Privacy-preserving conjunctive keyword search on encrypted data with enhanced fine-grained access control

Abstract

Cloud storage over the internet gives opportunities for easy data sharing. To preserve the privacy of sharing data, the outsourced data is usually encrypted. The searchable encryption technique provides a solution to find the target data in the encrypted form. And the public-key encryption with keyword search is regarded as a major approach for the searchable encryption technique. However, there are still several privacy leakage challenges for the further adoption of these major schemes. One is how to resist the keyword guessing attack which still leaks data user’s keywords privacy. Another is how to construct the access control policy to prevent illegal access of outsourced data sharing since illegal access always leak the privacy of user’s attribute. In our paper, we firstly try to design a novel secure keyword index to resist the keyword guessing attack from access pattern and search pattern. Second, we propose an attribute-based encryption scheme which supports an enhanced fine-grained access control search. This allows the authenticated users to access different data although their searching request contains the same queried keywords, and meanwhile unauthenticated users cannot get any attribute privacy information. Third, we give security proofs to show that the construction of keyword index is against keyword guessing attack from the access pattern and search pattern, and our scheme is proved to be IND-CPA secure (the indistinguishability under chosen plaintext attack) under the standard model. Finally, theoretical analyses and a series of experiments are conducted to demonstrate the efficiency of our scheme.

Appendices

Appendix A: Construction algorithms of γ, A, C

In this part, the construction algorithms about the γ, A, C are given, that is, the keywords encryption and generation of empty array B[N₁] (Algorithm 1), the construction of TKFT (Algorithm 2), the construction of GIP (Algorithm 3) and the files encryption of CP-ABE (Algorithm 4). We give these 4 detailed sub-algorithms respectively below.

In Algorithm 1, the keyword entry pair (KEP) is obtained by keywords encryption, and the “B[N₁]” is a empty array with size N₁ which will be used to indicate the containing relationships between each keyword in M^′ and true files in F₁. This algorithm will output \(KEP=\left \{{I_{1}},{I_{2}},\cdots ,{I_{m^{\prime }}}\right \}\) and \(B[N_{1}]=\left \{{B_{1}[N_{1}]},{B_{2}[N_{1}]},\cdots ,{B_{m^{\prime }}[N_{1}]}\right \}\).

In Algorithm 2, we show the detailed construction of true keyword-files table (e.g., Table 1 in Section 3). First, we should point out that the identifier f_μ in Algorithm 2 is only an identifier instead of the file content. Second, step 1 to 19 in Algorithm 2 indicate the construction of TKFT, where N₂ means that we need to add N₂ fake files so that the generated GIP is of resistance to KGA from access pattern; Third, we get the second empty array “C[N₂]” with size N₂ that will be used in the next Algorithm 3. By Algorithm 2, we can get TKFT (\(P=\left \{{P_{1}},{P_{2}},\cdots ,{P_{m^{\prime }}}\right \}\)) and empty array C[N₂] (\(C[N_{2}]=\left \{{C_{1}[N_{2}]},{C_{2}[N_{2}]},\cdots ,{C_{m^{\prime }}[N_{2}]}\right \}\)).

In Algorithm 3, we present the specific steps of constructing the GIP. According to each keyword w_j’s d(w_j), we randomly find (d₁ − d(w_j)) fake file identifiers and choose (d₁ − d(w_j)) elements of C_j[N₂], 1 ≤ j ≤ m^′. Next, the fake file identifiers substitute the initial elements of C_j[N₂]. In this way, all keywords’ d(w) are equal, where the clearly results of these four steps can be found in Tables 2, 3 and 4 of Section 3. By Algorithm 3, it will return the final GIP (\(\gamma =\left \{{\gamma _{1}},{\gamma _{2}},\cdots ,{\gamma _{m^{\prime }}}\right \}\)).

