Security Enhanced Public Key Encryption with Keyword Search

ér4#“íòdª½©tÇÀ‹òÍ$

Security Enhanced Public Key Encryption with

Keyword Search

Å
«É½¸×ç Email:pyting@mail.ntou.edu.tw

ØŠ

Å
«É½¸×ç Email:y456@mail.ntou.edu.tw

Åzp

Å
«É½¸×ç Email:M96570025@mail.ntou.edu.tw ¿ b ¿ b

¿ b — …d3bZª…d3bZª…d3bZª Boneh AÊAÊAÊ 2004
T|í
T|í
T|í

“ªªWɜ彩ítÇÀ‹òÍ$ªªWɜ彩ítÇÀ‹òÍ$ªªWɜ彩ítÇÀ‹òÍ$”,ZªíÍ$³/Â.ZªíÍ$³/Â.ZªíÍ$³/Â. âËòn?ªW½© âËòn?ªW½© âËòn?ªW½©,पJ ÎŸ…Í$ÛbN¬érपJ ÎŸ…Í$ÛbN¬érपJ ÎŸ…Í$ÛbN¬ér −f£Éœå˙Æícq −f£Éœå˙Æícq

−f£Éœå˙Æícq,Bb6½heBb6½heBb6½he BaekÊÊÊ 2008
FT
FT
FT

|íér4ì2 |íér4ì2

|íér4ì2, BbN|w2íÿõBbN|w2íÿõBbN|w2íÿõ, #“wì2U5xJ}#“wì2U5xJ}#“wì2U5xJ}

“²Ï¿tòd - Éœå˙Æ”ÛUí?‰ “²Ï¿tòd - Éœå˙Æ”ÛUí?‰ “²Ï¿tòd - Éœå˙Æ”ÛUí?‰,N|N|N| BaekíÍ$ʇíÍ$ʇíÍ$ʇ ú¤Ãíér4ì2„pvXcí˚Ø ú¤Ãíér4ì2„pvXcí˚Ø ú¤Ãíér4ì2„pvXcí˚Ø, Í(BbT|ø_ZªÍ(BbT|ø_ZªÍ(BbT|ø_Zª íÍ$ íÍ$ íÍ$,1/ÊÓœ6_
-„p¤Í$Å—‡H#“5ér41/ÊÓœ6_
-„p¤Í$Å—‡H#“5ér41/ÊÓœ6_
-„p¤Í$Å—‡H#“5ér4 ì2 ì2 ì2 É œ È É œ È É œ È — ɜ彩ɜ彩ɜ彩, tÇÀ‹òÍ$tÇÀ‹òÍ$tÇÀ‹òÍ$, ²Ï¿tò²Ï¿tò²Ï¿tò d d

d-Éœå˙ÆÛUÉœå˙ÆÛUÉœå˙ÆÛU,Óœ6_
Ӝ6_
Ӝ6_

Abstract—We propose a security enhanced version of

Boneh’s “Public Key Encryption with Keyword Search” system. The server in the new system is equipped with a key pair for performing the search operations. This new system eliminates completely the “secure channel” assumption for the keyword trapdoor. We reexamine the security definition by Baek, point out the weakness of it, and strengthen it such that it is secure against chosen test ciphertext - keyword trapdoor attacks. We discuss the problems met by Baek’s scheme and propose a modified system with full security proofs according to the enhanced security definition in the random oracle model.

Index Terms:—Keyword Search, Public Key

Encryp-tion, Chosen Test Ciphertext - Keyword Trapdoor Attack, Random Oracle Model

