Witness-Based Searchable Encryption with Aggregative Trapdoor

Abstract

The well-known open problem in public key encryption with keyword search is how to avoid internal adversaries as the server. Implicitly, the internal attack is implemented as follows. Upon receiving a trapdoor, the probability polynomial time internal adversary can always act as a sender to produce each ciphertext for each keyword if keyword space is bounded by a polynomial of the security parameter. Then, the adversary runs the test algorithm for the trapdoor and all produced ciphertext, and then infer the correct keyword. To overcome this problem, the original framework must be changed slightly. A fundamental goal is creates a secure bridge between the sender and receiver. It not only keeps testability of the server, but also avoids imitating a sender. Witness-based searchable encryption (WBSE) is a manner to realize the design goal. In this paper, we formalize an abstracted notion, witness-based searchable encryption with aggregative trapdoor. Under the notion, we present a nearly optimal solution for WBSE under the barrier with trapdoor size proportional to n (the number of senders). Comparing with the existing scheme with trapdoor size O(n), the proposed scheme is based on bilinear map, and offers size only in n.

This work supported in part by the Innovation Center for Big-Data and Digital Convergence, Yuan Ze University, and Ministry of Science and Technology of Taiwan, under grant MOST 106-2218-E-115-008-MY3.

A Security Definition of WBSE

1.1 A.1 Ciphertext Security

About \(\mathcal {WBSE}\) ciphertext security, a ciphertext \(\textsf {WBSE}(pk,m;w)\) does not reveal any information about m unless the trapdoor \(T_w\) for (m, t) is available under the witness relation R(w, t), where adversary can access to the trapdoor oracle for any keyword-instance pair (m, t).

Experiment \(\varvec{Exp}_{\mathcal{WBSE},\mathcal{A}}^\mathbf{WB-IND-CCA }{} \mathbf ( \varvec{\lambda }{} \mathbf ) \). Let \(\lambda \) be the security parameter and \(\mathcal {A}\) be the adversary against the ciphertext security of witness-based searchable encryption, defined as witness-based indistinguishable encryption under chosen ciphertext attack.

1. 1.

   Steup: The challenger runs the \(\textsf {KeyGen}(1^{\lambda })\) algorithm to generate a public/private key pair (pk, sk). Secondly, it generates \(WtList=\{w_1,w_2,...,w_n\} \overset{\$}{\leftarrow } \mathcal {WT}\), then use \(\textsf {InsGen}(w_i)\) to generate instance list \(InsList=\{t_1,t_2,...,t_n\}\). It gives (pk, InsList) to \(\mathcal {A}\).

2. 2.

   Phase I: The adversary \(\mathcal {A}\) can adaptively ask the trapdoor \(T_w\) for any keyword m and instance \(t\in InsList\). It returns the trapdoor \(T_w=(h_k,t_d)\).

3. 3.

   Challege: The adversary \(\mathcal {A}\) sends the challenger two keywords \((m_0,m_1)\) and a instance \(t^{*}\in InsList\). The only restriction is that the adversary can not ask the previously trapdoors \(T_{w_0}\) of keyword-instance pair \((m_0,t^{*})\) or \(T_{w_1}\) of keyword-instance pair \((m_1,t^{*})\). The challenger picks a random \(b\in \{0,1\}\) and choose the witness \(w^{*}\in WtList\) according to \(t^{*}\) under the relation of \(R(w^{*},t^{*})=1\). Finally, the challenger runs \(\textsf {WBSE}(pk,m_b;w^{*})\) to generate ciphertext \(c^{*}\) and return \(c^{*}\) to \(\mathcal {A}\).

4. 4.

   Phase II: The adversary \(\mathcal {A}\) can continue to ask for trapdoor \(T_w\) for its chosen keyword m and instance t as long as (m, t) not equal to \((m_0,t^{*})\) or \((m_1,t^{*})\).

5. 5.

