * and g, R ∈ G 1 , the decisional Diffie-Hellman (DDH) problem is to distinguish whether R is g αβ or a random element in G 1 .
The advantage ξ that A can solve the mDDH problem is defined as Adv DDH Definition 1 (DDH Assumption): We say the DDH assumption holds if no attacker A can solve the DDH problem with a non-negligible advantage.

IV. DEFINITION AND SECURITY MODEL A. DEFINITION
Formally, the CL-SPKAE scheme is composed of six polynomial time algorithms, as follows [39]: • Setup(1 λ ). The algorithm takes as input a security parameter λ, and it outputs system parameters param and master key msk.
• PatialKeyGene(param, msk, id). The algorithm takes as input the identity id of an entity, param and msk, and it outputs the corresponding partial private key psk.
• KeyGene(param, psk). The algorithm takes as input param and psk, and it outputs the corresponding public key pk and final private key sk.
The algorithm takes as input param, the user's identity id u , the user's public key pk u , the data owner's identity id o , the data owner's private key sk o , the keyword set W and data file F, and it outputs encrypted indexes C F and encrypted files CT .
• Trapdoor(param, sk u , pk o , W ). The algorithm takes as input param, the user's private key sk u , the data owner's public key pk o and search keywords W , and it outputs the trapdoor T W .
• Search(param, C F , T W ). Upon receiving param, C F and T W , the algorithm outputs the search results.

B. SECURITY MODEL
In accordance with the security model of the CL-SPKAE presented in schemes [12], [16], [37], and [46], our scheme considers two types of adversaries: type I attacker A 1 and type II attacker A 2 . A attacker A 1 is permitted to replace any user's public key, while it is not capable of possessing the master key. On the contrary, A attacker A 2 is capable of possessing the master key, while it is not permitted to replace any user's public key.
Here, the security model of a CL-SPKAE scheme is defined by the following games between a PPT attacker A i (i = 1, 2) and a challenger C.
Game1: This game is executed between a PPT attacker A 1 and a challenger C.
C runs Setup algorithm to generate the master key and system parameters. Then, C sends system parameters to A 1 . A 1 can adaptively ask queries to the following oracles.
Hash-Query. A 1 can access all hash oracles, and the corresponding hash value can be obtained.
PatialKey Query. Given an identity ID i , C runs PatialKeyGene algorithm to generate the corresponding partial key Q I D i , and sends it to A 1 .
SecretValue Query. Upon receiving query initiated by A 1 , C runs KeyGene algorithm to generate the corresponding secret value to A 1 .
PublicKey Query. Given an identity ID i , C runs KeyGene algorithm to generate the corresponding public key PK I D i , and sends it to A 1 .
ReplacePublicKey Query. A 1 is permitted to replace any user's public key.
Trapdoor Query 1. A 1 selects arbitrary keyword and initiates some trapdoor queries to C. Then C runs trapdoor generation algorithm Trapdoor to calculate the corresponding trapdoors and returns them to A 1 .
Challenge. Upon randomly selecting two challenge keywords W 0 and W 1 , A 1 sends them to C. Note that W 0 and W 1 have not been queried by A 1 during trapdoor query 1 phase. Then, C randomly selects b ∈ {0, 1} and calls the keyword encryption algorithm EncInd to generate corresponding challenge ciphertext of w b . Finally, C send the challenge ciphertext to A 1 .
Trapdoor Query 2. A 1 continues to request the trapdoor query. The query process is similar to trapdoor query 1, but the keyword cannot be W 0 or W 1 .
Guess. A 1 outputs b . If b =b, A 1 wins the game. We define the advantage of A 1 in this game as ε = Pr(b = b) − 1 2 . Game2: This game is executed between a PPT attacker A 2 and a challenger C.
Setup. C runs Setup algorithm to generate the master key and system parameters. Then, C runs KeyGene algorithm to generate public key pk o and pk u . Finally, C sends the master key, system parameters, pk o and pk u to A 2 .
A 2 is permitted to ask Hash-Query,PatialKey Query, and Trapdoor Query 1 as in Game1.
Challenge. A 2 randomly selects two challenge keywords W 0 and W 1 and sends them to C, where W 0 and W 1 have not been queried by A 2 during trapdoor query 1 phase. Then C randomly selects b ∈ {0, 1} and lets w b be a challenge keyword. Next, C calls the keyword encryption algorithm EncInd to generate corresponding ciphertext of w b . Finally, C sends the challenge ciphertext to A 2 .
Trapdoor Query 2. A 2 continues to request the trapdoor query. The query process is similar to trapdoor query 2 in Game1.
Guess. A 2 outputs b . If b =b, A 2 wins the game. We define the advantage of A 2 in this game as ξ = The proposed scheme is semantically secure against inside keyword guessing attacks if ε and ξ are negligible for any PPT attacker.

