Secure-channel free searchable encryption with multiple keywords: A generic construction, an instantiation, and its implementation
Introduction
For searching encrypted data in a secure manner, Boneh et al. proposed public key encryption with keyword search (PEKS) [17] that can be adopted to construct an encrypted database. In brief, for keyword ω, trapdoor is generated by a receiver, and the receiver uploads it onto a server. The sender makes a ciphertext of keyword using the receiver public key, and sends it to the server. The server can test whether using . Boneh et al. gave a generic construction of PEKS from anonymous identity-based encryption (anonymous IBE); however, Abdalla et al. [2] pointed out that the PEKS generic construction proposed by Boneh et al. does not satisfy consistency, i.e., a ciphertext of ω may be searched by a trapdoor even though . They proposed a new generic construction of PEKS from anonymous IBE. In this construction, a keyword is regarded as an identity for the anonymous IBE scheme, and a random message R is encrypted using the keyword. A PEKS ciphertext is the IBE ciphertext and the random message R, and trapdoors are the decryption keys for keywords. Due to anonymity, no information about a keyword is revealed from the ciphertexts. The server can check whether a ciphertext is associated with ω by checking whether the decryption result of the ciphertext under the key is R. Later, Abdalla, Bellare, and Neven [3] showed that if the underlying anonymous IBE is robust, then the original Boneh et al. PEKS generic construction also satisfies consistency.
Due to the functionality of PEKS, anyone can run the test algorithm if they obtain trapdoors. Thus, for uploading trapdoors, a secure channel between the receiver and the server is required. Secure-channel free PEKS (SCF-PEKS) [8], [32], [39], [40], [58], [33], [41], [77], [76], [78], [86], [87], which is also known as designated tester PEKS, removes this restriction. The server also has a public/secret key pair, and the sender encrypts a keyword using both the receiver public key and the server public key. The test algorithm is run by using not only trapdoors, but also the server secret key. Note that from the viewpoint of functionality, it seems sufficient to employ SSL/TLS for sending trapdoors to the server. Nevertheless, SCF-PEKS is meaningful from the viewpoint of provable security, where we can guarantee that SCF-PEKS is secure if the underlying complexity assumptions hold. On the other hand, if an additional protocol, such as SSL/TLS, is employed, then we need to assume that the protocol is also secure. In general, however, it is not easy to analyze such protocols, and in fact, many bugs in SSL/TLS have been reported.
Emura et al. [29], [30], [31] showed that SCF-PEKS can be generically constructed from anonymous IBE, tag-based public key encryption (TBE), and one-time signature (OTS). Note that in SCF-PEKS, adversaries who do not have the server's secret key cannot run the test algorithm. However, a malicious-but-legitimate receiver or eavesdropper may send a trapdoor and a ciphertext to the server, and then the server returns the result of the test algorithm. Thus, such adversaries should be allowed to issue test queries adaptively since the server can be regarded as a test oracle. This was formalized as adaptive security [29], [30], [31].
Even though only the single keyword ω is treated in standard PEKS, PEKS schemes with multiple keywords have also been considered. The main tool is the so-called hidden vector encryption (HVE) [18], [21], [44], [81], [50], [71], [69], [67], [68]. Attribute vectors are associated with a ciphertext and a decryption key, and the ciphertext can be decrypted by the key if the two vectors match. Moreover, wildcards "*" can be specified for decryption keys. By employing HVE, Boneh and Waters [18] showed that conjunctive comparison, range, and subset queries on encrypted data can be implemented.
Wang et al. [93] extended SCF-PEKS to support multiple keywords (SCF-MPEKS). Instead of employing HVE, they employed the randomness re-use technique [9] to reduce the ciphertext size. Although they claimed that this is the first SCF-MPEKS construction, there is room for improvement in their security model. First, they only considered weak attribute hiding. That is, an adversary is only allowed to issue token generation queries for attribute vectors that do not match the challenge attribute. Second, they did not consider adaptive security. More concretely, they did not consider the test oracle in their security model. Third, their scheme was proven secure in the random oracle model. Thus, proposing a fully attribute hiding and adaptively secure SCF-MPEKS scheme in the standard model is still an open problem.
In this paper, we propose a generic construction of SCF-MPEKS. Instead of employing anonymous IBE, we employ HVE as a building block of the generic construction of adaptive secure SCF-PEKS [30], and show that the construction still works. Next, we instantiate the construction from the Park-Lee-Susilo-Lee HVE scheme [69], the Kiltz TBE scheme [59], and the Wee OTS scheme [94]. This is the first adaptively secure SCF-MPEKS scheme in the standard model. Moreover, the scheme supports wildcards, and provides full attribute hiding and constant-size token. We show the comparison in Table 1.
We also implement the SCF-MPEKS instantiation by using the PBC library [1], and show that the running times of encryption and searching algorithms are less than 700 msec and 150 msec, respectively, when eight keywords are employed. Moreover, we implement range queries on encrypted data in the SCF-MPEKS setting. This is an extension of the Boneh-Waters technique [18] that realizes range queries by using HVE. We adopt their technique in the SCF-MPEKS setting, and also reduce the length of the vectors to be encrypted and to be employed for generating trapdoors by half. We show that the running time of our encryption algorithm is approximately two times faster than that of the Boneh-Waters encryption algorithm, and we also show that the running time of the searching algorithm is approximately 150 msec when a range contained in [1,1000] is employed.
Golle, Staddon, and Waters [38] proposed conjunctive keyword search over encrypted data in the symmetric key setting, and Park et al. [66] extended their security model to the public key setting. Hwang and Lee [49] improved the efficiency of the Park et al. scheme, and additionally considered the multi-user setting. Although these schemes support conjunctive keyword search, unlike HVE they do not support wildcards. As a work independent of Boneh and Waters [18], who proposed HVE, Shi et al. [83] also proposed a scheme providing range queries on encrypted data that they call Multi-Dimensional Range Query over Encrypted Data (MRQED). Although its performance, especially the search cost, is better than that of HVE, they employed a weaker security model, which they call match-revealing security, that does not protect the privacy of the attributes if an entry is matched by the query. On the other hand, HVE employs a stronger security model, called match-concealing security, that requires the attribute values to remain hidden even when an entry matches a query. In the HVE context, match-revealing security is the same as weak attribute hiding, and match-concealing security is the same as full attribute hiding. Later, Gay et al. [37] proposed a lattice-based variant of the Shi et al. MRQED scheme. As an application of HVE, Chatterjee and Mukherjee [22] proposed a general search framework. They assumed an HVE constructed in the private key setting and with key confidentiality, and introduced the Blundo-Iovino-Persiano HVE scheme [13] as its candidate. One drawback of that HVE scheme, besides the private key setting, is that it considers weak attribute hiding only. Tseng et al. [89] proposed a framework to compute statistics on encrypted data by using HVE, and their framework also supports range operations. Remark that the functionality of their range search is different from that of Boneh-Waters and ours (Section 2.2 and Section 6).
Briefly, a ciphertext and a trapdoor are associated with keyword vectors and , respectively, and the trapdoor works if all keywords contained in are contained in .
Lu [62] proposed a logarithmic-time search scheme on encrypted data. He considered a cloud storage scenario where a data owner prepares ciphertexts of data (by using a secret key) and preserves them on a database in the cloud. On the basis of a request from users, the data owner computes search tokens and sends them to users. That is, the Lu scheme provides search delegation capability, but the encryption procedure is not public. He proposed range predicate encryption based on the symmetric-key variant of inner-product predicate encryption [82]. Although the Lu scheme supports logarithmic-time search, one drawback of the scheme is privacy leakage when multi-dimensional range queries are considered. For example, if a range with two dimensions is queried, then the scheme allows us to search and independently, and it reveals more private information, e.g., or . This leakage, called single-dimensional privacy, was pointed out by Wang et al. [90]. They also pointed out that a scheme proposed by Wang et al. [92] has the same privacy leakage. Although HVE supports single-dimensional privacy, the search cost of HVE is linear. Accordingly, Wang et al. [90] proposed a tree-based public-key MRQED scheme with faster-than-linear search time that provides single-dimensional privacy. They called the scheme Maple, and it employs multi-dimensional tree structures (R-trees [42], [48]) for indexing data records. They mentioned that R-trees do not guarantee good worst-case performance but generally perform well with real-world data, and thus they argued that Maple supports faster-than-linear search time in an empirical sense.
Later, Hahn and Kerschbaum [43] mentioned that the order of all indexed elements is revealed from the index in the Lu scheme [62], the bucketization of indexed ciphertexts is leaked in Maple [90], and the relative distance of all indexed ciphertexts is leaked in the Wang et al. scheme [92]. Owing to the result by Naveed et al. [64], the leakage of all these indexes results in vulnerabilities.
Although range queries can be employed for several applications such as geometric range search [91], Lacharité, Minaud, and Paterson [60] showed that several searchable encryption schemes supporting range queries are vulnerable. Since they did not explicitly consider the public key setting such as HVE, it would be interesting to investigate whether or not their analysis can be applied to HVE with range queries.
Since PEKS can be generically constructed from anonymous IBE [2], it seems natural to consider attribute-based encryption (ABE) or functional encryption, which imply IBE [46], for realizing expressive keyword search; see, e.g., [65], [61], [63], [26], [85], [84], [25], [72]. In fact, HVE can be seen as key-policy ABE (KP-ABE) since a policy can be specified for decryption keys by using wildcards. More concretely, HVE can be seen as anonymous key-policy ABE since it supports attribute hiding. Since Hayata et al. [45] showed that PEKS supporting logical disjunctions and logical conjunctions implies anonymous key-policy ABE, employing HVE in our generic construction is a reasonable choice. Toward access control in addition to expressive search, Shi, Lai, Li, Deng, and Weng [84] proposed authorized keyword search on encrypted data, which ensures that only authorized users can search and further access the encrypted data. Their scheme can be seen as dual-policy ABE [6] with attribute hiding. A ciphertext is associated with a set of keywords and an access structure, and a search token is associated with a search predicate and a set of attributes. If the set of keywords satisfies the predicate and the set of attributes satisfies the access structure, then the test algorithm outputs 1, and otherwise 0. As a follow-up to Shi et al.'s work, several authorized keyword search schemes have been proposed [51], [85], [25]. As range-specific ABE, time-specific encryption [70], [53], [54] and ABE for range [5] have been proposed. However, these do not support attribute hiding, and thus they cannot be directly employed in searchable encryption.
For achieving fast search capability, other attempts have been proposed at the expense of security, e.g., deterministic encryption [11], [10], [16], [34], order preserving encryption [4], [15], [14], [57], [55], [56], [74], [88], and comparable encryption [35], [36], [52], [47]. These reveal partial information and thus achieve an efficient search cost.
To sum up, although HVE does not support fast search functionality, it provides strong security (full attribute hiding). Since fast searching currently requires some information leakage, and many attacks exploiting such leakage have been reported, in this paper we employ HVE as a building block of SCF-MPEKS from the viewpoint of security.
Here, we explain the additional contents over the proceedings version [28]. First, we propose a range search technique by extending the Boneh-Waters technique [18] in Section 6. We reduce the length of the vectors to be encrypted and to be employed for generating trapdoors by half. Second, by using the PBC library [1], we implement our SCF-MPEKS instantiation and also implement the proposed range search in Section 7. We also expand the related work section, which was omitted in the proceedings version due to the page limitation.
We note that we employ the symmetric pairing setting because of the Park-Lee-Susilo-Lee HVE scheme [69]. For achieving 128-bit security, the group order of the underlying elliptic curve should be 256 bits. Since such a curve is not contained in the PBC library, we generated parameters for the curve by using the PairingParametersGenerator API supported by jPBC [27].
Cryptographic tools
In this section, we define the building blocks for our generic construction. means that x is chosen uniformly from a set S. means that y is an output of an algorithm A with an input x.
First, we give the definition of HVE. We mainly borrow the notations given in [69]. Let Σ be an arbitrary set of attributes, and ⁎ be a wildcard character, and set . Let ℓ be the dimension of vectors, and for two vectors and , define a predicate function
Definitions of SCF-MPEKS
In this section, we give the definition of SCF-MPEKS. We mainly borrow the definition of Wang et al. [93]. Remark that the algorithm in the Wang et al. definition generates a trapdoor for a keyword ω, say , and for a ciphertext associated with a keyword vector , the algorithm with outputs 1 if includes ω. In our definition, the algorithm generates a trapdoor for a keyword vector , and the algorithm with
Proposed generic construction of SCF-MPEKS
In this section, we construct SCF-MPEKS from , , and . Let be a target collision-resistant (TCR) hash function [12]. Briefly, collision resistance requires that it is infeasible for any polynomial-time adversary to find two distinct values whose hash values are the same. Target collision resistance is a weaker notion, where given a random element, it is infeasible for
Our SCF-MPEKS instantiation
In this section, we instantiate our generic construction from the Park-Lee-Susilo-Lee HVE scheme [69], the Kiltz tag-based KEM scheme [59], and the Wee OTS scheme [94]. For encrypting a longer plaintext, we simply employ AES (with a suitable mode of operation). We denote as an AES ciphertext of a plaintext M using a key K, and as its decryption.
Let and be cyclic groups of prime order p, be a generator, and e be an efficiently computable bilinear map .
Proposed range queries on encrypted data
In this section, we propose a system that supports range queries on encrypted data. As discussed in Section 2.2, a ciphertext and trapdoor must be generated for vectors of length 2n, when . Here, we reduce the length of vectors from 2n to n. As in the Boneh-Waters construction, we test to test . Then, we point out that the encoding of is the same for both cases in the Boneh-Waters construction (Fig. 1, Fig. 2). In other words, for , if (and 0
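The two mechanisms at work in this section, the HVE predicate over attribute vectors with wildcards (Section 2) and the reduction of a range query to conjunctive comparison tests on HVE vectors [18], are easy to lose among the pairing details. The following Python is an added illustration written for this page, not code from the paper, from the Boneh-Waters paper, or from the PBC library. It models only the predicate that an HVE Test algorithm evaluates on plaintext vectors, with no encryption, so it says nothing about attribute hiding; the particular bit convention of the 2n-length comparison encoding (`encode_value`, `range_token`) is this example's own realization of the Boneh-Waters idea, and the n-length optimization described in this section is deliberately not reproduced. The exhaustive check at the end verifies that the encoding has no false positives or negatives over a small domain.

```python
"""HVE wildcard predicate and Boneh-Waters-style range queries as vector matching.

Illustrative code for this page (assumption: plaintext vectors stand in for
the HVE ciphertext/token vectors; no pairing-based encryption is performed).
"""

WILDCARD = "*"  # the wildcard symbol of the token alphabet Sigma_* = Sigma U {*}


def hve_predicate(attrs, pattern):
    """HVE predicate: True iff every non-wildcard token entry equals the
    corresponding ciphertext attribute. Vectors of different length never match."""
    if len(attrs) != len(pattern):
        return False
    return all(p == WILDCARD or p == a for a, p in zip(attrs, pattern))


def encode_value(x, n):
    """Comparison encoding of a value x in [1, n] into a {0,1} vector of length 2n.

    Positions 1..n  : bit j is 1 iff x >= j   (serves 'x >= a' tests)
    Positions n+1..2n: bit j is 1 iff x <= j  (serves 'x <= b' tests)
    This is the 2n-length layout referred to in the text; the bit convention
    is this example's own choice, not the paper's encoding.
    """
    if not 1 <= x <= n:
        raise ValueError("value outside the domain [1, n]")
    ge_half = [1 if x >= j else 0 for j in range(1, n + 1)]
    le_half = [1 if x <= j else 0 for j in range(1, n + 1)]
    return ge_half + le_half


def range_token(a, b, n):
    """Token vector for the conjunctive query a <= x <= b.

    Only two positions are fixed: position a of the '>=' half must be 1 and
    position b of the '<=' half must be 1; everything else is a wildcard, so the
    token reveals nothing about the other positions of a matching ciphertext.
    """
    if not 1 <= a <= b <= n:
        raise ValueError("range must satisfy 1 <= a <= b <= n")
    token = [WILDCARD] * (2 * n)
    token[a - 1] = 1        # x >= a  <=>  ge_half[a-1] == 1
    token[n + b - 1] = 1    # x <= b  <=>  le_half[b-1] == 1
    return token


def in_range(x, a, b, n):
    """Range test expressed purely as an HVE predicate evaluation."""
    return hve_predicate(encode_value(x, n), range_token(a, b, n))


def check_consistency(n):
    """Exhaustively confirm that the encoding decides membership in [a, b]
    exactly (no false positives, no false negatives) for every x, a, b in [1, n]."""
    for a in range(1, n + 1):
        for b in range(a, n + 1):
            for x in range(1, n + 1):
                if in_range(x, a, b, n) != (a <= x <= b):
                    return False
    return True


if __name__ == "__main__":
    # Constructed sample: a three-keyword document vector matched against a
    # token that fixes two keywords and wildcards the third.
    doc = ["alice", "2019", "urgent"]
    print(hve_predicate(doc, ["alice", WILDCARD, "urgent"]))  # True
    print(hve_predicate(doc, ["bob", WILDCARD, "urgent"]))    # False
    # Range query 3 <= x <= 7 over the domain [1, 10]
    print(in_range(5, 3, 7, 10), in_range(8, 3, 7, 10))       # True False
    print(check_consistency(12))                              # True
```

The consistency check is the property that matters for a searchable encryption scheme in the sense of Abdalla et al. [2]: a token must match exactly the ciphertexts it is supposed to, and the exhaustive loop makes that explicit for the encoding before any cryptography is layered on top.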
Implementation environment
For the server that runs the algorithm, we employ a workstation. For the sender, who runs the algorithm, and for the receiver, who runs the algorithm, we employ a laptop PC. Our implementation environment is detailed in Table 2.
Parameters
We employ the PBC library [1] (pbc-0.5.14) and (Type A, defined over a 2048-bit prime field with a 256-bit group order) as the underlying elliptic curve. Since such a curve is not contained in the PBC library, we
Conclusion
In this paper, we propose a generic construction of SCF-MPEKS. By instantiating the construction, we provide the first adaptive SCF-MPEKS scheme secure in the standard model. Moreover, we implement an instantiation of our generic construction and demonstrate that it is efficient in practice. We also propose a system that supports range queries and show that our construction is more efficient than the Boneh-Waters construction.
Since we do not consider keyword guessing attacks [33], [41], [20],
Declaration of Competing Interest
This work was partially supported by JSPS KAKENHI Grant Numbers JP15K00185 and JP16H02808, and MIC/SCOPE #162108102.
References (96)
- et al., "Public key encryption with keyword search secure against keyword guessing attacks without random oracle," Inf. Sci. (2013)
- et al., "Efficient secure-channel free public key encryption with keyword search for EMRs in cloud storage," J. Med. Syst. (2015)
- et al., "Fully secure hidden vector encryption under standard assumptions," Inf. Sci. (2013)
- et al., "Generic construction of designated tester public-key encryption with keyword search," Inf. Sci. (2012)
- et al., "Trapdoor security in a searchable public-key encryption scheme with a designated tester," J. Syst. Softw. (2010)
- et al., "Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions," J. Cryptol. (2008)
- et al., "Robust encryption"
- et al., "Order-preserving encryption for numeric data"
- et al., "Attribute-based encryption for range attributes"