ø  ø  ø 

ª½©í‹òÍ$3b}Ñú×é, øéu’ò ’mR¦ (Private Information Retrieval, PIR) Í $[4], [6], [9] w2øjTX’eé#ÇøjŒÉ, ŒÉ íøjÎ7)ƒ¯¯‘Kí’e5Õ, ̶)ƒwFí ’m, ÇøjÞŒÉ66ı’eË6.}òQõƒ FíŒÉ‘K, ¤éÍ$¦ÑÖjér« (Secure Multiparty Computation)í@à[7]; ùéu’el æ/ÂTXw•6læ ŒÉw•6_AËíòd ’e[10], [5], ¤éÍ$3b«àú˚íò{Í$‹ ò, /Âʽ©¬˙2̶)ƒ’eòdCuŒÉÉ œåòdíqñ; úéuªªWɜ彩ítÇÀ ‹òÍ$[3], [1], ¥éÍ$ªJ«àÊéríÚäs K/Â,, !…,f£6 QY6¸/Âú_¡ D6, LSø_f£6ªJàQY6ít‹òm7f ]BsK/Â, QY6ªJ`TÉœåí˙Æf]# /ÂJ½©xNìÉœåíÚäsK …d«níÍ$чHúéí@à, Boneh[3] AÊ 2004
T|øP!kÂ(4ºú (Bi-linear pairing) X¶Éœå½©ítÇÀ‹òÍ $ (Public-key Encryption system with Keyword Search, PEKS), àÇøFývÍ$!kÂ(4ºú2

f£6 ÉœåW òdPEKS- / ɜå˙Æ T w  -ªúAŠ5òd QY6 ò y ÉœåW Í$¡b: Í$¡b: Í$¡b: ×”b p, ˇ G1, G₂,|G₁| = |G₂| = p, g Ñ G₁ íÞ AjÖ, Â(4ºú e : G1×G1→ G2,ÆEƒ H1: {0, 1}∗_{→ G}∗ 1, H2: G2→ {0, 1}k, k= log2p QY6: QY6: QY6: ‘² y ∈RZ_p∗, l Y = gy,t pkr= Y , ò skr= y òd òd òd P EKS(pkr, W): f£6L² r ∈RZp∗, S= (U₁, U₂) = (gr, H₂(e(H₁(W ), Yr))) Éœå˙Æ Éœå˙Æ Éœå˙Æ T rapdoor(skr, W): QY6l T w = H1(W )y Éœåªú Éœåªú Éœåªú T est(T w, S):S = (U1, U2), /Âl1ªú H2(e(T w, U1))= U? 2 Çø. Boneh[3] 5 PEKS Í$ ú_AªJ«àúj Diffie-Hellman À>²›ì[8] uø_˜òbMíÔ4Vql, ?¹çú_Aít }Ñ gx_{, g}y_{, g}z_{,†úA·ªJAWl|uí˜ò}

e(gy, gz)x = e(gx, gz)y = e(gx, gy)z = e(g, g)xyz, Í $«Tvf£6‘²v4 òdóYíò r £t gr,_{QY6íòÑ y, tÑ g}y,ÇÕ‡úòd2íÉ œå W , «àÆEƒl H1(W ) TÑø_.Œít , dloggH1(W ) Ñú@íò, ³LSAø−wb M, ¤vf£6DQY6uø_˜ò e(H1(W ), gy)r = e(H1(W )y, gr), ‡6Ê‹òvâf£6l, (6 †}ÑÉœå˙Æ (trapdoor) H1(W )y âQY6l, e(·, gr) †â\æFòdí/Âl, à¤/ .ø−½©víÉœå W , QY66.})ƒ.ÖN ìÉœåídK , H Í $ 2 â k L S A É b ³ i ƒ ò d (gr_{, H} 2(e(H1(W ), gy)r)) J£Éœå˙Æ H1(W )y, .ÛbLS’ò’m¹ª¿tòd2u´ÖÉœå W , ĤÛbcq«àérí−Vf£òdCuÉ œå˙Æ Baek[1] Ê 2008
‡ú¤½æT|ø _j²íj , Í7ÄÑÊér4ì2³Uàóçÿ íÛU6, wér4EÍ&Zª …díl«n Baek T|íér4ì2; ^Zwì2AÑʲÏÉ œå (chosen keyword) ²Ï¿tòd-Éœå˙Æ (chosen test ciphertext-trapdoor) ÛU-5òd.ª }< (message-indistinguishability) ér4JJ}Û U‰œ#íãA; N| Baek íÍ$Êþt„p¤#“ 5ér4vXcí˚Ø; QOT|ø_Zªíœ„, 1 /ÊÓœ6 (random oracle) _
[2]-„p¤Zª 휄¯¯#“íér4ì2, à¤BbªJqlø_ QY6D/®AxòíÍ$, LSú6óÍ ³iòdJ£Éœå˙ÆEÍ̶AWªú¿t, ª7 T¯Í$«Tíér4 âk̶ÔFª?íÛUj¶, ¡ù
Vò {Í$íÇêóçO˝Üí„p, rÖ³ér4„ píÍ$Ð/·`ƒúj, ku'ÖÍ$íql-Z2 AÍËUàƒø<ér4„p2ÛbíjK, vÝB .u'ñqj„vjKòg,íqlÜ1, Í7ÄÑL S-CuÌ-íNÜ·ª?\ÛU6«àVújCu ß×Í$£í«T, ÊqlÍ$vBb´u@vbS ¦ÊŒ4íér–1- 6ÿuâ„p2M¥Zªér «TíÍ$œ„ …dù2øH Baek íér4ì2J£ wFT|í SCF-PEKS Í$, úT|#“íér 4ì2, «Hw<°1/N| Baek 휄„p¤#“ íér4ì2ví½æ, û‡ú#“íér4T| ZGí SCF-PEKS-1 Í$, ü„p SCF-PEKS-1 Í$Å—#“5ér4ì2, ýÑ! ù ù ù Baekííí SCF-PEKSÍ$Dér4ì2Í$Dér4ì2Í$Dér4ì2 Çù2¿b·H Baek í “.Ûér− (Secure Channel Free, SCF) í PEKS” Í$, ¯U,Y
Bonehí PEKS Í$JjZªœ£©è, ĤD Baek ídıI|p

