Conjunctive Keywords Searchable Encryption with Efficient Pairing, Constant Ciphertext and Short Trapdoor

Zhenhua Chen1, Chunying Wu1, Daoshun Wang2, and Shundong Li1

1 School of Computer Science, Shaanxi Normal University
[email protected]
2 Department of Computer Science and Technology, Tsinghua University
Abstract. A conjunctive keyword searchable encryption scheme makes it possible to search encrypted data for several keywords at once. In this paper we present a conjunctive keyword searchable encryption scheme with a constant number of pairings, constant-size ciphertext and short trapdoor in the standard model. We propose two concrete constructions and give their security analysis: the first is built in composite order groups and the second in prime order groups. In the standard model, our schemes achieve higher computational efficiency and shorter ciphertexts and trapdoors than earlier schemes, which makes them suitable for multiple-keyword search and filtering applications such as email filtering, firewalls and copyright protection.

Keywords: Public key encryption with keyword search, Full security, Conjunctive keywords, Trapdoor.
1 Introduction
The concept of public key encryption with keyword search (PEKS) was first introduced by Boneh et al. [6]. Suppose that Bob wants to send Alice an encrypted email $m$ in such a way that it is indexed by some searchable keywords $x_1, x_2, \ldots, x_\ell \in \mathbb{Z}_N$. Bob then sends a message of the form
$$\mathrm{Enc}(m)\,\|\,\mathrm{Peks}(x_1)\,\|\,\ldots\,\|\,\mathrm{Peks}(x_\ell),$$
where Enc is a regular asymmetric encryption function and Peks is a searchable encryption function. The receiver Alice can create a trapdoor with her secret key to search the emails sent to her for a series of specific keywords $e_1, \ldots, e_\ell$. The email server can test whether the searchable encryption ciphertext $Ct_{\vec{x}}$ and the trapdoor $Tw_{\vec{e}}$ contain the same keywords, and forward the encrypted mail if this is the case. Meanwhile, the email server learns nothing about the keywords themselves from running the test algorithm. In practice, the system will be used over many rounds, and in the current model of PEKS a server that has received the trapdoor for a keyword $e$ can store the trapdoor and use it to recognise all future emails in that category. Recent improvements and extensions of this scheme are given in [4, 5, 11, 13, 15, 17, 18]. Abdalla et al. [1] and Baek et al. [3] each revisited searchable encryption. In a PEKS scheme, any third party can test whether or not a searchable encryption ciphertext and a trapdoor contain the same keywords without learning the keywords themselves; this property is called keyword-testability. It is easy to see that a PEKS scheme that simply combines public key encryption with searchable encryption is not secure against chosen-ciphertext attacks. Rhee et al. [12] and Jeong et al. [10] proposed different schemes secure against keyword guessing attacks. Baek et al. [2] proposed a secure scheme supporting both keyword-testability and data-recoverability, and later Zhang et al. [16] presented a generic scheme providing data-recoverability and keyword-testability. A limitation common to all of the above schemes is that they only allow the server to identify the subset of documents that match a certain keyword, but do not allow boolean combinations of such queries. Yet boolean combinations of queries are essential for effective use of a document repository, since simple keyword search often yields far too coarse results. For example, rather than retrieving all emails from Alice, a user might only want those emails from Alice that are marked art and pertain to finance, in which case what is needed is the ability to search on the conjunction of the keywords Alice, art and finance. Conjunctive keyword search on encrypted data has been studied by numerous researchers over the past few years, and all existing schemes use keyword fields as compulsory information. Keyword (single or conjunctive) search over encrypted data in the single-user setting was studied by Boneh et al. [7] and Golle et al. [8]; schemes for the multi-user setting were proposed by Hwang et al. [9] and Wang et al. [14].

M. Chau et al. (Eds.): PAISI 2012, LNCS 7299, pp. 176–189, 2012. © Springer-Verlag Berlin Heidelberg 2012
In this paper, we propose a new conjunctive public key encryption with keyword search (CPEKS for short) scheme based on bilinear pairings which achieves constant-size ciphertext and short trapdoor. We give two concrete constructions. Both have constant-size ciphertexts and short trapdoors, so our CPEKS scheme is more efficient than the schemes discussed above. The scheme is computationally consistent and practical. Furthermore, we discuss the notion and the security model for CPEKS. The CPEKS scheme is proved secure under the cBDH assumption and the c3DH assumption in the standard model. The remainder of this paper is organized as follows. Section 2 gives the syntax of CPEKS, the security model and the mathematical assumptions. Section 3 presents a scheme in composite order groups for conjunctive keyword searchable encryption with efficient pairing, constant ciphertext and short trapdoor, and Section 4 a scheme in prime order groups. Section 5 gives the security analysis and Section 6 concludes.
2 Syntax and Preliminaries

2.1 Syntax for CPEKS
Let $\Sigma$ be a finite set of keyword values. The conjunctive keyword vectors are $\vec{e} = (e_1, \ldots, e_\ell)$ and $\vec{x} = (x_1, \ldots, x_\ell) \in \Sigma^\ell$, where $\ell$ is the number of keywords used in the encryption and in the trapdoor. A public key encryption with conjunctive keyword search (CPEKS) scheme is comprised of four algorithms (Setup, Peks, Trapdoor, Test), formally defined as follows.

– Setup($1^\lambda$): takes as input a security parameter $\lambda$ and generates the public parameters $params$ and the master key $msk$.
– Peks($params$, $\vec{x}$): takes as input the public parameters $params$ and a keyword vector $\vec{x} = (x_1, \ldots, x_\ell)$, and outputs a ciphertext $Ct_{\vec{x}}$.
– Trapdoor($params$, $msk$, $\vec{e}$): takes as input the public parameters $params$, the master key $msk$ and a keyword vector $\vec{e} = (e_1, \ldots, e_\ell)$, and outputs the trapdoor $Tw_{\vec{e}}$ for $\vec{e}$.
– Test($params$, $Ct_{\vec{x}}$, $Tw_{\vec{e}}$): takes as input a ciphertext $Ct_{\vec{x}}$, a trapdoor $Tw_{\vec{e}}$ and the public parameters $params$, and outputs 1 if the test succeeds and 0 otherwise.

Consistency. The scheme should satisfy the following: for all $\vec{x}, \vec{e} \in \Sigma^\ell$, with $(params, msk) \leftarrow \mathrm{Setup}(1^\lambda)$, $Ct_{\vec{x}} \leftarrow \mathrm{Peks}(params, \vec{x})$ and $Tw_{\vec{e}} \leftarrow \mathrm{Trapdoor}(params, msk, \vec{e})$,
$$\mathrm{Test}(params, Ct_{\vec{x}}, Tw_{\vec{e}}) = 1 \ \text{iff}\ \vec{x} = \vec{e}, \qquad \mathrm{Test}(params, Ct_{\vec{x}}, Tw_{\vec{e}}) = 0 \ \text{iff}\ \vec{x} \neq \vec{e}.$$

Security Model. We define the security notion as indistinguishability against chosen keyword attacks (IND-CPEKS-CKA). Formally, security is defined using the following game between an attacker $\mathcal{A}$ and a challenger $\mathcal{B}$.

