Generic constructions of integrated PKE and PEKS

Abstract

In this paper we investigate the topic of integrated public-key encryption (PKE) and public-key encryption with keyword search (PEKS) schemes (PKE–PEKS as shorthand). We first formalize the strongest security notion to date for PKE–PEKS schemes, named joint CCA-security. We then propose two simple constructions of jointly CCA-secure PKE–PEKS schemes from anonymous (hierarchical) identity-based encryption schemes. Besides, we also define the notion of consistency for PKE–PEKS schemes, as well as revisit its related notions (including consistency of PEKS schemes, robustness and collision-freeness of IBE schemes), which may be of independent interest.

Appendix: Review of standard definitions

1.1 Public-key encryption with keyword search

A non-interactive PEKS scheme [12] consists of four PPT algorithms as follows:

• \(\mathsf {KeyGen}(\kappa )\): take as input a security parameter \(\kappa \), output a public/secret key pair \((pk, sk)\). Let \(W\) be the set of all possible keywords.

• \(\mathsf {Encrypt}(pk, w)\): take as input a public key \(pk\) and a keyword \(w \in W\), output a ciphertext \(s\).

• \(\mathsf {TokenGen}(sk, w)\): take as input a secret key \(sk\) and a keyword \(w \in W\), output a token \(t_w\).

• \(\mathsf {Test}(t_w, s)\): take as input a token \(t_w\) and a ciphertext \(s \leftarrow \mathsf {Encrypt}(pk, w')\), output 1 if \(w' = w\) and 0 otherwise.

The IND-PEKS-CPA security for PEKS schemes is defined by the following experiment:

Setup: \(\mathcal {CH}\) runs \(\mathsf {KeyGen}(\kappa )\) to generate \((pk, sk)\) and gives \(\mathcal {A}\) the public key \(pk\).

Phase 1: \(\mathcal {A}\) can adaptively make token queries \(\langle w \rangle \). \(\mathcal {CH}\) responds with \(t_w \leftarrow \mathsf {TokenGen}(sk, w)\).

Challenge: \(\mathcal {A}\) outputs two distinct keywords \(w_0^*, w_1^* \in W\) subject to the restriction that they had not been asked for tokens in Phase 1. \(\mathcal {CH}\) picks a random bit \(b\) and sends \(c^* \leftarrow \mathsf {Encrypt}(pk, w_b^*)\) to \(\mathcal {A}\) as the challenge ciphertext.

Phase 2: \(\mathcal {A}\) can adaptively make more token queries \(\langle w \rangle \) subject to the restriction that \(w \ne w_0^*, w_1^*\). \(\mathcal {CH}\) responds the same way as in Phase 1.

Guess: \(\mathcal {A}\) outputs a guess \(b'\) for \(b\) and succeeds if \(b' = b\). We denote this event by \({\mathsf {SuccA}}\) and define \(\mathcal {A}\)’s advantage as \(\mathrm {Adv}_{\mathcal {A}, \text {PEKS}}^{\text {IND-CPA}}(\kappa ) \mathop {=}\limits ^{def }|\Pr [{\mathsf {SuccA}}] - 1/2|\).

Definition 8.1

A PEKS scheme is \((t, q_w, \epsilon )\) IND-PEKS-CPA secure if for all \(t\)-time adversaries making at most \(q_w\) token queries have advantage at most \(\epsilon \) in the above experiment.

The IND-PEKS-CCA security for PEKS schemes can be defined by a similar experiment by giving the adversary access to an additional test oracle which can determine if \(c\) is an encryption of \(w\). To avoid triviality, test queries \(\langle c^*, w_0^* \rangle \) and \(\langle c^*, w_1^* \rangle \) are not allowed in Phase 2.

Definition 8.2

A PEKS scheme is \((t, q_w, q_t, \epsilon )\) IND-PEKS-CCA secure if for all \(t\)-time adversaries making at most \(q_w\) token queries and at most \(q_t\) test queries have advantage at most \(\epsilon \) in the IND-PEKS-CCA experiment.

1.2 Hierarchical identity-based encryption

Hierarchical identity-based encryption (HIBE) [29, 34] is a generalization of IBE [9] to identities supporting hierarchical structures. In an HIBE scheme, identities are hierarchical and take the form \(id = (id_1, id_2, \dots )\). Each user in the hierarchy can act as a local key-generation authority for all subordinate hierarchical identities. An HIBE scheme consists of five PPT algorithms as follows:

• \(\mathsf {KeyGen}(\kappa , \ell )\): take as input a security parameter \(\kappa \) and a parameter \(\ell \) for the maximum depth of the HIBE, output a master public/secret key pair \((mpk, msk)\). Let \(I\) be the identity space, \(M\) be the message space, and \(C\) be the ciphertext space. We assume \(mpk\) is used as an implicit input for algorithms \(\mathsf {Extract}\), \(\mathsf {Derive}\), as well as \(\mathsf {Decrypt}\),

• \(\mathsf {Extract}(msk, id)\): take as input \(msk\) and an identity \(id \in I\), output a decryption key \(dk_{id}\).⁸

• \(\mathsf {Derive}(dk_{id}, id')\): take as input a decryption key \(dk_{id}\) for identity \(id = (id_1, \dots , id_{j-1})\) of depth \(j-1\) and an identity \(id' = (id_1, \dots , id_j)\) of depth \(j\), output a decryption key \(dk_{id'}\) for \(id'\).