A. SYSTEM MODEL
There are four entities in our CL-SPKAE scheme system model, namely: KGC, data owner, user, and CSP, as shown in Fig. 1.
• KGC. The KGC is responsible for the generation of the system master secret key and public parameters. Moreover, the KGC takes charges of producing a partial private key for every data owner and user, then it sends an individual partial private key to every entity through a secure channel.
• Data Owner. The data owner firstly extracts keyword sets from data files and builds encrypted indexes, while establishing smart contracts to describe how users search indexes. Then, the data owner puts both encrypted indexes and smart contracts in the blockchain. Finally, the data owner encrypts data files with a symmetric encryption algorithm(such as Advanced Encryption Standard) and sends encrypted files to CSP.
• User. The user can generate the trapdoor of multiple keywords and send it to blockchain. In addition, the user can also decrypt the encrypted files returned by CSP.
• CSP. The CSP is in charge of storing encrypted files and sending all matching encrypted files to users based on the search results returned by the blockchain.

B. OUR CONSTRUCTION
In this subsection, we present a novel multi-keyword CL-SPKAE scheme based on blockchain. Our CL-SPKAE scheme is described as follows.

1) SETUP
On input of the security parameter λ, the KGC performs the following steps to generate the master key and system parameters. VOLUME 8, 2020 • Choose two multiplicative cyclic groups G 1 and G 2 of prime order p, a generator g of group G 1 , and a bilinear map e : G 1 × G 1 → G 2 .
• Choose s ∈ Z p * randomly and calculate P=g s .

2) PatialKeyGene
After receiving the data owner's identity id o and user's identity id u , KGC computes the data owner's partial private key

3) KeyGene
Upon receiving psk o , the data owner selects x o ∈ Z p * randomly. Then, data owner computes his or her public key pk o = g x o and sets the corresponding private key Similarly, the user selects x u ∈ Z p * randomly, computes his or her public key pk u = g x u , and sets the corresponding private key sk u = (x u , psk u ) = (x u , H (id u ) s ).

4) EncInd
The data owner generates encrypted indexes by performing the following steps.
where ψ represents a collection of all keywords and m represents the number of keywords in the collection.
• Set the encrypted indexes C F = (C 1 , C 2 , C 3 , E 1 , . . . , E m ). After the keyword indexes are generated, the data owner firstly predefines the reward $offer for each search and creates smart contracts, as shown in Fig. 2. Then, the data owner uploads encrypted indexes C F and smart contracts to blockchain. Moreover, the data owner encrypts the data file F to obtain the corresponding data ciphertext CT using a symmetric encryption algorithm (such as Advanced Encryption Standard algorithm). Finally, the data owner sends CT to the CSP.

5) TRAPDOOR
The user first produces the trapdoor by performing the following steps.
• Choose a set of search keywords W = {w i ∈ ψ |(1 ≤ i ≤ l) }, where l represents the number of search keywords.
• Set the trapdoor T W = (T 1 , T 2 , T 3 ). Then, the user sets a time limitation Time . Finally, the user sends T W and Time to smart contracts and ask blockchain to search the encrypted indexes.

6) SEARCH
After receiving the user's search request, the smart contract searches blockchain by performing the following process.
• Check Time < Time . If it times out, the search is terminated. Otherwise, the smart contract performs the following steps.
• Check $userdeposit > Gaslsrch × $gasprice + $offer. If the inequality is established, it means that the deposit currency $userdeposit pre-stored by the user is enough to complete a search, and smart contract performs the following steps. Otherwise, the smart contract terminates the search.
• Check σ 1 = σ 2 · σ 3 . If the equation holds, it means that the keywords match successfully. Then, search results are returned to CSP. Otherwise, the failure messages are sent to CSP. Note. The detailed processes that smart contracts search blockchain using trapdoor to obtain search results is shown in Algorithm V-B6. Here, $ownerB represents the deposit account of data owner. $userB and $userdeposit represent the user's deposit account and deposit currency, respectively. $offer represents each search price that the data owner deserves. $gasprice represents the price of gas per unit. $cost represents the total cost of each search that the user should pay. Gaslsrch and Gassrch represent gas limitation and cost for calling the Search algorithm, respectively. Smart contracts use trapdoor and previously stored encrypted indexes to perform Search algorithm. Then smart contracts save search results to their state. In addition, within the predefined time limitation Time , the data owner receive rewards accordingly. Otherwise, the user's search request is rejected and the user's deposit is refunded.
Correctness. The correctness of matching between trapdoor and encrypted indexes is presented as follows:

