Secure-channel free searchable encryption with multiple keywords: A generic construction, an instantiation, and its implementation

https://doi.org/10.1016/j.jcss.2020.06.003

Abstract

In public key encryption with keyword search (PEKS), a secure channel is required in order to send trapdoors to the server, whereas in secure-channel free PEKS (SCF-PEKS), no such secure channel is required. In this paper, we propose a generic construction of SCF-PEKS with multiple keywords (SCF-MPEKS) from hidden vector encryption, tag-based encryption, and a one-time signature. Our generic construction provides adaptive security, where the test queries are allowed in the security model, and does not require random oracles. In addition to providing an instantiation of our generic construction, which is the first adaptive secure SCF-MPEKS scheme in the standard model, we implement the SCF-MPEKS scheme by using the PBC library. Moreover, we extend the Boneh-Waters range search technique, and show that the running time of our encryption algorithm is approximately twice as fast as that of the Boneh-Waters encryption algorithm.

Introduction

For searching encrypted data in a secure manner, Boneh et al. proposed public key encryption with keyword search (PEKS) [17], which can be adopted to construct an encrypted database. In brief, for a keyword ω, a trapdoor tω is generated by the receiver, who uploads it onto a server. The sender makes a ciphertext of a keyword ω' using the receiver public key, and sends it to the server. The server can test whether ω'=ω using tω. Boneh et al. gave a generic construction of PEKS from anonymous identity-based encryption (anonymous IBE); however, Abdalla et al. [2] pointed out that this generic construction does not satisfy consistency, i.e., a ciphertext of ω' may be found by a trapdoor tω even though ω'≠ω. They proposed a new generic construction of PEKS from anonymous IBE. In this construction, a keyword is regarded as an identity for the anonymous IBE scheme, and a random message R is encrypted under the keyword. A PEKS ciphertext consists of the IBE ciphertext and the random message R, and trapdoors are the decryption keys for keywords. Due to anonymity, no information about a keyword is revealed by the ciphertexts. The server can check whether a ciphertext is associated with ω by checking whether decrypting the ciphertext under the key tω yields R. Later, Abdalla, Bellare, and Neven [3] showed that if the underlying anonymous IBE is robust, then the original Boneh et al. PEKS generic construction also satisfies consistency.

Due to the functionality of PEKS, anyone can run the test algorithm if they obtain trapdoors. Thus, for uploading trapdoors, a secure channel between the receiver and the server is required. Secure-channel free PEKS (SCF-PEKS) [8], [32], [39], [40], [58], [33], [41], [77], [76], [78], [86], [87], which is also known as designated tester PEKS, removes this restriction. The server also has a public/secret key pair, and the sender encrypts a keyword using both the receiver public key and the server public key. The test algorithm is run by using not only trapdoors, but also the server secret key. Note that from the viewpoint of functionality, it seems sufficient to employ SSL/TLS for sending trapdoors to the server. Nevertheless, SCF-PEKS is meaningful from the viewpoint of provable security, where we can guarantee that SCF-PEKS is secure if the underlying complexity assumptions hold. On the other hand, if an additional protocol, such as SSL/TLS, is employed, then we need to assume that the protocol is also secure. In general, however, it is not easy to analyze such protocols, and in fact, many bugs in SSL/TLS have been reported.

Emura et al. [29], [30], [31] showed that SCF-PEKS can be generically constructed from anonymous IBE, tag-based public key encryption (TBE), and one-time signature (OTS). Note that in SCF-PEKS, adversaries who do not have the server's secret key cannot run the test algorithm. However, a malicious-but-legitimate receiver or eavesdropper may send a trapdoor and a ciphertext to the server, and then the server returns the result of the test algorithm. Thus, such adversaries should be allowed to issue test queries adaptively since the server can be regarded as a test oracle. This was formalized as adaptive security [29], [30], [31].

Even though only a single keyword ω is treated in standard PEKS, PEKS schemes with multiple keywords have also been considered. The main tool is the so-called hidden vector encryption (HVE) [18], [21], [44], [81], [50], [71], [69], [67], [68]. Attribute vectors are associated with a ciphertext and a decryption key, and the ciphertext can be decrypted by the key if the two vectors match. Moreover, wildcards "*" can be specified in decryption keys. By employing HVE, Boneh and Waters [18] showed that conjunctive comparison, range, and subset queries on encrypted data can be implemented.

Wang et al. [93] extended SCF-PEKS to support multiple keywords (SCF-MPEKS). Instead of employing HVE, they employed the randomness re-use technique [9] to reduce the ciphertext size. Although they claimed that this is the first SCF-MPEKS construction, there is room for improvement in their security model. First, they only considered weak attribute hiding. That is, an adversary is only allowed to issue token generation queries for attribute vectors that do not match the challenge attribute. Second, they did not consider adaptive security. More concretely, they did not consider the test oracle in their security model. Third, their scheme was proven secure in the random oracle model. Thus, proposing a fully attribute hiding and adaptively secure SCF-MPEKS scheme in the standard model is still an open problem.

In this paper, we propose a generic construction of SCF-MPEKS. Instead of employing anonymous IBE, we employ HVE as a building block of the generic construction of adaptively secure SCF-PEKS [30], and show that the construction still works. Next, we instantiate the construction from the Park-Lee-Susilo-Lee HVE scheme [69], the Kiltz TBE scheme [59], and the Wee OTS scheme [94]. This is the first adaptively secure SCF-MPEKS scheme in the standard model. Moreover, the scheme supports wildcards, and provides full attribute hiding and constant-size tokens. We show the comparison in Table 1.

We also implement the SCF-MPEKS instantiation by using the PBC library [1], and show that the running times of the encryption and searching algorithms are less than 700 msec and 150 msec, respectively, when eight keywords are employed. Moreover, we implement range queries on encrypted data in the SCF-MPEKS setting. This is an extension of the Boneh-Waters technique [18] that realizes range queries by using HVE. We adopt their technique in the SCF-MPEKS setting, and also halve the length of the vectors to be encrypted and to be employed for generating trapdoors. We show that the running time of our encryption algorithm is approximately twice as fast as that of the Boneh-Waters encryption algorithm, and we also show that the running time of the searching algorithm is approximately 150 msec when a range contained in [1,1000] is employed.

Golle, Staddon, and Waters [38] proposed conjunctive keyword search over encrypted data in the symmetric key setting, and Park et al. [66] extended their security model to the public key setting. Hwang and Lee [49] improved the efficiency of the Park et al. scheme, and additionally considered the multi-user setting. Although these schemes support conjunctive keyword search, unlike HVE they do not support wildcards. As a work independent of Boneh and Waters [18], who proposed HVE, Shi et al. [83] also proposed a scheme providing range queries on encrypted data that they call Multi-Dimensional Range Query over Encrypted Data (MRQED). Although its performance, especially the search cost, is better than that of HVE, they employed a weaker security model that they call match-revealing security, which does not protect the privacy of the attributes if an entry is matched by the query. On the other hand, HVE employs a stronger security model that they call match-concealing security, which requires the attribute values to remain hidden even when an entry matches a query. In the HVE context, match-revealing security is the same as weak attribute hiding, and match-concealing security is the same as full attribute hiding. Later, Gay et al. [37] proposed a lattice-based variant of the Shi et al. MRQED scheme. As an application of HVE, Chatterjee and Mukherjee [22] proposed a general search framework. They assumed an HVE scheme constructed in the private key setting and with key confidentiality, and introduced the Blundo-Iovino-Persiano HVE scheme [13] as its candidate. One drawback of that HVE scheme, besides the private key setting, is that it considers weak attribute hiding only. Tseng et al. [89] proposed a framework to compute statistics on encrypted data by using HVE, and their framework also supports range operations. Note that the functionality of their range search is different from that of Boneh-Waters and ours (Section 2.2 and Section 6). Briefly, a ciphertext and a trapdoor are associated with keyword vectors W and W', respectively, and the trapdoor works if all keywords contained in W' are contained in W.

Lu [62] proposed a logarithmic-time search scheme on encrypted data. He considered a cloud storage scenario where a data owner prepares ciphertexts of data (by using a secret key) and stores them in a database in the cloud. On request from users, the data owner computes search tokens and sends them to the users. That is, the Lu scheme provides search delegation capability, but the encryption procedure is not public. He proposed range predicate encryption based on the symmetric-key variant of inner-product predicate encryption [82]. Although the Lu scheme supports logarithmic-time search, one drawback of the scheme is privacy leakage when multi-dimensional range queries are considered. For example, if a range with two dimensions X∈[a,b] ∧ Y∈[c,d] is queried, then the scheme allows us to search X∈[a,b] and Y∈[c,d] independently, and it reveals more private information, e.g., X∈[a,b] ∧ Y∉[c,d] or X∉[a,b] ∧ Y∈[c,d]. This leakage, and the property of not having it, called single-dimensional privacy, was pointed out by Wang et al. [90]. They also pointed out that a scheme proposed by Wang et al. [92] has the same privacy leakage. Although HVE provides single-dimensional privacy, the search cost of HVE is linear. Accordingly, Wang et al. [90] proposed a tree-based public-key MRQED scheme with faster-than-linear search time that provides single-dimensional privacy. They called the scheme Maple, and it employs multi-dimensional tree structures (R-trees [42], [48]) for indexing data records. They mentioned that R-trees do not guarantee good worst-case performance but generally perform well with real-world data, and thus they argued that Maple supports faster-than-linear search time in an empirical sense.

Later, Hahn and Kerschbaum [43] mentioned that the order of all indexed elements is revealed by the index in the Lu scheme [62], the bucketization of indexed ciphertexts is leaked in Maple [90], and the relative distance of all indexed ciphertexts is leaked in the Wang et al. scheme [92]. Owing to the result by Naveed et al. [64], the leakage of all these indexes leads to vulnerabilities.

Although range queries can be employed for several applications such as geometric range search [91], Lacharité, Minaud, and Paterson [60] showed that several searchable encryption schemes supporting range queries are vulnerable. Since they did not explicitly consider the public key setting such as HVE, it would be interesting to investigate whether or not their analysis can be applied to HVE with range queries.

Since PEKS can be generically constructed from anonymous IBE [2], it seems natural to consider attribute-based encryption (ABE) or functional encryption, which imply IBE [46], for realizing expressive keyword search, to name a few [65], [61], [63], [26], [85], [84], [25], [72]. In fact, HVE can be seen as key-policy ABE (KP-ABE) since a policy can be specified for decryption keys by using wildcards. More concretely, HVE can be seen as anonymous key-policy ABE since it supports attribute hiding. Since Hayata et al. [45] showed that PEKS supporting logical disjunctions and logical conjunctions implies anonymous key-policy ABE, employing HVE in our generic construction is a reasonable choice. Toward access control in addition to expressive search, Shi, Lai, Li, Deng, and Weng [84] proposed authorized keyword search on encrypted data, which ensures that only authorized users can search and further access the encrypted data. Their scheme can be seen as dual-policy ABE [6] with attribute hiding. A ciphertext is associated with a set of keywords and an access structure, and a search token is associated with a search predicate and a set of attributes. If the set of keywords satisfies the predicate and the set of attributes satisfies the access structure, then the test algorithm outputs 1, and 0 otherwise. As a follow-up to Shi et al.'s work, several authorized keyword search schemes have been proposed [51], [85], [25]. As range-specific ABE, time-specific encryption [70], [53], [54] and ABE for range [5] have been proposed. However, these do not support attribute hiding, and thus they cannot be directly employed in searchable encryption.

For achieving fast search capability, other attempts have been proposed at the expense of security, e.g., deterministic encryption [11], [10], [16], [34], order preserving encryption [4], [15], [14], [57], [55], [56], [74], [88], and comparable encryption [35], [36], [52], [47], which reveal partial information and thus provide an efficient search cost.

To sum up, although HVE does not support fast search functionality, it provides strong security (full attribute hiding). Since fast searching currently requires several information leakages and many attacks have been reported, we employ HVE as a building block of SCF-MPEKS from the viewpoint of security in this paper.

Here, we explain the additional contents compared to the proceedings version [28]. First, we propose a range search technique by extending the Boneh-Waters technique [18] in Section 6. We halve the length of the vectors to be encrypted and to be employed for generating trapdoors. Second, by using the PBC library [1], we implement our SCF-MPEKS instantiation and also implement the proposed range search in Section 7. We also improve the related work section, which was omitted from the proceedings version due to the page limitation.

We note that we employ the symmetric pairing setting due to the Park-Lee-Susilo-Lee HVE scheme [69]. For achieving 128-bit security, the order of the underlying elliptic curve group should be 256 bits. Since such a curve is not contained in the PBC library, we generated parameters for the curve by using the PairingParametersGenerator API supported by jPBC [27].

Cryptographic tools

In this section, we define the building blocks for our generic construction. x ←$ S means that x is chosen uniformly at random from a set S. y ← A(x) means that y is an output of an algorithm A on input x.

First, we give the definition of HVE. We mainly borrow the notations given in [69]. Let Σ be an arbitrary set of attributes, and * be a wildcard character, and set Σ* := Σ ∪ {*}. Let be the dimension of vectors, and for two vectors x=(x1,…,x) ∈ Σ and y=(y1,…,y) ∈ Σ*, define a predicate function P: Σ × Σ* → {

Definitions of SCF-MPEKS

In this section, we give the definition of SCF-MPEKS. We mainly borrow the definition of Wang et al. [93]. Note that the SCF-MPEKS.Trapdoor algorithm in the Wang et al. definition generates a trapdoor for a single keyword ω, say tω, and for a ciphertext associated with a keyword vector W=(ω1,…,ω), the SCF-MPEKS.Test algorithm with tω outputs 1 if W includes ω. In our definition, the SCF-MPEKS.Trapdoor algorithm generates a trapdoor for a keyword vector W, and the SCF-MPEKS.Test algorithm with tW

Proposed generic construction of SCF-MPEKS

In this section, we construct SCF-MPEKS from HVE=(HVE.Setup, HVE.Enc, HVE.GenToken, HVE.Dec), TBE=(TBE.KeyGen, TBE.Enc, TBE.Dec), and OTS=(Sig.KeyGen, Sign, Verify). Let Htag: {0,1}* → T be a target collision-resistant (TCR) hash function [12]. Briefly, collision resistance requires that it is infeasible for any polynomial-time adversary to find two distinct inputs whose hash values are the same. Target collision resistance is a weaker notion, where given a random element, it is infeasible for

Our SCF-MPEKS instantiation

In this section, we instantiate our generic construction from the Park-Lee-Susilo-Lee HVE scheme [69], the Kiltz tag-based KEM scheme [59], and the Wee OTS scheme [94]. For encrypting a longer plaintext, we simply employ AES (with a suitable mode of operation). We denote by AES.Enc(K,M) an AES ciphertext of a plaintext M under a key K, and by AES.Dec(K,·) its decryption.

Let G and GT be cyclic groups of prime order p, g ∈ G be a generator, and e be an efficiently computable bilinear map e: G×G → GT.

Proposed range queries on encrypted data

In this section, we propose a system that supports range queries on encrypted data. As discussed in Section 2.2, a ciphertext and a trapdoor must be generated for vectors of length 2n when x,a,b ∈ T={1,…,n}. Here, we reduce the length of the vectors from 2n to n. As in the Boneh-Waters construction, we test (x ≥ a) ∧ (x ≤ b) to test x ∈ [a,b]. Then, we point out that the encoding of x is the same for both cases in the Boneh-Waters construction (Fig. 1, Fig. 2). In other words, for i=0,…,n, x_i=1 if i ≤ x (and 0
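A plaintext-level model of the HVE predicate from Section 2 (wildcard matching of attribute vectors) and of the unary range encodings from Section 6, as an added example that is not the paper's code. It performs no encryption: it only shows the ciphertext and token vectors that an HVE scheme would evaluate on hidden vectors, and exhaustively checks that a single unary vector indexed 0..n answers the same range queries as the two concatenated Boneh-Waters style comparison vectors of length 2n. The halved token pattern (a 1 at position a, a 0 at position b+1) is my reading of the truncated snippet above, not the paper's exact construction.

```python
# Plaintext-level model of the HVE predicate and of unary range encodings.
# Constructed illustration for this page, not code from the paper: no encryption
# happens here, only the vector logic an HVE scheme would evaluate on hidden vectors.
from itertools import product

WILD = "*"  # wildcard, allowed only in token (trapdoor) vectors

def hve_match(x, y):
    """HVE predicate P(x, y): true iff every non-wildcard entry of y equals x."""
    if len(x) != len(y):
        raise ValueError("attribute vectors must have the same dimension")
    return all(yi == WILD or xi == yi for xi, yi in zip(x, y))

def _check_range(a, b, n):
    if not 1 <= a <= b <= n:
        raise ValueError("need 1 <= a <= b <= n")

# Boneh-Waters style: one unary comparison per bound, concatenated (length 2n).
def bw_encode(x, n):
    """First half: 1 at i <= x (serves x >= a); second half: 1 at i >= x (serves x <= b)."""
    ge = [1 if i <= x else 0 for i in range(1, n + 1)]
    le = [1 if i >= x else 0 for i in range(1, n + 1)]
    return ge + le

def bw_token(a, b, n):
    """Token for [a, b]: position a of the first half and position b of the second must be 1."""
    _check_range(a, b, n)
    tok = [WILD] * (2 * n)
    tok[a - 1] = 1
    tok[n + b - 1] = 1
    return tok

# Halved layout (token pattern assumed here): a single unary vector indexed 0..n.
def half_encode(x, n):
    """x_i = 1 if i <= x else 0, for i = 0..n."""
    return [1 if i <= x else 0 for i in range(n + 1)]

def half_token(a, b, n):
    """x >= a  <=>  x_a = 1;   x <= b  <=>  x_{b+1} = 0 (no constraint when b = n)."""
    _check_range(a, b, n)
    tok = [WILD] * (n + 1)
    tok[a] = 1
    if b < n:
        tok[b + 1] = 0
    return tok

def in_range_bw(x, a, b, n):
    return hve_match(bw_encode(x, n), bw_token(a, b, n))

def in_range_half(x, a, b, n):
    return hve_match(half_encode(x, n), half_token(a, b, n))

def encodings_agree(n):
    """Exhaustively check both layouts against the plain predicate a <= x <= b."""
    for x, a, b in product(range(1, n + 1), repeat=3):
        if a > b:
            continue
        want = a <= x <= b
        if in_range_bw(x, a, b, n) != want or in_range_half(x, a, b, n) != want:
            return False
    return True

if __name__ == "__main__":
    print(half_token(3, 7, 10))   # ['*', '*', '*', 1, '*', '*', '*', '*', 0, '*', '*']
    print(encodings_agree(10))    # True
```

The attribute-hiding guarantee of HVE is what keeps x secret once these vectors are encrypted; the exhaustive check only confirms that the shorter layout loses no query expressiveness.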

Implementation environment

For the server that runs the SCF-MPEKS.Test algorithm, we employ a workstation. For the sender, who runs the SCF-MPEKS.Enc algorithm, and for the receiver, who runs the SCF-MPEKS.Trapdoor algorithm, we employ a laptop PC. Our implementation environment is detailed in Table 2.

Parameters

We employ the PBC library [1] (pbc-0.5.14) and y² = x³ + x (Type A, defined over a 2048-bit prime field with a 256-bit group order) as the underlying elliptic curve. Since such a curve is not contained in the PBC library, we

Conclusion

In this paper, we propose a generic construction of SCF-MPEKS. By instantiating the construction, we provide the first adaptively secure SCF-MPEKS scheme in the standard model. Moreover, we implement an instantiation of our generic construction and demonstrate that it is efficient in practice. We also propose a system that supports range queries and show that our construction is more efficient than the Boneh-Waters construction.

Since we do not consider keyword guessing attacks [33], [41], [20],

Declaration of Competing Interest

This work was partially supported by JSPS KAKENHI Grant Numbers JP15K00185 and JP16H02808, and MIC/SCOPE #162108102.

References (96)

  • Nuttapong Attrapadung et al., Dual-policy attribute based encryption: simultaneous access control with ciphertext and key policies, IEICE Trans. (2010)
  • Joonsang Baek et al., On the integration of public key data encryption and public key encryption with keyword search
  • Joonsang Baek et al., Public key encryption with keyword search revisited
  • Mihir Bellare et al., Multirecipient encryption schemes: how to save on bandwidth and computation without sacrificing security, IEEE Trans. Inf. Theory (2007)
  • Mihir Bellare et al., How secure is deterministic encryption?
  • Mihir Bellare et al., Deterministic encryption: definitional equivalences and constructions without random oracles
  • Mihir Bellare et al., Collision-resistant hashing: towards making UOWHFs practical
  • Carlo Blundo et al., Private-key hidden vector encryption with key confidentiality
  • Alexandra Boldyreva et al., Order-preserving symmetric encryption
  • Alexandra Boldyreva et al., Order-preserving encryption revisited: improved security analysis and alternative solutions
  • Alexandra Boldyreva et al., On notions of security for deterministic encryption, and efficient constructions without random oracles
  • Dan Boneh et al., Public key encryption with keyword search
  • Dan Boneh et al., Conjunctive, subset, and range queries on encrypted data
  • Francesco Buccafurri et al., Practical and secure integrated PKE+PEKS with keyword privacy
  • Jin Wook Byun et al., Off-line keyword guessing attacks on recent keyword search schemes over encrypted data
  • Angelo De Caro et al., Fully secure hidden vector encryption
  • Sanjit Chatterjee et al., Framework for efficient search and statistics computation on encrypted cloud data
  • Rongmao Chen et al., Dual-server public-key encryption with keyword search for secure cloud storage, IEEE Trans. Inf. Forensics Secur. (2016)
  • Yu Chen et al., Generic constructions of integrated PKE and PEKS, Des. Codes Cryptogr. (2016)
  • Hui Cui et al., Attribute-based encryption with expressive and authorized keyword search
  • Hui Cui et al., Efficient and expressive keyword search over encrypted data in the cloud, IEEE Trans. Dependable Secure Comput. (2018)
  • Angelo De Caro et al., JPBC: Java pairing based cryptography
  • Keita Emura, A generic construction of secure-channel free searchable encryption with multiple keywords
  • Keita Emura et al., Adaptive secure-channel free public-key encryption with keyword search implies timed release encryption
  • Keita Emura et al., Generic constructions of secure-channel free searchable encryption with adaptive security, Secur. Commun. Netw. (2015)
  • Keita Emura et al., Constructing secure-channel free searchable encryption from anonymous IBE with partitioned ciphertext structure
  • Liming Fang et al., A secure channel free public key encryption with keyword search scheme without random oracles
  • Benjamin Fuller et al., A unified approach to deterministic encryption: new constructions and a connection to computational entropy
  • Jun Furukawa, Request-based comparable encryption
  • Jun Furukawa, Short comparable encryption
  • Romain Gay et al., Predicate encryption for multi-dimensional range queries from lattices
  • Philippe Golle et al., Secure conjunctive keyword search over encrypted data
  • Chunxiang Gu et al., New efficient searchable encryption schemes from bilinear pairings, Int. J. Netw. Secur. (2010)
  • Chunxiang Gu et al., Efficient public key encryption with keyword search schemes from pairings
  • Antonin Guttman, R-trees: a dynamic index structure for spatial searching
  • Florian Hahn et al., Poly-logarithmic range queries on encrypted data with small leakage
  • Mitsuhiro Hattori et al., Ciphertext-policy delegatable hidden vector encryption and its application to searchable encryption in multi-user setting
  • Junichiro Hayata et al., Generic construction of adaptively secure anonymous key-policy attribute-based encryption from public-key searchable encryption, IEICE Trans. (2020)