Group public key encryption with equality test against offline message recovery attack

Information Sciences 510 (2020) 16–32 Contents lists available at ScienceDirect Information Sciences journal homepage: www.elsevier.com/locate/ins ...

Download PDF

1MB Sizes 0 Downloads 48 Views

Report

PDF Reader
Full Text

Information Sciences 510 (2020) 16–32

Contents lists available at ScienceDirect

Information Sciences journal homepage: www.elsevier.com/locate/ins

Group public key encryption with equality test against oﬄine message recovery attack Yunhao Ling a, Sha Ma a,∗, Qiong Huang a, Ximing Li a, Yunzhi Ling b a b

College of Mathematics and Informatics, South China Agricultural University, Guangzhou 510642, China College of Computer Science and Technology, Jilin University, Changchun 130012, China

a r t i c l e

i n f o

Article history: Received 18 October 2018 Revised 10 September 2019 Accepted 14 September 2019 Available online 14 September 2019 Keywords: Public key encryption Equality test Oﬄine message recovery attack Group

a b s t r a c t Public key encryption with equality test (PKEET) allows a tester to check whether two ciphertexts encrypted under different public keys contain the same message without decrypting them. In this paper, we ﬁrst introduce group mechanism into PKEET and propose a new primitive, namely group public key encryption with equality test (G-PKEET). G-PKEET can resist the attack that the tester can recover the message from a given ciphertext by exhaustively guessing the message oﬄine. Furthermore, the group mechanism makes PKEET supporting group granularity authorization, which could authorize a tester to perform the equality test only on ciphertexts of group users, and could greatly reduce not only the storage cost of trapdoors but also the cost of computation and communication. We deﬁne security models for G-PKEET, present its concrete construction in bilinear pairings and prove its security in the random oracle model. © 2019 Elsevier Inc. All rights reserved.

1. Introduction Public key encryption with equality test (PKEET), introduced by Yang et al. [26], is a type of searchable encryption in multiuser environment that allows a tester to check whether two ciphertexts encrypted under different public keys contain the same message without decrypting them. Its typical applications include management of encrypted data in cloud and spam ﬁltering in encrypted email systems. Due to its potential practical value, plenty of PKEET schemes (such as [5,13,15,18–20]) have been presented after Yang et al.’s work. However, PKEET is vulnerable to oﬄine message recovery attack (OMRA), which was ﬁrst described by Tang [18]. Roughly speaking, given a ciphertext C, a tester adversary aims to ﬁnd out the correct message hidden in the ciphertext C. It encrypts a guessing message M from message space M to generate ciphertext C , and then it could know whether the guessing message M is the one underlying the ciphertext C by performing equality test on C and C. When the actual message space M is of polynomial size, it is able to ﬁnd out the correct message by checking each M ∈ M. This type of attack is unavoidable due to the desired equality test functionality, similar to inside keyword guessing attack (IKGA) in public key encryption with keyword search (PEKS) [1]. Until now how to resist OMRA in PKEET is still a challenging task. Moreover, we argue that the current PKEET with authorization mechanism [5,13,15,18] is not suitable for group user scenario. Taking Fig. 1 for example, let UA , UB , UC and UD be users in a PKEET system with authorization mechanism.

∗

Corresponding author. E-mail address: [email protected] (S. Ma).

https://doi.org/10.1016/j.ins.2019.09.025 0020-0255/© 2019 Elsevier Inc. All rights reserved.

Y. Ling, S. Ma and Q. Huang et al. / Information Sciences 510 (2020) 16–32

17

Fig. 1. An illustration of PKEET with authorization mechanism.

UA and UB in the group G1 expect the tester to perform the equality test only on their ciphertexts. UC and UD in the group G2 also expect the tester to perform the equality test only on their ciphertexts. The authorization mechanism requires that UA , UB , UC and UD issue their trapdoors tdA , tdB , tdC and tdD to the tester, respectively. Note that when the tester gets a trapdoor of user (e.g. UA ) it can perform equality test on ciphertexts of this user and ciphertexts of any user (e.g. ciphertexts of UB , UC or UD ). As a consequence, when the tester gets tdA , tdB , tdC and tdD it can freely perform equality test on ciphertexts of UA , UB , UC and UD (see Fig. 1). Obviously, the behavior of tester in Fig. 1 is out of their expectation. In conclusion, this type of user granularity authorization is not suitable for group user scenario. We need a group granularity authorization in PKEET applications. 1.1. Related work Resistance Against OMRA. OMRA is inherent due to the following reasons: (1) Independent testing. The tester can independently perform the equality test. (2) Public generation of ciphertext. The tester can generate ciphertext for any guessing message. According to the ﬁrst reason, Ling et al.[10], Ma et al. [14], Tang [19] and Wu et al. [23] make use of two servers to resist OMRA under the assumption that they do not conclude. Since neither of the two servers can independently perform the equality test, the attack is launched unsuccessfully. According to the second reason, Ling et al. [11] and Wu et al. [24] disable public generation of ciphertext. Since the tester cannot encrypt any guessing message, the attack is eliminated. It is worth nothing that [11,23,24] are identity-based encryption. Resistance Against IKGA. Some PEKS schemes [2,3,6,21] have been proposed to resist IKGA. Chen et al. [2,3] and Wang et al. [21] use two-server setting and assume that the two servers do not collude. In [6], the sender encrypts a keyword using his private key and the public key of receiver, the sender encrypts a keyword using his private key and the public key of receiver, so that server cannot encrypt any guessing keyword for launching IKGA without the knowledge of sender’s private key. But these schemes lack the desired equality test functionality. PKEET with Authorization Mechanism. The concept of PKEET was proposed by Yang et al. [26], but it only achieves one-wayness under chosen-ciphertext attack (OW-CCA) security against any entity. Therefore, Tang [18], Ma et al. [13,15], and Huang et al. [5] introduced different authorization mechanisms into PKEET, respectively. Their schemes achieve OW-CCA security against the adversary who has been authorized by user and indistinguishability under chosen-ciphertext attack (INDCCA) security against the adversary who has not been authorized by user. Their authorization mechanisms then are widely used in almost all PKEET schemes. However, they do not support the group granularity authorization, and hence cannot be used in the group user scenario. 1.2. Our work In this paper, we ﬁrst introduce group mechanism into PKEET and propose a new primitive, namely group public key encryption with equality test (G-PKEET). Introduction to Group Mechanism. A G-PKEET system model is illustrated in Fig. 2. There are three parties involved: a trusted group administrator (GA), a tester and users. When a user wishes to join group, the GA issues a group public key according to his public key to him. When the GA wishes to authorize a tester to perform equality test only on ciphertexts of group users, it issues a group trapdoor to the tester. We list the properties of G-PKEET as follows. Resistance Against OMRA. To resist OMRA, Wu et al. [24] and Ling et al. [11] disable public generation of ciphertext. But their schemes require all users keep the same secret information, and then take this secret information as the part of input in encrypting a message. Similar to them, G-PKEET also disables public generation of ciphertext, but all users do not need

18

Y. Ling, S. Ma and Q. Huang et al. / Information Sciences 510 (2020) 16–32

Fig. 2. A G-PKEET system model.

Fig. 3. An illustration of group granularity authorization of group mechanism.

Table 1 Comparison on properties.

[26] [4,5,7–9,12,13,15,16,18,20,22,25–27] [10,14,19] G-PKEET

OMRA

GGA

GT

✕ ✕ √ √

✕ ✕ ✕ √

✕ ✕ ✕ √

Note: GGA: group granularity authorization. GT: group trapdoor.

to keep the same secret information. Each user takes his private key as the part of input in encrypting a message. Compared with [11,24], G-PKEET provides a better countermeasure to resist OMRA. Group Granularity Authorization. The group mechanism supports the group granularity authorization, which could authorize a tester to perform the equality test only on ciphertexts of group users. In details, each group user takes his group public key as the part of input in encrypting a message, so that group information is attached to the generated ciphertext. If two ciphertexts include different group information, they cannot be performed the equality test. Using the example above, the expectations of UA , UB , UC and UD can be achieved if they use the group granularity authorization (see Fig. 3). Group Trapdoor. To authorize a tester, the group mechanism uses group trapdoor, not trapdoors of users. Using our example from Fig. 4, if n group users authorize the tester, the authorization mechanism requires that they generate n trapdoors respectively and then the tester stores these n trapdoors, but the group mechanism requires that GA generates 1 group trapdoor gtd and then the tester stores this 1 group trapdoor. Obviously, the group mechanism could greatly reduce not only the storage cost of trapdoors but also the cost of computation and communication. Comparison on Properties. In Table 1 we make a comparison on properties among G-PKEET and most PKEET schemes [4,5,7–10,12–16,18–20,22,25–27].

Y. Ling, S. Ma and Q. Huang et al. / Information Sciences 510 (2020) 16–32

19

Fig. 4. The comparison of trapdoor between authorization mechanism and group mechanism.