In Algorithm 4, we give the detailed attribute-based encryption scheme which supports the enhanced fine-grained access control. By steps in algorithm 4, we can get the attribute-file identifier list A (A = {AF^ϕ(1), AF^ϕ(2),⋯ ,AF^ϕ(m)}), and the files ciphertexts C (C = {C₁, C₂,⋯ ,C_N}).

Appendix B: Security proofs

In this part, we will give detailed security proofs for Theorem 1 and Theorem 2.

Theorem 1

By the construction of global index pair, the advantage of adversary inkeyword guessing attack from access pattern and search pattern is less than\(\frac {4}{N^{2}}\)and\(\frac {1}{2^{y}}+negl(\lambda )\),respectively, wherenegl(⋅) is a negligible function.

Proof

By the above search process, we can get a conclusion that the CSP or any un-authenticated entities learn nothing about keywords from the view of access pattern and search pattern simultaneously.

The security of access pattern :

We analyze security about resisting the inside KGA from access pattern in our proposed scheme. Since we add some fake files to F which make the frequencies of keyword d(w_j)(1 ≤ j ≤ m^′) all the same, the CSP cannot get any true high frequency terms by statistical attacks as well as true containing relationships between these real top keywords and the related files from the DO’s access pattern. Suppose the insider attacker CSP wants to get the keywords privacy from DO’s access pattern, we define the advantage of the CSP in this inside attack Pr[success].

Clearly, if the CSP initiates this inside KGA if and only if the following events E₀, E₁ and E₂ hold in the same time:

E₀::

he knows exactly the value of N₁, where N = N₁ + N₂, \(N>N_{1}>N_{2}\geqslant \)1;

E₁::

he can distinguish N₁ true files from N stored files;

E₂::

he gets each keyword’s d(w), where w is in M^′ and |M^′| = m^′.

Hence, the advantage Pr[success] = Pr[E₀ ∧ E₁ ∧ E₂]. Furthermore,

$$\begin{array}{@{}rcl@{}} \text{Pr}[E_{0}\wedge E_{1}\wedge E_{2}] &=&\text{Pr}[E_{0}\wedge E_{1}]\cdot Pr[E_{2}|E_{0}\wedge E_{1}]\\ &=&\text{Pr}[E_{0}\wedge E_{1}]\\ &=&\text{Pr}[E_{0}]\cdot Pr[E_{1}|E_{0}]\\ \end{array} $$

Since N = N₁ + N₂, \(N>N_{1}>N_{2}\geqslant \)1, we can get that 2N₁ > N, Pr[E₀]\(< \frac {1}{\lfloor \frac {N}{2}\rfloor }\) and Pr[E₁|E₀]=\(\frac {1}{\binom {N}{N_{1}}}\). Furthermore,

$$\begin{array}{@{}rcl@{}} \binom{N}{N_{1}}={\frac{N!}{N_{1}!\cdot(N-N_{1})!}} &=&{\frac{N!}{N_{1}!\cdot N_{2}!}}\\ &=&\frac{N(N-1){\cdots} (N_{1}+ 1)}{N_{2}!}\\ &=&\frac{(N_{1}+N_{2})(N_{1}+N_{2}-1)\cdots(N_{1}+ 1)}{N_{2}!}> \frac{(N_{1})^{N_{2}}}{N_{2}!}\\ \end{array} $$

Thus, we have \(\text {Pr[success]}=\text {Pr} [E_{0}\wedge E_{1}\wedge E_{2}] < \frac {1}{\lfloor \frac {N}{2}\rfloor }\cdot \frac {{N_{2}}^{N_{2}-1}}{(N_{1})^{N_{2}}} < \frac {1}{\lfloor \frac {N}{2}\rfloor }\cdot \frac {{N_{1}}^{N_{2}-1}}{(N_{1})^{N_{2}}} < \frac {1}{\lfloor \frac {N}{2}\rfloor }\cdot \frac {1}{N_{1}} < \frac {1}{\lfloor \frac {N}{2}\rfloor }\cdot \frac {1}{\lfloor \frac {N}{2}\rfloor } \approx \frac {4}{N^{2}}\).

