
Public Key Searchable Encryption with Conjunctive Queries

4 Our Construction

4.1 Public Key Searchable Encryption with Conjunctive Queries

We construct a searchable encryption scheme on elliptic curve groups, based on El Gamal Proxy Re-encryption and Hidden Vector Encryption.

Authorized users can share encrypted data with one another and perform conjunctive keyword searches over it. In our construction, authorized users share encrypted data through a data server that supports the following operations:

Get – The user requests the shared data by its id.

Search – The user asks the data server to perform a conjunctive keyword search by sending a query trapdoor associated with the keywords.

Insert – The user inserts new data into the data server by running the data encryption algorithm to encrypt the data and its keywords.

Remove – The user requests the data server to remove the encrypted data with a certain id together with its related keyword encryptions.

The data server, also called the proxy server since it stands as a proxy between users, is considered to be “honest but curious”: it performs the search operation honestly but is curious about the data content. While performing the search operation for users, it is important that the data server gains no information other than:

1. which user sent the query, and

2. the set of encrypted documents that contain the queried keywords.

That is, the data server learns nothing about the data content, the keywords being queried, or anything else.

In our design, the authorized users are able to:

Encrypt – Users encrypt data together with its associated keywords and pass it to the data server.

Query – Users query for keywords conjunctively over the encrypted data on the data server by producing a trapdoor related to the keywords.

Decrypt – Users decrypt the encrypted data that is returned from the data server.

Note that only authorized users in possession of a secret key can perform the above operations. The user’s secret key is called the user side key; it is generated by a Key Management Server (KMS) and distributed securely to the user, while the corresponding server side key is securely transmitted to the data server by the KMS. The two keys, the user side key and the server side key, are both related to a master key that is held secretly by the KMS. Hence, the KMS must keep the master key secure in order to keep the entire system free from attack.

We assume that no authorized user reveals his user side key to the data server; otherwise the data server can reconstruct the master key by multiplying the user side key with the server side key related to it. We also assume that there is an impartial KMS which keeps the master key secret and reveals nothing but the public parameters. Under these assumptions, we build our construction so that authorized users can store and share data on an untrusted server without revealing the data content to the data server, while conjunctive queries over the encrypted data are supported by the data server.

Each algorithm in our searchable encryption scheme consists of two parts: an elliptic curve proxy encryption part that encrypts the symmetric session key which in turn encrypts the data, and a hidden vector encryption part that generates the conjunctive-query searchable encryptions related to the keywords of the data. We define our construction as follows:

Definition 4.1

(Public Key Searchable Encryption with Conjunctive Queries)

Let and be strings of length where { and { . Let ( ) be the attribute vector related to data , and ( ) be encrypted data on data server. Define a predicate ( ) if and only if or , for ; ( ) otherwise.

We construct a searchable encryption scheme consisting of the following nine algorithms:

1. ( ): The KMS takes the security parameter and attribute length ( ), then outputs public key and a master key set .

2. ( ): The KMS takes the master key set and a user’s identity , generates the secret key set . User side key is then securely sent to the user , and server side key is sent to the server.

3. ( ): The user uses his user side key to encrypt a document with its associated attribute vector . The output is the user-side ciphertext ( ).

4. ( ( )): On receiving the ciphertext ( ) from user , the server fetches the server side key , and outputs the re-encrypted ciphertext ( ).

5. ( ): On input the attribute y, the user uses his user side key to generate a trapdoor ( ).

6. ( ( ) ( ) ): The server takes as input the trapdoor ( ) and the user’s server side key , then tests for each ( ) ( ) whether the predicate ( ) holds. If ‘yes’, the server invokes the pre-decrypt algorithm to obtain ( ) and sends ( ) to the user .

7. ( ( )): The server takes as input the encrypted data that contains the keywords queried by the trapdoor and the user’s identity , pre-decrypts the encrypted data with its server side key as ( ), and sends ( ) to user .

8. ( ( )): The user takes his user key , and decrypts ( ) to obtain data .

9. ( ): Given , the data server updates the user-key mapping set ( ).

The following is the concrete construction of our searchable encryption.

Note that both the data encryption and attribute vector (keyword related) encryption are based on pairing-based cryptography.

( )

The KMS first takes the input security parameter and the attribute length ( ) . The KMS chooses an instance { and ← , where is the group order of and , is a symmetric bilinear pairing and is a generator of . Set ( ) . Then the KMS chooses random numbers ← and computes and for . The public parameters are published by the KMS as [ ( ) ( ) ], and the master key is kept secret as [ ( ) ].

( )

On input the , for each user , the KMS randomly chooses ← , and computes ⁄ . Then the KMS securely transmits to the user and ( ) to the data server. The server side key mapping set is updated as ( ).

( )

The user takes as input the data where is the base field of , the user side key and attribute vector { . The user chooses a random number ← and computes . Let and ( ) . Then he computes [ ] where , and . Next, the user chooses ← and for , and computes ( ), , and { { for . Finally, ( ) [ ( ) ( )] is sent to the data server, where ( ) [ ] is the ciphertext and ( ) [ ( ) ] is the searchable encryption.

( ( ))

The proxy server finds the server side key of user j, ( ). It then re-encrypts the ciphertext ( ) [ ( ) ( )] by computing and . Finally, ( ) [ ( ) ( )] , where ( ) [ ] and ( ) [ ( ) ] is inserted into the data storage ( ) ( ) ( ).

( )

The user takes as input his user side key and a string { . Denote by and the sets of indices such that { | and { | . Let be the set of indices for which . If , that is, ( ), let . Else, for each , choose a number ← such that ∑ . Compute ( ) where { { . Then, the user sends the trapdoor relative to the attribute vector to the data server.

( )

Taking as input the server side key of user , and the trapdoor , the data server performs the search by calculating whether for each ( ) ( ). If , then , the data server calculates as

( )

Else, the data server calculates as

[∏ ( )

( )]

If predicate ( ) , then since

[∏ ( )

( )]

[ ( ) ( ) ∑ ] [ ( ) ]

[ ( ) ] ( ) ( )

( ( ))

On input user id and encrypted data ( ) [ ], the data server pre-decrypts ( ) to ( ) so that user can decrypt the encrypted data. The data server computes . ( ) [ ] is then sent to the user .

( ( ))

User fully decrypts the pre-decrypted ciphertext ( ) [ ] where [ ] . He computes and where , to obtain the plaintext data .

( )

To revoke user , the data server simply updates the user-key mapping set ( ).

Thus we complete the construction of our public key searchable encryption with conjunctive queries. We will further discuss the experimental performance of each function in Section 4.3.
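To make the key split concrete, here is an added example in pure Python (not code from the paper) that models the ElGamal proxy re-encryption half of the construction on secp256k1: the KMS holds a master key x, user j receives a_j, the server receives b_j = x / a_j mod n, a ciphertext produced under a_i is re-encrypted by the server into a user-independent form, and it is later pre-decrypted for any other authorized user j. It also exercises the two checks discussed above: a revoked user can no longer be served, and a user side key leaked to the server yields the master key with one multiplication. The curve choice, the blinding of the session key by the x-coordinate of rG, and all class and function names are assumptions of this example; the hidden vector encryption part used for keyword search is not modeled.

```python
# Added example, not the paper's code: split-key EC ElGamal proxy re-encryption.
# Assumed here: secp256k1, session key blinded by the x-coordinate of r*G,
# illustrative names; the HVE keyword-search part is not modeled.
import secrets

# secp256k1: y^2 = x^3 + 7 over F_P, generator G of prime order N
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:                      # p2 == -p1
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # doubling, curve a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point):
    """Double-and-add scalar multiplication, k reduced mod N."""
    k %= N
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def rand_scalar():
    return secrets.randbelow(N - 1) + 1             # uniform in [1, N-1]

class KMS:
    """Holds master key x; splits it into (a_j, b_j) with a_j * b_j = x mod N."""
    def __init__(self):
        self.x = rand_scalar()
    def keygen(self):
        a = rand_scalar()                           # user side key a_j
        return a, self.x * pow(a, -1, N) % N        # server side key b_j = x / a_j

def user_encrypt(a_i, session_key):
    """User i: c1 = (a_i r)G, c2 = key * x(rG) mod P."""
    r = rand_scalar()
    return ec_mul(a_i * r % N, G), session_key * ec_mul(r, G)[0] % P

class DataServer:
    """Honest-but-curious proxy: holds only server side keys and re-encrypted data."""
    def __init__(self):
        self.server_keys, self.store = {}, {}       # uid -> b_j ; doc_id -> ((xr)G, c2)
    def register(self, uid, b_j):
        self.server_keys[uid] = b_j
    def revoke(self, uid):
        self.server_keys.pop(uid, None)             # Revoke: drop the mapping entry
    def insert(self, doc_id, uid, ct):
        c1, c2 = ct                                 # ReEnc: b_i (a_i r)G = (x r)G
        self.store[doc_id] = (ec_mul(self.server_keys[uid], c1), c2)
    def get(self, doc_id, uid):
        """PreDec for user j: (xr)G / b_j = (a_j r)G; refused for revoked users."""
        if uid not in self.server_keys:
            raise PermissionError(f"{uid} is not an authorized user")
        c1, c2 = self.store[doc_id]
        return ec_mul(pow(self.server_keys[uid], -1, N), c1), c2

def user_decrypt(a_j, pre_ct):
    """User j: strip a_j to get rG, then unblind the session key."""
    c1, c2 = pre_ct
    return c2 * pow(ec_mul(pow(a_j, -1, N), c1)[0], -1, P) % P

def master_key_from_leak(a_j, b_j):
    """The caveat above: a user side key leaked to the server yields x."""
    return a_j * b_j % N

def demo():
    kms, server = KMS(), DataServer()
    a_alice, b_alice = kms.keygen()
    a_bob, b_bob = kms.keygen()
    server.register("alice", b_alice)
    server.register("bob", b_bob)
    key = int.from_bytes(secrets.token_bytes(16), "big")  # constructed session key
    server.insert("doc-1", "alice", user_encrypt(a_alice, key))
    shared_ok = user_decrypt(a_bob, server.get("doc-1", "bob")) == key
    leak_ok = master_key_from_leak(a_alice, b_alice) == kms.x
    server.revoke("bob")
    try:
        server.get("doc-1", "bob")
        revoked_ok = False
    except PermissionError:
        revoked_ok = True
    return shared_ok, leak_ok, revoked_ok
```

The stored form (xr)G depends only on the master key, which is what lets any authorized user be served from one copy; recovering rG from (xG, (xr)G) without x is the hard problem the scheme leans on. The `demo()` call returns three booleans: Bob can decrypt what Alice stored, Alice's leaked a_j times the server's b_j equals x, and Bob is refused after `revoke`.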
