
PKE-FET is IND-CCA2 secure in the standard model

National Chengchi University

Table fragment (comparison of four PKEET schemes; the column headers did not survive extraction, so the four columns are listed in order):

Trapdoor cost            𝑂(1)      𝑂(1)      𝑂(1)        𝑂(𝑛)
Trapdoor scope           𝔾         𝔾         𝔾 or 1      𝑛
Security w/o trapdoor    One-way   One-way   One-way     IND
Security with trapdoor   IND       IND       IND         IND

Security proof

Among all PKEET schemes the efficiency of PKE-FET is not good, but its security is outstanding. In what follows, the security proof focuses on security against type-I adversaries (authorized users), which implies security against type-II adversaries (unauthorized users).

Theorem 10: PKE-FET is IND-CCA2 secure in the standard model.

Proof. Assume that there is an adversary who is able to break the IND-CCA2 security of PKE-FET with non-negligible probability 𝜖(𝜅). We show how a simulator can use this adversary to break the SXDH assumption (“given 𝑔^𝛼, 𝑔^𝛽, 𝑔^𝛾 ∈ 𝔾, decide whether 𝛾 = 𝛼𝛽 or not”, defined in section 2.1.3) with non-negligible probability. The detailed proof is given in Figure 21 in pseudo-code form. In the beginning, the simulator initializes a set of public parameters 𝑝𝑝 and the key pair (𝑠𝑘, 𝑝𝑘). Then the adversary is allowed to query the two decryption oracles (before and after the challenge), and the simulator answers as shown in Figure 21.

The analysis proceeds over several probabilities.

Figure 21: The simulated IND-CCA2 game of PKE-FET.

First, if at least one of the two output messages is included in the message set 𝑴 inside the trapdoor 𝑇, the simulated game can be broken trivially without gaining any advantage. In this case the simulator is regarded as having failed, which happens with probability 2𝑛/𝑞. This probability is negligible since 𝑛 ≪ 𝑞.

Second, if the above scenario does not happen, the simulator outputs 𝛾 = 𝛼𝛽 if the adversary guessed correctly, and outputs 𝛾 ≠ 𝛼𝛽 otherwise. The discussion continues with two scenarios.


• In case 𝛾 = 𝛼𝛽. This is exactly the PKE-FET scheme, so the adversary has non-negligible probability 𝜖(𝜅) of breaking the IND-CCA2 security of PKE-FET.

• In case 𝛾 ≠ 𝛼𝛽. This is not the PKE-FET scheme, so the adversary has only a 50% probability of outputting the correct bit.

Each of the two cases in the second scenario occurs with probability one half, so the simulator wins with probability (1 + 𝜖(𝜅))/2; in other words, it gains advantage 𝜖(𝜅)/2 in breaking the SXDH assumption, which is non-negligible.

In sum, if there is an adversary who can break the IND-CCA2 security of PKE-FET with non-negligible probability 𝜖(𝜅), the simulator can take advantage of the adversary to break the SXDH problem with advantage (1 − 2𝑛/𝑞) ⋅ 𝜖(𝜅)/2, which is also non-negligible. By the intractability of the SXDH problem, no polynomial-time adversary is able to break the IND-CCA2 security of PKE-FET with non-negligible advantage. To conclude, PKE-FET is proved IND-CCA2 secure based on the intractability of the SXDH assumption.


5. Public key encryption with keyword search

In the keyword search syntax (depicted in Figure 22), encrypted documents are outsourced to a cloud storage server. With the large storage space of cloud servers, on one hand, users do not need large storage space on their local machines; on the other hand, the outsourced data can be retrieved and accessed easily from different devices such as mobile phones, laptops and PCs. Besides the convenience of cloud storage, users are also concerned about privacy, so they prefer to store encrypted data on the cloud server. Ideally, the cloud server would provide storage service while knowing nothing about the content that was outsourced. However, there is an obstacle: if a user outsources encrypted data to the server, the encrypted documents cannot be searched. If the document owner wants to search for and retrieve its encrypted documents corresponding to a specific keyword like “urgent”, the server cannot help; all the server can do is return all of the owner’s documents. To organize an efficient search over encrypted documents, some additional metadata is required.

Public key encryption with keyword search, PEKS, [83] was originally proposed by Dan Boneh et al. It is also called searchable encryption. In their design, one encrypted keyword is attached to each encrypted document so that the document can be found by that keyword.