Í$2|3b/Âql7t pks Dò

Í$¡b: Í$¡b: Í$¡b: ×”b p, ˇ G1, G₂,|G₁| = |G₂| = p, g Ñ G₁íÞ AjÖ, Â(4ºú e : G1×G1→ G2,ÆEƒ H1: {0, 1}∗_{→ G}∗ 1, H2: G2→ {0, 1}k, k= log2p /Â: /Â: /Â: ‘² x ∈RZ_p∗, l X = gx,‘² Q ∈RG∗₁, t pks= (Q, X), ò sks= x QY6: QY6: QY6: ‘² y ∈RZ_p∗, l Y = gy,t pkr= Y , ò skr= y òd òd òd SCF −P EKS(pks, pkr, W): f£6‘² r ∈R Z_p∗, S = (U₁, U2) = (gr_{, H} 2(e(Q, Xr) · e(H1(W ), Yr))) Éœå˙Æ Éœå˙Æ Éœå˙Æ T rapdoor(skr, W): QY6l T w = H1(W )y Éœåªú Éœåªú Éœåªú T est(sks, T w, S):S = (U1, U2), /Âl1ªú H2(e(Qx· T w, U1))= U? 2 Çù. Baek í SCF-PEKS[1] Í$ e(Q, gr)x, /ÂʪúvÛb«àwòn?l|

e(Qx, gr), , e(T w, U₁), yl H₂(·) ÆEƒ

M¹ªD U2 ªú, à¤íqlòg,íüªJ Î

érf£−ícq wér_
àÇúFý, 3b} Ñs_¶M, Game 1 !…,ÿu Boneh í PEKS íér_
, uø_ÛU6êr−„7/Â, ˪ J L<Éœå˙Æí6 (oracle) íòd}<_
; Game 2 †uçÛU6êr−„7QY6, °šË ªJ L<Éœå˙Æ6íòd}<_
 Baek 6„pÇùíÍ$¯¯Çúíér4ì2, à‹ø_ ^0íÛU6ªJúj Game 1 Cu Game 2, «à¥_ÛU6ÿªJqlø_^0íƶVúj BDH(Bilinear Diffie-Hellman) ½æ F‚ BDH ½æ¹Ñ#ì < g, gα, gβ, gγ > _° ¦ e(g, g)αβγ _{í½æ, …d2FÍ$5ér4·!k} BDH cq, ?¹cqL<œ0ÖávÈíƶ ·Ì¶j| BDH ½æ çø_°v¯¯ Game 1 ér4D Game 2 ér Game 1

A

−„/Â, x∈_RZ_p∗, X= gx 1-1 Í$¡b -1-2 6 T rapdoory(·)  - Éœå Wj  1-3 b∈_R{0, 1} S= P EKS(x, y, Wb) -W₀, W₁∈ {W_j} 1-4 6 T rapdoory(·)  - Éœå Wj∈ {W0, W1} 1-5  b∈ {0, 1} Game 2