   Guess: In the end, the adversary \(\mathcal {A}\) must guess \(b^{'}\), \(\mathcal {A}\) win the game if \(b=b^{'}\), indicating that the experiment outputs is 1, 0 otherwise. In other words, the adversary wins the game if he can correctly guess whether he was given the WBSE for the \(m_0\) or \(m_1\). We define \(\mathcal {A}\)’s advantage as

   $$\begin{aligned} Adv_{\mathcal{WBSE},\mathcal{A}}^{WB-IND-CCA}=\left| Pr\left[ Exp_{\mathcal{WBSE},\mathcal{A}}^{WB-IND-CCA}(\lambda )=1 \right] -\frac{1}{2} \right| . \end{aligned}$$

Definition 3

(\(\mathcal{WBSE}\)-WB-IND-CCA). We say that \(\mathcal{WBSE} = (\textsf {KeyGen}, \textsf {WBSE}, \textsf {Trapdoor}, \textsf {Test})\) is witness-based indistinguishable under chosen ciphertext attack if for all probabilistic polynomial time adversary \(\mathcal{A}\), \(Adv_{\mathcal{WBSE},\mathcal{A}}^{WB-IND-CCA}\) is a negligible function.

1.2 A.2 Trapdooor Security

Regarding \(\mathcal {WBSE}\) trapdoor security, a trapdoor \(\textsf {Trapdoor}(sk,m,t)\) does not reveal any information about m under the witness relation R(w, t), where adversary can access to the trapdoor oracle for any keyword-instance pair (m, t) without returning the trapdoor containing the challenge instance \(t^{*}\).

Experiment \(\varvec{Exp_{\mathcal {WBSE}, \mathcal {A}}^{WB-IND-TD}(\lambda )}\). Let \(\lambda \) be the security parameter and \(\mathcal {A}\) be the adversary against the trapdoor security of witness-based searchable encryption, defined as witness-based indistinguishable trapdoor.

1. 1.

   Steup: The challenger runs the \(\textsf {KeyGen}(1^{\lambda })\) algorithm to generate a public/private key pair (pk, sk). Secondly, it generates \(WtList=\{w_1,w_2,...,w_n\} \overset{\$}{\leftarrow } \mathcal {WT}\), then use \(\textsf {InsGen}(w_i)\) to generate instance list \(InsList=\{t_1,t_2,...,t_n\}\). Besides, We choose randomly a witness \(w^{*}\) and compute its instance \(t^{*}\). Assume that \(InsList^{*}=InsList\bigcup t^{*}\). It gives \((pk,InsList^{*})\) to \(\mathcal {A}\).

2. 2.

   Phase I: The adversary \(\mathcal {A}\) can adaptively ask the trapdoor \(T_w\) for any keyword m and instance \(t\in InsList\) (hence \(t\ne t^{*}\)). It returns the trapdoor \(T_w=(h_k,t_d)\).

3. 3.

   Challege: The adversary \(\mathcal {A}\) sends the challenger two keywords \((m_0,m_1)\). The challenger picks a random \(b\in \{0,1\}\), generates the challenge trapdoor \({T_{w}}^{*}=(h_k^{*},t_d^{*})\) by running the \(\textsf {Trapdoor}(sk,m_b,t^{*})\) algorithm and return \({T_w}^{*}\) to \(\mathcal {A}\).

4. 4.

   Phase II: The adversary \(\mathcal {A}\) continue to ask for the trapdoor oracle the same as Phase I.

5. 5.

   Guess: In the end, the adversary \(\mathcal {A}\) must guess \(b^{'}\), \(\mathcal {A}\) win the game if \(b=b^{'}\), indicating that the experiment outputs is 1, 0 otherwise. In other words, the adversary wins the game if he can correctly guess whether he was given the Trapdoor for the \(m_0\) or \(m_1\). We define \(\mathcal {A}\)’s advantage as

   $$\begin{aligned} Adv_{\mathcal {WBSE},\mathcal {A}}^{WB-IND-TD}=\left| Pr\left[ Exp_{\mathcal {WBSE},\mathcal {A}}^{WB-IND-TD}(\lambda )=1 \right] -\frac{1}{2} \right| . \end{aligned}$$

Definition 4

(\(\mathcal {WBSE}\)-WB-IND-TD). We say that \(\mathcal {WBSE}=(\textsf {KeyGen},\textsf {WBSE}, \textsf {Trapdoor},\textsf {Test})\) is witness-based indistinguishable trapdoor if for all probabilistic polynomial time adversary \(\mathcal {A}\), \(Adv_{\mathcal {WBSE},\mathcal {A}}^{WB-IND-TD}\) is a negligible function.