Init. $\mathcal{A}$ commits to two keyword vectors $\vec{x}_0, \vec{x}_1 \in \Sigma^\ell$.

Setup. $\mathcal{B}$ runs the Setup algorithm to generate the system parameters $params$ and the master key $msk$, keeps $msk$ secret and sends $params$ to $\mathcal{A}$.

Phase 1. $\mathcal{A}$ makes a bounded number of trapdoor extraction queries for vectors $\vec{e}_1, \ldots, \vec{e}_{q_1}$ with the restriction that $\vec{e}_i \neq \vec{x}_0$ and $\vec{e}_i \neq \vec{x}_1$. $\mathcal{B}$ returns the trapdoor $Tw_{\vec{e}_i}$ to $\mathcal{A}$.

Challenge. Once $\mathcal{A}$ decides that Phase 1 is over, $\mathcal{B}$ flips a random coin $\zeta \in \{0, 1\}$, computes $Ct_{\vec{x}_\zeta} \leftarrow \mathrm{Peks}(params, \vec{x}_\zeta)$ and sends $Ct_{\vec{x}_\zeta}$ to $\mathcal{A}$.

Phase 2. $\mathcal{A}$ may continue to issue trapdoor queries as in Phase 1 for $i = q_1 + 1, \ldots, q_s$, under the same restriction.

Guess. $\mathcal{A}$ outputs a guess $\zeta'$ and wins the game if $\zeta' = \zeta$. The advantage of $\mathcal{A}$ in the IND-CPEKS-CKA game is defined as $|\Pr[\zeta' = \zeta] - \tfrac{1}{2}|$, where the probability is taken over the random bits used by the challenger and the attacker.

Definition 1. A public key encryption with conjunctive keyword search scheme (CPEKS) is selectively secure if every polynomial-time attacker has at most a negligible advantage in the IND-CPEKS-CKA game.

We construct two CPEKS schemes. The first is presented in composite order groups and the second in prime order groups. We give the detailed constructions and their security analysis in Section 3 and Section 4, respectively.

2.2 Admissible Bilinear Maps in Composite Order Groups

Let be the set of keywords involving...

Let $G = \langle g \rangle$ and $G_t$ be two cyclic multiplicative groups of composite order $n = pqr$, i.e. $|G| = |G_t| = n$. Let $\hat e : G \times G \to G_t$ be an admissible bilinear map, i.e. for all $u, v \in G$ and $a, b \in \mathbb{Z}_n$ it holds that
$$\hat e(u^a, v^b) = \hat e(u^b, v^a) = \hat e(u, v^b)^a = \hat e(u, v)^{ab},$$
and $\hat e$ is non-degenerate, i.e. $\hat e(g, g) \neq 1_{G_t}$. We also assume that factoring $n$ into $p, q, r$ is hard. Let $G_p$, $G_q$ and $G_r$ denote the subgroups of $G$ of order $p$, $q$ and $r$, and $G_{t,p}$, $G_{t,q}$ and $G_{t,r}$ the corresponding subgroups of $G_t$. Then $G = G_p \times G_q \times G_r$ and $G_t = G_{t,p} \times G_{t,q} \times G_{t,r}$.

Lemma 1 (Orthogonality of composite order subgroups). Let $g, g_p, g_q, g_r$ be generators of $G, G_p, G_q, G_r$. Then $g^{pq}$ generates $G_r$, $g^{pr}$ generates $G_q$ and $g^{qr}$ generates $G_p$. In particular, for all $h_p \in G_p$, $h_q \in G_q$ and $h_r \in G_r$ with $h_p = g_p^\alpha$, $h_q = g_q^\beta$, $h_r = g_r^\gamma$ for some $\alpha, \beta, \gamma \in \mathbb{Z}_n$, taking $g_p = g^{qr}$ and $g_q = g^{pr}$ we have
$$\hat e(h_p, h_q) = \hat e\big((g^{qr})^\alpha, (g^{pr})^\beta\big) = \hat e(g^{\alpha}, g^{r\beta})^{pqr} = 1_{G_t},$$
and likewise for the other pairs of distinct subgroups.

2.3 Mathematical Assumptions
cBDH assumption. For a composite order group generator $\mathcal{G}$, let $P(\lambda)$ be the following distribution:
$$\begin{array}{l}
(n = pqr, G, G_t, \hat e) \xleftarrow{\$} \mathcal{G}(\lambda) \\
g_p \xleftarrow{\$} G_p,\quad g_q \xleftarrow{\$} G_q,\quad g_r \xleftarrow{\$} G_r,\quad a, b, c \xleftarrow{\$} \mathbb{Z}_n \\
\Theta \leftarrow (g_q, g_r, g_p^a, g_p^b, g_p^c;\ n, G, G_t, \hat e) \\
T_1 \leftarrow \hat e(g_p, g_p)^{abc},\quad T_2 \xleftarrow{\$} G_{t,p},\quad \zeta \xleftarrow{\$} \{0, 1\} \\
T \leftarrow T_1 \ \text{if}\ \zeta = 1,\ \text{and}\ T \leftarrow T_2 \ \text{otherwise}
\end{array}$$
We call $(\Theta, T)$ the challenge pair of the cBDH problem, where $\Theta \xleftarrow{\$} P(\lambda)$. Given the challenge pair, the adversary $\mathcal{A}$ outputs $\zeta'$ and succeeds if $\zeta' = \zeta$. The advantage of $\mathcal{A}$ in solving the cBDH problem in groups generated by $\mathcal{G}$ is
$$Adv^{cBDH}_{\mathcal{G},\mathcal{A}}(\lambda) := \big|\Pr[\mathcal{A}(\Theta, T_1) = 0] - \Pr[\mathcal{A}(\Theta, T_2) = 0]\big|.$$

Definition 2. The cBDH assumption holds for $\mathcal{G}$ if the advantage $Adv^{cBDH}_{\mathcal{G},\mathcal{A}}(\lambda)$ is negligible for every probabilistic polynomial-time $\mathcal{A}$.

c3DH assumption. For a composite order group generator $\mathcal{G}$, the c3DH problem is stated as follows:
$$\begin{array}{l}
(n = pqr, G, G_t, \hat e) \xleftarrow{\$} \mathcal{G}(\lambda) \\
g_p \xleftarrow{\$} G_p,\quad g_q \xleftarrow{\$} G_q,\quad g_r, R_1, R_2, R_3 \xleftarrow{\$} G_r,\quad a, b, c \xleftarrow{\$} \mathbb{Z}_n \\
\Theta \leftarrow (g_q, g_r, g_p^a, g_p^b, g_p^{ab} R_1, g_p^{abc} R_2;\ n, G, G_t, \hat e) \\
T_1 \leftarrow g_p^c R_3,\quad T_2 \xleftarrow{\$} G_{pq},\quad \zeta \xleftarrow{\$} \{0, 1\} \\
T \leftarrow T_1 \ \text{if}\ \zeta = 1,\ \text{and}\ T \leftarrow T_2 \ \text{otherwise}
\end{array}$$
We call $(\Theta, T)$ the challenge pair of the c3DH problem, where $\Theta \xleftarrow{\$} P(\lambda)$. Given the challenge pair, the adversary $\mathcal{A}$ outputs $\zeta'$ and succeeds if $\zeta' = \zeta$. The advantage of $\mathcal{A}$ in solving the c3DH problem in groups generated by $\mathcal{G}$ is
$$Adv^{c3DH}_{\mathcal{G},\mathcal{A}}(\lambda) := \big|\Pr[\mathcal{A}(\Theta, T_1) = 0] - \Pr[\mathcal{A}(\Theta, T_2) = 0]\big|.$$

Definition 3. The c3DH assumption holds for $\mathcal{G}$ if the advantage $Adv^{c3DH}_{\mathcal{G},\mathcal{A}}(\lambda)$ is negligible for every probabilistic polynomial-time $\mathcal{A}$.
3 Construction in Composite Order Groups

In this section, we construct a PEKS scheme with conjunctive keyword search without random oracles.