A

−„QY6, y∈_RZ_p∗, Y = gy 2-1 Í$¡b -2-2 6 T rapdoory(·)  - Éœå Wj  2-3 b∈_R{0, 1} S= P EKS(x, y, W_b) -W0, W₁∈ {W_j} 2-4 6 T rapdoory(·)  - Éœå Wj∈ {W0, W1} 2-5  b∈ {0, 1} Çú. Baek íér_
4íÍ$«Tv, /¸QY6.â¯Tn?DªW òdDÉœå˙Æíªú, ÿø.ª ú #“íér_
ú #“íér_
ú #“íér_
n Baek íér4ì2, ªJêÛ_
2F «níãAœÿ, Ê Game 2 2, ª L<Éœå

˙Æí6 T rapdoory(·) !…,uÖìí, ÄÑÛU

6 A êr−„7QY6, 6ø−QY6íò y, Ĥ ÛU6ªJÓvlL<Éœåí˙Æ, ;….ÛbÉ ½v6, ÛU6̶
âɽv67‹#wÛUí ?‰; âÇøjÞVõ, âkÛU61.ø−/Âí ò x, ĤÛU6³Ÿ¶AWªúòdDÉœå˙ Æ, ?¹l T est(x, T w, S), à‹?DàÇûTXª l T est(x, ·, ·) í6#ÛU6, †ªJ‹#ÛU6 íÛU?‰, à¤ì2íér_
¨Ö7ŸV Baek í ér4ì2, F)ƒíér4œò

Êþt„p Baek í SCF-PEKS xÇû2 Game 2 _{íér4v, .âÊ.ø− x í8”-_Ò} l| T est(x, T wj, Sj), ?¹Ûbl e(Qx, U1) ·

Game 2

A

−„QY6, y∈_RZ_p∗, Y = gy 2-1 Í$¡b -2-2 6 T est(x, T wj, Sj) - Éœå˙Æ T wj_{òd S}, j  2-3 b∈_R{0, 1} S= P EKS(x, y, Wb) -W₀, W₁ 2-4 6 T est(x, T wj, Sj) - T wj, Sj, S∈ {Sj} 2-5  b∈ {0, 1} Çû. ‹#5ér_
e(T wj, U1), w2 Sj = (U1, U2), Q ªJâ‘D6 ‘² δ, I Q = gδ_{, पJl e(Q}x_{, U} 1) = e(Xδ, U₁), âkBbcq H_{2 ÑÓœ6, Ĥà} ‹ T wj ¹Ñ Sj 2íÉœå Wj Fú@í˙Æ, † e(Qx, U₁) · e(T wj, U1) øìɽ¬ H2 6, ªJÊ

H₂-list 2©v tj = e(Qx, U1) · e(T wj, U1) Fú@

í Vj, à‹D U2 ó°† T est(x, ·, ·) 6 1 ´

† 0 Í7Ê«à Game 2 íÛU6ÛU BDH ½æ < g, gα_{, g}β_{, g}γ _{> v (¡5Çþ£üíz}

p), âk e(Q, Xγ) = e(gδ, gαγ), 1̶'ñqË)

ƒ e(g, g)αβγ _{5ñ™M, ĤÊ-ø2Bb}ùp}

ú_ÆEƒ, JêA Game 2 í„p û ‡ú#“ér_
ZG5Í$ û ‡ú#“ér_
ZG5Í$ û ‡ú#“ér_
ZG5Í$ à,FH, Bb.ø− Baek í SCF-PEKS Í $u´¯¯#“íér4ì2, àÇüFý, Bb‡ú ,H}pXcí½æ, T|_çí^£, Uàú_ÆE ƒ H1, H2, £ H3, पJÊÓœ6_
-„p ¤ZGÍ$Å—Çú2 Game 1 J£Çû2 Game 2 íérì2 ¤Í$5£ü4ð„à-: H₃(e(H₁(U₁)x · T w, U₁)) = H₃(e(H₁(gr), grx) · e(H₂(W )y, gr)) = H₃(e(H₁(gr), Xr) · e(H₂(W ), Yr)) = U₂ SCF-PEKS-1 ¸ SCF-PEKS s_Í$5È |3bíÏÊk‡6íòd2Uà e(H1(gr), X)r