According to the security analyses above, the advantage of the adversary launches a successful inside KGA from the access pattern is less than \(\frac {4}{N^{2}}\). That is, the advantage of insider attacker learns keywords privacy from the access pattern is negligible especially in the actual scenario (i.e., N is much larger) and the proposed scheme is secure against the KGA from access pattern.

The security of Search pattern :

We analyze security of the proposed scheme to resist the inside KGA from search pattern. Assume a probabilistic polynomial-time (PPT) adversary \(\mathcal {A}\), who may be an unauthorized DU. In this attack \(\mathcal {A}\) has a valid search token and he knows the set of all keywords. He wants to find a keyword corresponding to a search token. The adversary \(\mathcal {A}\) runs the following KGA algorithm for each keyword:

1. 1)

   \(\mathcal {A}\) encrypts the keyword, generates a keyword ciphertext and then uploads the keyword ciphertext to the CSP;

2. 2)

   \(\mathcal {A}\) sends the valid search token to the CSP;

3. 3)

   The CSP then sends search results to \(\mathcal {A}\).

If the search results match the ciphertext of some keyword, \(\mathcal {A}\) returns the related keyword.

In the most previous PEKS schemes, \(\mathcal {A}\) can easily runs the above algorithm and find the correct keyword with high probability [33], because in these schemes a search token corresponds to a special keyword and the algorithm only outputs the encrypted keyword. So the adversary \(\mathcal {A}\) ensures that the KGA algorithm outputs the correct keyword. In our proposed scheme, we have mitigated this drawback by using fuzzy search token f_tk and true search token t_tk. Assume that the adversary \(\mathcal {A}\) has a valid fuzzy search token f_tk about a keyword and knows the set of all keywords \(M^{\prime }=\left \{ {w_{1}},{w_{2}},\cdots ,{w_{m^{\prime }}}\right \}\). \(\mathcal {A}\) implements the KGA algorithm as follows:

1. 1)

   \(\mathcal {A}\) sets i = 1;

2. 2)

   \(\mathcal {A}\) generates the corresponding keyword ciphertext I_i to the keyword w_i by using hash function h(x),g(x). Then he outsources I_i to the CSP, 1 ≤ i ≤ m^′;

3. 3)

   \(\mathcal {A}\) sends f_tk about only one queried keyword to the CSP;

4. 4)

   The CSP then sends search results q₁ to \(\mathcal {A}\). If \(C_{w_{i}} \in R\), \(\mathcal {A}\) returns w_i, else i = i + 1 and returns to step 2). If i = m and \(C_{w_{i}} \notin R\), \(\mathcal {A}\) returns ⊥.

Because the f_tk is valid, any adversary \(\mathcal {A}\) never returns ⊥. Assume that for an index j ∈{1, 2,⋯ ,m^′}, \(\mathcal {A}\) returns w_j. Then according to the definition of fuzzy search token and true search token, he also returns w_j− 1 or w_j+ 1. Now in order to successfully attack, \(\mathcal {A}\) must make a correct guess between j and j − 1 (or j + 1). So the probability of success in this attack for \(\mathcal {A}\) is Pr[Success] = Pr[guess].

According to the definition of search algorithm and decryption algorithm, the DU only submits the fuzzy search token to the CSP, and then the CSP returns a part of global index pair (i.e., q₁) as query-index where there is a bundled relationship between each queried keyword and a pair of entries in this returned index. Upon receiving the query-index from the CSP, only the DU can extract one of each pair of query entries according to the remainder true search token g(t_w), where the extracted query entries have one-to-one correspondence to this queried keyword. However, the CSP or any un-authenticated entities cannot judge whether two queries are for the same queried keyword or not, since they cannot find the correspondence between the real query entries and queried keyword on the condition that \(\mathcal {A}\) has no information about the true search token. So \(\text {Pr[Success]} \leqslant \frac {1}{2}\), when the value y = 1. So the probability of the adversary successfully getting keywords privacy by the inside KGA from search pattern for y queried keywords is

$$\text{Pr[Success]}\leqslant \frac{1}{2^{y}}+negl(\lambda) $$

for some negligible function negl(⋅). Hence, the proposed scheme is more secure against the inside KGA from search pattern with the larger y. In conclusion, the CSP or other un-authenticated entities cannot get any keywords privacy by effectively launching the inside KGA from access pattern and search pattern.