3.1 Our Construction

Let $\Sigma = \mathbb{Z}_n$ be the keyword space. Our scheme is described as follows.
Setup($1^\lambda$). This algorithm first generates a bilinear group $G$ of composite order $n = pqr$, where $p, q, r$ are random primes of bit size $\Theta(\lambda)$, together with generators $g_q$ of $G_q$ and $g_r$ of $G_r$. In this section $g$ denotes a generator of the subgroup $G_p$: the component $g^\alpha$ of the trapdoor must lie in $G_p$, so that the $G_q$ and $G_r$ blinding factors cancel in Test by Lemma 1. The algorithm picks $\alpha \in \mathbb{Z}_p$ and $v, w_1, w_2, (u_1, h_1), \ldots, (u_\ell, h_\ell) \in G_p$ at random. It also picks random elements $R_v, R_{w,1}, R_{w,2}, (R_{u,1}, R_{h,1}), \ldots, (R_{u,\ell}, R_{h,\ell}) \in G_q$ and computes
$$V = v R_v,\qquad W_1 = w_1 R_{w,1},\qquad W_2 = w_2 R_{w,2},$$
and, for $i = 1, \ldots, \ell$,
$$U_i = u_i R_{u,i},\qquad H_i = h_i R_{h,i},\qquad E = \hat e(v, g)^\alpha.$$
Finally, it keeps the master secret key $msk = (\alpha, v, w_1, w_2, (u_1, h_1), \ldots, (u_\ell, h_\ell))$ and publishes the public parameters
$$params = [g_q, g_r, V, W_1, W_2, (U_i, H_i)|_{i=1}^{\ell}, E].$$

Peks($params$, $\vec{x}$). To generate the ciphertext for the keyword vector $\vec{x} = (x_1, \ldots, x_\ell) \in \Sigma^\ell$, this algorithm picks $s \in \mathbb{Z}_n$ and $Z_1, Z_2, Z_3, Z_4 \in G_q$ at random and outputs the ciphertext
$$Ct_{\vec{x}} = \Big( C_0 = E^s,\quad C_1 = V^s Z_1,\quad C_2 = W_1^s Z_2,\quad C_3 = W_2^s Z_3,\quad C_4 = \big(\prod_{i=1}^{\ell} H_i U_i^{x_i}\big)^s Z_4 \Big).$$

Trapdoor($params$, $msk$, $\vec{e}$). To get a trapdoor for the keyword vector $\vec{e} = (e_1, \ldots, e_\ell) \in \Sigma^\ell$, this algorithm takes as input the master secret key $msk$, the public parameters $params$ and $\vec{e}$, picks $r_1, r_2, r_3 \in \mathbb{Z}_n$ and $Y_1, Y_2, Y_3, Y_4 \in G_r$ at random, and outputs the trapdoor
$$Tw_{\vec{e}} = \Big( K_1 = g^\alpha w_1^{r_1} w_2^{r_2} \big(\prod_{i=1}^{\ell} h_i u_i^{e_i}\big)^{r_3} Y_1,\quad K_2 = v^{r_1} Y_2,\quad K_3 = v^{r_2} Y_3,\quad K_4 = v^{r_3} Y_4 \Big).$$

Test($params$, $Ct_{\vec{x}}$, $Tw_{\vec{e}}$). This algorithm takes as input the ciphertext $Ct_{\vec{x}}$, the trapdoor $Tw_{\vec{e}}$ and the public parameters $params$, and checks the equation
$$\hat e(C_1, K_1) = C_0 \prod_{i=2}^{4} \hat e(C_i, K_i).$$
If the equation holds it outputs 1 (success), otherwise 0 (failure). Note that Test uses nothing beyond $params$, so any party holding a ciphertext and a trapdoor can run it; this is the keyword-testability property discussed in Section 1.
3.2 Consistency

A conjunctive keyword search encryption scheme is computationally consistent if Test outputs 1 when the trapdoor keyword vector $\vec{e}$ equals the encryption keyword vector $\vec{x}$, and 0 otherwise. If $x_i = e_i$ for all $i$, then
$$\begin{aligned}
\hat e(C_1, K_1) &= \hat e\Big(V^s Z_1,\ g^\alpha w_1^{r_1} w_2^{r_2} \big(\prod_{i=1}^{\ell} h_i u_i^{e_i}\big)^{r_3} Y_1\Big) \\
&= \hat e\Big(v^s,\ g^\alpha w_1^{r_1} w_2^{r_2} \big(\prod_{i=1}^{\ell} h_i u_i^{e_i}\big)^{r_3}\Big) \\
&= \hat e(v^s, g^\alpha)\, \hat e(v^s, w_1^{r_1})\, \hat e(v^s, w_2^{r_2})\, \hat e\Big(v^s, \big(\prod_{i=1}^{\ell} h_i u_i^{e_i}\big)^{r_3}\Big) \\
&= \hat e(v, g)^{\alpha s}\, \hat e(v^{r_1}, w_1^s)\, \hat e(v^{r_2}, w_2^s)\, \hat e\Big(v^{r_3}, \big(\prod_{i=1}^{\ell} h_i u_i^{x_i}\big)^s\Big) \\
&= E^s\, \hat e(C_2, K_2)\, \hat e(C_3, K_3)\, \hat e(C_4, K_4) = \text{RHS},
\end{aligned}$$
where the second equality uses Lemma 1 (the $G_q$ factors $R_v^s$ and $Z_1$ and the $G_r$ factor $Y_1$ pair to $1_{G_t}$ with every $G_p$ element), and the last equality again drops the $G_q$ and $G_r$ blinding factors of $C_2, C_3, C_4$ and $K_2, K_3, K_4$. If $\vec{x} \neq \vec{e}$, the two sides differ by the factor $\hat e\big(v^{r_3 s}, \prod_i u_i^{e_i - x_i}\big)$, which equals $1_{G_t}$ only if $\sum_i (e_i - x_i) \log_g u_i \equiv 0 \pmod p$, an event of negligible probability over the random choice of the $u_i$; hence Test outputs 0 except with negligible probability.
4 Construction in Prime Order Groups

We construct a public key encryption with conjunctive keyword search scheme in prime order groups. We use Type-III asymmetric bilinear groups, for which there is no efficiently computable isomorphism between the two groups $G$ and $H$. In the composite order setting, the subgroups $G_q$ and $G_r$ were used to provide the anonymity of the encryption and to hide the correlation between two random values. In the prime order asymmetric setting, the non-existence of an efficiently computable isomorphism provides this anonymity. Let $G, H$ be multiplicative groups of prime order $p$ with generators $g, h$ respectively, and let $\hat e : G \times H \to G_t$ be an asymmetric bilinear map over the groups $G$, $H$ and $G_t$.
4.1 Construction

The proposed scheme in prime order groups is described as follows.

