A Generic Scheme of Plaintext-Checkable Database Encryption

Accepted Manuscript

Sha Ma, Yi Mu, Willy Susilo

PII: S0020-0255(17)30164-0
DOI: 10.1016/j.ins.2017.11.010
Reference: INS 13238

To appear in: Information Sciences

Received date: 17 January 2017
Revised date: 30 October 2017
Accepted date: 1 November 2017

Please cite this article as: Sha Ma, Yi Mu, Willy Susilo, A Generic Scheme of Plaintext-Checkable Database Encryption, Information Sciences (2017), doi: 10.1016/j.ins.2017.11.010

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

ACCEPTED MANUSCRIPT

A Generic Scheme of Plaintext-Checkable Database Encryption

Sha Ma a,b,*, Yi Mu b, Willy Susilo b

a College of Mathematics and Informatics, South China Agricultural University, Guangzhou, Guangdong 510640, China
b School of Computing and Information Technology, University of Wollongong, NSW, Australia

Abstract

Database encryption is essential for cloud database systems. For a large database, decryption can take a great deal of computational time, so verifying that a ciphertext contains a given plaintext without decrypting it becomes important for large database systems. Plaintext-checkable encryption (PCE), first proposed by Canard et al. at CT-RSA 2012, is a potential tool for such database systems. Although generic PCE in the random oracle model has been studied intensively, generic PCE in the standard model and its efficient implementation are still challenging problems. This paper presents the first generic PCE in the standard model, built from a smooth projective hash function (SPHF), and proves its s-priv1-cca security, which is independent of the current unlink security. Based on the SPHF instantiated from the DDH assumption, we obtain the most efficient PCE in the standard model, without any pairing operation. Finally, we improve two existing generic constructions in the random oracle model so that they are secure under chosen ciphertext attack.

Keywords: database encryption, plaintext-checkable encryption, provable security.

* Corresponding author
Email addresses: [email protected] (Sha Ma), [email protected] (Yi Mu), [email protected] (Willy Susilo)

Preprint submitted to Information Sciences, November 4, 2017

1. Introduction

In CT-RSA 2012, Canard et al. [7] first proposed a cryptographic primitive called plaintext-checkable encryption (PCE), which extends public-key encryption with the following functionality: given a plaintext, a ciphertext and a public key, anyone can check whether the ciphertext encrypts the plaintext under the public key. We observe that this primitive would be very useful for database queries, for example a public query on encrypted data or an encrypted query on public data. Canard et al. [7] provided generic PCE constructions in the random oracle model based on any probabilistic or deterministic encryption, and a practical construction in pairing groups in the standard model. To the best of our knowledge, a generic PCE construction in the standard model and its efficient implementation are still challenging problems.

A related primitive is searchable encryption, which has been well studied and widely employed in real-world applications. Searchable encryption was first formalized in [18] for the purpose of allowing text search over encrypted data. Depending on whether a symmetric or an asymmetric encryption technique is used, searchable encryption is classified into symmetric searchable encryption [18, 9, 14, 19, 24, 26] and asymmetric searchable encryption [6, 1, 12, 13, 22]. Here we concentrate on the asymmetric technique. Public key encryption with keyword search (PEKS), first proposed by Boneh et al. [6], allows a user to delegate keyword search on his own encrypted data by transmitting a corresponding encrypted-keyword trapdoor. Thereafter, many PEKS variants [1, 12, 13, 22] have been presented to add further properties. Another related primitive is probabilistic public key encryption with equality test (PKEET), first proposed by Yang et al. [23], which allows anyone to check whether two ciphertexts encrypt the same plaintext. Thereafter, many PKEET variants [20, 21, 17] have been presented to enforce different authorization policies. Essentially, PKEET can be trivially used to construct PCE; we explain this in Section 5. Comparatively, PEKS is suitable for search on encrypted data using an encrypted keyword, while PKEET is suitable for an equality test on encrypted data. We conclude that PCE can be used in the following applications, shown in Table 1: (1) search on encrypted data using an unencrypted keyword, (2) search on unencrypted data using an encrypted keyword, and (3) equality test between unencrypted data and encrypted data.

Table 1. The applications of different cryptographic primitives

(a) Keyword search (rows: data; columns: keyword)

                     keyword unencrypted   keyword encrypted
  data unencrypted   -                     PCE
  data encrypted     PCE                   PEKS

(b) Equality test (rows: data1; columns: data2)

                      data2 unencrypted   data2 encrypted
  data1 unencrypted   -                   PCE
  data1 encrypted     PCE                 PKEET

Below we compare our construction with the related work [23] and [7] (the scheme in the standard model) in terms of properties and security in Table 2; the efficiency comparison is left to Section 5. In Table 2, the second column shows whether the scheme is constructed in a generic way. The third and fourth columns show the security notion achieved and the underlying assumption that guarantees it. The fifth column shows whether the scheme is proven in the standard model. The sixth column shows whether the scheme can be constructed in non-pairing groups.

Table 2. Comparison with [23] and [7]

  Scheme   Generic   Security      Assumption   Standard Model   w/o Pairing
  [23]     ×         OW-CCA        CDH          ×                √
  [7]      ×         UNLINK-CPA    DLIN+SXDH    √                ×
  Ours     √         S-PRIV1-CCA   HSM          √                √

It can be seen from Table 2 that only our scheme is constructed in a generic way. With regard to security, our scheme achieves S-PRIV1-CCA, which is evidently more secure than OW-CCA and is independent of UNLINK (we explain the reason in Section 3). Furthermore, [23] is proven secure in the random oracle model based on the CDH assumption. Both [7] and our scheme are proven secure in the standard model, where the former is based on the DLIN and SXDH assumptions and the latter on the hard subset membership problem (HSM). Thanks to using SPHF as a building block, our work does not require a pairing group.

We consider a SALE database for a chemical warehouse that uses a cloud storage service. It contains three tables (see Table 3): the Product table (with the product ID "PId", the product name "Name", the price "Price" and the producer "Producer"), the E_customer table (with the customer ID "CId", the customer name "Name", the telephone number "Tel" and the payment card number "CardNum") and the Order table (with the product ID "PId" and the customer ID "CId"). The Product table and the E_customer table are outsourced to the cloud storage because of their large amount of data, while the relatively small Order table is kept in local storage for privacy, since it records personal activities and interests, which are sensitive data. Besides, the Product table is stored in plaintext for public access, while the E_customer table is encrypted because it holds personal information. Assume that we have the following query requirements on the SALE database:

1. Find the producer of the product whose name is "flu", and ensure that the query intention "flu" is protected.

2. Find the telephone number of the customer whose payment card number is "622300857396", which the fund security department has detected to be a fake card number.

3. Find the name of the customer who has placed the order "P001".

Accordingly, we design the three SQL clauses (SQL 1, SQL 2 and SQL 3) shown in Table 3, where =^c denotes checking whether the former ciphertext contains the latter plaintext, which is exactly the functionality provided by the PCE discussed in this paper.

Table 3. A SALE database and SQL sentences

(a) Product

  PId    Name        Price   Producer
  P001   vitamins    15      CN
  P002   fragrance   80      FR
  P003   flu         38      AU
  P004   soap        5       JP

(b) E_customer (all cells stored encrypted)

  CId      Name     Tel                CardNum
  nv4¿2y   b7%xkl   j3dpw$8z3nm9!v     nv4@x0#uqa368xw
  *x7u(x   g9h84r   2jsn8*su3ythmbs    x2f9gikr2kn+92zf3y
  +3z-bg   k*5z2w   ut!xf4bt51amj)5w   e3&z6qtr5bj8k*wr9g

(c) Order

  PId    CId
  P001   C003
  P003   C002

(d) SQL sentences

  SQL 1: SELECT Producer FROM Product WHERE Enc("flu") =^c Name.
  SQL 2: SELECT Tel FROM E_customer WHERE CardNum =^c 622300857396.
  SQL 3: SELECT Name FROM E_customer, Order WHERE E_customer.CId =^c Order.CId AND PId like "P001".

The current PCE scheme in the standard model [7], which is implemented using pairing maps, does not consider that the adversary might query a decryption oracle. As a result, using the existing PCEs as a building block would have some limitations in applications. For example, Canard et al. [7] clarified that "if using our PCE scheme for constructing group signature with verifier-local revocability (VLR), the resulting group signature cannot achieve CCA-anonymity when the adversary has an oracle to open the signature of its choice (the decryption oracle in PCE scheme), as considered e.g. in the model by Bellare et al. [4]". For this other killer application of PCE, a possible solution might be to design a PCE scheme based on linear encryption [5], to be combined with a one-time signature and Kiltz's tag-based encryption [10]. Under this unproven speculation, it would still require a PCE scheme defined over symmetric bilinear groups. Based on the above observations, we conclude that a PCE construction that is secure under chosen ciphertext attack could surely simplify some applications of PCE. In this paper, we are therefore interested in PCE schemes that are secure under chosen ciphertext attack.

1.1. Our Contributions

• Using the smooth projective hash function (SPHF) as a basic cryptographic tool, we present the first generic construction of plaintext-checkable encryption (PCE) in the standard model, while the existing generic PCE constructions [7] are only proved in the random oracle model.

• We adopt the s-priv1-cca notion to define our PCE security, which is independent of the current unlink security and is characterized by providing a decryption oracle to the adversary. Our generic construction is proven to satisfy s-priv1-cca based on the hard subset membership problem for an SPHF with strong word security.

• With an efficient instantiation of SPHF based on the Decisional Diffie-Hellman assumption, we obtain the most efficient PCE in the standard model, without the need for any pairing operation. Concretely, our check algorithm only needs 4 modular exponentiations, while the check algorithm in [7] costs 4 pairing operations.

• We improve Canard et al.'s two generic PCE constructions in the random oracle model [7] to be secure under chosen ciphertext attack and prove that they satisfy unlink-cca security.

2. Preliminaries

2.1. Smooth Projective Hash Function

A smooth projective hash function (SPHF) is based on a domain X and an NP language L ⊂ X. An SPHF system over L onto a set Y is defined as follows [8].

• SPHFSetup(k): It takes as input a security parameter k and outputs (L, param) as the global parameters.

• HashKG(L, param): It generates a hashing key hk.

• ProjKG(hk, (L, param), W): It derives the projection key hp from the hashing key hk, possibly depending on the word W.

• Hash(hk, (L, param), W): It outputs the hash value hv ∈ Y from the hashing key hk on any word W ∈ X.

• ProjHash(hp, (L, param), W, w): It outputs the hash value hv' ∈ Y from the projection key hp and any word W ∈ X with the witness w ∈ WS, where WS is the witness space.

In this paper, we add the WordGen algorithm as an SPHF extension:

• WordGen((L, param), w): It generates a word W ∈ L from the witness w ∈ WS.

We define an operator ⊛ on the group Y, ⊛ : Y × Y → Y. For any y1 ∈ Y and y2 ∈ Y, y1 ⊛ y2 ∈ Y. For any element y ∈ Y, we define y ⊛ y^(−1) = 1_Y, the identity element of Y.

Correctness. The correctness of an SPHF assures that if W ∈ L with a witness w, then Hash(hk, (L, param), W) = ProjHash(hp, (L, param), W, w).

Pseudo-randomness. The pseudo-randomness of an SPHF assures that if W ∈ L, then the following two distributions are computationally indistinguishable:

  {((L, param), W, hp, hv) | hv = Hash(hk, (L, param), W)},
  {((L, param), W, hp, hv) | hv ←$ Y}.

Smoothness. The smoothness of an SPHF assures that if W ∈ X\L, then the following two distributions are statistically indistinguishable:

  {((L, param), W, hp, hv) | hv = Hash(hk, (L, param), W)},
  {((L, param), W, hp, hv) | hv ←$ Y}.

2-Smoothness. The 2-smoothness of an SPHF assures that if W1, W2 ∈ X\L and W1 ≠ W2, then the following two distributions are statistically indistinguishable:

  {((L, param), W1, W2, hp, hv1, hv2) | hv2 = Hash(hk, (L, param), W2)},
  {((L, param), W1, W2, hp, hv1, hv2) | hv2 ←$ Y},

where hv1 = Hash(hk, (L, param), W1).

Definition 1. (Hard subset membership problem). The subset membership problem is hard on (X, L) for an SPHF if it is computationally hard to distinguish random elements of L from random elements of X\L.

Word Security. The smoothness property of an SPHF implies that it is impossible to recover the witness from the word. In this paper, we need a strong word security for SPHF to assure that, given W ∈ L, an adversary A = (A1, A2), a pair of polynomial-time algorithms, cannot get any partial information about the witness under W. We clarify that A1 and A2 share neither coins nor states. A1 takes as input hp and returns a witness w together with some side information t. A2 takes hp and a word W and tries to compute t. In fact, nearly all SPHFs in the literature have word security, and hence this property is thought to be a reasonable and realistic assumption. The following WordSec experiment is defined for the adversary A against word security, which wins with negligible probability.

Exp^WordSec_{SPHF,A}(k):

1. Setup. The challenger runs SPHFSetup, HashKG and ProjKG, generates (param, L, hp, hk) and sends the adversary (param, L, hp).

2. Challenge Phase. The adversary A1 randomly selects (w0, t0), (w1, t1) and presents them to the challenger. Then the challenger selects a random b ∈ {0, 1}, generates a word W_b for w_b and presents W_b to the adversary A2.

3. Guessing Phase. The adversary A2 outputs a bit b'. The adversary A is said to win the game if b' = b, in which case the output of the experiment is 1, and 0 otherwise.

We say an SPHF has word security if for any polynomial-time adversary A,

  Adv^WordSec_{SPHF,A}(k) = |Pr[b = b'] − 1/2|

is negligible in the security parameter k.

The Extension of SPHF. Similar to [8], we define an extension SPHF_aux of the SPHF syntax in this paper. It is defined by the six algorithms (SPHFSetup_aux, HashKG_aux, ProjKG_aux, WordGen_aux, Hash_aux, ProjHash_aux), where SPHFSetup_aux, HashKG_aux, ProjKG_aux and WordGen_aux are defined the same as SPHFSetup, HashKG, ProjKG and WordGen, and the slightly modified Hash_aux and ProjHash_aux are described as follows.

• Hash_aux(hk_aux, (L, param), W, aux): It outputs the hash value hv_aux ∈ Y from the hashing key hk_aux on any word W ∈ X and the auxiliary input aux.

• ProjHash_aux(hp_aux, (L, param), W, w, aux): It outputs the hash value hv'_aux ∈ Y from the projection key hp_aux, the witness w ∈ WS for the word W ∈ L and the auxiliary input aux.

2.2. Collision Resistant Hash Function

Definition 2. (Collision Resistant Hash Function). H : {0, 1}^{l1(k)} → {0, 1}^{l2(k)} is a collision-resistant hash function if for any security parameter k ∈ N, |l1(k)| > |l2(k)| and for any probabilistic polynomial-time algorithm A, Pr[(x0, x1) ← A(1^k, H) : x0 ≠ x1 ∧ H(x0) = H(x1)] ≤ ζ(k), where ζ denotes a function negligible in the security parameter k.

3. Definitions

3.1. Plaintext-Checkable Encryption

We recall the basic definition of PCE, which consists of the following four algorithms:

1. PCEKG(k): A probabilistic, polynomial-time key generation algorithm which takes as input a security parameter k ∈ N and outputs a public/private key pair (pk, sk). The plaintext space and the ciphertext space are denoted by M and C, respectively.

2. PCEEnc(pk, M): A probabilistic, polynomial-time encryption algorithm which takes as input pk and M ∈ M and outputs a ciphertext C ∈ C.

3. PCEDec(pk, sk, C): A deterministic, polynomial-time decryption algorithm which takes as input pk, sk and C ∈ C and outputs either a plaintext M ∈ M or a special symbol ⊥.

4. PCECheck(pk, C, M): A deterministic, polynomial-time check algorithm which takes as input pk, C ∈ C and M ∈ M and outputs 1 if C is an encryption of M, and 0 otherwise.

3.2. Security notion: s-priv1-cca security

We review some classical security notions: ind-cpa and ind-cca for public key encryption schemes, unlink-cpa (or unlink) and unlink-cca for PCE schemes, and s-priv1-cpa (or s-priv1) and s-priv1-cca for public key encryption with equality test, where "-cca" stands for security under chosen ciphertext attack and "s-" stands for a strong version that additionally provides the adversary with the public key.

Definition 3. (IND-ATK). Let Π = (G, E, D) be a public key encryption scheme and let A be a polynomial-time adversary. For atk ∈ {cpa, cca} and k ∈ N, let

  Adv^{ind-atk}_{A,Π}(k) = | Pr[ (pk, sk) ← G(k), (x0, x1) ← A^{O(·)}(pk), b ← {0, 1}, y ← E(pk, x_b), b' ← A^{O(·)}(pk, x0, x1, y) : b' = b ] − 1/2 |,

where x0 ≠ x1 ∧ |x0| = |x1| and

  if atk = cpa, then O(·) is empty (no oracle);
  if atk = cca, then O(·) = D_sk(·).

In the case of cca, A is not allowed to query the decryption oracle on y. We say that Π is secure in the sense of ind-atk if Adv^{ind-atk}_{A,Π}(k) is negligible for any A.

Definition 4. (UNLINK-ATK). Let Π = (G, E, D) be a public key encryption scheme and let A = (A1, A2) be a polynomial-time adversary. It is assumed that A1 and A2 share neither coins nor states. For atk ∈ {cpa, cca} and k ∈ N, let

  Adv^{unlink-atk}_{A,Π}(k) = | Pr[ (pk, sk) ← G(k), (x0, x1) ← A1^{O(·)}(pk), b ← {0, 1}, y0 ← E(pk, x_b), y1 ← E(pk, x1), b' ← A2^{O(·)}(pk, y0, y1) : b' = b ] − 1/2 |,

where x0 ≠ x1 ∧ |x0| = |x1| and

  if atk = cpa, then O(·) is empty (no oracle);
  if atk = cca, then O(·) = D_sk(·).

In the case of unlink-cca, A2 is not allowed to query the decryption oracle on either y0 or y1. We say that Π is secure in the sense of unlink-atk if Adv^{unlink-atk}_{A,Π}(k) is negligible for any A.

Definition 5. (S-PRIV1-ATK). Let Π = (G, E, D) be a public key encryption scheme and let A = (A1, A2) be a polynomial-time adversary. It is assumed that A1 and A2 share neither coins nor states. For atk ∈ {cpa, cca} and k ∈ N, let

  Adv^{s-priv1-atk}_{A,Π}(k) = | Pr[ (pk, sk) ← G(k), ((x0, t0), (x1, t1)) ← A1^{O(·)}(pk), b ← {0, 1}, y ← E(pk, x_b), h ← A2^{O(·)}(pk, y), if h = t1 then b' = 1 else b' = 0 : b' = b ] − 1/2 |,

where x0 ≠ x1 ∧ |x0| = |x1| and

  if atk = cpa, then O(·) is empty (no oracle);
  if atk = cca, then O(·) = D_sk(·).

In the case of s-priv1-cca, A2 is not allowed to query the decryption oracle on y. We say that Π is secure in the sense of s-priv1-atk if Adv^{s-priv1-atk}_{A,Π}(k) is negligible for any A.

[7] presents unlink security for PCE and shows the following relation among three security notions:

  ind-cpa ⇒ unlink ⇒ priv1.

That is, unlink is weaker than ind-cpa and stronger than priv1 (or ind-det in [7]) for deterministic encryption [2]. In this paper, we adopt the security notion s-priv1-cca for our PCE scheme, which is defined for public key encryption with equality test [15], and show the following relation:

  ind-cca ⇒ unlink-cca ⇒ unlink ⇒ priv1,
  unlink-cca ⇒ s-priv1-cca ⇒ s-priv1 ⇒ priv1.

We clarify that ind-cca is stronger than ind-cpa for probabilistic encryption. unlink-cca is stronger than unlink by additionally giving access to a decryption oracle, and is evidently weaker than ind-cca. priv1 is defined for deterministic encryption in the single-message scenario (a similar result can be obtained for the multi-message scenario). s-priv1-cca is stronger than s-priv1 by additionally giving access to a decryption oracle. s-priv1 is stronger than priv1 by additionally providing the public key pk to A1, which outputs the challenge plaintexts. Accordingly, we present Lemmas 1, 2, 3 and 4 as follows.

Lemma 1. unlink-cca is independent of ind-cpa.

Proof 1. unlink-cca and ind-cpa are independent of each other, which means that there exist schemes that satisfy unlink-cca but do not satisfy ind-cpa, and meanwhile there exist schemes that satisfy ind-cpa but do not satisfy unlink-cca.

It is evident that all PCE schemes that satisfy unlink-cca do not satisfy ind-cpa, because the adversary in the ind-cpa experiment can use the PCE check functionality itself to determine which message the challenge ciphertext encrypts.

Taking ElGamal encryption as an example, it has been proven to be ind-cpa secure but not ind-cca secure. Furthermore, it is not unlink-cca secure. The reason is that the adversary in the unlink-cca experiment can successfully guess whether C0 and C1 share the same message by recovering the plaintexts m_b and m1 of C0 and C1 after submitting valid ciphertexts related to C0 and C1 to the decryption oracle, and finally succeeds in deciding whether C0 is the encryption of m0 or of m1.

Lemma 2. unlink-cca is stronger than s-priv1-cca.

Proof 2. We show that the existence of an adversary A_unlink-cca against the unlink-cca experiment with significant advantage implies the existence of an efficient algorithm A_s-priv1-cca against the s-priv1-cca experiment. That is, the probability that any adversary succeeds in the unlink-cca game is not larger than the probability that any adversary succeeds in the s-priv1-cca game. We define the following game between a simulator (in the role of the unlink-cca adversary) and an adversary A_s-priv1-cca = (A1, A2) that carries out an s-priv1-cca attack.

1. Key Generation Phase. The simulator takes pk as input and gives pk to A_s-priv1-cca.

2. Probing Phase. For a ciphertext C submitted by the adversary A, the simulator forwards C to the unlink-cca challenger. After obtaining a message m from the unlink-cca challenger, the simulator returns m to A_s-priv1-cca.

3. Challenge Phase. A1 submits (M0, t0), (M1, t1) for the challenge. The simulator forwards (M0, M1) to the unlink-cca challenger. After obtaining the encryptions C*_b and C*_1 from the unlink-cca challenger, the simulator returns C*_b to A2.

4. Probing Phase. The simulator again provides a decryption oracle to the adversary A_s-priv1-cca, with the only difference that the decryption oracle only responds to queries C that are different from both C*_b and C*_1. Let DecOracle(C*_1) be the event that A_s-priv1-cca queries C*_1 for decryption.

5. Guessing Phase. The adversary A2 outputs a bit b'. The adversary is said to win the game if b' = b, in which case the output of the simulator is 1, and 0 otherwise.

The simulator (A_unlink-cca) provides a view identical to that of the challenger in the s-priv1-cca experiment, except when A_s-priv1-cca submits C*_1 to the decryption oracle. Therefore, we have

  Pr[A_unlink-cca(k) = 1]
    ≤ Pr[A_s-priv1-cca(k) = 1 | ¬DecOracle(C*_1)]
    ≤ Pr[A_s-priv1-cca(k) = 1] Pr[¬DecOracle(C*_1)]
    ≤ Pr[A_s-priv1-cca(k) = 1] (1 − Pr[DecOracle(C*_1)])
    ≤ Pr[A_s-priv1-cca(k) = 1],

from which the lemma immediately follows.

Lemma 3. s-priv1-cca is independent of unlink.

Proof 3. s-priv1-cca and unlink are independent of each other, which means that there exist schemes that satisfy unlink but do not satisfy s-priv1-cca, and meanwhile there exist schemes that satisfy s-priv1-cca but do not satisfy unlink.

Canard et al. [7] presented a practical ElGamal-based construction (PCE-S) in the standard model. We observe that PCE-S does not satisfy s-priv1-cca. The reason is that the adversary A can forge a valid ciphertext C based on the challenge ciphertext C*_b with overwhelming advantage. Concretely, after seeing the challenge ciphertext C*_b = (M_b y^{r*}, g^{r*}, h^{a*}, h^{a* r*}), the adversary A chooses x ←$ Z_p and submits the new ciphertext C = (M_b y^{r*}, g^{r*}, h^{a* x}, h^{a* r* x}) to the decryption oracle. Since e(g, h^{a* r* x}) is equal to e(g^{r*}, h^{a* x}), the adversary A immediately succeeds in the s-priv1-cca game.

Yang et al. [23] provided public key encryption with equality test (PKEET), which does not satisfy unlink because it allows checking plaintext equality between any two encryptions of a message. [15] slightly revised the PKEET scheme [23] to encrypt m as the ciphertext C = (U, V, W) = (g^r, H1(m)^r, PRG(H2(U, V, y^r)) ⊕ (m||r)), where both H1 and H2 are modeled as random oracles and PRG is a pseudo-random bit generator. This new PKEET scheme satisfies s-priv1-cca security in the random oracle model, assuming PRG is a secure pseudo-random bit generator and the CDH problem is intractable.

Lemma 4. s-priv1-cca is independent of ind-cpa.

Proof 4. s-priv1-cca and ind-cpa are independent of each other, which means that there exist schemes that satisfy s-priv1-cca but do not satisfy ind-cpa, and meanwhile there exist schemes that satisfy ind-cpa but do not satisfy s-priv1-cca.

Similar to the proof of Lemma 1, it is also evident that all PCE schemes that satisfy s-priv1-cca do not satisfy ind-cpa, because the adversary in the ind-cpa experiment can use the PCE check functionality itself to determine which message the challenge ciphertext encrypts.

Taking ElGamal encryption as an example again, it has been proven to be ind-cpa secure. However, it is not s-priv1-cca secure. The reason is that the adversary in the s-priv1-cca experiment can obtain the information needed to distinguish m0 and m1 from C_b by computing t_b from the recovered plaintext m_b after submitting a valid ciphertext related to C_b to the decryption oracle, and can finally decide which of m0 and m1 the distinguishing information belongs to.

4. Generic Construction

Let the language L be a hard-partitioned subset. Let SPHF1 = (SPHFSetup1, HashKG1, ProjKG1, WordGen1, Hash1, ProjHash1) and SPHF2 = (SPHFSetup2, HashKG2, ProjKG2, WordGen2, Hash2, ProjHash2) be two SPHFs with word security defined on X → Y for the same language L under the same security parameter k, where SPHF2 is an extended SPHF as defined in Section 2.1. Let Γ be a collision-resistant hash function defined on X × Y × Y → WS. We present a generic construction of PCE = (PCEKG, PCEEnc, PCEDec, PCECheck).

1. PCEKG(k): For the SPHF_i (i = 1, 2) system, it generates the public parameter (L, param) using SPHFSetup_i under the security parameter k, the hashing key hk_i using HashKG_i and the projection key hp_i using ProjKG_i. Then it sets the public/private key pair (pk, sk) for the PCE scheme:

  sk : (hk1, hk2) = (HashKG1(L, param), HashKG2(L, param)),
  pk : (hp1, hp2) = (ProjKG1(hk1, (L, param)), ProjKG2(hk2, (L, param))).

2. PCEEnc(pk, M): It randomly picks a word W ∈ L with the witness w and computes

  U = ProjHash1(hp1, (L, param), W, w) ⊛ M.

Then it generates a word W' with the witness τ = Γ(W, ProjHash1(hp1, (L, param), W, w), M) using the WordGen((L, param), τ) algorithm, and computes

  V = ProjHash2(hp2, (L, param), (W, U, W'), τ).

Finally, it outputs the PCE ciphertext C = (W, U, W', V) of the plaintext M under the public key pk.

3. PCEDec(pk, sk, C): Upon parsing C as (W, U, W', V), it computes M ← U ⊛ Hash1(hk1, (L, param), W)^(−1) and then verifies whether

  • W' = WordGen((L, param), τ), where τ = Γ(W, Hash1(hk1, (L, param), W), M);
  • V = Hash2(hk2, (L, param), (W, U, W')) and V = ProjHash2(hp2, (L, param), (W, U, W'), τ).

If the validation passes, it returns the plaintext M for the ciphertext C, or ⊥ otherwise.

4. PCECheck(pk, M, C): It computes τ = Γ(W, U ⊛ M^(−1), M) and then verifies whether

  • W' = WordGen((L, param), τ);
  • V = ProjHash2(hp2, (L, param), (W, U, W'), τ).

If the validation passes, it returns 1, indicating that M is the plaintext of the ciphertext C under the public key pk,
or 0 otherwise.
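The construction above, together with the SPHF syntax of Section 2.1, as a runnable toy instantiation in Python. This is an added example, not the authors' code and not an implementation taken from the paper. It uses the DDH-based SPHF for SPHF1 (hk = (a1, a2), hp = g1^a1 g2^a2, Hash(u1, u2) = u1^a1 u2^a2, ProjHash = hp^r) and, for the extended SPHF2, an assumed Cramer-Shoup-style two-key variant in which the auxiliary input (W, U) enters through a hash e = H((W, U), W'). The collision-resistant Γ is assumed to be SHA-256 reduced modulo the group order, the group is a constructed 63-bit safe-prime subgroup chosen only so that the script runs offline (not a secure size), and the function names (pce_kg, pce_enc, pce_dec, pce_check, search_encrypted_column) are the example's own.

```python
import hashlib
import secrets

def is_prime(n):
    # Deterministic Miller-Rabin; these bases are exact for 37 < n < 3.3e24.
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Constructed toy group: P = 2Q + 1 is a ~63-bit safe prime, NOT a secure size.
Q = next(q for q in range((1 << 62) | 1, 1 << 63, 2) if is_prime(q) and is_prime(2 * q + 1))
P = 2 * Q + 1
G1, G2 = 4, 9  # squares mod P, hence generators of the order-Q subgroup G

def gamma(tag, *parts):
    # Collision-resistant hash into the witness space Z_Q (assumed: SHA-256 mod Q).
    data = "|".join([tag] + [repr(x) for x in parts]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def word_gen(r):
    # L = {(g1^r, g2^r)} (DDH tuples) inside X = G x G; the witness is r in Z_Q.
    return (pow(G1, r, P), pow(G2, r, P))

# SPHF1 on L: hk1 = (a1, a2), hp1 = g1^a1 g2^a2; Hash = u1^a1 u2^a2, ProjHash = hp1^r.
def sphf1_keys():
    hk = (secrets.randbelow(Q), secrets.randbelow(Q))
    return hk, pow(G1, hk[0], P) * pow(G2, hk[1], P) % P

def hash1(hk, W):
    return pow(W[0], hk[0], P) * pow(W[1], hk[1], P) % P

def proj_hash1(hp, W, r):
    return pow(hp, r, P)

# SPHF2, the extended 2-smooth variant: aux = (W, U) enters via e = H(aux, W'),
# Cramer-Shoup style, with hk2 = (b1, b2, c1, c2) and hp2 = (c, d). (Assumed design.)
def sphf2_keys():
    hk = tuple(secrets.randbelow(Q) for _ in range(4))
    hp = (pow(G1, hk[0], P) * pow(G2, hk[1], P) % P,
          pow(G1, hk[2], P) * pow(G2, hk[3], P) % P)
    return hk, hp

def hash2(hk, Wp, aux):
    e = gamma("aux", aux, Wp)
    return pow(Wp[0], hk[0] + hk[2] * e, P) * pow(Wp[1], hk[1] + hk[3] * e, P) % P

def proj_hash2(hp, Wp, tau, aux):
    e = gamma("aux", aux, Wp)
    return pow(hp[0] * pow(hp[1], e, P) % P, tau, P)

# PCE = (PCEKG, PCEEnc, PCEDec, PCECheck) exactly as laid out in Section 4.
# Plaintexts must be elements of G (any square mod P will do).
def pce_kg():
    (hk1, hp1), (hk2, hp2) = sphf1_keys(), sphf2_keys()
    return (hp1, hp2), (hk1, hk2)  # (pk, sk)

def pce_enc(pk, M):
    hp1, hp2 = pk
    r = secrets.randbelow(Q)
    W = word_gen(r)
    K = proj_hash1(hp1, W, r)
    U = K * M % P
    tau = gamma("tau", W, K, M)  # witness of the second word W'
    Wp = word_gen(tau)
    return (W, U, Wp, proj_hash2(hp2, Wp, tau, (W, U)))

def pce_dec(pk, sk, C):
    (hp1, hp2), (hk1, hk2) = pk, sk
    W, U, Wp, V = C
    K = hash1(hk1, W)
    M = U * pow(K, -1, P) % P
    tau = gamma("tau", W, K, M)
    ok = (Wp == word_gen(tau) and V == hash2(hk2, Wp, (W, U))
          and V == proj_hash2(hp2, Wp, tau, (W, U)))
    return M if ok else None  # None stands for the symbol ⊥

def pce_check(pk, M, C):  # public: only hp2 and the candidate plaintext are used
    W, U, Wp, V = C
    tau = gamma("tau", W, U * pow(M, -1, P) % P, M)
    return int(Wp == word_gen(tau) and V == proj_hash2(pk[1], Wp, tau, (W, U)))

def search_encrypted_column(pk, rows, keyword):
    # Table 1 case (1): an unencrypted keyword matched against encrypted cells, no sk.
    return [rid for rid, C in rows if pce_check(pk, keyword, C)]
```

pce_check needs only pk and the candidate plaintext, which is what lets a cloud server evaluate a query like SQL 2 of Table 3 over encrypted CardNum cells without ever holding sk; search_encrypted_column does exactly that over a list of (row id, ciphertext) pairs. Because τ is derived from M, a wrong candidate yields a different W', so the check fails, and any change to W, U, W' or V makes pce_dec return None (⊥), which is the validation PCEDec performs before releasing a plaintext. The observation behind Lemmas 1 and 4 is also visible here: pce_check(pk, m1, C) alone decides an ind-cpa challenge between m0 and m1, so no PCE can be ind-cpa secure.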

CR IP T

Note that we will omit (L, param) as input in SPHF1 and SPHF2 for brevity. Theorem 5. PCE satisfies s-priv1-cca if it is computationally hard to distin350

guish any random element W ∗ ∈ L from any random element from X \L.

Proof 5. We show that the existence of an adversary A against the s-priv1-cca

security with significant advantage implies the existence of an efficient algorithm B that decides a random element W ∗ ∈ L or W ∗ ∈ X \L. We define the 355

AN US

following game between a simulator (also as a role of the distinguisher for the hard subset membership problem) and an adversary A = (A1 , A2 ) that carries out an s-priv1-cca attack.

Game$_0$: Game$_0$ is the initial security game.

1. Key Generation Phase. The simulator emulates the initialization of the system: it runs PCEKG by itself to generate the public parameter $(L, param)$ and a public/private key pair $(pk, sk) = ((hp_1, hp_2), (hk_1, hk_2))$, and provides $pk$ to $\mathcal{A}$.

2. Probing Phase I. The simulator has to simulate the decryption oracle: for a ciphertext $C$ submitted by the adversary $\mathcal{A}$, the simulator returns the plaintext $M$ via PCEDec on $C$ using the secret key $sk$.

3. Challenge Phase. $\mathcal{A}_1$ outputs $(M_0, t_0)$ and $(M_1, t_1)$, and presents them to the simulator. Then, the simulator has to simulate $C_b^* = \mathsf{PCEEnc}(pk, M_b)$ for a randomly chosen bit $b$, where $C_b^* = (W^*, U^*, (W')^*, V^*)$ is generated as follows.

• The simulator first picks a random word $W^* \in L$, where $W^*$ is the value given as input to the simulator, and computes $U^* = \mathsf{Hash}_1(hk_1, W^*) \odot M_b$ using the private evaluation algorithm $\mathsf{Hash}_1$. Then it generates the word $(W')^* = \mathsf{WordGen}(\tau^*)$ with $\tau^* = \Gamma(W^*, \mathsf{Hash}_1(hk_1, W^*), M_b)$, and computes $V^* = \mathsf{Hash}_2(hk_2, (W^*, U^*, (W')^*))$ using the private evaluation algorithm $\mathsf{Hash}_2$.

Finally, the simulator returns $C_b^*$ to the adversary $\mathcal{A}_2$.

4. Probing Phase II. The simulator again provides access to the decryption oracle, with the only difference that the decryption oracle only responds to queries on ciphertexts $C$ that are different from the challenge ciphertext $C_b^*$.

5. Guessing Phase. $\mathcal{A}_2$ outputs its guess $h$. If $h = t_1$, then $b' = 1$, otherwise $b' = 0$. The simulator outputs 1 if $b' = b$, or 0 otherwise.

We consider the behavior of this simulator in two cases. (1) The simulator is given a random element $W^* \in L$; let $E_k^{(1)}$ be the event that the simulator outputs 1 in this case. (2) The simulator is given a random element $W^* \in \mathcal{X} \setminus L$; let $E_k^{(0)}$ be the event that the simulator outputs 1 in this case. Let $\mathsf{Adv}^{\mathrm{Dist}}(k) = |\Pr[E_k^{(1)}] - \Pr[E_k^{(0)}]|$ be the distinguishing advantage of the simulator. Our goal is to show that $\mathsf{Adv}^{\text{s-priv1-cca}}_{\mathrm{PCE},\mathcal{A}}(k)$ is negligible provided that $\mathsf{Adv}^{\mathrm{Dist}}(k)$ is negligible.

We now analyze the behavior of the simulator in these two cases.

Case 1: $W^* \in L$. In this case, the simulator is perfect. Therefore, we have
$$\left|\Pr[E_k^{(1)}] - \tfrac{1}{2}\right| \ge \mathsf{Adv}^{\text{s-priv1-cca}}_{\mathrm{PCE},\mathcal{A}}(k). \qquad (1)$$

Case 2: $W^* \in \mathcal{X} \setminus L$. We will use the game-hopping technique for Case 2.

Game$_1$: Game$_1$ is the same as Game$_0$, except that in addition it rejects a ciphertext $(W, U, W', V)$ if $W \in \mathcal{X} \setminus L$, $V = \mathsf{Hash}_2(hk_2, (W, U, W'))$ and $W' = \mathsf{WordGen}(\tau)$, where $\tau = \Gamma(W, \mathsf{Hash}_1(hk_1, W), M)$, because $V$ is uniquely determined by $(W, U, W')$ and $W'$ is uniquely determined by $\tau$. Let $F_a$ be the event that $V = \mathsf{Hash}_2(hk_2, (W, U, W'))$ and $F_b$ be the event that $W' = \mathsf{WordGen}(\tau)$. We define the advantage of $\mathcal{A}$ in Game$_1$ as $\mathsf{Adv}^{\mathrm{Game}_1}_{\mathrm{PCE},\mathcal{A}}(k)$ and claim that
$$\left|\mathsf{Adv}^{\mathrm{Game}_1}_{\mathrm{PCE},\mathcal{A}}(k) - \mathsf{Adv}^{\mathrm{Game}_0}_{\mathrm{PCE},\mathcal{A}}(k)\right| \le \Pr[F_a \wedge F_b] \le \Pr[F_b]. \qquad (2)$$

Next, we analyze the probability that the event $F_b$ happens. For all ciphertexts $C = (W, U, W', V) \in \mathcal{X} \times \mathcal{Y} \times \mathcal{X} \times \mathcal{Y}$ with $W \in \mathcal{X} \setminus L$ submitted to the decryption oracle after the challenge phase, we divide them into two cases:

1. $(W, U, W') = (W^*, U^*, (W')^*)$. Since it is required that $(W, U, W', V) \neq (W^*, U^*, (W')^*, V^*)$, it follows that $V \neq V^*$. Therefore, the simulator returns $\bot$, because $V$ is uniquely determined by $(W, U, W')$.

2. $(W, U, W') \neq (W^*, U^*, (W')^*)$. Given $W$, $U$ and $W'$, $hk_1$ is still uniformly distributed with the only constraints that $hp_1 = \mathsf{ProjKG}_1(hk_1)$ and $(W')^* = \mathsf{WordGen}(\tau^*)$ with $\tau^* = \Gamma\!\left(W^*, \mathsf{Hash}_1(hk_1, W^*), \frac{U^*}{\mathsf{Hash}_1(hk_1, W^*)}\right)$, where $hp_1$, $W^*$, $U^*$ and $(W')^*$ are fixed as above. Under this condition, we further divide all queried ciphertexts into four cases:

(a) $W = W^* \wedge U = U^* \wedge W' \neq (W')^*$. Since $U$ is completely determined by $(W, M)$ and $W'$ is also completely determined by $(W, M)$ through its witness $\tau$, it follows that $W' = (W')^*$. Therefore, the simulator returns $\bot$ due to the condition that $W' \neq (W')^*$.

(b) $W = W^* \wedge U \neq U^* \wedge W' = (W')^*$. We have $\tau = \tau^*$ due to $W' = (W')^*$, which implies that
$$\Gamma\!\left(W^*, \mathsf{Hash}_1(hk_1, W^*), \frac{U^*}{\mathsf{Hash}_1(hk_1, W^*)}\right) = \Gamma\!\left(W, \mathsf{Hash}_1(hk_1, W), \frac{U}{\mathsf{Hash}_1(hk_1, W)}\right).$$
Therefore, due to the collision resistance property of $\Gamma$, the probability that the adversary outputs a valid ciphertext $(W, U, W', \cdot)$ submitted to the decryption oracle is at most $\zeta(k)$.

(c) $W = W^* \wedge U \neq U^* \wedge W' \neq (W')^*$. Due to the smooth property of SPHF$_1$, $\mathsf{Hash}_1(hk_1, W^*)$ is uniformly distributed over $\mathcal{Y}$. Therefore, $\tau = \Gamma\!\left(W, \mathsf{Hash}_1(hk_1, W), \frac{U}{\mathsf{Hash}_1(hk_1, W)}\right)$ is uniformly distributed over $WS$, which implies that $W'$ is uniformly distributed over $\mathcal{X}$. Since we are under the condition that $W'$ is completely determined by $(W, U)$ through the witness $\tau$, we claim that the probability that the adversary outputs a valid ciphertext $(W, U, W', \cdot)$ submitted to the decryption oracle is at most $\mathsf{smooth}(k)$.

(d) $W \neq W^*$. Due to the 2-smooth property of SPHF$_1$, $\mathsf{Hash}_1(hk_1, W)$ is uniformly distributed over $\mathcal{Y}$. Therefore, $\tau = \Gamma\!\left(W, \mathsf{Hash}_1(hk_1, W), \frac{U}{\mathsf{Hash}_1(hk_1, W)}\right)$ is uniformly distributed over $WS$, implying that $W'$ is uniformly distributed over $\mathcal{X}$. For the same reason as in Case (c) above, we claim that the probability that the adversary outputs a valid ciphertext $(W, U, W', \cdot)$ submitted to the decryption oracle is at most $\text{2-smooth}(k)$.

Assume that $Q(k)$ denotes the number of decryption queries. From the above analysis, we have
$$\Pr[F_b] \le (\zeta(k) + \mathsf{smooth}(k) + \text{2-smooth}(k)) \cdot Q(k). \qquad (3)$$

Combining relations (2) and (3), we obtain
$$\left|\mathsf{Adv}^{\mathrm{Game}_1}_{\mathrm{PCE},\mathcal{A}}(k) - \mathsf{Adv}^{\mathrm{Game}_0}_{\mathrm{PCE},\mathcal{A}}(k)\right| \le (\zeta(k) + \mathsf{smooth}(k) + \text{2-smooth}(k)) \cdot Q(k). \qquad (4)$$

Game$_2$: Game$_2$ is the same as Game$_1$ except that the simulator sets $U^* = y_1^* \odot M_b$ instead of computing $U^* = \mathsf{Hash}_1(hk_1, W^*) \odot M_b$ in the encryption of $M_b$, where $y_1^* \in \mathcal{Y}$ is chosen at random. We define the advantage of $\mathcal{A}$ in Game$_2$ as $\mathsf{Adv}^{\mathrm{Game}_2}_{\mathrm{PCE},\mathcal{A}}(k)$ and claim that
$$\left|\mathsf{Adv}^{\mathrm{Game}_2}_{\mathrm{PCE},\mathcal{A}}(k) - \mathsf{Adv}^{\mathrm{Game}_1}_{\mathrm{PCE},\mathcal{A}}(k)\right| \le \mathsf{smooth}(k), \qquad (5)$$
due to the smooth property of $\mathsf{Hash}_1$.

Game$_3$: Game$_3$ is the same as Game$_2$ except that the simulator picks $y_2^* \in \mathcal{Y}$ at random and sets $V^* = y_2^*$ instead of computing $V^* = \mathsf{Hash}_2(hk_2, (W^*, U^*, (W')^*))$ in the encryption of $M_b$. We define the advantage of $\mathcal{A}$ in Game$_3$ as $\mathsf{Adv}^{\mathrm{Game}_3}_{\mathrm{PCE},\mathcal{A}}(k)$ and claim that
$$\left|\mathsf{Adv}^{\mathrm{Game}_3}_{\mathrm{PCE},\mathcal{A}}(k) - \mathsf{Adv}^{\mathrm{Game}_2}_{\mathrm{PCE},\mathcal{A}}(k)\right| \le \mathsf{psd\text{-}random}(k), \qquad (6)$$
due to the pseudo-random property of $\mathsf{Hash}_2$. It is evident that the adversary's output $b'$ in Game$_3$ is independent of the hidden bit $b$, except that the adversary may obtain information about $M_b$ from $(W')^*$. Due to the word security of SPHF, we have
$$\left|\mathsf{Adv}^{\mathrm{Game}_3}_{\mathrm{PCE},\mathcal{A}}(k) - \tfrac{1}{2}\right| \le \mathsf{WordSec}(k). \qquad (7)$$

Combining relations (4), (5), (6) and (7), we claim that
$$\left|\Pr[E_k^{(0)}] - \tfrac{1}{2}\right| \le (\zeta(k) + \mathsf{smooth}(k) + \text{2-smooth}(k)) \cdot Q(k) + \mathsf{smooth}(k) + \mathsf{psd\text{-}random}(k) + \mathsf{WordSec}(k). \qquad (8)$$

Combining inequalities (1) and (8), we claim that
$$\mathsf{Adv}^{\text{s-priv1-cca}}_{\mathrm{PCE},\mathcal{A}}(k) \le \mathsf{Adv}^{\mathrm{Dist}}(k) + (\zeta(k) + \mathsf{smooth}(k) + \text{2-smooth}(k)) \cdot Q(k) + \mathsf{smooth}(k) + \mathsf{psd\text{-}random}(k) + \mathsf{WordSec}(k),$$
from which the theorem immediately follows.

5. An Efficient PCE Instantiation

In this section, we recall an efficient instantiation of SPHF [8] and then present the resulting PCE implementation, which is the most efficient one and requires no pairing operation.

Definition 6. Decisional Diffie-Hellman (DDH) Assumption. Let $\mathbb{G}$ be a group of prime order $p$ with a random generator $g$, and let the unknown $a, b$ be randomly chosen from $\mathbb{Z}_p$. The Decisional Diffie-Hellman assumption says that it is hard to distinguish tuples of the form $(g, g^a, g^b, g^{ab})$ from tuples of the form $(g, g^a, g^b, g^c)$, where $c$ is randomly chosen from $\mathbb{Z}_p$.

An Instantiation of SPHF$_1$ from the DDH Assumption [8].

1. Setup($k$): $param = (\mathbb{G}, p, g_1, g_2)$.
2. HashKG($L_{DDH}, param$): $hk = (s_1, s_2) \xleftarrow{\$} \mathbb{Z}_p^2$.
3. ProjKG($hk, (L_{DDH}, param)$): $hp = g_1^{s_1} g_2^{s_2} \in \mathbb{G}$.
4. WordGen($(L_{DDH}, param), w = r$): $W = (g_1^r, g_2^r) \in \mathbb{G}^2$.
5. Hash($hk, (L_{DDH}, param), W = (g_1^r, g_2^r)$): $hv = g_1^{r s_1} g_2^{r s_2} \in \mathbb{G}$.
6. ProjHash($hp, (L_{DDH}, param), W = (g_1^r, g_2^r), w = r$): $hv' = hp^r \in \mathbb{G}$.

An Instantiation of SPHF$_2$ from the DDH Assumption [8]. We assume that $H_\theta$ is a collision resistant hash function.

1. SPHFSetup$_{aux}$($k$): $param_{aux} = (\mathbb{G}, p, g_1, g_2)$.
2. HashKG$_{aux}$($L_{DDH}, param$): $hk_{aux} = (a_1, a_2, b_1, b_2) \xleftarrow{\$} \mathbb{Z}_p^4$.
3. ProjKG$_{aux}$($hk_{aux}, (L_{DDH}, param)$): $hp_{aux} = (hp', hp'') = (g_1^{a_1} g_2^{a_2}, g_1^{b_1} g_2^{b_2}) \in \mathbb{G}^2$.
4. WordGen$_{aux}$($(L_{DDH}, param), r$): $W = (g_1^r, g_2^r) \in \mathbb{G}^2$.
5. Hash$_{aux}$($hk_{aux}, (L_{DDH}, param), W = (g_1^r, g_2^r), aux$): $hv_{aux} = (g_1^r)^{a_1 + \theta b_1} (g_2^r)^{a_2 + \theta b_2} \in \mathbb{G}$, where $\theta = H_\theta(W, aux) \in \mathbb{Z}_p$.
6. ProjHash$_{aux}$($hp_{aux}, (L_{DDH}, param), W = (g_1^r, g_2^r), w = r, aux$): $hv'_{aux} = (hp')^r (hp'')^{\theta r} \in \mathbb{G}$, where $\theta = H_\theta(W, aux) \in \mathbb{Z}_p$.

5.1. The Instantiated PCE Scheme

Our instantiated PCE scheme using the above SPHF$_1$ and SPHF$_2$ on the DDH language is described as follows.

1. PCEKG($k$): It first generates the same parameter $param = (\mathbb{G}, p, g_1, g_2)$ for SPHF$_1$ and SPHF$_2$ using the security parameter $k$. Then it chooses a collision-resistant hash function $\Gamma : \mathbb{G}^4 \to \mathbb{Z}_p$ and another hash function $H : \mathbb{G}^5 \to \mathbb{Z}_p$. Besides, it chooses $(\alpha_1, \alpha_2, \beta_1, \beta_2, \gamma_1, \gamma_2) \xleftarrow{\$} \mathbb{Z}_p^6$ and generates the public/private key pair $(pk, sk)$ of the PCE scheme:
$$sk : (hk_1, hk_2) = ((\alpha_1, \alpha_2), (\beta_1, \beta_2, \gamma_1, \gamma_2)),$$
$$pk : (hp_1, hp_2) = (h, (u, v)) = (g_1^{\alpha_1} g_2^{\alpha_2}, (g_1^{\beta_1} g_2^{\beta_2}, g_1^{\gamma_1} g_2^{\gamma_2})).$$

2. PCEEnc($pk, M$): It randomly chooses $r \in \mathbb{Z}_p$ and outputs a PCE ciphertext $C$ of the plaintext $M$:
$$C = (g_1^r, g_2^r, h^r M, g_1^\tau, g_2^\tau, u^\tau v^{\tau\theta}),$$
where $\tau = \Gamma(g_1^r, g_2^r, h^r, M)$ and $\theta = H(g_1^r, g_2^r, h^r M, g_1^\tau, g_2^\tau)$.

3. PCEDec($sk, C$): It first parses $C$ as $(C_1, C_2, C_3, C_4, C_5, C_6)$ and recovers the plaintext $M$ using $sk$:
$$M = C_3 (C_1^{\alpha_1} C_2^{\alpha_2})^{-1} = h^r M ((g_1^r)^{\alpha_1} (g_2^r)^{\alpha_2})^{-1}. \qquad (9)$$
Then it computes $\tau = \Gamma(C_1, C_2, C_3 M^{-1}, M) = \Gamma(g_1^r, g_2^r, h^r, M)$ and $\theta = H(C_1, C_2, C_3, C_4, C_5) = H(g_1^r, g_2^r, h^r M, g_1^\tau, g_2^\tau)$, and verifies whether the following equations hold using $sk$:
$$C_4 = g_1^\tau, \quad C_5 = g_2^\tau \quad \text{and} \quad C_6 = C_4^{\beta_1 + \gamma_1 \theta} C_5^{\beta_2 + \gamma_2 \theta} = u^\tau v^{\tau\theta}. \qquad (10)$$
Through the validation, it outputs 1 indicating that $M$ is the plaintext of the ciphertext $C$, or 0 otherwise.

4. PCECheck($pk, M, C$): It parses $C$ as $(C_1, C_2, C_3, C_4, C_5, C_6)$, and computes $\tau = \Gamma(C_1, C_2, C_3 M^{-1}, M) = \Gamma(g_1^r, g_2^r, h^r, M)$ and $\theta = H(C_1, C_2, C_3, C_4, C_5) = H(g_1^r, g_2^r, h^r M, g_1^\tau, g_2^\tau)$. Then it verifies whether $C_4 = g_1^\tau$, $C_5 = g_2^\tau$ and Equation (11) hold:
$$C_6 = u^\tau v^{\tau\theta}. \qquad (11)$$
Through the validation, it returns 1 indicating that $M$ is the plaintext of the ciphertext $C$ under the public key $pk$, or 0 otherwise.

5.2. Comparison

In this section, we choose the PCE scheme transformed from the first PKEET scheme [23] and the first PCE scheme (in the standard model) [7] for the comparison. Their property and security comparison are shown in Table 2. Here, we describe their efficiency comparison. Essentially, PKEET can be trivially used for constructing a PCE scheme. We simply show this transformation as follows.

1. PCEKG($k$): Run $(pk, sk) \leftarrow \mathsf{PKEET.KeyGen}(k)$, and output $(pk, sk)$.
2. PCEEnc($pk, M$): Run $C \leftarrow \mathsf{PKEET.Enc}(pk, M)$, and output $C$.
3. PCEDec($pk, sk, C$): Run $M \leftarrow \mathsf{PKEET.Dec}(sk, C)$, and output $M$.
4. PCECheck($pk, C, M$): Run $C' \leftarrow \mathsf{PKEET.Enc}(pk, M)$ and $b \leftarrow \mathsf{PKEET.Test}(C, C')$, and output $b$, where $b = 1$ indicates that $M$ is the plaintext of $C$ and $b = 0$ otherwise.
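To make the "Ours" row of Table 4 concrete, the following is an added Python implementation of the instantiated scheme of Section 5.1 (example code written for this page, not the paper's own): it runs PCEKG, PCEEnc, PCEDec and PCECheck over a toy DDH group (the order-$q$ subgroup of $\mathbb{Z}_p^*$ for $p = 2^{127}-1$), with SHA-256 reduced modulo $q$ standing in for $\Gamma$ and $H$, and counts group exponentiations to reproduce the 7E, 6E and 4E costs of encryption, decryption and test. The parameters, the hash encoding, the message encoding and the function names are constructed for this example.

```python
import hashlib
import secrets

# Toy parameters constructed for this example (not for production): p = 2^127 - 1 is
# prime and q = 77158673929 divides p - 1 (2^63 + 1 = 3^3 * 19 * 43 * 5419 * q).
P, Q = 2**127 - 1, 77158673929     # we work in the order-q subgroup of Z_p^*
EXPS = [0]                          # counts group exponentiations ("E" in Table 4)

def subgroup_gen(h):
    """Map h into the order-q subgroup (retry with h + 1 if it gives the identity)."""
    g = pow(h, (P - 1) // Q, P)
    return g if g != 1 else subgroup_gen(h + 1)

G1, G2 = subgroup_gen(3), subgroup_gen(5)     # the generators g1, g2 of param

def exp(base, e):
    EXPS[0] += 1
    return pow(base, e % Q, P)      # exponents live in Z_q

def mul(a, b):
    return a * b % P

def hash_zq(*elems):
    """Toy stand-in for the collision-resistant hashes Gamma and H into Z_q."""
    data = b"|".join(str(x).encode() for x in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def pce_kg():
    """PCEKG: sk = ((alpha1, alpha2), (beta1, beta2, gamma1, gamma2)), pk = (h, (u, v))."""
    a1, a2, b1, b2, ga1, ga2 = (secrets.randbelow(Q) for _ in range(6))
    h = mul(exp(G1, a1), exp(G2, a2))                       # hp1 = g1^alpha1 g2^alpha2
    u, v = mul(exp(G1, b1), exp(G2, b2)), mul(exp(G1, ga1), exp(G2, ga2))  # hp2
    return (h, (u, v)), ((a1, a2), (b1, b2, ga1, ga2))

def pce_enc(pk, m, r=None):
    """PCEEnc: C = (g1^r, g2^r, h^r M, g1^tau, g2^tau, u^tau v^(tau theta))."""
    h, (u, v) = pk
    r = secrets.randbelow(Q) if r is None else r
    c1, c2 = exp(G1, r), exp(G2, r)                         # the word W
    hr = exp(h, r)                                          # ProjHash1(hp1, W, r)
    c3 = mul(hr, m)
    tau = hash_zq(c1, c2, hr, m)                            # Gamma(g1^r, g2^r, h^r, M)
    c4, c5 = exp(G1, tau), exp(G2, tau)                     # W' = WordGen(tau)
    theta = hash_zq(c1, c2, c3, c4, c5)                     # H(C1, ..., C5)
    c6 = mul(exp(u, tau), exp(v, tau * theta))              # ProjHash2(hp2, ., tau)
    return (c1, c2, c3, c4, c5, c6)

def pce_dec(sk, c):
    """PCEDec: recover M with hk1, then verify C4, C5, C6 with hk2; None if invalid."""
    (a1, a2), (b1, b2, ga1, ga2) = sk
    c1, c2, c3, c4, c5, c6 = c
    hv1 = mul(exp(c1, a1), exp(c2, a2))                     # Hash1(hk1, W) = h^r
    m = mul(c3, pow(hv1, P - 2, P))                         # M = C3 / h^r
    tau = hash_zq(c1, c2, hv1, m)
    theta = hash_zq(c1, c2, c3, c4, c5)
    ok = (c4 == exp(G1, tau) and c5 == exp(G2, tau)
          and c6 == mul(exp(c4, b1 + ga1 * theta), exp(c5, b2 + ga2 * theta)))
    return m if ok else None

def pce_check(pk, m, c):
    """PCECheck: public test that M is the plaintext of C, using pk only."""
    _, (u, v) = pk
    c1, c2, c3, c4, c5, c6 = c
    hr = mul(c3, pow(m, P - 2, P))                          # candidate h^r = C3 / M
    tau = hash_zq(c1, c2, hr, m)
    theta = hash_zq(c1, c2, c3, c4, c5)
    return (c4 == exp(G1, tau) and c5 == exp(G2, tau)
            and c6 == mul(exp(u, tau), exp(v, tau * theta)))

def counted(fn, *args):
    EXPS[0] = 0                     # run fn and report how many exponentiations it used
    return fn(*args), EXPS[0]

def demo():
    """Round trip, plaintext checks and the 7E / 6E / 4E costs of Enc / Dec / Check."""
    pk, sk = pce_kg()
    m, m_other = pow(G1, 123, P), pow(G1, 456, P)           # messages are group elements
    c, enc_cost = counted(pce_enc, pk, m)
    dec, dec_cost = counted(pce_dec, sk, c)
    ok, check_cost = counted(pce_check, pk, m, c)
    tampered = c[:5] + (mul(c[5], G1),)                     # mauled C6: must be rejected
    return {"m": m, "dec": dec, "ok": ok, "wrong_m": pce_check(pk, m_other, c),
            "tampered_dec": pce_dec(sk, tampered),
            "tampered_check": pce_check(pk, m, tampered),
            "costs": (enc_cost, dec_cost, check_cost)}
```

Decryption recomputes $\tau$ from $\mathsf{Hash}_1(hk_1, W)$ while the public check recomputes it from $C_3 M^{-1}$; both then redo the $C_4, C_5, C_6$ verification, which is why a ciphertext with a modified $C_6$ is rejected by both and why the check needs only the four exponentiations of ProjHash.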

Table 4: Comparison (E: exponentiation, P: bilinear pairing)

Scheme   Ciphertext Length   Encryption   Decryption   Test
[23]     4|G|                3E           3E           2P+3E
[7]      4|G|                4E           2P+E         4P
Ours     6|G|                7E           6E           4E

In Table 4, the second column shows the size of the ciphertext. The third to fifth columns show the computation complexity of the encryption, decryption and test algorithms. It can be seen from Table 4 that our scheme has a slightly larger ciphertext and a slightly higher encryption cost than [23] and [7]. In terms of decryption, the computation complexity of our scheme is slightly larger than that of [23], but smaller than that of [7], since a bilinear pairing costs about five times as much as an exponentiation in a conventional desktop computer environment according to the experimental results in [11], [16] and [25]. It is evident that our scheme has the minimum computation complexity of the test algorithm, which would be a good enough reason to choose our instantiation in real-world applications. Combining Table 2 and Table 4, we conclude that compared with [23] and [7] our scheme has notable advantages both in test efficiency and in properties. Therefore, we believe that our construction can be a useful primitive in more interesting applications.

6. Improved Canard et al.'s Schemes

In this section, we improve Canard et al.'s schemes [7] under chosen ciphertext attack. Naturally, the modified schemes satisfy s-priv1-cca due to the relation shown in Section 3.2.

6.1. Improved Generic PCE Based on a Probabilistic Encryption

PCE-P.Kg($k$):
  $(\widetilde{pk}, \widetilde{sk}) \leftarrow \mathsf{PE.Kg}(1^k)$
  $pk \leftarrow \widetilde{pk}$, $sk \leftarrow \widetilde{sk}$
  return $(pk, sk)$

PCE-P.Enc($pk, m$):
  $\widetilde{pk} \leftarrow pk$
  $r \leftarrow_R \{0,1\}^{\ell(k)}$
  $\rho \leftarrow H(m \| r)$
  $\tilde{c} \leftarrow \mathsf{PE.Enc}(\widetilde{pk}, m; \rho)$
  $c \leftarrow (r, \tilde{c})$

PCE-P.Dec($sk, c$):
  $(r, \tilde{c}) \leftarrow c$
  $\widetilde{sk} \leftarrow sk$
  $m \leftarrow \mathsf{PE.Dec}(\widetilde{sk}, \tilde{c})$
  $\rho \leftarrow H(m \| r)$
  If $\mathsf{PE.Enc}(\widetilde{pk}, m; \rho) = \tilde{c}$ then return $m$   [added ciphertext validation]

PCE-P.Check($pk, c, m$):
  $(r, \tilde{c}) \leftarrow c$
  $\widetilde{pk} \leftarrow pk$
  $\rho \leftarrow H(m \| r)$
  $\tilde{c}' \leftarrow \mathsf{PE.Enc}(\widetilde{pk}, m; \rho)$
  If $\tilde{c}' = \tilde{c}$ then return 1 else return 0

Figure 1: Improved PCE-P' [7]

Canard et al. [7] presented a generic plaintext-checkable encryption (PCE-P) based on a probabilistic encryption (PE) in the random oracle model and claimed the following theorem. We observe a minor omission in PCE-P [7] and add the ciphertext validation to the PCE-P.Dec algorithm, marked with the text boxes in Figure 2.
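As an added illustration of the omission just described (example code written for this page, not from [7] or this paper), the following Python sketch implements PCE-P' with toy ElGamal standing in for PE (ElGamal is only ind-cpa, whereas Theorem 7 needs an ind-cca PE, so this shows the mechanics only) and SHA-256 as $H$. It contrasts the original Dec, which answers a query $(r', \tilde{c})$ that reuses the PE part of an honest ciphertext, with the improved Dec, which re-encrypts and rejects it. Group parameters, message encoding and function names are constructed assumptions.

```python
import hashlib
import secrets

# Same toy group as the Section 5 example (constructed, not for production): the
# order-q subgroup of Z_p^* with p = 2^127 - 1 and q = 77158673929 dividing p - 1.
P, Q = 2**127 - 1, 77158673929
ELL = 64                        # bit length l(k) of the public randomness r

def subgroup_gen(h):
    g = pow(h, (P - 1) // Q, P)                             # element of order q
    return g if g != 1 else subgroup_gen(h + 1)

G = subgroup_gen(3)

def H(m, r):
    """rho = H(m || r) in Z_q: toy stand-in for the random oracle of [7]."""
    digest = hashlib.sha256(f"{m}|{r}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

# PE: toy ElGamal with explicit coins.  It is only ind-cpa; Theorem 7 requires an
# ind-cca PE, so this block only exhibits the mechanics of the derandomisation.
def pe_kg():
    x = secrets.randbelow(Q)
    return pow(G, x, P), x                                  # (pk~, sk~)

def pe_enc(pk, m, rho):
    """PE.Enc(pk, m; rho): ElGamal with the coins rho supplied by the caller."""
    return pow(G, rho, P), pow(pk, rho, P) * m % P

def pe_dec(sk, c):
    c1, c2 = c
    return c2 * pow(c1, Q - sk, P) % P                      # c2 / c1^sk

# PCE-P and PCE-P' as in Figure 1
def pce_kg():
    return pe_kg()                                          # pk <- pk~, sk <- sk~

def pce_enc(pk, m):
    """PCE-P.Enc: c = (r, PE.Enc(pk, m; H(m || r)))."""
    r = secrets.randbits(ELL)
    return r, pe_enc(pk, m, H(m, r))

def pce_dec_original(sk, c):
    """PCE-P.Dec as in [7]: PE.Dec on the PE part, with no re-encryption check."""
    _, c_pe = c
    return pe_dec(sk, c_pe)

def pce_dec(pk, sk, c):
    """PCE-P'.Dec: return m only if PE.Enc(pk, m; H(m || r)) = c~, else None (bottom)."""
    r, c_pe = c
    m = pe_dec(sk, c_pe)
    return m if pe_enc(pk, m, H(m, r)) == c_pe else None

def pce_check(pk, c, m):
    """PCE-P.Check: re-encrypt with the coins derived from (m, r) and compare."""
    r, c_pe = c
    return pe_enc(pk, m, H(m, r)) == c_pe

def demo():
    """Honest round trip, plaintext checks, and a query (r', c~) reusing an honest c~."""
    pk, sk = pce_kg()
    m, m_other = pow(G, 11, P), pow(G, 22, P)               # messages are group elements
    c = pce_enc(pk, m)
    r, c_pe = c
    # Same PE part as c but another r: exactly the kind of query that the simulator
    # of Proof 6 cannot forward to its challenger, so Dec must reject it itself.
    mauled = ((r + 1) % 2**ELL, c_pe)
    return {"m": m,
            "dec": pce_dec(pk, sk, c),
            "check_ok": pce_check(pk, c, m),
            "check_other": pce_check(pk, c, m_other),
            "mauled_original_dec": pce_dec_original(sk, mauled),   # returns m
            "mauled_improved_dec": pce_dec(pk, sk, mauled)}        # returns None
```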


Theorem 6. [7] If PE satisfies ind-cpa then PCE-P in [7] satisfies unlink.

Theorem 7. If PE satisfies ind-cca then PCE-P' in Figure 1 satisfies unlink-cca.

Proof 6. (Sketch) We show that a successful adversary $\mathcal{A}$ against unlink-cca of PCE-P' can be used to construct an adversary $\mathcal{B}$ against ind-cca of PE. This proof is similar to the proof of Theorem 6 in [7], except that additional care needs to be taken to ensure that the simulation in the reduction is perfect, as the adversary against unlink-cca may make queries to the decryption oracle that the simulator cannot answer. For conciseness, we only describe the simulation of the decryption oracle in Probing Phase I and Probing Phase II, and refer the reader to the full version for the full proof.

In Probing Phase I, for a decryption query on $c = (r, \tilde{c})$ submitted by the adversary $\mathcal{A}$, $\mathcal{B}$ forwards $\tilde{c}$, the PE part of $c$, to the challenger. The challenger runs the decryption algorithm PE.Dec on input the secret key $\widetilde{sk}$ and the query $\tilde{c}$, and responds to the query by returning the output $m$ to the adversary $\mathcal{B}$. $\mathcal{B}$ checks whether $\tilde{c} = \mathsf{PE.Enc}(\widetilde{pk}, m; H(m \| r))$ holds; if so, $m$ is presented to the adversary $\mathcal{A}$ as the query result on $c$, and $\bot$ otherwise.

In Probing Phase II, for a decryption query on $c = (r, \tilde{c})$ submitted by the adversary $\mathcal{A}$, $\mathcal{B}$'s response is the same as in Probing Phase I, with the only difference that $c = (r, \tilde{c})$ must be different from the target ciphertexts $c_b^* = (r_b^*, \tilde{c}_b^*)$ and $c_1^* = (r_1, \tilde{c}_1^*)$ of $m_b$ and $m_1$, respectively, as required by the unlink-cca experiment. Next, we analyze $\mathcal{B}$'s behavior. For any decryption query from $\mathcal{A}$, $\mathcal{B}$ can simulate the decryption oracle perfectly, except for the event, denoted by $E$, that a query $c = (r, \tilde{c})$ with $\tilde{c} = \tilde{c}_b^*$ and $r \neq r_b^*$ is a valid ciphertext. The reason is that $\tilde{c}_b^*$ is prohibited from being forwarded to the challenger, as required by the ind-cca game for PE. However, we show that the probability that the event $E$ happens is negligible. We analyze this event in two cases:

1. $m \| r$ has been queried to the hash oracle $H$ before the decryption query on $c$ is issued. Since $\tilde{c}$ is uniquely determined by $m$ and $H(m \| r)$, and $\tilde{c}_b^*$ is random in the range of all PE ciphertexts, we have $\Pr[\tilde{c} = \tilde{c}_b^*] \le \frac{1}{2^k}$, which is negligible.

2. $m \| r$ has never been queried to the hash oracle $H$ before the decryption query on $c$ is issued. Due to the idealness of the random oracle, $H(m \| r)$ is random in the range of $H$, and thus $\tilde{c}$ is random in the range of all PE ciphertexts. Hence we have $\Pr[\tilde{c} = \tilde{c}_b^*] \le \frac{1}{2^k}$, which is negligible.

Assume that $Q(k)$ is the number of decryption queries. Combining these two cases, we claim that
$$\Pr[E] \le \frac{1}{2^{k-1}} Q(k), \qquad (12)$$
which is negligible. Equation (12) shows that the behavior of the simulator in the unlink-cca game is the same as the behavior of the simulator in the unlink game up to a negligible difference, from which Theorem 3 immediately follows, based on Theorem 2.

6.2. Improved Generic PCE Based on a Deterministic Encryption

Canard et al. [7] presented a generic plaintext-checkable encryption (PCE-D) based on a deterministic encryption (DE) in the random oracle model, and claimed the following theorem for the PCE-D security.

Theorem 8. [7] If DE satisfies one-way then PCE-D in [7] satisfies unlink.

To obtain a revised scheme PCE-D' with unlink-cca security, our idea is to construct an ind-cca encryption using DE based on the result of Theorem 3. To this aim, we design the PCE-D' shown in Figure 3 using a known transformation (see the following Theorem 5 [3]) from DE to an ind-cca encryption, and present Theorem 10 to show its security.

Theorem 9. [3] Let $G$, $F$ be random hash functions and DE be a deterministic encryption scheme with the one-wayness property. Then the following scheme PE-D satisfies ind-cca:
$$\mathsf{PE\text{-}D.Enc}(\widetilde{pk}, m; r) : c \leftarrow \big(c_1 : \mathsf{DE.Enc}(\widetilde{pk}, r),\; c_2 : G(r) \oplus m,\; c_3 : F(r \| m)\big).$$
Accordingly, the decryption computes $m = c_2 \oplus G(\mathsf{DE.Dec}(\widetilde{sk}, c_1))$ and then outputs $m$ if $c_3 = F(\mathsf{DE.Dec}(\widetilde{sk}, c_1) \| m)$, or $\bot$ otherwise.

PCE-D'.Kg($1^k$):
  $(\widetilde{pk}, \widetilde{sk}) \leftarrow \mathsf{PE\text{-}D.Kg}(k)$
  $pk \leftarrow \widetilde{pk}$, $sk \leftarrow \widetilde{sk}$
  return $(pk, sk)$

PCE-D'.Enc($pk, m$):
  $\widetilde{pk} \leftarrow pk$
  $r \xleftarrow{\$} \{0,1\}^{\ell(k)}$
  $\rho \leftarrow H(m \| r)$
  $\tilde{c}_1 \leftarrow \mathsf{DE.Enc}(\widetilde{pk}, \rho)$
  $\tilde{c}_2 \leftarrow G(\rho) \oplus m$
  $\tilde{c}_3 \leftarrow F(\rho \| m)$
  $c \leftarrow (r, \tilde{c}_1, \tilde{c}_2, \tilde{c}_3)$

PCE-D'.Dec($sk, c$):
  $(\tilde{c} : (r, \tilde{c}_1, \tilde{c}_2, \tilde{c}_3)) \leftarrow c$
  $\widetilde{sk} \leftarrow sk$
  $m \leftarrow \tilde{c}_2 \oplus G(\mathsf{DE.Dec}(\widetilde{sk}, \tilde{c}_1))$
  if $\mathsf{DE.Dec}(\widetilde{sk}, \tilde{c}_1) = H(m \| r)$ and $\tilde{c}_3 = F(\mathsf{DE.Dec}(\widetilde{sk}, \tilde{c}_1) \| m)$ then return $m$

PCE-D'.Check($pk, c, m$):
  $(r, \tilde{c}_1, \tilde{c}_2, \tilde{c}_3) \leftarrow c$
  $\widetilde{pk} \leftarrow pk$
  $\rho \leftarrow H(m \| r)$
  $(\tilde{c}'_1, \tilde{c}'_2, \tilde{c}'_3) \leftarrow \mathsf{PE\text{-}D.Enc}(\widetilde{pk}, m; \rho)$
  if $(\tilde{c}'_1, \tilde{c}'_2, \tilde{c}'_3) = (\tilde{c}_1, \tilde{c}_2, \tilde{c}_3)$ then return 1 else return 0

Figure 2: Improved PCE-D'

The following Theorem 10 states the relation between the unlink-cca security of PCE-D' and the property of the underlying DE.

Theorem 10. If DE satisfies one-wayness then PCE-D' in Figure 3 satisfies unlink-cca.

Proof 7. (Sketch) This proof is a direct application of Theorem 7 combined with Theorem 9, because a PCE-D' ciphertext can be regarded as a ciphertext $\tilde{c} = (\tilde{c}_1, \tilde{c}_2, \tilde{c}_3)$ generated by a probabilistic encryption PE-D with ind-cca, together with the random element $r$ used in the generation of $\tilde{c}$.

7. Conclusion

We proposed the first generic construction of plaintext-checkable encryption (PCE) in the standard model, which satisfies the s-priv1-cca security notion. Based on an efficient instantiation of smooth projective hash functions from the DDH assumption, we obtained the most efficient PCE scheme in the standard model, which demonstrates its usability for real-world applications. We also improved Canard et al.'s construction in the random oracle model [7] to be secure under chosen ciphertext attack.

Acknowledgements

This work is supported by the National Natural Science Foundation of China (No. 61402184).

References

[1] M. Abdalla, M. Bellare, D. Catalano, E. Kiltz, T. Kohno, T. Lange, J. Malone-Lee, G. Neven, P. Paillier, and H. Shi. Searchable encryption revisited: Consistency properties, relation to anonymous IBE, and extensions. Journal of Cryptology, 21(3):350–391, 2008.

[2] M. Bellare, A. Boldyreva, and A. O'Neill. Deterministic and efficiently searchable encryption. In Advances in Cryptology – CRYPTO 2007, volume 4622 of LNCS, pages 535–552, Santa Barbara, CA, USA, August 19-23 2007. Springer, Berlin.

[3] M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security, CCS '93, pages 62–73, Fairfax, Virginia, USA, November 3-5 1993. ACM, New York.

[4] M. Bellare, H. Shi, and C. Zhang. Foundations of group signatures: The case of dynamic groups. In Topics in Cryptology – CT-RSA 2005, pages 136–153, San Francisco, CA, USA, February 14-18 2005. Springer, Berlin.

[5] D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In Advances in Cryptology – CRYPTO 2004, volume 3152 of LNCS, pages 41–55, Santa Barbara, California, USA, August 15-19 2004. Springer, Berlin.

[6] D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano. Public key encryption with keyword search. In Advances in Cryptology – EUROCRYPT 2004, volume 3027 of LNCS, pages 506–522, Interlaken, Switzerland, May 2-6 2004. Springer, Berlin.

[7] S. Canard, G. Fuchsbauer, A. Gouget, and F. Laguillaumie. Plaintext-checkable encryption. In Topics in Cryptology – CT-RSA 2012, volume 7178 of LNCS, pages 332–348, San Francisco, CA, USA, February 27-March 2 2012. Springer, Berlin.

[8] R. Cramer and V. Shoup. Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In Advances in Cryptology – EUROCRYPT 2002, volume 2332 of LNCS, pages 45–64, The Netherlands, April 28-May 2 2002. Springer, Berlin.

[9] R. Curtmola, J. Garay, S. Kamara, and R. Ostrovsky. Searchable symmetric encryption: improved definitions and efficient constructions. In ACM Conference on Computer and Communications Security, pages 79–88, Hilton Alexandria Mark Center, Alexandria, VA, USA, 30 Oct-3 Nov 2006. ACM.

[10] E. Kiltz. Chosen-ciphertext security from tag-based encryption. In Theory of Cryptography Conference, TCC 2006, volume 3876 of LNCS, pages 581–600, New York, NY, USA, March 4-7 2006. Springer, Berlin.

[11] K. Lauter. The advantages of elliptic curve cryptography for wireless security. IEEE Transactions on Wireless Communications, 11(1):62–67, 2004.

[12] K. Liang, X. Huang, F. Guo, and J. K. Liu. Privacy-preserving and regular language search over encrypted cloud data. IEEE Transactions on Information Forensics and Security, 11(10):2365–2376, 2016.

[13] K. Liang, C. Su, J. Chen, and J. K. Liu. Efficient multi-function data sharing and searching mechanism for cloud-based encryption big data. In ASIACCS 2016, pages 83–94. ACM, 2016.

[14] J. K. Liu, M. H. Au, W. Susilo, K. Liang, R. Lu, and B. Srinivasan. Secure sharing and searching for real-time video data in mobile cloud. IEEE Network, 29(2):46–50, 2015.

[15] Y. Lu, R. Zhang, and D. Lin. Stronger security model for public-key encryption with equality test. In Pairing-Based Cryptography – Pairing 2012, volume 7708 of LNCS, pages 65–82, Cologne, Germany, May 16-18 2012. Springer, Berlin.

[16] B. Lynn. Pairing based cryptography benchmarks. http://crypto.stanford.edu/pbc/times.html.

[17] S. Ma, Q. Huang, M. Zhang, and B. Yang. Efficient public key encryption with equality test supporting flexible authorization. IEEE Transactions on Information Forensics and Security, 10(3):458–470, 2015.

[18] D. X. Song, D. Wagner, and A. Perrig. Practical techniques for search on encrypted data. In IEEE Symposium on Research in Security and Privacy, pages 44–55, Berkeley, CA, 14-17 May 2000. IEEE, Piscataway, NJ, USA.

[19] S.-F. Sun, J. K. Liu, A. Sakzad, R. Steinfeld, and T. H. Yuen. An efficient non-interactive multi-client searchable encryption with support for boolean queries. In European Symposium on Research in Computer Security (ESORICS), volume 9878 of LNCS, pages 154–172, Heraklion, Greece, 2016. Springer, Berlin.

[20] Q. Tang. Towards public key encryption scheme supporting equality test with fine-grained authorization. In The 16th Australasian Conference on Information Security and Privacy (ACISP 2011), volume 6812 of LNCS, pages 389–406, Melbourne, Australia, July 11-13 2011. Springer, Berlin.

[21] Q. Tang. Public key encryption supporting plaintext equality test and user-specified authorization. Security and Communication Networks, 5(12):1351–1362, 2012.

[22] Q. Tang and L. Chen. Public-key encryption with registered keyword search. In EuroPKI 2009, volume 6391 of LNCS, pages 163–178, Pisa, Italy, September 10-11 2010. Springer, Berlin.

[23] G. Yang, C. Tan, Q. Huang, and D. S. Wong. Probabilistic public key encryption with equality test. In Topics in Cryptology – CT-RSA 2010, volume 5985 of LNCS, pages 119–131, San Francisco, CA, USA, March 1-5 2010. Springer, Berlin.

[24] X. Yang, T.-T. Lee, J. K. Liu, and X. Huang. Trust enhancement over range search for encrypted data. In IEEE TrustCom 2016, pages 66–73, Tianjin, China, 2016. IEEE.

[25] M. Yoshitomi, T. Takagi, S. Kiyomoto, and T. Tanaka. Efficient implementation of the pairing on mobilephones using BREW. Cryptology ePrint Archive, Report 2007/340, 2007. http://eprint.iacr.org/.

[26] C. Zuo, J. Macindoe, S. Yang, R. Steinfeld, and J. K. Liu. Trusted boolean search on cloud using searchable symmetric encryption. In IEEE TrustCom 2016, pages 113–120, Tianjin, China, 2016. IEEE.