With the development of cloud computing, more and more data are outsourced to cloud servers for the purpose of freeing up local storage resources. Taking the privacy problem into account, the data are typically encrypted before outsourcing. However, the encryption operation will break the structure of underlying data, making the retrieval function limited. Searchable encryption (SE), as an encryption primitive, allows users to search encrypted files in cloud storage servers while ensuring the security of the original files. Although public-key encryption with keyword search(PEKS) solves the ciphertext retrieval problem in the public key scenario, it suffers from the inherent certificate management problem in the traditional public key infrastructure setting. Subsequently, scholars have solved this problem by combining PEKS with identity-based cryptography (IBC) or certificateless cryptography (CLC). However, IBC and CLC also have the key escrow or secure channel problem. The former means that the private keys of all users will be leaked once the private key generator in IBC is compromised. The latter implies that the (partial) private key of the user needs to be transmitted over a secure channel in IBC and CLS. Certificate-based searchable encryption(CBSE) solves the problems of certificate management, key escrow, and secure channel on the basis of realizing ciphertext retrieval. Nevertheless, existing CBSE schemes either use time-consuming bilinear pairing operations resulting in efficiency problems or use the sender's identity information as part of the search trapdoor, which leads to the failure to meet the property of sender anonymity. At the same time, existing schemes only consider the situation where a single recipient performs the search function, which leads to inefficiency in the scenario of multiple recipients and does not meet the practical requirements. In order to solve the above problems, based on elliptic curve cryptography, the multi-recipient certificate-based searchable encryption (MRCBSE) scheme is put forward using the key exchange protocol and digital signature technology. In the proposed scheme, for the same data, the sender only needs to perform the encryption operation once to generate a ciphertext that can be searched by multiple recipients at the same time. Also, the sender generates the ciphertext using its own private key and certificate, such that the adversaries cannot produce a valid ciphertext to launch the keyword guessing attack, ensuring the security of the search trapdoor. The search trapdoor of the proposed scheme consists of only one group element and does not reveal the identity information of the sender, thus achieving the property of sender anonymity. The formal definition and the corresponding security model of MRCBSE are given. Subsequently, based on the computational Diffie-Hellman assumption, the proposed scheme is proved to satisfy the indistinguishability under adaptive chosen keyword attack and the indistinguishability under adaptive keyword guessing attack in random oracle. Performance analysis results show that, in comparison with the related schemes, the proposed scheme not only has obvious advantages in terms of computation cost and communication cost but also realizes more security features, meaning that it is more suitable for multi-user service scenarios in cloud storage environments. © 2024 Science Press. All rights reserved.