The second to fourth columns show the resistance of oﬄine message recovery attack, group granularity authorization and group trapdoor, respectively. It can be learnt from Table 1 that G-PKEET and [10,14,19] can resist OMRA. Only G-PKEET supports the group granularity authorization and group trapdoor. In conclusion, G-PKEET is very promising in particular PKEET applications. 1.3. Our contributions The contributions of this paper can be summarized as follows. We ﬁrst introduce group mechanism into public key encryption with equality test and propose a new primitive, namely group public key encryption with equality test (GPKEET). G-PKEET can resist the attack that tester can recover the message from a given ciphertext by exhaustively guessing the message oﬄine. Furthermore, the group mechanism makes PKEET supporting group granularity authorization and could greatly reduce not only the storage cost of trapdoors but also the cost of computation and communication. We deﬁne security models for G-PKEET and present its concrete construction in bilinear group. We prove G-PKEET scheme satisfying OW-CCA security against the adversary who has been authorized by group administrator and IND-CCA security against the adversary who has not been authorized by group administrator in the random oracle model. 1.4. Paper organization In the next section we give preliminaries. Then we give the deﬁnition and security model of G-PKEET in Section 3 and its construction in Section 4. In Section 5, we give the security analysis of G-PKEET. In Section 6, we compare G-PKEET scheme with related PKEET schemes. Finally, we conclude this paper in Section 7. 2. Preliminaries Bilinear map. Let G = g and GT be cyclic groups of prime order p. A bilinear map e : G × G → GT satisﬁes the following properties: 1. Bilinear: For any g ∈ G and a, b ∈ Z∗p , e(ga , gb ) = e(g, g)ab ; 2. Non-degenerate: e(g, g) = 1GT , where 1GT is the generator of GT ; 3. Computable: e is eﬃciently computable. R

Computational Diﬃe-Hellman (CDH) Problem. Let G be a group of prime order p. In this paper, We denote by ← the process of uniformly sampling a random element. We say that the CDH problem is hard in G, if given (g, ga , gc ) ∈ G3 as R

input for random g ∈ G and a, c ← Z∗p , any randomized algorithm A computes gac with negligible advantage , CDH de f

AdvA,G = Pr[A(g, ga , gc ) = gac ] ≤ . 3. Deﬁnition 3.1. Group public key encryption with equality test Deﬁnition 1. A G-PKEET consists of the following eight algorithms (Setup, KeyGenuser , KeyGengroup , Join, Enc, Dec, Aut, Test) operating over plaintext space M, ciphertext space C and key space K.

20

Y. Ling, S. Ma and Q. Huang et al. / Information Sciences 510 (2020) 16–32

Fig. 5. An illustration of adversaries for G-PKEET.

• • • •

•

•

• •

Setup(λ): It takes as input a security parameter λ, and returns a public system parameter PP. KeyGenuser (PP): It takes as input public system parameter PP, and returns a public/secret key pair (pki , ski ). KeyGengroup (PP): It takes as input public system parameter PP, and returns a group secret key gsk. It is run by GA. Join(gsk, pki ): It takes as input a group secret key gsk and a public key pki , and returns a group public key gpki for group user Ui . It is run by GA. Enc(gpki , ski , pkj , M): It takes as input group public key gpki and secret key ski of the group user Ui , public key pkj of the group user Uj and a message M, where Ui and Uj refer as to a sender and a receiver respectively, and returns a ciphertext Ci,j . Dec(gpki , skj , Ci,j ): It takes as input group public key gpki of the group user Ui , secret key skj of the group user Uj , where Ui and Uj refer as to a sender and a receiver respectively, and a ciphertext Ci,j , and returns the message M. Aut(gsk): It takes as input a group secret key gsk and returns a group trapdoor gtd. It is run by GA. Test(Ci, j , Ci , j , gtd): It takes as input two ciphertexts Ci,j , Ci , j and a group trapdoor gtd, and returns 1 if Ci,j and Ci , j contain the same message and 0 otherwise.

Deﬁnition 2. (Correctness): If a G-PKEET scheme is correct, then these algorithms must satisfy the following conditions. If P P ← Setup(λ ), ( pki , ski ) ← KeyGenuser (P P ), ( pk j , sk j ) ← KeyGenuser (P P ), ( pki , ski ) ← KeyGenuser (P P ), ( pk j , sk j ) ← KeyGenuser (PP ), gsk ← KeyGengroup (PP ), gpki ← Join(gsk, pki ), gpk j ← Join(gsk, pk j ), gpki ← Join(gsk, pki ), gpk j ← Join(gsk, pk j ), gtd ← Aut(gsk ), Ci, j ← Enc(gpki , ski , pk j , M ), Ci , j ← Enc(gpki , ski , pk j , M ) and Ci , j ← Enc(gpki , ski , pk j , M ), where ∀M, M ∈ M and M = M , then 1) Pr[Dec(gpki , sk j , Ci, j ) = M] = 1. 2) Pr[Test(Ci, j , Ci , j , gtd ) = 1] = 1. 3) Pr[Test(Ci, j , Ci , j , gtd ) = 1] is negligible. 3.2. Security models To deﬁne security models for G-PKEET, we consider the following adversaries (see Fig. 5). 1) Type-I adversary: The attacker who has been authorized by GA. 2) Type-II adversary: The attacker who has not been authorized by GA. OW-CCA security Against Type-I Adversary. Assume that A1 is the type-I adversary. We deﬁne OW-CCA security against the adversary for G-PKEET scheme by the following game. 1. Setup: The challenger runs the Setup algorithm using a security parameter λ to generate public system parameter PP. Then it runs the KeyGenuser algorithm n times to generate n group users’ public/secret key pairs (pki , ski ), where 1 ≤ i ≤ n, runs the KeyGengroup algorithm to generate a group secret key gsk, runs the Join algorithm n times to generate n group users’ group public keys gpki , where 1 ≤ i ≤ n, and runs the Aut algorithm to generate a group trapdoor gtd. Finally, it randomly chooses targets i∗ and j∗ as challenge sender and challenge receiver, respectively, where 1 ≤ i∗ , j∗ ≤ n, and then gives PP, all pki and gpki , gtd, i∗ and j∗ to the adversary A1 . 2. Phase 1: A1 is allowed to issue the following kinds of queries for polynomially many times. The constraint is that j∗ does not appear in OKey oracle. • OKey query i. The challenger returns sk to A1 . i • OEnc query i, j, M. The challenger returns C i, j ← Enc (gpki , ski , pk j , M ) to A1 .

Y. Ling, S. Ma and Q. Huang et al. / Information Sciences 510 (2020) 16–32

21

• ODec query i, j, C . The challenger returns M ← Dec (gpk , sk , C ) to A1 . i j i, j i,j 3. Challenge: The challenger randomly chooses a plaintext M ∈ M and sets Ci∗∗ , j∗ ← Enc(gpki∗ , ski∗ , pk j∗ , M ). Finally, it sends Ci∗∗ , j∗ to A1 as challenge ciphertext. 4. Phase 2: A1 is able to issue queries in the same way as in Phase 1 with the constraint that (i∗ , j∗ , Ci∗∗ , j∗ ) does not appear in ODec oracle. 5. Guess: A1 outputs M ∈ M and wins if M = M.

The advantage of A1 in the game above is deﬁned as

AdvG−PKE E T,A1 (λ ) = Pr[M = M]. OW-CCA

Deﬁnition 3. A G-PKEET scheme is OW-CCA security if AdvG−PKE E T,A1 (λ ) = Pr[M = M] is negligible for all OW-CCA adversaries. IND-CCA security Against Type-II Adversary. Assume that A2 is the type-II adversary. We deﬁne IND-CCA security against the adversary for G-PKEET scheme by the following game. Note that this type of adversary cannot obtain group trapdoor gtd. OW-CCA

1. Setup: The challenger runs the Setup algorithm using a security parameter λ to generate public system parameter PP. Then it runs the KeyGenuser algorithm n times to generate n group users’ public/secret key pairs (pki , ski ), where 1 ≤ i ≤ n, runs the KeyGengroup algorithm to generate a group secret key gsk, runs the Join algorithm n times to generate n group users’ group public keys gpki , where 1 ≤ i ≤ n, and runs the Aut algorithm to generate a group trapdoor gtd. Finally, it randomly chooses targets i∗ and j∗ as challenge sender and challenge receiver, respectively, where 1 ≤ i∗ , j∗ ≤ n, and then gives PP, all pki and gpki , i∗ and j∗ to the adversary A2 . 2. Phase 1: A2 is allowed to issue the following kinds of queries for polynomially many times. The constraint is that j∗ does not appear in OKey oracle. • OKey query i. The challenger returns sk to A2 . i • OEnc query i, j, M. The challenger returns C i, j ← Enc (gpki , ski , pk j , M ) to A2 . • ODec query i, j, C . The challenger returns M ← Dec (gpk , sk , C ) to A2 . i j i, j i,j 3. Challenge: A2 randomly chooses two equal-length plaintexts M0 , M1 ∈ M and sends them to the challenger. The challenger randomly chooses a bit b ∈ {0, 1} and sets Ci∗∗ , j∗ ← Enc(gpki∗ , ski∗ , pk j∗ , Mb ). Finally, it sends Ci∗∗ , j∗ to A2 as challenge ciphertext. 4. Phase 2: A2 is able to issue queries in the same way as in Phase 1 with the constraint that (i∗ , j∗ , Ci∗∗ , j∗ ) does not appear in ODec oracle. 5. Guess: A2 outputs b and wins if b = b. The advantage of A2 in the game above is deﬁned as

AdvG−PKE E T,A2 (λ ) = |Pr[b = b] − 1/2|. IND-CCA

Deﬁnition 4. A G-PKEET scheme is IND-CCA security if AdvG−PKE E T,A2 (λ ) = |Pr[b = b] − 1/2| is negligible for all IND-CCA adversaries. IND-CCA

4. Construction We present our construction for G-PKEET scheme as follows: •

•

Setup(λ): This algorithm outputs systen parameter P P = (G, GT , p, g, e, H1 , H2 , H3 , H4 ) as follows. (a) Generate bilinear pairing parameters: group G, GT of prime order p, a bilinear map e : G × G → GT , a random generator g of G. (b) Select four hash functions H1 : {0, 1}l1 → G, H2 : G → G, H3 : G → {0, 1}l1 +l2 and H4 : {0, 1}∗ → {0, 1}λ , where l1 and l2 represent the length of message and the length of Z p , respectively, and λ represents the security parameter. R

KeyGenuser (PP): This algorithm randomly selects xi ← Z∗p and outputs a public/secret key pair (pki , ski ).