Setup($1^\lambda$). First produce the group description $(G, H, G_t, p, g, h, \hat e)$ using $\mathcal{G}$, where $g, h$ are generators of $G, H$ respectively. Randomly pick $\alpha, v, w_1, w_2, (u_1, h_1), \ldots, (u_\ell, h_\ell) \in \mathbb{Z}_p$ and compute
$$\hat v = g^{v},\quad \hat w_1 = g^{w_1},\quad \hat w_2 = g^{w_2},\quad \hat E = \hat e(\hat v, h)^\alpha,\qquad \hat u_i = g^{u_i},\ \hat h_i = g^{h_i}\ \text{ for } i = 1, \ldots, \ell.$$
Keep the master key
$$msk = [\alpha, v, h, w_1, w_2, (u_1, h_1), \ldots, (u_\ell, h_\ell)].$$
Publish the system parameters together with the group description (without the generator $h$ of $H$, which is part of $msk$):
$$params = [\hat v, \hat w_1, \hat w_2, \hat E, (\hat u_i, \hat h_i)|_{i=1}^{\ell}].$$
Peks($params$, $\vec{x}$). To generate the ciphertext for the keyword vector $\vec{x} = (x_1, \ldots, x_\ell) \in \Sigma^\ell$, pick $s \in \mathbb{Z}_p$ at random and output the ciphertext
$$Ct_{\vec{x}} = \Big( C_0 = \hat E^s,\quad C_1 = \hat v^s,\quad C_2 = \hat w_1^s,\quad C_3 = \hat w_2^s,\quad C_4 = \big(\prod_{i=1}^{\ell} \hat h_i \hat u_i^{x_i}\big)^s \Big).$$

Trapdoor($params$, $msk$, $\vec{e}$). To get a trapdoor for the keyword vector $\vec{e} = (e_1, \ldots, e_\ell) \in \Sigma^\ell$, this algorithm takes as input the master secret key $msk$, the public parameters $params$ and $\vec{e}$, picks $r_1, r_2, r_3 \in \mathbb{Z}_p$ at random, and outputs the trapdoor
$$Tw_{\vec{e}} = \Big( K_1 = h^{\alpha + r_1 w_1 + r_2 w_2 + r_3 \sum_{i=1}^{\ell}(h_i + u_i e_i)},\quad K_2 = h^{r_1 v},\quad K_3 = h^{r_2 v},\quad K_4 = h^{r_3 v} \Big).$$

Test($params$, $Ct_{\vec{x}}$, $Tw_{\vec{e}}$). This algorithm takes as input the ciphertext $Ct_{\vec{x}}$, the trapdoor $Tw_{\vec{e}}$ and the public parameters $params$, and checks the equation
$$\hat e(C_1, K_1) = C_0 \cdot \hat e(C_2, K_2)\, \hat e(C_3, K_3)\, \hat e(C_4, K_4).$$
If the equation holds it outputs 1 (success), otherwise 0 (failure).
4.2 Consistency

The correctness is shown as follows. If $x_i = e_i$ for all $i$, then
$$\begin{aligned}
\hat e(C_1, K_1) &= \hat e\big(\hat v^s,\ h^{\alpha + r_1 w_1 + r_2 w_2 + r_3 \sum_{i=1}^{\ell}(h_i + u_i e_i)}\big) \\
&= \hat e(\hat v^s, h^\alpha)\, \hat e(\hat v^s, h^{r_1 w_1})\, \hat e(\hat v^s, h^{r_2 w_2})\, \hat e\big(\hat v^s, h^{r_3 \sum_{i=1}^{\ell}(h_i + u_i e_i)}\big) \\
&= \hat e(\hat v, h)^{\alpha s}\, \hat e(g^{vs}, h^{r_1 w_1})\, \hat e(g^{vs}, h^{r_2 w_2})\, \hat e\big(g^{vs}, h^{r_3 \sum_{i=1}^{\ell}(h_i + u_i e_i)}\big) \\
&= \hat E^s\, \hat e(g^{w_1 s}, h^{r_1 v})\, \hat e(g^{w_2 s}, h^{r_2 v})\, \hat e\big(g^{s \sum_{i=1}^{\ell}(h_i + u_i e_i)}, h^{r_3 v}\big) \\
&= \hat E^s\, \hat e(C_2, K_2)\, \hat e(C_3, K_3)\, \hat e\Big(\big(\prod_{i=1}^{\ell} g^{h_i} (g^{u_i})^{x_i}\big)^s, K_4\Big) \\
&= \hat E^s\, \hat e(C_2, K_2)\, \hat e(C_3, K_3)\, \hat e(C_4, K_4) = \text{RHS}.
\end{aligned}$$
5 Security Analysis

In this section we prove the security of the proposed schemes. We give the proof mainly for the first scheme, since the two schemes have a similar ciphertext structure.
To understand our construction it is useful to examine the role of each of the subgroups $G_p$, $G_q$, $G_r$. The $G_p$ subgroup carries the keyword vectors, $\vec{x}$ in the ciphertext $Ct_{\vec{x}}$ and $\vec{e}$ in the trapdoor $Tw_{\vec{e}}$. When the trapdoor keywords $\vec{e}$ match the encrypted keywords $\vec{x}$, the Test equation holds in $G_{t,p}$; otherwise its two sides differ by a random element of $G_{t,p}$. The $G_q$ subgroup blinds the ciphertext components, which prevents an attacker from manipulating components of $Ct_{\vec{x}}$ and then evaluating a query on the improperly formed inputs. The $G_r$ subgroup blinds the trapdoor key so that it cannot be evaluated in $G_p$ directly. We prove the security of the proposed scheme by a hybrid argument over the following sequence of games:

– $\Gamma_0$: $Ct_{\vec{x}} = [C_0, C_1, C_2, C_3, C_4]$;
– $\Gamma_1$: $Ct_{\vec{x}} = [R_0, C_1, C_2, C_3, C_4]$;
– $\Gamma_2$: $Ct_{\vec{x}} = [R_0, R_1, C_2, C_3, C_4]$;
– $\Gamma_3$: $Ct_{\vec{x}} = [R_0, R_1, R_2, C_3, C_4]$;
– $\Gamma_4$: $Ct_{\vec{x}} = [R_0, R_1, R_2, R_3, C_4]$;
– $\Gamma_5$: $Ct_{\vec{x}} = [R_0, R_1, R_2, R_3, R_4]$;

where $R_0 \in G_t$ and $R_1, R_2, R_3, R_4 \in G$ are picked at random, i.e. $\Gamma_i$ replaces the component $C_{i-1}$ of $\Gamma_{i-1}$ by $R_{i-1}$. The first game $\Gamma_0$ is the real selective security game, and in $\Gamma_5$ all components are random with the same structure. We show that if the cBDH assumption and the c3DH assumption hold, no algorithm can distinguish $\Gamma_i$ from $\Gamma_{i+1}$ ($i = 0, \ldots, 4$). Since in $\Gamma_5$ all five components are random elements of $G_t$ or $G$, the real ciphertext of $\Gamma_0$ is indistinguishable from random group elements. The detailed proofs of indistinguishability between $\Gamma_i$ and $\Gamma_{i+1}$ ($i = 0, \ldots, 4$) are given in Lemmas 2, 3, 4, 5 and 6.