VI. SECURITY ANALYSIS A. FAIRNESS
Fairness is achieved by using the smart contract. In Ethereum, all transactions are paid through the purchase of gas. As long as the user performs keyword search, the data owner certainly gets the reward he or she deserves. At the same time, as long as the user pays required payment, he or she definitely gets correct search results. Moreover, the characteristics of the blockchain ensure that users can obtain accurate and complete search results without the third party verification. In other words, malicious operations is detected and dishonest parties gets nothing. In addition, the user specifies the time limit Time to ensure fairness as the transactions need completing in this time. Otherwise, the user's deposit is returned.

B. SOUNDNESS
The transaction between the blockchain and the user is transparent, which can ensure that the results of each search are reliable. As long as the smart contract runs correctly on the blockchain, the search results must be correct without any third-party verification. In addition, each node of the blockchain can detect the tampering of search results by any entity. Therefore, there is no such thing as the search results are maliciously tampered with.

Theorem 1: Under the mDDH assumption, the proposed CL-SPKAE scheme is semantically secure against inside keyword guessing attacks in the random oracle model.
Theorem 1 can be proven by the following two lemmas. Lemma 1: Assuming that a PPT attacker A 1 can initiate up to q T and q CUR times trapdoor query 1 and createuser query respectively, where q T and q CUR is a positive integer. If A 1 can win our scheme with a non-negligible advantage ε, then we can construct the algorithm C to solve the DDH problem with non-negligible advantage ξ = ε/q CUS ·(1 − 1/q CUS ) q T .
Proof : Given (g, u 1 = g α , u 2 = g β , R) ∈ G 4 1 , C interacts with A 1 by the following game for the purpose of differentiating whether R is g αβ or a random element in G 1 . Then, C chooses a challenge identity ID D (1 < D < q CUS ) and sets P = g α . Finally, C sends param = (G 1 , G 2 , e, g, P, H , H 1 ) to A 1 .
Hash Query. C maintains a list H − list of the form (ID i , Q ID i , h i ). When A 1 initiates some queries about (ID i ), C responds via the following steps.
in the table and returns Q I D D to A 1 .
• Otherwise, C randomly selects h i ∈ Z p * and computes Q I D D = (g · g β ) h i . Moreover, C stores (I D i , Q I D i , h i ) in the table and returns Q I D i to A 1 .
Hash1 Query. C maintains a list H 1 − list of the form (w i , h1 i ). When A 1 initiates some queries about the keyword w i ∈ {0, 1} * , C responds via the following steps.
• If there is a corresponding item (w i , h1 i ) of w i in H 1 − list, C returns h1 i .
• Otherwise, C randomly selects h1 i ∈ Z p * for each w i that has not been queried. Finally, C stores h1 i in the table and returns h1 i to A 1 .