The encrypted keyword is called an index because it works like an index in a database system: both accelerate data access. The scenario in Figure 22 shows a sender encrypting a document together with a keyword and storing them on the cloud server. When needed, the receiver can issue a keyword search query through a trapdoor (with one or more hidden keywords), and the server returns the encrypted documents whose index matches the keywords in the trapdoor. Throughout the process the server learns very little about the documents and keywords, since both are encrypted.

Just like the equality test schemes, searchable encryption is another application of secure computation. Note that the encryption and decryption of documents are usually omitted in searchable encryption schemes, because the research focuses on the test between index and trapdoor. Of course, some works such as [84] do not omit the document part.

Figure 22: The syntax of searchable encryption.

5.1 Framework and previous works of PEKS

After the informal description above, the formal introduction of PEKS begins with the syntax definition, followed by the security notion. By the definition of [83], PEKS is composed of five algorithms: 𝑆𝑒𝑡𝑢𝑝, 𝐾𝐺𝑒𝑛, 𝐵𝑢𝑖𝑙𝑑𝐼𝑛𝑑𝑒𝑥, 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟 and 𝑇𝑒𝑠𝑡. Some algorithm names may differ from the original work because different PEKS papers adopt different names, but their functionality is consistent. In this work, all algorithm names and functions are unified as below.

• 𝑆𝑒𝑡𝑢𝑝(𝜅): On input a security parameter 𝜅, it outputs a series of public parameters 𝑝𝑝 that set up a PEKS environment.

• 𝐾𝐺𝑒𝑛(𝑝𝑝): A public key and secret key pair is created for later use. Senders use the receiver’s public key 𝑝𝑘 to encrypt keywords into an index; receivers use their secret key 𝑠𝑘 to generate trapdoors, which they send to the cloud server as search queries.

• 𝐵𝑢𝑖𝑙𝑑𝐼𝑛𝑑𝑒𝑥(𝑝𝑘, 𝑤): It builds an index for the input keyword 𝑤 using the receiver’s public key. The index 𝐼 is attached to the encrypted document for keyword search.

• 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟(𝑠𝑘, 𝑤′): The receiver issues a keyword search query for keyword 𝑤′. A trapdoor 𝑇 is sent to the cloud server as the search query.


When it comes to the security model, Dan Boneh et al. defined indistinguishability against chosen keyword attack, IND-CKA, a security notion quite similar to IND-CCA2. If the keyword is regarded as a message, IND-CKA can be treated as the IND-CCA2 model defined in section 3.1.2. It is still a game between an adversary and a simulator. The simulator runs the game and gives the adversary access to a trapdoor oracle. After polynomially many trapdoor requests, the adversary outputs two keywords 𝑤_0 and 𝑤_1; the simulator randomly picks one of them and builds a challenge index 𝐼*. On receiving the challenge, the adversary is still allowed to query the trapdoor oracle, but neither 𝑤_0 nor 𝑤_1 may be queried. Finally, the adversary outputs a guess 𝑏′ to terminate the IND-CKA game. A PEKS scheme is called IND-CKA secure if the following advantage 𝐴𝑑𝑣^{IND-CKA}_{𝒜,PEKS}(𝜅) is negligible. IND-CKA security is also called semantic security for PEKS schemes.

𝐴𝑑𝑣^{IND-CKA}_{𝒜,PEKS}(𝜅) = |Pr[𝑏′ = 𝑏] − 1/2|

problem. Then, another identity-based construction [25] was also proposed by Dan Boneh et al.

The ID-based construction relies on a type-I bilinear pairing and is easy to understand. For clarity, the ID-based construction is demonstrated below.

• 𝑆𝑒𝑡𝑢𝑝(𝜅): A type-I pairing 𝑒: 𝔾 × 𝔾 → 𝔾_𝑇 as well as two one-way collision-resistant hash functions 𝐻_1 and 𝐻_2 are used. The public parameter is composed of 𝑝𝑝 ← {𝑒, 𝔾, 𝔾_𝑇, 𝑔, 𝑞, 𝐻_1, 𝐻_2} where 𝑔 ∈ 𝔾 and 𝑞 denote a generator and the order of 𝔾 and 𝔾_𝑇, respectively.

• 𝐾𝐺𝑒𝑛(𝑝𝑝): On input the public parameters 𝑝𝑝, a user randomly picks 𝑥 ←$ ℤ_𝑞 as its private key and publishes the public key 𝑦 ← 𝑔^𝑥.