( pki , ski ) = (gxi , xi ). R

•

KeyGengroup (PP): This algorithm randomly selects s1 , s2 ← Z∗p and outputs a group secret key.

•

Join(gsk, pki ): This algorithm outputs group public key for group user Ui ,

gsk = (s1 , s2 ). gpki = (gxi s1 , gs2 ). •

R

Enc(gpki , ski , pkj , M): This algorithm randomly selects r1 , r2 ← Z∗p and outputs a ciphertext Ci, j = (C1 , C2 , C3 , C4 , C5 ) as follows.

C1 = gxi s1 r1 , C2 = H1 (M )xi r1 · H2 (gs2 r2 ),

22

Y. Ling, S. Ma and Q. Huang et al. / Information Sciences 510 (2020) 16–32

C3 = gr2 , C4 = H3 (gx j r2 ) (M||r1 ), C5 = H4 (C1 ||C2 ||C3 ||C4 ||M||r1 ). •

x

Dec(gpki , skj , Ci,j ): This algorithm computes (M ||r1 ) ← C4 H3 (C3 j ). If

C1 = gxi s1 r1 , C5 = H4 (C1 ||C2 ||C3 ||C4 ||M ||r1 ), • •

return M ; otherwise, return ⊥. Aut(gsk): This algorithm outputs a group trapdoor gtd = s2 . Test(Ci, j , Ci , j , gtd): This algorithm outputs 1 if

e(C1 , C2 /H2 ((C3 )s2 )) = e(C1 , C2 /H1 (C3s2 )); otherwise returns 0. Theorem 1. The G-PKEET scheme is correct according to Deﬁnition 2. Proof. The proof is straightforward, as follows. If P P ← Setup(λ ), ( pki , ski ) ← KeyGenuser (P P ), ( pk j , sk j ) ← KeyGenuser (P P ), ( pki , ski ) ← KeyGenuser (PP ), ( pk j , sk j ) ← KeyGenuser (PP ), gsk ← KeyGengroup (PP ), gpki ← Join(gsk, pki ), gpk j ← Join(gsk, pk j ), gpki ← Join(gsk, pki ), gpk j ← Join(gsk, pk j ), gtd ← Aut(gsk ), Ci, j ← Enc(gpki , ski , pk j , M ), Ci , j ← Enc(gpki , ski , pk j , M ) and Ci , j ← Enc(gpki , ski , pk j , M ), where ∀M, M ∈ M and M = M , then 1) It is easy to be veriﬁed. 2) We have

e(C1 , C2 /H2 ((C3 )s2 )) = e(g, H1 (M ))xi s1 r1 xi r1 ,

e(C1 , C2 /H2 (C3s2 )) = e(g, H1 (M ))xi s1 r1 xi r1 . It is easy to see that e(C1 , C2 /H2 ((C3 )s2 )) = e(C1 , C2 /H2 (C32 )). s

3) According to above we have e(C1 , C2 /H2 ((C3 )s2 )) = e(g, H1 (M ))xi s1 r1 xi r1 and e(C1 , C2 /H2 (C32 )) = e(g, H1 (M ))xi s1 r1 xi r1 . They are equal with probability 1/p, which is negligible. s

5. Security analysis Theorem 2. G-PKEET scheme is OW-CCA security against type-I adversary in the random oracle model assuming CDH problem is intractable. Proof. Let A1 be a probabilistic polynomial time (PPT) adversary attacking the OW-CCA security of the G-PKEET scheme. Suppose that A1 makes at most qH1 H1 hash queries, qH2 H2 hash queries, qH3 H3 hash queries, qH4 H4 hash queries, qKey

secret key queries, qEnc encryption queries and qDec decryption queries. Let AdvG−PKE E T,A1 (λ ) denotes the advantage of A1 in the OW-CCA security experiment. The security analysis is done by a sequence of games [17]. We ﬁrstly consider the original game. OW-CCA

Game 1.0 R

R

1) P P ← (G, GT , p, g, e ), xi ← Z∗p , ski = xi , pki = gxi , where 1 ≤ i ≤ n, s1 , s2 ← Z∗p , gsk = (s1 , s2 ), gpki = (gxi s1 , gs2 ), where R i∗ , j ∗ ←

1 ≤ i ≤ n, gtd = s2 , {1, 2, . . . , n}. H1 , H2 , H3 and H4 are set as random oracles. Hash query. At any time A1 can query the random oracle H1 , H2 , H3 and H4 . The challenger prepares four hash tables to record all queries and responses as follows, where all hash tables are empty at the beginning. OH1 query v1 : On input v1 , if v1 has been asked, h1 corresponding to v1 is returned. Otherwise, the challenger R

randomly selects uM ← Z∗p , computes h1 = guM ∈ G, adds (v1 , uM , h1 ) into T1 for OH1 and returns the h1 . OH2 query v1 : On input v1 , a compatible random value h2 from G is returned, where by compatible we mean that if the same input is asked multiple times, the same answer will be returned. The challenger adds (v1 , h2 ) into T2 for OH2 . OH3 query v1 : On input v1 , a compatible random value h3 from the set {0, 1}l1 +l2 is returned. The challenger adds (v1 , h3 ) into T3 for OH3 . OH4 query v1 : On input v1 , a compatible random value h4 from the set {0, 1}λ is returned. The challenger adds (v1 , h4 ) into T4 for OH4 .

Y. Ling, S. Ma and Q. Huang et al. / Information Sciences 510 (2020) 16–32

23

OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

2) state ← A1 1 2 3 4 (PP, { pki , gpki }ni=1 , gtd, i∗ , j∗ ), where the oracles are simulated as follows. The ∗ constraint is that j does not appear in OKey oracle. OKey query i: On input an index i, the challenger returns xi . OEnc query i, j, M: On input an index i, an index j and a plaintext M, the challenger returns Ci, j ← Enc(gpki , ski , pk j , M ). ODec query i, j, Ci,j : On input an index i, an index j and a ciphertext Ci,j , the challenger returns M ← Dec(gpki , sk j , Ci, j ). R

R

3) M ← {0, 1}l1 , r1 , r2 ← Z∗p , Ci∗∗ , j∗ = (C1∗ , C2∗ , C3∗ , C4∗ , C5∗ ) deﬁned as follows:

C1∗ = gxi∗ s1 r1 , C2∗ = H1 (M )xi∗ r1 · H2 (gs2 r2 ), C3∗ = gr2 , C4∗ = H3 (gx j∗ r2 ) (M||r1 ), C5∗ = H4 (C1∗ ||C2∗ ||C3∗ ||C4∗ ||M||r1 ). OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

4) M ← A1 1 2 3 4 (stat e, Ci∗∗ , j∗ ). The constraint are that j∗ does not appear in OKey oracle and (i∗ , j∗ , Ci∗∗ , j∗ ) does not appear in ODec oracle. Let S1.0 be the event that M = M in Game 1.0. We have that

AdvG-PKEET,A (qH1 , qH2 , qH3 , qH4 , qKey , qEnc , qDec ) = Pr[S1.0 ]. 1 OW-CCA

(1)

Game 1.1 R

R

1) P P ← (G, GT , p, g, e ), xi ← Z∗p , ski = xi , pki = gxi , where 1 ≤ i ≤ n, s1 , s2 ← Z∗p , gsk = (s1 , s2 ), gpki = (gxi s1 , gs2 ), where R

1 ≤ i ≤ n, gtd = s2 , i∗ , j∗ ← {1, 2, . . . , n}. H1 , H2 , H3 and H4 are set as random oracles. Hash query. At any time A1 can query the random oracle H1 , H2 , H3 and H4 . The challenger prepares four hash tables to record all queries and responses as follows, where all hash tables are empty at the beginning. OH1 query v1 , OH2 query v1 , OH3 query v1 and OH4 query v1 : Same as that in Game 1.0. OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

2) state ← A1 1 2 3 4 (PP, { pki , gpki }ni=1 , gtd, i∗ , j∗ ), where the oracles are simulated as follows. The constraint is that j∗ does not appear in OKey oracle. OKey query i: Same as that in Game 1.0. R

