
Statistically Consistent Broadcast Authenticated Encryption with Keyword Search

Adaptive Security from Standard Assumptions

  • Conference paper
Information Security and Privacy (ACISP 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13915)


Abstract

Searchable Encryption (SE) allows users to perform a keyword search over encrypted documents. In Eurocrypt’04, Boneh et al. introduced Public-key Encryption with Keyword Search (PEKS). Broadcast Encryption with Keyword Search (BEKS) is a natural progression to allow some amount of access control. Unfortunately, PEKS and BEKS suffer from keyword-guessing attacks (KGA). In the case of KGA, an adversary guesses the keyword encoded in a trapdoor by creating a ciphertext on a sequence of keywords of its choice and testing them against the trapdoor. In ACISP’21, Liu et al. introduced a variant of BEKS called Broadcast Authenticated Encryption with Keyword Search (BAEKS), which tried to mitigate KGA in BEKS. This construction did not argue consistency and achieved weaker security in the random oracle model.

In this work, we first introduce the notion of consistency for BAEKS and introduce security models much stronger than those of Liu et al. We propose a new statistically-consistent construction of BAEKS in the standard model that achieves security in the newly introduced models. Our proposal is proven adaptively secure under the well-studied bilateral Matrix Diffie-Hellman Assumption and still achieves asymptotic efficiency similar to that of Liu et al.


References

  1. Abdalla, M., et al.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. J. Cryptol. 21(3), 350–391 (2007). https://doi.org/10.1007/s00145-007-9006-6


  2. Attrapadung, N., Furukawa, J., Imai, H.: Forward-secure and searchable broadcast encryption with short ciphertexts and private keys. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 161–177. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_11


  3. Baek, J., Safavi-Naini, R., Susilo, W.: Public key encryption with keyword search revisited. In: Gervasi, O., Murgante, B., Laganà, A., Taniar, D., Mun, Y., Gavrilova, M.L. (eds.) ICCSA 2008. LNCS, vol. 5072, pp. 1249–1259. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-69839-5_96


  4. Boneh, D., Boyen, X.: Efficient selective-id secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_14


  5. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_26


  6. Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_30


  7. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_16


  8. Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_29


  9. Byun, J.W., Rhee, H.S., Park, H.-A., Lee, D.H.: Off-line keyword guessing attacks on recent keyword search schemes over encrypted data. In: Jonker, W., Petković, M. (eds.) SDM 2006. LNCS, vol. 4165, pp. 75–83. Springer, Heidelberg (2006). https://doi.org/10.1007/11844662_6


  10. Chatterjee, S., Mukherjee, S.: Keyword search meets membership testing: adaptive security from SXDH. In: Chakraborty, D., Iwata, T. (eds.) INDOCRYPT 2018. LNCS, vol. 11356, pp. 21–43. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-05378-9_2


  11. Chen, J., Gay, R., Wee, H.: Improved dual system ABE in prime-order groups via predicate encodings. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 595–624. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_20


  12. Chi, T., Qin, B., Zheng, D.: An efficient searchable public-key authenticated encryption for cloud-assisted medical internet of things. Wirel. Commun. Mobile Comput. 2020, 8816172 (2020). https://doi.org/10.1155/2020/8816172

  13. Emura, K.: Generic construction of public-key authenticated encryption with keyword search revisited: stronger security and efficient construction. In: ASIA Public-Key Cryptography Workshop. pp. 39–49. APKC ’22, Association for Computing Machinery, New York, NY, USA (2022). https://doi.org/10.1145/3494105.3526237

  14. Emura, K., Miyaji, A., Rahman, M.S., Omote, K.: Generic constructions of secure-channel free searchable encryption with adaptive security. Secur. Commun. Netw. 8(8), 1547–1560 (2015). https://doi.org/10.1002/sec.1103

  15. Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for diffie–hellman assumptions. J. Cryptol. 30(1), 242–288 (2015). https://doi.org/10.1007/s00145-015-9220-6


  16. Fang, L., Susilo, W., Ge, C., Wang, J.: A secure channel free public key encryption with keyword search scheme without random oracle. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 248–258. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10433-6_16


  17. Gentry, C., Waters, B.: Adaptive security in broadcast encryption systems (with short ciphertexts). In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 171–188. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_10


  18. Huang, Q., Li, H.: An efficient public-key searchable encryption scheme secure against inside keyword guessing attacks. Inf. Sci. 403–404, 1–14 (2017). https://doi.org/10.1016/j.ins.2017.03.038, https://www.sciencedirect.com/science/article/pii/S0020025516321090

  19. Jutla, C.S., Roy, A.: Shorter quasi-adaptive NIZK proofs for linear subspaces. J. Cryptol. 30(4), 1116–1156 (2016). https://doi.org/10.1007/s00145-016-9243-7


  20. Liu, X., He, K., Yang, G., Susilo, W., Tonien, J., Huang, Q.: Broadcast authenticated encryption with keyword search. In: Baek, J., Ruj, S. (eds.) ACISP 2021. LNCS, vol. 13083, pp. 193–213. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90567-5_10


  21. Pan, X., Li, F.: Public-key authenticated encryption with keyword search achieving both multi-ciphertext and multi-trapdoor indistinguishability. J. Syst. Architect. 115, 102075 (2021). https://doi.org/10.1016/j.sysarc.2021.102075, https://www.sciencedirect.com/science/article/pii/S1383762121000643

  22. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_36


  23. Yau, W.-C., Heng, S.-H., Goi, B.-M.: Off-line keyword guessing attacks on recent public key encryption with keyword search schemes. In: Rong, C., Jaatun, M.G., Sandnes, F.E., Yang, L.T., Ma, J. (eds.) ATC 2008. LNCS, vol. 5060, pp. 100–105. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-69295-9_10



Corresponding author

Correspondence to Sayantan Mukherjee.


A Security Models of [20]


In [20], Liu et al. introduced broadcast authenticated encryption with keyword search (BAEKS) as an extension of public-key authenticated encryption with keyword search (PAEKS) [18]. To capture the challenges of this new primitive, [20] introduced several security games. We reproduce the games from [20] next for completeness. They introduced four security games: two to capture the security of trapdoors and two to capture the security of ciphertexts.

Trapdoor Privacy. Informally, trapdoor privacy captures that trapdoors do not leak the keywords they encode. The formal security game that follows is reproduced verbatim from [20].

  • \(\textbf{Setup}\): Given security parameter, the challenger \(\mathcal {C}\) sends the public parameter \(\textsf{pp}\), the challenge sender’s public key \((\textsf{pk}_{{\textsf{S}}^*})\) and the challenge receiver’s public key \((\textsf{pk}_{{\textsf{R}}^*})\) to the adversary \(\mathcal {A}\).

  • \(\mathbf {Query\ Phase}\text {-}\textsf{I}\):

    • Hash Queries: \(\mathcal {C}\) responds to hash queries with random numbers.

    • Ciphertext Query: Given a keyword \(\omega \), a receiver set’s public keys \(\mathcal {R}= \{\textsf{pk}_{\textsf{R}_1},\ldots ,\textsf{pk}_{\textsf{R}_\ell }\}\), \(\mathcal {C}\) computes a ciphertext w.r.t \(\textsf{sk}_{{\textsf{S}}^*}\), \(\omega \) and \(\mathcal {R}\) and returns it to \(\mathcal {A}\).

    • Trapdoor Query: Given a keyword \(\tilde{\omega }\), a sender’s public key \(\textsf{pk}_{\widetilde{\textsf{S}}}\), a chosen public key \(\textsf{pk}_{\textsf{R}_i}\in \mathcal {R}\), it computes a trapdoor \(\textsf{Tr}\) w.r.t. \(\textsf{pk}_{\widetilde{\textsf{S}}}\), \(\tilde{\omega }\) and \(\textsf{pk}_{\textsf{R}_i}\), returns it to \(\mathcal {A}\).

  • \(\textbf{Challenge}\): \(\mathcal {A}\) chooses two keywords \(({\tilde{\omega }}^*_0,{\tilde{\omega }}^*_1)\) such that \(({\tilde{\omega }}^*_0,\mathcal {R})\) and \(({\tilde{\omega }}^*_1,\mathcal {R})\) have not been queried for ciphertexts where \(\textsf{pk}_{{\textsf{R}}^*}\in \mathcal {R}\), and \(({\tilde{\omega }}^*_0,\textsf{pk}_{{\textsf{S}}^*})\) and \(({\tilde{\omega }}^*_1,\textsf{pk}_{{\textsf{S}}^*})\) have not been queried for trapdoors and sends them to \(\mathcal {C}\). \(\mathcal {C}\) randomly chooses a bit \(b\hookleftarrow \{0,1\}\) and provides \(\mathcal {A}\) with a trapdoor \(\textsf{Tr}^*\leftarrow \textsf{Trapdoor}(\textsf{pk}_{{\textsf{S}}^*},{\tilde{\omega }}^*_b,\textsf{sk}_{{\textsf{R}}^*})\) and returns it to \(\mathcal {A}\).

  • \(\mathbf {Query\ Phase}\text {-}\textsf{II}\): Similar to \(\mathbf {Query\ Phase}\text {-}\textsf{I}\) maintaining natural restrictions.

  • \(\textbf{Guess}\): \(\mathcal {A}\) guesses a bit \(b'\) and wins if \(b = b'\).
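An added sketch, not code from this paper or from [20]: the Trapdoor Privacy challenger with its query bookkeeping, run over a toy HMAC/Diffie-Hellman keyword-search scheme constructed here purely to make the game executable. It assumes a simplified trapdoor oracle that answers only for the challenge receiver, and it shows why the "natural restrictions" are needed: with `enforce=False`, a single ciphertext query on \(\tilde{\omega }^*_0\) combined with the scheme's Test algorithm reveals \(b\).

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3  # toy group, constructed for illustration (not a secure size)

def mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def keygen():
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)

def shared(sk, pk):  # static Diffie-Hellman key of one sender/receiver pair
    return hashlib.sha256(pow(pk, sk, P).to_bytes(16, "big")).digest()

def trapdoor(pk_s, w, sk_r):  # Trapdoor(pk_S, w, sk_R), deterministic in this toy
    return mac(shared(sk_r, pk_s), w.encode())

def srch_enc(sk_s, w, receivers):  # SrchEnc(sk_S, w, R): one tag per receiver
    r = secrets.token_bytes(16)
    return r, [mac(mac(shared(sk_s, pk), w.encode()), r) for pk in receivers]

def matches(ct, tr):  # the toy scheme's Test algorithm
    r, tags = ct
    return any(hmac.compare_digest(mac(tr, r), t) for t in tags)

class TrapdoorPrivacyGame:
    def __init__(self, enforce=True):
        self.sk_s, self.pk_s = keygen()  # challenge sender S*
        self.sk_r, self.pk_r = keygen()  # challenge receiver R*
        self.enforce, self.b, self.chal = enforce, None, ()
        self.queried = set()  # keywords already tied to S* or R* by an oracle

    def _check(self, w):
        if self.enforce and w in self.chal:
            raise PermissionError("query on a challenge keyword")
        self.queried.add(w)

    def ciphertext_query(self, w, receivers):
        if self.pk_r in receivers:  # restricted only when R* is in the set
            self._check(w)
        return srch_enc(self.sk_s, w, receivers)

    def trapdoor_query(self, w, pk_s):
        if pk_s == self.pk_s:  # restricted only for the challenge sender
            self._check(w)
        return trapdoor(pk_s, w, self.sk_r)

    def challenge(self, w0, w1):
        if self.enforce and {w0, w1} & self.queried:
            raise PermissionError("challenge keyword was queried in Phase I")
        self.chal, self.b = (w0, w1), secrets.randbelow(2)
        return trapdoor(self.pk_s, self.chal[self.b], self.sk_r)

    def guess(self, b_prime):
        return b_prime == self.b

def linking_adversary(game, w0="invoice", w1="payroll"):
    tr_star = game.challenge(w0, w1)
    ct = game.ciphertext_query(w0, [game.pk_r])  # the query the restriction forbids
    return game.guess(0 if matches(ct, tr_star) else 1)
```
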

Ciphertext Indistinguishability. Informally, ciphertext indistinguishability captures that ciphertexts do not leak the keywords they encode. The formal security game is as follows.

  • \(\textbf{Setup}\): Given security parameter, the challenger \(\mathcal {C}\) sends the public parameter \(\textsf{pp}\), the challenge sender’s public key \((\textsf{pk}_{{\textsf{S}}^*})\) and the challenge receiver’s set public key \(({{\mathcal {R}}^*} = \{\textsf{pk}_{{\textsf{R}}^*_1},\ldots ,\textsf{pk}_{{\textsf{R}}^*_\ell }\})\) to the adversary \(\mathcal {A}\).

  • \(\mathbf {Query\ Phase}\text {-}\textsf{I}\):

    • Hash Queries: \(\mathcal {C}\) responds to hash queries with random numbers.

    • Ciphertext Query: Given a keyword \(\omega \), a receiver set’s public keys \(\mathcal {R}= \{\textsf{pk}_{\textsf{R}_1},\ldots ,\textsf{pk}_{\textsf{R}_\ell }\}\), \(\mathcal {C}\) computes a ciphertext w.r.t \(\textsf{sk}_{{\textsf{S}}^*}\), \(\omega \) and \(\mathcal {R}\) and returns it to \(\mathcal {A}\).

    • Trapdoor Query: Given a keyword \(\tilde{\omega }\), a sender’s public key \(\textsf{pk}_{\widetilde{\textsf{S}}}\), a chosen public key \(\textsf{pk}_{\textsf{R}_i}\in \mathcal {R}\), it computes a trapdoor \(\textsf{Tr}\) w.r.t. \(\textsf{pk}_{\widetilde{\textsf{S}}}\), \(\tilde{\omega }\) and \(\textsf{sk}_{\textsf{R}_i}\), returns it to \(\mathcal {A}\).

  • \(\textbf{Challenge}\): \(\mathcal {A}\) chooses two keywords \(({\omega }^*_0,{\omega }^*_1)\) such that \(({\omega }^*_0,\textsf{pk}_{{\textsf{S}}^*})\) and \(({\omega }^*_1,\textsf{pk}_{{\textsf{S}}^*})\) have not been queried for trapdoors and sends them to \(\mathcal {C}\). \(\mathcal {C}\) randomly chooses a bit \(b\hookleftarrow \{0,1\}\) and provides \(\mathcal {A}\) with a ciphertext \(\textsf{Ct}^*\leftarrow \textsf{SrchEnc}(\textsf{sk}_{{\textsf{S}}^*},{\omega }^*_b,{{\mathcal {R}}^*})\) and returns it to \(\mathcal {A}\).

  • \(\mathbf {Query\ Phase}\text {-}\textsf{II}\): Similar to \(\mathbf {Query\ Phase}\text {-}\textsf{I}\) maintaining natural restrictions.

  • \(\textbf{Guess}\): The adversary guesses a bit \(b'\) and wins if \(b = b'\).

Anonymity. Informally, anonymity captures that ciphertexts do not leak the receiver set they encode. The formal security game is as follows.

  • \(\textbf{Setup}\): Given security parameter, the challenger \(\mathcal {C}\) sends the public parameter \(\textsf{pp}\), the challenge sender’s public key \((\textsf{pk}_{{\textsf{S}}^*})\) and the challenge receiver’s set public key \(({\mathcal {R}}^*_0 = \{\textsf{pk}_{{\textsf{R}}^*_0},\textsf{pk}_{{\textsf{R}}^*_2},\ldots ,\textsf{pk}_{{\textsf{R}}^*_\ell }\})\), \(({\mathcal {R}}^*_1 = \{\textsf{pk}_{{\textsf{R}}^*_1},\textsf{pk}_{{\textsf{R}}^*_2},\ldots ,\textsf{pk}_{{\textsf{R}}^*_\ell }\})\) to the adversary \(\mathcal {A}\).

  • \(\mathbf {Query\ Phase}\text {-}\textsf{I}\):

    • Hash Queries: \(\mathcal {C}\) responds to hash queries with random numbers.

    • Ciphertext Query: Given a keyword \(\omega \), a receiver set’s public keys \(\mathcal {R}= \{\textsf{pk}_{\textsf{R}_1},\ldots ,\textsf{pk}_{\textsf{R}_\ell }\}\), \(\mathcal {C}\) computes a ciphertext w.r.t \(\textsf{sk}_{{\textsf{S}}^*}\), \(\omega \) and \(\mathcal {R}\) and returns it to \(\mathcal {A}\).

    • Trapdoor Query: Given a keyword \(\tilde{\omega }\), a sender’s public key \(\textsf{pk}_{\widetilde{\textsf{S}}}\), a chosen public key from \(\{\textsf{pk}_{\textsf{R}_0},\textsf{pk}_{\textsf{R}_1}\}\), it computes a trapdoor \(\textsf{Tr}\) w.r.t. \(\textsf{pk}_{\widetilde{\textsf{S}}}\), \(\tilde{\omega }\) and \(\textsf{pk}_{\textsf{R}_i}\) for \(i\in \{0,1\}\), returns it to \(\mathcal {A}\).

  • \(\textbf{Challenge}\): \(\mathcal {A}\) chooses a keyword \({\omega }^*\) such that \(({\omega }^*,\textsf{pk}_{{\textsf{S}}^*})\) has not been queried for trapdoors and sends them to \(\mathcal {C}\). \(\mathcal {C}\) randomly chooses a bit \(b\hookleftarrow \{0,1\}\) and provides \(\mathcal {A}\) with \(\textsf{Ct}^*\leftarrow \textsf{SrchEnc}(\textsf{sk}_{{\textsf{S}}^*},{\omega }^*,{{\textsf{R}}^*_b})\) and returns it to \(\mathcal {A}\).

  • \(\mathbf {Query\ Phase}\text {-}\textsf{II}\): Similar to \(\mathbf {Query\ Phase}\text {-}\textsf{I}\) maintaining natural restrictions.

  • \(\textbf{Guess}\): The adversary guesses a bit \(b'\) and wins if \(b = b'\).

Trapdoor Anonymity. Informally, trapdoor anonymity captures that trapdoors do not leak the receiver information they encode. The formal security game is as follows.

  • \(\textbf{Setup}\): Given security parameter, the challenger \(\mathcal {C}\) sends the public parameter \(\textsf{pp}\), the challenge sender’s public key \((\textsf{pk}_{{\textsf{S}}^*})\) and two challenge receiver’s public key \((\textsf{pk}_{{\textsf{R}}^*_0},\textsf{pk}_{{\textsf{R}}^*_1})\) to the adversary \(\mathcal {A}\).

  • \(\mathbf {Query\ Phase}\text {-}\textsf{I}\):

    • Hash Queries: \(\mathcal {C}\) responds to hash queries with random numbers.

    • Ciphertext Query: Given a keyword \(\omega \), a receiver set’s public keys \(\mathcal {R}= \{\textsf{pk}_{\textsf{R}_1},\ldots ,\textsf{pk}_{\textsf{R}_\ell }\}\), \(\mathcal {C}\) computes a ciphertext w.r.t \(\textsf{sk}_{{\textsf{S}}^*}\), \(\omega \) and \(\mathcal {R}\) and returns it to \(\mathcal {A}\).

    • Trapdoor Query: Given a keyword \(\tilde{\omega }\), a sender’s public key \(\textsf{pk}_{\widetilde{\textsf{S}}}\), a chosen public key from \(\{\textsf{pk}_{\textsf{R}_0},\textsf{pk}_{\textsf{R}_1}\}\), it computes a trapdoor \(\textsf{Tr}\) w.r.t. \(\textsf{pk}_{\widetilde{\textsf{S}}}\), \(\tilde{\omega }\) and \(\textsf{pk}_{\textsf{R}_i}\) for \(i\in \{0,1\}\), returns it to \(\mathcal {A}\).

  • \(\textbf{Challenge}\): \(\mathcal {A}\) chooses a keyword \({\tilde{\omega }}^*\) such that \(({\tilde{\omega }}^*_0,\textsf{pk}_{{\textsf{S}}^*})\) has not been queried for trapdoors and \(({\tilde{\omega }}^*,\mathcal {R})\) has not been queried for ciphertexts where \({\textsf{R}}^*_0,{\textsf{R}}^*_1\) have different inclusion relationships with \(\mathcal {R}\), and sends them to \(\mathcal {C}\). \(\mathcal {C}\) randomly chooses a bit \(b\hookleftarrow \{0,1\}\) and provides \(\mathcal {A}\) with a trapdoor \(\textsf{Tr}^*\leftarrow \textsf{Trapdoor}(\textsf{pk}_{{\textsf{S}}^*},{\tilde{\omega }}^*,\textsf{sk}_{{\textsf{R}}^*_b})\) and returns it to \(\mathcal {A}\).

  • \(\mathbf {Query\ Phase}\text {-}\textsf{II}\): Similar to \(\mathbf {Query\ Phase}\text {-}\textsf{I}\) maintaining natural restrictions.

  • \(\textbf{Guess}\): \(\mathcal {A}\) guesses a bit \(b'\) and wins if \(b = b'\).


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Mukherjee, S. (2023). Statistically Consistent Broadcast Authenticated Encryption with Keyword Search. In: Simpson, L., Rezazadeh Baee, M.A. (eds) Information Security and Privacy. ACISP 2023. Lecture Notes in Computer Science, vol 13915. Springer, Cham. https://doi.org/10.1007/978-3-031-35486-1_23


  • DOI: https://doi.org/10.1007/978-3-031-35486-1_23


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-35485-4

  • Online ISBN: 978-3-031-35486-1

  • eBook Packages: Computer Science, Computer Science (R0)