CreateUser Query.
In order to answer these queries, C maintains a list L user − list of the form (ID i , PK I D i , PSK I D i , x I D i )). Upon receiving an identity ID i , C responds via the following steps. • Otherwise, C randomly selects x I D i ∈ Z p * , simulates Hash Query to obtain h i , and sets PK I D i = g x I D i and PSK I D i = (g α ) h i . Moreover, C stores (ID i , PK I D i , PSK I D i , x I D i ) in the table and returns PK I D i to A 1 . VOLUME 8, 2020 PatialKey Query. Upon receiving an identity ID i , C terminates this game if I D i = I D D . (We use EV 1 to represent this event.) Otherwise, C search for ID i in L user − list to find (ID i , PK I D i , PSK I D i , x I D i )) and returns PSK I D D to A 1 .
SecretValue Query. Upon receiving an identity ID i , C search in L user −list to find (ID i , PK I D i , PSK I D i , x I D i )) and returns x I D i to A 1 . Note that C returns ⊥ if the corresponding public key is replaced by A 1 .
PublicKey Query. Upon receiving an identity ID i , C search in L user −list to find (ID i , PK I D i , PSK I D i , x I D i )) and returns PK I D i to A 1 .
ReplacePublicKey Query. Upon receiving (ID i , PK ID i ), C calls CreateUser Query to obtain (ID i , PK I D i , PSK I D i , x I D i )). Then, C updates L user − list by replacing Trapdoor Query 1. A 1 initiates some trapdoor queries to C after selecting arbitrary keyword w , a data owner's identity ID i and a user's identity ID j . Then, C generates the corresponding trapdoor via the following steps.
• If ID j = ID D , C terminates game and returns failure messages. Otherwise, C performs the following steps.
(We use EV 2 to represent this event.) and (ID j , PK I D j , PSK I D j , x I D j )) from the list L user − list.
• Select r ∈ Z p * and let r = 1/h j .
• Compute trapdoors T 1 = l τ =1 g h1 i r g r x I D j · PSK I D j r , T 2 = P r , and T 3 = PK I D i r .
Challenge. Upon selecting a data owner's identity ID O , a user's identity ID U and two challenge keywords W 0 and W 1 , A 1 sends them to C. Note that W 0 and W 1 have not been queried by A 1 during the trapdoor query 1 phase. Then C responds to A 1 via the following steps.
• If ID U = ID D , C terminates game and returns failure messages. (We use EV 3 to represent this event.) • Otherwise, C select b ∈ {0, 1} and r ∈ Z p * randomly.
. . , E m ) to C. Trapdoor Query 2. A 1 continues to request the trapdoor of w j . The query process is the same as trapdoor query 1, but it is required that w j satisfies w j = W 0 and w j = W 1 .
Guess. A 1 outputs b . If b =b, A 1 wins the game. At this time, C calculates R = T j ( l τ =1 g h1 i r g r x I D j )PSK I D j r . If T j = l τ =1 g h1 i r g r x I D j · (g · g β ) h j αr , then we can smoothly infer that R = g αβ . Next, we analyze the probability that C can solve the DDH problem. We first analyze the probability of the game is not terminated in the simulation process. Then we calculate the probability that C can respond correctly while the game is not terminated. Finally we can estimate the advantage ξ of A 1 to win the game. It can be known that the game has been terminated in the events EV 1 , EV 2 , EV 3, respectively.
According to the event EV 3 , we can know that the event ¬EV 1 . Also, we obviously have that Pr[¬EV 3 ] = 1/q CUS and Pr[¬EV 2 ] = (1 − 1/q CUS ) q T , respectively. Therefore, the probability that C terminates the game is Pr[¬EV 1 ∩ ¬EV 2 ∩ In the light of the above analysis, the probability that C terminates the game is 1/q CUS · (1 − 1/q CUS ) q T . Hence the probability that C successfully differentiates whether R is g αβ or a random element in G 1 is at least ξ = ε/q CUS ·(1 − 1/q CUS ) q T . According to the DDH assumption, we know that ξ is negligible, and the advantage ε that A can break the proposed scheme is negligible.
Lemma 2: Assuming that a PPT attacker A 2 can initiate up to q T and q CUR times trapdoor query 1 and createuser query respectively, where q T and q CUR is a positive integer. If A 2 can win our scheme with a non-negligible advantage ξ , then we can construct the algorithm C to solve the DDH problem with non-negligible advantage ξ .
Proof : Given (g, u 1 = g α , u 2 = g β , R) ∈ G 4 1 , C interacts with A 2 by the following game for the purpose of differentiating whether R is g αβ or a random element in G 1 . Then, C selects s ∈ Z p * randomly, chooses a challenge identity ID D (1 < D < q CUS ), and computes P = g s . Finally, C sends param = (G 1 , G 2 , e, g, P, H , H 1 ) and msk = s to A 2 .
Hash Query. C maintains a list H − list of the form (ID i , Q ID i , h i ). When A 2 initiates some queries about (ID i ), C responds via the following steps. • Otherwise, C randomly selects h i ∈ Z p * and computes Q I D D = (g · g α ) h i . Moreover, C stores (I D i , Q I D i , h i ) in the table and returns Q I D i to A 2 .
Hash1 Query. C maintains a list H 1 − list of the form (w i , h1 i ). When A 2 initiates some queries about the keyword w i ∈ {0, 1} * , C responds via the following steps.
• Otherwise, C randomly selects h1 i ∈ Z p * for each w i that has not been queried. Finally, C stores h1 i in the table and returns h1 i to A 2 .