1.3 A.3 Trapdoor Unforgeability

Regarding \(\mathcal {WBSE}\) trapdoor unforgeability, given the public key pk generated by the receiver, the adversary is allowed to choose the keyword-instance pair \((m^{*},t^{*})\) to generate the trapdoor \({T_w}^{*}\), but the adversary cannot output a meaningful trapdoor except the keyword-instance pair he has previously asked. The “meaningful” trapdoor as follows: Given a trapdoor that generates an existing instance of the available ciphertext as input (the witness of the instance is unknown), we say that the trapdoor is meaningful for its testing of the available ciphertext. Otherwise, given a trapdoor which is generated on an instance produced by itself (the witness of the instance is known), we say that the trapdoor is meaningless, and because of the witness relation, any others can generate the ciphertext of its chosen keyword to do the trapdoor test.

Experiment \(\varvec{Exp_{\mathcal {WBSE},\mathcal {A}}^{EUFT-CIA}(\lambda )}\). Let \(\lambda \) be the security parameter and \(\mathcal {A}\) be the adversary against the trapdoor unforgeability of witness-based searchable encryption. The concept of a meaningful trapdoor security is called as the existence of an unforgeable trapdoor against chosen instance attack (EUFT-CIA).

1. 1.

   Steup: The challenger runs the \(\textsf {KeyGen}(1^{\lambda })\) algorithm to generate a public/private key pair (pk, sk). Secondly, it generates \(WtList=\{w_1,w_2,...,w_n\} \overset{\$}{\leftarrow } \mathcal {WT}\mathcal {WT}\), then use \(\textsf {InsGen}(w_i)\) to generate instance list \(InsList=\{t_1,t_2,...,t_n\}\). It gives (pk, InsList) to \(\mathcal {A}\).

2. 2.

   Phase: The adversary \(\mathcal {A}\) can adaptively ask the trapdoor \(T_w\) for any keyword m and instance \(t\in InsList\). It returns the trapdoor \(T_w=(h_k,t_d)\).

3. 3.

   Challege: The adversary \(\mathcal {A}\) outputs a challenge forged trapdoor \({T_w}^{*}\) for its chosen \((m^{*},t^{*})\): \(((m^{*},t^{*}),{T_w}^{*})\) = \(((m^{*},t^{*}),(h_k^{*},t_d^{*}))\) and \((h_k^{*},t_d^{*})\) does not appear before.

4. 4.

   Guess: The adversary \(\mathcal {A}\) wins the game if \(\textsf {Trapdoor}(sk,m^{*},t^{*}) = {T_w}^{*}\), indicating that the experiment outputs is 1, 0 otherwise.

   $$\begin{aligned} Adv_{\mathcal {WBSE},\mathcal {A}}^{TDUnforgeability}=\left| Pr\left[ Exp_{\mathcal {WBSE},\mathcal {A}}^{EUFT-CIA}(\lambda )=1 \right] \right| . \end{aligned}$$

Definition 5

(\(\mathcal {WBSE}-Trapdoor\) Unforgeability). We say that \(\mathcal {WBSE}= (\textsf {KeyGen},\textsf {WBSE}, \textsf {Trapdoor},\textsf {Test})\) is witness-based indistinguishable trapdoor if for all probabilistic polynomial time adversary \(\mathcal {A}\), \(Adv_{\mathcal {WBSE},\mathcal {A}}^{TDUnforgeability}\) is a negligible function.