Trapdoor security in a searchable public-key encryption scheme with a designated tester



The Journal of Systems and Software 83 (2010) 763–771

Contents lists available at ScienceDirect

The Journal of Systems and Software journal homepage: www.elsevier.com/locate/jss

Hyun Sook Rhee (a), Jong Hwan Park (b), Willy Susilo (c), Dong Hoon Lee (a, *)

(a) Graduate School of Information Management and Security, Korea University, 1, 5-ka, Anam-dong, Sungbuk-ku, Seoul 136-701, Republic of Korea
(b) Department of Applied Mathematics, College of Applied Science, Kyung Hee University, Seocheon-dong, Giheung-gu, Yongin-si, Gyeonggi-do 446-701, Republic of Korea
(c) Centre for Computer and Information Security Research, School of Computer Science and Software Engineering, University of Wollongong, Northfields Avenue, NSW 2522, Australia

Article history: Received 22 January 2009; received in revised form 16 November 2009; accepted 18 November 2009; available online 26 November 2009.

Keywords: Keyword search on encrypted data; Designated tester; Data security

Abstract

We study a secure searchable public-key encryption scheme with a designated tester (dPEKS). The contributions of this paper are threefold. First, we enhance the existing security model to incorporate the realistic abilities of dPEKS attackers. Second, we introduce the concept of ‘‘trapdoor indistinguishability” and show that trapdoor indistinguishability is a sufficient condition for thwarting keyword-guessing attacks. This answers the open problem of how to construct PEKS (dPEKS) schemes that are provably secure against keyword-guessing attacks. Finally, we propose a dPEKS scheme that is secure in the enhanced security model. The scheme is the first dPEKS scheme that is secure against keyword-guessing attacks. © 2009 Elsevier Inc. All rights reserved.

☆ An extended abstract of this paper will appear in Proceedings of ASIACCS 2009. This is the full version.
* Corresponding author. Tel.: +82 2 3290 4892; fax: +82 2 928 9109.
E-mail addresses: [email protected] (H.S. Rhee), [email protected] (J.H. Park), [email protected] (W. Susilo), [email protected] (D.H. Lee).

0164-1212/$ - see front matter © 2009 Elsevier Inc. All rights reserved. doi:10.1016/j.jss.2009.11.726

1. Introduction

With the rapid development of Internet technologies, the amount of sensitive data to be stored and managed on networked servers rapidly increases. The protection of the perimeters of networks has turned out to be an unattractive option, since an outside attacker needs to find only one way of accessing sensitive information. To protect the sensitive data from outside attackers, a cryptographic encryption module may be implemented in the database management system (DBMS), such as Oracle 10g and MS Access, that actually performs encryptions and decryptions for the stored data. This approach is only secure when there is complete trust in the inside system manager, such as the system administrator of the database. We note that according to the annual CSI computer crime and security survey report (Richardson, 2007), slightly more than 63% of respondents thought that insider threats account for their organization’s cyber losses. To ensure the privacy and confidentiality of sensitive data even from inside attackers such as a malicious system administrator of a database, a user herself may encrypt the sensitive data before uploading the data into a database server. The user should securely manage encryption keys without revealing them to the internal system manager. However, secure encryption transforms data into random strings that are not readable to anyone except the holder of the corresponding decryption key. In turn, this renders a DBMS unable to perform searches for retrieving the data upon a query from a user. To resolve this problem, keyword search over encrypted data has received close attention in various environments such as encrypted web hard-systems, intelligent email routing, encrypted vendor systems, etc. (Song et al., 2000; Boneh et al., 2004; Golle et al., 2004; Ogata and Kurosawa, 2004; Park et al., 2004; Rhee et al., 2006; Boneh and Waters, 2007; Hwang and Lee, 2007; Katz et al., 2008). Keyword search enables a user to search encrypted data without revealing any information on the query and data, even to the database server.

Keyword search systems over encrypted data can be classified into three different types. The first type is a public storage system, where a user stores her encrypted data in a non-trusted database and later searches the data with a keyword that is chosen by the user (Song et al., 2000; Golle et al., 2004). For this system, Song et al. first studied a secure keyword search scheme by using a symmetric cipher, and Golle et al. (2004) proposed a conjunctive keyword search that allows the user to search the conjunction of multiple keywords with one encrypted query. The second type is a vendor system, where the data supplier is the same as the database manager, and where, by using the encrypted query, a user can retrieve data that contain a keyword. Ogata et al. suggested an oblivious keyword search scheme that uses oblivious transfer. The scheme was subsequently improved by Rhee et al. (2006). The third type is a store-and-forward system, such as an email system, where a receiver can search data that are encrypted under the receiver’s public key on a storage system. For this system, Boneh et al. first suggested a public-key encryption keyword search scheme (PEKS) (Boneh et al., 2004). This construction was later improved by several researchers (Park et al., 2004; Abdalla et al., 2005; Baek et al., 2006; Boneh et al., 2007; Hwang and Lee, 2007). Recently, Hwang and Lee (2007) proposed a searchable public-key encryption in a multi-receiver setting, which they termed a multi-user PEKS scheme. In Boneh et al. (2007), Boneh et al. proposed a new public-key encryption scheme with keyword search that uses a private information retrieval (PIR) protocol (Kushilevitz and Ostrovsky, 1997; Cachin et al., 1999), a technique that allows keyword search on non-encrypted data. Their scheme does not reveal any partial information, such as the access pattern, regarding the receiver’s search. That is, even the email server cannot learn anything about the messages that the email receiver wishes to find in the email database. However, to hide such information as the access pattern, the email sender and the email receiver must repeatedly execute the PIR protocol through interaction with the email server, which is unlike a normal store-and-forward system such as an email system.

In this paper, we focus on secure keyword search for the third type of system, i.e., store-and-forward systems. The keyword search scheme of Boneh et al. that uses a PEKS ensures the privacy of emails against outside/inside attackers in the following scenario. An email sender, Bob, generates an encrypted email (comprising an encrypted email body and an encrypted list of keywords, called PEKS ciphertexts) by using the public key of an email receiver, Alice, and sends the encrypted email to Alice through a gateway (or an email server). Bob can use a standard public-key encryption scheme for encrypting the body of the email, and a PEKS scheme for each keyword in the list of keywords.
To search the encrypted emails on the email server, Alice provides the server with a trapdoor that is generated from her secret key and a keyword chosen by her. The server then tests whether the keyword of the trapdoor is identical to that of one of the PEKS ciphertexts, without learning any information on the encrypted list of keywords. Boneh et al. considered the security of a PEKS ciphertext in the sense of semantic security. This ‘‘ciphertext indistinguishability” ensures that an attacker, even with the ability to obtain a trapdoor for any keyword chosen by himself, is not able to distinguish the PEKS ciphertext of a keyword w_0 from the ciphertext of a keyword w_1, unless the trapdoors of w_0 and w_1 are given. Baek et al. (2006) later pointed out that anyone can easily identify which encrypted emails are related to a given trapdoor of a known keyword. That is, for a given trapdoor, the linkability of encrypted emails (i.e., whether or not the ciphertexts are related to the given trapdoor) can be revealed to anyone. To protect against this attack, a secure (encrypted and authenticated) channel between Alice (the receiver) and the server must be assumed in PEKS. In Baek et al. (2006), Baek et al. also proposed a searchable public-key encryption for a designated tester (dPEKS) to remove the secure-channel assumption of Boneh et al. (2004). In dPEKS, only the server can test, by using its private key, whether or not a given dPEKS ciphertext is related to a trapdoor. To provide this functionality, Bob generates a dPEKS ciphertext by using Alice’s public key and the email server’s public key. The provable security of the dPEKS scheme was shown under the same security model as Boneh et al.’s PEKS (Boneh et al., 2004) against two types of attackers, the server and an outside attacker (including the receiver). Unfortunately, their security model (Baek et al., 2006) fails to incorporate the abilities of a practical attacker. That is, either a malicious email server or a malicious receiver is required to reveal its private key in order to launch an attack. This seriously limits the ability of attackers. An attacker should be allowed to launch an attack without revealing private keys.

Recently, Byun et al. (2006) showed that the PEKS scheme is insecure against off-line keyword-guessing attacks. That is, given a trapdoor, an attacker can learn which keyword was used to generate the trapdoor. Since a user usually queries commonly used keywords with low entropy, keyword-guessing attacks are meaningful. In fact, the latest Merriam-Webster’s collegiate dictionary contains only 225,000 keyword definitions (Chang and Mitzenmacher, 2004). In PEKS (dPEKS), even an outside attacker A can obtain information on the keyword from the trapdoor by using off-line keyword-guessing attacks (Byun et al., 2006). Using the above keyword-guessing attack, an attacker can also find the plaintext of a PEKS ciphertext. When the email server sends a PEKS (or dPEKS) ciphertext C as a reply to the trapdoor of a keyword w to a receiver, an eavesdropping attacker can obtain the keyword w by using the keyword-guessing attack together with the information that C is the PEKS (or dPEKS) ciphertext of w. This implies that the security of a PEKS ciphertext (dPEKS ciphertext) cannot be guaranteed without provision of security against keyword-guessing attacks on trapdoors. It was noted as an open problem in Byun et al. (2006) to construct PEKS schemes that are secure against keyword-guessing attacks. Meanwhile, Shen et al. (2009) mentioned that predicate privacy (i.e., trapdoor privacy in the PEKS/dPEKS scheme) is inherently impossible to achieve in a public-key setting. In the PEKS scheme, since everyone can generate a PEKS ciphertext C_w = PEKS(w, pk) by using a guessed keyword w and the receiver’s public key pk, the adversary can obtain the test result and can guess the keyword w from the acquired trapdoor T_{w'}. In Baek et al.’s dPEKS scheme, originally, only the server can perform the test as described above. However, the structure of a trapdoor in the dPEKS scheme is the same as the one in the PEKS scheme, so an outside attacker can still guess the keyword from a given trapdoor in Baek et al.’s dPEKS scheme by using a keyword-guessing attack. To protect the dPEKS scheme from a keyword-guessing attack by an outside attacker, the structure of the trapdoor should be modified.

1.1. Our contributions

Our contributions in this paper are threefold.

• We enhance the existing security model of Baek et al. for dPEKS to remedy the problem mentioned above. In our enhanced security model, an attacker is not required to reveal its secret key when making trapdoor and challenge queries. This relaxation is very realistic and strengthens the power of the attacker in the sense that it has more control over the exposure of the key than in previous models (Baek et al., 2006).
• We define ‘‘trapdoor indistinguishability” in dPEKS against an active attacker who is able to get trapdoors for any keyword of his choice. This security of a trapdoor guarantees that the trapdoor does not reveal any information on any keyword without the server’s private key. We further investigate the relation between the security of a trapdoor and the security against off-line keyword-guessing attacks (in Theorem 6). It turns out that the security of a trapdoor is a sufficient condition for ensuring the security against keyword-guessing attacks. That is, the security of a trapdoor guarantees that the dPEKS scheme is secure against off-line keyword-guessing attacks on trapdoors. In this paper, although we consider only outside attackers, we first propose a dPEKS scheme that is secure against keyword-guessing attacks and formally prove the security of the ciphertext and of the trapdoor queries. This paper answers the open problem proposed by Byun et al.

Table 1. Comparison of security and performance between our scheme and the others.

Scheme                     | Functionalities                          | Performance
                           | CT Ind    | Trap Ind      | SC           | Size(CT)  | Size(Trap) | Comp(Test)
BSS (Baek et al., 2006)    | Satisfied | Not satisfied | Required     | G + k     | G          | e + p + De
BCOP (Boneh et al., 2004)  | Satisfied | Not satisfied | Required     | G + k     | G          | p + De
PKL (Park et al., 2004)    | Satisfied | Not satisfied | Required     | 2G + G_T  | G + |Z_p|  | e + p + De
HL (Hwang and Lee, 2007)   | Satisfied | Not satisfied | Required     | 2G + G_T  | 3G         | 3p + De
Proposed scheme            | Satisfied | Satisfied     | Not required | G + k     | 2G         | e + p

CT Ind: PEKS (dPEKS) ciphertext indistinguishability. Trap Ind: Trapdoor (dTrapdoor) indistinguishability. SC: secure channel between a receiver and the server. Size(CT): size of the PEKS (dPEKS) ciphertext. Size(Trap): size of the trapdoor (dTrapdoor). Comp(Test): computation cost of Test (dTest). G: element in G; G_T: element in G_T; p: pairings; e: exponentiations. En: encryption; De: decryption corresponding to En.

• We construct a dPEKS scheme and formally prove that our construction satisfies (a) dPEKS indistinguishability under the 1-BDHI and BDH assumptions in our enhanced security model and (b) trapdoor indistinguishability in our enhanced security model under the HDH assumption (Abdalla et al., 2001). Until now, none of the previous PEKS (dPEKS) schemes (Boneh et al., 2004; Park et al., 2004; Baek et al., 2006; Hwang and Lee, 2007) has considered the security of a trapdoor in the sense of semantic security.

Table 1 shows a comparison between the other PEKS (dPEKS) schemes and our scheme in terms of functionalities and performance. It shows that our scheme satisfies trapdoor indistinguishability without an additional secure channel. For providing ‘‘trapdoor indistinguishability”, in comparison with Baek et al.’s scheme, our scheme requires only the same ciphertext size and the same computation in the test phase, and twice the trapdoor size. However, for providing security against keyword-guessing attacks, all the other schemes require an additional encryption in the trapdoor generation process and a decryption of the given trapdoor in the test process, using the decryption key corresponding to the encryption key.

1.2. Paper organization

The remainder of this paper is organized as follows. In Section 2, we review the bilinear map and hardness assumptions for our constructions and point out our observation on the weakness of the security model of Baek et al.’s scheme. We define an enhanced model for ‘‘dPEKS ciphertext” and a new security model for ‘‘trapdoor indistinguishability” in dPEKS. In Section 3, we construct a new dPEKS scheme and prove the security of our scheme in our enhanced security models. Finally, Section 4 concludes the paper.

2. Preliminaries

In this section, we review notations and briefly formalize the model of a searchable public-key encryption scheme with a designated tester (dPEKS) and refine the security of the dPEKS ciphertext. We first define a new dPEKS (considering ‘‘trapdoor indistinguishability”) and the security of trapdoor queries (dTrapdoor-IND-CPA). Next, we review the definition of bilinear pairings and the complexity assumptions for our scheme.

2.1. Definition of dPEKS

A searchable public-key encryption scheme with a designated tester (dPEKS) is a mechanism whereby only the designated server (designated tester) can perform a test on a dPEKS ciphertext for a particular keyword. This approach was first proposed by Baek et al. (2006). In Baek et al.’s dPEKS scheme, the trapdoor algorithm is the same as that of Boneh et al.’s PEKS scheme (Boneh et al., 2004). In this paper, to provide both the security for a dPEKS ciphertext (dPEKS ciphertext indistinguishability) and the security for the trapdoor (trapdoor indistinguishability), we modify the structure of a trapdoor. That is, the trapdoor algorithm additionally requires the server’s public key in our definition of a dPEKS scheme. The new definition of dPEKS = (GlobalSetup, KeyGen_Server, KeyGen_Receiver, dPEKS, dTrapdoor, dTest) is as follows.

Definition 1. A searchable public-key encryption scheme for a designated tester (dPEKS) consists of the following polynomial-time randomized algorithms, where GP denotes a set of global parameters.

• GlobalSetup(k) takes a security parameter k as input and generates a global parameter GP.
• KeyGen_Server(GP) takes as input GP and outputs a pair of public and secret keys (pk_S, sk_S) of the server S.
• KeyGen_Receiver(GP) takes as input GP and generates a pair of public and secret keys (pk_R, sk_R) of the receiver R.
• dTrapdoor(GP, pk_S, sk_R, w) takes as input GP, the server’s public key pk_S, the receiver’s secret key sk_R, and a keyword w. It then generates a trapdoor T_w.
• dPEKS(GP, pk_R, pk_S, w) takes as input GP, the receiver’s public key pk_R, the server’s public key pk_S, and a keyword w. It returns a dPEKS ciphertext C of w.
• dTest(GP, C, sk_S, T_w) takes as input GP, a dPEKS ciphertext C, the server’s secret key sk_S, and a trapdoor T_w. It outputs ‘yes’ if w = w' and ‘no’ otherwise, where C = dPEKS(GP, pk_R, pk_S, w').

2.2. Security of dPEKS ciphertext

As stated in the previous section, an attacker must reveal its secret key in Baek et al.’s security model. To remedy this problem, we refine the security model for dPEKS. The security of a dPEKS requires that (1) a malicious server should not be able to distinguish between the dPEKS ciphertexts of two challenge keywords w_0 and w_1 of its choice, even though it is allowed to obtain trapdoors for any non-challenge keywords, and (2) a malicious outside attacker (including the receiver) can directly generate a trapdoor for any keyword. Additionally, in our security model, it is not necessary that the attacker’s secret key be revealed to a third party. Let A_i (i = 1, 2) be an attacker whose running time is bounded by t, which is polynomial in a security parameter k. To describe the security for dPEKS, we define the following two games between the attackers A_1 (or A_2) and a challenger B.

Game_1: A_1 is assumed to be a malicious server.

• Setup: A_1 generates its public/private key pair (pk_S, sk_S) and gives pk_S = pk_{A_1} to B. B generates the receiver’s public/private key pair (pk_R, sk_R) and gives pk_R to A_1. Here, (pk_S, sk_S) and pk_R are given to A_1, and pk_S and (pk_R, sk_R) are given to the challenger B.
• Phase 1 (Trapdoor queries): A_1 adaptively makes trapdoor queries of the form w, and B answers with T_w = dTrapdoor(pk_S, sk_R, w) for any keyword w ∈ {0,1}*.
• Challenge: A_1 gives B two keywords w_0 and w_1 on which it wishes to be challenged. The restriction is that the attacker did not previously ask for the trapdoors T_{w_0} and T_{w_1}. B picks a random b ∈ {0,1}, computes C* = dPEKS(pk_R, pk_S, w_b), and sends the dPEKS ciphertext C* to A_1.
• Phase 2 (Trapdoor queries): A_1 adaptively makes trapdoor queries of the form w, and B answers with T_w = dTrapdoor(pk_S, sk_R, w) for any keyword w ∈ {0,1}*, as long as w ≠ w_0, w_1.
• Guess: A_1 outputs its guess b' ∈ {0,1} and wins Game_1 if b' = b.

Game_2: A_2 is assumed to be an outside attacker (including a malicious receiver R).

• Setup: A_2 generates its public/private key pair (pk_R, sk_R) and gives pk_R = pk_{A_2} to B. B generates the server’s public/private key pair (pk_S, sk_S) and gives pk_S to A_2. Here, (pk_R, sk_R) and pk_S are given to A_2, and pk_R and (pk_S, sk_S) are given to the challenger B.
• Challenge: A_2 gives the challenger two keywords w_0 and w_1 on which it wishes to be challenged. The restriction is that the attacker did not previously ask the dTest oracle for the trapdoors T_{w_0} and T_{w_1}. B picks a random b ∈ {0,1}, computes a dPEKS ciphertext C* = dPEKS(pk_R, pk_S, w_b), and sends C* to A_2.
• Guess: A_2 outputs its guess b' ∈ {0,1} and wins Game_2 if b' = b.

The advantage of A_i (i = 1, 2) in breaking a dPEKS scheme is defined as

Adv^{dpeks-ind-cpa}_{dPEKS, A_i}(k) = |Pr[b' = b] − 1/2|.

Definition 2. We say that a dPEKS scheme satisfies dPEKS indistinguishability against an adaptive chosen plaintext attack if for any polynomial-time attackers A_i (i = 1, 2), Adv^{dpeks-ind-cpa}_{dPEKS, A_i}(k) is negligible.¹

¹ If h is negligible, for any constant k, there exists N such that h(n) < 1/n^k for n > N.

2.3. Security of trapdoor

In this subsection, we first define the security for a trapdoor in the sense of semantic security. The security for a trapdoor (dTrapdoor-IND-CPA) asks that an outside attacker (excluding the server and the receiver) should not be able to distinguish between the trapdoors of two challenge keywords w_0 and w_1 of its choice, even though it is allowed to obtain trapdoors for any non-challenge keywords, i.e., w ≠ w_0, w_1. Let A_3 be an outside attacker whose running time is bounded by t, which is a polynomial in a security parameter k. To describe the security for the trapdoor, we define the following game, Game_3, between an attacker A_3 and the challenger B. This security model requires a trapdoor oracle, dTrapdoor, in Phases 1 and 2.

Game_3: A_3 is assumed to be an outside attacker.

• Setup: The global parameter generation algorithm GlobalSetup(k) and the two key generation algorithms KeyGen_Receiver(GP) and KeyGen_Server(GP) are run. The global parameter GP, pk_R, and pk_S are given to A_3, while sk_R and sk_S are kept secret from A_3.
• Phase 1 (Trapdoor queries): A_3 adaptively makes trapdoor queries of the form w, and B answers with T_w = dTrapdoor(pk_S, sk_R, w) for any keyword w ∈ {0,1}*.
• Challenge: A_3 gives B two keywords w_0 and w_1 on which it wishes to be challenged. The restriction is that neither w_0 nor w_1 was queried in Phase 1 for obtaining the corresponding trapdoors T_{w_0} and T_{w_1}. B picks a random b ∈ {0,1}, computes a trapdoor T_{w_b} = dTrapdoor(pk_S, sk_R, w_b), and sends T_{w_b} to A_3.
• Phase 2 (Trapdoor queries): A_3 adaptively makes trapdoor queries of the form w, and B answers with T_w = dTrapdoor(pk_S, sk_R, w) for any keyword w ∈ {0,1}*, as long as w ≠ w_0, w_1.
• Guess: A_3 outputs its guess b' ∈ {0,1} and wins Game_3 if b' = b.

The advantage of A_3 in breaking trapdoor indistinguishability in a dPEKS scheme is defined as

Adv^{dtrapdoor-ind-cpa}_{dPEKS, A_3}(k) = |Pr[b' = b] − 1/2|.

Definition 3. We say that a dPEKS scheme satisfies trapdoor indistinguishability against an adaptive chosen plaintext attack if for any polynomial-time attacker A_3, Adv^{dtrapdoor-ind-cpa}_{dPEKS, A_3}(k) is negligible.

2.4. Trapdoor security vs. off-line keyword-guessing attack

In this subsection, we formally define the security against an off-line keyword-guessing attack in the dPEKS scheme and investigate the relation between the security against an off-line keyword-guessing attack and trapdoor indistinguishability in the sense of semantic security. Let KS be a keyword space, w ∈ KS be an unknown keyword, and T_w be a trapdoor of w. A_4 is assumed to be an outside attacker (excluding both the server and the receiver) who wants to determine which keyword was used to generate the trapdoor and whose running time is bounded by t, which is a polynomial in a security parameter k. Let PEKS = (Gen, Trapdoor, PEKS, Test) be a PEKS scheme. An adversary A_4 is associated with the following experiment (see Table 2).

Table 2. The security against keyword-guessing attack in dPEKS.

Exp^{keyword-guess-atk}_{dPEKS, A_4}(k):
  GP ← GlobalSetup(k); (pk_S, sk_S) ← KeyGen_Server(GP); (pk_R, sk_R) ← KeyGen_Receiver(GP);
  T_w ← dTrapdoor(GP, pk_S, sk_R, w);
  w' ← A_4(pk_R, pk_S, T_w);
  C_{w'} ← dPEKS(GP, pk_R, pk_S, w');
  If dTest(T_w, C_{w'}, sk_S) = 1 then return 1 else return 0.

We define the advantage of A_4 in the corresponding experiment as

Adv^{keyword-guess-atk}_{dPEKS, A_4}(k) = Pr[Exp^{keyword-guess-atk}_{dPEKS, A_4}(k) = 1],

where the probability is taken over all possible coin flips of all the algorithms involved.

Definition 4. We say that a dPEKS scheme is secure against an off-line keyword-guessing attack if for any polynomial-time attacker A_4, the advantage Adv^{keyword-guess-atk}_{dPEKS, A_4}(k) is negligible.

Theorem 5. If dPEKS is dTrapdoor-IND-CPA secure, then dPEKS is secure against off-line keyword-guessing attack.

Proof. Let A_4 be any polynomial-time attacker (PTA) whose task is to break the dPEKS scheme with a keyword-guessing attack, and consider the following PTA (excluding the malicious server and receiver) A_3, which attacks the dTrapdoor-IND-CPA security of the dPEKS scheme. In the Challenge phase, A_3 provides two keywords w_0, w_1 ∈ KS to the challenger and receives a challenge trapdoor T_{w_b}. If A_3 gives this challenge trapdoor T_{w_b} and the receiver’s public key pk_R to A_4, then A_4 outputs a guessed keyword w' ∈ KS by using a keyword-guessing attack. When A_4 gives the result w' to A_3, if w' = w_{b'} for some b' ∈ {0,1}, then A_3 answers b'; otherwise, A_3 randomly chooses b' ∈ {0,1} and answers b'. It is easy to see that

Pr[Exp^{dtrapdoor-ind-cpa-b}_{dPEKS, A_3}(k) = b] ≥ Pr[Exp^{keyword-guess-atk}_{dPEKS, A_4}(k) = 1],

Pr[Exp^{dtrapdoor-ind-cpa-(1−b)}_{dPEKS, A_3}(k) = b] ≤ 2^{−k}.

Therefore, Adv^{keyword-guess-atk}_{dPEKS, A_4}(k) ≤ Adv^{dtrapdoor-ind-cpa}_{dPEKS, A_3}(k) + 2^{−k}. This completes the proof of Theorem 6. □

2.5. Bilinear pairings and complexity assumptions

We briefly review bilinear pairings and describe the following assumptions required for the security proofs.

2.5.1. Bilinear pairings

We follow the notations in Boneh and Boyen (2004) and Boneh and Waters (2007). Let Z be the set of integers and Z_p be the group of prime order p. Let G and G_T be two (multiplicative) cyclic groups of prime order p with an admissible bilinear map e : G × G → G_T, and let g be a generator of G. Let e : G × G → G_T be a map that has the following properties.

• Bilinear: For all u, v ∈ G and a, b ∈ Z, we have e(u^a, v^b) = e(u, v)^{ab}.
• Non-degenerate: e(g, g) ≠ 1.
• Computable: There is an efficient algorithm for computing the map e.

Then we say that G is a bilinear group and the map e is a bilinear pairing in G. Note that e(·, ·) is symmetric since e(g^a, g^b) = e(g, g)^{ab} = e(g^b, g^a).

2.5.2. The Bilinear Diffie–Hellman (BDH) assumption (Boneh et al., 2004)

The BDH problem in G is defined as follows: given (g, g^a, g^b, g^c) ∈ G^4 as input, compute e(g, g)^{abc} ∈ G_T. An algorithm A has advantage ε in solving the BDH problem in G if

Pr[A(g, g^a, g^b, g^c) = e(g, g)^{abc}] ≥ ε,

where the probability is taken over the random choice of g ∈ G, the random choice of a, b, c ∈ Z_p, and the random bits of A. We say that the BDH assumption holds in G if no t-time algorithm has advantage at least ε in solving the BDH problem in G.

2.5.3. The Hash Diffie–Hellman (HDH) assumption (Abdalla et al., 2001)

Let hLen be a number and H : {0,1}* → {0,1}^{hLen} be a hash function. The HDH problem in G is defined as follows: given (g, g^a, g^b, H(g^c)) ∈ G^3 × {0,1}^{hLen} and H : {0,1}* → {0,1}^{hLen} as inputs, output ‘‘yes” if a · b = c and ‘‘no” otherwise. An algorithm A that outputs b' ∈ {0,1} has an advantage ε in solving the HDH problem in G if

|Pr[A(g, g^a, g^b, H(g^{ab})) = ‘‘yes” : g ← G, a, b ← Z_p] − Pr[A(g, g^a, g^b, η) = ‘‘yes” : g ← G, η ← {0,1}^{hLen}, a, b ← Z_p]| ≥ ε,

where the probability is taken over the random choice of g ∈ G, the random choice of η ∈ {0,1}^{hLen}, the random choice of a, b ∈ Z_p, and the random bits of A. We say that the HDH assumption holds in G if no t-time algorithm has an advantage at least ε in solving the HDH problem in G.

2.5.4. The Bilinear Diffie–Hellman Inversion (BDHI) assumption (Boneh and Boyen, 2004)

The 1-BDHI problem in G is defined as follows: given the 2-tuple (g, g^x) ∈ G^2 as input, compute e(g, g)^{1/x} ∈ G_T. An algorithm A has advantage ε in solving the 1-BDHI problem in G if

Pr[A(g, g^x) = e(g, g)^{1/x}] ≥ ε,

where the probability is taken over the random choice of g ∈ G, the random choice of x ∈ Z_p, and the random bits of A. We say that the 1-BDHI assumption holds in G if no t-time algorithm has advantage at least ε in solving the 1-BDHI problem in G.

3. A searchable public-key encryption with a designated tester

In this section, we construct a searchable public-key encryption scheme with a designated tester dPEKS = (GlobalSetup, KeyGen_Server, KeyGen_Receiver, dPEKS, dTrapdoor, dTest) as follows.

• GlobalSetup(k): Let G and G_T be bilinear groups of prime order p. Given a security parameter k, this algorithm first picks a random generator g ∈ G and several random elements u, ũ ∈ G. Let H : {0,1}* → G, H_1 : {0,1}* → G and H_2 : G_T → {0,1}^k be hash functions that are modeled as random oracles. This algorithm returns a global parameter GP = (p, G, G_T, e, H(·), H_1(·), H_2(·), g, u, ũ).
• KeyGen_Server(GP): Takes as input GP. This algorithm chooses a random exponent α ∈ Z_p^*, sets sk_S = α, and computes pk_S = (pk_{S,1}, pk_{S,2}) = (g^α, u^{1/α}). This algorithm outputs (pk_S, sk_S).
• KeyGen_Receiver(GP): Takes as input GP. This algorithm chooses a random exponent β ∈ Z_p, sets sk_R = β, and computes pk_R = (pk_{R,1}, pk_{R,2}) = (g^β, ũ^β). This algorithm outputs (pk_R, sk_R).
• dPEKS(GP, pk_R, pk_S, w): Takes as inputs GP, the receiver’s public key pk_R = (pk_{R,1}, pk_{R,2}), the server’s public key pk_S = (pk_{S,1}, pk_{S,2}), and a keyword w. This algorithm chooses a random value r ∈ Z_p and sets A = pk_{R,1}^r and B = H_2(e(pk_{S,1}, H_1(w)^r)). This algorithm outputs a dPEKS ciphertext C = [A, B] = [pk_{R,1}^r, H_2(e(pk_{S,1}, H_1(w)^r))].
• dTrapdoor(GP, pk_S, sk_R, w): Takes as inputs GP, the server’s public key pk_S = (pk_{S,1}, pk_{S,2}), the receiver’s secret key sk_R = β, and a keyword w. This algorithm chooses a random value r' ∈ Z_p and computes T_1 = g^{r'} and T_2 = H_1(w)^{1/β} · H(pk_{S,1}^{r'}). This algorithm outputs a trapdoor T_w = [T_1, T_2] = [g^{r'}, H_1(w)^{1/β} · H(pk_{S,1}^{r'})].
• dTest(GP, C, sk_S, T_w): Takes as inputs GP, a dPEKS ciphertext C = [A, B], the server’s secret key sk_S = α, and a trapdoor T_w = [T_1, T_2]. This algorithm computes T = T_2 / H(T_1^α) and checks whether B = H_2(e(A, T^α)) holds. If the above equality is satisfied, then output ‘yes’; otherwise, output ‘no’.
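The scheme above, together with the keyword-guessing experiment of Table 2 (Section 2.4), carried through in a toy model as an added example (not the authors' code). It assumes that every element of G and G_T is represented by its discrete logarithm modulo a constructed prime P, so the pairing becomes multiplication of exponents; this reproduces the algebra (and lets one check dTest and the designated-tester property) but has no security, since the exponents are visible. All function names, the prime P and the hash constructions are this example's own choices.

```python
"""Toy model of the dPEKS scheme of Section 3 and of Table 2 (added example).

Assumption: an element of G or G_T is its discrete logarithm modulo the prime
P (g = 1), so u^a is a*u, u*v is u+v and e(g^a, g^b) = e(g,g)^{ab} is a*b.
This keeps the algebra of the scheme but offers no security whatsoever."""
import hashlib
import secrets

P = 2**127 - 1   # prime group order p (constructed value, not from the paper)
K = 128          # security parameter k: bit length of H2's output

def _hash_to_zp(label: bytes, *parts) -> int:
    """Domain-separated hash into Z_p; stands in for the random oracles H, H1."""
    h = hashlib.sha256(label)
    for x in parts:
        h.update(str(x).encode())
    return int.from_bytes(h.digest(), "big") % P

def H(elem: int) -> int:          # H : G -> G
    return _hash_to_zp(b"H", elem)

def H1(keyword: str) -> int:      # H1 : {0,1}* -> G
    return _hash_to_zp(b"H1", keyword)

def H2(gt_elem: int) -> bytes:    # H2 : G_T -> {0,1}^k
    return hashlib.sha256(b"H2" + str(gt_elem).encode()).digest()[: K // 8]

def global_setup() -> dict:
    """GlobalSetup(k): generator g (log 1) and random u, u~ in G."""
    return {"g": 1, "u": secrets.randbelow(P), "u_tilde": secrets.randbelow(P)}

def keygen_server(gp: dict):
    """KeyGen_Server: sk_S = alpha in Z_p^*, pk_S = (g^alpha, u^{1/alpha})."""
    alpha = 1 + secrets.randbelow(P - 1)
    return (alpha * gp["g"] % P, gp["u"] * pow(alpha, -1, P) % P), alpha

def keygen_receiver(gp: dict):
    """KeyGen_Receiver: sk_R = beta, pk_R = (g^beta, u~^beta)."""
    beta = 1 + secrets.randbelow(P - 1)
    return (beta * gp["g"] % P, gp["u_tilde"] * beta % P), beta

def dpeks(gp: dict, pk_r, pk_s, w: str):
    """dPEKS: C = [A, B] = [pk_{R,1}^r, H2(e(pk_{S,1}, H1(w)^r))]."""
    r = 1 + secrets.randbelow(P - 1)
    A = pk_r[0] * r % P
    B = H2(pk_s[0] * (H1(w) * r % P) % P)   # pairing = product of exponents
    return (A, B)

def dtrapdoor(gp: dict, pk_s, sk_r: int, w: str):
    """dTrapdoor: T_w = [g^{r'}, H1(w)^{1/beta} * H(pk_{S,1}^{r'})]."""
    r_prime = 1 + secrets.randbelow(P - 1)
    T1 = gp["g"] * r_prime % P
    mask = H(pk_s[0] * r_prime % P)   # H(g^{alpha r'}): removable only with alpha
    T2 = (H1(w) * pow(sk_r, -1, P) + mask) % P
    return (T1, T2)

def dtest(gp: dict, C, sk_s: int, T_w) -> bool:
    """dTest: T = T2 / H(T1^alpha); accept iff B = H2(e(A, T^alpha))."""
    (A, B), (T1, T2) = C, T_w
    T = (T2 - H(T1 * sk_s % P)) % P
    return B == H2(A * (T * sk_s % P) % P)

def keyword_guess_experiment(gp, pk_r, pk_s, sk_r, sk_s, w, adversary) -> int:
    """Exp^{keyword-guess-atk}_{dPEKS,A4}(k) of Table 2: A4 sees only the public
    keys and T_w; the experiment returns 1 iff the designated test accepts its guess."""
    T_w = dtrapdoor(gp, pk_s, sk_r, w)
    w_guess = adversary(pk_r, pk_s, T_w)
    C_guess = dpeks(gp, pk_r, pk_s, w_guess)
    return 1 if dtest(gp, C_guess, sk_s, T_w) else 0

def demo() -> dict:
    """Correctness of dTest, the designated-tester property, and Table 2."""
    gp = global_setup()
    pk_s, sk_s = keygen_server(gp)
    pk_r, sk_r = keygen_receiver(gp)
    C = dpeks(gp, pk_r, pk_s, "urgent")
    T_match = dtrapdoor(gp, pk_s, sk_r, "urgent")
    T_other = dtrapdoor(gp, pk_s, sk_r, "invoice")
    wrong_alpha = sk_s % (P - 1) + 1          # some alpha' != sk_S in Z_p^*
    # An A4 without sk_S cannot run dTest itself; this one outputs a fixed
    # dictionary word, so it wins exactly when that word was the queried keyword.
    fixed_guess = lambda pk_r, pk_s, T_w: "invoice"
    return {
        "match": dtest(gp, C, sk_s, T_match),
        "other_keyword": dtest(gp, C, sk_s, T_other),
        "non_designated": dtest(gp, C, wrong_alpha, T_match),
        "trapdoors_randomized": T_match != dtrapdoor(gp, pk_s, sk_r, "urgent"),
        "exp_wrong_guess": keyword_guess_experiment(gp, pk_r, pk_s, sk_r, sk_s, "urgent", fixed_guess),
        "exp_right_guess": keyword_guess_experiment(gp, pk_r, pk_s, sk_r, sk_s, "invoice", fixed_guess),
    }
```

Running demo() shows dTest accepting only the matching keyword under the genuine sk_S, two trapdoors for the same keyword differing because of r', and the Table 2 experiment returning 1 only when the outsider's guess equals the queried keyword.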


H.S. Rhee et al. / The Journal of Systems and Software 83 (2010) 763–771

Correctness: Assume that the ciphertext $C = [A, B] = [pk_{R,1}^{\,r},\ H_2(e(pk_{S,1}, H_1(w')^r))]$ is valid for $w'$ and that the trapdoor $T_w = [T_1, T_2] = [g^{r'},\ H_1(w)^{1/\beta} \cdot H(pk_{S,1}^{\,r'})]$ is for $w$. The dTest algorithm first recovers

$$T = \frac{T_2}{H(T_1^{\,\alpha})} = \frac{H_1(w)^{1/\beta} \cdot H(pk_{S,1}^{\,r'})}{H((g^{r'})^{\alpha})} = H_1(w)^{1/\beta},$$

since $pk_{S,1}^{\,r'} = (g^{\alpha})^{r'} = (g^{r'})^{\alpha}$, and then evaluates

$$H_2(e(A, T^{\alpha})) = H_2(e(pk_{R,1}^{\,r}, T^{\alpha})) = H_2(e(g^{\beta r}, (H_1(w)^{1/\beta})^{\alpha})) = H_2(e(g^{\alpha}, H_1(w)^r)) = H_2(e(pk_{S,1}, H_1(w)^r)).$$

Observe that if $w$ is identical to $w'$, this value equals $B$ and the dTest algorithm outputs 'yes'.

3.1. Security

We now show that our scheme satisfies dPEKS ciphertext indistinguishability (dPEKS-IND-CPA) and trapdoor indistinguishability (dTrapdoor-IND-CPA) against a chosen plaintext attack.

3.1.1. dPEKS ciphertext indistinguishability

We prove the security of a dPEKS ciphertext (dPEKS-IND-CPA) for the dPEKS scheme under the 1-BDHI and BDH assumptions described earlier. The structure of our proof of security is similar to that described in (Boneh et al., 2004).
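The five algorithms above and the correctness check, as an added example that is not part of the paper and not the authors' code. It runs over a toy model of the bilinear group in which every element $g^x$ is stored as its exponent $x$ modulo a constructed prime P, a product in $G$ is a sum of exponents, and $e(g^x, g^y) = e(g,g)^{xy}$ is stored as the exponent $xy$; H, H1 and H2 are SHA-256 stand-ins for the random oracles. The model reproduces the scheme's algebra exactly but has no cryptographic strength (all discrete logarithms are in the clear), so it is only a check of the equations $T = T_2 / H(T_1^{\alpha}) = H_1(w)^{1/\beta}$ and $B = H_2(e(A, T^{\alpha}))$. The helper `server_keyword_guess` is likewise an assumption added here: it shows the off-line guessing loop that the designated tester (holder of $sk_S$) can run, which an outsider without $sk_S$ cannot.

```python
"""Toy model of the dPEKS scheme (added example, not the authors' code).

Group elements are represented by their discrete logarithms mod P: g^x -> x,
g^x * g^y -> x + y, (g^x)^y -> x*y, and e(g^x, g^y) = e(g,g)^(xy) -> x*y.
This gives NO security; it only exercises the scheme's correctness equation.
"""
import hashlib
import secrets

P = (1 << 127) - 1   # constructed prime group order for the toy model
G_GEN = 1            # the generator g, stored as g^1


def rand_zp() -> int:
    """Uniform element of Z_p^* (the scheme's random exponents)."""
    return secrets.randbelow(P - 1) + 1


def inv(x: int) -> int:
    return pow(x, -1, P)


def pairing(x: int, y: int) -> int:
    """e(g^x, g^y) = e(g,g)^(xy), represented by the exponent xy."""
    return x * y % P


def H(elem: int) -> int:
    """H: {0,1}* -> G, applied to the encoding of a group element (returns log_g H)."""
    d = hashlib.sha256(b"H|" + elem.to_bytes(16, "big")).digest()
    return int.from_bytes(d, "big") % (P - 1) + 1


def H1(w: str) -> int:
    """H1: {0,1}* -> G on a keyword (returns log_g H1(w))."""
    d = hashlib.sha256(b"H1|" + w.encode()).digest()
    return int.from_bytes(d, "big") % (P - 1) + 1


def H2(t: int) -> bytes:
    """H2: G_T -> {0,1}^k with k = 256."""
    return hashlib.sha256(b"H2|" + t.to_bytes(16, "big")).digest()


def global_setup() -> dict:
    return {"g": G_GEN, "u": rand_zp(), "u_tilde": rand_zp()}


def keygen_server(gp: dict):
    alpha = rand_zp()                                          # sk_S = alpha
    pk_s = (gp["g"] * alpha % P, gp["u"] * inv(alpha) % P)     # (g^alpha, u^{1/alpha})
    return pk_s, alpha


def keygen_receiver(gp: dict):
    beta = rand_zp()                                           # sk_R = beta
    pk_r = (gp["g"] * beta % P, gp["u_tilde"] * beta % P)      # (g^beta, u~^beta)
    return pk_r, beta


def dpeks(gp: dict, pk_r, pk_s, w: str):
    r = rand_zp()
    A = pk_r[0] * r % P                                        # pk_{R,1}^r
    B = H2(pairing(pk_s[0], H1(w) * r % P))                    # H2(e(pk_{S,1}, H1(w)^r))
    return A, B


def dtrapdoor(gp: dict, pk_s, sk_r: int, w: str):
    r_prime = rand_zp()
    T1 = gp["g"] * r_prime % P                                 # g^{r'}
    T2 = (H1(w) * inv(sk_r) + H(pk_s[0] * r_prime % P)) % P    # H1(w)^{1/beta} * H(pk_{S,1}^{r'})
    return T1, T2


def dtest(gp: dict, C, sk_s: int, T) -> bool:
    A, B = C
    T1, T2 = T
    T_ = (T2 - H(T1 * sk_s % P)) % P                           # T = T2 / H(T1^alpha)
    return B == H2(pairing(A, T_ * sk_s % P))                  # B == H2(e(A, T^alpha)) ?


def server_keyword_guess(gp, pk_r, pk_s, sk_s, trapdoor, dictionary):
    """Off-line keyword guessing by the designated tester: encrypt each candidate
    with the public keys and run dTest. The loop needs sk_S, which is exactly
    what an outside attacker lacks."""
    for cand in dictionary:
        if dtest(gp, dpeks(gp, pk_r, pk_s, cand), sk_s, trapdoor):
            return cand
    return None


if __name__ == "__main__":
    gp = global_setup()
    pk_s, sk_s = keygen_server(gp)
    pk_r, sk_r = keygen_receiver(gp)
    C = dpeks(gp, pk_r, pk_s, "invoice")
    print("same keyword :", dtest(gp, C, sk_s, dtrapdoor(gp, pk_s, sk_r, "invoice")))
    print("other keyword:", dtest(gp, C, sk_s, dtrapdoor(gp, pk_s, sk_r, "payroll")))
```

Two points worth seeing in the run: two trapdoors for the same keyword differ because of the fresh $r'$, yet both pass dTest, and the guessing loop succeeds only when given $sk_S$. The latter matches the paper's model, in which the server may always test but trapdoor indistinguishability (Theorem 7) is stated against an outside attacker.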

Theorem 6. The searchable public-key encryption scheme with a designated tester (dPEKS) satisfies dPEKS ciphertext indistinguishability (dPEKS-IND-CPA) against a chosen plaintext attack in the random oracle model, under the assumption that 1-BDHI and BDH are intractable.

Proof of Theorem 6. Lemmas 1 and 2 prove Theorem 6. □

Lemma 1. Our scheme satisfies dPEKS ciphertext indistinguishability (dPEKS-IND-CPA) against a chosen plaintext attack in Game$_1$ in the random oracle model, assuming that 1-BDHI is intractable.

Proof. Assume that $\mathcal{A}_1$ is a malicious server with advantage $\varepsilon$ in breaking the proposed scheme. Suppose that $\mathcal{A}_1$ makes at most $q_{H_2}$ queries to $H_2$ and at most $q_T$ trapdoor queries. We construct a simulator $\mathcal{B}$ which has advantage $\varepsilon' = \varepsilon / (e\, q_T\, q_{H_2})$ in solving the 1-BDHI problem in $G$, where $e$ is the base of the natural logarithm. Given a random challenge $(g, u_1 = g^x) \in G^2$, the goal of $\mathcal{B}$ is to compute $e(g,g)^{1/x} \in G_T$. $\mathcal{B}$ randomly chooses $\rho, \rho' \in \mathbb{Z}_p$ and lets $u = g^{\rho}$ and $\tilde{u} = g^{\rho'}$. $\mathcal{B}$ interacts with $\mathcal{A}_1$ as follows.

Setup: $\mathcal{A}_1$ generates its own key pair $(pk_S, sk_S)$, publishes the public key $pk_S = (pk_{S,1}, pk_{S,2})$ such that $e(pk_{S,1}, pk_{S,2}) = e(g, u)$, and keeps the secret key $sk_S = \alpha$ for itself. By the definition of $pk_S$, there exists an unknown secret key $sk_S = \alpha$ such that $pk_{S,1} = g^{\alpha}$ and $pk_{S,2} = g^{\rho/\alpha}$. To simulate the receiver's key pair $(pk_R, sk_R)$, the public key $pk_R$ should satisfy $e(pk_{R,1}, \tilde{u}) = e(pk_{R,2}, g)$. $\mathcal{B}$ randomly chooses $x' \in \mathbb{Z}_p$ and lets $pk_R = (u_1^{\,x'}, u_1^{\,\rho' x'})$, where $\rho'$ is the value selected in the setting of $\tilde{u}$; implicitly $sk_R = \beta = x x'$, which $\mathcal{B}$ does not know. $\mathcal{B}$ gives $pk_R$ to $\mathcal{A}_1$.

$H_1$-queries: $\mathcal{A}_1$ can query the random oracle $H_1$. To respond, $\mathcal{B}$ maintains a list of tuples $\langle w_j, h_j, e_j, c_j \rangle$ called the $H_1$-list, which is initially empty. When $\mathcal{A}_1$ queries $H_1$ at a point $w_i \in \{0,1\}^*$, $\mathcal{B}$ responds as follows.
1. If the query $w_i$ already appears in the $H_1$-list in a tuple $\langle w_i, h_i, e_i, c_i \rangle$, then $\mathcal{B}$ responds with $H_1(w_i) = h_i \in G$.
2. Otherwise, $\mathcal{B}$ generates a random coin $c_i \in \{0,1\}$ with $\Pr[c_i = 0] = 1/(q_T + 1)$. $\mathcal{B}$ picks a random value $e_i \in \mathbb{Z}_p$ and sets $h_i = g^{e_i} \in G$ if $c_i = 0$, and $h_i = (u_1)^{e_i} = g^{x e_i} \in G$ otherwise.
3. $\mathcal{B}$ adds the tuple $\langle w_i, h_i, e_i, c_i \rangle$ to the $H_1$-list and responds to $\mathcal{A}_1$ with $H_1(w_i) = h_i$. Note that either way $h_i$ is uniform in $G$ and independent of $\mathcal{A}_1$'s view, as required.

$H_2$-queries: Similarly, $\mathcal{A}_1$ can issue a query $t \in G_T$ to $H_2$. If a pair $(t, V)$ already appears in the $H_2$-list, $\mathcal{B}$ responds with $H_2(t) = V$. Otherwise, $\mathcal{B}$ picks a random value $V \in \{0,1\}^k$, sets $H_2(t) = V$, and adds the pair $(t, V)$ to the $H_2$-list. The $H_2$-list is initially empty.

Trapdoor queries: When $\mathcal{A}_1$ asks for the trapdoor $T_w$ of a keyword $w$, $\mathcal{B}$ responds as follows.
– Let $\langle w_j, h_j, e_j, c_j \rangle$ be the tuple on the $H_1$-list with $w_j = w$ (running the $H_1$-query algorithm above first if necessary), so that $H_1(w) = h_j \in G$. If $c_j = 0$, then $\mathcal{B}$ reports failure and terminates.
– Otherwise $h_j = (u_1)^{e_j} = g^{x e_j}$. $\mathcal{B}$ chooses a random value $r' \in \mathbb{Z}_p$ and sets $T_1 = g^{r'}$ and $T_2 = (u_1^{\,e_j})^{1/(x x')} \cdot H(pk_{S,1}^{\,r'}) = g^{e_j / x'} \cdot H(pk_{S,1}^{\,r'})$, where $x' \in \mathbb{Z}_p$ is the value selected in the Setup phase; note that $g^{e_j/x'}$ is computable from $e_j$ and $x'$ alone.
– By the setting of $pk_R$ above, $pk_{R,1} = u_1^{\,x'} = g^{x x'} = g^{\beta}$ and $H_1(w)^{1/\beta} = (g^{x e_j})^{1/(x x')} = g^{e_j/x'}$. Hence $T_2 = H_1(w)^{1/\beta} \cdot H(pk_{S,1}^{\,r'})$ and $T_w = (T_1, T_2)$ is a valid trapdoor for $w$. $\mathcal{B}$ gives $T_w$ to $\mathcal{A}_1$.

Challenge: $\mathcal{A}_1$ produces keywords $w_0$ and $w_1$ on which it wishes to be challenged. To obtain $h_0, h_1 \in G$ such that $H_1(w_0) = h_0$ and $H_1(w_1) = h_1$, $\mathcal{B}$ runs the $H_1$-query algorithm above. Let $\langle w_b, h_b, e_b, c_b \rangle \in H_1$-list $(b = 0, 1)$. If both $c_0 = 1$ and $c_1 = 1$, then $\mathcal{B}$ reports failure and terminates. Otherwise, since at least one of $c_0, c_1$ equals 0, $\mathcal{B}$ picks $b \in \{0,1\}$ such that $c_b = 0$ (so that $h_b = g^{e_b}$) and responds with the challenge dPEKS ciphertext $C^* = [A^*, B^*]$ as follows.
– $\mathcal{B}$ chooses a random value $k' \in \mathbb{Z}_p$ and implicitly lets $r = k'/(\alpha x) \in \mathbb{Z}_p$, for the unknown values $\alpha, x \in \mathbb{Z}_p$. Since $pk_{R,1}^{\,r} = (g^{x x'})^{k'/(\alpha x)} = g^{x' k'/\alpha} = (g^{\rho/\alpha})^{x' k'/\rho} = pk_{S,2}^{\,x' k'/\rho}$, $\mathcal{B}$ sets $A^* = (pk_{S,2})^{x' k'/\rho}$, where $x', \rho$ are the values selected in the Setup phase.
– $\mathcal{B}$ chooses a random $Z \in \{0,1\}^k$ and sets $B^* = Z$.
With this definition, $C^* = [A^*, B^*]$ is a valid dPEKS ciphertext for $w_b$, as required.

Trapdoor queries (Phase 2): $\mathcal{A}_1$ can continue to ask trapdoor queries for keywords $w$, with the restriction that $w \neq w_0, w_1$. $\mathcal{B}$ responds as in Phase 1.

Output: Eventually $\mathcal{A}_1$ outputs its guess $b' \in \{0,1\}$. Recall that $pk_{S,1} = g^{\alpha}$ and $r = k'/(\alpha x)$, and that $h_b = g^{e_b}$ was set with probability $1/(q_T + 1)$ in the handling of $H_1$ queries. If $\mathcal{A}_1$ queries the $H_2$ oracle at the value $e(pk_{S,1}, H_1(w_b))^r = e(g^{\alpha}, g^{e_b})^{k'/(\alpha x)} = e(g,g)^{e_b k'/x}$, then there exists a pair $(e(g,g)^{e_b k'/x},\ H_2(e(pk_{S,1}, H_1(w_b))^r)) \in H_2$-list (the unknown value $\alpha$ cancels from the first component). Therefore, $\mathcal{B}$ picks a random pair $(t, V) \in H_2$-list and outputs $t^{1/(e_b k')}$ as its guess for $e(g,g)^{1/x}$, where $e_b$ and $k'$ are the values used in the Challenge phase. This completes the description of $\mathcal{B}$.

To show that $\mathcal{B}$ correctly outputs $e(g,g)^{1/x}$ with probability at least $\varepsilon'$, we analyze the probability that $\mathcal{B}$ does not abort during the simulation. We define the following events:
$E_1$: $\mathcal{B}$ does not abort as a result of any of $\mathcal{A}_1$'s trapdoor queries.
$E_2$: $\mathcal{B}$ does not abort during the Challenge phase.
$E_3$: $\mathcal{A}_1$ does not issue a query for either $H_2(e(H_1(w_0), pk_{S,1})^r)$ or $H_2(e(H_1(w_1), pk_{S,1})^r)$ in the real attack.
We now show, in the same manner as in (Boneh et al., 2004), that $E_1$ and $E_2$ occur with sufficiently high probability.

Claim 1. $\Pr[E_1] \ge 1/e$.

Proof of Claim 1. Without loss of generality, suppose that $\mathcal{A}_1$ does not ask for the trapdoor of the same keyword twice. Let $T_{w_i}$ be $\mathcal{A}_1$'s $i$-th trapdoor query and $\langle w_i, h_i, e_i, c_i \rangle$ the corresponding tuple in the $H_1$-list. $\mathcal{B}$ aborts on this query exactly when $c_i = 0$, which happens with probability $1/(q_T + 1)$. Since the only value given to $\mathcal{A}_1$ that depends on $c_i$ is $H_1(w_i)$, which is uniform in $G$ either way, and since $\mathcal{A}_1$ makes at most $q_T$ trapdoor queries, the probability that $\mathcal{B}$ does not abort as a result of all trapdoor queries is at least $(1 - 1/(q_T + 1))^{q_T} \ge 1/e$.

Claim 2. $\Pr[E_2] \ge 1/q_T$.

Proof of Claim 2. $\mathcal{B}$ aborts in the Challenge phase exactly when $c_0 = c_1 = 1$, where $\langle w_i, h_i, e_i, c_i \rangle$ $(i = 0, 1)$ are the tuples in the $H_1$-list for $w_0$ and $w_1$. Since $\mathcal{A}_1$ can never issue a trapdoor query for the challenge keywords $w_0$ and $w_1$, both $c_0$ and $c_1$ are independent of $\mathcal{A}_1$'s view in the simulation. Since $\Pr[c_i = 0] = 1/(q_T + 1)$ for $i = 0, 1$, we obtain $\Pr[E_2] = 1 - (1 - 1/(q_T + 1))^2$, which is at least $1/q_T$ whenever $q_T \ge 2$. Hence $\Pr[E_1 \wedge E_2] \ge 1/(e\, q_T)$.

Finally, we should show that during the simulation $\mathcal{A}_1$ issues a query for $H_2(e(H_1(w_b), pk_{S,1})^r)$ with probability at least $\varepsilon$.

Claim 3. $\Pr[\neg E_3] \ge 2\varepsilon$.

Proof of Claim 3. Suppose that in the real game $\mathcal{A}_1$ is given the receiver's public key $pk_R = (u_1^{\,x'}, u_1^{\,\rho' x'})$ and asks to be challenged on the keywords $w_0$ and $w_1$. In response, $\mathcal{A}_1$ is given a challenge $C^* = [A^*, B^*]$. We show that $\mathcal{A}_1$ issues a query for either $H_2(e(H_1(w_0), pk_{S,1})^r)$ or $H_2(e(H_1(w_1), pk_{S,1})^r)$ with probability at least $2\varepsilon$. If the event $E_3$ occurs, the bit $b \in \{0,1\}$, which indicates whether $C^*$ is a dPEKS ciphertext of $w_0$ or of $w_1$, is independent of $\mathcal{A}_1$'s view, because $B^*$ is then a random string unrelated to $b$. Therefore $\mathcal{A}_1$'s output $b'$ satisfies $b' = b$ with probability exactly $1/2$. These two facts imply $\Pr[\neg E_3] \ge 2\varepsilon$ as follows:

$$\begin{aligned}
\Pr[b' = b] &= \Pr[b' = b \mid E_3]\Pr[E_3] + \Pr[b' = b \mid \neg E_3]\Pr[\neg E_3] \\
&\le \Pr[b' = b \mid E_3]\Pr[E_3] + \Pr[\neg E_3] = \tfrac{1}{2}\Pr[E_3] + \Pr[\neg E_3] = \tfrac{1}{2} + \tfrac{1}{2}\Pr[\neg E_3], \\
\Pr[b' = b] &\ge \Pr[b' = b \mid E_3]\Pr[E_3] = \tfrac{1}{2}\Pr[E_3] = \tfrac{1}{2} - \tfrac{1}{2}\Pr[\neg E_3].
\end{aligned}$$

It follows that $\varepsilon \le |\Pr[b' = b] - 1/2| \le \tfrac{1}{2}\Pr[\neg E_3]$. Hence $\Pr[\neg E_3] \ge 2\varepsilon$. Consequently, by Claim 3, $\mathcal{B}$ chooses the correct pair from the $H_2$-list with probability at least $1/q_{H_2}$ and thereby the correct answer with probability at least $\varepsilon / q_{H_2}$. Since $\mathcal{B}$ does not abort with probability at least $1/(e\, q_T)$, we see that $\mathcal{B}$'s overall probability of success is at least $\varepsilon / (e\, q_T\, q_{H_2})$, as required. □

Lemma 2. Our scheme satisfies dPEKS ciphertext indistinguishability (dPEKS-IND-CPA) against a chosen plaintext attack in Game$_2$ in the random oracle model, under the assumption that BDH is intractable.

Proof. Assume that $\mathcal{A}_2$ is a malicious receiver with advantage $\varepsilon$ in breaking the proposed scheme. Suppose that $\mathcal{A}_2$ makes at most $q_{H_2}$ queries to $H_2$. We construct a simulator $\mathcal{B}$ that has advantage $\varepsilon' = \varepsilon / (e\, q_{H_2})$ in solving the BDH problem in $G$, where $e$ is the base of the natural logarithm. Given $g$, $u_1 = g^a$, $u_2 = g^b$ and $u_3 = g^c \in G$, the goal of $\mathcal{B}$ is to compute $e(g,g)^{abc} \in G_T$. $\mathcal{B}$ randomly chooses $t_1, t_2 \in \mathbb{Z}_p$ and lets $u = (u_1)^{t_1} = g^{a t_1}$ and $\tilde{u} = (u_3)^{t_2} = g^{c t_2}$ in $G$. $\mathcal{B}$ interacts with $\mathcal{A}_2$ as follows.

Setup: $\mathcal{A}_2$ generates its own key pair $(pk_R, sk_R)$, publishes the public key $pk_R = (pk_{R,1}, pk_{R,2})$ and keeps the secret key $sk_R = \beta$ for itself. Since $e(pk_{R,1}, \tilde{u}) = e(pk_{R,2}, g)$ must be satisfied, if there exists an unknown secret key $sk_R = \beta$ such that $pk_{R,1} = g^{\beta}$, then $pk_{R,2} = \tilde{u}^{\beta} = g^{c t_2 \beta}$. To simulate the server's key pair $(pk_S, sk_S)$, the public key $pk_S$ should satisfy the equation $e(pk_{S,1}, pk_{S,2}) = e(g, u)$. $\mathcal{B}$ chooses a random value $t_3 \in \mathbb{Z}_p$ and lets $pk_S = (pk_{S,1}, pk_{S,2}) = (u_1^{\,t_3}, g^{t_1/t_3})$, where $t_1 \in \mathbb{Z}_p$ is the value chosen in setting $u = (u_1)^{t_1} = g^{a t_1}$; implicitly $sk_S = \alpha = a t_3$, and indeed $e(g^{a t_3}, g^{t_1/t_3}) = e(g,g)^{a t_1} = e(g, u)$.

$H_1$-queries: $\mathcal{B}$ simulates $H_1$ queries by a method similar to the one in Lemma 1; we describe only the difference. When $\mathcal{A}_2$ queries the random oracle $H_1$ at a point $w_i \in \{0,1\}^*$, $\mathcal{B}$ maintains the $H_1$-list and answers repeated queries in the same manner as in Lemma 1. For a new query, $\mathcal{B}$ picks a random $e_i \in \mathbb{Z}_p$ and sets $h_i = u_2^{\,e_i} = g^{b e_i} \in G$; no coin is needed here, because the receiver $\mathcal{A}_2$ holds $sk_R$ and computes trapdoors itself, so $\mathcal{B}$ never has to answer a trapdoor query. $\mathcal{B}$ adds the tuple $\langle w_i, h_i, e_i \rangle$ to the $H_1$-list and responds to $\mathcal{A}_2$ with $H_1(w_i) = h_i$.

$H_2$-queries: By the same method as in Lemma 1, $\mathcal{B}$ simulates $H_2$ queries. We omit the details.

Challenge: $\mathcal{A}_2$ produces keywords $w_0$ and $w_1$ on which it wishes to be challenged. To obtain $h_0, h_1 \in G$ such that $H_1(w_0) = h_0$ and $H_1(w_1) = h_1$, $\mathcal{B}$ runs the $H_1$-query algorithm above. Let $\langle w_b, h_b, e_b \rangle$ be the corresponding tuples on the $H_1$-list $(b = 0, 1)$. $\mathcal{B}$ picks $b \in \{0,1\}$ and responds with the challenge $C^* = [A^*, B^*]$ as follows.
– Since $pk_{R,2} = \tilde{u}^{sk_R} = (g^{c t_2})^{\beta}$, $\mathcal{B}$ sets $A^* = pk_{R,2}^{\,1/t_2} = g^{c\beta} = pk_{R,1}^{\,c}$, which yields $A^* = pk_{R,1}^{\,c}$ without knowledge of $c$, where $u_3 = g^c$ is a component of the BDH tuple and $t_2$ is the value used in setting $\tilde{u}$. Implicitly, the ciphertext randomness is $r = c$.
– $\mathcal{B}$ chooses a random $Z \in \{0,1\}^k$ and sets $B^* = Z$.
With this definition, $C^* = [A^*, B^*]$ is a valid dPEKS ciphertext for $w_b$, as required.

Output: $\mathcal{A}_2$ outputs its guess $b' \in \{0,1\}$. Recall that $pk_{S,1} = g^{a t_3}$ and $r = c$, and that $h_b = u_2^{\,e_b}$ was set with probability 1 in the handling of $H_1$ queries. If $\mathcal{A}_2$ queries the $H_2$ oracle at the value $e(pk_{S,1}, H_1(w_b))^r = e(u_1^{\,t_3}, u_2^{\,e_b})^c = e(g,g)^{abc \cdot e_b t_3}$, there exists a pair $(e(g,g)^{abc \cdot e_b t_3},\ H_2(e(pk_{S,1}, H_1(w_b))^r)) \in H_2$-list. Therefore, $\mathcal{B}$ picks a random pair $(t, V) \in H_2$-list and outputs $t^{1/(e_b t_3)}$ as its guess for $e(g,g)^{abc}$, where $e_b$ and $t_3$ are the values set in the Challenge phase and in the parameter setting. This completes the description of $\mathcal{B}$.

To show that $\mathcal{B}$ correctly outputs $e(g,g)^{abc}$ with probability at least $\varepsilon'$, we analyze the probability that $\mathcal{B}$ does not abort during the simulation. We define the following events.
$E_1$: $\mathcal{B}$ does not abort during the Challenge phase.
$E_2$: $\mathcal{A}_2$ does not issue a query for either $H_2(e(H_1(w_0), pk_{S,1})^r)$ or $H_2(e(H_1(w_1), pk_{S,1})^r)$ in the real attack.

Claim 4. $\Pr[E_1] = 1$.

Proof of Claim 4. Since there is no restriction in the Challenge phase and the challenge value can be constructed from the BDH tuple, algorithm $\mathcal{B}$ does not abort during the Challenge phase. Therefore $\Pr[E_1] = 1$.

Finally, we should show that during the simulation $\mathcal{A}_2$ issues a query for $H_2(e(H_1(w_b), pk_{S,1})^r)$ with probability at least $\varepsilon$.


Claim 5. Suppose that in the real game $\mathcal{A}_2$ is given the server's public key $pk_S$ and asks to be challenged on the keywords $w_0$ and $w_1$. In response, $\mathcal{A}_2$ is given a challenge $C^*$. Then $\mathcal{A}_2$ issues a query for either $H_2(e(H_1(w_0), pk_{S,1})^r)$ or $H_2(e(H_1(w_1), pk_{S,1})^r)$ with probability at least $2\varepsilon$.

Proof of Claim 5. If the event $E_2$ occurs, the bit $b \in \{0,1\}$ indicating whether $C^*$ is a dPEKS ciphertext of $w_0$ or of $w_1$ is independent of $\mathcal{A}_2$'s view. Therefore $\mathcal{A}_2$'s output $b'$ satisfies $b' = b$ with probability exactly $1/2$. These two facts imply $\Pr[\neg E_2] \ge 2\varepsilon$ as follows:

$$\begin{aligned}
\Pr[b' = b] &= \Pr[b' = b \mid E_2]\Pr[E_2] + \Pr[b' = b \mid \neg E_2]\Pr[\neg E_2] \\
&\le \Pr[b' = b \mid E_2]\Pr[E_2] + \Pr[\neg E_2] = \tfrac{1}{2}\Pr[E_2] + \Pr[\neg E_2] = \tfrac{1}{2} + \tfrac{1}{2}\Pr[\neg E_2], \\
\Pr[b' = b] &\ge \Pr[b' = b \mid E_2]\Pr[E_2] = \tfrac{1}{2}\Pr[E_2] = \tfrac{1}{2} - \tfrac{1}{2}\Pr[\neg E_2].
\end{aligned}$$

It follows that $\varepsilon \le |\Pr[b' = b] - 1/2| \le \tfrac{1}{2}\Pr[\neg E_2]$. Hence $\Pr[\neg E_2] \ge 2\varepsilon$, as required. Consequently, by Claim 5, $\mathcal{B}$ chooses the correct pair from the $H_2$-list with probability at least $1/q_{H_2}$ and thereby the correct answer with probability at least $\varepsilon / q_{H_2}$. Since $\mathcal{B}$ never aborts (Claim 4), $\mathcal{B}$'s overall probability of success is at least $\varepsilon / q_{H_2}$, which is at least the claimed $\varepsilon / (e\, q_{H_2})$. □

3.1.2. Trapdoor indistinguishability

We prove the security of a trapdoor value under the HDH assumption described earlier.

Theorem 7. Our scheme satisfies trapdoor indistinguishability (dTrapdoor-IND-CPA) against a chosen keyword attack in Game$_3$, under the assumption that Hash Diffie-Hellman (HDH) is intractable.

Proof. Assume there exists a malicious outside attacker $\mathcal{A}_3$ with advantage $\varepsilon$ in breaking the trapdoor indistinguishability of the proposed scheme. Suppose that $\mathcal{A}_3$ makes at most $q_T$ trapdoor queries $(q_T > 0)$. We build an algorithm $\mathcal{B}$ which has advantage $\varepsilon' = \varepsilon$ in solving the Hash Diffie-Hellman (HDH) problem in $G$. $\mathcal{B}$ takes as input a random HDH challenge $(g, g^a, g^b, \eta) \in G^4$ together with a hash function $H: \{0,1\}^* \to G$, where $\eta$ is either $H(g^{ab})$ or a random element of $G$. $\mathcal{B}$ randomly chooses $\delta_1, \delta_2 \in \mathbb{Z}_p$ and lets $u = (g^a)^{\delta_1}$ and $\tilde{u} = g^{\delta_2}$. $\mathcal{B}$ also chooses the hash functions $H_1$ and $H_2$ at random. Algorithm $\mathcal{B}$ proceeds and interacts with $\mathcal{A}_3$ as follows.

Setup: Algorithm $\mathcal{B}$ randomly chooses the receiver's secret key $sk_R = \beta$ and sets the receiver's public key as $pk_R = (pk_{R,1}, pk_{R,2}) = (g^{\beta}, \tilde{u}^{\beta})$. It chooses a random value $\lambda \in \mathbb{Z}_p$ and sets the server's public key $pk_S = (pk_{S,1}, pk_{S,2}) = ((g^a)^{\lambda}, u^{1/(a\lambda)}) = ((g^a)^{\lambda}, g^{\delta_1/\lambda})$. Here, there exists an unknown value $a$ such that $sk_S = \alpha = a\lambda$. By the definition of the server's and the receiver's public keys, the equations $e(pk_{S,1}, pk_{S,2}) = e(g, u)$ and $e(pk_{R,1}, \tilde{u}) = e(pk_{R,2}, g)$ are satisfied.
Trapdoor queries: When $\mathcal{A}_3$ issues a query for the trapdoor corresponding to the keyword $w_j$, $\mathcal{B}$ responds as follows.
– $\mathcal{B}$ randomly chooses $r' \in \mathbb{Z}_p$ and computes $T_1 = g^{r'}$ and $T_2 = H_1(w_j)^{1/\beta} \cdot H((g^a)^{\lambda r'})$, where $\beta, \lambda \in \mathbb{Z}_p$ are the values selected in the Setup phase; since $(g^a)^{\lambda r'} = pk_{S,1}^{\,r'}$, this is exactly the output of dTrapdoor.
– $\mathcal{B}$ responds to $\mathcal{A}_3$ with the trapdoor $T_{w_j} = [T_1, T_2]$ of $w_j$.

Challenge: $\mathcal{A}_3$ outputs two keywords, $w_0$ and $w_1$, on which it wishes to be challenged. $\mathcal{B}$ generates the challenge trapdoor $T^*_{w_{\tilde{b}}} = [T^*_1, T^*_2]$ as follows.
– $\mathcal{B}$ picks a random bit $\tilde{b} \in \{0,1\}$ and sets $T^*_1 = (g^b)^{1/\lambda}$ and $T^*_2 = H_1(w_{\tilde{b}})^{1/\beta} \cdot \eta$, where $\lambda \in \mathbb{Z}_p$ is the value selected in the Setup phase and $\eta$ is a component of the HDH challenge.
– $\mathcal{B}$ responds with the challenge trapdoor $T^*_{w_{\tilde{b}}} = [T^*_1, T^*_2]$.

If $\eta = H(g^{ab})$, then $T^*_{w_{\tilde{b}}}$ is a valid challenge trapdoor of $w_{\tilde{b}}$ under randomness $r' = b/\lambda$, which is uniformly distributed because $\lambda \in \mathbb{Z}_p$ is: indeed $pk_{S,1}^{\,b/\lambda} = (g^{a\lambda})^{b/\lambda} = g^{ab}$, so $T^*_2 = H_1(w_{\tilde{b}})^{1/\beta} \cdot H(pk_{S,1}^{\,b/\lambda})$. On the other hand, when $\eta$ is a uniform element of $G$ independent of $g^a$ and $g^b$, then in the attacker's view $T^*_{w_{\tilde{b}}}$ is independent of the bit $\tilde{b}$.

Trapdoor queries (Phase 2): $\mathcal{A}_3$ can continue to issue trapdoor queries for keywords $w_j$, with the restriction that $w_j \neq w_0, w_1$. Algorithm $\mathcal{B}$ responds to these queries as before.

Output: Eventually, $\mathcal{A}_3$ outputs its guess $b' \in \{0,1\}$, which indicates whether the challenge $T^*_{w_{\tilde{b}}}$ is dTrapdoor($GP, pk_S, sk_R, w_0$) or dTrapdoor($GP, pk_S, sk_R, w_1$). If $\tilde{b} = b'$, then $\mathcal{B}$ outputs 1, meaning $\eta = H(g^{ab})$; otherwise, it outputs 0, meaning $\eta \neq H(g^{ab})$.

Perfect simulation: When $\eta = H(g^{ab})$, the public keys of the receiver and the server and the challenge trapdoor issued by $\mathcal{B}$ come from a distribution identical to that in the actual construction. Since $H_1$ is chosen uniformly at random, $H_1(w_{\tilde{b}})^{1/\beta}$ is uniformly random and independent of $\mathcal{A}_3$'s view. Hence, the trapdoors issued by $\mathcal{B}$ are appropriately distributed.

Probability analysis: When the input tuple is sampled from $P_{HDH}$ (where $\eta = H(g^{ab})$), $\mathcal{A}_3$ must satisfy $|\Pr[\tilde{b} = b'] - 1/2| \ge \varepsilon$. On the other hand, when the input tuple is sampled from $R_{HDH}$ (where $\eta'$ is uniform over $G$), then $\eta'$ and $T^*_2 = H_1(w_{\tilde{b}})^{1/\beta} \cdot \eta'$ are uniform and independent over $G$, in which case $\Pr[\tilde{b} = b'] = 1/2$. Therefore, with $g, g^a, g^b$ and $\eta'$ uniform over $G$, we have

$$\Bigl|\Pr[\mathcal{B}(g, g^a, g^b, H(g^{ab})) = 0] - \Pr[\mathcal{B}(g, g^a, g^b, \eta') = 0]\Bigr| \ge \Bigl|\bigl(\tfrac{1}{2} \pm \varepsilon\bigr) - \tfrac{1}{2}\Bigr| \ge \varepsilon,$$

as required. In this simulation, the probability that $\mathcal{B}$ aborts as a result of any of $\mathcal{A}_3$'s trapdoor queries or during the Challenge phase is 0. Therefore, $\mathcal{B}$'s overall probability of success equals $\mathcal{A}_3$'s probability of success.

Time complexity: In the simulation, $\mathcal{B}$'s overhead is dominated by computing $T_w$ in response to $\mathcal{A}_3$'s trapdoor query on $w$; computing the two components of $T_w$ requires $O(1)$ exponentiations in $G$. Since $\mathcal{A}_3$ makes at most $q_T$ such queries, $t = t' + O(t_{exp} \cdot q_T)$. Hence, the proof of Theorem 7 is complete. □

4. Conclusion

In this paper, we have refined dPEKS ciphertext indistinguishability and newly defined trapdoor indistinguishability. We have shown the relation between trapdoor indistinguishability and security against keyword-guessing attacks, and constructed a searchable public-key encryption scheme with a designated tester (dPEKS) that satisfies both dPEKS ciphertext indistinguishability and trapdoor indistinguishability. Recently, research that extends the types of queries on encrypted data has been receiving much attention; examples are conjunctive keyword searches, range queries, similarity searches, etc. As noted in (Byun et al., 2006), keyword search is intrinsically vulnerable to off-line keyword-guessing attacks. In the efforts to extend the types of queries, security against off-line keyword-guessing attacks has not been properly considered thus far. This would be a promising area of study in the field of keyword search on encrypted data.

Acknowledgments This work was partially supported by Defense Acquisition Program Administration and Agency for Defense Development under the contract.


References

Abdalla, M., Bellare, M., Rogaway, P., 2001. DHIES: an encryption scheme based on the Diffie–Hellman problem. In: Proceedings of CT-RSA'01. LNCS, vol. 2020, pp. 143–158.
Abdalla, M., Bellare, M., Catalano, D., Kiltz, E., Kohno, T., Lange, T., Malone-Lee, J., Neven, G., Paillier, P., Shi, H., 2005. Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. In: Proceedings of Crypto'05. LNCS, vol. 3621, pp. 205–222.
Baek, J., Safavi-Naini, R., Susilo, W., 2006. Public key encryption with keyword search revisited. In: Proceedings of ACIS'06.
Boneh, D., Boyen, X., 2004. Efficient selective-ID secure identity based encryption without random oracles. In: Proceedings of Eurocrypt'04. LNCS, vol. 3027.
Boneh, D., Waters, B., 2007. Conjunctive, subset, and range queries on encrypted data. In: Proceedings of TCC'07. LNCS, vol. 4392, pp. 535–554.
Boneh, D., Crescenzo, G.D., Ostrovsky, R., Persiano, G., 2004. Public key encryption with keyword search. In: Proceedings of Eurocrypt'04. LNCS, vol. 3027, pp. 506–522.
Boneh, D., Kushilevitz, E., Ostrovsky, R., Skeith, W.E., 2007. Public key encryption that allows PIR queries. In: Proceedings of Crypto'07. LNCS, vol. 4622, pp. 50–67.
Byun, J.W., Rhee, H.S., Park, H.A., Lee, D.H., 2006. Off-line keyword guessing attacks on recent keyword search schemes over encrypted data. In: Proceedings of SDM'06. LNCS, vol. 4165, pp. 75–83.
Cachin, C., Micali, S., Stadler, M., 1999. Computationally private information retrieval with polylogarithmic communication. In: Proceedings of Eurocrypt'99. LNCS, vol. 1666, pp. 402–414.
Chang, Y.C., Mitzenmacher, M., 2004. Privacy preserving keyword searches on remote encrypted data. Cryptology ePrint Archive, Report 2004/051.
Golle, P., Staddon, J., Waters, B., 2004. Secure conjunctive keyword search over encrypted data. In: Proceedings of the Second International Conference on Applied Cryptography and Network Security (ACNS'04). LNCS, vol. 3089, pp. 31–45.
Hwang, Y.H., Lee, P.J., 2007. Public key encryption with conjunctive keyword search and its extension to a multi-user system. In: Proceedings of Pairing 2007. LNCS, vol. 4575, pp. 2–22.
Katz, J., Sahai, A., Waters, B., 2008. Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Proceedings of Eurocrypt'08.
Kushilevitz, E., Ostrovsky, R., 1997. Replication is not needed: single database, computationally-private information retrieval. In: Proceedings of the 38th Annual IEEE Symposium on Foundations of Computer Science, pp. 364–373.
Ogata, W., Kurosawa, K., 2004. Oblivious keyword search. Journal of Complexity, 2004, pp. 356–371.
Park, D., Kim, K., Lee, P., 2004. Public key encryption with conjunctive field keyword search. In: Proceedings of the Fifth International Workshop WISA'04. LNCS, vol. 3325, pp. 73–86.
Rhee, H.S., Byun, J.W., Lee, D.H., Lim, J., 2006. Oblivious conjunctive keyword search. In: Proceedings of WISA'05. LNCS, vol. 3886, pp. 535–554.
Richardson, R., 2007. 2007 CSI computer crime and security survey. 12th Annual Report, Computer Security Institute (CSI).
Shen, E., Shi, E., Waters, B., 2009. Predicate privacy in encryption systems. In: Proceedings of TCC'09, pp. 457–473.
Song, D., Wagner, D., Perrig, A., 2000. Practical techniques for searches on encrypted data. In: Proceedings of the 2000 IEEE Symposium on Security and Privacy, pp. 44–55.

Hyun Sook Rhee received the B.S. and M.S. degrees in Mathematics from Dankook University, Korea, in 1998 and 2000, respectively, and the Ph.D. degree in Information Security from Korea University, Korea, in 2008. In 2008 she was a research fellow at the University of Wollongong, Australia. Since 2009 she has been a research professor in Information Security at Korea University, Korea. Her research areas include public-key encryption, searchable encryption, and privacy-enhancing technologies.

Jong Hwan Park received the B.S. degree in Mathematics from Korea University, Seoul, Korea, in 1999, and the M.S. and Ph.D. degrees in Information Security from Korea University, Seoul, Korea, in 2004 and 2008, respectively. In 2008 he held a postdoctoral position at Korea University. Since 2009 he has been a research professor in the Department of Applied Mathematics at Kyung Hee University, Yongin, Korea. His research areas include pairing-based encryption, broadcast encryption, and searchable encryption.

Willy Susilo received the B.S. degree in Computer Science from Universitas Surabaya, Indonesia, in 1994, and the M.Comp.Sc. and Ph.D. degrees in Computer Science from the University of Wollongong, Australia, in 1996 and 2001, respectively. He is currently a full Professor and Head of the School of Computer Science and Software Engineering, and Director of the Centre for Computer and Information Security Research. His research areas include cryptography, information security, computer security and network security, in particular the design of digital signature schemes.

Dong Hoon Lee received the B.S. degree in Economics from Korea University, Korea, in 1984, and the M.S. and Ph.D. degrees in Computer Science from the University of Oklahoma, USA, in 1988 and 1992, respectively. He is currently a full professor at Korea University. His research areas include cryptography and information security.