□

Theorem 2

Assume that there is a PPT adversary \(\mathcal {A}\) breaking our CP-ABE game with non-negligible advantage ε , then a simulator \(\mathcal {S}\) can be constructed which can solve a DBDH instance with a non-negligible advantage \(\frac {\varepsilon }{2}\) .

Proof

We now demonstrate the chosen plaintext attack (CPA) security of our scheme under the decisional bilinear Diffie-Hellman (DBDH) assumption. Given a DBDH problem [\(g,g^{z_{1}},g^{z_{2}},g^{z_{3}},Z\)], the simulator \(\mathcal {S}\) interacts with adversary \(\mathcal {A}\) as following simulation.

Init::

\(\mathcal {A}\) submits the challenge access structures policies \(W^{*}=[W_{1}^{*},W_{2}^{*},{\cdots } W_{i}^{*},\cdots ,W_{n}^{*}]\) to \(\mathcal {S}\).

Setup: \(\mathcal {S}\) runs Setup to generate global parameter GP and master key Msk. That is, \(\mathcal {S}\) sets \(Y_{2}=e(g^{z_{1}},g^{z_{2}})=e(g,g)^{z_{1}z_{2}}\) which implies α = z₁z₂. For each attribute i, 1 ≤ i ≤ n, \(\mathcal {S}\) computes \(A_{it}=g^{a_{it}}\) if \(v_{it}\in W_{i}^{*}\) and \(A_{it}=(g^{z_{1}})^{a_{it}}\) otherwise, where \({\left \{{a_{it}\in {Z_{q}}^{*}}\right \}}_{1\leqslant t\leqslant n_{i}}\) are random. Then \(\mathcal {S}\) publishes GP in the real scheme.

Phase1::

\(\mathcal {A}\) submits the attribute list L for a Gen-private-key query. If L does not satisfy W^∗, \(\mathcal {S}\) will return secret key sk_L. That is, there must be k ∈ {1, 2,⋯ ,n} such that \(L_{k}=v_{kt_{k}}\not \in W_{k}^{*}\). Then for 1 ≤ i ≤ n, \(\mathcal {S}\) selects randomly \({\alpha ^{\prime }_{ui}}\in Z_{q}^{*}\) and \(a_{it_{i}}^{\prime }\in Z_{q}^{*}\). Next, \(\mathcal {S}\) computes \(D_{0}=g^{\alpha -\alpha _{u}}=g^{z_{1}z_{2}-\alpha _{u}}=(g^{z_{2}})^{-{\sum }_{i = 1}^{n} \alpha ^{\prime }_{ui}}\). For the computation of D₁, \(\mathcal {S}\) carries out the following computations. For i = k, \(\mathcal {S}\) computes \(D_{1k}=g^{\frac {\alpha _{uk}}{a_{kt_{k}}}}=g^{\frac {z_{1}z_{2}+z_{2}\cdot \alpha ^{\prime }_{uk}}{z_{2}\cdot a_{kt_{k}}^{\prime }}}=(g^{z_{1}})^{\frac {1}{a_{kt_{k}}^{\prime }}}\cdot g^{\frac {\alpha ^{\prime }_{uk}}{a_{kt_{k}}^{\prime }}}\) and for i≠k, \(D_{1i}=g^{\frac {\alpha _{ui}}{a_{it_{i}}}}=(g^{z_{2}})^{\frac {\alpha ^{\prime }_{ui}}{a_{it_{i}}^{\prime }}}\). It is noted that, from the construction of D₀, D₁, \(\alpha _{uk}=z_{1}z_{2}+z_{2}\cdot {\alpha ^{\prime }_{uk}}\), \(a_{kt_{k}}=z_{2}\cdot a_{kt_{k}}^{\prime }(i=k)\), and \(\alpha _{ui}=\alpha ^{\prime }_{ui}\cdot z_{2}\), \(a_{it_{i}}=a_{it_{i}}^{\prime }\) (i≠k) and so \(\alpha _{u}={\sum }_{i = 1,i\neq k}^{n} \alpha _{ui}+\alpha _{uk}=z_{1}z_{2}+{\sum }_{i = 1}^{n} \alpha ^{\prime }_{ui}\cdot z_{2}\).