7.u e(Q, X)r_{, –1,¥øáí3bñíEÍ}

uâf£6¸/Â>²ø_¾òM, f£6ªJ Í$¡b: Í$¡b: Í$¡b: ×”b p, ˇ G1, G2, |G1| = |G2| = p, g Ñ G1 í ÞAjÖ, Â(4ºú e : G1× G1 → G2, ÆEƒ H1 : G1 → G∗1, H2 : {0, 1}∗ → G∗1, H3 : G2 → {0, 1}k_{, k= log} 2p /Â: /Â: /Â: ‘² x ∈RZ_p∗, l X = gx,t pks= X, ò sks= x QY6: QY6: QY6: ‘² y ∈RZ_p∗, l Y = gy,t pkr= Y , ò skr= y òd òd òd SCF −P EKS−1(pks, pkr, W): f£6L² r ∈R Z_p∗, S = (U₁, U₂) = (gr_{, H3(e(H1(g}r_{), X}r_{) · e(H2(W ), Y}r₎₎₎ Éœå˙Æ Éœå˙Æ Éœå˙Æ T rapdoor(skr, W): QY6l T w= H2(W )y Éœåªú Éœåªú Éœåªú T est(sks, T w, S):S = (U₁, U₂), /ªú H3(e(H1(U1)x· T w, U1))= U? 2 Çü. ér4#“5 SCF-PEKS-1 Í$ à e(H1(gr), X)r Vl¤M, 7/ªJà e(H₁(gr), gr)x Vl¤M, «à¥_uí¾òMõ ÛÉ/ªJªúòdDÉœå˙ÆíÛ°, Ĥ  Î7ÛbN¬ér−f£Éœå˙Æícq, -ø í„p2éýUà H1(gr) ¦H Q Î7ªJÊ׶ }8”-£ü_Ò T est(x, ·, ·) 6, °vN¬Óœ 6 H₁ í_Ò6ªJß‚Ëøúj Game 2 í½æ “Ñúj BDH ½æ, *7
¤Í$í Game 2 é r4 ü ²ÏÉœåÛUD²Ï¿tòd-Éœå˙Æ ü ²ÏÉœåÛUD²Ï¿tòd-Éœå˙Æ ü ²ÏÉœåÛUD²Ï¿tòd-Éœå˙Æ ÛU-òd.ª}<5ér4 ÛU-òd.ª}<5ér4 ÛU-òd.ª}<5ér4 ìÜ 1. ìÜ 1. ìÜ 1. Ê BDH ½æÑl,̶újícq -, Çü2 SCF-PEKS-1 Í$ÑÓœ 6_
-²ÏÉœåÛUD²Ï¿tò d - Éœå˙ÆÛU- òd.ª}<í „p. „p. „p. Game 1: ÇýÑúj BDH íƶ B 5º0, w2cq