CreateUser Query.
In order to answer these queries, C maintains a list L user − list of the form (ID i , PK I D i , PSK I D i , x I D i )). Upon receiving an identity ID i , C responds via the following steps.  • Otherwise, C randomly selects x I D i ∈ Z p * , simulates Hash Query to obtain h i , and sets PK I D i = g x I D i and PSK I D i = (g s ) h i . Moreover, C stores (ID i , PK I D i , PSK I D i , x I D i ) in the table and returns PK I D i to A 2 .
PatialKey Query. Upon receiving an identity ID i , C terminates this game if I D i = I D D . (We use EV 1 to represent this event.) Otherwise, C search for ID i in L user − list to find (ID i , PK I D i , PSK I D i , x I D i )) and returns PSK I D D to A 1 .
Trapdoor Query 1. A 1 initiates some trapdoor queries to C after selecting arbitrary keyword w , a data owner's identity ID i and a user's identity ID j . Then, C generates the corresponding trapdoor via the following steps.
• If ID j = ID D , C terminates game and returns failure messages. Otherwise, C performs the following steps.
(We use EV 2 to represent this event.) • Search (ID i , Q ID i , h i ) and (ID j , Q ID j , h j ) from the list H − list.
• Search (ID i , PK I D i , PSK I D i , x I D i )) and (ID j , PK I D j , PSK I D j , x I D j )) from the list L user − list.
• Select r ∈ Z p * and let r = β/sh j .
• Compute trapdoors T 1 = l τ =1 g h1 i r g r x I D j · PSK I D j r , T 2 = P r , and T 3 = PK I D i r .
Challenge. Upon selecting a data owner's identity ID O , a user's identity ID U and two challenge keywords W 0 and W 1 , A 2 sends them to C. Note that W 0 and W 1 have not been queried by A 2 during the trapdoor query 1 phase. Then C responds to A 2 via the following steps.
• If ID U = ID D , C terminates game and returns failure messages. (We use EV 3 to represent this event.) • Otherwise, C select b ∈ {0, 1} and r ∈ Z p * randomly.
, and E i = (g h1 i PK I D U ) r/x I D O .

Trapdoor Query 2.
A 2 continues to request the trapdoor of w j . The query process is the same as trapdoor query 1, but it is required that w j satisfies w j = W 0 and w j = W 1 .
) h j sr , then we can smoothly infer that R = g αβ . Next, We analyze the probability of the game is not terminated in the simulation process. It can be seen from the above game process that the game termination condition is the same as Lemma1. Therefore, the probability that C terminates this game is 1/q CUS · (1 − 1/q CUS ) q T . Then we can know the probability that C successfully solve the DDH problem is at least ξ = ξ/q CUS · (1 − 1/q CUS ) q T . According to the DDH assumption, we know that ξ is negligible, and the advantage ξ that A can break the proposed scheme is negligible.