Lemma 2. If an attacker can distinguish $\Gamma_0$ and $\Gamma_1$ with advantage $\epsilon_1$ in time $t_1$ after at most $q_1$ trapdoor queries, then there exists an algorithm that solves the cBDH problem with advantage $\epsilon_1$ in time $\Theta(t_1)$.

Proof. Assume there exists an attacker $\mathcal{A}$ with non-negligible advantage $\epsilon_1$ in distinguishing $\Gamma_0$ and $\Gamma_1$. We construct an algorithm $\mathcal{B}$ that solves the cBDH problem using $\mathcal{A}$ as a subroutine. $\mathcal{B}$ is given $\Theta \leftarrow (g_q, g_r, g_p^a, g_p^b, g_p^c;\ n, G, G_t, \hat e)$ and $T$, where either $T = \hat e(g_p, g_p)^{abc}$ or $T \xleftarrow{\$} G_{t,p}$.

First, $\mathcal{A}$ commits to two keyword vectors $\vec{x}_0, \vec{x}_1 \in \Sigma^\ell$, and $\mathcal{B}$ flips a random coin $\zeta \xleftarrow{\$} \{0, 1\}$. $\mathcal{B}$ picks $R_v, R_{w,1}, R_{w,2}, (R_{u,1}, R_{h,1}), \ldots, (R_{u,\ell}, R_{h,\ell}) \xleftarrow{\$} G_q^{2\ell+3}$ and $\tilde v, \tilde w_1, \tilde w_2, (\tilde u_1, \tilde h_1), \ldots, (\tilde u_\ell, \tilde h_\ell) \xleftarrow{\$} \mathbb{Z}_n^{2\ell+3}$, and sets the public parameters as
$$\begin{array}{l}
(n = pqr, G, G_t, \hat e), \\
V = g_p^{\tilde v} R_v,\quad W_1 = g_p^{\tilde w_1} R_{w,1},\quad W_2 = g_p^{\tilde w_2} R_{w,2},\quad E = \hat e(g_p^a, g_p^b)^{\tilde v}, \\
\big(U_i = g_p^{a \tilde u_i} R_{u,i},\quad H_i = g_p^{\tilde h_i} (g_p^a)^{-\tilde u_i x_{\zeta,i}} R_{h,i}\big)\big|_{i=1}^{\ell}.
\end{array}$$
This implicitly sets $g = g_p^b$, $\alpha = a$ and $v = g_p^{\tilde v}$, so that $E = \hat e(v, g)^\alpha$ as in the real scheme.
Query answering. $\mathcal{B}$ answers $\mathcal{A}$'s adaptive trapdoor requests for conjunctive keyword vectors $\vec{e} = (e_1, \ldots, e_\ell) \in \Sigma^\ell$, recording each query in a list $L = (\vec{e}, Tw)$, as follows.
- If the keyword vector $\vec{e}$ is already stored in $L$, $\mathcal{B}$ returns the corresponding $Tw$ to $\mathcal{A}$.
- If $\vec{e} = \vec{x}_0$ or $\vec{e} = \vec{x}_1$, $\mathcal{B}$ simply aborts.
- Otherwise there exists at least one index $j$ with $e_j \neq x_{\zeta,j}$. $\mathcal{B}$ first computes $\vartheta = \sum_{j=1}^{\ell} \tilde u_j (e_j - x_{\zeta,j})$, which is nonzero modulo $p$ except with negligible probability, so that $b/\vartheta$ is well defined in the exponent of $g_p$. $\mathcal{B}$ picks $\tilde r_1, \tilde r_2, \tilde r_3 \in \mathbb{Z}_n$ and $Y_1, Y_2, Y_3, Y_4 \in G_r$ at random and answers the trapdoor query $Tw_{\vec{e}}$ with
$$\begin{array}{l}
K_1 = g_p^{\tilde r_1 \tilde w_1 + \tilde r_2 \tilde w_2}\, (g_p^b)^{-\sum_{i=1}^{\ell} \tilde h_i / \vartheta}\, \Big(\prod_{i=1}^{\ell} (g_p^a)^{\tilde u_i (e_i - x_{\zeta,i})} g_p^{\tilde h_i}\Big)^{\tilde r_3} Y_1, \\
K_2 = g_p^{\tilde r_1 \tilde v} Y_2,\qquad K_3 = g_p^{\tilde r_2 \tilde v} Y_3,\qquad K_4 = g_p^{\tilde r_3 \tilde v} (g_p^b)^{-\tilde v / \vartheta} Y_4.
\end{array}$$
It is easy to see that this output has the same distribution as a real trapdoor produced by the Trapdoor algorithm. $K_2$ and $K_3$ have exactly the structure of the actual key, so we only consider the components $K_1$ and $K_4$:
$$\begin{aligned}
K_1 &= g_p^{\tilde r_1 \tilde w_1 + \tilde r_2 \tilde w_2}\, (g_p^b)^{-\sum_{i=1}^{\ell} \tilde h_i / \vartheta}\, \Big(\prod_{i=1}^{\ell} (g_p^a)^{\tilde u_i (e_i - x_{\zeta,i})} g_p^{\tilde h_i}\Big)^{\tilde r_3} Y_1 \\
&= g_p^{ab}\, (g_p^{\tilde w_1})^{\tilde r_1}\, (g_p^{\tilde w_2})^{\tilde r_2}\, \Big(\prod_{i=1}^{\ell} g_p^{\tilde h_i} (g_p^a)^{\tilde u_i (e_i - x_{\zeta,i})}\Big)^{\tilde r_3 - \frac{b}{\vartheta}} Y_1, \\
K_4 &= g_p^{\tilde r_3 \tilde v} (g_p^b)^{-\tilde v / \vartheta} Y_4 = g_p^{\tilde v (\tilde r_3 - \frac{b}{\vartheta})} Y_4,
\end{aligned}$$
where the second line for $K_1$ uses $\prod_{i} g_p^{\tilde h_i} (g_p^a)^{\tilde u_i (e_i - x_{\zeta,i})} = g_p^{\sum_i \tilde h_i + a\vartheta}$, so that raising this product to $-b/\vartheta$ contributes exactly $(g_p^b)^{-\sum_i \tilde h_i / \vartheta} g_p^{-ab}$. Since we model $g_p^b$ as $g$ and $a$ as the master key $\alpha$, and $V = g_p^{\tilde v}$, $W_1 = g_p^{\tilde w_1}$, $W_2 = g_p^{\tilde w_2}$ are the parameters with their $G_q$ blinding factors removed, this is a real trapdoor whose randomness $r_1, r_2, r_3$ is derived from $\tilde r_1, \tilde r_2, \tilde r_3$ by
$$\begin{pmatrix} r_1 \\ r_2 \\ r_3 \end{pmatrix} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & -\frac{b}{\vartheta} \end{pmatrix} \begin{pmatrix} \tilde r_1 \\ \tilde r_2 \\ \tilde r_3 \\ 1 \end{pmatrix} \bmod n,$$
which is uniformly distributed in $\mathbb{Z}_n^3$ because $\tilde r_1, \tilde r_2, \tilde r_3$ are.

