Keyword Search Meets Membership Testing: Adaptive Security from SXDH

Conference paper in Progress in Cryptology – INDOCRYPT 2018 (INDOCRYPT 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11356)

Abstract

Searchable encryption (SE) allows users to securely store sensitive data in encrypted form on the cloud and at the same time perform keyword search over the encrypted documents. In this work, we focus on variants of SE schemes that, along with keyword search, also support membership testing. The problem can be formulated in two flavors depending on whether the search policy is encoded in the ciphertext or in the trapdoor. The ciphertext-policy variant is called Broadcast Encryption with Keyword Search (BEKS) and allows only privileged users to perform keyword search on an encrypted file. Available dedicated constructions could achieve selective security under a parameterized assumption. The key-policy variant, called Key-Aggregate Searchable Encryption (KASE), restricts the keyword search to a particular set of documents. Naive application of existing SE schemes in this scenario leads to inefficient protocols with either variable-length trapdoors or an exponential blowup of the storage requirement in terms of the document set size. This therefore calls for an efficient solution that allows such subset-based restricted search with constant trapdoor size.

In this work, we present adaptively secure solutions for both of the above problems. Our BEKS construction achieves constant-size ciphertext, whereas the KASE construction achieves constant-size trapdoor. Both constructions are instantiated in prime-order bilinear groups and are proven anonymous CPA-secure under the SXDH assumption by extending the Jutla-Roy technique. Our proposed solutions improve upon the only other adaptively secure schemes that can be obtained using the generic technique of Ambrona et al.

References

  1. Ambrona, M., Barthe, G., Schmidt, B.: Generic transformations of predicate encodings: constructions and applications. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 36–66. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_2

  2. Attrapadung, N., Furukawa, J., Imai, H.: Forward-secure and searchable broadcast encryption with short ciphertexts and private keys. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 161–177. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_11

  3. Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_30

  4. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_16

  5. Chang, Y.C., Mitzenmacher, M.: Privacy preserving keyword searches on remote encrypted data. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 442–455. Springer, Heidelberg (2005). https://doi.org/10.1007/11496137_30

  6. Chen, J., Gay, R., Wee, H.: Improved dual system ABE in prime-order groups via predicate encodings. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 595–624. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_20

  7. Chen, J., Gong, J.: ABE with tag made easy. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 35–65. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_2

  8. Chu, C.K., Chow, S.S.M., Tzeng, W.G., Zhou, J., Deng, R.H.: Key-aggregate cryptosystem for scalable data sharing in cloud storage. IEEE Trans. Parallel Distrib. Syst. 25(2), 468–477 (2014)

  9. Cui, B., Liu, Z., Wang, L.: Key-aggregate searchable encryption (KASE) for group data sharing via cloud storage. IEEE Trans. Comput. 65(8), 2374–2385 (2016)

  10. Curtmola, R., Garay, J.A., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved definitions and efficient constructions. J. Comput. Secur. 19(5), 895–934 (2011)

  11. Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_34

  12. Gentry, C., Waters, B.: Adaptive security in broadcast encryption systems (with short ciphertexts). In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 171–188. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_10

  13. Goh, E.: Secure indexes. IACR Cryptology ePrint Archive 2003, 216 (2003). http://eprint.iacr.org/2003/216

  14. Jutla, C.S., Roy, A.: Shorter quasi-adaptive NIZK proofs for linear subspaces. J. Cryptol. 30(4), 1116–1156 (2017)

  15. Kiayias, A., Oksuz, O., Russell, A., Tang, Q., Wang, B.: Efficient encrypted keyword search for multi-user data sharing. In: Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C. (eds.) ESORICS 2016. LNCS, vol. 9878, pp. 173–195. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-45744-4_9

  16. Kiltz, E., Wee, H.: Quasi-adaptive NIZK for linear subspaces revisited. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 101–128. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_4

  17. Patranabis, S., Mukhopadhyay, D.: Spot the black hat in a dark room: parallelized controlled access searchable encryption on FPGAs. Cryptology ePrint Archive, Report 2017/668 (2017)

  18. Ramanna, S.C.: More efficient constructions for inner-product encryption. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 231–248. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_13

  19. Ramanna, S.C., Sarkar, P.: Efficient (Anonymous) compact HIBE from standard assumptions. In: Chow, S.S.M., Liu, J.K., Hui, L.C.K., Yiu, S.M. (eds.) ProvSec 2014. LNCS, vol. 8782, pp. 243–258. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-12475-9_17

  20. Ramanna, S.C., Sarkar, P.: Efficient adaptively secure IBBE from the SXDH assumption. IEEE IT 62(10), 5709–5726 (2016)

  21. Song, D.X., Wagner, D., Perrig, A.: Practical techniques for searches on encrypted data. In: Symposium on Security and Privacy, pp. 44–55. IEEE (2000)

  22. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_36

Acknowledgement

We thank the anonymous reviewers of INDOCRYPT 2018 for their valuable suggestions.

Correspondence to Sayantan Mukherjee.

A Insecurity of KASE Construction of [17]

Recently, [17] presented a construction of KASE that they named controlled-access searchable encryption (CASE). The primary emphasis of [17] is an FPGA implementation of their construction; they also argued the security of their scheme.

We, however, demonstrate a simple mix-and-match attack on the construction in their own security model. That model, described in [17, Definition A.3], is a weaker version of IND-CKA1 [10]. We first present the security model and then the attack on the construction of [17]. The description of their construction can be found in [17, Sect. 3.3]; to understand our attack, it is enough to look at the \(\mathsf {GenTrpdr}\) function of that description. Essentially, our attack exploits the deterministic nature of the \(\mathsf {GenTrpdr}\) of [17].

A.1 Security Model

We describe the security game between the challenger \(\mathcal {C}\) and the adversary \(\mathcal {A}\) below. Let \(\mathbf {D}\) be a dataset on which searches are performed with key-indices \(\{(S_j,\mathsf {\omega }_j)\}_j\). The trace \((\tau )\) of a search history \((\mathbf {D}, \{(S_j,\mathsf {\omega }_j)\}_j)\) is defined to be the list of access patterns. Informally, the access pattern of \((\mathbf {D}, (\mathsf {\Omega }, \mathsf {\omega }))\) is the result \(\delta (\mathbf {D}, (\mathsf {\Omega }, \mathsf {\omega }))\), where \(\delta \) is the function that takes the dataset \(\mathbf {D}\) and the key-index \(\mathsf {x}=(\mathsf {\Omega }, \mathsf {\omega })\) and outputs the document identifiers that satisfy it.

Informally, the adversary \(\mathcal {A}\) chooses two datasets \((\mathbf {D}_0, \mathbf {D}_1)\). It is allowed to make queries that do not trivially distinguish the secure indexes \(\mathbf {I}_0\) and \(\mathbf {I}_1\), where \(\mathbf {I}_i\leftarrow \mathsf {BuildIndex}(\mathsf {pk}, \mathbf {D}_i)\) for \(i\in \left\{ 0,1 \right\} \). At the end, the adversary has to tell whether \(\mathbf {I}_0\) or \(\mathbf {I}_1\) was given as the challenge secure index. We now formally define the model, where non-triviality is ensured by the restriction on the trace \(\tau \).

  • \(\mathbf {Setup}\mathbf{.}\) \(\mathcal {C}\) generates \(\mathsf {msk}, pk\) and gives pk to \(\mathcal {A}\).

  • \(\mathbf {Trapdoor\ Queries}\mathbf{.}\) Given \(j^{th}\) trapdoor query \(\mathsf {x}_{j}=(S_j,\mathsf {\omega }_j)\), \(\mathcal {C}\) outputs \(\varGamma \leftarrow \mathsf {GenTrpdr}(\mathsf {msk}, \mathsf {x}_{j})\).

  • \(\mathbf {Challenge}\mathbf{.}\) On receiving two file collections \(\mathbf {D}_0\) and \(\mathbf {D}_1\) as challenge with the restriction \(\tau (\mathbf {D}_0, \{(S_j,\mathsf {\omega }_j)\}_j) = \tau (\mathbf {D}_1, \{(S_j,\mathsf {\omega }_j)\}_j)\), \(\mathcal {C}\) picks \(b\hookleftarrow \left\{ 0,1 \right\} \) and outputs \(\mathbf {I}_b\leftarrow \mathsf {BuildIndex}(pk, \mathbf {D}_b)\).

  • \(\mathbf {Key\ Queries}\mathbf{.}\) \(\mathcal {A}\) continues querying with \(\mathsf {x}_{}=(\mathsf {\Omega },\mathsf {\omega })\) with the restriction \(\tau (\mathbf {D}_0, \{(\mathsf {\Omega },\mathsf {\omega })\}) = \tau (\mathbf {D}_1, \{(\mathsf {\Omega },\mathsf {\omega })\})\).

  • \(\mathbf {Guess}\mathbf{.}\) \(\mathcal {A}\) outputs a guess \(b'\) and wins if \(b=b'\).

Intuitively, for a secure searchable scheme, if \(\delta (\mathbf {D}_0, \mathsf {x}_{j})=\delta (\mathbf {D}_1, \mathsf {x}_{j})\) holds for every \(j^{th}\) query \(\mathsf {x}_{j}\), then \(\mathcal {A}\) is unable to guess b except with negligible probability.

A.2 Attack Details

We present a simple attack on the KASE construction of [17]. Informally, in this attack we make a few permitted queries to obtain the corresponding trapdoors. Then we mix and match those trapdoors to create a new trapdoor. The new trapdoor allows us to guess the challenge bit b with probability 1, so the adversary trivially distinguishes \(\mathbf {I}_0\) and \(\mathbf {I}_1\). Observe that \(\mathsf {GenTrpdr}\) [17, Sect. 3.3] is deterministic, so no trapdoor carries randomness of its own. We exploit this property to mount the mix-and-match attack on the said construction, which we present next. Note that the natural restriction allows the adversary to query for \(\mathsf {x}\) only if \(\tau (\mathbf {D}_0, \mathsf {x})=\tau (\mathbf {D}_1, \mathsf {x})\).

Now, for \(\mathsf {msk}=(\mathfrak {a}, \mathfrak {b})\), the trapdoor is \((H_1(\mathsf {\omega }), (\mathfrak {a}F_{\mathsf {\Omega }}(\alpha )+\mathfrak {b}H_1(\mathsf {\omega }))P_2)\leftarrow \mathsf {GenTrpdr}(\mathsf {msk}, (\mathsf {\Omega },\mathsf {\omega }))\), where \(P_2\) is a group generator, \(H_1\) is a CRHF and, for any set \(\mathsf {\Omega }\), the unique signature of \(\mathsf {\Omega }\) is the polynomial \(F_{\mathsf {\Omega }}(\mathsf {x})=\underset{i\in \mathsf {\Omega }}{\prod } (\mathsf {x}-i)\) (see [17, Sect. 3.3] for more details). We describe the attack below as a game between the challenger \(\mathcal {C}\) and the adversary \(\mathcal {A}\).

  • \(\mathbf {Setup}\mathbf{.}\) \(\mathcal {C}\) gives pk to \(\mathcal {A}\) and keeps \(\mathsf {msk}\). Let \(\mathsf {msk}=(\mathfrak {a}, \mathfrak {b})\). \(\mathcal {A}\) directly goes for challenge phase.

  • \(\mathbf {Challenge}\mathbf{.}\) \(\mathcal {A}\) defines the document collections \(\mathbf {D}_0=\{i_0\}\) and \(\mathbf {D}_1=\{i_0,i_1\}\), where file \(i_0\) contains keyword \(\mathsf {\omega }\) and file \(i_1\) contains keyword \(\mathsf {\omega }^*\). Let \(\mathsf {\Omega }^*=\{i_0, i_1, i_2\}\) and \(\mathsf {\Omega }=\{i_2\}\). \(\mathcal {A}\) sends \((\mathbf {D}_0, \mathbf {D}_1)\) to \(\mathcal {C}\), who picks \(b\hookleftarrow \{0,1\}\) and returns \(\mathbf {I}_b\leftarrow \mathsf{BuildIndex}(pk, \mathbf {D}_b)\).

  • \(\mathbf {Key\ Queries}\mathbf{.}\) \(\mathcal {A}\) makes the following three queries.

    1. On query \(\mathsf {x}_{1}=(\mathsf {\Omega },\mathsf {\omega })\): as \(i_0, i_1\notin \mathsf {\Omega }\), the result is \(\phi \) in both cases. Therefore \(\tau (\mathbf {D}_0, \mathsf {x}_{1}) = \tau (\mathbf {D}_1, \mathsf {x}_{1})\). \(\mathcal {C}\) runs \(\mathsf {GenTrpdr}(\mathsf {msk}, \mathsf {x}_{1})\) to compute \(\varGamma _1=(H_1(\mathsf {\omega }), (\mathfrak {a}F_{\mathsf {\Omega }}(\alpha )+\mathfrak {b}H_1(\mathsf {\omega }))P_2)\).

    2. On query \(\mathsf {x}_{2}=(\mathsf {\Omega },\mathsf {\omega }^*)\): as \(i_0, i_1\notin \mathsf {\Omega }\), the result is \(\phi \) in both cases. Therefore \(\tau (\mathbf {D}_0, \mathsf {x}_{2}) = \tau (\mathbf {D}_1, \mathsf {x}_{2})\). \(\mathcal {C}\) runs \(\mathsf {GenTrpdr}(\mathsf {msk}, \mathsf {x}_{2})\) to compute \(\varGamma _2=(H_1(\mathsf {\omega }^*), (\mathfrak {a}F_{\mathsf {\Omega }}(\alpha )+\mathfrak {b}H_1(\mathsf {\omega }^*))P_2)\).

    3. On query \(\mathsf {x}_{3}=(\mathsf {\Omega }^*,\mathsf {\omega })\): here \(i_0, i_1\in \mathsf {\Omega }^*\). As only \(i_0\) contains \(\mathsf {\omega }\), the result is \(\{i_0\}\) in both cases. Therefore \(\tau (\mathbf {D}_0, \mathsf {x}_{3}) = \tau (\mathbf {D}_1, \mathsf {x}_{3})\). \(\mathcal {C}\) runs \(\mathsf {GenTrpdr}(\mathsf {msk}, \mathsf {x}_{3})\) to compute \(\varGamma _3=(H_1(\mathsf {\omega }), (\mathfrak {a}F_{\mathsf {\Omega }^*}(\alpha )+\mathfrak {b}H_1(\mathsf {\omega }))P_2)\).

    Now \(\mathcal {A}\) computes \(Z=\varGamma _2[2]-\varGamma _1[2]=\mathfrak {b}(H_1(\mathsf {\omega }^*)-H_1(\mathsf {\omega }))P_2\).

    Then it computes

    $$\begin{aligned} \widehat{Z}&=Z+\varGamma _3[2] \\&=\mathfrak {b}(H_1(\mathsf {\omega }^*)-H_1(\mathsf {\omega }))P_2 + (\mathfrak {a}F_{\mathsf {\Omega }^*}(\alpha )+\mathfrak {b}H_1(\mathsf {\omega }))P_2\\&=(\mathfrak {a}F_{\mathsf {\Omega }^*}(\alpha )+\mathfrak {b}H_1(\mathsf {\omega }^*))P_2. \end{aligned}$$

    Then it defines \(\widehat{\varGamma }_3\), a valid trapdoor for \((\mathsf {\Omega }^*,\mathsf {\omega }^*)\), as

    $$\begin{aligned} \widehat{\varGamma }_3=(\varGamma _2[1], \widehat{Z})= (H_1(\mathsf {\omega }^*), (\mathfrak {a}F_{\mathsf {\Omega }^*}(\alpha )+\mathfrak {b}H_1(\mathsf {\omega }^*))P_2). \end{aligned}$$
    (4)
  • \(\mathbf {Guess}\mathbf{.}\) \(\mathcal {A}\) outputs \(b'=0\) if \(\mathsf{Search}(\mathbf {I}_b, \widehat{\varGamma }_3, \mathsf {\Omega }^*)=\phi \), else outputs \(b'=1\).

We have already shown that \(\mathcal {A}\) gets hold of a valid trapdoor \(\widehat{\varGamma }_3\) on \((\mathsf {\Omega }^*, \mathsf {\omega }^*)\) in Eq. (4). As

  • \(\delta (\mathbf {D}_0,(\mathsf {\Omega }^*, \mathsf {\omega }^*))=\phi \), as \(\mathbf {D}_0=\{i_0\}\) and \(i_0\) does not contain keyword \(\mathsf {\omega }^*\), and

  • \(\delta (\mathbf {D}_1,(\mathsf {\Omega }^*, \mathsf {\omega }^*))=\{i_1\}\), as \(\mathbf {D}_1=\{i_0,i_1\}\), \(i_1\in \mathsf {\Omega }^*\) and \(i_1\) contains keyword \(\mathsf {\omega }^*\),

Therefore \(\mathcal {A}\) wins the game with probability 1. This simple attack renders the KASE construction by [17] insecure.
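The game of A.2 replayed end to end, as an added example that is neither code from this paper nor from [17]: the group \(G_2\) is modelled by scalars mod a toy prime q, since every trapdoor component is a multiple of \(P_2\) and the attack only adds and subtracts group elements; \(H_1\), \(\mathsf{msk}\), \(\alpha\) and the document identifiers are constructed stand-ins.

```python
import hashlib

# Constructed toy parameters: a prime q stands in for the order of G_2, and the group
# element c*P_2 is represented by its scalar c mod q (the attack only adds and subtracts).
Q = 2**61 - 1

def h1(keyword: str) -> int:
    """Stand-in for the CRHF H_1: SHA-256 of the keyword reduced mod q."""
    return int.from_bytes(hashlib.sha256(keyword.encode()).digest(), "big") % Q

def f_omega(omega: frozenset, alpha: int) -> int:
    """Signature of a set: F_Omega(alpha) = prod_{i in Omega} (alpha - i) mod q."""
    acc = 1
    for i in omega:
        acc = acc * (alpha - i) % Q
    return acc

def gen_trpdr(msk, alpha, omega, keyword):
    """Deterministic GenTrpdr as summarised in the appendix:
    (H_1(w), (a*F_Omega(alpha) + b*H_1(w)) P_2). No per-query randomness."""
    a, b = msk
    return (h1(keyword), (a * f_omega(omega, alpha) + b * h1(keyword)) % Q)

def delta(dataset, omega, keyword):
    """Access pattern: identifiers in Omega whose file contains the keyword."""
    return {doc for doc, kws in dataset.items() if doc in omega and keyword in kws}

def mix_and_match(g1, g2, g3):
    """Adversary side: from trapdoors on (O,w), (O,w*), (O*,w) build one on (O*,w*).
    This only works because each trapdoor is a fixed linear function of F_O(alpha), H_1(w)."""
    z = (g2[1] - g1[1]) % Q          # b (H_1(w*) - H_1(w)) P_2
    z_hat = (z + g3[1]) % Q          # (a F_{O*}(alpha) + b H_1(w*)) P_2
    return (g2[0], z_hat)

def run_attack():
    """Replays the game of A.2; returns (queries permitted, forgery valid, forgery distinguishes)."""
    msk, alpha = (123456789, 987654321), 55555   # challenger secrets, never read by the adversary
    i0, i1, i2 = 1, 2, 3
    w, w_star = "invoice", "payroll"
    d0 = {i0: {w}}
    d1 = {i0: {w}, i1: {w_star}}
    omega, omega_star = frozenset({i2}), frozenset({i0, i1, i2})
    queries = [(omega, w), (omega, w_star), (omega_star, w)]
    # The trace restriction: every query must give the same access pattern on D_0 and D_1.
    permitted = all(delta(d0, o, k) == delta(d1, o, k) for o, k in queries)
    g1, g2, g3 = (gen_trpdr(msk, alpha, o, k) for o, k in queries)
    forged = mix_and_match(g1, g2, g3)
    genuine = gen_trpdr(msk, alpha, omega_star, w_star)
    # (O*, w*) could never be queried directly: its access patterns differ on D_0 and D_1.
    distinguishes = delta(d0, omega_star, w_star) != delta(d1, omega_star, w_star)
    return permitted, forged == genuine, distinguishes

if __name__ == "__main__":
    print(run_attack())  # (True, True, True)
```

The last flag is what turns the forged trapdoor into a distinguisher: Search on the challenge index returns \(\phi\) for \(\mathbf {D}_0\) and \(\{i_1\}\) for \(\mathbf {D}_1\).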

Copyright information

© 2018 Springer Nature Switzerland AG

Cite this paper

Chatterjee, S., Mukherjee, S. (2018). Keyword Search Meets Membership Testing: Adaptive Security from SXDH. In: Chakraborty, D., Iwata, T. (eds) Progress in Cryptology – INDOCRYPT 2018. INDOCRYPT 2018. Lecture Notes in Computer Science(), vol 11356. Springer, Cham. https://doi.org/10.1007/978-3-030-05378-9_2

  • DOI: https://doi.org/10.1007/978-3-030-05378-9_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-05377-2

  • Online ISBN: 978-3-030-05378-9