VII. PERFORMANCE EVALUATION
In this section, we give a feature comparison between previous searchable encryption schemes and our scheme. Then, we implement the several related schemes, for providing a comparison of computational costs with the proposed scheme. Finally, we compare the communication cost of the proposed CL-SPKAE scheme with several related schemes.
The computational cost of our scheme is compared with the schemes [46]- [48], and [16], as shown in Table 2. For ease of expression, let T M , T H , and T A denote execution time of one multiplication operation, one hash operation, and one addition operation, respectively. Let T E and T P denote the execution time of one exponentiation operation and one bilinear pairing operation, respectively. Let m and l denote the number of encrypted keywords and search keywords, respectively. As can be seen from Table 2, compared with the scheme [47], our scheme requires lower computational cost. Moreover, the computational cost in our scheme is roughly the same as the scheme [48], but higher that the schemes [16] and [46]. However, with the increase of keywords, the computational cost in our scheme is lower than that of the schemes [16] and [46].
The simulation experiments are run on a desktop computer with the hardware environment of a 3.1GHz Intel Core i5-2400 processor, 4GB memory and 512GB hard disk space. The simulation program conducted with the software environment of a 64-bit Windows 10 operating system and cryptographic library PBC-0.4.7-VC.
We choose 1, 2, 5, 10, and 20 keywords to compare the computational cost of our scheme with the schemes [16], [46], [47], and [48], as shown in Fig. 3-5. Fig. 3 reflects the change of keyword encryption time with the number of keywords in the EncInd phase. The keyword encryption time for single keyword in the schemes [16], [46]- [48] is approximately 18.631ms, 25.778ms, 38.544ms, and 26.759ms respectively, while that in our scheme is approximately 22.158ms. When the number of keyword increases to 20, the schemes [16], [46]- [48] cost approximately 205.023ms, 189.071ms, 216.893ms, and 363.637ms respectively, while that in our scheme is approximately  181.762ms. We can see that our scheme always takes less time than the schemes [46], [47] and [48]. The keyword encryption time for single keyword in our scheme is more than that of the scheme [16], but our scheme takes less time than the scheme [16] when the number of keyword increases to 2. Fig. 4 reflects the change of trapdoor generation time with the number of keywords in the Trapdoor phase. The trapdoor generation time for single keyword in the schemes [16], [46]- [48] is approximately 20.808ms, 17.095ms, 56.517ms, and 13.044ms respectively, while that in our scheme is approximately 22.442ms. When the number  of keyword increases to 20, the schemes [16], [46]- [48] cost approximately 266.673ms, 95.657ms, 303.111ms, and 177.519ms respectively, while that in our scheme is approximately 114.954ms. It can be seen that our scheme always takes more time than scheme [46], but takes less time than the scheme [47]. The trapdoor generation time for single keyword in our scheme is more than that of the schemes [16] and [48], but our scheme takes less time than the schemes [16] and [48] when the number of keyword increases to 3. Fig. 5 reflects the change of search time with the number of keywords in the Search phase. It is easy to see that the search time does not almost change with the the number of keywords in the schemes [47], [48] and our schemes, but the search time rises as the increase of keywords in the schemes [16], [46]. The search time for single keyword in the schemes [16], [46]- [48] is approximately 17.719ms, 4.34ms, 34.325ms, and 26.165ms respectively, while that in our scheme is approximately 25.995ms. When the number of keyword increases to 20, the schemes [16], [46]- [48] cost approximately 189.465ms, 100.113ms, 34.992ms, and 26.208ms respectively, while that in our scheme is approximately 26.866ms. It is clear that our scheme takes about the same time as scheme [48], but takes less time than the scheme [47]. The search time for single keyword in our scheme is more than that of the schemes [16] and [46], but our scheme takes less time than the scheme [16] and the scheme [46] when the number of keyword increases to 2 and 9, respectively.
The communication cost of our scheme is compared with the schemes [46]- [48], and [16] in terms of public key, encrypted index, and trapdoor, as shown in Table 3. For ease of expression, let |Z p * |, |G 1 |, and |G 2 | represent the size of an element in Z p * , G 1 , and G 2 , respectively. As can be seen from Table 3, the communication cost for single keyword in our scheme is smaller than the scheme [47], but higher than the schemes [16], [46] and [48]. However, with the increase of keywords, the communication cost in our scheme is smaller than that of the schemes [16], [46], and [48].

VIII. CONCLUSION
In this paper, we propose a novel CL-SPKAE scheme based on blockchain. Our scheme achieves multi-keyword search over encrypted indexes. We use blockchain technology to ensure the anti-tampering, integrity and traceability of the encrypted indexes. Also, we utilize smart contract to realize fair and reliable transactions without any third party verification. In addition, we prove that our scheme can resist inside keyword guessing attacks in the random oracle model. Finally, we conduct simulation experiment and performance evaluation. The analysis results prove that our scheme has higher computational performances in the keyword encryption and search phases. However, our scheme cannot achieve dynamic updates over the encrypted files, which has certain limitations in practical applications. Therefore, a future interesting work is to construct a dynamic CL-SPKE scheme with forward and backward privacy.
MEIDING WANG received the B.S. degree from Northwest Normal University, Lanzhou, China, in 2018, where she is currently pursuing the master's degree in computer science. Her current research interests include cloud computing security and cloud audit.
TING LI received the B.S. degree from Zhengzhou Normal University, Zhengzhou, China, in 2018. She is currently pursuing the master's degree in computer science with Northwest Normal University. Her current research interests include network security, blockchain technology, and their applications.
CAIFEN WANG received the Ph.D. degree in cryptography from Xidian University, Xi'an, China, in 2003. She is currently a Professor in computer science with Shenzhen Technology University. Her current research interests include network security, cryptographic protocols, and security engineering. She is also a member of the Chinese Cryptology and Information Security Association. VOLUME 8, 2020