After $\mathcal{A}$ has finished its trapdoor queries, $\mathcal{B}$ picks $Z_1, Z_2, Z_3, Z_4 \xleftarrow{\$} G_q$ and produces the challenge ciphertext $Ct_{\vec{x}_\zeta}$ as
$$C_0 = T^{\tilde v},\quad C_1 = (g_p^c)^{\tilde v} Z_1,\quad C_2 = (g_p^c)^{\tilde w_1} Z_2,\quad C_3 = (g_p^c)^{\tilde w_2} Z_3,\quad C_4 = \prod_{i=1}^{\ell} (g_p^c)^{\tilde h_i}\, Z_4,$$
which implicitly sets $s = c$: the $G_p$ part of $\prod_i H_i U_i^{x_{\zeta,i}}$ is $g_p^{\sum_i \tilde h_i}$ because the factors $(g_p^a)^{\pm \tilde u_i x_{\zeta,i}}$ cancel, and $E^c = \hat e(g_p, g_p)^{abc \tilde v}$, so $C_0$ is the real component exactly when $T = \hat e(g_p, g_p)^{abc}$.
$\mathcal{A}$ outputs its guess $\zeta'$ for the ciphertext $Ct_{\vec{x}_\zeta}$. If $\zeta' = \zeta$, $\mathcal{B}$ outputs 1, meaning $T = T_1 = \hat e(g_p, g_p)^{abc}$ (the challenge was distributed as in $\Gamma_0$); otherwise $\mathcal{B}$ outputs 0, meaning $T = T_2$ is a random element of $G_{t,p}$ (the challenge was distributed as in $\Gamma_1$). $\mathcal{B}$ therefore has the same advantage $\epsilon_1$ in solving the cBDH problem.
Lemma 3. If an attacker can distinguish $\Gamma_1$ and $\Gamma_2$ with advantage $\epsilon_2$ in time $t_2$ after at most $q_2$ trapdoor queries, then there exists an algorithm that solves the c3DH problem with advantage $\epsilon_2$ in time $\Theta(t_2)$.

Lemma 4. If an attacker can distinguish $\Gamma_2$ and $\Gamma_3$ with advantage $\epsilon_3$ in time $t_3$ after at most $q_3$ trapdoor queries, then there exists an algorithm that solves the c3DH problem with advantage $\epsilon_3$ in time $\Theta(t_3)$.

Proof. Suppose there exists an attacker $\mathcal{A}$ with non-negligible advantage $\epsilon_3$ in distinguishing $\Gamma_2$ and $\Gamma_3$. We construct an algorithm $\mathcal{B}$ that solves the c3DH problem using $\mathcal{A}$ as a subroutine. $\mathcal{B}$ is given $\Theta \leftarrow (g_q, g_r, g_p^a, g_p^b, g_p^{ab} R_1, g_p^{abc} R_2;\ n, G, G_t, \hat e)$ and $T$, where either $T = g_p^c R_3$ or $T$ is a random group element (the case $T = T_2$ of the c3DH distribution).

First, $\mathcal{A}$ commits to two keyword vectors $\vec{x}_0, \vec{x}_1 \in \Sigma^\ell$, and $\mathcal{B}$ flips a coin $\zeta \xleftarrow{\$} \{0, 1\}$. $\mathcal{B}$ picks $R_v, R_{w,1}, R_{w,2}, (R_{u,1}, R_{h,1}), \ldots, (R_{u,\ell}, R_{h,\ell}) \xleftarrow{\$} G_q^{2\ell+3}$ and $\alpha, \tilde w_1, \tilde w_2, (\tilde u_1, \tilde h_1), \ldots, (\tilde u_\ell, \tilde h_\ell) \xleftarrow{\$} \mathbb{Z}_n^{2\ell+3}$, and sets the public parameters as
$$\begin{array}{l}
(n = pqr, g_q, g_r, G, G_t, \hat e), \\
V = (g_p^{ab} R_1) R_v,\quad W_1 = (g_p^{ab} R_1 \cdot g_p)^{\tilde w_1} R_{w,1},\quad W_2 = g_p^{\tilde w_2} R_{w,2},\quad E = \hat e(g_p^{ab} R_1, g_p)^{\alpha}, \\
\big(U_i = (g_p^b)^{\tilde u_i} R_{u,i},\quad H_i = (g_p^b)^{-\tilde u_i x_{\zeta,i}} (g_p^{ab} R_1)^{\tilde h_i} R_{h,i}\big)\big|_{i=1}^{\ell}.
\end{array}$$
This implicitly sets $g = g_p$, $v = g_p^{ab}$, $w_1 = g_p^{(ab+1)\tilde w_1}$, $w_2 = g_p^{\tilde w_2}$, $u_i = g_p^{b \tilde u_i}$ and $h_i = g_p^{-b \tilde u_i x_{\zeta,i} + ab \tilde h_i}$, up to the $G_r$ factors contributed by $R_1$.