OEnc query i, j, M: The challenger randomly selects r1 , r2 ← Z∗p and outputs a ciphertext Ci, j = (C1 , C2 , C3 , C4 , C5 ) as follows. It computes

C1 = gxi s1 r1 , C3 = gr2 . It then performs a query to OH1 on input M to get answer h1 , a query to OH2 on input gs2 r2 to get answer h2 and a query to OH3 on input gx j r2 to get answer h3 . It computes

C2 = hx1i r1 · h2 , C4 = h3 (M||r1 ). Finally, it performs a query to OH4 on input (C1 ||C2 ||C3 ||C4 ||M||r1 ) to get answer h4 and sets

C5 = h4 . The challenger adds (v1 , h1 ) to table T1 for OH1 , (v1 , h2 ) to table T2 for OH2 , (v1 , h3 ) to table T3 for OH3 and (v1 , h4 ) to table T4 for OH4 , and returns Ci,j to A1 . x

ODec query i, j, Ci,j : The challenger performs a query to OH3 on input C3 j to get the answer h3 . It then computes

C4 h3 to get M ||r1 and veriﬁes C1 = gxi s1 r1 . If the veriﬁcation fails, return ⊥. Then the challenger performs a query to OH4 on input (C1 ||C2 ||C3 ||C4 ||M ||r1 ) to get answer h4 and veriﬁes if C5 and h4 are equal. If so, the challenger sends M to A ; otherwise it sends ⊥ to A . 1

R

1

R

R

3) M ← {0, 1}l1 , r1 , r2 ← Z∗p , W1∗.1 ← {0, 1}l1 +l2 , Ci∗∗ , j∗ = (C1∗ , C2∗ , C3∗ , C4∗ , C5∗ ) deﬁned as follows:

C1∗ = gxi∗ s1 r1 , C2∗ = H1 (M )xi∗ r1 · H2 (gs2 r2 ), C3∗ = gr2 , C4 = W1∗.1 (M||r1 ), C5∗ = H4 (C1∗ ||C2∗ ||C3∗ ||C4∗ ||M||r1 ). Add tuple (gx j∗ r2 , W1∗.1 ) into table T3 for OH3 .

24

Y. Ling, S. Ma and Q. Huang et al. / Information Sciences 510 (2020) 16–32 OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

4) M ← A1 1 2 3 4 (stat e, Ci∗∗ , j∗ ). The constraint are that j∗ does not appear in OKey oracle and ∗ ∗ ∗ (i , j , Ci∗ , j∗ ) does not appear in ODec oracle. Let S1.1 be the event that M = M in Game 1.1. Since the idealness of the random oracle, Game 1.1 is identical to Game 1.0. We have that

Pr[S1.1 ] = Pr[S1.0 ].

(2)

Game 1.2 R

R

1) P P ← (G, GT , p, g, e ), xi ← Z∗p , ski = xi , pki = gxi , where 1 ≤ i ≤ n, s1 , s2 ← Z∗p , gsk = (s1 , s2 ), gpki = (gxi s1 , gs2 ), where R

1 ≤ i ≤ n, gtd = s2 , i∗ , j∗ ← {1, 2, . . . , n}. H1 , H2 , H3 and H4 are set as random oracles. Hash query. At any time A1 can query the random oracle H1 , H2 , H3 and H4 . The challenger prepares four hash tables to record all queries and responses as follows, where all hash tables are empty at the beginning. OH1 query v1 , OH2 query v1 and OH4 query v1 : Same as that in Game 1.1. OH3 query v1 : Same as that in Game 1.1, except that if A1 asks (C3∗ )x j∗ . We denote the event by E1 . OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

2) state ← A1 1 2 3 4 (PP, { pki , gpki }ni=1 , gtd, i∗ , j∗ ), where the oracles are simulated as follows. The ∗ constraint is that j does not appear in OKey oracle. OKey query i and OEnc query i, j, M: Same as that in Game 1.1. ODec query i, j, Ci,j : Same as that in Game 1.1, except that if A1 asks for decryption of (C1∗ , C2∗ , C3∗ , (C4∗ ) , C5∗ ) after obtaining the challenge ciphertext Ci∗∗ , j∗ (see below), where (C4∗ ) = C4∗ , ⊥ is returned. R

R

R

3) M ← {0, 1}l1 , r1 , r2 ← Z∗p , W2∗.1 ← {0, 1}l1 +l2 , Ci∗∗ , j∗ = (C1∗ , C2∗ , C3∗ , C4∗ , C5∗ ) deﬁned as follows:

C1∗ = gxi∗ s1 r1 , C2∗ = H1 (M )xi∗ r1 · H2 (gs2 r2 ), C3∗ = gr2 , C4∗ = W2∗.1 , C5∗ = H4 (C1∗ ||C2∗ ||C3∗ ||C4∗ ||M||r1 ). Add the tuple (gx j∗ r2 , W2∗.1 (M||r1 )) into table T3 for OH3 . OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

4) M ← A1 1 2 3 4 (stat e, Ci∗∗ , j∗ ). The constraint are that j∗ does not appear in OKey oracle and (i∗ , j∗ , Ci∗∗ , j∗ ) does not appear in ODec oracle. Let S1.2 be the event that M = M in Game 1.2. Since C4∗ is a random value in both Game 1.1 and Game 1.2, the challenge ciphertext generated in Game 1.1 is identically distributed to that in Game 1.2. Therefore, if event E1 does not occur, Game 1.2 is identical to Game 1.1. We have that

|Pr[S1.2 ] − Pr[S1.1 ]| ≤ Pr[E1 ].

(3)

We will show that the event E1 occurs with negligible probability. Lemma 1. Event E1 happens in Game 1.2 with negligible probability if CDH problem is intractable. Proof. Suppose that Pr[E1 ] is non-negligible. We construct a simulator B1 to run A1 for breaking the CDH assumption. Given a tuple (G, GT , p, e, g, ga , gc ), it runs A1 and works as follows. R

R

1) B1 sets sets P P = (G, GT , p, g, e ). It randomly selects s1 , s2 ← Z∗p and i∗ , j∗ ← {1, 2, . . . , n}, and sets gsk = (s1 , s2 ), R

pk j∗ = ga , which implies sk j∗ = a, and gpk j∗ = ((ga )s1 , gs2 ). Then it randomly selects xi ← Z∗p , and sets ski = xi , pki = gxi , gpki = (gxi s1 , gs2 ), where 1 ≤ i ≤ n∧i = j∗ , and gtd = s2 . H1 , H2 , H3 and H4 are set as random oracles. Hash query. At any time A1 can query the random oracle H1 , H2 , H3 and H4 . B1 prepares four hash tables to record all queries and responses as follows, where all hash tables are empty at the beginning. OH1 query v1 , OH2 query v1 and OH4 query v1 : Same as that in Game 1.1. OH3 query v1 : Same as that in Game 1.1, except that if A1 asks (C3∗ )x j∗ = gac (note that B1 can know if the equation holds by checking if e(v1 , g) and e(ga , gc ) are equal). We denote the event by E1 . OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

2) state ← A1 1 2 3 4 (PP, { pki , gpki }ni=1 , gtd, i∗ , j∗ ), where the oracles are simulated as follows. The constraint is that j∗ does not appear in OKey oracle. OKey query i: Same as that in Game 1.1. R

OEnc query i, j, M: Same as that in Game 1.1, except that for the query j∗ , · , · , B1 randomly selects r1 , r2 ← Z∗p and outputs a ciphertext Ci, j = (C1 , C2 , C3 , C4 , C5 ) as follows. It computes

C1 = (ga )s1 r1 , C3 = gr2 .

Y. Ling, S. Ma and Q. Huang et al. / Information Sciences 510 (2020) 16–32

25

It then performs a query to OH1 on input M to get answer (v1 , uM , h1 ), a query to OH2 on input gs2 r2 to get answer h2 and a query to OH3 on input gx j r2 to get answer h3 . It computes

C2 = (ga )uM r1 · h2 , C4 = h3 (M||r1 ). Finally, it performs a query to OH4 on input (C1 ||C2 ||C3 ||C4 ||M||r1 ) to get answer h4 and sets

C5 = h4 . It adds (v1 , h1 ) to table T1 for OH1 , (v1 , h2 ) to table T2 for OH2 , (v1 , h3 ) to table T3 for OH3 and (v1 , h4 ) to table T4 for OH4 , and returns Ci,j to A1 . ODec query i, j, Ci,j : Same as that in Game 1.1, except that for the query · , j∗ , · , if A1 asks for decryption of (C1∗ , C2∗ , C3∗ , (C4∗ ) , C5∗ ) after obtaining the challenge ciphertext Ci∗∗ , j∗ (see below), where (C4∗ ) = C4∗ , ⊥ is returned. Oth

erwise, it searches T3 to get h3 . For each tuple (v1 , h3 ), B1 computes M ||r1 = C4 h3 and veriﬁes if C1 = gxi s1 r1 . If the veriﬁcation fails, return ⊥. Then it searches T4 on input (C1 ||C2 ||C3 ||C4 ||M ||r1 ) to get h4 and veriﬁes if C5 and h4 are equal. If so, B1 returns M. If there is not a compatible tuple, it returns ⊥. R