• \(\mathsf {Encrypt}(mpk, id, m)\): take as input \(mpk\), an identity \(id \in I\), and a message \(m \in M\), output a ciphertext \(c \in C\).

• \(\mathsf {Decrypt}(dk_{id}, c)\): take as input a decryption key \(dk_{id}\) for identity \(id\) and a ciphertext \(c \in C\), output a message \(m \in M\) or a reject symbol \(\bot \) indicating \(c\) is invalid.

The basic security notion for HIBE schemes is indistinguishability against adaptive chosen-plaintext attack (IND-HIBE-CPA), which is defined by the following experiment:

Setup: \(\mathcal {CH}\) runs \(\mathsf {KeyGen}(\kappa , \ell )\) to generate \((pk, sk)\) and gives \(\mathcal {A}\) the master public key \(mpk\).

Phase 1: \(\mathcal {A}\) can adaptively make decryption key extraction queries \(\langle id \rangle \). \(\mathcal {CH}\) responds with \(dk_{id} \leftarrow \mathsf {Extract}(msk, id)\).

Challenge: \(\mathcal {A}\) outputs two distinct messages \(m_0^*\), \(m_1^*\) and an identity \(id^*\) subject to the restriction that any prefix of \(id^*\) had not been queried for decryption keys in Phase 1. \(\mathcal {CH}\) randomly picks a bit \(b\) and sends \(c^* \leftarrow \mathsf {Encrypt}(mpk, id^*, m_b^*)\) to \(\mathcal {A}\) as the challenge ciphertext.

Phase 2: \(\mathcal {A}\) can adaptively make more decryption key extraction queries \(\langle id \rangle \) subject to the restriction that \(id\) is not a prefix of \(id^*\). \(\mathcal {CH}\) responds the same way as in Phase 1.

Guess: \(\mathcal {A}\) outputs a guess \(b'\) for \(b\) and succeeds if \(b' = b\). We denote this event by \({\mathsf {SuccA}}\) and define \(\mathcal {A}\)’s advantage as \(Adv _{\mathcal {A}, \text {HIBE}}^{\text {IND-CPA}}(\kappa ) \mathop {=}\limits ^{def }|\Pr [{\mathsf {SuccA}}]- 1/2|\).

Definition 8.3

A HIBE scheme is \((t, q_k, \epsilon )\) IND-HIBE-CPA secure if for all \(t\)-time adversaries making at most \(q_k\) decryption key extraction queries have advantage at most \(\epsilon \) in the above experiment.

Selective-identity IND-HIBE-CPA security can be defined similarly. The difference is that the adversary has to commit a target identity \(id^*\) before seeing \(mpk\) and is not allowed to query decryption keys for any prefix of \(id^*\) throughout the experiment.

Orthogonal to security, anonymity is introduced to capture identity privacy, which ensures the ciphertext reveals no information about the recipient’s identity. To allow a fine-grained treatment, Abdalla et al. [2] defined anonymity regarding to a set \(L\) of levels, meaning that in the anonymous experiment the adversary is challenged to distinguished two distinct identities differing only at levels \(l \in L\). For ease of notation, we will write \(l\) rather than \(\{l\}\) when \(L = \{l\}\) is a singleton set. Let \(\mathsf {diff}(\cdot , \cdot )\) be a function outputting the set of levels at which the two input identities differ. We recall the definition of anonymity for HIBE schemes as follows:

Setup: \(\mathcal {CH}\) runs \(\mathsf {KeyGen}(\kappa )\) to generate \((pk, sk)\) and gives \(\mathcal {A}\) the master public key \(mpk\).

Phase 1: \(\mathcal {A}\) can adaptively make decryption key queries \(\langle id \rangle \). \(\mathcal {CH}\) responds with \(dk_{id} \leftarrow \mathsf {Extract}(msk, id)\).

Challenge: \(\mathcal {A}\) outputs a message \(m^*\) and two distinct identities \(id_0^*\), \(id_1^*\) subject to the restrictions that any prefix of \(id_0^*\) and \(id_1^*\) had not been asked for decryption keys and \(\mathsf {diff}(id_0^*, id_1^*) \subset L\). \(\mathcal {CH}\) picks a random \(b \in \{0,1\}\) and gives \(c^* \leftarrow \mathsf {Encrypt}(mpk, id_b^*, m^*)\) to \(\mathcal {A}\) as the challenge ciphertext.