ÛU6 A êr−„/ (Ëwò x), /.ª Iíi‘  }< SCF-PEKS-1 òd, B ʦ)ø _ BDH ½æ < g, gα_{, g}β_{, g}γ _{> (, ÊÇú Game} 1 ¥
1-1 2øQY6ít Y qÑ gα, ¤vQ Y6íò¹Ñ„øí α, B ÛbJ-íj¶_Ò H₁(U_1j), H₂(W_j
), H₃(tj) ú_Óœ6, w2 qT Ñ É½ T rapdoorα 6íŸb,Ì: H₁(U_1j): k Z_p∗ 2Óœ‘² aj, k {0, 1} 2‘² cj, Å— Pr{cj = 0} = _1+q1_T, à‹ cj = 0 †I hj = gβ· gaj_, à‹ c_j = 1 †I h_j = gaj_{, p}“ (U 1j, aj, cj, hj) ’ek H1-list 2 H₂(W_j
): k Z_p∗ 2Óœ‘² a
_j, _{k {0, 1} 2‘² c
j}, Å— Pr{c
j = 0} = _1+q1_T, à‹ c
j = 0 †I h
j = gβ· ga
j_, à‹ c
j = 1 †I h
j = ga
j_{, p}“ (W
j, a
j, c
j, h
j) ’ek H2-list 2 H₃(tj): k {0, 1}k 2Óœ‘² Vj, p“ (tj, Vj) k H₃-list 2 âk B .ø− α, 6 T rapdoorα(W ) = H₂(W )α _{í_Òj¶à-:} T rapdoorα(W ): k H2-list 2©v (Wj
= W, a
_j, c
_j, h
_j) 5’e, à c
_{j Ñ 0 †2i_Ò, à c
j} Ñ 1 † H2(W )α =
ga
j α = (gα₎a
j = Ya
j_, ÛU6 A êA¥
1-2 (, ʥ
1-3 2|³ ɽ¬˙ÆíL<s_Éœå W0 D W1, ƶ B ɽ H1 £ H2 6, )ƒ h0 = H1(gγ), H1-list 2 ú@í’eÑ (a0, c0), h
0 = H2(W0), h
1 = H2(W1), H₂-list2ú@í’eÑ (a
₀, c
₀) D (a
₁, c
₁), à‹ c₀ = 0 Cu c
0 = c
1 = 1 †T¢_Ò, ´†‘² b ∈ {0, 1}, U) c
b = 0, ÓœâÅ k íå2‘² J, I SCF-PEKS-1 òd S Ñ (gγ, J), f£#ÛU6 A, A ªW ¥
1-4 5ɽ, A |(| b
, ?¹ A wÑD S ú @5ÉœåÑ Wb
 Ê,H A íÛU¬˙2âk S íø¶Mu gγ, _{Ñ7U b}
kö£í b, Óœ6_
b° A B ýÛbɽ H3 6-s65ø: e(H1(gγ), X)γ · Game 1 - g, gα, gβ, gγ BDH½æ e(g, g)αβγ

B

g

,

Y

= g

α

-H

1

H

2

H

3

T rapdoor

_α 6 ? 6? 6? 6 ?

A

−„/Â, x∈RZ_p∗, X = gx  _W0, W₁ h0 = H₁(gγ), h₀ = H₂(W₀), h₁ = H₂(W₁), abort if c₀= 0 or c₀= c₁= 1 choose b∈ {0, 1} s.t. c_b=0, and J∈_R{0, 1}k -S= (gγ, J)  _b_{∈ {0, 1}} Çý. Game 1 2új BDH íƶ B 5º0 e(H₂(W₀), Y )γ_{Cu e(H1}(gγ), X)γ·e(H₂(W₁), Y )γ, ÄÑ B .ø− γ íbM, Ĥ B ̶â H3 -list 2òQvƒv°É½p“, É?ÔñËÊ H₃ -list 2‘²ø_ (t, ·), à‹ß‘ƒ, B ycqF ‘ƒí t ú@ƒ Wˆb, ˆb ∈R {0, 1}, ?¹ t = e(H₁(gγ), X)γ · e(H₂(W_ˆb), Y )γ, ¤vâ H1-list 2 ©v (U1j = gγ, aj, cj, hj), â H2-list2©v (Wi
=

W_ˆb, a
_i, c
_i, h
_i), † t = e(gaj_{, X})γ · e(gβ+a
_{i, g}α)γ

= e(gγ_{, X)}aj · e(g, g)α(β+a
_i)γ_, ªR) e(g, g)αβγ =

t/e(gα, gγ)ai
/e(gγ, X)aj B AŠËúj BDH ½æí

i‘à-: AdvGame1,CKAP EKS,B ≈ ·q_H31 ·12·

1 − 1 1+qT q_T · q_T 1+qT ·  1 −
1 − 1 1+qT ₂ ≈  · 1 q_H3 · 12 · 1e · 1+qq_TT · q_T 1+qT · q2 T+2qT q2 T+2qT+1 ≈  2·e·q_H3, w2 qH3 ÑÓœ6 H3 íɽŸb,Ì Game 2: ÇþÑúj BDH íƶ B 5º0, cqw2 ÛU6 A êr−„QY6, /.ªIíœ0  } < SCF-PEKS-1 òd, B ʦ)ø_ BDH ½æ <

