Elsevier

Information Sciences

Volume 462, September 2018, Pages 76-92
Information Sciences

Certificateless public key encryption with equality test

https://doi.org/10.1016/j.ins.2018.06.025Get rights and content

Abstract

In this paper, we present the concept of certificateless public key encryption with equality test (CL-PKEET), which integrates certificateless public key cryptography (CL-PKC) into public key encryption with equality test (PKEET) to solve the key escrow problem of identity-based encryption with equality test (IBEET). In the CL-PKEET scheme, the receiver first computes his private key with the receiver’s secret value and the partial private key generated by the key generation center (KGC). The trapdoor is generated with this private key. Then, using the trapdoor, the receiver authorizes the cloud server to test the equivalence between his ciphertexts and others’ ciphertexts. We formalize the system model and definition of CL-PKEET, propose the security models by considering four types of adversaries, and then present a concrete CL-PKEET scheme. Our proposal achieves the IND-CCA security against adversaries without trapdoor, and the OW-CCA security against adversaries with trapdoor. Furthermore, compared with IBEET and PKEET, our proposal which has the features of CL-PKC solves certificate management and key escrow problems simultaneously.

Introduction

In the cloud era, plenty of cloud services offer a broad set of global computation, analytics, storage, deployment, and application services to help organizations run faster and lower IT costs. Considering the potential risks of privacy disclosure, cryptosystems are introduced to encrypt the private data. In order to preserve users’ privacy and meanwhile support searching on the encrypted data, the notion of searchable encryption (SE) was proposed [16]. Based on SE, the well-known public key encryption with keyword search (PEKS) [2], [9] was presented as a solution to support keyword searching over ciphertexts without retrieving messages by using the corresponding trapdoors [3]. However, the PEKS is not suitable for the scenarios participated by multiple users in cloud computing since the ciphertexts are encrypted under the identical public key.

A new notion, called public key encryption with equality test (PKEET), was conceived by Yang et al. [24] to support comparing on the encrypted data with respect to different public keys. This primitive can be used to test whether ciphertexts are generated on the same message in outsourced database. Equality test can be defined like that: let C, C′ be two ciphertexts encrypted under two different public keys, where C=Encrypt(M,PK) and C=Encrypt(M,PK), this algorithm can determine if M=M holds only via comparing C and C′. If it is the case, the algorithm returns 1, or 0 otherwise. Even if the private data are encrypted under different public keys, anyone is able to search data by using the PKEET test function. In some specific scenarios, PKEET, which trivially supports the traditional functionality of PEKS, is an extension of PEKS.

PKEET has many interesting applications, for example, partitioning encrypted email [13] and constructing internet-based personal health record (PHR) [18], [21]. In an email system, the encrypted emails can be classified into different partitions according to the emails’ encrypted keywords. And in a PHR system, the service provider can permit patients to match their encrypted data with those of others. Then the patients with the same illness can get help by exchanging their treatment experiences and mental processes. As all mentioned applications above, the server can check the equality of the provided ciphertexts but learn nothing about the real contents.

However, anyone is able to verify the equality of ciphertexts without any authorization in Yang et al.’s scheme, which violates the data owners’ privacy. Hence, several PKEET schemes with authorization mechanism were proposed. Recently, Ma [13] proposed identity-based encryption with equality test (IBEET), which simplifies the certificate management problem of PKEET and supports user-level authorization.

IBE/CL-PKC. Deriving the receiver’s public key from his identity, formalized by Shamir [17] as identity-based cryptography, is a solution for the certificate management problem of the traditional public key encryption. Based on identity-based cryptography, an important primitive called identity-based encryption (IBE) was presented. Then Boneh and Franklin [4] presented the first practical IBE scheme based on bilinear pairings. Cocks [7] presented a typical IBE scheme based on quadratic residues. IBE is immune to the certificate management problem, such as storage, distribution, verification and revocation. However, it introduces key escrow problem since the receivers’ private keys are generated by the key generation center (KGC). Obviously, IBEET exists the key escrow problem as well. To deal with this problem, an important notion, called certificateless public key cryptography (CL-PKC), was presented by Al-Riyami and Paterson [1].

Public key encryption with equality test. Yang et al. [24] first presented the concept of PKEET and their cryptosystem can be used to determine if two messages in outsourced database is equal by checking the corresponding ciphertexts. Then Tang [22] presented a PKEET scheme supporting fine-grained authorization (FG-PKEET), which introduces authorization mechanism for the first time. Tang [21] proposed a notion, called all-or-nothing PKEET (AoN-PKEET), to support user-level authorization by specifying who can independently test the equivalence between two ciphertexts. Tang [23] proposed a two-proxy scheme extended from FG-PKEET to resist the offline message recovery attacks. Later, Ma et al. [15] introduced a significant primitive called public key encryption with delegated equality test (PKE-DET). This primitive allows only the delegated party to verify the equality of ciphertexts in the scenarios participated by multiple users. Huang et al. [10] proposed a public key encryption scheme with authorized equality test (PKE-AET), which strengthens the privacy protection with user-level warrants and cipher-level warrants. Their construction was broken and fixed by Lee et al. [11]. A notion, called public key encryption with equality test supporting flexible authorization (PKEET-FA), was presented by Ma et al. [14] to support four different types of authorization mechanisms. Recently, Ma [13] proposed the concept of IBEET by combining PKEET and IBE [17] to solve the certificate management problem of PKEET. However, the scheme only achieves the OW-ID-CCA security. Lee et al. [12] proposed a semi-generic construction of PKEET, and proposed the first IBEET achieving the IND-ID-CCA security.