Challenge::

\(\mathcal {A}\) submits two equal length challenge values k₀, k₁ to \(\mathcal {S}\). \(\mathcal {S}\) chooses a value μ, μ ∈ {0, 1} and sets \(C_{0}=k_{\mu }\cdot Z, C_{1}=g^{z_{3}}\) which implies s_μ = z₃, and computes the corresponding ciphertext \(\left \{{C_{i,2,t}}\right \}_{{1\leqslant i\leqslant n,1\leqslant t \leqslant n_{i}}}\) for W^∗ as follows: if \(v_{it}\in W_{i}^{*}\), \(C_{i,2,t}=(A_{it})^{z_{3}}=(g^{z_{3}})^{a_{it}}\) (well-formed); if \(v_{it}\not \in W_{i}^{*}\), C_i,2,t are random (mal-formed). Finally, these challenge ciphertexts are sent to \(\mathcal {A}\).

Phase2::

Phase1 is repeated under the premise that the adversary cannot submit such L which L does satisfy W^∗.

Guess::

After the PPT queries in phase 1 and 2, \(\mathcal {A}\) is asked to output a guess μ^′ of μ. If μ^′ = μ, \(\mathcal {S}\) outputs 1 and returns 0 otherwise. If \(Z=e(g,g)^{z_{1}z_{2}z_{3}}\), then challenge ciphertexts are valid, and the advantage of \(\mathcal {A}\) is ε, i.e., the advantage in winning game is \(\left | \text {Pr}[\mathcal {S}\rightarrow 1]|\textit {Z}=\textit {e}(\textit {g},\textit {g})^{\textit {z}_{1}\textit {z}_{2}\textit {z}_{3}}\right |=\left |\text {Pr}[\mu ^{\prime }=\mu ]|\textit {Z}=\textit {e}(\textit {g},\textit {g})^{\textit {z}_{1}\textit {z}_{2}\textit {z}_{3}}\right |=\frac {1}{2}+\varepsilon \). If Z is random, then the challenge ciphertexts are random from the view of \(\mathcal {A}\), and the advantage of \(\mathcal {A}\) is \(\left |\text {Pr}[\mathcal {S}\rightarrow 1]|\textit {Z}\right |=\frac {1}{2}\).

Hence, we can get the conclusion that the simulator \(\mathcal {S}\) has the advantage \(\frac {\varepsilon }{2}\) to solve a given DBDH instance based on the following inference.

$$\begin{array}{@{}rcl@{}} \varepsilon^{\prime}=\left\lvert \text{Pr}[\mu^{\prime}=\mu]-\frac{1}{2}\right\rvert&=&\left\lvert \text{Pr}[\mu^{\prime}=\mu|\mu= 1]\cdot \text{Pr}[\mu= 1]+\text{Pr}[\mu^{\prime}=\mu|\mu= 0]\vphantom{\frac{1}{2}}\right.\\ &&\left.\cdot\text{Pr}[\mu= 0]-\frac{1}{2}\right\rvert=(\varepsilon+\frac{1}{2})\cdot\frac{1}{2}+\frac{1}{2}\cdot\frac{1}{2}-\frac{1}{2}=\frac{\varepsilon}{2} \end{array} $$

(2)

□