• 𝐵𝑢𝑖𝑙𝑑𝐼𝑛𝑑𝑒𝑥(𝑝𝑘, 𝑤): It outputs 𝐼 ← (𝑈, 𝑉) where 𝑈 ← 𝑔^𝑟, 𝑉 ← 𝐻_2(𝑒(𝐻_1(𝑤), 𝑦^𝑟)) and 𝑟 ←$ ℤ_𝑞.

• 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟(𝑠𝑘, 𝑤′): It outputs 𝑇 ← 𝐻_1(𝑤′)^𝑥 as a trapdoor with hidden keyword 𝑤′.

• 𝑇𝑒𝑠𝑡(𝐼, 𝑇): Let (𝑈, 𝑉) ← 𝐼; it outputs 1 if 𝑉 = 𝐻_2(𝑒(𝑇, 𝑈)), and outputs 0 otherwise.

The correctness of the test algorithm is straightforward because 𝑉 = 𝐻_2(𝑒(𝐻_1(𝑤), 𝑦^𝑟)) = 𝐻_2(𝑒(𝐻_1(𝑤), 𝑔)^{𝑥𝑟}), and 𝐻_2(𝑒(𝑇, 𝑈)) = 𝐻_2(𝑒(𝐻_1(𝑤′)^𝑥, 𝑔^𝑟)) = 𝐻_2(𝑒(𝐻_1(𝑤′), 𝑔)^{𝑥𝑟}). By the bilinear property of the pairing, the two values coincide exactly when 𝐻_1(𝑤) = 𝐻_1(𝑤′), which is how the “equality test between keywords” is realized in this construction.

Previous works with multi-keyword search

Obviously, the above construction is a PEKS scheme with single-keyword matching: each document can be found by one keyword. It is a nice beginning but not the destination. Considering modern webpages, Instagram photo posts or blog articles, one single keyword or hashtag is far from enough to make those articles easily searchable. From a search engine’s point of view, if one webpage can be found only by one specific keyword, how many keywords would users have to memorize in order to find their documents? It would be a terrible experience for users to recall the exact single keyword attached to each document. As a result, multi-keyword search is intuitive and required in the PEKS syntax. Fortunately, several previous works have proposed solutions for multi-keyword search, such as conjunctive keyword search [32], [85]–[89], disjunctive keyword search [90] and subset keyword search [91]. Let 𝒘 ← (𝑤_1, … , 𝑤_𝑚) and 𝒘′ ← (𝑤′_1, … , 𝑤′_𝑛) be the keyword sets hidden in the index and the trapdoor respectively, two most


• Conjunctive keyword search: 𝑤_1 = 𝑤′_1 ∧ 𝑤_2 = 𝑤′_2 ∧ … ∧ 𝑤_𝑛 = 𝑤′_𝑛. The test passes only when all keywords on both sides match. This is the most commonly seen multi-keyword search syntax. In some works, even the order of the keywords must match.

• Disjunctive keyword search: 𝑤_1 = 𝑤′_1 ∨ 𝑤_2 = 𝑤′_2 ∨ … ∨ 𝑤_𝑛 = 𝑤′_𝑛. The test returns 1 if there is at least one match between the two sides.

Of these two types of multi-keyword search syntax, conjunctive keyword search is actually as hard as single keyword search from the user’s viewpoint: the user has to remember all 𝑛 keywords, in the right order, to retrieve one document. Perhaps it is even more difficult and impractical in the authors’ opinion. Disjunctive keyword search is the opposite extreme: too many documents with only a weak connection to the target are returned because of the disjunctive search condition. For instance, when I issue a search query for keywords “FIFA”, “world” and “cup”, the following unrelated documents will be returned.

• Document with keywords “handmade”, “souvenir” and “cup”.

• Document with keywords “second”, “world” and “war”.

On the other hand, neither conjunctive nor disjunctive keyword search matches our search habits. In the above case, when searching for keywords “FIFA”, “world” and “cup”, users may expect results that contain a subset of those keywords, such as “world” and “cup”. Subset keyword search builds on conjunctive keyword search and provides a more elastic and flexible solution.

• Subset keyword search (𝒘 ⊆ 𝒘′ or 𝒘′ ⊆ 𝒘). This test also covers conjunctive keyword search, since 𝒘 = 𝒘′ ⟹ (𝒘 ⊆ 𝒘′) ∧ (𝒘′ ⊆ 𝒘).