g, gα, gβ, gγ >(, ÊÇû Game 2 ¥
2-1 2ø/

Âít X qÑ gα_{,¤v/Âíò¹Ñ„øí α,}

B ÛbJ Game 1 í„p2_Ò H₁(U_1j), H₂(W_j
), ¸ H3(tj) íj¶V_Ò H1, H2, H3 ú_Óœ6,

w2 qT ZÑ A ɽ T estα(·, ·) 6íŸb,Ì â k B .ø− α, 6 T estα(T w, S) í_Òj¶à-: T estα(T w, S): I S = (U1, U2), âk T w .â« à H2 VßÞ, Ä¤Ê H2-list2©v (Wj
, a
j, c
j, h
j) Å— e(h
j, Y) = e(T w, g), âkßÞ S v.â °vɽ H1 D H2 6, Ä¤Ê H1-list 2©v (U1i, ai, ci, hi) Å— U1i = U1, à‹ ci = 1, †ªú

H₃(e(H₁(U_1i)α, U₁) · e(T w, U₁)) = H₃(e(gaiα_{, U1}) ·

e(T w, U₁)) = H₃(e(Xai_{, U1}) · e(T w, U₁)) D U₂ ¹ Ñ T estα(T w, S), à‹ ci = 0 †T¢_Ò ÛU6 A êA¥
2-2 (, ʥ
2-3 2| L<s_Éœå W0 D W1, ƶ B ɽ H1 £ H₂ 6, )ƒ h₀ = H₁(gγ), H₁-list2ú@í’eÑ (a0, c0), h
0 = H2(W0), h
1 = H2(W1), H2-list 2ú @í (a
₀, c
₀) D (a
₁, c
₁), à‹ c₀ = 1 Cu c
₀ = c
₁ = 0 †T¢_Ò, ´†‘² b ∈ {0, 1}, U) c
b = 1, Óœ âÅ k íå2‘² J, I SCF-PEKS-1 òd S Ñ (gγ_{, J) 1f£# A, A ªW¥
2-4 5ɽ, A |(} | b
_{,?¹ A wÑD S ú@5ÉœåÑ Wb
 Ê,H}

AíÛU¬˙2âk S íø¶Mu gγ,Ñ7U b


kö£í b, Óœ6_
b° A BýÛbɽ H3  6-s65ø: e(H1(gγ), X)γ · e(H2(W0), Y )γ C u e(H1(gγ), X)γ· e(H2(W1), Y )γ, ÄÑ B .ø− γ íbM, Ĥ B ̶â H3-list2òQvƒv°É½p “, É?ÔñËÊ H3-list 2‘²ø_ (t, ·), à‹ß ‘ƒ, B ycqF‘ƒí t ú@ƒ Wˆb, ˆb ∈R {0, 1}, ?¹ t = e(H1(gγ), X)γ · e(H2(Wˆb), Y )γ, ¤vâ H₁-list 2©v (U_1j = gγ, aj, cj, hj), â H2-list 2 ©v (W
i = Wˆb, a
i, c
i, h
i), † t = e(gβ+aj, gα)γ ·

e(ga
i_{, Y})γ = e(g, g)α(β+aj)γ · e(gγ_{, Y})a
i_, ªR)

e(g, g)αβγ = t/e(gα, gγ)aj_/e(gγ_{, Y})a
i B AŠËú

j BDH ½æíi‘à-: Adv_{SCF −P EKS−1,B}Game2,CT CT A ≈  ·

1 q_H3 · 12 ·
1 − 1 1+qT q_T · 1 1+qT ·  1 −
1 1+qT ₂ ≈  · _q1 H3 · 1 2 · 1e · 1+qq_TT · 1+q1T · q2 T+2qT q2 T+2qT+1 ≈  2·e·q_H3·qT, w2 qH3 ÑÓœ6 H3 íɽŸb,Ì Game 2 - g, gα, gβ, gγ BDH½æ e(g, g)αβγ

B

g

,

X

= g

α

-H

1

H

2

H

3

T est

_α

(·, ·)

6 ? 6? 6? 6 ?