R

R

3) M ← {0, 1}l1 , r1 ← Z∗p , (W2∗.1 ) ← {0, 1}l1 +l2 , Ci∗∗ , j∗ = (C1∗ , C2∗ , C3∗ , C4∗ , C5∗ ) deﬁned as follows:

C1∗ = gxi∗ s1 r1 , C2∗ = H1 (M )xi∗ r1 · H2 ((gc )s2 ), C3∗ = gc , C4∗ = (W2∗.1 ) , C5∗ = H4 (C1∗ ||C2∗ ||C3∗ ||C4∗ ||M||r1 ). Add the tuple (, (W2∗.1 ) (M||r1 )) into table T3 for OH3 , where means that the value is unknown yet. OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

4) M ← A1 1 2 3 4 (stat e, Ci∗∗ , j∗ ). The constraint are that j∗ does not appear in OKey oracle and ∗ ∗ ∗ (i , j , Ci∗ , j∗ ) does not appear in ODec oracle. Indistinguishable simulation. According to the setting of the simulation, the correctness and randomness property of the simulation hold. Given a decryption query i, j, Ci,j , B1 can perform a perfect decryption simulation if i, j, Ci,j = · , j∗ , · . If i, j, Ci, j = ·, j∗ , ·, we have the following cases. 1. C3a has been queried to OH3 before a decryption query is issued. In this case, C4 is uniquely determined after C3a is queried to OH3 . So the decryption oracle is simulated perfectly. 2. C3a has never been queried to OH3 when a decryption query is issued. In this case, ⊥ is returned by the decryption oracle. The simulation fails if Ci,j is a valid ciphertext. However, due to the idealness of the random oracle, this happens with probability 1/2l1 +l2 . Denote E2 the event that a valid ciphertext is rejected in the simulation. Then we have Pr[E2 ] ≤ qD /2l1 +l2 , which is negligible. Thus, B1 performs the decryption simulation correctly except with negligible probability. Probability of successful simulation. The probability of successful simulation is 1 as the simulated game does not abort. Analysis. Since A1 queries (C3∗ )a to OH3 with probability Pr[E1 ], B1 can solve the CDH problem with probability Pr[E1 ]. We have Pr[E1 ] = AdvA,G . Furthermore, if E2 does not happen, the simulated game is indistinguishable from the Game 1.2. We have Pr[E1 |¬E2 ] = Pr[E1 ]. CDH

Pr[E1 ] = Pr[E1 |E2 ]Pr[E2 ] + Pr[E1 |¬E2 ]Pr[¬E2 ]

≥ Pr[E1 |¬E2 ]Pr[¬E2 ] = Pr[E1 ](1 − Pr[E2 ] ) ≥ Pr[E1 ] − Pr[E2 ].

Therefore, AdvA,G ≥ Pr[E1 ] − qD /2l1 +l2 . That is, CDH

Pr[E1 ] ≤ AdvA,G + qD /2l1 +l2 , CDH

which is negligible. This completes the proof of Lemma 1.

(4)

Finally, we analyse the challenge ciphertext Ci∗∗ , j∗ in Game 1.2:

C1∗ = gxi∗ s1 r1 , C2∗ = H1 (M )xi∗ r1 · H2 (gs2 r2 ), C3∗ = gr2 , C4∗ = W2∗.1 , C5∗ = H4 (C1∗ ||C2∗ ||C3∗ ||C4∗ ||M||r1 ).

26

Y. Ling, S. Ma and Q. Huang et al. / Information Sciences 510 (2020) 16–32

Due to the idealness of the random oracle, A1 can ﬁgure out M by H1 (M )xi∗ r1 and H4 (C1∗ ||C2∗ ||C3∗ ||C4∗ ||M||r1 ) with negligible probability , that is,

Pr[S1.2 ] ≤ .

(5)

Combining (1) – (5), we have that

AdvG-PKEET,A (qH1 , qH2 , qH3 , qH4 , qKey , qEnc , qDec ) 1 OW-CCA

≤ AdvA,G + qD /2l1 +l2 + , CDH

which is negligible. The proof of Theorem 2 is completed. Theorem 3. G-PKEET scheme is IND-CCA security against type-II adversary in the random oracle model assuming CDH problem is intractable. Proof. Let A2 be a PPT adversary attacking the IND-CCA security of the G-PKEET scheme. Suppose that A2 makes at most qH1 H1 hash queries, qH2 H2 hash queries, qH3 H3 hash queries, qH4 H4 hash queries, qKey secret key queries, qEnc encryption queries and qDec decryption queries. Let AdvG−PKE E T,A2 (λ ) denotes the advantage of A2 in the IND-CCA security experiment. The security analysis is done by a sequence of games [17]. We ﬁrstly consider the original game. IND-CCA

Game 2.0 R

R

1) P P ← (G, GT , p, g, e ), xi ← Z∗p , ski = xi , pki = gxi , where 1 ≤ i ≤ n, s1 , s2 ← Z∗p , gsk = (s1 , s2 ), gpki = (gxi s1 , gs2 ), where R

1 ≤ i ≤ n, gtd = s2 , i∗ , j∗ ← {1, 2, . . . , n}. H1 , H2 , H3 and H4 are set as random oracles. Hash query. At any time A2 can query the random oracle H1 , H2 , H3 and H4 . The challenger prepares four hash tables to record all queries and responses as follows, where all hash tables are empty at the beginning. OH1 query v1 : On input v1 , if v1 has been asked, h1 corresponding to v1 is returned. Otherwise, the challenger R

randomly selects uM ← Z∗p , computes h1 = guM ∈ G, adds (v1 , uM , h1 ) into T1 for OH1 and returns the h1 . OH2 query v1 : On input v1 , a compatible random value h2 from G is returned. The challenger adds (v1 , h2 ) into T2 for OH2 . OH3 query v1 : On input v1 , a compatible random value h3 from the set {0, 1}l1 +l2 is returned. The challenger adds (v1 , h3 ) into T3 for OH3 . OH4 query v1 : On input v1 , a compatible random value h4 from the set {0, 1}λ is returned. The challenger adds (v1 , h4 ) into T4 for OH4 . OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

2) {M0 , M1 } ← A2 1 2 3 4 (PP, { pki , gpki }ni=1 , i∗ , j∗ ), where the oracles are simulated as follows. The constraint is that j∗ does not appear in OKey oracle. OKey query i: On input an index i, the challenger returns xi . OEnc query i, j, M: On input an index i, an index j and a plaintext M, the challenger returns Ci, j ← Enc(gpki , ski , pk j , M ). ODec query i, j, Ci,j : On input an index i, an index j and a ciphertext Ci,j , the challenger returns M ← Dec(gpki , sk j , Ci, j ). R

R

3) b ← {0, 1}, r1 , r2 ← Z∗p , Ci∗∗ , j∗ = (C1∗ , C2∗ , C3∗ , C4∗ , C5∗ ) deﬁned as follows:

C1∗ = gxi∗ s1 r1 , C2∗ = H1 (Mb )xi∗ r1 · H2 (gs2 r2 ), C3∗ = gr2 , C4∗ = H3 (gx j∗ r2 ) (Mb ||r1 ), C5∗ = H4 (C1∗ ||C2∗ ||C3∗ ||C4∗ ||Mb ||r1 ). OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

4) b ← A2 1 2 3 4 does not appear in ODec oracle.

(Ci∗∗ , j∗ ). The constraint are that j∗ does not appear in OKey oracle and (i∗ , j∗ , Ci∗∗ , j∗ )

Let S2.0 be the event that b = b in Game 2.0. We have that

AdvG-PKEET,A (qH1 , qH2 , qH3 , qH4 , qKey , qEnc , qDec ) = |Pr[S2.0 ] − 1/2|. 2 IND-CCA

(6)

Game 2.1 R

R

1) P P ← (G, GT , p, g, e ), xi ← Z∗p , ski = xi , pki = gxi , where 1 ≤ i ≤ n, s1 , s2 ← Z∗p , gsk = (s1 , s2 ), gpki = (gxi s1 , gs2 ), where R

1 ≤ i ≤ n, gtd = s2 , i∗ , j∗ ← {1, 2, . . . , n}. H1 , H2 , H3 and H4 are set as random oracles. Hash query. At any time A2 can query the random oracle H1 , H2 , H3 and H4 . The challenger prepares four hash tables to record all queries and responses as follows, where all hash tables are empty at the beginning. OH1 query v1 , OH2 query v1 , OH3 query v1 and OH4 query v1 : Same as that in Game 2.0.