5.2 Public key encryption with subset keyword search

Extracted from [92], the “filtered equality test, FET” can be regarded as a building block that may be utilized to construct a somewhat semantically secure PKEET scheme. The term “somewhat” indicates that the semantic security comes from skillfully bypassing some challenges that might cause the simulation to fail. Because that failure probability is bounded to be negligible, the precise description is “somewhat semantically secure”.

The FET technique was adopted to construct the first provably somewhat semantically secure PKEET scheme [92]. It was then used to build a subset keyword search scheme [93] named public key encryption with multi-keyword search, PE-MKS. Intuitively, a filtered equality test over keywords is well suited to constructing a subset keyword search scheme, since FET checks membership first and equality later. Informally, PE-MKS works as follows.

Referring to Figure 22, a sender gathers 𝑚 keywords 𝒘 ← (𝑤_1, … , 𝑤_𝑚) to build an index 𝐼 and outsources it to a cloud server. Later, the receiver sends the server a search trapdoor 𝑇 for the keyword set 𝒘′ ← (𝑤′_1, … , 𝑤′_𝑛). On receiving the search request, the cloud server returns the related documents if 𝒘 ⊆ 𝒘′ (see footnote 5). The formal definition of PE-MKS is introduced as follows.

• 𝑆𝑒𝑡𝑢𝑝(𝜅): On input a security parameter 𝜅, it outputs a series of public parameters 𝑝𝑝 that set up a PEKS environment.

• 𝐾𝐺𝑒𝑛𝑈𝑠𝑒𝑟(𝑝𝑝): A user’s key pair, a public key 𝑝𝑘 and a secret key 𝑠𝑘, is created for later use.

• 𝐾𝐺𝑒𝑛𝑆𝑒𝑟𝑣𝑒𝑟(𝑝𝑝): A server’s key pair, a public key 𝑝𝑘_𝑠 and a secret key 𝑠𝑘_𝑠, is created for later use.

Footnote 5: In fact, it would also be fine to build a FET-based subset keyword search scheme that tests 𝒘′ ⊆ 𝒘.


• 𝐵𝑢𝑖𝑙𝑑𝐼𝑛𝑑𝑒𝑥(𝑝𝑘, 𝑝𝑘_𝑠, 𝒘): It builds an index for the input keyword set 𝒘 using the receiver’s public key and the server’s public key. The index 𝐼 is attached to the encrypted document for keyword search.

• 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟(𝑠𝑘, 𝒘′): The receiver issues a keyword search query for the keyword set 𝒘′. A trapdoor 𝑇 is sent to the cloud server as the search query.

• 𝑇𝑒𝑠𝑡(𝑠𝑘_𝑠, 𝐼, 𝑇): On input a trapdoor 𝑇, only the cloud server can run the test against every index stored on the server and return the corresponding documents. It outputs 1 when 𝒘 ⊆ 𝒘′, and outputs 0 otherwise.

With the syntax above, the subset keyword search can be executed only by the designated server. This design was proposed to make clear who can search the outsourced documents. It also prevents information leakage in transit. The detailed construction is introduced below.

• 𝑆𝑒𝑡𝑢𝑝(𝜅): A type-III pairing 𝑒: 𝔾_1 × 𝔾_2 → 𝔾_𝑇 as well as a one-way collision-resistant hash function 𝐻: {0,1}* → ℤ_𝑞 are used. The public parameter is composed of 𝑝𝑝 ← {𝑒, 𝔾_1, 𝔾_2, 𝔾_𝑇, 𝑔_1, 𝑔_2, 𝑞, 𝐻, 𝑛} where 𝑔_1 ∈ 𝔾_1, 𝑔_2 ∈ 𝔾_2 and 𝑞 denote the two generators and the common order of all three groups, respectively. The number 𝑛 is auxiliary information that bounds the maximum number of keywords searched for in a trapdoor.

• 𝐾𝐺𝑒𝑛𝑈𝑠𝑒𝑟(𝑝𝑝): On input the public parameters 𝑝𝑝, a user randomly picks (𝑥_0, … , 𝑥_𝑛, 𝑦) ←$ ℤ_𝑞 as its private key 𝑠𝑘 and publishes the public key 𝑝𝑘 ← (𝑋_0, … , 𝑋_𝑛, 𝑌) where 𝑌 ← 𝑔^𝑦 and ∀𝑖 ∈ [0, 𝑛]: 𝑋_𝑖 ← 𝑔^{𝑥_𝑖}.