A

−„QY6, y ∈RZ_p∗, Y = gy  _W0, W₁ h0 = H₁(gγ), h₀ = H₂(W₀), h₁ = H₂(W₁), abort if c₀= 1 or c₀= c₁= 0 choose b∈ {0, 1} s.t. c_b=1, and J∈_R{0, 1}k -S= (gγ, J)  _b_{∈ {0, 1}} Çþ. Game 2 2új BDH íƶ B 5º0 ø_Í$Å— Game 1 íér4[ý: à‹ÛU 6³¦)QY6«àòFlíÉœå˙Æ, Fÿ ø−/Âíò x, 6³Ÿ¶ªúòdDÉœå, ª7½©c_’eé³Þí’e; ø_Í$Å— Game 2íér4†[ý: à‹ÛU6³/Âíò x, ÿ ø−QY6íò y, 6³Ÿ¶òQªúòdDÉ œå, ª7½©c_’eé ý ! ý ! ý ! …d3b‹# Baek .Ûbér−cq É œåª½©ítÇÀ‹òÍ$íér4ì2, U)é r_
2íÛU6ªJªW_@í “òd-Éœå˙ Æ ¿t” ɽ, N| Baek í SCF-PEKS Í$Ê„ p¤#“íérì2ví˚Ø, T|ø_^Z¬íÍ$ SCF-PEKS-1, 1/}pÊÓœ6_
-ªJÅ—# “íér4ì2 óœ5-, Ÿ… Boneh í PEKS ÿ «à SSL CuwFò{œ„VõTér−, ér Ëf£Éœå˙Æ, ¥šäíÍ$EÍ̶ŗ…d2 Game 2íér4, ÄÑÛU6Ébêr−„QY6, F ÿªJAWªúòdDÉœå Ê@àµÞ,Vz, … dFT|í SCF-PEKS-1 Í$¸ Boneh õTér −f£Éœå˙Æí PEKS ø<Ïæ, ‡6í@à 2QY6³/Â6íu, ̶AW½©, (6†

ª, ĤÛbeõÒ@à7F¦Ÿ 7 Baek í

SCF-PEKS ¸…dí SCF-PEKS-1 †u˘k°šé
í@

à, …dT|í SCF-PEKS-1 Í$xœ7íér4 þ _á þ _á þ _á …dóÉû˝wP2MÚ]û˝F (lå) U:TL-98-1501) £W\ÍÅ } (lå)U:NSC 97-2221-E-019-014) %‘^Œ, )Jß‚êA, Ô¤_á ÿ ¡ 5 d .

[1] J. Baek, R. Safavi-Naini, and W. Susilo, “Public key encryption with keyword search revisited”, in Proc. of 2008 International Conference on Computational Science and its Applications,

ICCSA 2008, LNCS 5072, pp.1249–1259, 2008.

[2] M. Bellare and P. Rogaway, “Random oracles are practical: A paradigm for designing efficient protocols”, in Proc. of the 1st ACM conference on Computer and Communications Security,

CCS 1993, pp.62–73, 1993.

[3] D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano, “Public key encryption with keyword search”, in Proc. of

Advances in Cryptology - Eurocrypt 2004, LNCS 3027, pp.506–

522, 2004.

[4] B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan, “Private information retrieval”, in Proc. of the 36th annual symposium on Foundations of Computer Science, FOCS 1995, pp.41–50, 1995.

[5] R. Curtmola, J. Garay, S. Kamara, and R. Ostrovsky, “Search-able symmetric encryption: improved definitions and efficient constructions”, in Proc. of the 13th ACM conference on Computer and Communications Security, CCS 2006, pp.79–88, 2006.

[6] G. Di Crescenzo, T. Malkin, and R. Ostrovsky, “Single-database private information retrieval implies oblivious transfer”, in Proc. of Advances in Cryptology - Eurocrypt 2000, LNCS 1807, pp.122–138, 2000.

[7] W. Du and M. J. Atallah, “Secure multi-party computation proglems and their applications: a review and open problems”, in Proc. of New Security Paradigms Workshop, pp.11–20, 2001. [8] A. Joux, “A one round protocol for tripartite Diffie-Hellman”, in Proc. of the 2000 Algorithmic Number Theory Symposium,

ANTS 2000, LNCS 1838, pp.385–394, 2000.

[9] Y. Lindell and B. Pinkas, “Privacy preserving data mining”, in Proc. of Advances in Cryptology - Crypto 2000, LNCS 1880, pp.36–54, 2000.

[10] D. Song, D. Wagner, and A. Perrig, “Practical techniques for searches on encrypted data”, in Proc. of the 2000 IEEE symposium on Security and Privacy, S&P 2000, pp.44–55, 2000.