Phase 2: \(\mathcal {A}\) can adaptively make more decryption key extraction queries for any identity \(id\) subject to the restriction that \(id\) is not a prefix of \(id_0^*\) or \(id_1^*\). \(\mathcal {CH}\) responds the same way as in Phase 1.

Guess: \(\mathcal {A}\) outputs a guess \(b'\) for \(b\) and succeeds if \(b'=b\). We denote this event by \({\mathsf {SuccA}}\) and define \(\mathcal {A}\)’s advantage as \(Adv _{\mathcal {A}, \text {HIBE}}^{\text {ANO-CPA}}(\kappa ) \mathop {=}\limits ^{def }|\Pr [{\mathsf {SuccA}}]- 1/2|\).

Definition 8.4

A HIBE scheme is \((t, q_k, \epsilon )\) ANO-HIBE-CPA \([L]\)-anonymous if for all \(t\)-time adversaries making at most \(q_k\) decryption key extraction queries have advantage at most \(\epsilon \) in the above experiment.

When considering anonymity for HIBE schemes in the presence of chosen-ciphertext attack, we obtain the ANO-PEKS-CCA security [3], which is defined by a similar experiment as above by giving the adversary additional access to a decryption oracle subject the natural restriction that decryption queries \(\langle id_0^*, c^* \rangle \) and \(\langle id_1^*, c^* \rangle \) are not allowed in Phase 2.

Definition 8.5

A HIBE scheme is \((t, q_k, q_d, \epsilon )\) ANO-HIBE-CCA \([L]\)-anonymous if for all \(t\)-time adversaries making at most \(q_k\) decryption key extraction queries and at most \(q_d\) decryption queries have advantage at most \(\epsilon \) in the ANO-HIBE-CCA experiment.

1.3 Signatures

A signature scheme consists of three PPT algorithms as follows:

• \(\mathsf {KeyGen}(\kappa )\): take as input a security parameter \(\kappa \), output a verification key \(vk\) and a signing key \(sk_\sigma \). Let \(M\) be the message space.

• \(\mathsf {Sign}(sk_\sigma , m)\): take as input a signing key \(sk_\sigma \) and a message \(m \in M\), output a signature \(\sigma \).

• \(\mathsf {Verify}(vk, m, \sigma )\): take as input a verification key \(vk\), a message \(m\), and a signature \(\sigma \), output \(1\) indicates “acceptance” and \(0\) indicates “rejection”.

For the correctness of a signature scheme, we require that for all \((vk,sk_\sigma ) \leftarrow \mathsf {KeyGen}(\kappa )\) and all \(m \in M\), \(\mathsf {Verify}(vk, m, \mathsf {Sign}(sk_\sigma ,m)) = 1\) always holds. If \((\sigma , m)\) satisfies \(\mathsf {Verify}(vk, m, \sigma ) = 1\), then \(\sigma \) is said to be a valid signature of message \(m\) under the verification key \(vk\).

A strong notion of security for signature schemes is strong existential unforgeability under adaptive chosen-message attack (sEUF-CMA), which is defined by the following experiment:

Setup: \(\mathcal {CH}\) runs \(\mathsf {KeyGen}(\kappa )\) to generate \((vk, sk_\sigma )\) and gives \(\mathcal {A}\) the verification key \(vk\).

Forgery: \(\mathcal {A}\) may do one of the following:

• \(\mathcal {A}\) adaptively make signing queries \(\langle m_i \rangle \), and is then given in return \(\sigma _i \leftarrow \mathsf {Sign}(sk_\sigma , m_i)\). After this, \(\mathcal {A}\) outputs \((m^*, \sigma ^*)\).

• \(\mathcal {A}\) outputs \((m^*, \sigma ^*)\) without making any signing queries. In this case \((m_i, \sigma _i)\) are undefined.

We denote the event that \(\mathcal {A}\) outputs \((m^*, \sigma ^*)\) such that \(\mathsf {Verify}(vk, m^*, \sigma ^*) = 1\) but \((m^*, \sigma ^*) \ne (m_i, \sigma _i)\) (if \((m_i, \sigma _i)\) are defined) as \({\mathsf {SuccA}}\), and define \(\mathcal {A}\)’s advantage as \(\mathrm {Adv}_{\mathcal {A}, \text {SIG}}^{\text {sEUF-CMA}} \mathop {=}\limits ^{def }\Pr [{\mathsf {SuccA}}]\).

Definition 8.6

A signature scheme is \((t, q_s, \epsilon )\) sEUF-CMA secure if for all \(t\)-time adversaries making at most \(q_s\) signing queries have advantage at most \(\epsilon \) in the above experiment. Particularly, a signature scheme is one-time strongly unforgeable if it is \((t, 1, \epsilon )\) sEUF-CMA secure.