Available online at www.sciencedirect.com
Procedia Engineering 15 (2011) 1737 – 1741
www.elsevier.com/locate/procedia
Advanced in Control Engineering and Information Science
Decryptable searchable encryption with a designated tester
Chengyu Hu a,*, Pengtao Liu b
a School of Computer Science and Technology, Shandong University, Jinan, 250101, P.R. China
b Institute of Information Science and Technology, Shandong University of Political Science and Law, Jinan, 250014, P.R. China
Abstract
Public key encryption with keyword search (PEKS) enables a user to send a trapdoor Tw to a server, which can then locate all encrypted messages containing the keyword w but learns nothing else. In a searchable public-key encryption scheme with a designated tester (dPEKS), only the designated server can test, using its private key, which dPEKS ciphertext is related to a given trapdoor. Neither PEKS nor dPEKS allows the user to recover w from Tw, which limits their applicability. Decryptable searchable encryption, which additionally enables decryption of the keyword, resolves this problem. In this paper we propose a decryptable searchable encryption scheme with a designated tester and prove that it is secure against adaptive chosen keyword attack.
© 2011 Published by Elsevier Ltd. Open access under CC BY-NC-ND license. Selection and/or peer-review under responsibility of [CEIS 2011]
Keywords: decryptable; searchable encryption; designated tester; dPEKS
1. Introduction
With the rapid development of internet technologies, the amount of sensitive data stored and managed on networked servers is increasing rapidly. To protect the privacy and confidentiality of sensitive data even from inside attackers such as a malicious server, a user may encrypt the data before uploading it to the server. However, this leaves the server unable to search the stored data in response to a user's query. To resolve this problem, Boneh et al. [1] proposed the concept of public key encryption with keyword search (PEKS), which enables searching on encrypted keywords without
* Corresponding author. E-mail address: [email protected].
1877-7058 © 2011 Published by Elsevier Ltd. Open access under CC BY-NC-ND license. doi:10.1016/j.proeng.2011.08.324
compromising the security of the original data, and gave a universal transformation from anonymous identity-based encryption (IBE) [2] to PEKS. Abdalla et al. present an improved universal transformation from anonymous IBE to PEKS [3]. To achieve combinable multi-keyword search, two schemes for public-key encryption with conjunctive keyword search (PECKS) [4,5] have been proposed. In [6], Baek et al. propose searchable public key encryption with a designated tester (dPEKS), in which only the server can test, using its private key, whether a given dPEKS ciphertext is related to a trapdoor. None of the proposed PEKS schemes and their extensions allow the keyword to be retrieved, and they guarantee no relation between message and keyword. However, in some situations users may want to sort the encrypted data by keyword, and PEKS/dPEKS is not applicable in this scenario. Decryptable searchable encryption, which extends the notion of PEKS and enables decryption of the keyword, resolves this problem. Fuhr and Paillier [7] present a construction for it; however, it is undesirable that its test method can decrypt the ciphertext and recover the associated keyword. Fang et al. present an efficient decryptable searchable encryption scheme without random oracles [8], but it is not a scheme with a designated tester. In this paper, we present a secure decryptable searchable encryption scheme with a designated tester and prove that it is secure against adaptive chosen keyword attack.

The rest of this paper is organized as follows. In Section 2, we review some preliminaries. In Section 3, we present our scheme and give the security analysis. Finally, we draw our conclusions in Section 4.

2. Preliminaries
2.1. Bilinear Pairings
Let G1 be a cyclic group of prime order p generated by g, and let G2 be a cyclic group with the same prime order p.
Let $e: G_1 \times G_1 \to G_2$ be a map with the following properties [9]:
1) Bilinearity: $e(g^a, g^b) = e(g, g)^{ab}$ for any $a, b \in Z_p^*$;
2) Non-degeneracy: $e(g, g)$ is a generator of $G_2$, also denoted $g_2$, i.e., $g_2 \neq 1_{G_2}$;
3) Computability: there is an efficient algorithm to compute $e(u, v)$ for all $u, v \in G_1$.

The Truncated (Decisional) q-ABDHE Assumption. We define the advantage function $\mathrm{Adv}^{q\text{-ABDHE}}_{G_1, B}(\lambda)$ of an adversary $B$ as
$$\left| \Pr[B(g, g^{x}, \ldots, g^{x^{q}}, g^{z}, g^{z x^{q+2}}, e(g,g)^{z x^{q+1}}) = 1] - \Pr[B(g, g^{x}, \ldots, g^{x^{q}}, g^{z}, g^{z x^{q+2}}, e(g,g)^{r}) = 1] \right|$$
where $x, z, r \in Z_p$ are chosen at random. We say that the truncated decisional augmented bilinear Diffie-Hellman exponent (q-ABDHE [9]) assumption holds relative to generator $G_1$ if $\mathrm{Adv}^{q\text{-ABDHE}}_{G_1, B}(\lambda)$ is negligible for all PPT $B$.
2.2. Decryptable searchable encryption with designated tester
In the following, we define a decryptable searchable encryption scheme with designated tester (dPEKSD) and its game-based security model. A dPEKSD scheme consists of the following polynomial-time randomized algorithms, where gp denotes a set of global parameters.
1) GlobalSetup(λ): takes a security parameter λ as input and generates the global parameters gp.
2) KeyGenServer(gp): takes gp as input and outputs the public/secret key pair (pkS, skS) of the server S.
3) KeyGenReceiver(gp): takes gp as input and generates the public/secret key pair (pkR, skR) of the receiver R.
4) dTrapdoor(gp, pkS, skR, w): takes as input gp, the server's public key pkS, the receiver's secret key skR and a keyword w, and generates a trapdoor Tw.
5) dPEKSD(gp, pkR, pkS, w): takes as input gp, the receiver's public key pkR, the server's public key pkS and a keyword w, and returns a dPEKSD ciphertext C of w.
6) dTest(gp, C, skS, Tw): takes as input gp, a dPEKSD ciphertext C, the server's secret key skS and a trapdoor Tw. It outputs '1' if w = w' and '0' otherwise, where C = dPEKSD(gp, pkR, pkS, w').
7) KeywordDec(gp, C, skR): takes as input gp, a dPEKSD ciphertext C and the receiver's secret key skR. It outputs the associated keyword w, where C = dPEKSD(gp, pkR, pkS, w).

Security model of dPEKSD. Let $A_i$ (i = 1, 2) be an adversary whose running time is bounded by t, polynomial in the security parameter. Similar to [10], we consider the following two games.

Game1. A1 is assumed to be a malicious server.
Setup: A1 generates his public/secret key pair (pkS, skS) and gives pkS = pk_{A1} to B. B generates the receiver's public/secret key pair (pkR, skR) and gives pkR to A1. Thus (pkS, skS) and pkR are known to A1, while pkS and (pkR, skR) are known to B.
Phase 1 (dTrapdoor, KeywordDec and dTest queries): A1 can adaptively ask B for the trapdoor Tw of any keyword w of his choice, for the keyword associated with any ciphertext C, and for the test result of any pair (C, Tw).
Challenge: A1 gives pkR, w0 and w1 to B, with the restriction that A1 did not ask for the trapdoors $T_{w_0}$ or $T_{w_1}$. B chooses b ∈ {0,1} at random, computes C* = dPEKSD(gp, pkR, pkS, $w_b$), and sends C* to A1.
Phase 2 (dTrapdoor queries): A1 can adaptively ask B for the trapdoor Tw of any keyword w ≠ w0, w1.
Guess: A1 outputs b' ∈ {0,1} and wins Game1 if b = b'. We define A1's advantage in breaking the dPEKSD as $\mathrm{Adv}_{A_1}(\lambda) = |\Pr[b = b'] - \tfrac{1}{2}|$.

Game2. A2 is assumed to be an outsider attacker (including a malicious receiver).
Setup: A2 generates his public/secret key pair (pkR, skR) and gives pkR = pk_{A2} to B. B generates the server's public/secret key pair (pkS, skS) and gives pkS to A2. Thus (pkR, skR) and pkS are known to A2, while pkR and (pkS, skS) are known to B.
Phase 1 (dTest queries): A2 can ask B for the test result of any ciphertext C and trapdoor Tw of his choice.
Challenge: A2 gives pkR, pkS, w0 and w1 to B, with the restriction that A2 did not make a dTest query for $T_{w_0}$ or $T_{w_1}$. B chooses b ∈ {0,1} at random, computes C* = dPEKSD(gp, pkR, pkS, $w_b$), and sends C* to A2.
Phase 2 (dTest queries): identical to Phase 1, except that A2 may not issue a dTest query on (C, skS, Tw) in which C has the same elements as C* and w ∈ {w0, w1}; trapdoors may be queried for any keyword w ≠ w0, w1.
Guess: A2 outputs b' ∈ {0,1} and wins Game2 if b = b'. We define A2's advantage in breaking the dPEKSD as $\mathrm{Adv}_{A_2}(\lambda) = |\Pr[b = b'] - \tfrac{1}{2}|$.

We say that a dPEKSD is secure against an adaptive chosen keyword attack if for any polynomial-time attackers $A_i$ (i = 1, 2), $\mathrm{Adv}_{A_i}(\lambda)$ is negligible.
3. Decryptable searchable encryption scheme with designated tester
3.1. Our construction
Let (p, g, G1, G2, e) be the bilinear map parameters. Let $H, F: \{0,1\}^* \to Z_p^*$ be two collision-resistant hash functions, and let Bin(x) denote the binary form of x. Our dPEKSD scheme works as follows:
1) GlobalSetup(λ): given a security parameter λ, it returns the global parameters gp = (G1, G2, e, H, F, g, p).
2) KeyGenServer(gp): it randomly chooses $s_0, s_1, s_2 \in_R Z_p^*$ and returns skS = $(s_0, s_1, s_2)$ and pkS = $(gp, y_{S_0}, y_{S_1}, y_{S_2}) = (gp, g^{-s_0}, g^{-s_1}, g^{-s_2})$ as the server's secret and public keys, respectively.
3) KeyGenReceiver(gp): it randomly chooses $x, r_0, r_1, r_2 \in_R Z_p^*$ and returns skR = $(x, r_0, r_1, r_2)$ and pkR = $(y_{R_0}, y_{R_1}, y_{R_2}, y_{R_3}) = (g^{r_0}, g^{r_1}, g^{r_2}, g^{x})$ as the receiver's secret and public keys, respectively.
4) dTrapdoor(gp, pkS, skR, w): it outputs $T_w = \{d_{w,k}\}_{k \in \{1,2\}} = \{(y_{R_k} y_{S_k})^{1/(x - F(w))}\}_{k \in \{1,2\}}$, where $w \in \{0,1\}^*$.
5) dPEKSD(gp, pkR, pkS, w): it picks a random $r \in_R Z_p$ and outputs
$$C = [C_1, C_2, C_3, C_4] = [(y_{R_3} g^{-F(w)})^{r},\ e(g,g)^{r},\ w \oplus Bin(e(g, y_{R_0})^{r}),\ e(g, y_{R_1})^{tr} \cdot e(g, y_{R_2})^{r}],$$
where w ∈ KS (the keyword space) and $t = H(C_1, C_2, C_3)$.
6) dTest(gp, C, skS, Tw): it computes $t = H(C_1, C_2, C_3)$ and checks whether $C_4 = e(C_1, d_{w,1}^{\,t} d_{w,2}) \cdot C_2^{\,s_1 t + s_2}$. If the equality holds, it outputs '1'; otherwise it outputs '0'.
7) KeywordDec(gp, C, skR): it computes $t = H(C_1, C_2, C_3)$ and outputs $w = C_3 \oplus Bin(C_2^{\,r_0})$ if $C_4 = C_2^{\,t r_1} \cdot C_2^{\,r_2}$.

It is straightforward to verify that every correctly generated dPEKSD ciphertext is correctly tested by the server S holding the correct trapdoor and the server's secret key skS, and correctly decrypted by the receiver holding skR: since $C_1 = g^{r(x - F(w))}$ and $d_{w,k} = g^{(r_k - s_k)/(x - F(w))}$, we have $e(C_1, d_{w,1}^{\,t} d_{w,2}) \cdot C_2^{\,s_1 t + s_2} = e(g,g)^{r(t r_1 + r_2)} = C_4$, and $C_2^{\,r_0} = e(g, y_{R_0})^{r}$.
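The construction above, executed end to end as an added example (this is not code from the paper). It runs over an exponent-tracking mock of the symmetric pairing: every element $g^a$ of $G_1$ is stored as the exponent a mod p and every element $e(g,g)^c$ of $G_2$ as c mod p, so the pairing is just exponent multiplication. That representation exposes discrete logarithms and provides no security whatsoever; its only purpose is to check the dTest and KeywordDec identities, the designated-tester property (a different server key fails the test) and the tamper check in KeywordDec. The prime, the SHA-256-based H and F, and the fixed 16-byte keyword width (so that w and Bin() have the same length) are assumptions.

```python
# Added example: the dPEKSD construction of Section 3.1 over an exponent-tracking
# mock pairing group. NOT secure (discrete logs are explicit); it only checks the
# algebraic identities of dTest and KeywordDec.
import hashlib
import secrets

P = (1 << 127) - 1    # toy prime group order p (assumption)
KW_LEN = 16           # fixed keyword width in bytes; P < 2^128 so Bin() fits (assumption)


def h_to_zp(*parts: bytes) -> int:
    """H and F: hash byte strings into Z_p^* (assumption: SHA-256 mod (p-1), plus 1)."""
    d = hashlib.sha256(b"|".join(parts)).digest()
    return int.from_bytes(d, "big") % (P - 1) + 1


def H(c1: int, c2: int, c3: bytes) -> int:
    return h_to_zp(b"H", c1.to_bytes(16, "big"), c2.to_bytes(16, "big"), c3)


def F(w: bytes) -> int:
    return h_to_zp(b"F", w)


def pair(a: int, b: int) -> int:
    """e(g^a, g^b) = e(g,g)^{ab}: in the mock group this is exponent multiplication."""
    return a * b % P


def binf(c: int) -> bytes:
    """Bin(): fixed-width encoding of a G2 element (here its exponent)."""
    return c.to_bytes(KW_LEN, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keygen_server():
    s = [secrets.randbelow(P - 1) + 1 for _ in range(3)]      # skS = (s0, s1, s2)
    return s, [(-si) % P for si in s]                           # pkS = (g^-s0, g^-s1, g^-s2)


def keygen_receiver():
    x = secrets.randbelow(P - 1) + 1
    r = [secrets.randbelow(P - 1) + 1 for _ in range(3)]       # (r0, r1, r2)
    return (x, r), r + [x]                                      # skR, pkR = (g^r0, g^r1, g^r2, g^x)


def dtrapdoor(pk_s, sk_r, w: bytes):
    x, r = sk_r
    inv = pow((x - F(w)) % P, -1, P)                            # 1/(x - F(w)) mod p
    return [(r[k] + pk_s[k]) * inv % P for k in (1, 2)]         # d_{w,k} = (y_Rk y_Sk)^{1/(x-F(w))}


def dpeksd_encrypt(pk_r, w: bytes):
    assert len(w) == KW_LEN, "keywords are padded to KW_LEN bytes (assumption)"
    rnd = secrets.randbelow(P - 1) + 1
    c1 = (pk_r[3] - F(w)) * rnd % P                             # (y_R3 g^{-F(w)})^r
    c2 = rnd                                                    # e(g,g)^r
    c3 = xor(w, binf(pair(1, pk_r[0]) * rnd % P))               # w xor Bin(e(g, y_R0)^r)
    t = H(c1, c2, c3)
    c4 = (pair(1, pk_r[1]) * t * rnd + pair(1, pk_r[2]) * rnd) % P  # e(g,y_R1)^{tr} e(g,y_R2)^r
    return c1, c2, c3, c4


def dtest(sk_s, c, tw) -> bool:
    """Server-side test: needs skS = (s0, s1, s2) and the trapdoor."""
    c1, c2, c3, c4 = c
    t = H(c1, c2, c3)
    lhs = (pair(c1, (tw[0] * t + tw[1]) % P) + c2 * (sk_s[1] * t + sk_s[2])) % P
    return lhs == c4


def keyword_dec(sk_r, c):
    """Receiver-side decryption; returns None when the C4 consistency check fails."""
    x, r = sk_r
    c1, c2, c3, c4 = c
    t = H(c1, c2, c3)
    if (c2 * t * r[1] + c2 * r[2]) % P != c4:
        return None
    return xor(c3, binf(c2 * r[0] % P))


def demo():
    sk_s, pk_s = keygen_server()
    sk_r, pk_r = keygen_receiver()
    w_good = b"invoice-2011-q3".ljust(KW_LEN, b"\0")        # constructed sample keywords
    w_bad = b"payroll".ljust(KW_LEN, b"\0")
    c = dpeksd_encrypt(pk_r, w_good)
    tw_good = dtrapdoor(pk_s, sk_r, w_good)
    other_server_sk, _ = keygen_server()                      # a non-designated tester
    return {
        "test_match": dtest(sk_s, c, tw_good),
        "test_mismatch": dtest(sk_s, c, dtrapdoor(pk_s, sk_r, w_bad)),
        "test_wrong_server": dtest(other_server_sk, c, tw_good),
        "dec": keyword_dec(sk_r, c),
        "dec_tampered": keyword_dec(sk_r, (c[0], c[1], c[2], (c[3] + 1) % P)),
    }


if __name__ == "__main__":
    print(demo())
```

The "test_wrong_server" entry is the designated-tester property in action: the test equation contains $C_2^{\,s_1 t + s_2}$, so a party without skS cannot evaluate it even with a valid trapdoor. The "dec_tampered" entry shows why KeywordDec checks $C_4$ before unmasking $C_3$.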
3.2. Security Analysis
We now prove the security of our scheme under the discrete logarithm assumption and the q-ABDHE assumption described above.

Theorem 1. Our scheme is secure against a chosen keyword attack in Game1 assuming the discrete logarithm problem is intractable.

Proof. Suppose that A1 is a malicious server with advantage ε in breaking the proposed scheme, making $q_T$ dTrapdoor queries and $q_D$ KeywordDec and dTest queries in total. We build a simulator B that plays Game1 with A1. The challenger first sets the groups G1 and G2 with an efficient bilinear map e and a generator g of G1. B is given g and $u = g^{\alpha} \in G_1$; its goal is to compute $\alpha \in Z_p$.
Setup: Let $H, F: \{0,1\}^* \to Z_p^*$ be two collision-resistant hash functions. A1 generates (pkS, skS) with skS = $(s_0, s_1, s_2)$ and pkS = $(g^{-s_0}, g^{-s_1}, g^{-s_2})$, and sends pkS to B. B chooses $x, r_0, r_1, r_2 \in_R Z_p^*$, sets skR = $(x, r_0, r_1, r_2)$ and pkR = $(g^{r_0}, g^{r_1}, g^{r_2}, g^{x})$, and sends pkR to A1.
Query phase 1: A1 makes dTrapdoor, KeywordDec and dTest queries; B runs the corresponding algorithms of the scheme and returns the results.
Challenge: A1 gives w0 and w1 to B. B chooses b ∈ {0,1} at random and computes
$$C^* = [C_1^*, C_2^*, C_3^*, C_4^*] = [(g^{\alpha})^{r},\ e(g, g^{\alpha})^{r},\ w_b \oplus Bin(e(g^{\alpha}, y_{R_0})^{r}),\ e(g^{\alpha}, y_{R_1})^{tr} \cdot e(g^{\alpha}, y_{R_2})^{r}],$$
where $t = H(C_1^*, C_2^*, C_3^*)$. B sends C* to A1.
Query phase 2: A1 continues to make dTrapdoor queries for any keyword w ≠ w0, w1.
Output: A1 outputs b' ∈ {0,1}. If b = b', then B computes $\alpha = x - F(w_b)$. We omit the detailed probability analysis.

Theorem 2. Our scheme is secure against a chosen keyword attack in Game2 assuming the q-ABDHE assumption holds.

Proof. Suppose that A2 is an outsider attacker (as in Game2) with advantage ε in breaking the proposed scheme. We build a simulator B that plays the q-ABDHE game.
The simulation proceeds as follows. The challenger first sets the groups G1 and G2 with an efficient bilinear map e and a generator g of G1. B receives a q-ABDHE instance $(g, g^{x}, \ldots, g^{x^{q}}, g^{z}, g^{z x^{q+2}}, T)$ and has to distinguish $T = e(g,g)^{z x^{q+1}}$ from a random element of $G_2$.
Setup: Let $H, F: \{0,1\}^* \to Z_p^*$ be two collision-resistant hash functions. B chooses two random polynomials $f_k(X)$ of degree q, $k \in \{1,2\}$. Using the coefficients of the polynomials and the q-ABDHE instance, B computes $y_{R_k} = g^{f_k(x)}$ for $k \in \{1,2\}$ and sets $y_{R_3} = g^{x}$. A2 selects $r_0 \in_R Z_p^*$ and computes $y_{R_0} = g^{r_0}$. The receiver's public key is pkR = $\{y_{R_k}\}_{k \in \{0,1,2,3\}}$. This implicitly defines the secret key skR = $(x, r_0, f_1(x), f_2(x))$; note that neither B nor A2 knows $f_1(x)$, $f_2(x)$ or $x$. B chooses $s_0, s_1, s_2 \in_R Z_p^*$, sets skS = $(s_0, s_1, s_2)$ and pkS = $(g^{-s_0}, g^{-s_1}, g^{-s_2})$, and sends pkS to A2.
Query phase 1: When A2 wants the trapdoor of a keyword w, he asks B to define two polynomials of degree q−1, $F^*_{w,k}(X) = (f_k(X) - s_k)/(X - F(w))$ for $k \in \{1,2\}$; A2 can then compute $T_w$ using the coefficients of these polynomials and the q-ABDHE instance. A2 makes dTest queries, and B runs the dTest algorithm of the scheme and returns the results.
Challenge: A2 gives w0 and w1 to B. B chooses b ∈ {0,1} at random, defines the two degree-(q−1) polynomials $F^*_{w_b,k}(X) = (f_k(X) - s_k)/(X - F(w_b))$ and computes $d_k^* = g^{F^*_{w_b,k}(x)}$ using their coefficients and the q-ABDHE instance. B then defines the polynomial of degree q+1
$$F^*(X) = \frac{X^{q+2} - F(w_b)^{q+2}}{X - F(w_b)} = \sum_{i=0}^{q+1} F^*_i X^{i}$$
and computes
$$C_1^* = g^{z x^{q+2}} \cdot (g^{z})^{-F(w_b)^{q+2}}, \qquad C_2^* = T \cdot e\Big(g^{z}, \prod_{i=0}^{q} (g^{x^{i}})^{F^*_i}\Big),$$
$$C_3^* = w_b \oplus Bin\big(e(C_1^*, d_0^*) \cdot (C_2^*)^{s_0}\big), \qquad t^* = H(C_1^*, C_2^*, C_3^*),$$
$$C_4^* = e(C_1^*, (d_1^*)^{t^*} d_2^*) \cdot (C_2^*)^{s_1 t^* + s_2},$$
and outputs $C^* = (C_1^*, C_2^*, C_3^*, C_4^*)$, which it sends to A2.
Query phase 2: A2 continues to make dTest queries for trapdoors $T_w$ of any keyword w ≠ w0, w1, under the restriction of Game2.
Output: A2 outputs b' ∈ {0,1}. If b = b', B outputs 1; otherwise B outputs 0.

Let $r^* = z F^*(x)$. If $T = e(g,g)^{z x^{q+1}}$, then $C_1^* = g^{(x - F(w_b)) r^*}$, $C_2^* = e(g,g)^{r^*}$, $C_3^* = w_b \oplus Bin(e(g, y_{R_0})^{r^*})$ and $C_4^* = e(g, y_{R_1})^{t^* r^*} \cdot e(g, y_{R_2})^{r^*}$, i.e. C* is a dPEKSD ciphertext of $w_b$ with randomness $r^*$. If T is uniform in $G_2$, then $(C_1^*, C_2^*, C_3^*, C_4^*)$ is uniformly random. Since A2 breaks the proposed scheme with advantage ε, we obtain
$$\mathrm{Adv}^{q\text{-ABDHE}}_{G_1, B}(\lambda) = \left| \Pr[B(g, g^{x}, \ldots, g^{x^{q}}, g^{z}, g^{z x^{q+2}}, e(g,g)^{z x^{q+1}}) = 1] - \Pr[B(g, g^{x}, \ldots, g^{x^{q}}, g^{z}, g^{z x^{q+2}}, e(g,g)^{r}) = 1] \right| \geq \varepsilon.$$

By Theorem 1 and Theorem 2, our scheme is secure against a chosen keyword attack.
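The step of the Theorem 2 simulation that is easy to get wrong in an implementation is how B forms $C_1^*$ and $C_2^*$ without knowing x or z: it needs the coefficients $F^*_i$ of $F^*(X) = (X^{q+2} - a^{q+2})/(X - a)$ with $a = F(w_b)$, and relies on $F^*_{q+1} = 1$ so that the missing term $g^{z x^{q+1}}$ is exactly what T supplies. The following added example (not from the paper) computes those coefficients by synthetic division and checks, with explicit exponents over a toy prime (an assumption; a real simulator holds only $g^{x^i}$, $g^z$, $g^{z x^{q+2}}$ and T), the two exponent identities behind $C_1^* = g^{(x-a) r^*}$ and $C_2^* = e(g,g)^{r^*}$ with $r^* = z F^*(x)$.

```python
# Added example: polynomial arithmetic used by the Theorem 2 simulator.
# Exponents are explicit here only to verify the identities; the real simulator
# never learns x or z.
P = (1 << 61) - 1  # toy prime (assumption)


def quotient_coeffs(q: int, a: int):
    """Coefficients F*_0 .. F*_{q+1} (low degree first) of (X^{q+2} - a^{q+2}) / (X - a)."""
    # dividend X^{q+2} - a^{q+2}, highest degree first
    dividend = [1] + [0] * (q + 1) + [(-pow(a, q + 2, P)) % P]
    coeffs, carry = [], 0
    for c in dividend[:-1]:                   # synthetic division by (X - a)
        carry = (c + carry * a) % P
        coeffs.append(carry)
    remainder = (dividend[-1] + carry * a) % P
    if remainder != 0:
        raise ValueError("X - a must divide X^{q+2} - a^{q+2}")
    return coeffs[::-1]


def eval_poly(coeffs, x: int) -> int:
    """Evaluate sum_i coeffs[i] x^i mod P."""
    return sum(ci * pow(x, i, P) for i, ci in enumerate(coeffs)) % P


def simulator_identities(q: int, x: int, z: int, a: int) -> bool:
    """Check the exponent identities the simulator relies on, with a = F(w_b)."""
    fs = quotient_coeffs(q, a)
    r_star = z * eval_poly(fs, x) % P                           # r* = z F*(x)
    # C1* = g^{z x^{q+2}} (g^z)^{-a^{q+2}}: exponent z(x^{q+2} - a^{q+2}) must equal (x - a) r*
    c1_exp = z * (pow(x, q + 2, P) - pow(a, q + 2, P)) % P
    c1_ok = c1_exp == (x - a) * r_star % P
    # C2* = T * e(g^z, prod_{i<=q} (g^{x^i})^{F*_i}): exponent z x^{q+1} + z sum_{i<=q} F*_i x^i = r*
    c2_exp = (z * pow(x, q + 1, P) + z * eval_poly(fs[: q + 1], x)) % P
    c2_ok = c2_exp == r_star
    leading_ok = fs[-1] == 1                                    # F*_{q+1} = 1 is what makes T fit
    return leading_ok and c1_ok and c2_ok


if __name__ == "__main__":
    print(quotient_coeffs(1, 2), simulator_identities(3, 12345, 6789, 42))
```

Because $F^*_{q+1} = 1$, the product in $C_2^*$ runs only up to i = q, exactly the powers $g^{x^i}$ present in the instance, and the remaining factor $e(g,g)^{z x^{q+1}}$ is T itself; this is why a real T yields a well-formed ciphertext and a random T yields a random $C_2^*$.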
4. Conclusion
In this paper, we give the definition of a decryptable searchable encryption scheme with designated tester (dPEKSD) and its game-based security model. We then propose a decryptable searchable encryption scheme with designated tester and prove it secure against adaptive chosen keyword attack.

References
[1] Boneh D, Di Crescenzo G, Ostrovsky R, Persiano G. Public key encryption with keyword search. In: Cachin C, Camenisch J, editors. Eurocrypt'04, LNCS 3027, Berlin: Springer-Verlag; 2004, p. 506–522.
[2] Boneh D, Franklin M. Identity-based encryption from the Weil pairing. In: Kilian J, editor. CRYPTO'01, LNCS 2139, Berlin: Springer-Verlag; 2001, p. 213–239.
[3] Abdalla M, Bellare M, Catalano D, et al. Searchable encryption revisited: Consistency properties, relation to anonymous IBE, and extensions. In: Shoup V, editor. CRYPTO'05, LNCS 3621, Berlin: Springer-Verlag; 2005, p. 205–222.
[4] Park DJ, Kim K, Lee PJ. Public key encryption with conjunctive field keyword search. In: Lim CH, Yung M, editors. WISA'04, LNCS 3325, Berlin: Springer-Verlag; 2004, p. 73–86.
[5] Hwang YH, Lee PJ. Public key encryption with conjunctive keyword search and its extension to a multi-user system. In: Takagi T, Okamoto T, Okamoto E, Okamoto T, editors. Pairing'07, LNCS 4575, Berlin: Springer-Verlag; 2007, p. 2–22.
[6] Baek J, Safavi-Naini R, Susilo W. Public key encryption with keyword search revisited. In: Gervasi O, Murgante B, Lagana A, Taniar D, Mun Y, editors. ICCSA'08, LNCS 5072, Berlin: Springer-Verlag; 2008, p. 1249–1259.
[7] Fuhr T, Paillier P. Decryptable searchable encryption. In: Susilo W, Liu JK, Mu Y, editors. ProvSec'07, LNCS 4784, Berlin: Springer-Verlag; 2007, p. 228–236.
[8] Fang L, Wang J, Ge C, et al. Decryptable public key encryption with keyword search schemes. International Journal of Digital Content Technology and its Applications, 2010;4(9):141–150.
[9] Menezes AJ, Okamoto T, Vanstone SA. Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Transactions on Information Theory, 1993;39(5):1636–1646.
[10] Rhee HS, Park JH, Susilo W, Lee DH. Improved searchable public key encryption with designated tester. In: Li W, Susilo W, Tupakula UK, Safavi-Naini R, Varadharajan V, editors. ASIACCS'09, Sydney: ACM; 2009, p. 376–379.