$\mathcal{A}$ may adaptively request trapdoors for a bounded number of conjunctive keyword vectors $\vec{e} = (e_1, \ldots, e_\ell) \in \Sigma^\ell$. $\mathcal{B}$ answers and records each query in the list $L = (\vec{e}, Tw)$ as follows.
- If $\vec{e} = \vec{x}_0$ or $\vec{e} = \vec{x}_1$, $\mathcal{B}$ simply aborts.
- If the keyword vector $\vec{e}$ is already stored in $L$, $\mathcal{B}$ returns the corresponding $Tw$ to $\mathcal{A}$.
- Otherwise there exists at least one index $j$ with $e_j \neq x_{\zeta,j}$. $\mathcal{B}$ first computes $\vartheta = \sum_{j=1}^{\ell} \tilde u_j (e_j - x_{\zeta,j})$; since the $\tilde u_j$ are random and hidden from $\mathcal{A}$, $\vartheta \neq 0 \pmod n$ except with negligible probability. $\mathcal{B}$ picks $\tilde r_1, \tilde r_2, \tilde r_3 \in \mathbb{Z}_n$ and $Y_1, Y_2, Y_3, Y_4 \in G_r$ at random, and answers the trapdoor query $Tw_{\vec{e}}$ with
$$\begin{array}{l}
K_1 = g_p^{\alpha}\, (g_p^a)^{\tilde r_1 \tilde w_1 \tilde w_2 + \tilde r_3 \tilde w_2 \sum_{i=1}^{\ell} \tilde h_i}\, g_p^{\vartheta \tilde r_3 \tilde w_2 + \tilde r_2 \tilde w_2 \sum_{i=1}^{\ell} \tilde h_i}\, Y_1, \\
K_2 = (g_p^a)^{\tilde r_1 \tilde w_2} Y_2,\qquad K_3 = (g_p^a)^{-\tilde r_1 \tilde w_1} (g_p^b)^{-\vartheta \tilde r_2} Y_3,\qquad K_4 = (g_p^a)^{\tilde r_3 \tilde w_2}\, g_p^{\tilde r_2 \tilde w_2}\, Y_4.
\end{array}$$
This output has the same distribution as a real trapdoor produced by the Trapdoor algorithm. Indeed, writing $\prod_{i=1}^{\ell} h_i u_i^{e_i} = g_p^{b\vartheta + ab \sum_{i} \tilde h_i}$ for the $G_p$ part of the keyword product, the components of $Tw_{\vec{e}}$ are
$$\begin{aligned}
K_1 &= g_p^{\alpha}\, (g_p^a)^{\tilde r_1 \tilde w_1 \tilde w_2 + \tilde r_3 \tilde w_2 \sum_{i} \tilde h_i}\, g_p^{\vartheta \tilde r_3 \tilde w_2 + \tilde r_2 \tilde w_2 \sum_{i} \tilde h_i}\, Y_1 \\
&= g_p^{\alpha}\, \big(g_p^{(ab+1)\tilde w_1}\big)^{\frac{\tilde r_1 \tilde w_2}{b}}\, \big(g_p^{\tilde w_2}\big)^{-\frac{\tilde r_1 \tilde w_1}{b} - \frac{\vartheta \tilde r_2}{a}}\, \big(g_p^{b\vartheta + ab\sum_{i} \tilde h_i}\big)^{\frac{\tilde r_2 \tilde w_2}{ab} + \frac{\tilde r_3 \tilde w_2}{b}}\, Y_1 \\
&= g^{\alpha}\, w_1^{r_1}\, w_2^{r_2}\, \Big(\prod_{i=1}^{\ell} h_i u_i^{e_i}\Big)^{r_3} Y_1, \\
K_2 &= (g_p^a)^{\tilde r_1 \tilde w_2} Y_2 = (g_p^{ab})^{\frac{\tilde r_1 \tilde w_2}{b}} Y_2 = v^{r_1} Y_2, \\
K_3 &= (g_p^a)^{-\tilde r_1 \tilde w_1} (g_p^b)^{-\vartheta \tilde r_2} Y_3 = (g_p^{ab})^{-\frac{\tilde r_1 \tilde w_1}{b} - \frac{\vartheta \tilde r_2}{a}} Y_3 = v^{r_2} Y_3, \\
K_4 &= (g_p^a)^{\tilde r_3 \tilde w_2}\, g_p^{\tilde r_2 \tilde w_2} Y_4 = (g_p^{ab})^{\frac{\tilde r_2 \tilde w_2}{ab} + \frac{\tilde r_3 \tilde w_2}{b}} Y_4 = v^{r_3} Y_4.
\end{aligned}$$
The second line for $K_1$ expands to the first: the terms $\pm \tilde r_1 \tilde w_1 \tilde w_2 / b$ and $\pm \vartheta \tilde r_2 \tilde w_2 / a$ cancel, leaving the exponent $\alpha + a \tilde r_1 \tilde w_1 \tilde w_2 + \vartheta \tilde r_3 \tilde w_2 + (\tilde r_2 + a \tilde r_3)\tilde w_2 \sum_i \tilde h_i$. It is easy to see that the simulated key has the same distribution as an actual key produced by Trapdoor, since $\tilde r_1, \tilde r_2, \tilde r_3$ are uniform in $\mathbb{Z}_n$ and the randomness $r_1, r_2, r_3$ is derived from them by the invertible transformation
$$\begin{pmatrix} r_1 \\ r_2 \\ r_3 \end{pmatrix} = \begin{pmatrix} \frac{\tilde w_2}{b} & 0 & 0 \\ -\frac{\tilde w_1}{b} & -\frac{\vartheta}{a} & 0 \\ 0 & \frac{\tilde w_2}{ab} & \frac{\tilde w_2}{b} \end{pmatrix} \begin{pmatrix} \tilde r_1 \\ \tilde r_2 \\ \tilde r_3 \end{pmatrix} \bmod n.$$

After $\mathcal{A}$'s trapdoor queries are over, $\mathcal{B}$ picks $Z_1, Z_2, Z_3, Z_4 \xleftarrow{\$} G_q$ and outputs the challenge ciphertext $Ct_{\vec{x}_\zeta}$ as
$$C_0 = \hat e(g_p^{abc} R_2, g_p)^{\alpha},\quad C_1 = (g_p^{abc} R_2) Z_1,\quad C_2 = (g_p^{abc} R_2)^{\tilde w_1} Z_2,\quad C_3 = T^{\tilde w_2} Z_3,\quad C_4 = (g_p^{abc} R_2)^{\sum_{i=1}^{\ell} \tilde h_i} Z_4.$$

Finally, $\mathcal{A}$ outputs its guess $\zeta'$ for the ciphertext $Ct_{\vec{x}_\zeta}$. If $\zeta' = \zeta$, $\mathcal{B}$ outputs 1, meaning $T = T_1 = g_p^c R_3$; otherwise $\mathcal{B}$ outputs 0, meaning $T$ is a random group element. $\mathcal{B}$ therefore has the same advantage $\epsilon_3$ in solving the c3DH problem.
Lemma 5. If an attacker can distinguish $\Gamma_3$ and $\Gamma_4$ with advantage $\epsilon_4$ in time $t_4$ after at most $q_4$ trapdoor queries, then there exists an algorithm that solves the c3DH problem with advantage $\epsilon_4$ in time $\Theta(t_4)$.

Lemma 6. If an attacker can distinguish $\Gamma_4$ and $\Gamma_5$ with advantage $\epsilon_5$ in time $t_5$ after at most $q_5$ trapdoor queries, then there exists an algorithm that solves the c3DH problem with advantage $\epsilon_5$ in time $\Theta(t_5)$.

Proof. Assume there exists an attacker $\mathcal{A}$ with non-negligible advantage $\epsilon_5$ in distinguishing $\Gamma_4$ and $\Gamma_5$. We construct an algorithm $\mathcal{B}$ that solves the c3DH problem using $\mathcal{A}$ as a subroutine. $\mathcal{B}$ is given $\Theta \leftarrow (g_q, g_r, g_p^a, g_p^b, g_p^{ab} R_1, g_p^{abc} R_2;\ n, G, G_t, \hat e)$ and $T$, where either $T = g_p^c R_3$ or $T$ is a random group element.