• 𝐾𝐺𝑒𝑛𝑆𝑒𝑟𝑣𝑒𝑟(𝑝𝑝): On input the public parameters 𝑝𝑝, a server randomly picks 𝑠 ←$ ℤ_𝑞 as its private key and publishes the public key 𝑆 ← 𝑔^𝑠.

• 𝐵𝑢𝑖𝑙𝑑𝐼𝑛𝑑𝑒𝑥(𝑝𝑘, 𝑝𝑘_𝑠, 𝒘): On input (𝑋_0, … , 𝑋_𝑛, 𝑌) ← 𝑝𝑘, 𝑝𝑘_𝑠 and (𝑤_1, … , 𝑤_𝑚) ← 𝒘 (it is required that 𝑚 ≤ 𝑛), it outputs an index 𝐼 ← (𝑈, 𝑉_0, … , 𝑉_𝑛) where 𝑟 ←$ ℤ_𝑞, 𝑈 ← 𝐻(𝑒(𝑆, 𝑌)^{𝑟 …}), 𝑡 ← … and ∀𝑖 ∈ [0, 𝑛]: ℎ_𝑖 ← … 𝐻(𝑤_𝑗) …, 𝑉_𝑖 ← 𝑋_𝑖^{𝑟 …}.

The test is somewhat involved, so its correctness is derived step by step for better understanding.

𝐻( … 𝑒(𝑉_𝑖, 𝑇) … )


Table 6: Comparison between PE-MKS and the previous subset keyword search scheme (𝑡_𝑝 denotes one pairing, 𝑡_𝑒 one exponentiation).

                                     ZZ11 [91]               PE-MKS
Efficiency   𝐾𝐺𝑒𝑛𝑈𝑠𝑒𝑟               𝑡_𝑒                     (𝑛 + 1) 𝑡_𝑒
             𝐾𝐺𝑒𝑛𝑆𝑒𝑟𝑣𝑒𝑟             N/A                     𝑡_𝑒
             𝐵𝑢𝑖𝑙𝑑𝐼𝑛𝑑𝑒𝑥             𝑡_𝑝 + (2𝑛 + 4) 𝑡_𝑒      𝑡_𝑝 + (𝑛 + 2) 𝑡_𝑒
             𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟               (2𝑛 + 3) 𝑡_𝑒            𝑛 ⋅ 𝑡_𝑒
             𝑇𝑒𝑠𝑡                   (2𝑛 + 3) 𝑡_𝑝            (𝑛 + 1) 𝑡_𝑝 + 𝑡_𝑒
Storage      Secret key (user)      𝜅                       (𝑛 + 1) 𝜅
             Public key (user)      𝑞                       (𝑛 + 1) 𝑞
             Secret key (server)    N/A                     𝜅
             Public key (server)    N/A                     𝑞
             Index                  (2𝑛 + 3) 𝑞 + 𝜅          (𝑛 + 1) 𝑞 + 𝜅
             Trapdoor               (𝑛 + 3) 𝑞               (𝑛 + 1) 𝑞
Security                            N/A                     IND-CKA

Comparison with previous subset keyword search

To the best of our knowledge, ZZ11 [91] is the only previous work that supports subset keyword search. It is compared with the newly proposed PE-MKS scheme in Table 6, which considers the computational costs, the storage space and the security notion that has been proved. In key generation and key storage, PE-MKS performs worse than ZZ11. For the other algorithms, 𝐵𝑢𝑖𝑙𝑑𝐼𝑛𝑑𝑒𝑥, 𝑇𝑟𝑎𝑝𝑑𝑜𝑜𝑟 and 𝑇𝑒𝑠𝑡, PE-MKS is about twice as efficient as ZZ11, and the index size of PE-MKS is about half that of ZZ11. In the PEKS scenario, the cloud server keeps a huge number of indexes in its database and answers each search query by testing one trapdoor against many indexes. Hence, the computational cost of 𝑇𝑒𝑠𝑡 and the storage space of the index are the two most important factors in judging efficiency and storage. To conclude, the newly proposed PE-MKS scheme is twice as efficient and needs only half the storage space compared to the only known previous subset keyword search scheme ZZ11 [91].

Security proof