Y. Ling, S. Ma and Q. Huang et al. / Information Sciences 510 (2020) 16–32

27

OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

2) {M0 , M1 } ← A2 1 2 3 4 (PP, { pki , gpki }ni=1 , i∗ , j∗ ), where the oracles are simulated as follows. The ∗ constraint is that j does not appear in OKey oracle. OKey query i: Same as that in Game 2.0. R

OEnc query i, j, M: The challenger randomly selects r1 , r2 ← Z∗p and outputs a ciphertext Ci, j = (C1 , C2 , C3 , C4 , C5 ) as follows. It computes

C1 = gxi s1 r1 , C3 = gr2 . It then performs a query to OH1 on input M to get answer h1 , a query to OH2 on input gs2 r2 to get answer h2 and a query to OH3 on input gx j r2 to get answer h3 . It computes

C2 = hx1i r1 · h2 , C4 = h3 (M||r1 ). Finally, it performs a query to OH4 on input (C1 ||C2 ||C3 ||C4 ||M||r1 ) to get answer h4 and sets

C5 = h4 . The challenger adds (v1 , h1 ) to table T1 for OH1 , (v1 , h2 ) to table T2 for OH2 , (v1 , h3 ) to table T3 for OH3 and (v1 , h4 ) to table T4 for OH4 , and returns Ci,j to A2 . x

ODec query i, j, Ci,j : The challenger performs a query to OH3 on input C3 j to get the answer h3 . It then computes xi s1 r1

C4 h3 to get M ||r1 and veriﬁes C1 = g . If the veriﬁcation fails, return ⊥. Then the challenger performs a query to OH4 on input (C1 ||C2 ||C3 ||C4 ||M ||r1 ) to get answer h4 and veriﬁes if C5 and h4 are equal. If so, the challenger sends M to A2 ; otherwise it sends ⊥ to A2 . R

R

R

3) b ← {0, 1}, r1 , r2 ← Z∗p , W1∗.1 ← {0, 1}l1 +l2 , Ci∗∗ , j∗ = (C1∗ , C2∗ , C3∗ , C4∗ , C5∗ ) deﬁned as follows:

C1∗ = gxi∗ s1 r1 , C2∗ = H1 (Mb )xi∗ r1 · H2 (gs2 r2 ), C3∗ = gr2 , C4 = W1∗.1 (Mb ||r1 ), C5∗ = H4 (C1∗ ||C2∗ ||C3∗ ||C4∗ ||Mb ||r1 ). Add tuple (gx j∗ r2 , W1∗.1 ) into table T3 for OH3 . OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

4) b ← A2 1 2 3 4 does not appear in ODec oracle.

(Ci∗∗ , j∗ ). The constraint are that j∗ does not appear in OKey oracle and (i∗ , j∗ , Ci∗∗ , j∗ )

Let S2.1 be the event that b = b in Game 2.1. Since the idealness of the random oracle, Game 2.1 is identical to Game 2.0. We have that

Pr[S2.1 ] = Pr[S2.0 ].

(7)

Game 2.2 R

R

1) P P ← (G, GT , p, g, e ), xi ← Z∗p , ski = xi , pki = gxi , where 1 ≤ i ≤ n, s1 , s2 ← Z∗p , gsk = (s1 , s2 ), gpki = (gxi s1 , gs2 ), where R

1 ≤ i ≤ n, gtd = s2 , i∗ , j∗ ← {1, 2, . . . , n}. H1 , H2 , H3 and H4 are set as random oracles. Hash query. At any time A2 can query the random oracle H1 , H2 , H3 and H4 . The challenger prepares four hash tables to record all queries and responses as follows, where all hash tables are empty at the beginning. OH1 query v1 , OH2 query v1 and OH4 query v1 : Same as that in Game 2.1. OH3 query v1 : Same as that in Game 2.1, except that if A2 asks (C3∗ )x j∗ . We denote the event by E1 . OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

2) {M0 , M1 } ← A2 1 2 3 4 (PP, { pki , gpki }ni=1 , i∗ , j∗ ), where the oracles are simulated as follows. The constraint is that j∗ does not appear in OKey oracle. OKey query i and OEnc query i, j, M: Same as that in Game 2.1. ODec query i, j, Ci,j : Same as that in Game 2.1, except that if A2 asks for decryption of (C1∗ , C2∗ , C3∗ , (C4∗ ) , C5∗ ) after obtaining the challenge ciphertext Ci∗∗ , j∗ (see below), where (C4∗ ) = C4∗ , ⊥ is returned. R

R

R

3) b ← {0, 1}, r1 , r2 ← Z∗p , W2∗.1 ← {0, 1}l1 +l2 , Ci∗∗ , j∗ = (C1∗ , C2∗ , C3∗ , C4∗ , C5∗ ) deﬁned as follows:

C1∗ = gxi∗ s1 r1 , C2∗ = H1 (Mb )xi∗ r1 · H2 (gs2 r2 ), C3∗ = gr2 , C4∗ = W2∗.1 , C5∗ = H4 (C1∗ ||C2∗ ||C3∗ ||C4∗ ||Mb ||r1 ). Add the tuple (gx j∗ r2 , W2∗.1 (Mb ||r1 )) into table T3 for OH3 .

28

Y. Ling, S. Ma and Q. Huang et al. / Information Sciences 510 (2020) 16–32 OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

4) b ← A2 1 2 3 4 does not appear in ODec oracle.

(Ci∗∗ , j∗ ). The constraint are that j∗ does not appear in OKey oracle and (i∗ , j∗ , Ci∗∗ , j∗ )

Let S2.2 be the event that b = b in Game 2.2. Since C4∗ is a random value in both Game 2.1 and Game 2.2, the challenge ciphertext generated in Game 2.1 is identically distributed to that in Game 2.2. Therefore, if event E1 does not occur, Game 2.2 is identical to Game 2.1. We have that

|Pr[S2.2 ] − Pr[S2.1 ]| ≤ Pr[E1 ].

(8)

According to Lemma 1, we have

Pr[E1 ] ≤ AdvA,G + qD /2l1 +l2 , CDH

(9)

Game 2.3 R

R

1) P P ← (G, GT , p, g, e ), xi ← Z∗p , ski = xi , pki = gxi , where 1 ≤ i ≤ n, s1 , s2 ← Z∗p , gsk = (s1 , s2 ), gpki = (gxi s1 , gs2 ), where R

1 ≤ i ≤ n, gtd = s2 , i∗ , j∗ ← {1, 2, . . . , n}. H1 , H2 , H3 and H4 are set as random oracles. Hash query. At any time A2 can query the random oracle H1 , H2 , H3 and H4 . The challenger prepares four hash tables to record all queries and responses as follows, where all hash tables are empty at the beginning. OH1 query v1 , OH2 query v1 , OH3 query v1 and OH4 query v1 : Same as that in Game 2.2. OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

2) {M0 , M1 } ← A2 1 2 3 4 (PP, { pki , gpki }ni=1 , i∗ , j∗ ), where the oracles are simulated as follows. The constraint is that j∗ does not appear in OKey oracle. OKey query i, OEnc query i, j, M and ODec query i, j, Ci,j : Same as that in Game 2.2. R

R

R

R

3) b ← {0, 1}, r1 , r2 ← Z∗p , W3∗.1 ← {0, 1}l1 +l2 , W3∗.2 ← G, Ci∗∗ , j∗ = (C1∗ , C2∗ , C3∗ , C4∗ , C5∗ ) deﬁned as follows:

C1∗ = gxi∗ s1 r1 , C2∗ = H1 (Mb )xi∗ r1 · W3∗.2 , C3∗ = gr2 , C4∗ = W3∗.1 , C5∗ = H4 (C1∗ ||C2∗ ||C3∗ ||C4∗ ||Mb ||r1 ). Add the tuple (gx j∗ r2 , W3∗.1 (Mb ||r1 )) into table T3 for OH3 and the tuple (gs2 r2 , W3∗.2 ) into table T2 for OH2 , respectively. OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

4) b ← A2 1 2 3 4 does not appear in ODec oracle.

(Ci∗∗ , j∗ ). The constraint are that j∗ does not appear in OKey oracle and (i∗ , j∗ , Ci∗∗ , j∗ )

Let S2.3 be the event that b = b in Game 2.3. Since the idealness of the random oracle, Game 2.3 is identical to Game 2.2. We have that

Pr[S2.3 ] = Pr[S2.2 ].

(10)

Game 2.4 R

R

1) P P ← (G, GT , p, g, e ), xi ← Z∗p , ski = xi , pki = gxi , where 1 ≤ i ≤ n, s1 , s2 ← Z∗p , gsk = (s1 , s2 ), gpki = (gxi s1 , gs2 ), where R i∗ , j ∗ ←

1 ≤ i ≤ n, gtd = s2 , {1, 2, . . . , n}. H1 , H2 , H3 and H4 are set as random oracles. Hash query. At any time A2 can query the random oracle H1 , H2 , H3 and H4 . The challenger prepares four hash tables to record all queries and responses as follows, where all hash tables are empty at the beginning. OH1 query v1 , OH3 query v1 and OH4 query v1 : Same as that in Game 2.3. OH2 query v1 : Same as that in Game 2.3, except that if A2 asks (C3∗ )s2 . We denote the event by E3 . OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

2) {M0 , M1 } ← A2 1 2 3 4 (PP, { pki , gpki }ni=1 , i∗ , j∗ ), where the oracles are simulated as follows. The constraint is that j∗ does not appear in OKey oracle. OKey query i and OEnc query i, j, M: Same as that in Game 2.3. ODec query i, j, Ci,j : Same as that in Game 2.3, except that if A2 asks for decryption of (C1∗ , (C2∗ ) , C3∗ , (C4∗ ) , C5∗ ) after obtaining the challenge ciphertext Ci∗∗ , j∗ (see below), where (C2∗ ) = C2∗ and (C4∗ ) = C4∗ , ⊥ is returned. R

R

R

R

3) b ← {0, 1}, r1 , r2 ← Z∗p , W4∗.1 ← {0, 1}l1 +l2 , W4∗.2 ← G, Ci∗∗ , j∗ = (C1∗ , C2∗ , C3∗ , C4∗ , C5∗ ) deﬁned as follows:

C1∗ = gxi∗ s1 r1 , C2∗ = W4∗.2 , C3∗ = gr2 , C4∗ = W4∗.1 , C5∗ = H4 (C1∗ ||C2∗ ||C3∗ ||C4∗ ||Mb ||r1 ). Add the tuple (gx j∗ r2 , W4∗.1 (Mb ||r1 )) into table T3 for OH3 and the tuple (gs2 r2 , W4∗.2 /H1 (Mb )xi∗ r1 ) into table T2 for OH2 , respectively.