First, $\mathcal{A}$ commits to two keyword vectors $\vec{x}_0, \vec{x}_1 \in \Sigma^\ell$, and $\mathcal{B}$ flips a coin $\zeta \xleftarrow{\$} \{0, 1\}$. $\mathcal{B}$ picks $R_v, R_{w,1}, R_{w,2}, (R_{u,1}, R_{h,1}), \ldots, (R_{u,\ell}, R_{h,\ell}) \xleftarrow{\$} G_q^{2\ell+3}$ and $\alpha, \tilde w_1, \tilde w_2, (\tilde u_1, \tilde h_1), \ldots, (\tilde u_\ell, \tilde h_\ell) \xleftarrow{\$} \mathbb{Z}_n^{2\ell+3}$, and sets the public parameters as
$$\begin{array}{l}
(n = pqr, g_q, g_r, G, G_t, \hat e), \\
V = (g_p^{ab} R_1) R_v,\quad W_1 = (g_p^{ab} R_1 \cdot g_p)^{\tilde w_1} R_{w,1},\quad W_2 = g_p^{\tilde w_2} R_{w,2},\quad E = \hat e(g_p^{ab} R_1, g_p)^{\alpha}, \\
\big(U_i = (g_p^b)^{\tilde u_i} R_{u,i},\quad H_i = (g_p^b)^{-\tilde u_i x_{\zeta,i}} (g_p^{ab} R_1)^{\tilde h_i} R_{h,i}\big)\big|_{i=1}^{\ell}.
\end{array}$$
These are the same parameters as in the proof of Lemma 4, and $\mathcal{B}$ answers $\mathcal{A}$'s trapdoor queries exactly as there.

After $\mathcal{A}$'s trapdoor queries are over, $\mathcal{B}$ picks $Z_1, Z_2, Z_3, Z_4 \xleftarrow{\$} G_q$ and outputs the challenge ciphertext $Ct_{\vec{x}_\zeta}$ as
$$C_0 = \hat e(g_p^{abc} R_2, g_p)^{\alpha},\quad C_1 = (g_p^{abc} R_2) Z_1,\quad C_2 = (g_p^{abc} R_2)^{\tilde w_1} Z_2,\quad C_3 = (g_p^{abc} R_2)^{\tilde w_2} Z_3,\quad C_4 = T^{\sum_{i=1}^{\ell} \tilde h_i} Z_4.$$

Finally, $\mathcal{A}$ outputs its guess $\zeta'$ for the ciphertext $Ct_{\vec{x}_\zeta}$. If $\zeta' = \zeta$, $\mathcal{B}$ outputs 1, meaning $T = T_1 = g_p^c R_3$; otherwise $\mathcal{B}$ outputs 0, meaning $T$ is a random group element. $\mathcal{B}$ therefore has the same advantage $\epsilon_5$ in solving the c3DH problem.

Theorem 1. If the group generator $\mathcal{G}$ satisfies the $(t_1, \epsilon_1)$-cBDH assumption of Lemma 2 and the $(t_2, \epsilon_2)$-, $(t_3, \epsilon_3)$-, $(t_4, \epsilon_4)$- and $(t_5, \epsilon_5)$-c3DH assumptions of Lemmas 3, 4, 5 and 6 respectively, then the proposed scheme is $\big(\Theta(\sum_{i=1}^{5} t_i), \sum_{i=1}^{5} \epsilon_i\big)$-IND-CPEKS-CKA secure.
6 Conclusion

We proposed conjunctive keyword searchable encryption with efficient pairing, constant ciphertext and short trapdoor, and presented two constructions: the former in composite order groups and the latter in prime order groups. We also proved the security of the proposed schemes under the cBDH assumption and the c3DH assumption.

Acknowledgment. The authors gratefully thank the reviewers for their valuable comments. This work is supported by the National Science Foundation of China under Grants 61070189, 61170032 and 61173164.
References

1. Abdalla, M., Bellare, M., Catalano, D., Kiltz, E., Kohno, T., Lange, T., Malone-Lee, J., Neven, G., Paillier, P., Shi, H.: Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 205–222. Springer, Heidelberg (2005)
2. Baek, J., Safavi-Naini, R., Susilo, W.: On the Integration of Public Key Data Encryption and Public Key Encryption with Keyword Search. In: Katsikas, S.K., López, J., Backes, M., Gritzalis, S., Preneel, B. (eds.) ISC 2006. LNCS, vol. 4176, pp. 217–232. Springer, Heidelberg (2006)
3. Baek, J., Safavi-Naini, R., Susilo, W.: Public Key Encryption with Keyword Search Revisited. In: Gervasi, O., Murgante, B., Laganà, A., Taniar, D., Mun, Y., Gavrilova, M.L. (eds.) ICCSA 2008, Part I. LNCS, vol. 5072, pp. 1249–1259. Springer, Heidelberg (2008)
4. Bellare, M., Boldyreva, A., O'Neill, A.: Deterministic and Efficiently Searchable Encryption. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 535–552. Springer, Heidelberg (2007)
5. Boneh, D., Boyen, X.: Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)
6. Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public Key Encryption with Keyword Search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004)
7. Boneh, D., Waters, B.: Conjunctive, Subset, and Range Queries on Encrypted Data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007)
8. Golle, P., Staddon, J., Waters, B.: Secure Conjunctive Keyword Search over Encrypted Data. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 31–45. Springer, Heidelberg (2004)
9. Hwang, Y.H., Lee, P.J.: Public Key Encryption with Conjunctive Keyword Search and Its Extension to a Multi-user System. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 2–22. Springer, Heidelberg (2007)
10. Jeong, I.R., Kwon, J.O., Hong, D., Lee, D.H.: Constructing PEKS schemes secure against keyword guessing attacks is possible? Computer Communications 32(2), 394–396 (2009)
11. Rhee, H.S., Park, J.H., Susilo, W., Lee, D.H.: Trapdoor security in a searchable public-key encryption scheme with a designated tester. Journal of Systems and Software 83(5), 763–771 (2010)
12. Rhee, H.S., Susilo, W., Kim, H.J.: Secure searchable public key encryption scheme against keyword guessing attack. IEICE Electronics Express 6(5), 237–243 (2009)
13. Sedghi, S., van Liesdonk, P., Nikova, S., Hartel, P., Jonker, W.: Searching Keywords with Wildcards on Encrypted Data. In: Garay, J.A., De Prisco, R. (eds.) SCN 2010. LNCS, vol. 6280, pp. 138–153. Springer, Heidelberg (2010)
14. Wang, P., Wang, H., Pieprzyk, J.: Keyword Field-Free Conjunctive Keyword Searches on Encrypted Data and Extension for Dynamic Groups. In: Franklin, M.K., Hui, L.C.K., Wong, D.S. (eds.) CANS 2008. LNCS, vol. 5339, pp. 178–195. Springer, Heidelberg (2008)
15. Zhang, B., Zhang, F.: An efficient public key encryption with conjunctive-subset keywords search. Journal of Network and Computer Applications 34, 262–267 (2011)
16. Zhang, R., Imai, H.: Generic Combination of Public Key Encryption with Keyword Search and Public Key Encryption. In: Bao, F., Ling, S., Okamoto, T., Wang, H., Xing, C. (eds.) CANS 2007. LNCS, vol. 4856, pp. 159–174. Springer, Heidelberg (2007)
17. Zhu, B., Zhu, B., Ren, K.: PEKSrand: providing predicate privacy in public-key encryption with keyword search. Cryptology ePrint Archive, Report 2010/466 (2010)
18. Zhang, M., Takagi, T.: GeoEnc: Geometric Area Based Keys and Policies in Functional Encryption Systems. In: Parampalli, U., Hawkes, P. (eds.) ACISP 2011. LNCS, vol. 6812, pp. 241–258. Springer, Heidelberg (2011)