Generating Searchable Public-Key Ciphertexts with Hidden Structures for Fast Keyword Search
Peng Xu, Member, IEEE; Qianhong Wu, Member, IEEE; Wei Wang, Member, IEEE; Willy Susilo, Senior Member, IEEE; Josep Domingo-Ferrer, Fellow, IEEE; Hai Jin, Senior Member, IEEE
Abstract—Existing semantically secure public-key searchable encryption schemes take search time linear with the total number of the ciphertexts. This makes retrieval from large-scale databases prohibitive. To alleviate this problem, this paper proposes Searchable Public-Key Ciphertexts with Hidden Structures (SPCHS) for keyword search as fast as possible without sacrificing semantic security of the encrypted keywords. In SPCHS, all keyword-searchable ciphertexts are structured by hidden relations, and with the search trapdoor corresponding to a keyword, the minimum information of the relations is disclosed to a search algorithm as the guidance to find all matching ciphertexts efficiently. We construct a simple SPCHS scheme from scratch in which the ciphertexts have a hidden star-like structure. We prove our scheme to be semantically secure based on the decisional bilinear Diffie-Hellman assumption in the Random Oracle (RO) model. The search complexity of our scheme is dependent on the actual number of the ciphertexts containing the queried keyword, rather than the number of all ciphertexts. Finally, we present a generic SPCHS construction from anonymous identity-based encryption and collision-free full-identity malleable Identity-Based Key Encapsulation Mechanism (IBKEM) with anonymity. We illustrate two collision-free full-identity malleable IBKEM instances, which are semantically secure and anonymous, respectively, in the RO and standard models. The latter instance enables us to construct an SPCHS scheme with semantic security in the standard model.
Index Terms—Public-key searchable encryption, semantic security, identity-based key encapsulation mechanism, identity-based encryption
Author affiliations: P. Xu and H. Jin are with Services Computing Technology and System Lab, Cluster and Grid Computing Lab, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China. E-mail: {xupeng, hjin}@mail.hust.edu.cn. Q. Wu is with the School of Electronics and Information Engineering, Beihang University, Beijing, China, and with the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China. E-mail: [email protected]. W. Wang is with Cyber-Physical-Social Systems Lab, School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China. E-mail: [email protected]. W. Susilo is with Centre for Computer and Information Security Research, School of Computer Science and Software Engineering, University of Wollongong, Australia. E-mail: [email protected]. J. Domingo-Ferrer is with Universitat Rovira i Virgili, Department of Computer Engineering and Mathematics, UNESCO Chair in Data Privacy, 43007 Tarragona, Catalonia. E-mail: [email protected].

I. INTRODUCTION

PUBLIC-KEY encryption with keyword search (PEKS), introduced by Boneh et al. in [1], has the advantage that anyone who knows the receiver's public key can upload keyword-searchable ciphertexts to a server. The receiver can delegate the keyword search to the server. More specifically, each sender separately encrypts a file and its extracted keywords and sends the resulting ciphertexts to a server; when the receiver wants to retrieve the files containing a specific keyword, he delegates a keyword search trapdoor to the server; the server finds the encrypted files containing the queried keyword without knowing the original files or the keyword itself, and returns the corresponding encrypted files to the receiver; finally, the receiver decrypts these encrypted files. The authors of PEKS [1] also presented semantic security against chosen keyword attacks (SS-CKA) in the sense that the server cannot distinguish the ciphertexts of the keywords of its choice before observing the corresponding keyword search trapdoors. It seems an appropriate security notion, especially if the keyword space has no high min-entropy.
Existing semantically secure PEKS schemes take search time linear with the total number of all ciphertexts. This makes retrieval from large-scale databases prohibitive. Therefore, more efficient searchable public-key encryption is crucial for practically deploying PEKS schemes.

One of the prominent works to accelerate the search over encrypted keywords in the public-key setting is deterministic encryption, introduced by Bellare et al. in [2]. An encryption scheme is deterministic if the encryption algorithm is deterministic. Bellare et al. [2] focus on enabling search over encrypted keywords to be as efficient as the search for unencrypted keywords, such that a ciphertext containing a given keyword can be retrieved in time complexity logarithmic in the total number of all ciphertexts. This is reasonable because the encrypted keywords can form a tree-like structure when stored according to their binary values. However, deterministic encryption has two inherent limitations. First, keyword privacy can be guaranteed only for keywords that are a priori hard to guess by the adversary (i.e., keywords with high min-entropy to the adversary); second, certain information of a message leaks inevitably via the ciphertext of the keywords, since the encryption is deterministic. Hence, deterministic encryption is only applicable in special scenarios.

A. Our Motivation and Basic Ideas
We are interested in providing highly efficient search performance without sacrificing semantic security in PEKS.

Footnote: Since the encryption of the original files can be separately processed with an independent public-key encryption scheme as in [1], we only describe the encryption of the keywords (unless otherwise clearly stated in the paper).

Figure 1: Hidden star-like structure formed by keyword-searchable ciphertexts. (The dashed arrows denote the hidden relations. $Enc(W_i)$ denotes the searchable ciphertext of keyword $W_i$.) [The figure itself, a public Head node linked to chains of $Enc(W_i)$ nodes, is not recoverable from the extraction.]

Observe that a keyword space is usually of no high min-entropy in many scenarios. Semantic security is crucial to guarantee keyword privacy in such applications. Thus the linear search complexity of existing schemes is the major obstacle to their adoption. Unfortunately, the linear complexity seems to be inevitable because the server has to scan and test each ciphertext, due to the fact that these ciphertexts (corresponding to the same keyword or not) are indistinguishable to the server.

A closer look shows that there is still space to improve search performance in PEKS without sacrificing semantic security if one can organize the ciphertexts with elegantly designed but hidden relations. Intuitively, if the keyword-searchable ciphertexts have a hidden star-like structure, as shown in Figure 1, then search over ciphertexts containing a specific keyword may be accelerated. Specifically, suppose all ciphertexts of the same keyword form a chain by the correlated hidden relations, and also a hidden relation exists from a public Head to the first ciphertext of each chain. With a keyword search trapdoor and the Head, the server seeks out the first matching ciphertext via the corresponding relation from the Head. Then another relation can be disclosed via the found ciphertext and guides the searcher to seek out the next matching ciphertext. By carrying on in this way, all matching ciphertexts can be found. Clearly, the search time depends on the actual number of the ciphertexts containing the queried keyword, rather than on the total number of all ciphertexts.

To guarantee appropriate security, the hidden star-like structure should preserve the semantic security of keywords, which indicates that partial relations are disclosed only when the corresponding keyword search trapdoor is known. Each sender should be able to generate the keyword-searchable ciphertexts with the hidden star-like structure by the receiver's public key; the server having a keyword search trapdoor should be able to disclose partial relations, which are related to all matching ciphertexts. Semantic security is preserved 1) if no keyword search trapdoor is known, all ciphertexts are indistinguishable, and no information is leaked about the structure, and 2) given a keyword search trapdoor, only the corresponding relations can be disclosed, and the matching ciphertexts leak no information about the rest of the ciphertexts, except the fact that the rest do not contain the queried keyword.
B. Our Work
We start by formally defining the concept of Searchable Public-key Ciphertexts with Hidden Structures (SPCHS) and its semantic security. In this new concept, keyword-searchable ciphertexts with their hidden structures can be generated in the public key setting; with a keyword search trapdoor, partial relations can be disclosed to guide the discovery of all matching ciphertexts. Semantic security is defined for both the keywords and the hidden structures. It is worth noting that this new concept and its semantic security are suitable for keyword-searchable ciphertexts with any kind of hidden structures. In contrast, the concept of traditional PEKS does not contain any hidden structure among the PEKS ciphertexts; correspondingly, its semantic security is only defined for the keywords.

Following the SPCHS definition, we construct a simple SPCHS from scratch in the random oracle (RO) model. The scheme generates keyword-searchable ciphertexts with a hidden star-like structure. The search performance mainly depends on the actual number of the ciphertexts containing the queried keyword. For security, the scheme is proven semantically secure based on the Decisional Bilinear Diffie-Hellman (DBDH) assumption [3] in the RO model.

We are also interested in providing a generic SPCHS construction to generate keyword-searchable ciphertexts with a hidden star-like structure. Our generic SPCHS is inspired by several interesting observations on Identity-Based Key Encapsulation Mechanism (IBKEM). In IBKEM, a sender encapsulates a key $K$ to an intended receiver $ID$. Of course, receiver $ID$ can decapsulate and obtain $K$, and the sender knows that receiver $ID$ will obtain $K$. However, a non-intended receiver $ID'$ may also try to decapsulate and obtain $K'$. We observe that (1) it is usually the case that $K$ and $K'$ are independent of each other from the view of the receivers, and (2) in some IBKEM the sender may also know $K'$ obtained by receiver $ID'$. We refer to the former property as collision freeness and to the latter as full-identity malleability. An IBKEM scheme is said to be collision-free full-identity malleable if it possesses both properties.

We build a generic SPCHS construction with Identity-Based Encryption (IBE) and collision-free full-identity malleable IBKEM. The resulting SPCHS can generate keyword-searchable ciphertexts with a hidden star-like structure. Moreover, if both the underlying IBKEM and IBE have semantic security and anonymity (i.e., the privacy of receivers' identities), the resulting SPCHS is semantically secure. As there are known IBE schemes [4], [5], [6], [7] in both the RO model and the standard model, an SPCHS construction is reduced to collision-free full-identity malleable IBKEM with anonymity. In 2013, Abdalla et al. proposed several IBKEM schemes to construct Verifiable Random Functions (VRF) [8]. We show that one of these IBKEM schemes is anonymous and collision-free full-identity malleable in the RO model. In [9], Freire et al. utilized the "approximation" of multilinear maps [10] to construct a standard-model version of the Boneh-and-Franklin (BF) IBE scheme [11]. We transform this IBE scheme into a collision-free full-identity malleable IBKEM scheme with semantic security and anonymity in the standard model. Hence, this new IBKEM scheme allows us to build SPCHS schemes secure in the standard model with the same search performance as the previous SPCHS construction from scratch in the RO model.

C. Other Applications of Collision-Free Full-Identity Malleable IBKEM
We note that collision-free full-identity malleable IBKEM is of independent interest. In addition to being a building block for the generic SPCHS construction, it may also find other applications, as outlined in the sequel.
Batch identity-based key distribution. A direct application of collision-free full-identity malleable IBKEM is to achieve batch identity-based key distribution. In such an application, a sender would like to distribute different secret session keys to multiple receivers so that each receiver can only know the session key to himself/herself. With collision-free full-identity malleable IBKEM, a sender just needs to broadcast an IBKEM encapsulation in the identity-based cryptography setting, e.g., encapsulating a session key $K$ to a single user $ID$. According to the collision-freeness of IBKEM, each receiver $ID'$ can decapsulate and obtain a different key $K'$ with his/her secret key in the identity-based cryptosystem. Due to the full-identity malleability, the sender knows the decapsulated keys of all the receivers. In this way, the sender efficiently shares different session keys with different receivers, at the cost of only a single encapsulation and one pass of communication.

Anonymous identity-based broadcast encryption. A slightly more complicated application is anonymous identity-based broadcast encryption with efficient decryption. An analogous application was proposed respectively by Barth et al. [12] and Libert et al. [13] in the traditional public-key setting. With collision-free full-identity malleable IBKEM, a sender generates an identity-based broadcast ciphertext $\langle C_1, C_2, (K_1 \| SE(K'_1, F_1)), \ldots, (K_N \| SE(K'_N, F_N)) \rangle$, where $C_1$ and $C_2$ are two IBKEM encapsulations, $K_i$ is the encapsulated key in $C_1$ for receiver $ID_i$, $K'_i$ is the encapsulated key in $C_2$ for receiver $ID_i$, and $SE(K'_i, F_i)$ is the symmetric-key encryption of file $F_i$ using the encapsulated key $K'_i$. In this ciphertext, the encapsulated key $K_i$ is not used to encrypt anything. Indeed, it is an index to secretly inform receiver $ID_i$ of which part of this ciphertext belongs to him. To decrypt the encrypted file $F_i$, receiver $ID_i$ decapsulates and obtains $K_i$ from $C_1$, finds out $K_i \| SE(K'_i, F_i)$ by matching $K_i$, and finally extracts $F_i$ with the decapsulated key $K'_i$ from $C_2$. It can be seen that the application will work if the IBKEM is collision-free full-identity malleable. It preserves the anonymity of receivers if the IBKEM is anonymous. Note that trivial anonymous broadcast encryption suffers decryption cost linear with the number of the receivers. In contrast, our anonymous identity-based broadcast encryption enjoys constant decryption cost, plus logarithmic complexity to search the matching index in a set $(K_1, \ldots, K_N)$ organized by a certain partial order, e.g., a dictionary order according to their binary representations.

Footnote: A VRF behaves like a pseudo-random function, but one can verify that the output was pseudo-random.

D. Related Work
Search on encrypted data has been extensively investigated in recent years. From a cryptographic perspective, the existing works fall into two categories, i.e., symmetric searchable encryption [14] and public-key searchable encryption.

Symmetric searchable encryption is occasionally referred to as symmetric-key encryption with keyword search (SEKS). This primitive was introduced by Song et al. in [15]. Their instantiated scheme takes search time linear with the size of the database. A number of efforts [16], [17], [18], [19], [20] follow this research line and refine Song et al.'s original work. The SEKS scheme due to Curtmola et al. [14] has been proven to be semantically secure against an adaptive adversary. It allows the search to be processed in logarithmic time, although the keyword search trapdoor has length linear with the size of the database. In addition to the above efforts devoted to either provable security or better search performance, attention has recently been paid to achieving versatile SEKS schemes as follows. The works in [14], [21] extend SEKS to a multi-sender scenario. The work in [22] realizes fuzzy keyword search in the SEKS setting. The work in [23] shows practical applications of SEKS and employs it to realize secure and searchable audit logs. Chase et al. [24] proposed to encrypt structured data and a secure method to search these data. To support the dynamic update of the encrypted data, Kamara et al. proposed the dynamic searchable symmetric encryption in [25] and further enhanced its security in [26] at the cost of a large index. The very recent work [27] due to Cash et al. simultaneously achieves strong security and high efficiency.

Following the seminal work on PEKS, Abdalla et al. [28] fill some gaps w.r.t. consistency for PEKS and deal with the transformations among primitives related to PEKS. Some efforts have also been devoted to making PEKS versatile. The work of this kind includes conjunctive search [29], [30], [31], [32], [33], [34], range search [35], [36], [37], subset search [37], time-scope search [28], [38], similarity search [39], authorized search [49], [50], equality test between heterogeneous ciphertexts [51], and fuzzy keyword search [52]. In addition, Arriaga et al. [53] proposed a PEKS scheme to keep the privacy of keyword search trapdoors.

In the above PEKS schemes, the search complexity takes time linear with the number of all ciphertexts. In [24], an oblivious generation of keyword search trapdoors is proposed to maintain the privacy of the keyword against a curious trapdoor generator. A chain-like structure is described to speed up the search on encrypted keywords. One may note that the chain in [40] cannot be fully hidden from the server and leaks the frequency of the keywords (see Supplemental Materials A for details). To realize an efficient keyword search, Bellare et al. [2] introduced deterministic public-key encryption (PKE) and formalized a security notion "as strong as possible" (stronger than one-wayness but weaker than semantic security). A deterministic searchable encryption scheme allows efficient keyword search as if the keywords were not encrypted. Bellare et al. [2] also presented a deterministic PKE scheme (i.e., RSA-DOAEP) and a generic transformation from a randomized PKE to a deterministic PKE in the random oracle model. Subsequently, deterministic PKE schemes secure in the standard model were independently proposed by Bellare et al. [41] and Boldyreva et al. [42]. The former uses general complexity assumptions and the construction is generic, while the latter exploits concrete complexity assumptions and has better efficiency. Brakerski et al. [43] proposed deterministic PKE schemes with better security, although these schemes are still not semantically secure. So far, deterministic PEKS schemes can guarantee semantic security only if the keyword space has a high min-entropy. Otherwise, an adversary can extract the encrypted keyword by a simple encrypt-and-test attack. Hence, deterministic PEKS schemes are applicable to applications where the keyword space is of a high min-entropy.
E. Organization of this article
The remaining sections are as follows. Section II defines SPCHS and its semantic security. A simple SPCHS scheme is constructed in Section III. A general construction of SPCHS is given in Section IV. Two collision-free full-identity malleable IBKEM schemes, respectively in the RO and standard models, are introduced in Section V. Section VI concludes this paper.

II. MODELING SPCHS

We first explain the intuitions behind SPCHS. We describe a hidden structure formed by ciphertexts as $(\mathbb{C}, Pri, Pub)$, where $\mathbb{C}$ denotes the set of all ciphertexts, $Pri$ denotes the hidden relations among $\mathbb{C}$, and $Pub$ denotes the public parts. In case there is more than one hidden structure formed by ciphertexts, the description of multiple hidden structures formed by ciphertexts can be $(\mathbb{C}, (Pri_1, Pub_1), \ldots, (Pri_N, Pub_N))$, where $N \in \mathbb{N}$. Moreover, given $(\mathbb{C}, Pub_1, \ldots, Pub_N)$ and $(Pri_1, \ldots, Pri_N)$ except $(Pri_i, Pri_j)$ (where $i \neq j$), one can neither learn anything about $(Pri_i, Pri_j)$ nor decide whether a ciphertext is associated with $Pub_i$ or $Pub_j$.

In SPCHS, the encryption algorithm has two functionalities. One is to encrypt a keyword, and the other is to generate a hidden relation, which can associate the generated ciphertext to the hidden structure. Let $(Pri, Pub)$ be the hidden structure. The encryption algorithm must take $Pri$ as input, otherwise the hidden relation cannot be generated since
$Pub$ does not contain anything about the hidden relations. At the end of the encryption procedure, $Pri$ should be updated since a hidden relation is newly generated (but the specific method to update $Pri$ relies on the specific instance of SPCHS). In addition, SPCHS needs an algorithm to initialize $(Pri, Pub)$ by taking the master public key as input, and this algorithm will be run before the first time to generate a ciphertext. With a keyword search trapdoor, the search algorithm of SPCHS can disclose partial relations to guide the discovery of the ciphertexts containing the queried keyword with the hidden structure.

Definition 1 (SPCHS). SPCHS consists of five algorithms:
• $SystemSetup(1^k, \mathbb{W})$: Take as input a security parameter $k$ and a keyword space $\mathbb{W}$, and probabilistically output a pair of master public-and-secret keys $(PK, SK)$, where $PK$ includes the keyword space $\mathbb{W}$ and the ciphertext space $\mathbb{C}$.
• $StructureInitialization(PK)$: Take as input $PK$, and probabilistically initialize a hidden structure by outputting its private and public parts $(Pri, Pub)$.
• $StructuredEncryption(PK, W, Pri)$: Take as inputs $PK$, a keyword $W \in \mathbb{W}$ and a hidden structure's private part $Pri$, and probabilistically output a keyword-searchable ciphertext $C$ of keyword $W$ with the hidden structure, and update $Pri$.
• $Trapdoor(SK, W)$: Take as inputs $SK$ and a keyword $W \in \mathbb{W}$, and output a keyword search trapdoor $T_W$ of $W$.
• $StructuredSearch(PK, Pub, \mathbb{C}, T_W)$: Take as inputs $PK$, a hidden structure's public part $Pub$, all keyword-searchable ciphertexts $\mathbb{C}$ and a keyword search trapdoor $T_W$ of keyword $W$, and disclose partial relations to guide finding out the ciphertexts containing keyword $W$ with the hidden structure.

An SPCHS scheme must be consistent in the sense that, given any keyword search trapdoor $T_W$ and any hidden structure's public part $Pub$, algorithm $StructuredSearch(PK, Pub, \mathbb{C}, T_W)$ finds out all ciphertexts of keyword $W$ with the hidden structure $Pub$.

In the application of SPCHS, a receiver runs algorithm $SystemSetup$ to set up SPCHS. Each sender uploads the public part of his hidden structure and keyword-searchable ciphertexts to a server, respectively by algorithms $StructureInitialization$ and $StructuredEncryption$. Algorithm $Trapdoor$ allows the receiver to delegate a keyword search trapdoor to the server. Then the server runs algorithm $StructuredSearch$ for all senders' structures to find out the ciphertexts of the queried keyword.

The above SPCHS definition requires each sender to maintain the private part of his hidden structure for algorithm $StructuredEncryption$. A similar requirement appears in symmetric-key encryption with keyword search (SEKS), in which each sender is required to maintain a secret key shared with the receiver. This implies interactions via authenticated confidential channels before a sender encrypts the keywords to the receiver in SEKS. In contrast, each sender in SPCHS just generates and maintains his/her private values locally, i.e., without requirement of extra secure interactions before encrypting keywords.

In the general case of SPCHS, each sender keeps his/her private values $Pri$. We could let each sender be stateless by storing his/her $Pri$ in encrypted form at a server and having each sender download and re-encrypt his/her $Pri$ for each update of $Pri$. A similar method has also been suggested by [27].

The semantic security of SPCHS is to resist adaptively chosen keyword and structure attacks (SS-CKSA). In this security notion, a probabilistic polynomial-time (PPT) adversary is allowed to know all structures' public parts, query the trapdoors for adaptively chosen keywords, query the private parts of adaptively chosen structures, and query the ciphertexts of adaptively chosen keywords and structures (including the keywords and structures which the adversary would like to be challenged on). The adversary will choose two challenge keyword-structure pairs. The SS-CKSA security means that for a ciphertext of one of the two challenge keyword-structure pairs, the adversary cannot determine which challenge keyword or which challenge structure the challenge ciphertext corresponds to, provided that the adversary does not know the two challenge keywords' search trapdoors and the two challenge structures' private parts.
Definition 2 (SS-CKSA Security). Suppose there are at most $N \in \mathbb{N}$ hidden structures. An SPCHS scheme is SS-CKSA secure if any PPT adversary $\mathcal{A}$ has only a negligible advantage $Adv^{SS\text{-}CKSA}_{SPCHS,\mathcal{A}}$ to win in the following SS-CKSA game:
• Setup Phase: A challenger sets up the SPCHS scheme by running algorithm $SystemSetup$ to generate a pair of master public-and-secret keys $(PK, SK)$, and initializes $N$ hidden structures by running algorithm $StructureInitialization$ $N$ times (let $PSet$ be the set of all public parts of these $N$ hidden structures); finally the challenger sends $PK$ and $PSet$ to $\mathcal{A}$.
• Query Phase 1: $\mathcal{A}$ adaptively issues the following queries multiple times.
 – Trapdoor Query $Q_{Trap}(W)$: Taking as input a keyword $W \in \mathbb{W}$, the challenger outputs the keyword search trapdoor of keyword $W$;
 – Privacy Query $Q_{Pri}(Pub)$: Taking as input a hidden structure's public part $Pub \in PSet$, the challenger outputs the corresponding private part of this structure;
 – Encryption Query $Q_{Enc}(W, Pub)$: Taking as inputs a keyword $W \in \mathbb{W}$ and a hidden structure's public part $Pub$, the challenger outputs an SPCHS ciphertext of keyword $W$ with the hidden structure $Pub$.
• Challenge Phase: $\mathcal{A}$ sends two challenge keyword-and-structure pairs $(W_0^*, Pub_0^*) \in \mathbb{W} \times PSet$ and $(W_1^*, Pub_1^*) \in \mathbb{W} \times PSet$ to the challenger; the challenger randomly chooses $d \in \{0, 1\}$, and sends a challenge ciphertext $C_d^*$ of keyword $W_d^*$ with the hidden structure $Pub_d^*$ to $\mathcal{A}$.
• Query Phase 2: This phase is the same as Query Phase 1. Note that in Query Phase 1 and Query Phase 2, $\mathcal{A}$ cannot query the corresponding private parts of both $Pub_0^*$ and $Pub_1^*$, nor the keyword search trapdoors of both $W_0^*$ and $W_1^*$.
• Guess Phase: $\mathcal{A}$ sends a guess $d'$ to the challenger.

We say that $\mathcal{A}$ wins if $d = d'$, and let $Adv^{SS\text{-}CKSA}_{SPCHS,\mathcal{A}} = \Pr[d = d'] - \frac{1}{2}$ be the advantage of $\mathcal{A}$ to win in the above game.

A weaker security definition of SPCHS is the selective-keyword security. We refer to this weaker security notion as SS-sK-CKSA security, and to the corresponding attack game as the SS-sK-CKSA game. In this attack game, the adversary $\mathcal{A}$ chooses two challenge keywords before the SPCHS scheme is set up, but the adversary still adaptively chooses two challenge hidden structures at the Challenge Phase. Let $Adv^{SS\text{-}sK\text{-}CKSA}_{SPCHS,\mathcal{A}}$ denote the advantage of adversary $\mathcal{A}$ to win in this game.

III. A SIMPLE SPCHS SCHEME FROM SCRATCH
Let $\gamma \xleftarrow{\$} \Re$ denote an element $\gamma$ randomly sampled from $\Re$. Let $\mathbb{G}_1$ and $\mathbb{G}_2$ denote two multiplicative groups of prime order $q$. Let $g$ be a generator of $\mathbb{G}_1$. A bilinear map $\hat{e}: \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ [44], [45] is an efficiently computable and non-degenerate function, with the bilinearity property $\hat{e}(g^a, g^b) = \hat{e}(g, g)^{ab}$, where $(a, b) \xleftarrow{\$} \mathbb{Z}_q^*$ and $\hat{e}(g, g)$ is a generator of $\mathbb{G}_2$. Let $BGen(1^k)$ be an efficient bilinear map generator that takes as input a security parameter $k$ and probabilistically outputs $(q, \mathbb{G}_1, \mathbb{G}_2, g, \hat{e})$. Let the keyword space be $\mathbb{W} = \{0, 1\}^*$.

A simple SPCHS scheme secure in the random oracle model is constructed as follows.
• $SystemSetup(1^k, \mathbb{W})$: Take as input $k$ and the keyword space $\mathbb{W}$, compute $(q, \mathbb{G}_1, \mathbb{G}_2, g, \hat{e}) = BGen(1^k)$, pick $s \xleftarrow{\$} \mathbb{Z}_q^*$, set $P = g^s$, choose a cryptographic hash function $H: \mathbb{W} \to \mathbb{G}_1$, set the ciphertext space $\mathbb{C} \subseteq \mathbb{G}_2 \times \mathbb{G}_1 \times \mathbb{G}_2$, and finally output the master public key $PK = (q, \mathbb{G}_1, \mathbb{G}_2, g, \hat{e}, P, H, \mathbb{W}, \mathbb{C})$ and the master secret key $SK = s$.
• $StructureInitialization(PK)$: Take as input $PK$, pick $u \xleftarrow{\$} \mathbb{Z}_q^*$, and initialize a hidden structure by outputting a pair of private-and-public parts $(Pri = (u), Pub = g^u)$. Note that $Pri$ here is a variable list formed as $(u, \{(W, Pt[u, W]) \mid W \in \mathbb{W}\})$, which is initialized as $(u)$.
• $StructuredEncryption(PK, W, Pri)$: Take as inputs $PK$, a keyword $W \in \mathbb{W}$ and a hidden structure's private part $Pri$, pick $r \xleftarrow{\$} \mathbb{Z}_q^*$ and do the following steps:
 1) Search $(W, Pt[u, W])$ for $W$ in $Pri$;
 2) If it is not found, insert $(W, Pt[u, W] \xleftarrow{\$} \mathbb{G}_2)$ into $Pri$, and output the keyword-searchable ciphertext $C = (\hat{e}(P, H(W))^u,\ g^r,\ \hat{e}(P, H(W))^r \cdot Pt[u, W])$;
 3) Otherwise, pick $R \xleftarrow{\$} \mathbb{G}_2$, set $C = (Pt[u, W],\ g^r,\ \hat{e}(P, H(W))^r \cdot R)$, update $Pt[u, W] = R$, and output the keyword-searchable ciphertext $C$.
• $Trapdoor(SK, W)$: Take as inputs $SK$ and a keyword $W \in \mathbb{W}$, and output a keyword search trapdoor $T_W = H(W)^s$ of keyword $W$.
• $StructuredSearch(PK, Pub, \mathbb{C}, T_W)$: Take as inputs $PK$, a hidden structure's public part $Pub$, all keyword-searchable ciphertexts $\mathbb{C}$ (let $C[i]$ denote one ciphertext of $\mathbb{C}$; this ciphertext can be parsed as $(C[i,1], C[i,2], C[i,3]) \in \mathbb{G}_2 \times \mathbb{G}_1 \times \mathbb{G}_2$) and a keyword trapdoor $T_W$ of keyword $W$, set $\mathbb{C}' = \emptyset$, and do the following steps:
 1) Compute $Pt' = \hat{e}(Pub, T_W)$;
 2) Seek a ciphertext $C[i]$ having $C[i,1] = Pt'$; if it exists, add $C[i]$ into $\mathbb{C}'$;
 3) If no matching ciphertext is found, output $\mathbb{C}'$;
 4) Compute $Pt' = \hat{e}(C[i,2], T_W)^{-1} \cdot C[i,3]$, and go to Step 2.

Figure 2 shows a hidden star-like structure, which is generated by the SPCHS instance. When running algorithm $StructuredSearch(PK, Pub, \mathbb{C}, T_{W_i})$, it discloses the value $\hat{e}(P, H(W_i))^u$ by computing $\hat{e}(Pub, T_{W_i})$, and matches $\hat{e}(P, H(W_i))^u$ with all ciphertexts to find out the ciphertext $(\hat{e}(P, H(W_i))^u,\ g^r,\ \hat{e}(P, H(W_i))^r \cdot Pt[u, W_i])$. Then the algorithm discloses $Pt[u, W_i]$ by computing $\hat{e}(g^r, T_{W_i})^{-1} \cdot \hat{e}(P, H(W_i))^r \cdot Pt[u, W_i]$, and matches $Pt[u, W_i]$ with all ciphertexts to find out the ciphertext $(Pt[u, W_i],\ g^r,\ \hat{e}(P, H(W_i))^r \cdot R)$. By carrying on in this way, the algorithm will find out all ciphertexts of keyword $W_i$ with the hidden star-like structure, and stop the search if no matching ciphertext is found.

Consistency.
Roughly speaking, algorithm $StructuredSearch$ repetitively discloses the value of $Pt'$ and matches the value with all ciphertexts' first parts to find out the matching ciphertexts. Since all disclosed values of $Pt'$ are both collision-free (due to the hash function $H$) and random (according to algorithm $StructuredEncryption$), no more than one ciphertext matches in each matching process. The found ciphertexts should contain the queried keyword, since, given a keyword search trapdoor, algorithm $StructuredSearch$ can only disclose the values of $Pt'$ which correspond to the queried keyword. Formally, we have Theorem 1 on consistency, whose proof can be found in Supplemental Materials B.
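The scheme above and the chain-following that its consistency argument relies on, as an added Python model (not code from the paper): every element of $\mathbb{G}_1$ and $\mathbb{G}_2$ is stored as its exponent modulo a constructed prime $Q$, so $\hat{e}$ becomes exponent multiplication and the model has no security at all (anyone can read $u$ off $Pub$), but the pointer chain $Pt[u,W]$ and the indexed lookups of $StructuredSearch$ behave exactly as specified. All function names, the sample keywords and the choice of $Q$ are assumptions of this example.

```python
"""Toy model of the SPCHS instance from Section III (added example, not the
paper's code).  Every element of G1 and G2 is stored as its exponent modulo
Q, so the "pairing" just multiplies exponents.  Exponents are readable by
anyone, so this gives NO security; it only exercises the hidden star-like
structure and the chain-following search.
"""
import hashlib
import secrets

Q = 2**127 - 1  # constructed choice: a Mersenne prime as the toy group order

# --- toy bilinear group: g^x in G1 and e(g,g)^x in G2 are both stored as x ---
def g1_pow(x, k):   # (g^x)^k in G1
    return (x * k) % Q

def g2_pow(x, k):   # (e(g,g)^x)^k in G2
    return (x * k) % Q

def g2_mul(x, y):   # product in G2: exponents add
    return (x + y) % Q

def g2_inv(x):      # inverse in G2
    return (-x) % Q

def pair(x, y):     # e(g^x, g^y) = e(g,g)^(xy), bilinear by construction
    return (x * y) % Q

def hash_to_g1(keyword):   # H: W -> G1, modelled as SHA-256 reduced mod Q
    return int.from_bytes(hashlib.sha256(keyword.encode()).digest(), "big") % Q

def rand_exp():     # uniform element of Z_Q^*; also samples G1/G2 by exponent
    return secrets.randbelow(Q - 1) + 1

# --- the five SPCHS algorithms -----------------------------------------------
def system_setup():
    """SystemSetup: PK holds P = g^s, SK = s.  The generator g is exponent 1."""
    s = rand_exp()
    return {"P": g1_pow(1, s)}, s

def structure_initialization(pk):
    """StructureInitialization: Pri = (u, {W: Pt[u,W]}), Pub = g^u."""
    u = rand_exp()
    return {"u": u, "Pt": {}}, g1_pow(1, u)

def structured_encryption(pk, keyword, pri):
    """StructuredEncryption: output (head, g^r, e(P,H(W))^r * next pointer)."""
    r = rand_exp()
    e_p_hw = pair(pk["P"], hash_to_g1(keyword))  # e(P, H(W))
    if keyword not in pri["Pt"]:
        # First ciphertext of W in this structure: head = e(P,H(W))^u, and a
        # fresh random Pt[u,W] is hidden in the third component.
        head = g2_pow(e_p_hw, pri["u"])
        pri["Pt"][keyword] = rand_exp()
        next_pointer = pri["Pt"][keyword]
    else:
        # Later ciphertext: head is the stored pointer Pt[u,W]; a new random R
        # is hidden in the third component and becomes the next Pt[u,W].
        head = pri["Pt"][keyword]
        next_pointer = rand_exp()
        pri["Pt"][keyword] = next_pointer
    return (head, g1_pow(1, r), g2_mul(g2_pow(e_p_hw, r), next_pointer))

def trapdoor(sk, keyword):
    """Trapdoor: T_W = H(W)^s."""
    return g1_pow(hash_to_g1(keyword), sk)

def structured_search(pk, pub, ciphertexts, t_w):
    """StructuredSearch: follow the chain of keyword W inside structure Pub.

    Ciphertexts are indexed by their first component, so every hop is one
    lookup and the work grows with the number of matches, not with len(C).
    """
    index = {c[0]: c for c in ciphertexts}
    found = []
    pt = pair(pub, t_w)  # Step 1: e(Pub, T_W) = e(g^u, H(W)^s) = e(P,H(W))^u
    while pt in index and index[pt] not in found:  # Steps 2 and 3
        c = index[pt]
        found.append(c)
        # Step 4: e(C[i,2], T_W)^-1 * C[i,3]
        #       = e(g^r, H(W)^s)^-1 * e(P,H(W))^r * Pt = Pt, the next link
        pt = g2_mul(g2_inv(pair(c[1], t_w)), c[2])
    return found

if __name__ == "__main__":
    pk, sk = system_setup()
    pri_a, pub_a = structure_initialization(pk)
    pri_b, pub_b = structure_initialization(pk)
    store = [structured_encryption(pk, w, pri_a) for w in ("urgent", "bill", "urgent")]
    store.append(structured_encryption(pk, "urgent", pri_b))
    hits = structured_search(pk, pub_a, store, trapdoor(sk, "urgent"))
    print(len(hits), "of", len(store), "stored ciphertexts match 'urgent' in structure A")
```

Each search hop is one dictionary lookup on the first component, which is the indexed-by-first-part search that the Search Complexity paragraph counts as $O(\log n)$ per matching ciphertext.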
Theorem 1. Suppose the hash function $H$ is collision-free, except with a negligible probability in the security parameter $k$. The above SPCHS instance is consistent, also except with a negligible probability in the security parameter $k$.

Semantic Security.
The SS-CKSA security of the above SPCHS scheme relies on the DBDH assumption in $BGen(1^k)$. The DBDH assumption [3] is defined as follows.

Definition 3 (The DBDH Assumption). The DBDH problem in $BGen(1^k) = (q, \mathbb{G}_1, \mathbb{G}_2, g, \hat e)$ is defined as the advantage of any PPT algorithm $B$ in distinguishing the tuples $(g^a, g^b, g^c, \hat e(g,g)^{abc})$ and $(g^a, g^b, g^c, \hat e(g,g)^{y})$, where $(a, b, c, y) \xleftarrow{\$} \mathbb{Z}_q^*$. Let
$\mathrm{Adv}^{DBDH}_{B}(1^k) = \Pr[B(g^a, g^b, g^c, \hat e(g,g)^{abc}) = 1] - \Pr[B(g^a, g^b, g^c, \hat e(g,g)^{y}) = 1]$
be the advantage of algorithm $B$ in solving the DBDH problem. We say that the DBDH assumption holds in $BGen(1^k)$ if the advantage $\mathrm{Adv}^{DBDH}_{B}(1^k)$ is negligible in the parameter $k$.

In the security proof, we show that if there is an adversary who can break the SS-CKSA security of the above SPCHS instance in the RO model, then there is an algorithm which can solve the DBDH problem in $BGen(1^k)$. Formally, we have Theorem 2, whose proof can be found in Supplemental Materials C.

Theorem 2.
Let the hash function $H$ be modeled as the random oracle $Q_H(\cdot)$. Suppose there are at most $N \in \mathbb{N}$ hidden structures, and a PPT adversary $A$ wins the SS-CKSA game of the above SPCHS instance with advantage $\mathrm{Adv}^{SS\text{-}CKSA}_{SPCHS,A}$, in which $A$ makes at most $q_t$ queries to oracle $Q_{Trap}(\cdot)$ and at most $q_p$ queries to oracle $Q_{Pri}(\cdot)$. Then there is a PPT algorithm $B$ that solves the DBDH problem in $BGen(1^k)$ with advantage
$\mathrm{Adv}^{DBDH}_{B}(1^k) \approx \frac{1}{e \cdot q_t \cdot q_p} \cdot \mathrm{Adv}^{SS\text{-}CKSA}_{SPCHS,A},$
where $e$ is the base of natural logarithms.

Forward and Backward Security.
Even in the case that a sender has his local privacy $Pri$ compromised, SPCHS still offers forward security. This means that the existing hidden structure of ciphertexts stays confidential, since the local privacy only contains the relationship of the newly generated ciphertexts. To offer backward security with SPCHS, the sender can initialize a new structure by algorithm StructureInitialization for the newly generated ciphertexts. Because the new structure is independent of the old one, the compromised local privacy will not leak the new structure.
Search Complexity.
All keyword-searchable ciphertexts can be indexed by their first parts' binary bits. Assume that there are in total $n$ ciphertexts from $n_S$ hidden structures, and the $i$-th hidden structure contains $n_{W,i}$ ciphertexts of keyword $W \in \mathcal{W}$. Within the $i$-th hidden structure, the search complexity is $O(n_{W,i} \log n)$. Over all hidden structures, the total search complexity is $O((n_S + n_W) \log n)$, where $n_W = \sum_{i=1}^{n_S} n_{W,i}$. Since $n = \sum_{W \in \mathcal{W}} n_W$ and $n_W = \sum_{i=1}^{n_S} n_{W,i}$, we have $n_S \ll n_W \ll n$. Thus the above SPCHS instance allows a much more efficient search than existing PEKS schemes, which have $O(n)$ search complexity.

One may note that SPCHS loses its significant advantage in search performance compared with PEKS if $n_S = n$ holds. However, this special case seldom happens. In practice, a sender will extract several keywords from each of his files, so we usually have $n_S \ll n$ even if each sender only has one file. In addition, most related works on SEKS and PEKS assume that each file has several keywords.

[Figure 2: Hidden star-like structure generated by the above SPCHS instance. $Pub = g^u$. When $Pt[u, W_i]$ $(i \in [1, L])$ is not in $Pri$, the SPCHS ciphertext is $(\hat e(P, H(W_i))^u,\ g^r,\ \hat e(P, H(W_i))^r \cdot Pt[u, W_i])$; when $Pt[u, W_i]$ is in $Pri$, it is $(Pt[u, W_i],\ g^r,\ \hat e(P, H(W_i))^r \cdot R)$. Note that, in each ciphertext, the values $R$ and $r$ are randomly chosen. For $i \in [1, L]$, $Pt[u, W_i]$ is initialized with a random value when generating the first ciphertext of keyword $W_i$, and it is updated to $R$ after generating each subsequent ciphertext of keyword $W_i$.]

Table I: System parameters
Hardware: Intel CPU E5300 @ 2.60GHz
OS and compiler: Win XP and Microsoft VC++ 6.0
Program library: MIRACL version 5.4.1
Parameters of bilinear map:
  Elliptic curve: $y = x + A \cdot x + B \cdot x$
  Pentanomial basis: $t^m + t^a + t^b + t^c + 1$
  Base field: $m = 379$, $A = 1$, $B = 1$
  Group order: $q = 2^m + 2^{(m+1)/2} + 1$
  $a = 315$, $b = 301$, $c = 287$
The default unit is decimal.

Experiment.
We implemented our SPCHS scheme and measured the time cost of algorithm StructuredSearch in executing its cryptographic operations for different numbers of matching ciphertexts. We also implemented the PEKS scheme [1]. Table I shows the system parameters, including hardware, software and the chosen elliptic curve. Assume there are in total searchable ciphertexts. PEKS takes about 53.8 seconds of search time per keyword, since it must test all ciphertexts for each search. Figure 3 shows the experimental results of SPCHS. It is clear that the time cost of SPCHS is linear in the number of matching ciphertexts, whereas for PEKS it is linear in the total number of ciphertexts. Hence, SPCHS is much more efficient than PEKS.

[Figure 3: Time cost of SPCHS. Vertical axis: Time (s); horizontal axis: the number of matching ciphertexts.]

IV. A Generic Construction of SPCHS from IBKEM and IBE

In this section, we formalize collision-free full-identity malleable IBKEM and a generic SPCHS construction from IBKEM and IBE.
A. Reviewing IBE

Before the generic SPCHS construction, let us review the concept of IBE and its Anonymity and Semantic Security under adaptive-ID and Chosen Plaintext Attacks (Anon-SS-ID-CPA).

Definition 4 (IBE [11]). IBE consists of four algorithms:
• $\mathrm{Setup}_{IBE}(1^k, \mathcal{ID}_{IBE})$: Take as inputs a security parameter $k$ and an identity space $\mathcal{ID}_{IBE}$, and probabilistically output the master public-and-secret-key pair $(PK_{IBE}, SK_{IBE})$, where $PK_{IBE}$ includes the message space $\mathcal{M}_{IBE}$, the ciphertext space $\mathcal{C}_{IBE}$ and the identity space $\mathcal{ID}_{IBE}$.
• $\mathrm{Extract}_{IBE}(SK_{IBE}, ID)$: Take as inputs $SK_{IBE}$ and an identity $ID \in \mathcal{ID}_{IBE}$, and output a decryption key $\tilde S_{ID}$ of $ID$.
• $\mathrm{Enc}_{IBE}(PK_{IBE}, ID, M)$: Take as inputs $PK_{IBE}$, an identity $ID \in \mathcal{ID}_{IBE}$ and a message $M$, and probabilistically output a ciphertext $\tilde C$.
• $\mathrm{Dec}_{IBE}(\tilde S_{ID'}, \tilde C)$: Take as inputs the decryption key $\tilde S_{ID'}$ of identity $ID'$ and a ciphertext $\tilde C$, and output a message, or $\bot$ if the ciphertext is invalid.
An IBE scheme must be consistent in the sense that for any $\tilde C = \mathrm{Enc}_{IBE}(PK_{IBE}, ID, M)$ and $\tilde S_{ID'} = \mathrm{Extract}_{IBE}(SK_{IBE}, ID')$, $\mathrm{Dec}_{IBE}(\tilde S_{ID'}, \tilde C) = M$ holds if $ID' = ID$, except with a negligible probability in the security parameter $k$.

In the Anon-SS-ID-CPA security notion of IBE, a PPT adversary is allowed to query the decryption keys of adaptively chosen identities, and to adaptively choose two challenge identity-and-message pairs. Anon-SS-ID-CPA security of IBE means that, for a challenge ciphertext, the adversary cannot determine which challenge identity and which challenge message it corresponds to, provided that the adversary does not know the two challenge identities' decryption keys. The Anon-SS-ID-CPA security of an IBE scheme is defined as follows.
Definition 5 (Anon-SS-ID-CPA security of IBE [46]). An IBE scheme is Anon-SS-ID-CPA secure if any PPT adversary $B$ has only a negligible advantage $\mathrm{Adv}^{Anon\text{-}SS\text{-}ID\text{-}CPA}_{IBE,B}$ in winning the following Anon-SS-ID-CPA game:
• Setup Phase: A challenger sets up the IBE scheme by running algorithm $\mathrm{Setup}_{IBE}$ to generate the master public-and-secret-key pair $(PK_{IBE}, SK_{IBE})$, and sends $PK_{IBE}$ to $B$.
• Query Phase 1: Adversary $B$ adaptively issues the following query multiple times.
  – Decryption Key Query $Q^{IBE}_{DK}(ID)$: Taking as input an identity $ID \in \mathcal{ID}_{IBE}$, the challenger outputs the decryption key of identity $ID$.
• Challenge Phase: Adversary $B$ sends two challenge identity-and-message pairs $(ID^*_0, M^*_0)$ and $(ID^*_1, M^*_1)$ to the challenger; the challenger picks $\tilde d \xleftarrow{\$} \{0,1\}$, and sends the challenge IBE ciphertext $\tilde C^*_{\tilde d} = \mathrm{Enc}_{IBE}(PK_{IBE}, ID^*_{\tilde d}, M^*_{\tilde d})$ to $B$.
• Query Phase 2: This phase is the same as Query Phase 1. Note that in Query Phase 1 and Query Phase 2, $B$ cannot query the decryption key corresponding to the challenge identity $ID^*_0$ or $ID^*_1$.
• Guess Phase: Adversary $B$ sends a guess $\tilde d'$ to the challenger. We say that $B$ wins if $\tilde d' = \tilde d$.
Let $\mathrm{Adv}^{Anon\text{-}SS\text{-}ID\text{-}CPA}_{IBE,B} = \Pr[\tilde d' = \tilde d] - \frac{1}{2}$ be the advantage of $B$ in winning the above game.

B. The Collision-Free Full-Identity Malleable IBKEM

Our generic construction also relies on the notion of collision-free full-identity malleable IBKEM. The following IBKEM definition is derived from [47]. The only difference appears in algorithm $\mathrm{Encaps}_{IBKEM}$: in order to highlight that the generator of an IBKEM encapsulation knows the random value used in algorithm $\mathrm{Encaps}_{IBKEM}$, we take the random value as an input of the algorithm.
Definition 6 (IBKEM). IBKEM consists of four algorithms:
• $\mathrm{Setup}_{IBKEM}(1^k, \mathcal{ID}_{IBKEM})$: Take as inputs a security parameter $k$ and an identity space $\mathcal{ID}_{IBKEM}$, and probabilistically output the master public-and-secret-key pair $(PK_{IBKEM}, SK_{IBKEM})$, where $PK_{IBKEM}$ includes the identity space $\mathcal{ID}_{IBKEM}$, the encapsulated key space $\mathcal{K}_{IBKEM}$ and the encapsulation space $\mathcal{C}_{IBKEM}$.
• $\mathrm{Extract}_{IBKEM}(SK_{IBKEM}, ID)$: Take as inputs $SK_{IBKEM}$ and an identity $ID \in \mathcal{ID}_{IBKEM}$, and output a decryption key $\hat S_{ID}$ of $ID$.
• $\mathrm{Encaps}_{IBKEM}(PK_{IBKEM}, ID, r)$: Take as inputs $PK_{IBKEM}$, an identity $ID \in \mathcal{ID}_{IBKEM}$ and a random value $r$, and deterministically output a key-and-encapsulation pair $(\hat K, \hat C)$ of $ID$.
• $\mathrm{Decaps}_{IBKEM}(\hat S_{ID'}, \hat C)$: Take as inputs the decryption key $\hat S_{ID'}$ of identity $ID'$ and an encapsulation $\hat C$, and output an encapsulated key, or $\bot$ if the encapsulation is invalid.
An IBKEM scheme must be consistent in the sense that for any $(\hat K, \hat C) = \mathrm{Encaps}_{IBKEM}(PK_{IBKEM}, ID, r)$, $\mathrm{Decaps}_{IBKEM}(\hat S_{ID'}, \hat C) = \hat K$ holds if $ID' = ID$, except with a negligible probability in the security parameter $k$.

A collision-free full-identity malleable IBKEM has the following characteristics: all identities' decryption keys can decapsulate the same encapsulation; all decapsulated keys are collision-free; the generator of the encapsulation can also compute these decapsulated keys; and the decapsulated keys of different encapsulations are also collision-free.
Definition 7 (Collision-Free Full-Identity Malleable IBKEM). An IBKEM is collision-free full-identity malleable if there is an efficient function $\mathrm{FIM}$ such that for any $(\hat K, \hat C) = \mathrm{Encaps}_{IBKEM}(PK_{IBKEM}, ID, r)$, the function $\mathrm{FIM}$ satisfies the following features:
• (Full-Identity Malleability) For any identity $ID' \in \mathcal{ID}_{IBKEM}$, the equation $\mathrm{FIM}(ID', r) = \mathrm{Decaps}_{IBKEM}(\hat S_{ID'}, \hat C)$ always holds, where $\hat S_{ID'} = \mathrm{Extract}_{IBKEM}(SK_{IBKEM}, ID')$;
• (Collision-Freeness) For any identity $ID' \in \mathcal{ID}_{IBKEM}$ and any random value $r'$, if $ID \neq ID' \,\vee\, r \neq r'$, then $\mathrm{FIM}(ID, r) \neq \mathrm{FIM}(ID', r')$ holds, except with a negligible probability in the security parameter $k$.

A collision-free full-identity malleable IBKEM scheme may preserve semantic security and anonymity. We incorporate semantic security and anonymity into Anon-SS-ID-CPA secure IBKEM. This security is different from the traditional version [47] of Anon-SS-ID-CPA security due to the full-identity malleability of IBKEM; the difference is discussed after the definition. In this security notion, a PPT adversary is allowed to query the decryption keys of adaptively chosen identities, and to adaptively choose two challenge identities. Anon-SS-ID-CPA security of IBKEM means that, for a challenge key-and-encapsulation pair, the adversary can determine neither the correctness of this pair nor the challenge identity of this pair, given that the adversary does not know the two challenge identities' decryption keys. The Anon-SS-ID-CPA security of a collision-free full-identity malleable IBKEM scheme is defined as follows.
Definition 8 (Anon-SS-ID-CPA security of IBKEM). An IBKEM scheme is Anon-SS-ID-CPA secure if any PPT adversary $B$ has only a negligible advantage $\mathrm{Adv}^{Anon\text{-}SS\text{-}ID\text{-}CPA}_{IBKEM,B}$ in winning the following Anon-SS-ID-CPA game:
• Setup Phase: A challenger sets up the IBKEM scheme by running algorithm $\mathrm{Setup}_{IBKEM}$ to generate the master public-and-secret-key pair $(PK_{IBKEM}, SK_{IBKEM})$, and sends $PK_{IBKEM}$ to $B$.
• Query Phase 1: $B$ adaptively issues the following query multiple times.
  – Decryption Key Query $Q^{IBKEM}_{DK}(ID)$: Taking as input an identity $ID \in \mathcal{ID}_{IBKEM}$, the challenger outputs the decryption key of identity $ID$.
• Challenge Phase: $B$ sends two challenge identities $ID^*_0$ and $ID^*_1$ to the challenger; the challenger picks $\hat d \xleftarrow{\$} \{0,1\}$, computes $(\hat K^*_0, \hat C^*_0) = \mathrm{Encaps}_{IBKEM}(PK_{IBKEM}, ID^*_0, r_0)$ and $(\hat K^*_1, \hat C^*_1) = \mathrm{Encaps}_{IBKEM}(PK_{IBKEM}, ID^*_1, r_1)$, and sends the challenge key-and-encapsulation pair $(\hat K^*_{\hat d}, \hat C^*_0)$ to $B$, where $r_0$ and $r_1$ are randomly chosen.
• Query Phase 2: This phase is the same as Query Phase 1. Note that in Query Phase 1 and Query Phase 2, $B$ cannot query the decryption keys of both challenge identities $ID^*_0$ and $ID^*_1$.
• Guess Phase: $B$ sends a guess $\hat d'$ to the challenger. We say that $B$ wins if $\hat d' = \hat d$.
Let $\mathrm{Adv}^{Anon\text{-}SS\text{-}ID\text{-}CPA}_{IBKEM,B} = \Pr[\hat d' = \hat d] - \frac{1}{2}$ be the advantage of $B$ in winning the above game.

In the above definition, the anonymity of the encapsulated keys is defined by the indistinguishability of $\hat K^*_0$ and $\hat K^*_1$. But we do not define the anonymity of the IBKEM encapsulations (i.e., the challenge key-and-encapsulation pair contains $\hat C^*_0$ instead of $\hat C^*_{\hat d}$), since the full-identity malleability of IBKEM implies that any IBKEM encapsulation is valid for all identities.

A weaker security definition of IBKEM is selective-identity security, referred to as Anon-SS-sID-CPA security. The corresponding attack game is called the Anon-SS-sID-CPA game, in which the adversary must commit to the two challenge identities before the system is set up.

C. The Proposed Generic SPCHS Construction
Let the keyword space $\mathcal{W} \subset \mathcal{ID}_{IBKEM} = \mathcal{ID}_{IBE}$. Our generic SPCHS construction from collision-free full-identity malleable IBKEM and IBE is as follows.
• SystemSetup$(1^k, \mathcal{W})$: Take as inputs a security parameter $k$ and the keyword space $\mathcal{W}$, run $(PK_{IBKEM}, SK_{IBKEM}) = \mathrm{Setup}_{IBKEM}(1^k, \mathcal{ID}_{IBKEM})$ and $(PK_{IBE}, SK_{IBE}) = \mathrm{Setup}_{IBE}(1^k, \mathcal{ID}_{IBE})$, and output a pair of master public-and-secret keys $(PK = (PK_{IBKEM}, PK_{IBE}),\ SK = (SK_{IBKEM}, SK_{IBE}))$. Let the SPCHS ciphertext space be $\mathcal{C} = \mathcal{K}_{IBKEM} \times \mathcal{C}_{IBE}$, and $\mathcal{K}_{IBKEM} = \mathcal{M}_{IBE}$.
• StructureInitialization$(PK)$: Take as input $PK$, arbitrarily pick a keyword $W \in \mathcal{W}$ and a random value $u$, generate an IBKEM encapsulated key and its encapsulation $(\hat K, \hat C) = \mathrm{Encaps}_{IBKEM}(PK_{IBKEM}, W, u)$, and initialize a hidden structure by outputting a pair of private-and-public parts $(Pri = (u),\ Pub = \hat C)$. Note that $Pri$ here is a variable list of the form $(u, \{(W, Pt[u,W]) \mid W \in \mathcal{W}\})$, which is initialized as $(u)$. (In the above, an IBKEM encapsulation and its related random value are respectively taken as the public and private parts of a hidden structure. To generate these two parts, an arbitrary keyword has to be chosen to run algorithm $\mathrm{Encaps}_{IBKEM}$.)
• StructuredEncryption$(PK, W, Pri)$: Take as inputs $PK$, a keyword $W \in \mathcal{W}$ and a hidden structure's private part $Pri$, and do the following steps:
  1) Search $(W, Pt[u,W])$ for $W$ in $Pri$;
  2) If it is not found, insert $(W, Pt[u,W] \xleftarrow{\$} \mathcal{M}_{IBE})$ into $Pri$, and output the keyword-searchable ciphertext $C = (\mathrm{FIM}(W, u),\ \mathrm{Enc}_{IBE}(PK_{IBE}, W, Pt[u,W]))$;
  3) Otherwise, pick $R \xleftarrow{\$} \mathcal{M}_{IBE}$, set $C = (Pt[u,W],\ \mathrm{Enc}_{IBE}(PK_{IBE}, W, R))$, update $Pt[u,W] = R$, and output the keyword-searchable ciphertext $C$.
• Trapdoor$(SK, W)$: Take as inputs $SK$ and a keyword $W \in \mathcal{W}$, run $\hat S_W = \mathrm{Extract}_{IBKEM}(SK_{IBKEM}, W)$ and $\tilde S_W = \mathrm{Extract}_{IBE}(SK_{IBE}, W)$, and output a keyword search trapdoor $T_W = (\hat S_W, \tilde S_W)$ of keyword $W$.
• StructuredSearch$(PK, Pub, \mathbf{C}, T_W)$: Take as inputs $PK$, a hidden structure's public part $Pub$, all keyword-searchable ciphertexts $\mathbf{C}$ (let $C[i]$ denote one ciphertext of $\mathbf{C}$; it can be parsed as $(C[i,1], C[i,2]) \in \mathcal{C} = \mathcal{K}_{IBKEM} \times \mathcal{C}_{IBE}$) and a keyword trapdoor $T_W = (\hat S_W, \tilde S_W)$ of keyword $W$, set $\mathbf{C}' = \emptyset$, and do the following steps:
  1) Compute $Pt' = \mathrm{Decaps}_{IBKEM}(\hat S_W, Pub)$;
  2) Seek a ciphertext $C[i]$ having $C[i,1] = Pt'$; if it exists, add $C[i]$ into $\mathbf{C}'$;
  3) If no matching ciphertext is found, output $\mathbf{C}'$;
  4) Compute $Pt' = \mathrm{Dec}_{IBE}(\tilde S_W, C[i,2])$, and go to Step 2.

Figure 4 shows a hidden star-like structure generated by the generic SPCHS construction. When running algorithm StructuredSearch$(PK, Pub, \mathbf{C}, T_{W_i})$, the full-identity malleability of IBKEM allows the algorithm to disclose the value $\mathrm{FIM}(W_i, u)$ by computing $\mathrm{FIM}(W_i, u) = \mathrm{Decaps}_{IBKEM}(\hat S_{W_i}, Pub)$, and to find the ciphertext $(\mathrm{FIM}(W_i, u),\ \mathrm{Enc}_{IBE}(PK_{IBE}, W_i, Pt[u, W_i]))$. Then the consistency of IBE allows the algorithm to disclose $Pt[u, W_i]$ by decrypting $\mathrm{Enc}_{IBE}(PK_{IBE}, W_i, Pt[u, W_i])$, and to find the ciphertext $(Pt[u, W_i],\ \mathrm{Enc}_{IBE}(PK_{IBE}, W_i, R))$. Carrying on in this way, the consistency of IBE allows the algorithm to find the rest of the ciphertexts of keyword $W_i$ along the hidden star-like structure, and to stop the search when no more ciphertexts are found.

Consistency.
When running the above algorithm StructuredSearch$(PK, Pub, \mathbf{C}, T_W)$, the consistency and full-identity malleability of IBKEM assure that $\mathrm{FIM}(W, u) = \mathrm{Decaps}_{IBKEM}(\hat S_W, Pub)$ holds. The collision-freeness of IBKEM assures that only one ciphertext containing keyword $W$ has the value $\mathrm{FIM}(W, u)$ as its first part. Therefore the algorithm can find the first ciphertext of keyword $W$ within the hidden structure $Pub$. Then the consistency of IBE allows algorithm StructuredSearch to find the rest of the ciphertexts containing keyword $W$ within the hidden structure $Pub$. Formally, we have Theorem 3, whose proof can be found in Supplemental Materials D.

[Figure 4: Hidden star-like structure generated by the generic SPCHS construction. $Pub = \hat C$, where $(\hat K, \hat C) = \mathrm{Encaps}_{IBKEM}(PK_{IBKEM}, W, u)$. When $Pt[u, W_i]$ $(i \in [1, L])$ is not in $Pri$, the SPCHS ciphertext is $(\mathrm{FIM}(W_i, u),\ \mathrm{Enc}_{IBE}(PK_{IBE}, W_i, Pt[u, W_i]))$; when $Pt[u, W_i]$ is in $Pri$, it is $(Pt[u, W_i],\ \mathrm{Enc}_{IBE}(PK_{IBE}, W_i, R))$. Note that in each ciphertext, the value $R$ is randomly chosen. For $i \in [1, L]$, $Pt[u, W_i]$ is initialized with a random value when generating the first ciphertext of keyword $W_i$, and it is updated to $R$ after generating each subsequent ciphertext of keyword $W_i$.]
Theorem 3.
The above generic SPCHS scheme is consistent if its underlying collision-free full-identity malleable IBKEM and IBE schemes are both consistent.
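As an added example (not the paper's or the authors' code), the Python below models the generic construction of Section IV-C and the search-cost point of Section III: a deliberately weak Diffie-Hellman-style IBKEM stands in for the pairing-based one and supplies FIM, a KEM/DEM wrapper around a second instance plays the IBE, and the search follows the hidden pointers from Pub. The group parameters, function names and sample keywords are assumptions; the count of IBE decryptions returned by the search is what shows the cost tracking the number of matching ciphertexts rather than the total.

```python
# Added example (not the paper's code): a toy model of the generic SPCHS
# construction.  The IBKEM is a weak Diffie-Hellman-style stand-in for the
# pairing-based one (decryption keys are bare scalars) and the IBE is a
# KEM/DEM wrapper around it.  Parameters and names are assumptions; nothing
# here is secure enough to deploy; it only shows the hidden star structure.
import hashlib
import secrets

P = 2**127 - 1      # Mersenne prime; arithmetic is in Z_P^*
G = 3               # constructed fixed base element

def rand_exp():
    return secrets.randbelow(P - 2) + 1

def h_id(identity):
    """Hash an identity (a keyword here) to an exponent, like the RO H."""
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big")

# --- toy IBKEM: Setup / Extract / Encaps / Decaps and the function FIM -----
def ibkem_setup():
    x = rand_exp()
    return {"g": G, "gx": pow(G, x, P)}, {"x": x}

def ibkem_extract(sk, identity):
    return sk["x"] * h_id(identity)                  # S_ID (toy: a scalar)

def ibkem_encaps(pk, identity, r):
    # deterministic in (identity, r): K = g^{x r H(ID)}, C = g^r
    return pow(pk["gx"], r * h_id(identity), P), pow(pk["g"], r, P)

def ibkem_decaps(s_id, c):
    return pow(c, s_id, P)                           # = g^{r x H(ID')}

def fim(pk, identity, r):
    # full-identity malleability: FIM(ID', r) = Decaps(S_ID', C) for every ID'
    return pow(pk["gx"], r * h_id(identity), P)

# --- toy IBE on top of the IBKEM; message space = key space = Z_P^* --------
def ibe_enc(pk, identity, m):
    k, c = ibkem_encaps(pk, identity, rand_exp())
    return c, (m * k) % P

def ibe_dec(s_id, ct):
    c, body = ct
    return (body * pow(ibkem_decaps(s_id, c), -1, P)) % P

# --- generic SPCHS construction (SystemSetup ... StructuredSearch) ---------
def system_setup():
    pk_kem, sk_kem = ibkem_setup()
    pk_ibe, sk_ibe = ibkem_setup()    # independent second instance acts as IBE
    return (pk_kem, pk_ibe), (sk_kem, sk_ibe)

def structure_initialization(pk, any_keyword):
    u = rand_exp()
    _, pub = ibkem_encaps(pk[0], any_keyword, u)
    return {"u": u, "pt": {}}, pub                   # Pri = (u, {}), Pub = C

def structured_encryption(pk, keyword, pri):
    pk_kem, pk_ibe = pk
    pt = pri["pt"]
    if keyword not in pt:                 # first ciphertext of this keyword:
        pt[keyword] = rand_exp()          # head = FIM(W,u), body hides Pt[u,W]
        return fim(pk_kem, keyword, pri["u"]), ibe_enc(pk_ibe, keyword, pt[keyword])
    r_new = rand_exp()                    # later ciphertexts: head = Pt[u,W],
    c = (pt[keyword], ibe_enc(pk_ibe, keyword, r_new))   # body hides new R
    pt[keyword] = r_new
    return c

def trapdoor(sk, keyword):
    return ibkem_extract(sk[0], keyword), ibkem_extract(sk[1], keyword)

def structured_search(pk, pub, ciphertexts, t_w):
    """Return (matching ciphertexts, number of IBE decryptions performed)."""
    s_kem, s_ibe = t_w
    index = {c[0]: c for c in ciphertexts}   # first parts indexed once; lookups O(log n)
    found, decryptions = [], 0
    pt = ibkem_decaps(s_kem, pub)            # step 1: equals FIM(W, u)
    while pt in index:                       # steps 2-3: follow the star
        c = index[pt]
        found.append(c)
        pt = ibe_dec(s_ibe, c[1])            # step 4: next hidden pointer
        decryptions += 1
    return found, decryptions

def demo():
    """Constructed sample: six ciphertexts under three keywords, one structure."""
    pk, sk = system_setup()
    pri, pub = structure_initialization(pk, "alice")
    order = ["alice", "bob", "alice", "carol", "alice", "carol"]
    expected = {w: set() for w in order}
    store = []
    for w in order:
        c = structured_encryption(pk, w, pri)
        store.append(c)
        expected[w].add(c)
    secrets.SystemRandom().shuffle(store)    # storage order carries no structure
    results = {}
    for w in ["alice", "bob", "carol", "dave"]:
        found, decs = structured_search(pk, pub, store, trapdoor(sk, w))
        results[w] = (len(found), decs, set(found) == expected.get(w, set()))
    return results
```

Each entry of `demo()` is (ciphertexts found, IBE decryptions performed, whether the found set equals the keyword's real ciphertext set); the decryption count equals the number of matches, and a keyword with no ciphertexts costs no decryption at all.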
Semantic Security.
The SS-sK-CKSA security of the above generic SPCHS construction relies on the Anon-SS-sID-CPA security of the underlying IBKEM and the Anon-SS-ID-CPA security of the underlying IBE. In the security proof, we prove that if there is an adversary who can break the SS-sK-CKSA security of the above generic SPCHS construction, then there is another adversary who can break the Anon-SS-sID-CPA security of the underlying IBKEM or the Anon-SS-ID-CPA security of the underlying IBE. Theorem 4 formally states the semantic security of our generic SPCHS construction. The proof can be found in Supplemental Materials E.
Theorem 4.
Suppose there are at most $N \in \mathbb{N}$ hidden structures, and a PPT adversary $A$ wins the SS-sK-CKSA game with advantage $\mathrm{Adv}^{SS\text{-}sK\text{-}CKSA}_{SPCHS,A}$. Then there is a PPT adversary $B$ who utilizes the capability of $A$ to win the Anon-SS-sID-CPA game of the underlying IBKEM or the Anon-SS-ID-CPA game of the underlying IBE with advantage $N \cdot \mathrm{Adv}^{SS\text{-}sK\text{-}CKSA}_{SPCHS,A}$.

V. Two Collision-Free Full-Identity Malleable IBKEM Instances
The Instance in the RO Model.
Abdalla et al. proposed several VRF-suitable IBKEM instances in [8]. An IBKEM instance is VRF-suitable if it provides unique decapsulation. This means that given any encapsulation, all the decryption keys corresponding to the same identity decapsulate the same encapsulated key, and the key is pseudo-random. Here, the decryption key extraction is probabilistic, and for the same identity, different decryption keys may be extracted in different runs of the key extraction algorithm. It is clear that our proposed collision-free full-identity malleability not only implies unique decapsulation, but also implies that the generator of an encapsulation knows what keys will be decapsulated by the decryption keys of all identities. In Supplemental Materials F, we prove that the VRF-suitable IBKEM instance proposed in Appendix A.2 of [8] is collision-free full-identity malleable. Even though this IBKEM scheme has the traditional Anon-SS-ID-CPA security, we further prove that it is Anon-SS-ID-CPA secure according to Definition 8, based on the DBDH assumption in the RO model.
The Instance in the Standard Model.
In [9], Freire et al. utilized the "approximation" of multilinear maps [10] to construct a programmable hash function in the multilinear setting (MPHF). They then used this hash function to replace the traditional hash functions of the BF IBE scheme [11] and reconstructed that IBE scheme in the multilinear setting, finally obtaining a new IBE scheme with semantic security in the standard model. We find that this new IBE scheme can easily be transformed into a collision-free full-identity malleable IBKEM scheme with Anon-SS-ID-CPA security in the standard model. To simplify the description of this IBKEM scheme, we do not consider the "approximation" of multilinear maps. This means that we leave out the functions for encoding a group element, re-randomizing an encoding and extracting an encoding. Some related definitions are reviewed as follows.
Definition 9 (Multilinear Maps [9]). An $\ell$-group system in the multilinear setting consists of $\ell$ cyclic groups $\mathbb{G}_1, \cdots, \mathbb{G}_\ell$ of prime order $p$, along with bilinear maps $\hat e_{i,j} : \mathbb{G}_i \times \mathbb{G}_j \to \mathbb{G}_{i+j}$ for all $i, j \geq 1$ with $i + j \leq \ell$. Let $g_i$ be a generator of $\mathbb{G}_i$. The map $\hat e_{i,j}$ satisfies $\hat e_{i,j}(g_i^a, g_j^b) = g_{i+j}^{ab}$ (for all $a, b \in \mathbb{Z}_p$). When $i, j$ are clear, we simply write $\hat e$ instead of $\hat e_{i,j}$. It is also convenient to abbreviate $\hat e(h_1, \cdots, h_j) = \hat e(h_1, \hat e(h_2, \cdots, \hat e(h_{j-1}, h_j) \cdots))$ for $h_j \in \mathbb{G}_{i_j}$ and $i = (i_1 + i_2 + \cdots + i_j) \leq \ell$. By induction, it is easy to see that this map is $j$-linear. Additionally, we define $\hat e(g) = g$. Finally, it can also be useful to define the group $\mathbb{G}_0 = \mathbb{Z}^+_{|\mathbb{G}_1|}$ of exponents, to which this pairing family naturally extends. In the following, we assume an $\ell$-group system $MPG_\ell = \{\{\mathbb{G}_i\}_{i \in [1,\ell]},\ p,\ \{\hat e_{i,j}\}_{i,j \geq 1,\ i+j \leq \ell}\}$ generated by a multilinear maps parameter generator $MG_\ell$ on input a security parameter $k$.

Definition 10 (The $\ell$-MDDH Assumption [9]). Given $(g, g^{x_1}, \cdots, g^{x_{\ell+1}})$ (for $g \xleftarrow{\$} \mathbb{G}_1$ and uniform exponents $x_i$), the $\ell$-MDDH assumption states that the element $\hat e(g^{x_1}, \cdots, g^{x_\ell})^{x_{\ell+1}} \in \mathbb{G}_\ell$ is computationally indistinguishable from a uniform $\mathbb{G}_\ell$-element.

Definition 11 (Group hash function [9]). A group hash function $H$ into $\mathbb{G}$ consists of two polynomial-time algorithms: the probabilistic algorithm $HGen(1^k)$ outputs a key $hk$, and $HEval(hk, X)$ (for a key $hk$ and $X \in \{0,1\}^k$) deterministically outputs an image $H_{hk}(X) \in \mathbb{G}$.

Definition 12 (MPHF [9]). Assume an $\ell'$-group system $MPG_{\ell'}$ as generated by $MG_{\ell'}(1^k)$. Let $H$ be a group hash function into $\mathbb{G}_\ell$ $(\ell \leq \ell')$, and let $m, n \in \mathbb{N}$. We say that $H$ is an $(m,n)$-programmable hash function in the multilinear setting ($(m,n)$-MPHF) if there are PPT algorithms $TGen$ and $TEval$ as follows.
• $TGen(1^k, c_1, \cdots, c_\ell, h)$ (for $c_i, h \in \mathbb{G}_1$ and $h \neq 1$) outputs a key $hk$ and a trapdoor $td$. We require that for all $c_i, h$, the distribution of $hk$ is statistically close to the output of $HGen$.
• $TEval(td, X)$ (for a trapdoor $td$ and $X \in \{0,1\}^k$) deterministically outputs $a_X \in \mathbb{Z}_p^*$ and $B_X \in \mathbb{G}_{\ell-1}$ with $H_{hk}(X) = \hat e(c_1, \cdots, c_\ell)^{a_X} \cdot \hat e(B_X, h)$. We require that there is a polynomial $p(k)$ such that for all $hk$ and $X_1, \cdots, X_m, Z_1, \cdots, Z_n \in \{0,1\}^k$ with $\{X_i\}_i \cap \{Z_j\}_j = \emptyset$,
$P_{hk, \{X_i\}, \{Z_j\}} = \Pr[(a_{X_1} = \cdots = a_{X_m} = 0) \wedge (a_{Z_1}, \cdots, a_{Z_n} \neq 0)] \geq 1/p(k),$
where the probability is over possible trapdoors $td$ output by $TGen$ along with the given $hk$. Furthermore, we require that $P_{hk, \{X_i\}, \{Z_j\}}$ is close to statistically independent of $hk$. (Formally, $|P_{hk, \{X_i\}, \{Z_j\}} - P_{hk', \{X_i\}, \{Z_j\}}| \leq v(k)$ for all $hk$ and $hk'$ in the range of $TGen$, all $\{X_i\}, \{Z_j\}$, and negligible $v(k)$.)
We say that $H$ is a $(\mathrm{poly}, n)$-MPHF if it is a $(q(k), n)$-MPHF for every polynomial $q(k)$. Note that the $TEval$ algorithm of an MPHF into $\mathbb{G}_1$ yields $B_X \in \mathbb{G}_0$, i.e., exponents $B_X$.

Let the identity space $\mathcal{ID}_{IBKEM} = \{0,1\}^k$. The IBKEM instance in the standard model is as follows.
• $\mathrm{Setup}_{IBKEM}(1^k, \mathcal{ID}_{IBKEM})$: Take as inputs a security parameter $k$ and the identity space $\mathcal{ID}_{IBKEM}$, generate an $(\ell+1)$-group system $MPG_{\ell+1} = \{\{\mathbb{G}_i\}_{i \in [1,\ell+1]},\ p,\ \{\hat e_{i,j}\}_{i,j \geq 1,\ i+j \leq \ell+1}\} \leftarrow MG_{\ell+1}(1^k)$, generate a $(\mathrm{poly}, \cdot)$-MPHF $H$ into $\mathbb{G}_\ell$ and $hk \leftarrow HGen(1^k)$, choose $h \xleftarrow{\$} \mathbb{G}_1$ and $x \xleftarrow{\$} \mathbb{Z}_p$, set the encapsulated key space $\mathcal{K}_{IBKEM} = \mathbb{G}_{\ell+1}$, set the encapsulation space $\mathcal{C}_{IBKEM} = \mathbb{G}_1$, and output the master public key $PK_{IBKEM} = (MPG_{\ell+1}, hk, H, h, h^x, \mathcal{ID}_{IBKEM}, \mathcal{K}_{IBKEM}, \mathcal{C}_{IBKEM})$ and the master secret key $SK_{IBKEM} = (hk, x)$.
• $\mathrm{Extract}_{IBKEM}(SK_{IBKEM}, ID)$: Take as inputs $SK_{IBKEM}$ and an identity $ID \in \mathcal{ID}_{IBKEM}$, and output a decryption key $\hat S_{ID} = H_{hk}(ID)^x$ of $ID$.
• $\mathrm{Encaps}_{IBKEM}(PK_{IBKEM}, ID, r)$: Take as inputs $PK_{IBKEM}$, an identity $ID \in \mathcal{ID}_{IBKEM}$ and a random value $r \in \mathbb{Z}_p^*$, and output a key-and-encapsulation pair $(\hat K, \hat C)$, where $\hat K = \hat e(H_{hk}(ID), h^x)^r \in \mathbb{G}_{\ell+1}$ and $\hat C = h^r$.
• $\mathrm{Decaps}_{IBKEM}(\hat S_{ID'}, \hat C)$: Take as inputs the decryption key $\hat S_{ID'}$ of identity $ID'$ and an encapsulation $\hat C$, and output the encapsulated key $\hat K = \hat e(\hat C, \hat S_{ID'}) \in \mathbb{G}_{\ell+1}$ if $\hat C \in \mathbb{G}_1$, or output $\bot$ otherwise.

Consistency.
According to Definitions 9 and 11, it is straightforward to verify the consistency of the above IBKEM scheme.

Collision-Free Full-Identity Malleability.
Let the function $\mathrm{FIM}(ID, r) = \hat e(h^x, H_{hk}(ID))^r \in \mathbb{G}_{\ell+1}$ for any identity $ID \in \mathcal{ID}_{IBKEM}$ and any random value $r \in \mathbb{Z}_p^*$. Given any $(\hat K, \hat C) \leftarrow \mathrm{Encaps}_{IBKEM}(PK_{IBKEM}, ID, r)$, we clearly have that: (1) for any identity $ID'$, the equation $\mathrm{FIM}(ID', r) = \mathrm{Decaps}_{IBKEM}(\hat S_{ID'}, \hat C)$ holds; (2) for any identity $ID'$ and any random value $r'$, if $ID' \neq ID \,\vee\, r' \neq r$ holds, then $\mathrm{FIM}(ID, r) \neq \mathrm{FIM}(ID', r')$ holds except with a negligible probability. So the above IBKEM scheme is collision-free full-identity malleable.

Anon-SS-ID-CPA Security.
In [9], Freire et al. utilized a $(\mathrm{poly}, \cdot)$-MPHF to construct a standard-model version of the BF IBE scheme with SS-ID-CPA security. In contrast, we use a $(\mathrm{poly}, \cdot)$-MPHF in constructing the above IBKEM scheme, since this kind of MPHF is more useful in proving Anon-SS-ID-CPA security. Theorem 5 formally states the Anon-SS-ID-CPA security of the above IBKEM scheme. The proof can be found in Supplemental Materials G.

Theorem 5.
Assume the above IBKEM scheme is implemented in an $(\ell+1)$-group system, and with a $(\mathrm{poly}, \cdot)$-MPHF $H$ into $\mathbb{G}_\ell$. Then, under the $(\ell+1)$-MDDH assumption, this IBKEM scheme is Anon-SS-ID-CPA secure.

According to Theorems 4 and 5, the generic SPCHS construction implies an SPCHS instance with SS-sK-CKSA security in the standard model. Indeed, this SPCHS instance can be proved SS-CKSA secure.

VI. Conclusion and Future Work
This paper investigated as-fast-as-possible search in PEKS with semantic security. We proposed the concept of SPCHS as a variant of PEKS. The new concept allows keyword-searchable ciphertexts to be generated with a hidden structure. Given a keyword search trapdoor, the search algorithm of SPCHS can disclose part of this hidden structure for guidance on finding the ciphertexts of the queried keyword. Semantic security of SPCHS captures the privacy of the keywords and the invisibility of the hidden structures. We proposed an SPCHS scheme from scratch with semantic security in the RO model. The scheme generates keyword-searchable ciphertexts with a hidden star-like structure. Its search complexity is mainly linear in the exact number of the ciphertexts containing the queried keyword. It outperforms existing PEKS schemes with semantic security, whose search complexity is linear in the number of all ciphertexts. We identified several interesting properties, i.e., collision-freeness and full-identity malleability, in some IBKEM instances, and formalized these properties to build a generic SPCHS construction. We illustrated two collision-free full-identity malleable IBKEM instances, which are respectively secure in the RO and standard models.

SPCHS seems a promising tool to solve some challenging problems in public-key searchable encryption. One application may be to achieve retrieval completeness verification which, to the best of our knowledge, has not been achieved in existing PEKS schemes. Specifically, by forming a hidden ring-like structure, i.e., letting the last hidden pointer always point to the head, one can obtain PEKS that allows checking the completeness of the retrieved ciphertexts by checking whether the pointers of the returned ciphertexts form a ring.

Another application may be to realize public-key encryption with content search, a functionality similar to that realized by symmetric searchable encryption. Such content-searchable encryption is useful in practice, e.g., to filter encrypted spam. Specifically, by forming a hidden tree-like structure between the sequentially encrypted words in one file, one can obtain public-key searchable encryption allowing content search (e.g., to find whether specific contents appear in an encrypted file). The search complexity is linear in the size of the queried content.

Acknowledgments
The authors would like to thank the reviewers for their valuable suggestions that helped to improve the paper greatly. The first author is partly supported by the National Natural Science Foundation of China under grant no. 61472156 and the National Program on Key Basic Research Project (973 Program) under grant no. 2014CB340600. The second author is supported by the Chinese National Key Basic Research Program (973 program) through project 2012CB315905, the Natural Science Foundation of China through projects 61370190, 61173154, 61472429, 61402029, 61272501, 61202465, 61321064 and 61003214, the Beijing Natural Science Foundation through project 4132056, the Fundamental Research Funds for the Central Universities, the Research Funds (No. 14XNLF02) of Renmin University of China and the Open Research Fund of Beijing Key Laboratory of Trusted Computing. The fifth author is partly supported by the European Commission (H2020 project "CLARUS"), the Government of Catalonia (grant 2014 SGR 537 and ICREA Acadèmia Award 2013) and the Spanish Government (TIN2011-27076-C03-01 "CO-PRIVACY"). The views in this paper do not necessarily reflect the views of UNESCO.

REFERENCES

[1] Boneh D., Crescenzo G. D., Ostrovsky R., Persiano G.: Public Key Encryption with Keyword Search. In: Cachin C., Camenisch J. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506-522. Springer, Heidelberg (2004)
[2] Bellare M., Boldyreva A., O'Neill A.: Deterministic and Efficiently Searchable Encryption. In: Menezes A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 535-552. Springer, Heidelberg (2007)
[3] Boneh D., Boyen X.: Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles. In: Cachin C., Camenisch J. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223-238. Springer, Heidelberg (2004)
[4] Boyen X., Waters B. R.: Anonymous Hierarchical Identity-Based Encryption (Without Random Oracles). In: Dwork C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 290-307. Springer, Heidelberg (2006)
[5] Gentry C.: Practical Identity-Based Encryption Without Random Oracles. In: Vaudenay S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445-464. Springer, Heidelberg (2006)
[6] Ateniese G., Gasti P.: Universally Anonymous IBE Based on the Quadratic Residuosity Assumption. In: Fischlin M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 32-47. Springer, Heidelberg (2009)
[7] Ducas L.: Anonymity from Asymmetry: New Constructions for Anonymous HIBE. In: Pieprzyk J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 148-164. Springer, Heidelberg (2010)
[8] Abdalla M., Catalano D., Fiore D.: Verifiable Random Functions: Relations to Identity-Based Key Encapsulation and New Constructions. Journal of Cryptology, 27(3), pp. 544-593 (2013)
[9] Freire E. S. V., Hofheinz D., Paterson K. G., Striecks C.: Programmable Hash Functions in the Multilinear Setting. In: Canetti R., Garay J. A. (eds.) Advances in Cryptology - CRYPTO 2013. LNCS, vol. 8042, pp. 513-530. Springer, Heidelberg (2013)
[10] Garg S., Gentry C., Halevi S.: Candidate Multilinear Maps from Ideal Lattices. In: Johansson T., Nguyen P. (eds.) Advances in Cryptology - EUROCRYPT 2013. LNCS, vol. 7881, pp. 1-17. Springer, Heidelberg (2013)
[11] Boneh D., Franklin M.: Identity-Based Encryption from the Weil Pairing. In: Kilian J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213-239. Springer, Heidelberg (2001)
[12] Barth A., Boneh D., Waters B.: Privacy in Encrypted Content Distribution Using Private Broadcast Encryption. In: Di Crescenzo G., Rubin A. (eds.) FC 2006. LNCS, vol. 4107, pp. 52-64. Springer, Heidelberg (2006)
[13] Libert B., Paterson K. G., Quaglia E. A.: Anonymous Broadcast Encryption: Adaptive Security and Efficient Constructions in the Standard Model. In: Fischlin M., Buchmann J., Manulis M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 206-224. Springer, Heidelberg (2012)
[14] Curtmola R., Garay J., Kamara S., Ostrovsky R.: Searchable Symmetric Encryption: Improved Definitions and Efficient Constructions. In: ACM CCS 2006, pp. 79-88. ACM (2006)
[15] Song D. X., Wagner D., Perrig A.: Practical Techniques for Searches on Encrypted Data. In: IEEE S&P 2000, pp. 44-55. IEEE (2000)
[16] Goh E.-J.: Secure Indexes. Cryptology ePrint Archive, Report 2003/216 (2003)
[17] Bellovin S. M., Cheswick W. R.: Privacy-Enhanced Searches Using Encrypted Bloom Filters. Cryptology ePrint Archive, Report 2004/022 (2004)
[18] Agrawal R., Kiernan J., Srikant R., Xu Y.: Order Preserving Encryption for Numeric Data. In: Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data, pp. 563-574. ACM (2004)
[19] Chang Y.-C., Mitzenmacher M.: Privacy Preserving Keyword Searches on Remote Encrypted Data. In: Ioannidis J., Keromytis A. and Yung M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 442-455. Springer, Heidelberg (2005)
[20] Boldyreva A., Chenette N., Lee Y., O'Neill A.: Order-Preserving Symmetric Encryption. In: Joux A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 224-241. Springer, Heidelberg (2009)
[21] Bao F., Deng R. H., Ding X., Yang Y.: Private Query on Encrypted Data in Multi-User Settings. In: Chen L., Mu Y., Susilo W. (eds.) ISPEC 2008. LNCS, vol. 4991, pp. 71-85. Springer, Heidelberg (2008)
[22] Li J., Wang Q., Wang C., Cao N., Ren K., Lou W.: Fuzzy Keyword Search over Encrypted Data in Cloud Computing. In: IEEE INFOCOM 2010, pp. 1-5. IEEE (2010)
[23] Waters B. R., Balfanz D., Durfee G., Smetters D. K.: Building an Encrypted and Searchable Audit Log. In: NDSS 2004 (2004)
[24] Chase M., Kamara S.: Structured Encryption and Controlled Disclosure. In: Abe M. (ed.) Advances in Cryptology - ASIACRYPT 2010. LNCS, vol. 6477, pp. 577-594. Springer, Heidelberg (2010)
[25] Kamara S., Papamanthou C., Roeder T.: Dynamic Searchable Symmetric Encryption. In: ACM Conference on Computer and Communications Security, pp. 965-976. ACM (2012)
[26] Kamara S., Papamanthou C.: Parallel and Dynamic Searchable Symmetric Encryption. In: Sadeghi A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 258-274. Springer, Heidelberg (2013)
[27] Cash D., Jaeger J., Jarecki S., Jutla C., Krawczyk H., Roşu M.-C., Steiner M.: Dynamic Searchable Encryption in Very Large Databases: Data Structures and Implementation. In: NDSS 2014 (2014)
[28] Abdalla M., Bellare M., Catalano D., Kiltz E., Kohno T., Lange T., Malone-Lee J., Neven G., Paillier P., Shi H.: Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions. In: Shoup V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 205-222. Springer, Heidelberg (2005)
[29] Park D. J., Kim K., Lee P. J.: Public Key Encryption with Conjunctive Field Keyword Search. In: Lim C. H. and Yung M. (eds.) WISA 2004. LNCS, vol. 3325, pp. 73-86. Springer, Heidelberg (2004)
[30] Golle P., Staddon J., Waters B. R.: Secure Conjunctive Keyword Search over Encrypted Data. In: Jakobsson M., Yung M., Zhou J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 31-45. Springer, Heidelberg (2004)
[31] Ballard L., Kamara S., Monrose F.: Achieving Efficient Conjunctive Keyword Searches over Encrypted Data. In: Qing S. et al. (eds.) ICICS 2005. LNCS, vol. 3783, pp. 414-426. Springer, Heidelberg (2005)
[32] Hwang Y. H., Lee P. J.: Public Key Encryption with Conjunctive Keyword Search and Its Extension to a Multi-user System. In: Takagi T., Okamoto T., Okamoto E. and Okamoto T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 2-22. Springer, Heidelberg (2007)
[33] Ryu E. K., Takagi T.: Efficient Conjunctive Keyword-Searchable Encryption. In: 21st International Conference on Advanced Information Networking and Applications Workshops, pp. 409-414. IEEE (2007)
[34] Baek J., Safavi-Naini R., Susilo W.: Public Key Encryption with Keyword Search Revisited. In: Gervasi O. (ed.) ICCSA 2008. LNCS, vol. 5072, pp. 1249-1259. Springer, Heidelberg (2008)
[35] Bethencourt J., Chan T.-H. H., Perrig A., Shi E., Song D.: Anonymous Multi-Attribute Encryption with Range Query and Conditional Decryption. Technical Report CMU-CS-06-135 (2006)
[36] Shi E., Bethencourt J., Chan T.-H. H., Song D., Perrig A.: Multi-Dimensional Range Query over Encrypted Data. In: IEEE S&P 2007, pp. 350-364. IEEE (2007)
[37] Boneh D., Waters B. R.: Conjunctive, Subset, and Range Queries on Encrypted Data. In: Vadhan S. P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535-554. Springer, Heidelberg (2007)
[38] Davis D., Monrose F., Reiter M. K.: Time-Scoped Searching of Encrypted Audit Logs. In: Lopez J., Qing S., Okamoto E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 532-545. Springer, Heidelberg (2004)
[39] Cheung D. W., Mamoulis N., Wong W. K., Yiu S. M., Zhang Y.: Anonymous Fuzzy Identity-based Encryption for Similarity Search. In: Cheong O., Chwa K.-Y. and Park K. (eds.) ISAAC 2010. LNCS, vol. 6505, pp. 61-72. Springer, Heidelberg (2010)
[40] Camenisch J., Kohlweiss M., Rial A., Sheedy C.: Blind and Anonymous Identity-Based Encryption and Authorised Private Searches on Public Key Encrypted Data. In: Jarecki S. and Tsudik G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 196-214. Springer, Heidelberg (2009)
[41] Bellare M., Fischlin M., O'Neill A., Ristenpart T.: Deterministic Encryption: Definitional Equivalences and Constructions without Random Oracles. In: Wagner D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 360-378. Springer, Heidelberg (2008)
[42] Boldyreva A., Fehr S., O'Neill A.: On Notions of Security for Deterministic Encryption, and Efficient Constructions without Random Oracles. In: Wagner D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 335-359. Springer, Heidelberg (2008)
[43] Brakerski Z., Segev G.: Better Security for Deterministic Public-Key Encryption: The Auxiliary-Input Setting. In: Rogaway P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 543-560. Springer, Heidelberg (2011)
[44] Menezes A. J., Okamoto T., Vanstone S. A.: Reducing Elliptic Curve Logarithms to Logarithms in a Finite Field. IEEE Transactions on Information Theory, 39(5), pp. 1639-1646 (1993)
[45] Frey G., Müller M., Rück H.-G.: The Tate Pairing and the Discrete Logarithm Applied to Elliptic Curve Cryptosystems. IEEE Transactions on Information Theory, vol. 45, no. 5, pp. 1717-1719 (1999)
[46] Abdalla M., Bellare M., Neven G.: Robust Encryption. In: Micciancio D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 480-497. Springer, Heidelberg (2010)
[47] Izabachène M., Pointcheval D.: New Anonymity Notions for Identity-Based Encryption. In: Ostrovsky R., De Prisco R. and Visconti I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 375-391. Springer, Heidelberg (2008)
[48] Waters B.: Efficient Identity-Based Encryption Without Random Oracles. In: Cramer R. (ed.) Advances in Cryptology - EUROCRYPT 2005. LNCS, vol. 3494, pp. 1-17. Springer, Heidelberg (2005)
[49] Tang Q., Chen X.: Towards Asymmetric Searchable Encryption with Message Recovery and Flexible Search Authorization. In: ASIACCS 2013, pp. 253-264 (2013)
[50] Ibraimi L., Nikova S., Hartel P. H., Jonker W.: Public-Key Encryption with Delegated Search. In: Lopez J. and Tsudik G. (eds.) ACNS 2011. LNCS, vol. 6715, pp. 532-549. Springer, Heidelberg (2011)
[51] Yang G., Tan C. H., Huang Q., Wong D. S.: Probabilistic Public Key Encryption with Equality Test. In: Pieprzyk J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 119-131. Springer, Heidelberg (2010)
[52] Xu P., Jin H., Wu Q., Wang W.: Public-Key Encryption with Fuzzy Keyword Search: A Provably Secure Scheme under Keyword Guessing Attack. IEEE Transactions on Computers, 62(11), pp. 2266-2277 (2013)
[53] Arriaga A., Tang Q., Ryan P.: Trapdoor Privacy in Asymmetric Searchable Encryption Schemes. In: Pointcheval D. and Vergnaud D. (eds.) AFRICACRYPT 2014. LNCS, vol. 8469, pp. 31-50. Springer, Heidelberg (2014)

Peng Xu received the B.A. degree in computer science from Wuhan University of Science and Technique, Wuhan, China, in 2003, and the Master and Ph.D. degrees in computer science from Huazhong University of Science and Technology, Wuhan, China, in 2006 and 2010, respectively. Since 2010, he has worked as a postdoctoral researcher at Huazhong University of Science and Technology, Wuhan, China. He was PI of three grants, from the National Natural Science Foundation of China (No. 61472156 and No. 61100222) and the China Postdoctoral Science Foundation (No. 20100480900), and a key member in several projects supported by 973 (No. 2014CB340600). He has authored over 20 research papers. He is a member of ACM and IEEE.
Qianhong Wu received his Ph.D. in Cryptography from Xidian University in 2004. Since then, he has been with Wollongong University (Australia) as an associate research fellow, with Wuhan University (China) as an associate professor, with Universitat Rovira i Virgili (Catalonia) as a research director, and now with Beihang University (China) as a full professor. His research interests include cryptography, information security and privacy, and ad hoc network security. He has been a holder/co-holder of 7 China/Australia/Spain funded projects. He has authored 7 patents and over 100 publications. He has served on the program committees of several international conferences in information security and privacy. He is a member of IACR, ACM and IEEE.

Wei Wang received the B.S. and Ph.D. degrees in Electronic and Communication Engineering from Huazhong University of Science and Technology, Wuhan, China, in 2006 and 2011, respectively. Currently she is a researcher with the Cyber-Physical-Social Systems Lab, Huazhong University of Science and Technology, Wuhan, China. She was a postdoctoral researcher with Peking University, Beijing, China from April 2012 to July 2014. Her research interests include cloud security, network coding and multimedia transmission. She has published over 10 papers in international journals and conferences.

Josep Domingo-Ferrer is a Distinguished Professor of Computer Science and an ICREA-Acadèmia Researcher at Universitat Rovira i Virgili, Tarragona, Catalonia, where he holds the UNESCO Chair in Data Privacy. His research interests are in data privacy and data security. He received his M.Sc. and Ph.D. degrees in Computer Science from the Autonomous University of Barcelona in 1988 and 1991, respectively. He also holds an M.Sc. in Mathematics. He has won several research and technology transfer awards, including twice the ICREA Acadèmia Prize (2008 and 2013) and the "Narcís Monturiol" Medal to the Scientific Merit, both awarded by the Government of Catalonia, and a Google Faculty Research Award (2014). He has authored 5 patents and over 350 publications. He has been the co-ordinator of projects funded by the European Union and the Spanish government. He has been the PI of US-funded research contracts and currently of a Templeton World Charity Foundation grant. He has held visiting appointments at Princeton, Leuven and Rome. He is a co-Editor-in-Chief of Transactions on Data Privacy. He is an IEEE Fellow and an Elected Member of Academia Europaea.
Hai Jin received his Ph.D. in computer engineering from HUST in 1994. In 1996, he was awarded a German Academic Exchange Service fellowship to visit the Technical University of Chemnitz in Germany. He worked at The University of Hong Kong between 1998 and 2000, and as a visiting scholar at the University of Southern California between 1999 and 2000. He was awarded the Excellent Youth Award from the National Science Foundation of China in 2001. He is the chief scientist of the National 973 Basic Research Program Project of Virtualization Technology of Computing System. He has co-authored 15 books and published over 400 research papers. He is a senior member of the IEEE and a member of the ACM.
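The hidden star-like structure summarised in the conclusion, and the chain walk that the proof of Theorem 1 in the supplemental material describes step by step (and that the generic construction of Theorem 3 repeats with IBKEM/IBE in place of the pairing), can be exercised in code. What follows is an added example and not the authors' implementation of the scheme: it replaces the bilinear pairing by the insecure toy map e(a, b) = a·b mod N over the additive group Z_N, written so that "g^x" is just x and "ê(P, H(W))^u" is u·e(P, H(W)). That preserves the single identity StructuredSearch depends on, ê(Pub, T_W) = ê(P, H(W))^u, while giving no security at all; everything else (the head pointer of the first ciphertext, the hidden pointer Pt[u, W], the fresh random tail R, the stop condition) follows the proof's description. The names Receiver, Sender and structured_search and the modulus N are this example's own choices.

```python
"""Toy walk-through of the SPCHS star-like hidden structure (added example).

The bilinear pairing is replaced by the INSECURE toy map e(a, b) = a*b mod N
over the additive group Z_N, so that 'g^x' is simply x and 'e(P, H(W))^u' is
u*e(P, H(W)).  This keeps the one identity StructuredSearch relies on,
e(Pub, T_W) == e(P, H(W))^u, so the traversal logic can be run and checked.
It is a model of the data structure only, not a cryptographic construction.
"""
import hashlib
import secrets
from typing import Dict, List, Tuple

N = (1 << 127) - 1  # toy group order (assumption: any large prime works here)

Ciphertext = Tuple[int, int, int]  # (first part, "g^r", masked hidden pointer)


def H(word: str) -> int:
    """Hash a keyword to a toy group element (stands in for H: W -> G)."""
    return int.from_bytes(hashlib.sha256(word.encode()).digest(), "big") % N


def e(a: int, b: int) -> int:
    """Toy bilinear map: e(x*a, y*b) == x*y*e(a, b) mod N.  INSECURE."""
    return (a * b) % N


class Receiver:
    """Owner of the master secret s; the public key P = g^s is just s here."""

    def __init__(self) -> None:
        self.s = secrets.randbelow(N - 1) + 1
        self.P = self.s  # "g^s"

    def trapdoor(self, word: str) -> int:
        return e(H(word), self.s)  # T_W = H(W)^s


class Sender:
    """One hidden structure: private part u, public part Pub = g^u."""

    def __init__(self, P: int) -> None:
        self.P = P
        self.u = secrets.randbelow(N - 1) + 1
        self.pub = self.u  # "g^u"
        self.pt: Dict[str, int] = {}  # Pt[u, W]: current tail pointer per keyword

    def encrypt(self, word: str) -> Ciphertext:
        """StructuredEncryption for one keyword of this structure."""
        r = secrets.randbelow(N - 1) + 1
        mask = (r * e(self.P, H(word))) % N  # e(P, H(W))^r
        if word not in self.pt:  # first ciphertext of W: head of the chain
            head = (self.u * e(self.P, H(word))) % N  # e(P, H(W))^u
            self.pt[word] = secrets.randbelow(N)  # fresh hidden pointer Pt[u, W]
            return (head, r, (mask + self.pt[word]) % N)
        nxt = secrets.randbelow(N)  # fresh R becomes the new tail pointer
        c = (self.pt[word], r, (mask + nxt) % N)  # first part = previous Pt[u, W]
        self.pt[word] = nxt
        return c


def structured_search(pub: int, ciphertexts: List[Ciphertext], trapdoor: int) -> List[Ciphertext]:
    """StructuredSearch: walk the hidden chain of the queried keyword.

    After a one-off index on first parts, the work is proportional to the number
    of matching ciphertexts, not to len(ciphertexts).  The walk stops when the
    disclosed pointer (the last ciphertext's R) matches no first part.
    """
    by_head = {c[0]: c for c in ciphertexts}  # server-side index on first parts
    found: List[Ciphertext] = []
    ptr = e(pub, trapdoor)  # e(Pub, T_W) == e(P, H(W))^u, the chain head
    while ptr in by_head:
        c = by_head[ptr]
        found.append(c)
        ptr = (c[2] - e(c[1], trapdoor)) % N  # Pt = third part / e(g^r, T_W)
    return found


if __name__ == "__main__":
    rcv = Receiver()
    snd = Sender(rcv.P)
    cts = [snd.encrypt(w) for w in ["alpha", "beta", "alpha", "gamma", "alpha"]]
    hits = structured_search(snd.pub, cts, rcv.trapdoor("alpha"))
    print(len(hits), "ciphertext(s) of 'alpha' found, in chain order")
```

Two properties worth observing when running it: the result comes back in encryption order whatever order the server stored the ciphertexts in, because the order is carried by the hidden pointers rather than by storage position, and a trapdoor for another keyword, or the right trapdoor against another structure's Pub, walks zero steps.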
SUPPLEMENTAL MATERIALS

A. Analysis of the Work [40]
A sender generates the searchable ciphertexts of any keyword $W_i \in \mathcal{W}$ by the following steps:
1) The first time he encrypts keyword $W_i$, he uploads $PEKS(Pub, W_i, K_i \| P_i)$, $P_i \| E(K_i, P_i \| K_i \| \mathcal{P}_i)$ and $P_i$ to the server, and asks the server to store $E(K_i, P_i \| K_i \| \mathcal{P}_i)$ in position $P_i$ and to store a flag in position $P_i$.
Note: algorithm $PEKS(Pub, W_i, K_i \| P_i) = IBE(Pub, W_i, K_i \| P_i \| C) \| C$ takes public parameter $Pub$, identity $W_i$ and plaintext $K_i \| P_i \| C$ as inputs, generates an IBE ciphertext, and finally outputs the IBE ciphertext and $C$, where the symmetric key $K_i$ and $C$ are randomly chosen. Algorithm $E(K_i, P_i \| K_i \| \mathcal{P}_i)$ denotes using the symmetric key $K_i$ to encrypt $P_i \| K_i \| \mathcal{P}_i$, where the symmetric key $K_i$ is randomly chosen, and $\mathcal{P}_i$ denotes the parameters for private information retrieval (they will be used to retrieve the corresponding data when the keyword $W_i$ is queried).
2) The second time he encrypts keyword $W_i$, he uploads $P_i \| E(K_i, P_i \| K_i \| \mathcal{P}_i)$ and $P_i$ to the server, and asks the server to store $E(K_i, P_i \| K_i \| \mathcal{P}_i)$ in position $P_i$ and to store the flag in position $P_i$.
3) The subsequent encryptions of keyword $W_i$ are similar to Step 2.
Figure 5: Procedure to generate keyword-searchable ciphertexts in [40].

In Fig. 5, we first review how keyword-searchable ciphertexts are generated according to [40], such that the ciphertexts of the same keyword form a chain. Then we analyze why the chain of any keyword is visible to the server, and give a straightforward method to make the chain invisible. This method, however, seems to be impractical.

According to the first step in Fig. 5, the server trivially knows the relation between the ciphertexts $PEKS(Pub, W_i, K_i \| P_i)$ and $E(K_i, P_i \| K_i \| \mathcal{P}_i)$, and knows that if a subsequent ciphertext is stored in the position $P$, this subsequent ciphertext is related to $E(K_i, P_i \| K_i \| \mathcal{P}_i)$. So in the second step, the server knows the relation between the ciphertexts $E(K_i, P_i \| K_i \| \mathcal{P}_i)$ and $E(K_i, P_i \| K_i \| \mathcal{P}_i)$, and knows that if another subsequent ciphertext is stored in the position $P$, this subsequent ciphertext is related to $E(K_i, P_i \| K_i \| \mathcal{P}_i)$. By the same reasoning, the server will learn the chain of keyword $W_i$ even without the keyword search trapdoor of $W_i$. Furthermore, the length of the chain leaks the frequency of keyword $W_i$.

A sender generates the searchable ciphertexts of any keyword $W_i \in \mathcal{W}$ by the following steps:
1) At the setup phase, he uploads $\{PEKS(Pub, W_i, K_i \| P_i) \mid i \in [1, |\mathcal{W}|]\}$ to the server, where $|\mathcal{W}|$ denotes the size of the keyword space $\mathcal{W}$.
2) The first time he encrypts keyword $W_i$, he uploads $P_i \| E(K_i, P_i \| K_i \| \mathcal{P}_i)$ to the server, and asks the server to store $E(K_i, P_i \| K_i \| \mathcal{P}_i)$ in position $P_i$.
3) The second time he encrypts keyword $W_i$, he uploads $P_i \| E(K_i, P_i \| K_i \| \mathcal{P}_i)$ to the server, and asks the server to store $E(K_i, P_i \| K_i \| \mathcal{P}_i)$ in position $P_i$.
4) The subsequent encryptions of keyword $W_i$ are similar to Step 3.
Figure 6: New procedure to generate keyword-searchable ciphertexts for [40].

In order to keep the chain private, a straightforward method is to generate the PEKS ciphertexts for all keywords at the setup phase and to delete the flag. The specific procedure is given in Fig. 6. This method hides the relation between the PEKS ciphertext and the symmetric-key ciphertext of any keyword, and the relation between two symmetric-key ciphertexts of any keyword is hidden as well. But this method seems impractical from a performance viewpoint, since each sender must generate the PEKS ciphertexts for all keywords at the setup phase and remember a large amount of private information that is encrypted under these PEKS ciphertexts.

B. Proof of Theorem 1

Proof:
Without loss of generality, it is sufficient to prove that, given the keyword-searchable trapdoor $T_{W_i} = H(W_i)^s$ of keyword $W_i$ and the hidden structure's public part $Pub = g^u$, algorithm $\mathsf{StructuredSearch}(PK, Pub, \mathcal{C}, T_{W_i})$ finds exactly all ciphertexts of keyword $W_i$ with the hidden structure $Pub$. Note that $P = g^s$.

Algorithm $\mathsf{StructuredSearch}(PK, Pub, \mathcal{C}, T_{W_i})$ computes $Pt' = \hat{e}(Pub, T_{W_i})$ in its first step. Since $\hat{e}(Pub, T_{W_i}) = \hat{e}(P, H(W_i))^u$, the algorithm finds the ciphertext $(\hat{e}(P, H(W_i))^u,\; g^r,\; \hat{e}(P, H(W_i))^r \cdot Pt[u, W_i])$ by matching $Pt'$ against the first part of every ciphertext in its second step. Moreover, due to the collision-freeness of the hash function $H$, only keyword $W_i$ satisfies $Pt' = \hat{e}(P, H(W_i))^u$, except with negligible probability in the security parameter $k$. So only the ciphertext $(\hat{e}(P, H(W_i))^u, g^r, \hat{e}(P, H(W_i))^r \cdot Pt[u, W_i])$ is found in this step with overwhelming probability.

Then algorithm $\mathsf{StructuredSearch}(PK, Pub, \mathcal{C}, T_{W_i})$ discloses $Pt[u, W_i]$ from the ciphertext $(\hat{e}(P, H(W_i))^u, g^r, \hat{e}(P, H(W_i))^r \cdot Pt[u, W_i])$ by computing
$$Pt' = Pt[u, W_i] = \hat{e}(g^r, T_{W_i})^{-1} \cdot \hat{e}(P, H(W_i))^r \cdot Pt[u, W_i].$$

Recall that in algorithm $\mathsf{StructuredEncryption}$, $Pt[u, W_i]$ was randomly chosen in $\mathbb{G}$ and taken as the first part of only one ciphertext of keyword $W_i$ with the hidden structure $Pub$. So when algorithm $\mathsf{StructuredSearch}(PK, Pub, \mathcal{C}, T_{W_i})$ goes back to its second step, only the ciphertext $(Pt[u, W_i], g^r, \hat{e}(P, H(W_i))^r \cdot R)$ is found with overwhelming probability.

By carrying on in this way, algorithm $\mathsf{StructuredSearch}(PK, Pub, \mathcal{C}, T_{W_i})$ finds exactly all ciphertexts of keyword $W_i$ with the hidden structure $Pub$, except with negligible probability in the security parameter $k$. And the algorithm will stop, since the random value $R$ contained in the last found ciphertext does not match any other ciphertext's first part.

C. Proof of Theorem 2

Proof:
To prove this theorem, we construct a PPT algorithm $\mathcal{B}$ that plays the SS-CKSA game with adversary $\mathcal{A}$ and uses the capability of $\mathcal{A}$ to solve the DBDH problem in $\mathsf{BGen}(1^k)$ with advantage approximately $\frac{1}{e \cdot q_t \cdot q_p} \cdot \mathrm{Adv}^{\text{SS-CKSA}}_{SPCHS,\mathcal{A}}$. Let $Coin \xleftarrow{\sigma} \{0,1\}$ denote the operation that picks $Coin \in \{0,1\}$ according to the probability $\Pr[Coin = 1] = \sigma$ (the specific value of $\sigma$ will be decided later). The constructed algorithm $\mathcal{B}$ in the SS-CKSA game is as follows.

• Setup Phase: Algorithm $\mathcal{B}$ takes as inputs $(q, \mathbb{G}, \mathbb{G}_T, g, \hat{e}, g^a, g^b, g^c, Z)$ (where $Z$ equals either $\hat{e}(g,g)^{abc}$ or $\hat{e}(g,g)^y$) and the keyword space $\mathcal{W}$, and performs the following steps:
1) Initialize the three lists $Pt = \emptyset \subseteq \mathcal{W} \times \mathbb{G} \times \mathbb{G}_T$, $SList = \emptyset \subseteq \mathbb{G} \times \mathbb{Z}_q^* \times \{0,1\}$ and $HList = \emptyset \subseteq \mathcal{W} \times \mathbb{G} \times \mathbb{Z}_q^* \times \{0,1\}$;
2) Set the ciphertext space $\mathcal{C} = \mathbb{G}_T \times \mathbb{G} \times \mathbb{G}_T$ and $PK = (q, \mathbb{G}, \mathbb{G}_T, g, \hat{e}, P = g^a, \mathcal{W}, \mathcal{C})$;
3) Initialize $N$ hidden structures by repeating the following steps for $i \in [1, N]$:
 a) Pick $u_i \xleftarrow{\$} \mathbb{Z}_q^*$ and $Coin_i \xleftarrow{\sigma} \{0,1\}$;
 b) If $Coin_i = 1$, compute $Pub_i = g^{b \cdot u_i}$;
 c) Otherwise, compute $Pub_i = g^{u_i}$;
4) Set $PSet = \{Pub_i \mid i \in [1, N]\}$ and $SList = \{(Pub_i, u_i, Coin_i) \mid i \in [1, N]\}$;
5) Send $PK$ and $PSet$ to adversary $\mathcal{A}$.

• Query Phase 1: Adversary $\mathcal{A}$ adaptively issues the following queries multiple times.
– Hash Query $Q_H(W)$: Taking as input a keyword $W \in \mathcal{W}$, algorithm $\mathcal{B}$ does the following steps:
 1) Pick $x \xleftarrow{\$} \mathbb{Z}_q^*$ and $Coin \xleftarrow{\sigma} \{0,1\}$;
 2) If $Coin = 0$, add $(W, g^x, x, Coin)$ into $HList$ and output $g^x$;
 3) Otherwise, add $(W, g^{c \cdot x}, x, Coin)$ into $HList$ and output $g^{c \cdot x}$;
– Trapdoor Query $Q_{Trap}(W)$: Taking as input a keyword $W \in \mathcal{W}$, algorithm $\mathcal{B}$ does the following steps:
 1) If $(W, *, *, *) \notin HList$, query $Q_H(W)$;
 2) According to $W$, retrieve $(W, X, x, Coin)$ from $HList$;
 3) If $Coin = 0$, output $g^{a \cdot x}$; otherwise abort and output $\bot$;
– Privacy Query $Q_{Pri}(Pub)$: Taking as input a structure's public part $Pub \in PSet$, algorithm $\mathcal{B}$ does the following steps:
 1) According to $Pub$, retrieve $(Pub, u, Coin)$ from $SList$;
 2) If $Coin = 0$, output $u$; otherwise abort and output $\bot$;
– Encryption Query $Q_{Enc}(W, Pub)$: Taking as inputs a keyword $W \in \mathcal{W}$ and a structure's public part $Pub$, algorithm $\mathcal{B}$ does the following steps:
 1) If $(W, *, *, *) \notin HList$, query $Q_H(W)$;
 2) According to $W$ and $Pub$, retrieve $(W, X, x, Coin)$ and $(Pub, u, Coin')$ respectively from $HList$ and $SList$;
 3) Pick $r \xleftarrow{\$} \mathbb{Z}_q^*$, and search $(W, Pub, Pt[u, W])$ for $W$ and $Pub$ in $Pt$;
 4) If $W$ is not found, insert $(W, Pub, Pt[u, W] \xleftarrow{\$} \mathbb{G}_T)$ into $Pt$ and do the following steps:
  a) If $Coin = 1 \wedge Coin' = 1$, output $C = (Z^{x \cdot u},\; g^r,\; \hat{e}(g^a, X)^r \cdot Pt[u, W])$;
  b) If $Coin = 0 \wedge Coin' = 1$, output $C = (\hat{e}(g^a, g^{b \cdot u})^x,\; g^r,\; \hat{e}(g^a, X)^r \cdot Pt[u, W])$;
  c) If $Coin' = 0$, output $C = (\hat{e}(g^a, X)^u,\; g^r,\; \hat{e}(g^a, X)^r \cdot Pt[u, W])$;
 5) Otherwise, pick $R \xleftarrow{\$} \mathbb{G}_T$, set $C = (Pt[u, W],\; g^r,\; \hat{e}(g^a, X)^r \cdot R)$, update $Pt[u, W] = R$ and output $C$;

• Challenge Phase: Adversary $\mathcal{A}$ sends two challenge keyword-structure pairs $(W_0^*, Pub_0^*) \in \mathcal{W} \times PSet$ and $(W_1^*, Pub_1^*) \in \mathcal{W} \times PSet$ to algorithm $\mathcal{B}$; $\mathcal{B}$ picks $d \xleftarrow{\$} \{0,1\}$ and does the following steps:
1) According to $Pub_0^*$ and $Pub_1^*$, retrieve $(Pub_0^*, u_0^*, Coin_0^*)$ and $(Pub_1^*, u_1^*, Coin_1^*)$ from $SList$; if $Coin_0^* = 0 \vee Coin_1^* = 0$, then abort and output $\bot$;
2) If $(W_d^*, *, *, *) \notin HList$, query $Q_H(W_d^*)$;
3) According to $W_d^*$, retrieve $(W_d^*, X_d^*, x_d^*, Coin)$ from $HList$; if $Coin = 0$, then abort and output $\bot$;
4) Search $(W_d^*, Pub_d^*, Pt[u_d^*, W_d^*])$ for $W_d^*$ and $Pub_d^*$ in $Pt$;
5) If it is not found, insert $(W_d^*, Pub_d^*, Pt[u_d^*, W_d^*] \xleftarrow{\$} \mathbb{G}_T)$ into $Pt$, and send $C_d^* = (Z^{x_d^* \cdot u_d^*},\; g^b,\; Z^{x_d^*} \cdot Pt[u_d^*, W_d^*])$ to adversary $\mathcal{A}$;
6) Otherwise, pick $R \xleftarrow{\$} \mathbb{G}_T$, set $C_d^* = (Pt[u_d^*, W_d^*],\; g^b,\; Z^{x_d^*} \cdot R)$, update $Pt[u_d^*, W_d^*] = R$, and send $C_d^*$ to adversary $\mathcal{A}$;

• Query Phase 2: This phase is the same as Query Phase 1. Note that in Query Phase 1 and Query Phase 2, adversary $\mathcal{A}$ cannot query the private parts of both $Pub_0^*$ and $Pub_1^*$, nor the keyword search trapdoors of both $W_0^*$ and $W_1^*$.

• Guess Phase: Adversary $\mathcal{A}$ sends a guess $d'$ to algorithm $\mathcal{B}$. If $d = d'$, $\mathcal{B}$ outputs 1; otherwise, it outputs 0.

Let $Abort$ denote the event that algorithm $\mathcal{B}$ does not abort in the above game. Next, we compute the probabilities $\Pr[Abort]$, $\Pr[\mathcal{B} = 1 \mid Z = \hat{e}(g,g)^{abc}]$ and $\Pr[\mathcal{B} = 1 \mid Z = \hat{e}(g,g)^y]$, and the advantage $\mathrm{Adv}^{DBDH}_{\mathcal{B}}(1^k)$.

According to the above game, the probability of the event $Abort$ depends only on the probability $\sigma$ and on the number of times that adversary $\mathcal{A}$ queries the oracles $Q_{Trap}(\cdot)$ and $Q_{Pri}(\cdot)$. We have $\Pr[Abort] = (1-\sigma)^{q_t \cdot q_p} \cdot \sigma$. Let $\sigma = \frac{1}{q_t \cdot q_p}$. We have $\Pr[Abort] \approx \frac{1}{e \cdot q_t \cdot q_p}$, where $e$ is the base of natural logarithms.

When $Z = \hat{e}(g,g)^{abc}$ and the event $Abort$ holds, it is easy to see that algorithm $\mathcal{B}$ simulates a real SS-CKSA game in adversary $\mathcal{A}$'s view. So we have $\Pr[d = d' \mid Abort \wedge Z = \hat{e}(g,g)^{abc}] = \mathrm{Adv}^{\text{SS-CKSA}}_{SPCHS,\mathcal{A}} + \frac{1}{2}$. When $Z = \hat{e}(g,g)^y$ and the event $Abort$ holds, algorithm $\mathcal{B}$ generates a challenge ciphertext that is independent of the challenge keywords $W_0^*$ and $W_1^*$. So we have $\Pr[d = d' \mid Abort \wedge Z = \hat{e}(g,g)^y] = \frac{1}{2}$. Now we can compute the advantage $\mathrm{Adv}^{DBDH}_{\mathcal{B}}(1^k)$ as follows:
$$
\begin{aligned}
\mathrm{Adv}^{DBDH}_{\mathcal{B}}(1^k)
&= \Pr[\mathcal{B} = 1 \mid Z = \hat{e}(g,g)^{abc}] - \Pr[\mathcal{B} = 1 \mid Z = \hat{e}(g,g)^y] \\
&= \Pr[d = d' \wedge Abort \mid Z = \hat{e}(g,g)^{abc}] - \Pr[d = d' \wedge Abort \mid Z = \hat{e}(g,g)^y] \\
&= \Pr[d = d' \mid Abort \wedge Z = \hat{e}(g,g)^{abc}] \cdot \Pr[Abort \mid Z = \hat{e}(g,g)^{abc}] \\
&\quad - \Pr[d = d' \mid Abort \wedge Z = \hat{e}(g,g)^y] \cdot \Pr[Abort \mid Z = \hat{e}(g,g)^y] \\
&\approx \left(\mathrm{Adv}^{\text{SS-CKSA}}_{SPCHS,\mathcal{A}} + \tfrac{1}{2}\right) \cdot \frac{1}{e \cdot q_t \cdot q_p} - \frac{1}{2} \cdot \frac{1}{e \cdot q_t \cdot q_p} \\
&\approx \frac{1}{e \cdot q_t \cdot q_p} \cdot \mathrm{Adv}^{\text{SS-CKSA}}_{SPCHS,\mathcal{A}}
\end{aligned}
$$

In addition, it is clear that algorithm $\mathcal{B}$ is a PPT algorithm if adversary $\mathcal{A}$ is a PPT adversary. In conclusion, if a PPT adversary $\mathcal{A}$ wins the SS-CKSA game of the above SPCHS instance with advantage $\mathrm{Adv}^{\text{SS-CKSA}}_{SPCHS,\mathcal{A}}$, in which $\mathcal{A}$ makes at most $q_t$ queries to oracle $Q_{Trap}(\cdot)$ and at most $q_p$ queries to oracle $Q_{Pri}(\cdot)$, then there is a PPT algorithm $\mathcal{B}$ that solves the DBDH problem in $\mathsf{BGen}(1^k)$ with advantage approximately
$$\mathrm{Adv}^{DBDH}_{\mathcal{B}}(1^k) \approx \frac{1}{e \cdot q_t \cdot q_p} \cdot \mathrm{Adv}^{\text{SS-CKSA}}_{SPCHS,\mathcal{A}},$$
where $e$ is the base of natural logarithms.

D. Proof of Theorem 3

Proof:
Without loss of generality, it is sufficient to prove that, given the keyword-searchable trapdoor $T_{W_i} = (\hat{S}_{W_i}, \tilde{S}_{W_i})$ of keyword $W_i$ and the hidden structure's public part $Pub = \hat{C}$, algorithm $\mathsf{StructuredSearch}(PK, Pub, \mathcal{C}, T_{W_i})$ finds exactly all ciphertexts of keyword $W_i$ with the hidden structure $Pub$, where $\hat{S}_{W_i} = \mathsf{Extract}_{IBKEM}(SK_{IBKEM}, W_i)$, $\tilde{S}_{W_i} = \mathsf{Extract}_{IBE}(SK_{IBE}, W_i)$, $\hat{C}$ is from $(\hat{K}, \hat{C}) = \mathsf{Encaps}_{IBKEM}(PK_{IBKEM}, W, u)$, keyword $W$ is arbitrarily chosen in $\mathcal{W}$, and $u$ is a random value.

Algorithm $\mathsf{StructuredSearch}(PK, Pub, \mathcal{C}, T_{W_i})$ computes $Pt' = \mathsf{Decaps}_{IBKEM}(\hat{S}_{W_i}, Pub)$ in its first step. According to the full-identity malleability of IBKEM in Definition 7, we have $FIM(W_i, u) = \mathsf{Decaps}_{IBKEM}(\hat{S}_{W_i}, Pub)$. So the algorithm finds the ciphertext $(FIM(W_i, u),\; \mathsf{Enc}_{IBE}(PK_{IBE}, W_i, Pt[u, W_i]))$ by matching $Pt'$ against the first part of every ciphertext in its second step. Moreover, due to the collision-freeness of IBKEM in Definition 7, there is no keyword $W_j$ ($\neq W_i$) with $FIM(W_i, u) = FIM(W_j, u)$, and no hidden structure $Pub'$ ($\neq Pub$) with $FIM(W_i, u) = FIM(W_i, u')$, where $Pub'$ is generated by algorithm $\mathsf{StructureInitialization}(PK)$ with the random value $u'$. So only the ciphertext $(FIM(W_i, u), \mathsf{Enc}_{IBE}(PK_{IBE}, W_i, Pt[u, W_i]))$ is found in this step, except with negligible probability in the security parameter $k$. Then, according to the consistency of IBE, algorithm $\mathsf{StructuredSearch}(PK, Pub, \mathcal{C}, T_{W_i})$ can recover $Pt[u, W_i]$ by computing $\mathsf{Dec}_{IBE}(\tilde{S}_{W_i}, \mathsf{Enc}_{IBE}(PK_{IBE}, W_i, Pt[u, W_i]))$.

Recall that in algorithm $\mathsf{StructuredEncryption}$, $Pt[u, W_i]$ was randomly chosen in $\mathbb{G}$ and taken as the first part of only one ciphertext of keyword $W_i$. So when $\mathsf{StructuredSearch}(PK, Pub, \mathcal{C}, T_{W_i})$ goes back to its second step, only the ciphertext $(Pt[u, W_i],\; \mathsf{Enc}_{IBE}(PK_{IBE}, W_i, R))$ is found, except with negligible probability in the security parameter $k$.

By carrying on in the same way, algorithm $\mathsf{StructuredSearch}(PK, Pub, \mathcal{C}, T_{W_i})$ finds exactly all ciphertexts of keyword $W_i$ with the hidden structure $Pub$, except with negligible probability in the security parameter $k$. And the algorithm will stop, since the random value $R$ contained in the last found ciphertext of keyword $W_i$ fails to match any other ciphertext's first part.

E. Proof of Theorem 4

Proof:
Let $\mathcal{G}_1$ and $\mathcal{G}_2$ be the challengers in the Anon-SS-sID-CPA game of the underlying IBKEM scheme and in the Anon-SS-ID-CPA game of the underlying IBE scheme, respectively. A constructed adversary $\mathcal{B}$ in the SS-sK-CKSA game of the generic SPCHS construction is as follows.

• Setup Phase: In this phase,
1) $\mathcal{A}$ sends two challenge keywords $(W_0^*, W_1^*)$ to $\mathcal{B}$.
2) $\mathcal{B}$ arbitrarily picks $I^* \leftarrow (\mathcal{ID}_{IBKEM} - \mathcal{W})$, and sends two challenge identities $(W_0^*, I^*)$ to $\mathcal{G}_1$. (Such an $I^*$ exists, since we have $\mathcal{W} \subset \mathcal{ID}_{IBKEM}$.)
3) $\mathcal{G}_1$ generates $(PK_{IBKEM}, SK_{IBKEM})$ by algorithm $\mathsf{Setup}_{IBKEM}$ and sends $PK_{IBKEM}$ to $\mathcal{B}$.
4) $\mathcal{B}$ queries $\mathcal{G}_1$ for the challenge key-and-encapsulation pair.
5) $\mathcal{G}_1$ picks $\hat{d} \xleftarrow{\$} \{0,1\}$, generates $(\hat{K}_0^*, \hat{C}_0^*) = \mathsf{Encaps}_{IBKEM}(PK_{IBKEM}, W_0^*, r_0)$ and $(\hat{K}_1^*, \hat{C}_1^*) = \mathsf{Encaps}_{IBKEM}(PK_{IBKEM}, I^*, r_1)$, and sends $(\hat{K}^*_{\hat{d}}, \hat{C}^*)$ to $\mathcal{B}$, where $r_0$ and $r_1$ are randomly chosen.
6) $\mathcal{B}$ adds $\hat{C}^*$ into the set $PSet \subseteq \mathcal{C}_{IBKEM}$.
7) $\mathcal{G}_2$ generates $(PK_{IBE}, SK_{IBE})$ by algorithm $\mathsf{Setup}_{IBE}$, and sends $PK_{IBE}$ to $\mathcal{B}$.
8) $\mathcal{B}$ initializes the two lists $SList = \emptyset \subseteq \mathcal{C}_{IBKEM} \times \{0,1\}^*$ and $Pt = \emptyset \subseteq \mathcal{W} \times \mathcal{C}_{IBKEM} \times \mathcal{M}_{IBE}$, and initializes $N-1$ hidden structures by repeating the following steps for $i \in [1, N-1]$:
 a) Pick a random value $u_i$ and an arbitrary keyword $W_i \in \mathcal{W}$;
 b) Generate $(\hat{K}_i, \hat{C}_i) = \mathsf{Encaps}_{IBKEM}(PK_{IBKEM}, W_i, u_i)$, add $Pub_i = \hat{C}_i$ into the set $PSet$, and add $(Pub_i, u_i)$ into $SList$;
9) $\mathcal{B}$ finally sends $PK$ and $PSet$ to $\mathcal{A}$.

• Query Phase 1: In this phase, adversary $\mathcal{A}$ adaptively issues the following queries multiple times.
– Trapdoor Query $Q_{Trap}(W)$: Taking as input a keyword $W \in \mathcal{W}$, $\mathcal{B}$ forwards the query $W$ to both decryption key oracles, $\hat{S}_W = Q^{IBKEM}_{DK}(W)$ and $\tilde{S}_W = Q^{IBE}_{DK}(W)$, and sends $T_W = (\hat{S}_W, \tilde{S}_W)$ to $\mathcal{A}$. (In this query, $\mathcal{A}$ cannot query the keyword search trapdoor corresponding to the challenge keyword $W_0^*$ or $W_1^*$. In addition, one may notice that $\mathcal{B}$ cannot respond to the query $Q_{Trap}(I^*)$. This is not a problem, since we let $I^* \in (\mathcal{ID}_{IBKEM} - \mathcal{W})$, so $\mathcal{A}$ never issues that query.)
– Privacy Query $Q_{Pri}(Pub)$: Taking as input a structure's public part $Pub \in PSet$, $\mathcal{B}$ aborts and outputs $\bot$ if $Pub = \hat{C}^*$; otherwise, $\mathcal{B}$ retrieves $(Pub, u)$ from $SList$ according to $Pub$ and outputs $u$.
– Encryption Query $Q_{Enc}(W, Pub)$: Taking as inputs a keyword $W \in \mathcal{W}$ and a structure's public part $Pub$, $\mathcal{B}$ does the following steps:
 1) If $Pub = \hat{C}^* \wedge W \neq W_0^*$, then
  a) Search $(W, Pub, Pt[u^*, W])$ for $W$ and $Pub$ in $Pt$; (Note that $u^*$ is not a value actually known to $\mathcal{B}$. It is just a symbol denoting the random value used to generate $Pub = \hat{C}^*$.)
  b) If it is not found, query $\hat{S}_W = Q^{IBKEM}_{DK}(W)$, insert $(W, Pub, Pt[u^*, W] \xleftarrow{\$} \mathcal{M}_{IBE})$ into $Pt$ and output $C = (\mathsf{Decaps}_{IBKEM}(\hat{S}_W, Pub),\; \mathsf{Enc}_{IBE}(PK_{IBE}, W, Pt[u^*, W]))$; (Note that when $W = W_1^*$, $\mathcal{B}$ can still query $\hat{S}_W = Q^{IBKEM}_{DK}(W)$, since $W_1^*$ is not a challenge IBKEM identity in the above Setup Phase.)
  c) Otherwise, pick $R \xleftarrow{\$} \mathcal{M}_{IBE}$, set $C = (Pt[u^*, W],\; \mathsf{Enc}_{IBE}(PK_{IBE}, W, R))$, update $Pt[u^*, W] = R$ and output $C$;
 2) If $Pub = \hat{C}^* \wedge W = W_0^*$, then
  a) Search $(W, Pub, Pt[u^*, W])$ for $W$ and $Pub$ in $Pt$;
  b) If it is not found, insert $(W, Pub, Pt[u^*, W] \xleftarrow{\$} \mathcal{M}_{IBE})$ into $Pt$, and output $C = (\hat{K}^*_{\hat{d}},\; \mathsf{Enc}_{IBE}(PK_{IBE}, W, Pt[u^*, W]))$; (Note that if $\hat{d} = 0$, the output ciphertext $C$ is correct, since the full-identity malleability of the IBKEM scheme gives $FIM(\hat{C}^*, W_0^*, u^*) = \hat{K}^*_{\hat{d}}$. Otherwise, the output ciphertext $C$ is incorrect. If $\mathcal{A}$ can detect this incorrectness, it implies that $\hat{d} = 1$ holds. Accordingly, $\mathcal{B}$ gains an advantage in the Anon-SS-sID-CPA game of the IBKEM scheme.)
  c) Otherwise, pick $R \xleftarrow{\$} \mathcal{M}_{IBE}$, set $C = (Pt[u^*, W],\; \mathsf{Enc}_{IBE}(PK_{IBE}, W, R))$, update $Pt[u^*, W] = R$ and output $C$;
 3) If $Pub \neq \hat{C}^*$, then
  a) According to $Pub$, retrieve $(Pub, u)$ from $SList$;
  b) Search $(W, Pub, Pt[u, W])$ for $W$ and $Pub$ in $Pt$;
  c) If it is not found, insert $(W, Pub, Pt[u, W] \xleftarrow{\$} \mathcal{M}_{IBE})$ into $Pt$ and output $C = (FIM(W, u),\; \mathsf{Enc}_{IBE}(PK_{IBE}, W, Pt[u, W]))$;
  d) Otherwise, pick $R \xleftarrow{\$} \mathcal{M}_{IBE}$, set $C = (Pt[u, W],\; \mathsf{Enc}_{IBE}(PK_{IBE}, W, R))$, update $Pt[u, W] = R$ and output $C$;

• Challenge Phase: In this phase,
1) $\mathcal{A}$ sends two challenge structures $(Pub_0^*, Pub_1^*) \in PSet \times PSet$ to $\mathcal{B}$;
2) $\mathcal{B}$ does the following steps:
 a) If $Pub_0^* \neq \hat{C}^*$, then abort and output $\bot$;
 b) Send two challenge IBE identity-and-message pairs $(W_0^*, M_0^*)$ and $(I^*, M_1^*)$ to $\mathcal{G}_2$, where $M_0^* \leftarrow \mathcal{M}_{IBE}$ and $M_1^* \leftarrow \mathcal{M}_{IBE}$;
3) $\mathcal{G}_2$ picks $\tilde{d} \xleftarrow{\$} \{0,1\}$, and sends the challenge IBE ciphertext $\tilde{C}^*_{\tilde{d}} = \mathsf{Enc}_{IBE}(PK_{IBE}, W_0^*, M_0^*)$ to $\mathcal{B}$ if $\tilde{d} = 0$; otherwise it sends $\tilde{C}^*_{\tilde{d}} = \mathsf{Enc}_{IBE}(PK_{IBE}, I^*, M_1^*)$ to $\mathcal{B}$.
4) $\mathcal{B}$ does the following steps:
 a) Search $(W_0^*, Pub_0^*, Pt[u^*, W_0^*])$ for $W_0^*$ and $Pub_0^*$ in $Pt$;
 b) If it is not found, insert $(W_0^*, Pub_0^*, Pt[u^*, W_0^*] = M_0^*)$ into $Pt$, output the challenge ciphertext $C^* = (\hat{K}^*_{\hat{d}}, \tilde{C}^*_{\tilde{d}})$ to $\mathcal{A}$ and stop this phase; (Note that if $\hat{d} = 0$ and $\tilde{d} = 0$, $C^*$ is a correct ciphertext. Otherwise, it is an incorrect one. If $\mathcal{A}$ confirms the incorrectness of $C^*$, it implies that $\hat{d} = 1$ or $\tilde{d} = 1$ holds. Accordingly, $\mathcal{B}$ gains an advantage in the Anon-SS-sID-CPA game of the IBKEM scheme or in the Anon-SS-ID-CPA game of the IBE scheme.)
 c) Otherwise, set the challenge ciphertext $C^* = (Pt[u^*, W_0^*], \tilde{C}^*_{\tilde{d}})$, update $Pt[u^*, W_0^*] = M_0^*$, send $C^*$ to $\mathcal{A}$ and stop this phase. (Note that if $\tilde{d} = 0$, $C^*$ is a correct ciphertext. Otherwise, it is an incorrect one. If $\mathcal{A}$ confirms the incorrectness of $C^*$, it implies that $\tilde{d} = 1$ holds. Accordingly, $\mathcal{B}$ gains an advantage in the Anon-SS-ID-CPA game of the IBE scheme.)

• Query Phase 2: This phase is the same as
Query Phase 1 . Note that in
Query Phase 1 and
Query Phase 2 ,adversary A cannot query the private part corresponding to the structure Pub ∗ or Pub ∗ and the keyword searchtrapdoor corresponding to the challenge keyword W ∗ or W ∗ . • Guess Phase : Adversary A sends a guess d (cid:48) to adversary B . B takes d (cid:48) as his guess at both ˆ d and ˜ d , and forwards d (cid:48) to challengers G and G .Let Abort denote the event that adversary B does not abort in the above game. Suppose adversary A totally queries Q P ri for q p times. Then we have P r [ Abort ] = N − q p N · N − q p = N . Note that q p ≤ ( N − always holds, since adversary A cannot query Q P ri for the challenge structures ( Pub ∗ , Pub ∗ ) .Let W in
Anon-SS-sID-CPA
IBKEM, B denote the event that B wins in the Anon-SS-sID-CPA game of the underlying IBKEM schemeunder the condition that B does not abort. Let W in
Anon-SS-ID-CPA
IBE, B denote the event that B wins in the Anon-SS-ID-CPAgame of the underlying IBE scheme under the condition that B does not abort. Let Adv B be the advantage of B to have W in
Anon-SS-sID-CPA
IBKEM, B or W in
Anon-SS-ID-CPA
IBE, B holds. Since B has the probability no less than to have W in
Anon-SS-sID-CPA
IBKEM, B or W in
Anon-SS-ID-CPA
IBE, B holds under the condition that B does not abort, we clearly have dv B = ( P r [ W in
Anon-SS-sID-CPA
IBKEM, B (cid:95) W in
Anon-SS-ID-CPA
IBE, B | Abort ] −
34 ) · P r [ Abort ]= (
P r [ W in
Anon-SS-sID-CPA
IBKEM, B | Abort ] +
P r [ W in
Anon-SS-ID-CPA
IBE, B | Abort ] − P r [ W in
Anon-SS-sID-CPA
IBKEM, B (cid:94) W in
Anon-SS-ID-CPA
IBE, B | Abort ] −
34 ) · P r [ Abort ] Let
$\overline{\mathsf{Belong}}$ denote the event that $(W^*_0, \mathsf{Pub}^*_0, \mathsf{Pt}[u^*, W^*_0]) \notin \mathsf{Pt}$ holds in the above Challenge Phase. On the contrary, let $\mathsf{Belong}$ denote the event that $(W^*_0, \mathsf{Pub}^*_0, \mathsf{Pt}[u^*, W^*_0]) \in \mathsf{Pt}$ holds in the above Challenge Phase. We compute the probability $\Pr[\mathsf{Win}_{\mathsf{IBKEM}} \mid \overline{\mathsf{Abort}}] + \Pr[\mathsf{Win}_{\mathsf{IBE}} \mid \overline{\mathsf{Abort}}]$ as follows. In the sums, $E$ ranges over the two events $\{\overline{\mathsf{Belong}}, \mathsf{Belong}\}$ and $(i,j)$ over $\{0,1\}^2$; since $\hat d$ and $\tilde d$ are independent uniform bits, $\Pr[\hat d = i \wedge \tilde d = j] = \frac{1}{4}$ for every $(i,j)$.
$$\begin{aligned}
&\Pr[\mathsf{Win}_{\mathsf{IBKEM}} \mid \overline{\mathsf{Abort}}] + \Pr[\mathsf{Win}_{\mathsf{IBE}} \mid \overline{\mathsf{Abort}}] \\
&= \sum_{E} \Pr[E] \cdot \Big( \Pr[d' = \hat d \mid \overline{\mathsf{Abort}} \wedge E] + \Pr[d' = \tilde d \mid \overline{\mathsf{Abort}} \wedge E] \Big) \\
&= \sum_{E} \Pr[E] \cdot \sum_{(i,j)} \Pr[\hat d = i \wedge \tilde d = j] \cdot \Big( \Pr[d' = \hat d \mid \overline{\mathsf{Abort}} \wedge E \wedge \hat d = i \wedge \tilde d = j] + \Pr[d' = \tilde d \mid \overline{\mathsf{Abort}} \wedge E \wedge \hat d = i \wedge \tilde d = j] \Big) \\
&= \sum_{E} \Pr[E] \cdot \tfrac{1}{4} \cdot \Big( 2 \cdot \mathrm{Adv}^{\text{SS-sK-CKSA}}_{\mathsf{SPCHS},\mathcal{A}} + 3 + \Pr[d' = \hat d \mid \overline{\mathsf{Abort}} \wedge E \wedge \hat d = 1 \wedge \tilde d = 1] + \Pr[d' = \tilde d \mid \overline{\mathsf{Abort}} \wedge E \wedge \hat d = 1 \wedge \tilde d = 1] \Big) \\
&= \sum_{E} \Pr[E] \cdot \tfrac{1}{4} \cdot \Big( 2 \cdot \mathrm{Adv}^{\text{SS-sK-CKSA}}_{\mathsf{SPCHS},\mathcal{A}} + 3 + 2 \cdot \Pr[d' = \hat d = \tilde d \mid \overline{\mathsf{Abort}} \wedge E \wedge \hat d = 1 \wedge \tilde d = 1] \Big) \\
&= \Big( 2 \cdot \mathrm{Adv}^{\text{SS-sK-CKSA}}_{\mathsf{SPCHS},\mathcal{A}} + 3 \Big) \cdot \tfrac{1}{4} + 2 \cdot \Pr[d' = \hat d = \tilde d \mid \overline{\mathsf{Abort}} \wedge \hat d = 1 \wedge \tilde d = 1] \cdot \tfrac{1}{4} \\
&= \tfrac{1}{2} \cdot \mathrm{Adv}^{\text{SS-sK-CKSA}}_{\mathsf{SPCHS},\mathcal{A}} + 1.
\end{aligned}$$
The term $2 \cdot \mathrm{Adv}^{\text{SS-sK-CKSA}}_{\mathsf{SPCHS},\mathcal{A}} + 3$ collects the three cases $(i,j) \neq (1,1)$: when $\hat d = \tilde d = 0$ the challenge ciphertext is a correct SPCHS ciphertext, so each of the two summands equals $\frac{1}{2} + \mathrm{Adv}^{\text{SS-sK-CKSA}}_{\mathsf{SPCHS},\mathcal{A}}$; when exactly one of $\hat d, \tilde d$ equals $1$, the events $d' = \hat d$ and $d' = \tilde d$ are complementary, so the two summands sum to $1$ for each such $(i,j)$. In the remaining case $\hat d = \tilde d = 1$ the challenge ciphertext carries no information about the bits, so $\Pr[d' = \hat d = \tilde d \mid \overline{\mathsf{Abort}} \wedge \hat d = 1 \wedge \tilde d = 1] = \frac{1}{2}$, which gives the last line. We compute the probability
$\Pr[\mathsf{Win}_{\mathsf{IBKEM}} \wedge \mathsf{Win}_{\mathsf{IBE}} \mid \overline{\mathsf{Abort}}]$ as follows. The event $d' = \hat d = \tilde d$ is impossible when $\hat d \neq \tilde d$, so only the two cases $\hat d = \tilde d$ contribute.
$$\begin{aligned}
&\Pr[\mathsf{Win}_{\mathsf{IBKEM}} \wedge \mathsf{Win}_{\mathsf{IBE}} \mid \overline{\mathsf{Abort}}] \\
&= \sum_{E} \Pr[E] \cdot \Pr[d' = \hat d = \tilde d \mid \overline{\mathsf{Abort}} \wedge E] \\
&= \sum_{E} \Pr[E] \cdot \Big( \Pr[d' = \hat d = \tilde d \mid \overline{\mathsf{Abort}} \wedge E \wedge \hat d = 0 \wedge \tilde d = 0] \cdot \Pr[\hat d = 0 \wedge \tilde d = 0] + \Pr[d' = \hat d = \tilde d \mid \overline{\mathsf{Abort}} \wedge E \wedge \hat d = 1 \wedge \tilde d = 1] \cdot \Pr[\hat d = 1 \wedge \tilde d = 1] \Big) \\
&= \sum_{E} \Pr[E] \cdot \tfrac{1}{4} \cdot \Big( \mathrm{Adv}^{\text{SS-sK-CKSA}}_{\mathsf{SPCHS},\mathcal{A}} + \tfrac{1}{2} + \Pr[d' = \hat d = \tilde d \mid \overline{\mathsf{Abort}} \wedge E \wedge \hat d = 1 \wedge \tilde d = 1] \Big) \\
&= \Big( \mathrm{Adv}^{\text{SS-sK-CKSA}}_{\mathsf{SPCHS},\mathcal{A}} + \tfrac{1}{2} \Big) \cdot \tfrac{1}{4} + \Pr[d' = \hat d = \tilde d \mid \overline{\mathsf{Abort}} \wedge \hat d = 1 \wedge \tilde d = 1] \cdot \tfrac{1}{4} \\
&= \tfrac{1}{4} \cdot \mathrm{Adv}^{\text{SS-sK-CKSA}}_{\mathsf{SPCHS},\mathcal{A}} + \tfrac{1}{4}.
\end{aligned}$$
According to the above computations, we have
$$\begin{aligned}
\mathrm{Adv}_{\mathcal{B}} &= \Big( \Pr[\mathsf{Win}_{\mathsf{IBKEM}} \vee \mathsf{Win}_{\mathsf{IBE}} \mid \overline{\mathsf{Abort}}] - \tfrac{3}{4} \Big) \cdot \Pr[\overline{\mathsf{Abort}}] \\
&= \Big( \Pr[\mathsf{Win}_{\mathsf{IBKEM}} \mid \overline{\mathsf{Abort}}] + \Pr[\mathsf{Win}_{\mathsf{IBE}} \mid \overline{\mathsf{Abort}}] - \Pr[\mathsf{Win}_{\mathsf{IBKEM}} \wedge \mathsf{Win}_{\mathsf{IBE}} \mid \overline{\mathsf{Abort}}] - \tfrac{3}{4} \Big) \cdot \Pr[\overline{\mathsf{Abort}}] \\
&= \Big( \tfrac{1}{2} \cdot \mathrm{Adv}^{\text{SS-sK-CKSA}}_{\mathsf{SPCHS},\mathcal{A}} + 1 - \tfrac{1}{4} \cdot \mathrm{Adv}^{\text{SS-sK-CKSA}}_{\mathsf{SPCHS},\mathcal{A}} - \tfrac{1}{4} - \tfrac{3}{4} \Big) \cdot \tfrac{1}{N} \\
&= \frac{1}{4N} \cdot \mathrm{Adv}^{\text{SS-sK-CKSA}}_{\mathsf{SPCHS},\mathcal{A}}.
\end{aligned}$$
In addition, it is clear that adversary $\mathcal{B}$ is a PPT adversary if $\mathcal{A}$ is a PPT adversary. In conclusion, if a PPT adversary $\mathcal{A}$ wins in the SS-sK-CKSA game of the generic SPCHS construction with advantage $\mathrm{Adv}^{\text{SS-sK-CKSA}}_{\mathsf{SPCHS},\mathcal{A}}$, then the above PPT adversary $\mathcal{B}$ can utilize the capability of adversary $\mathcal{A}$ to win in the Anon-SS-sID-CPA game of the underlying IBKEM scheme or the Anon-SS-ID-CPA game of the underlying IBE scheme with advantage $\frac{1}{4N} \cdot \mathrm{Adv}^{\text{SS-sK-CKSA}}_{\mathsf{SPCHS},\mathcal{A}}$.

F. A Collision-free Full-identity Malleable IBKEM Instance in the RO Model
We first review the VRF-suitable IBKEM instance proposed in Appendix A.2 of [8]. Then we prove its collision-free full-identity malleability and its Anon-SS-ID-CPA security in the RO model. Let the identity space be $\mathcal{ID}_{\mathsf{IBKEM}} = \{0,1\}^*$. This IBKEM instance is as follows.

• $\mathsf{Setup}_{\mathsf{IBKEM}}(1^k, \mathcal{ID}_{\mathsf{IBKEM}})$: Take as input a security parameter $k$ and the identity space $\mathcal{ID}_{\mathsf{IBKEM}}$, compute $(q, \mathbb{G}_1, \mathbb{G}_2, g, \hat e) \xleftarrow{\$} \mathsf{BGen}(1^k)$, pick $s \xleftarrow{\$} \mathbb{Z}_q^*$, set $P \leftarrow g^s$, choose a cryptographic hash function $H : \{0,1\}^* \to \mathbb{G}_1$, set the encapsulated key space $\mathcal{K}_{\mathsf{IBKEM}} = \mathbb{G}_2$, set the encapsulation space $\mathcal{C}_{\mathsf{IBKEM}} = \mathbb{G}_1$, and output the master public key $PK_{\mathsf{IBKEM}} = (q, \mathbb{G}_1, \mathbb{G}_2, g, \hat e, P, H, \mathcal{ID}_{\mathsf{IBKEM}}, \mathcal{K}_{\mathsf{IBKEM}}, \mathcal{C}_{\mathsf{IBKEM}})$ and the master secret key $SK_{\mathsf{IBKEM}} = s$.
• $\mathsf{Extract}_{\mathsf{IBKEM}}(SK_{\mathsf{IBKEM}}, ID)$: Take as inputs $SK_{\mathsf{IBKEM}}$ and an identity $ID \in \mathcal{ID}_{\mathsf{IBKEM}}$, and output the decryption key $\hat S_{ID} = H(ID)^s$ of $ID$.
• $\mathsf{Encaps}_{\mathsf{IBKEM}}(PK_{\mathsf{IBKEM}}, ID, r)$: Take as inputs $PK_{\mathsf{IBKEM}}$, an identity $ID \in \mathcal{ID}_{\mathsf{IBKEM}}$ and a random value $r$, and output a key-and-encapsulation pair $(\hat K, \hat C)$, where $\hat K = \hat e(P, H(ID))^r$ and $\hat C = g^r$.
• $\mathsf{Decaps}_{\mathsf{IBKEM}}(\hat S_{ID'}, \hat C)$: Take as inputs the decryption key $\hat S_{ID'}$ of identity $ID'$ and an encapsulation $\hat C$, and output the encapsulated key $\hat K = \hat e(\hat C, \hat S_{ID'})$ if $\hat C \in \mathbb{G}_1$, or output $\bot$ otherwise.

Collision-Free Full-Identity Malleability. Let the function $\mathsf{FIM}(ID, r) = \hat e(P, H(ID))^r$ for any identity $ID \in \mathcal{ID}_{\mathsf{IBKEM}}$ and any random value $r \in \mathbb{Z}_q^*$. Clearly, the function $\mathsf{FIM}$ is efficient. Moreover, the function $\mathsf{FIM}$ has collision-freeness and full-identity malleability for the following reasons. For any $(\hat K, \hat C) = \mathsf{Encaps}_{\mathsf{IBKEM}}(PK_{\mathsf{IBKEM}}, ID, r)$ and any identity $ID' \in \mathcal{ID}_{\mathsf{IBKEM}}$, it is clear that
$$\mathsf{FIM}(ID', r) = \hat e(P, H(ID'))^r = \hat e(g^r, H(ID')^s) = \mathsf{Decaps}_{\mathsf{IBKEM}}(\hat S_{ID'}, \hat C)$$
holds, by bilinearity of $\hat e$ (both sides equal $\hat e(g, H(ID'))^{rs}$). So the function $\mathsf{FIM}$ has full-identity malleability. In addition, for any identity $ID' \in \mathcal{ID}_{\mathsf{IBKEM}}$, if $ID \neq ID'$, we clearly have $\mathsf{FIM}(ID, r) \neq \mathsf{FIM}(ID', r)$ due to the collision-freeness of the hash function $H$; for any random value $r' \in \mathbb{Z}_q^*$, if $r \neq r'$, we clearly have $\mathsf{FIM}(ID, r) \neq \mathsf{FIM}(ID, r')$ due to the randomness of the values $r$ and $r'$. Therefore, the function $\mathsf{FIM}$ offers collision-freeness, except with a probability negligible in the security parameter $k$.

Anon-SS-ID-CPA Security.
The Anon-SS-ID-CPA security of the above IBKEM instance is based on the DBDH assumption in the RO model. The formal result is the following theorem.

Theorem 6. Let the hash function $H$ be modeled as the random oracle $Q_H(\cdot)$. Suppose a PPT adversary $\mathcal{A}$ wins in the Anon-SS-ID-CPA game of the above IBKEM instance with advantage $\mathrm{Adv}^{\text{Anon-SS-ID-CPA}}_{\mathsf{IBKEM},\mathcal{A}}$, in which $\mathcal{A}$ makes at most $q_p$ queries to oracle $Q^{\mathsf{IBKEM}}_{\mathsf{DK}}(\cdot)$. Then there is a PPT algorithm $\mathcal{B}$ that solves the DBDH problem in $\mathsf{BGen}(1^k)$ with advantage approximately
$$\mathrm{Adv}^{\mathrm{DBDH}}_{\mathcal{B}}(1^k) \approx \frac{1}{e \cdot q_p} \cdot \mathrm{Adv}^{\text{Anon-SS-ID-CPA}}_{\mathsf{IBKEM},\mathcal{A}},$$
where $e$ is the base of natural logarithms.

Proof: To prove this theorem, we will construct a PPT algorithm $\mathcal{B}$ that plays the Anon-SS-ID-CPA game with adversary $\mathcal{A}$ and utilizes the capability of $\mathcal{A}$ to solve the DBDH problem in $\mathsf{BGen}(1^k)$ with advantage approximately $\frac{1}{e \cdot q_p} \cdot \mathrm{Adv}^{\text{Anon-SS-ID-CPA}}_{\mathsf{IBKEM},\mathcal{A}}$. Let $\mathsf{Coin} \xleftarrow{\sigma} \{0,1\}$ denote the operation that picks $\mathsf{Coin} \in \{0,1\}$ according to the probability $\Pr[\mathsf{Coin} = 1] = \sigma$ (the specific value of $\sigma$ will be decided later). The constructed algorithm $\mathcal{B}$ in the Anon-SS-ID-CPA game is as follows.

• Setup Phase: Algorithm $\mathcal{B}$ takes as inputs $(q, \mathbb{G}_1, \mathbb{G}_2, g, \hat e, g^a, g^b, g^c, Z)$ (where $Z$ equals either $\hat e(g,g)^{abc}$ or $\hat e(g,g)^y$) and the identity space $\mathcal{ID}_{\mathsf{IBKEM}}$, and does the following steps:
1) Initialize a list $\mathsf{HList} = \emptyset \subseteq \mathcal{ID}_{\mathsf{IBKEM}} \times \mathbb{G}_1 \times \mathbb{Z}_q^* \times \{0,1\}$;
2) Set the encapsulated key space $\mathcal{K}_{\mathsf{IBKEM}} = \mathbb{G}_2$, the encapsulation space $\mathcal{C}_{\mathsf{IBKEM}} = \mathbb{G}_1$ and $PK_{\mathsf{IBKEM}} = (q, \mathbb{G}_1, \mathbb{G}_2, g, \hat e, P = g^a, \mathcal{ID}_{\mathsf{IBKEM}}, \mathcal{K}_{\mathsf{IBKEM}}, \mathcal{C}_{\mathsf{IBKEM}})$;
3) Send $PK_{\mathsf{IBKEM}}$ to adversary $\mathcal{A}$;

• Query Phase 1: Adversary $\mathcal{A}$ adaptively issues the following queries multiple times.
– Hash Query $Q_H(ID)$: Taking as input an identity $ID \in \mathcal{ID}_{\mathsf{IBKEM}}$, algorithm $\mathcal{B}$ does the following steps:
 1) Pick $x \xleftarrow{\$} \mathbb{Z}_q^*$ and $\mathsf{Coin} \xleftarrow{\sigma} \{0,1\}$;
 2) If $\mathsf{Coin} = 0$, add $(ID, g^x, x, \mathsf{Coin})$ into $\mathsf{HList}$ and output $g^x$;
 3) Otherwise, add $(ID, g^{c \cdot x}, x, \mathsf{Coin})$ into $\mathsf{HList}$ and output $g^{c \cdot x}$;
– Decryption Key Query $Q^{\mathsf{IBKEM}}_{\mathsf{DK}}(ID)$: Taking as input an identity $ID \in \mathcal{ID}_{\mathsf{IBKEM}}$, algorithm $\mathcal{B}$ does the following steps:
 1) If $(ID, *, *, *) \notin \mathsf{HList}$, query $Q_H(ID)$;
 2) According to $ID$, retrieve $(ID, X, x, \mathsf{Coin})$ from $\mathsf{HList}$;
 3) If $\mathsf{Coin} = 0$, output $g^{a \cdot x}$; otherwise, abort and output $\bot$;

• Challenge Phase: Adversary $\mathcal{A}$ sends two challenge identities $ID^*_0 \in \mathcal{ID}_{\mathsf{IBKEM}}$ and $ID^*_1 \in \mathcal{ID}_{\mathsf{IBKEM}}$ to algorithm $\mathcal{B}$; $\mathcal{B}$ picks $\hat d \xleftarrow{\$} \{0,1\}$, and does the following steps:
1) If $(ID^*_0, *, *, *) \notin \mathsf{HList}$, query $Q_H(ID^*_0)$;
2) If $(ID^*_1, *, *, *) \notin \mathsf{HList}$, query $Q_H(ID^*_1)$;
3) According to $ID^*_0$ and $ID^*_1$, retrieve $(ID^*_0, X^*_0, x^*_0, \mathsf{Coin}^*_0)$ and $(ID^*_1, X^*_1, x^*_1, \mathsf{Coin}^*_1)$ from $\mathsf{HList}$;
4) If $\mathsf{Coin}^*_0 = 0 \vee \mathsf{Coin}^*_1 = 0$, then abort and output $\bot$;
5) Finally send the challenge key-and-encapsulation pair $(Z^{x^*_{\hat d}}, g^b)$ to adversary $\mathcal{A}$;

• Query Phase 2: This phase is the same as Query Phase 1. Note that in Query Phase 1 and Query Phase 2, adversary $\mathcal{A}$ cannot query the decryption key corresponding to the challenge identity $ID^*_0$ or $ID^*_1$.

• Guess Phase: Adversary $\mathcal{A}$ sends a guess $\hat d'$ to algorithm $\mathcal{B}$. If $\hat d = \hat d'$, $\mathcal{B}$ outputs 1; otherwise, it outputs 0.

Let $\overline{\mathsf{Abort}}$ denote the event that algorithm $\mathcal{B}$ does not abort in the above game. Next, we will compute the probabilities $\Pr[\overline{\mathsf{Abort}}]$, $\Pr[\mathcal{B} = 1 \mid Z = \hat e(g,g)^{abc}]$ and $\Pr[\mathcal{B} = 1 \mid Z = \hat e(g,g)^y]$, and the advantage $\mathrm{Adv}^{\mathrm{DBDH}}_{\mathcal{B}}(1^k)$.

According to the above game, the probability of the event $\overline{\mathsf{Abort}}$ relies only on the probability $\sigma$ and the number of times adversary $\mathcal{A}$ queries oracle $Q^{\mathsf{IBKEM}}_{\mathsf{DK}}(ID)$. We have that $\Pr[\overline{\mathsf{Abort}}] = (1 - \sigma)^{q_p} \cdot \sigma$. Let $\sigma = \frac{1}{q_p}$. We have that $\Pr[\overline{\mathsf{Abort}}] \approx \frac{1}{e \cdot q_p}$, where $e$ is the base of natural logarithms.

When $Z = \hat e(g,g)^{abc}$ and the event $\overline{\mathsf{Abort}}$ holds, it is easy to see that algorithm $\mathcal{B}$ simulates a real Anon-SS-ID-CPA game in adversary $\mathcal{A}$'s view. So we have $\Pr[\hat d = \hat d' \mid \overline{\mathsf{Abort}} \wedge Z = \hat e(g,g)^{abc}] = \mathrm{Adv}^{\text{Anon-SS-ID-CPA}}_{\mathsf{IBKEM},\mathcal{A}} + \frac{1}{2}$.

When $Z = \hat e(g,g)^y$ and the event $\overline{\mathsf{Abort}}$ holds, algorithm $\mathcal{B}$ generates an incorrect challenge ciphertext, and it is independent of the challenge identities $ID^*_0$ and $ID^*_1$. So we have $\Pr[\hat d = \hat d' \mid \overline{\mathsf{Abort}} \wedge Z = \hat e(g,g)^y] = \frac{1}{2}$.
Now, we can compute the advantage $\mathrm{Adv}^{\mathrm{DBDH}}_{\mathcal{B}}(1^k)$ as follows:
$$\begin{aligned}
\mathrm{Adv}^{\mathrm{DBDH}}_{\mathcal{B}}(1^k) &= \Pr[\mathcal{B} = 1 \mid Z = \hat e(g,g)^{abc}] - \Pr[\mathcal{B} = 1 \mid Z = \hat e(g,g)^y] \\
&= \Pr[\hat d = \hat d' \wedge \overline{\mathsf{Abort}} \mid Z = \hat e(g,g)^{abc}] - \Pr[\hat d = \hat d' \wedge \overline{\mathsf{Abort}} \mid Z = \hat e(g,g)^y] \\
&= \Pr[\hat d = \hat d' \mid \overline{\mathsf{Abort}} \wedge Z = \hat e(g,g)^{abc}] \cdot \Pr[\overline{\mathsf{Abort}} \mid Z = \hat e(g,g)^{abc}] - \Pr[\hat d = \hat d' \mid \overline{\mathsf{Abort}} \wedge Z = \hat e(g,g)^y] \cdot \Pr[\overline{\mathsf{Abort}} \mid Z = \hat e(g,g)^y] \\
&\approx \Big( \mathrm{Adv}^{\text{Anon-SS-ID-CPA}}_{\mathsf{IBKEM},\mathcal{A}} + \tfrac{1}{2} \Big) \cdot \frac{1}{e \cdot q_p} - \frac{1}{2} \cdot \frac{1}{e \cdot q_p} \\
&= \frac{1}{e \cdot q_p} \cdot \mathrm{Adv}^{\text{Anon-SS-ID-CPA}}_{\mathsf{IBKEM},\mathcal{A}}.
\end{aligned}$$
In addition, it is clear that algorithm $\mathcal{B}$ is a PPT algorithm if adversary $\mathcal{A}$ is a PPT adversary. In conclusion, if a PPT adversary $\mathcal{A}$ wins in the Anon-SS-ID-CPA game of the above IBKEM instance with advantage $\mathrm{Adv}^{\text{Anon-SS-ID-CPA}}_{\mathsf{IBKEM},\mathcal{A}}$, in which $\mathcal{A}$ makes at most $q_p$ queries to oracle $Q^{\mathsf{IBKEM}}_{\mathsf{DK}}(\cdot)$, then there is a PPT algorithm $\mathcal{B}$ that solves the DBDH problem in $\mathsf{BGen}(1^k)$ with advantage approximately
$$\mathrm{Adv}^{\mathrm{DBDH}}_{\mathcal{B}}(1^k) \approx \frac{1}{e \cdot q_p} \cdot \mathrm{Adv}^{\text{Anon-SS-ID-CPA}}_{\mathsf{IBKEM},\mathcal{A}},$$
where $e$ is the base of natural logarithms.

G. Proof of Theorem 5

Proof:
Suppose a PPT adversary $\mathcal{A}$ wins in the Anon-SS-ID-CPA game of the above IBKEM instance with advantage $\mathrm{Adv}^{\text{Anon-SS-ID-CPA}}_{\mathsf{IBKEM},\mathcal{A}}$, in which $\mathcal{A}$ makes at most $q_p$ queries to oracle $Q^{\mathsf{IBKEM}}_{\mathsf{DK}}(\cdot)$. To prove this theorem, we will construct a PPT algorithm $\mathcal{B}$ that plays the Anon-SS-ID-CPA game with adversary $\mathcal{A}$ and utilizes the capability of $\mathcal{A}$ to break the $(\ell+1)$-MDDH assumption in $\mathsf{MG}_{\ell+1}(1^k)$. The constructed algorithm $\mathcal{B}$ in the Anon-SS-ID-CPA game is as follows.

• Setup Phase: Algorithm $\mathcal{B}$ gets as input an $(\ell+1)$-group system $\mathsf{MPG}_{\ell+1}$ and group elements $g, g^{x_1}, \cdots, g^{x_{\ell+2}} \in \mathbb{G}_1$ and $S \in \mathbb{G}_{\ell+1}$, where either $S = \hat e(g^{x_1}, \cdots, g^{x_{\ell+1}})^{x_{\ell+2}}$ (i.e., $S$ is real) or $S \in \mathbb{G}_{\ell+1}$ is uniform (i.e., $S$ is random). $\mathcal{B}$ generates a $(q_p, \cdot)$-MPHF $\mathsf{H}$ into $\mathbb{G}_\ell$, sets up the master public key as $PK = (\mathsf{MPG}_{\ell+1}, hk, \mathsf{H}, h, h', \mathcal{ID}, \mathcal{K}, \mathcal{C})$ for $(h, h') = (g, g^{x_{\ell+1}})$ and $(hk, td) \leftarrow \mathsf{TGen}(1^k, g^{x_1}, \cdots, g^{x_\ell}, g)$, and finally sends $PK_{\mathsf{IBKEM}}$ to adversary $\mathcal{A}$. Here, we use the $\mathsf{TGen}$ and $\mathsf{TEval}$ algorithms of the $(q_p, \cdot)$-MPHF property of $\mathsf{H}$.

• Query Phase 1: Adversary $\mathcal{A}$ adaptively issues the following query multiple times.
– Decryption Key Query $Q^{\mathsf{IBKEM}}_{\mathsf{DK}}(ID)$: Taking as input an identity $ID \in \mathcal{ID}_{\mathsf{IBKEM}}$, algorithm $\mathcal{B}$ does the following steps:
 1) Compute $\mathsf{TEval}(td, ID) = (a_{ID}, B_{ID})$;
 2) If $a_{ID} = 0$, return $\hat S_{ID} = \hat e(B_{ID}, h')$; otherwise, abort and output $\bot$;
Note that we have $\hat S_{ID} = \hat e(B_{ID}, h') = \hat e(B_{ID}, h)^{x_{\ell+1}} = \mathsf{H}_{hk}(ID)^{x_{\ell+1}}$. So $\mathcal{B}$ can answer a $Q^{\mathsf{IBKEM}}_{\mathsf{DK}}(ID)$ query of $\mathcal{A}$ for identity $ID$ precisely when $a_{ID} = 0$.

• Challenge Phase: Adversary $\mathcal{A}$ sends two challenge identities $ID^*_0 \in \mathcal{ID}_{\mathsf{IBKEM}}$ and $ID^*_1 \in \mathcal{ID}_{\mathsf{IBKEM}}$ to algorithm $\mathcal{B}$; $\mathcal{B}$ picks $\hat d \xleftarrow{\$} \{0,1\}$, and does the following steps:
1) Compute $\mathsf{TEval}(td, ID^*_0) = (a_{ID^*_0}, B_{ID^*_0})$ and $\mathsf{TEval}(td, ID^*_1) = (a_{ID^*_1}, B_{ID^*_1})$;
2) If $a_{ID^*_0} = 0 \vee a_{ID^*_1} = 0$, then abort and output $\bot$;
3) Send the challenge key-and-encapsulation pair $\big(\hat K^*_{\hat d} = S^{a_{ID^*_{\hat d}}} \cdot \hat e(B_{ID^*_{\hat d}}, g^{x_{\ell+1}}, g^{x_{\ell+2}}),\ \hat C^* = g^{x_{\ell+2}}\big)$ to adversary $\mathcal{A}$;
Suppose algorithm $\mathcal{B}$ does not abort (i.e., both $a_{ID^*_0} \neq 0$ and $a_{ID^*_1} \neq 0$ hold). Then we have $\mathsf{H}_{hk}(ID^*_0) = \hat e(g^{x_1}, \cdots, g^{x_\ell})^{a_{ID^*_0}} \cdot \hat e(B_{ID^*_0}, h)$ and $\mathsf{H}_{hk}(ID^*_1) = \hat e(g^{x_1}, \cdots, g^{x_\ell})^{a_{ID^*_1}} \cdot \hat e(B_{ID^*_1}, h)$. Furthermore, if $S = \hat e(g^{x_1}, \cdots, g^{x_{\ell+1}})^{x_{\ell+2}}$, we have
$$\hat K^*_{\hat d} = S^{a_{ID^*_{\hat d}}} \cdot \hat e(B_{ID^*_{\hat d}}, g^{x_{\ell+1}}, g^{x_{\ell+2}}) = \hat e(\mathsf{H}_{hk}(ID^*_{\hat d}), g^{x_{\ell+1}})^{x_{\ell+2}}.$$
This implies that the challenge key-and-encapsulation pair $(\hat K^*_{\hat d}, \hat C^*)$ is a valid one in this case. Otherwise, $\hat K^*_{\hat d}$ contains no information about $\hat d$.

• Query Phase 2: This phase is the same as Query Phase 1. Note that in Query Phase 1 and Query Phase 2, adversary $\mathcal{A}$ cannot query the decryption key corresponding to the challenge identity $ID^*_0$ or $ID^*_1$.

• Guess Phase: Adversary $\mathcal{A}$ sends a guess $\hat d'$ to algorithm $\mathcal{B}$. Let $\overline{\mathsf{Abort}'}$ denote the event that $\mathcal{B}$ does not abort in the previous phases. Let $\mathcal{I} = \{ID_1, \cdots, ID_{q_p}, ID^*_0, ID^*_1\}$ be the set of the identities queried by $\mathcal{A}$ together with the challenge identities $ID^*_0$ and $ID^*_1$. Let $P_{\mathcal{I}} = \Pr[\overline{\mathsf{Abort}'} \mid \mathcal{I}]$, which will be decided later. As in [9], [48], $\mathcal{B}$ "artificially" aborts with probability $1 - 1/(P_{\mathcal{I}} \cdot p(k))$ for the polynomial $p(k)$ from Definition 12 and outputs $\bot$. If it does not abort, $\mathcal{B}$ uses the guess of $\mathcal{A}$. This means that if $\hat d = \hat d'$, $\mathcal{B}$ outputs 1; otherwise it outputs 0.

In the Guess Phase, $\mathcal{B}$ did not directly use the guess of $\mathcal{A}$, since the event $\overline{\mathsf{Abort}'}$ might not be independent of the identities in $\mathcal{I}$. So $\mathcal{B}$ "artificially" aborts to achieve the independence. Let $\overline{\mathsf{Abort}}$ be the event that $\mathcal{B}$ does not abort in the above game. We have that
$$\Pr[\overline{\mathsf{Abort}}] = 1 - \Pr[\mathsf{Abort}' \mid \mathcal{I}] - \Pr[\overline{\mathsf{Abort}'} \mid \mathcal{I}] \cdot \Big(1 - \frac{1}{P_{\mathcal{I}} \cdot p(k)}\Big) = \frac{1}{p(k)}.$$
Hence, we have $\Pr[\mathcal{B} = 1 \mid S \text{ is real}] = \Pr[\overline{\mathsf{Abort}}] \cdot \big(\frac{1}{2} + \mathrm{Adv}^{\text{Anon-SS-ID-CPA}}_{\mathsf{IBKEM},\mathcal{A}}\big)$ and $\Pr[\mathcal{B} = 1 \mid S \text{ is random}] = \Pr[\overline{\mathsf{Abort}}] \cdot \frac{1}{2}$, where $\frac{1}{2} + \mathrm{Adv}^{\text{Anon-SS-ID-CPA}}_{\mathsf{IBKEM},\mathcal{A}}$ is the probability that $\mathcal{A}$ succeeds in the Anon-SS-ID-CPA game of the IBKEM. Further, we have
$$\Pr[\mathcal{B} = 1 \mid S \text{ is real}] - \Pr[\mathcal{B} = 1 \mid S \text{ is random}] = \frac{1}{p(k)} \cdot \mathrm{Adv}^{\text{Anon-SS-ID-CPA}}$$