Abstract
A well-known open problem in public key encryption with keyword search is how to resist internal adversaries such as the server. Implicitly, the internal attack works as follows. Upon receiving a trapdoor, a probabilistic polynomial-time internal adversary can always act as a sender and produce a ciphertext for each keyword, provided the keyword space is bounded by a polynomial in the security parameter. The adversary then runs the test algorithm on the trapdoor and every produced ciphertext, and infers the correct keyword. To overcome this problem, the original framework must be changed slightly. A fundamental goal is to create a secure bridge between the sender and the receiver that not only preserves testability by the server, but also prevents the server from imitating a sender. Witness-based searchable encryption (WBSE) is one way to realize this design goal. In this paper, we formalize an abstracted notion, witness-based searchable encryption with aggregative trapdoor. Under this notion, we present a nearly optimal solution for WBSE under the barrier with trapdoor size proportional to n (the number of senders). Compared with the existing scheme with trapdoor size O(n), the proposed scheme is based on a bilinear map, and offers size only in n.
This work was supported in part by the Innovation Center for Big-Data and Digital Convergence, Yuan Ze University, and the Ministry of Science and Technology of Taiwan, under grant MOST 106-2218-E-115-008-MY3.
Notes
1. We keep the encoding implicit. Intuitively, we say that encoding converts an input x to a group element with some additional randomness.
A Security Definition of WBSE
A.1 Ciphertext Security
For \(\mathcal {WBSE}\) ciphertext security, a ciphertext \(\textsf {WBSE}(pk,m;w)\) does not reveal any information about m unless the trapdoor \(T_w\) for (m, t) is available under the witness relation R(w, t), where the adversary has access to the trapdoor oracle for any keyword-instance pair (m, t).
Experiment \(\varvec{Exp_{\mathcal {WBSE},\mathcal {A}}^{WB-IND-CCA}(\lambda )}\). Let \(\lambda \) be the security parameter and \(\mathcal {A}\) be the adversary against the ciphertext security of witness-based searchable encryption, defined as witness-based indistinguishable encryption under chosen ciphertext attack.
1. Setup: The challenger runs the \(\textsf {KeyGen}(1^{\lambda })\) algorithm to generate a public/private key pair (pk, sk). It then samples \(WtList=\{w_1,w_2,...,w_n\} \overset{\$}{\leftarrow } \mathcal {WT}\) and uses \(\textsf {InsGen}(w_i)\) to generate the instance list \(InsList=\{t_1,t_2,...,t_n\}\). It gives (pk, InsList) to \(\mathcal {A}\).
2. Phase I: The adversary \(\mathcal {A}\) can adaptively query the trapdoor \(T_w\) for any keyword m and instance \(t\in InsList\). The challenger returns the trapdoor \(T_w=(h_k,t_d)\).
3. Challenge: The adversary \(\mathcal {A}\) sends the challenger two keywords \((m_0,m_1)\) and an instance \(t^{*}\in InsList\). The only restriction is that the adversary must not have previously queried the trapdoor \(T_{w_0}\) for the keyword-instance pair \((m_0,t^{*})\) or \(T_{w_1}\) for the keyword-instance pair \((m_1,t^{*})\). The challenger picks a random \(b\in \{0,1\}\) and chooses the witness \(w^{*}\in WtList\) corresponding to \(t^{*}\), that is, with \(R(w^{*},t^{*})=1\). Finally, the challenger runs \(\textsf {WBSE}(pk,m_b;w^{*})\) to generate the ciphertext \(c^{*}\) and returns \(c^{*}\) to \(\mathcal {A}\).
4. Phase II: The adversary \(\mathcal {A}\) can continue to query the trapdoor \(T_w\) for its chosen keyword m and instance t as long as (m, t) is equal to neither \((m_0,t^{*})\) nor \((m_1,t^{*})\).
5. Guess: In the end, the adversary \(\mathcal {A}\) outputs a guess \(b^{'}\). \(\mathcal {A}\) wins the game if \(b=b^{'}\), in which case the experiment outputs 1; otherwise it outputs 0. In other words, the adversary wins the game if it can correctly guess whether it was given the WBSE ciphertext for \(m_0\) or \(m_1\). We define \(\mathcal {A}\)’s advantage as
$$\begin{aligned} Adv_{\mathcal{WBSE},\mathcal{A}}^{WB-IND-CCA}=\left| Pr\left[ Exp_{\mathcal{WBSE},\mathcal{A}}^{WB-IND-CCA}(\lambda )=1 \right] -\frac{1}{2} \right| . \end{aligned}$$
Definition 3 (\(\mathcal{WBSE}\)-WB-IND-CCA). We say that \(\mathcal{WBSE} = (\textsf {KeyGen}, \textsf {WBSE}, \textsf {Trapdoor}, \textsf {Test})\) is witness-based indistinguishable under chosen ciphertext attack if for all probabilistic polynomial-time adversaries \(\mathcal{A}\), \(Adv_{\mathcal{WBSE},\mathcal{A}}^{WB-IND-CCA}\) is a negligible function.
A.2 Trapdoor Security
For \(\mathcal {WBSE}\) trapdoor security, a trapdoor \(\textsf {Trapdoor}(sk,m,t)\) does not reveal any information about m under the witness relation R(w, t), where the adversary has access to the trapdoor oracle for any keyword-instance pair (m, t), except that the oracle does not return a trapdoor containing the challenge instance \(t^{*}\).
Experiment \(\varvec{Exp_{\mathcal {WBSE}, \mathcal {A}}^{WB-IND-TD}(\lambda )}\). Let \(\lambda \) be the security parameter and \(\mathcal {A}\) be the adversary against the trapdoor security of witness-based searchable encryption, defined as witness-based indistinguishable trapdoor.
1. Setup: The challenger runs the \(\textsf {KeyGen}(1^{\lambda })\) algorithm to generate a public/private key pair (pk, sk). It then samples \(WtList=\{w_1,w_2,...,w_n\} \overset{\$}{\leftarrow } \mathcal {WT}\) and uses \(\textsf {InsGen}(w_i)\) to generate the instance list \(InsList=\{t_1,t_2,...,t_n\}\). In addition, it randomly chooses a witness \(w^{*}\) and computes its instance \(t^{*}\). Let \(InsList^{*}=InsList\cup \{t^{*}\}\). It gives \((pk,InsList^{*})\) to \(\mathcal {A}\).
2. Phase I: The adversary \(\mathcal {A}\) can adaptively query the trapdoor \(T_w\) for any keyword m and instance \(t\in InsList\) (hence \(t\ne t^{*}\)). The challenger returns the trapdoor \(T_w=(h_k,t_d)\).
3. Challenge: The adversary \(\mathcal {A}\) sends the challenger two keywords \((m_0,m_1)\). The challenger picks a random \(b\in \{0,1\}\), generates the challenge trapdoor \({T_{w}}^{*}=(h_k^{*},t_d^{*})\) by running the \(\textsf {Trapdoor}(sk,m_b,t^{*})\) algorithm, and returns \({T_w}^{*}\) to \(\mathcal {A}\).
4. Phase II: The adversary \(\mathcal {A}\) continues to query the trapdoor oracle in the same way as in Phase I.
5. Guess: In the end, the adversary \(\mathcal {A}\) outputs a guess \(b^{'}\). \(\mathcal {A}\) wins the game if \(b=b^{'}\), in which case the experiment outputs 1; otherwise it outputs 0. In other words, the adversary wins the game if it can correctly guess whether it was given the trapdoor for \(m_0\) or \(m_1\). We define \(\mathcal {A}\)’s advantage as
$$\begin{aligned} Adv_{\mathcal {WBSE},\mathcal {A}}^{WB-IND-TD}=\left| Pr\left[ Exp_{\mathcal {WBSE},\mathcal {A}}^{WB-IND-TD}(\lambda )=1 \right] -\frac{1}{2} \right| . \end{aligned}$$
Definition 4 (\(\mathcal {WBSE}\)-WB-IND-TD). We say that \(\mathcal {WBSE}=(\textsf {KeyGen},\textsf {WBSE}, \textsf {Trapdoor},\textsf {Test})\) is witness-based indistinguishable trapdoor if for all probabilistic polynomial-time adversaries \(\mathcal {A}\), \(Adv_{\mathcal {WBSE},\mathcal {A}}^{WB-IND-TD}\) is a negligible function.
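The WB-IND-TD experiment above as a runnable harness. This is an added example, not the paper's construction: the HMAC-based `td_unbound` and `td_bound` functions, the fixed keywords and the `replay_adversary` are hypothetical stand-ins, chosen to show that excluding \(t^{*}\) from the trapdoor oracle only protects the keyword if the trapdoor actually depends on the instance.

```python
import hashlib, hmac, os, random

def keygen():
    return os.urandom(32)                        # sk; stand-in for KeyGen(1^lambda)

def ins_gen(w):
    return hashlib.sha256(b"ins" + w).digest()   # stand-in for InsGen(w)

def td_unbound(sk, m, t):
    # Deliberately weak stand-in: the trapdoor ignores the instance t.
    return hmac.new(sk, m, hashlib.sha256).digest()

def td_bound(sk, m, t):
    # Stand-in whose trapdoor depends on both keyword m and instance t
    # (t is a fixed 32 bytes, so the concatenation is unambiguous).
    return hmac.new(sk, t + m, hashlib.sha256).digest()

def replay_adversary(oracle, ins_list, m0, m1, challenge_td):
    # Queries m0 on a permitted instance (t != t*) and compares the answer
    # with the challenge trapdoor; outputs the guess b'.
    return 0 if oracle(m0, ins_list[0]) == challenge_td else 1

def exp_wb_ind_td(trapdoor, adversary, rng, n=4):
    """One run of the experiment; returns 1 iff b' == b."""
    sk = keygen()
    ins_list = [ins_gen(os.urandom(16)) for _ in range(n)]   # InsList
    t_star = ins_gen(os.urandom(16))                         # challenge instance

    def oracle(m, t):
        if t not in ins_list:        # enforces t in InsList, hence t != t*
            raise ValueError("instance not in InsList")
        return trapdoor(sk, m, t)

    # Constructed keywords; in the definition the adversary chooses them.
    m0, m1 = b"invoice", b"payroll"
    b = rng.randrange(2)
    challenge = trapdoor(sk, (m0, m1)[b], t_star)
    return int(adversary(oracle, ins_list, m0, m1, challenge) == b)

def advantage(trapdoor, adversary, trials=400, seed=1):
    # Empirical |Pr[Exp = 1] - 1/2| over seeded coin flips for b.
    rng = random.Random(seed)
    wins = sum(exp_wb_ind_td(trapdoor, adversary, rng) for _ in range(trials))
    return abs(wins / trials - 0.5)

if __name__ == "__main__":
    print("instance-independent trapdoor:", advantage(td_unbound, replay_adversary))
    print("instance-bound trapdoor:      ", advantage(td_bound, replay_adversary))
```

The instance-independent stand-in loses the game on every run, while the same adversary gains nothing against the instance-bound one; this says nothing about other adversaries, which is what the definition quantifies over.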
A.3 Trapdoor Unforgeability
For \(\mathcal {WBSE}\) trapdoor unforgeability, given the public key pk generated by the receiver, the adversary is allowed to choose the keyword-instance pair \((m^{*},t^{*})\) for which it generates the trapdoor \({T_w}^{*}\), but the adversary cannot output a meaningful trapdoor other than for keyword-instance pairs it has previously queried. A “meaningful” trapdoor is defined as follows. A trapdoor generated on an existing instance of an available ciphertext (the witness of the instance is unknown) is meaningful, because it can be used to test the available ciphertext. By contrast, a trapdoor generated on an instance that the adversary produced itself (the witness of the instance is known) is meaningless: because of the witness relation, anyone can generate a ciphertext of a chosen keyword to run the trapdoor test.
Experiment \(\varvec{Exp_{\mathcal {WBSE},\mathcal {A}}^{EUFT-CIA}(\lambda )}\). Let \(\lambda \) be the security parameter and \(\mathcal {A}\) be the adversary against the trapdoor unforgeability of witness-based searchable encryption. This notion of meaningful-trapdoor security is called the existence of an unforgeable trapdoor against chosen instance attack (EUFT-CIA).
1. Setup: The challenger runs the \(\textsf {KeyGen}(1^{\lambda })\) algorithm to generate a public/private key pair (pk, sk). It then samples \(WtList=\{w_1,w_2,...,w_n\} \overset{\$}{\leftarrow } \mathcal {WT}\) and uses \(\textsf {InsGen}(w_i)\) to generate the instance list \(InsList=\{t_1,t_2,...,t_n\}\). It gives (pk, InsList) to \(\mathcal {A}\).
2. Phase: The adversary \(\mathcal {A}\) can adaptively query the trapdoor \(T_w\) for any keyword m and instance \(t\in InsList\). The challenger returns the trapdoor \(T_w=(h_k,t_d)\).
3. Challenge: The adversary \(\mathcal {A}\) outputs a forged challenge trapdoor \({T_w}^{*}\) for its chosen \((m^{*},t^{*})\): \(((m^{*},t^{*}),{T_w}^{*})\) = \(((m^{*},t^{*}),(h_k^{*},t_d^{*}))\), where \((h_k^{*},t_d^{*})\) has not appeared before.
4. Guess: The adversary \(\mathcal {A}\) wins the game if \(\textsf {Trapdoor}(sk,m^{*},t^{*}) = {T_w}^{*}\), in which case the experiment outputs 1; otherwise it outputs 0.
$$\begin{aligned} Adv_{\mathcal {WBSE},\mathcal {A}}^{TDUnforgeability}=\left| Pr\left[ Exp_{\mathcal {WBSE},\mathcal {A}}^{EUFT-CIA}(\lambda )=1 \right] \right| . \end{aligned}$$
Definition 5 (\(\mathcal {WBSE}\)-Trapdoor Unforgeability). We say that \(\mathcal {WBSE}= (\textsf {KeyGen},\textsf {WBSE}, \textsf {Trapdoor},\textsf {Test})\) is witness-based indistinguishable trapdoor if for all probabilistic polynomial-time adversaries \(\mathcal {A}\), \(Adv_{\mathcal {WBSE},\mathcal {A}}^{TDUnforgeability}\) is a negligible function.
© 2020 Springer Nature Switzerland AG
Cite this paper
Xie, X., Chen, YC., Wang, JR., Wu, Y. (2020). Witness-Based Searchable Encryption with Aggregative Trapdoor. In: Yang, CN., Peng, SL., Jain, L. (eds) Security with Intelligent Computing and Big-data Services. SICBS 2018. Advances in Intelligent Systems and Computing, vol 895. Springer, Cham. https://doi.org/10.1007/978-3-030-16946-6_45
DOI: https://doi.org/10.1007/978-3-030-16946-6_45
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-16945-9
Online ISBN: 978-3-030-16946-6
eBook Packages: Intelligent Technologies and Robotics (R0)