Y. Ling, S. Ma and Q. Huang et al. / Information Sciences 510 (2020) 16–32 OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

4) b ← A2 1 2 3 4 does not appear in ODec oracle.

29

(Ci∗∗ , j∗ ). The constraint are that j∗ does not appear in OKey oracle and (i∗ , j∗ , Ci∗∗ , j∗ )

Let S2.4 be the event that b = b in Game 2.4. Since C2∗ is a random value in both Game 2.4 and Game 2.3, the challenge ciphertext generated in Game 2.4 is identically distributed to that in Game 2.3. Therefore, if event E3 does not occur, Game 2.4 is identical to Game 2.3. We have that

|Pr[S2.4 ] − Pr[S2.3 ]| ≤ Pr[E3 ].

(11)

We will show that the event E3 occurs with negligible probability. Lemma 2. Event E3 happens in Game 2.4 with negligible probability if CDH problem is intractable. Proof. Suppose that Pr[E3 ] is non-negligible. We construct a simulator B2 to run A2 for breaking the CDH assumption. Given a tuple (G, GT , p, e, g, ga , gc ), it runs A2 and works as follows. R

1) B2 sets P P = (G, GT , p, g, e ). It randomly selects xi ← Z∗p , and sets ski = xi , pki = gxi , where 1 ≤ i ≤ n. It randomly selects R

R

s1 ← Z∗p , and sets gsk = (s1 , ), gpki = (gxi s1 , ga ), where 1 ≤ i ≤ n, and gtd = . Finally, it randomly selects i∗ , j∗ ← {1, 2, . . . , n}. H1 , H2 , H3 and H4 are set as random oracles. Hash query. At any time A2 can query the random oracle H1 , H2 , H3 and H4 . B2 prepares four hash tables to record all queries and responses as follows, where all hash tables are empty at the beginning. OH1 query v1 , OH3 query v1 and OH4 query v1 : Same as that in Game 2.3. OH2 query v1 : Same as that in Game 2.3, except that if A2 asks (C3∗ )s2 = gac (note that B2 can know if the equation holds by checking if e(v1 , g) and e(ga , gc ) are equal). We denote the event by E3 . OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

2) state ← A2 1 2 3 4 (PP, { pki , gpki }ni=1 , i∗ , j∗ ), where the oracles are simulated as follows. The constraint is that j∗ does not appear in OKey oracle. OKey query i: Same as that in Game 2.3. OEnc query i, j, M: Same as that in Game 2.3. ODec query i, j, Ci,j : Same as that in Game 2.3. R

R

R

R

3) b ← {0, 1}, r1 ← Z∗p , (W4∗.1 ) ← {0, 1}l1 +l2 , (W4∗.2 ) ← G, Ci∗∗ , j∗ = (C1∗ , C2∗ , C3∗ , C4∗ , C5∗ ) deﬁned as follows:

C1∗ = gxi∗ s1 r1 , C2∗ = (W4∗.2 ) , C3∗ = gc , C4∗ = (W4∗.1 ) , C5∗ = H4 (C1∗ ||C2∗ ||C3∗ ||C4∗ ||Mb ||r1 ). Add the tuple ((gc )x j∗ , (W4∗.1 ) (Mb ||r1 )) into table T3 for OH3 and the tuple (, (W4∗.2 ) /H1 (Mb )xi∗ r1 ) into table T2 for OH2 , respectively. OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

4) b ← A2 1 2 3 4 does not appear in ODec oracle.

(Ci∗∗ , j∗ ). The constraint are that j∗ does not appear in OKey oracle and (i∗ , j∗ , Ci∗∗ , j∗ )

Indistinguishable simulation. According to the setting of the simulation, the correctness and randomness property of the simulation hold. We focus on the decryption oracle, and have the following cases. 1. C3a has been queried to OH2 before a decryption query is issued. In this case, C4 is uniquely determined after C3a is queried to OH2 . So the decryption oracle is simulated perfectly. 2. C3a has never been queried to OH2 when a decryption query is issued. In this case, ⊥ is returned by the decryption oracle. The simulation fails if Ci,j is a valid ciphertext. However, due to the idealness of the random oracle, this happens with probability 1/p. Denote E4 the event that a valid ciphertext is rejected in the simulation. Then we have Pr[E4 ] ≤ qD /p, which is negligible. Thus, B2 performs the decryption simulation correctly except with negligible probability. Probability of successful simulation. The probability of successful simulation is 1 as the simulated game does not abort. Analysis. Since A2 queries (C3∗ )a to OH2 with probability Pr[E3 ], B2 can solve the CDH problem with probability Pr[E3 ]. We have Pr[E3 ] = AdvA,G . Furthermore, if E4 does not happen, the simulated game is indistinguishable from the Game 2.4. We have Pr[E3 |¬E4 ] = Pr[E3 ]. CDH

Pr[E3 ] = Pr[E3 |E4 ]Pr[E4 ] + Pr[E3 |¬E4 ]Pr[¬E4 ]

≥ Pr[E3 |¬E4 ]Pr[¬E4 ] = Pr[E3 ](1 − Pr[E4 ] ) ≥ Pr[E3 ] − Pr[E4 ].

30

Y. Ling, S. Ma and Q. Huang et al. / Information Sciences 510 (2020) 16–32 CDH

Therefore, AdvA,G ≥ Pr[E3 ] − qD /p. That is, CDH

Pr[E3 ] ≤ AdvA,G + qD /p,

(12)

which is negligible. This completes the proof of Lemma 2.

Game 2.5 R

R

1) P P ← (G, GT , p, g, e ), xi ← Z∗p , ski = xi , pki = gxi , where 1 ≤ i ≤ n, s1 , s2 ← Z∗p , gsk = (s1 , s2 ), gpki = (gxi s1 , gs2 ), where R

1 ≤ i ≤ n, gtd = s2 , i∗ , j∗ ← {1, 2, . . . , n}. H1 , H2 , H3 and H4 are set as random oracles. Hash query. At any time A2 can query the random oracle H1 , H2 , H3 and H4 . The challenger prepares four hash tables to record all queries and responses as follows, where all hash tables are empty at the beginning. OH1 query v1 , OH2 query v1 and OH3 query v1 : Same as that in Game 2.4. OH4 query v1 : Same as that in Game 2.4, except that if A2 asks (C1∗ ||C2∗ ||C3∗ ||C4∗ ||Mb ||r1 ). We denote the event by E5 . OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

2) {M0 , M1 } ← A2 1 2 3 4 (PP, { pki , gpki }ni=1 , i∗ , j∗ ), where the oracles are simulated as follows. The ∗ constraint is that j does not appear in OKey oracle. OKey query i and OEnc query i, j, M: Same as that in Game 2.4. ODec query i, j, Ci,j : Same as that in Game 2.4, except that if A2 asks for decryption of (C1∗ , (C2∗ ) , C3∗ , (C4∗ ) , (C5∗ ) ) after obtaining the challenge ciphertext Ci∗∗ , j∗ (see below), where (C2∗ ) = C2∗ , (C4∗ ) = C4∗ and (C5∗ ) = C5∗ , ⊥ is returned. R

R

R

R

R

3) b ← {0, 1}, r1 , r2 ← Z∗p , W5∗.1 ← {0, 1}l1 +l2 , W5∗.2 ← G, W5∗.3 ← {0, 1}λ , Ci∗∗ , j∗ = (C1∗ , C2∗ , C3∗ , C4∗ , C5∗ ) deﬁned as follows:

C1∗ = gxi∗ s1 r1 , C2∗ = W5∗.2 , C3∗ = gr2 , C4∗ = W5∗.1 , C5∗ = W5∗.3 . Add the tuple (gx j∗ r2 , W5∗.1 (Mb ||r1 )) into table T3 for OH3 , the tuple (gs2 r2 , W5∗.2 /H1 (Mb )xi∗ r1 ) into table T2 for OH2 and the tuple (C1∗ ||C2∗ ||C3∗ ||C4∗ ||Mb ||r1 , W5∗.3 ) into table T4 for OH4 , respectively. OH ,OH ,OH ,OH ,OKey ,OEnc ,ODec

4) b ← A2 1 2 3 4 does not appear in ODec oracle.

(Ci∗∗ , j∗ ). The constraint are that j∗ does not appear in OKey oracle and (i∗ , j∗ , Ci∗∗ , j∗ )

Let S2.5 be the event that b = b in Game 2.5. Since the idealness of the random oracle, if event E5 does not occur, Game 2.5 is identical to Game 2.4. We have that

|Pr[S2.5 ] − Pr[S2.4 ]| ≤ Pr[E5 ]. Clearly, Pr[E5 ] is negligible as r1 ∈

(13) Z∗p

is a random value to A2 . We have

Pr[E5 ] ≤ 1/( p − 1 ).