We stress here again that the traditional PKEET exists the certificate management problem and IBEET exists the key escrow problem. We believe that a primitive which has the features of CL-PKC and PKEET could solve both problems simultaneously. Hence, we propose a new primitive, called certificateless public key encryption with equality test (CL-PKEET).

In the CL-PKEET scheme, the receiver first computes his private key with the secret value picked by himself and the partial private key obtained from the KGC. The receiver’s trapdoor is generated with his private key. Then, using the trapdoor, the receiver authorizes the cloud server to test his ciphertexts. It is obvious that the key escrow problem of IBEET could be solved in CL-PKEET. The equality testing procedure in CL-PKEET can be briefly described as follows: let CA and tdA be receiver A’s ciphertext and trapdoor, and CB and tdB receiver B’s ciphertext and trapdoor, respectively. Given (CA, tdA) and (CB, tdB), the cloud server can check whether or not MA=MB holds. Meanwhile, the server learns nothing about the messages MA and MB.

The contribution in this paper is listed below:

  • 1.

    We present the concept of CL-PKEET, which integrates the notion of CL-PKC into PKEET to solve the key escrow problem of IBEET and support user-level authorization.

  • 2.

    We give the system model and formal definition of CL-PKEET. Moreover, we formalize the security models for CL-PKEET by considering four types of adversaries.

  • 3.

    We devise a concrete CL-PKEET scheme, which achieves IND-CCA security against adversaries without trapdoor and OW-CCA security against adversaries with trapdoor.

In Section 2, we recall the definition of asymmetric bilinear groups and BDH assumption. The system model, the definition and the security models of CL-PKEET are given in Section 3. The proposed scheme is shown in Section 4. And in Section 5, we prove its security. In Section 6, we compare our proposal with related schemes, which is followed by the last section to conclude our work.

Section snippets

Asymmetric bilinear groups

Given three cyclic groups G1,G2,GT of prime order q and two random generators g1G1, g2G2, the properties of the asymmetric bilinear map e:G1×G2GT are as follows:

  • Bilinear: aG1, bG2 and u,vZq*, e(au,bv)=e(a,b)uv.

  • Non-degenerate: g1G1 and g2G2 such that e(g1, g2) ≠ 1.

Note that the asymmetric bilinear map e and all the group operations are efficiently computable, but there are no efficiently computable isomorphisms in the bilinear groups G1,G2 and GT if no efficiently computable

Definition of CL-PKEET

Here, we formalize the system model and definition of CL-PKEET, and then define the security models by considering four types of adversaries.

The system model is illustrated in Fig. 1. In CL-PKEET, there are five types of entities:

  • Message sender: an entity which generates and uploads the ciphertexts to the cloud server.

  • Receiver: an entity, which downloads the ciphertexts sent by the message senders from the cloud server, can allow the cloud server to test his ciphertexts.

  • KGC: an entity which

The idea behind our construction

Define PP=(G,g1,g2,g1s, H1, H2, H3, H4, H5, H6) as the public parameter, where G=(q,G1,G2,GT,e), s is the master key, Hi(1 ≤ i ≤ 6) are hash functions and g1G1,g2G2 are random generators. Let x be the receiver’s secret value and ID the receiver’s identity. The receiver’s public key is PK=(X,Y)=(g1sx,g2x) and the partial private key is D=(D1,D2)=(H1(ID)s,H2(ID)s). Let M be a message, α and k two random numbers. The corresponding ciphertext is as follows: {C1=g1H5(M,k)C2=g1αC3=H3(e(X,H1(ID))α,C1

Security analysis

Our CL-PKEET scheme is secure due to the hardness of the BDH problem. To prove the security, we use the proof method in [20].

Theorem 1

For any PPT Type-1 adversary, our proposed scheme is IND-CCA secure based on the BDH assumption in the random oracles.

More in details, let A1 be a Type-1 adversary which has advantage ϵ against our proposal in time t. Suppose A1 makes qpar partial private key queries, qprv private key queries, qpub public key queries, qrep replace public key queries, qD decryption

Efficiency

In this section, we compare our proposal with the schemes in [12], [13], [14], which is shown in Table 1.

In conclusion, our proposal solves both certificate management and key escrow problems simultaneously without sacrificing much efficiency in terms of encryption, decryption and equality test.

Conclusion

In this paper, we presented the notion of CL-PKEET to solve the certificate management problem in PKEET and the key escrow problem in IBEET simultaneously. More in details, we formalized the system model and definition of CL-PKEET and defined the security models by considering four types of adversaries. Finally, we presented a concrete CL-PKEET scheme based on BDH assumption in asymmetric bilinear groups, which achievs IND-CCA security against adversaries without trapdoor and OW-CCA security

Acknowledgment

This work was supported by Shandong Special Project of Education Enrollment Examination (No.ZK1 437B005), Chinese Ministry of Education, Humanities and Social Sciences Research Project (No.14YJCZH 136) and Philosophy and Social Sciences Planning Project of Qingdao (No.QDSKL1701086).

References (24)

  • X. Boyen et al.

    Direct chosen ciphertext security from identity-based techniques

    Proceedings of the 12th ACM Conference on Computer and Communications Security

    (2005)
  • C. Cocks

    An identity based encryption scheme based on quadratic residues

    Cryptography and Coding 2011

    (2001)
  • Cited by (67)

    View all citing articles on Scopus
    View full text