(14)

We then analyse the challenge ciphertext Ci∗∗ , j∗ in Game 2.5:

C1∗ = gxi∗ s1 r1 , C2∗ = W5∗.2 , C3∗ = gr2 , C4∗ = W5∗.1 , C5∗ = W5∗.3 . Finally, it is evident that all the ﬁve components in the challenge ciphertext of Game 2.5 are independent of the Mb , so A2 is able to make a correct guess b = b in Game 2.5 with probability at most 1/2. That is,

Pr[S2.5 ] = 1/2. Combining (6)–(15), we have that

AdvG-PKEET,A (qH1 , qH2 , qH3 , qH4 , qKey , qEnc , qDec ) 2 qDec qDec CDH ≤ 2AdvA,G + l +l + + 1/ ( p − 1 ), p 21 2 IND-CCA

which is negligible. The proof of Theorem 3 is completed.

(15)

Y. Ling, S. Ma and Q. Huang et al. / Information Sciences 510 (2020) 16–32

31

Table 2 Comparison.

[26] [5] [13] [15] [18] Ours

Enc

Dec

Test

Security

3Exp 4Exp 6Exp 1P+5Exp 5Exp 5Exp

3Exp 1P+4Exp 5Exp 1P+4Exp 2Exp 2Exp

2P 2P+6Exp 2P+2Exp 4P+2Exp 4P 2P+2Exp

-/OW-CCA OW/IND-CCA OW/IND-CCA OW/IND-CCA OW/IND-CCA OW/IND-CCA

Note: Exp: the exponent computation. P: the pairing computation.

6. Comparison In Table 2 we compare G-PKEET scheme with related PKEET schemes [5,13,15,18,26]. The second to ﬁfth column show the computational eﬃciency of Enc algorithm, Dec algorithm and Test algorithm and the security respectively. It can be learnt from Table 2 that G-PKEET scheme has more eﬃcient Enc algorithm compared with [13,15], more eﬃcient Dec algorithm compared with [5,13,15,26] and more eﬃcient Test algorithm compared with [5,15,18]. With regard to the security, same as [5,13,15,18], G-PKEET scheme also can achieve OW-CCA/IND-CCA against the adversary who has been authorized and the adversary who has not been authorized. 7. Conclusion In this paper, we ﬁrst introduced group mechanism into PKEET and proposed a new primitive, namely group public key encryption with equality test (G-PKEET). G-PKEET can resist the attack that the tester can recover the message from a given ciphertext by exhaustively guessing the message oﬄine. Furthermore, the group mechanism makes PKEET supporting group granularity authorization and could greatly reduce not only the storage cost of trapdoors but also the cost of computation and communication. We deﬁned security models for G-PKEET, presented its concrete construction in bilinear pairings and proved its security in the random oracle model. G-PKEET scheme has eﬃcient algorithms, and also can achieve OW-CCA/INDCCA against the adversary who has been authorized and the adversary who has not been authorized at the same time. With the group mechanism, we can foresee that PKEET can be used in more scenarios. Declaration of Competing Interest The authors declare that they have no known competing ﬁnancial interests or personal relationships that could have appeared to inﬂuence the work reported in this paper. Acknowledgements This work is supported by National Natural Science Foundation of China (No. 61872409, 61872152), Pearl River Nova Program of Guangzhou (No. 201610010037), Guangdong Natural Science Funds for Distinguished Young Scholar (No. 2014A030306021) and Guangdong Program for Special Support of Topnotch Young Professionals (No. 2015TQ01X796). References [1] D. Boneh, G.D. Crescenzo, R. Ostrovsky, G. Persiano, Public key encryption with keyword search, in: Advances in Cryptology - EUROCRYPT 20 04, 20 04, pp. 506–522. [2] R. Chen, Y. Mu, G. Yang, F. Guo, X. Wang, A new general framework for secure public key encryption with keyword search, in: Australasian Conference on Information Security and Privacy (ACISP 2015), 2015, pp. 59–76. [3] R. Chen, Y. Mu, G. Yang, F. Guo, X. Wang, Dual-server public-key encryption with keyword search for secure cloud storage, IEEE Trans. Inf. Forens.Secur. 11 (4) (2016) 789–798. [4] K. Huang, R. Tso, Y. Chen, W. Li, H. Sun, A new public key encryption with equality test, in: International Conference on Network and System Security (NSS 2015), 2015, pp. 550–557. [5] K. Huang, R. Tso, Y. Chen, S. Rahman, A. Almogren, A. Alamri, Pke-aet: public key encryption with authorized equality test, Comput. J. 58 (10) (2015) 2686–2697. [6] Q. Huang, H. Li, An eﬃcient public-key searchable encryption scheme secure against inside keyword guessing attacks, Inf. Sci. 403–404 (2017) 1–14. [7] H. Lee, S. Ling, J. Seo, H. Wang, Semi-generic construction of public key encryption and identity-based encryption with equality test, Inf. Sci. 373 (2016) 419–440. [8] H. Lee, S. Ling, J. Seo, H. Wang, T. Youn, Public key encryption with equality test in the standard model, IACR Cryptol. ePrint Arch. 2016 (2016) 1182. [9] X. Lin, H. Qu, X. Zhang, Public key encryption supporting equality test and ﬂexible authorization without bilinear pairings, IACR Cryptol. ePrint Arch. 2016 (2016) 277. [10] Y. Ling, S. Ma, Q. Huang, X. Li, A general two-server framework for ciphertext-checkable encryption against oﬄine message recovery attack, in: International Conference on Cloud Computing and Security (ICCCS 2018), 2018, pp. 370–382. [11] Y. Ling, S. Ma, Q. Huang, R. Xiang, X. Li, Group ID-Based encryption with equality test, in: Australasian Conference on Information Security and Privacy (ACISP 2019), 2019, pp. 39–57. [12] S. Ma, Authorized equality test of encrypted data for secure cloud databases, in: 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE 2018), 2018, pp. 223–230.

32

Y. Ling, S. Ma and Q. Huang et al. / Information Sciences 510 (2020) 16–32

[13] S. Ma, Q. Huang, M. Zhang, B. Yang, Eﬃcient public key encryption with equality test supporting ﬂexible authorization, IEEE Trans. Inf. Forensic.Secur. 10 (3) (2014) 458–470. [14] S. Ma, Y. Ling, A general two-server cryptosystem supporting complex queries, in: International Workshop on Information Security Applications (WISA2017), 2017, pp. 249–260. [15] S. Ma, M. Zhang, Q. Huang, B. Yang, Public key encryption with delegated equality test in a multi-user setting, Comput. J. 58 (4) (2015) 986–1002. [16] H. Qu, Z. Yan, X. Lin, Q. Zhang, L. Sun, Certiﬁcateless public key encryption with equality test, Inf. Sci. 462 (2018) 76–92. [17] V. Shoup, Sequences of games: a tool for taming complexity in security proofs, IACR Cryptol. ePrint Arch. 2004 (2004) 332. [18] Q. Tang, Towards public key encryption scheme supporting equality test with ﬁne-grained authorization, in: Australasian Conference on Information Security and Privacy (ACISP 2011), 2011, pp. 389–406. [19] Q. Tang, Public key encryption schemes supporting equality test with authorisation of different granularity, Int. J. Appl. Cryptogr. 2 (4) (2012) 304–321. [20] Q. Tang, Public key encryption supporting plaintext equality test and user-speciﬁed authorization, Secur. Commun. Netw. 5 (12) (2012) 1351–1362. [21] C. Wang, T. Tu, Keyword search encryption scheme resistant against keyword-guessing attack by the untrusted server, J. Shanghai Jiaotong Univ. (Sci.) 19 (4) (2014) 440–442. [22] Y. Wang, H. Pang, Probabilistic public key encryption for controlled equijoin in relational databases, Comput. J. 60 (4) (2017) 600–612. [23] L. Wu, Y. Zhang, D. He, Dual server identity-based encryption with equality test for cloud computing, J. Comput. Res. Dev. 54 (10) (2017) 2232–2243. [24] T. Wu, S. Ma, Y. Mu, S. Zeng, ID-based encryption with equality test against insider attack, in: Australasian Conference on Information Security and Privacy (ACISP 2017), 2017, pp. 168–183. [25] Y. Xu, M. Wang, H. Zhong, J. Cui, L. Liu, V. Franqueira, Veriﬁable public key encryption scheme with equality test in 5G networks, IEEE Access 5 (2017) 12702–12713. [26] G. Yang, C. Tan, Q. Huang, D. Wong, Probabilistic public key encryption with equality test, in: Cryptographers’ Track at the RSA Conference (CT-RSA 2010), 2010, pp. 119–131. [27] K. Zhang, J. Chen, H. Lee, H. Qian, H. Wang, Eﬃcient public key encryption with equality test in the standard model, Theor. Comput. Sci. 755 (2019) 65–80.

Group public key encryption with equality test against offline message recovery attack

Group public key encryption with equality test against offline message recovery attack

Recommend Documents