Public-key Authenticated Encryption with Keyword Search: Cryptanalysis, Enhanced Security, and Quantum-resistant Instantiation
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Public-key Authenticated Encryption with Keyword Search: Cryptanalysis, Enhanced Security, and Quantum-resistant Instantiation Zi-Yuan Liu Yi-Fan Tseng Raylin Tso National Chengchi University National Chengchi University National Chengchi University Taipei 11605, Taiwan Taipei 11605, Taiwan Taipei 11605, Taiwan zyliu@cs.nccu.edu.tw yftseng@cs.nccu.edu.tw raylin@cs.nccu.edu.tw Masahiro Mambo Yu-Chi Chen Kanazawa University Yuan Ze University Kanazawa 920-1192, Japan Kanazawa 920-1192, Japan mambo@ec.t.kanazawa-u.ac.jp wycchen@saturn.yzu.edu.tw ABSTRACT become increasingly widespread. In particular, with the support With the rapid development of cloud computing, an increasing of cloud storage, users and enterprises can easily reduce the cost number of companies are adopting cloud storage to reduce over- of local maintenance and storage. In addition, it can be combined head. However, to ensure the privacy of sensitive data, the uploaded with IoT devices to provide more meta-services and applications. data need to be encrypted before being outsourced to the cloud. As the uploaded data are usually critical and sensitive, ensuring The concept of public-key encryption with keyword search (PEKS) that service providers can properly protect the privacy of data is was introduced by Boneh et al. to provide flexible usage of the an important issue. Therefore, to avoid privacy leakage, users need encrypted data. Unfortunately, most of the PEKS schemes are not to encrypt data before outsourcing them to the cloud. However, secure against inside keyword guessing attacks (IKGA), so the key- the encrypted data will lose the flexibility of use, such as search word information of the trapdoor may be leaked to the adversary. or modification. As the search function can considerably reduce To solve this issue, Huang and Li presented public key authenticated the transmission demand, this function is extremely important for encryption with keyword search (PAEKS) in which the trapdoor cloud storage. To resolve this issue, the concept of searchable en- generated by the receiver is only valid for authenticated ciphertexts. cryption was first introduced by Song et al. [56] and Boneh et al. With their seminal work, many PAEKS schemes have been intro- [8]. In these primitives, encrypted data are uploaded along with duced for the enhanced security of PAEKS. Some of them further multiple encrypted keywords by the sender, while the receiver can consider the upcoming quantum attacks. However, our cryptanaly- generate trapdoors for specific keywords. With the trapdoor, the sis indicated that in fact, these schemes could not withstand IKGA. cloud server can perform a search to find the matched encrypted To fight against the attacks from quantum adversaries and support keywords, i.e., they are associated with the same keyword, and the privacy-preserving search functionality, we first introduce a return the corresponding encrypted data to the receiver. With the novel generic PAEKS construction in this work. We further present distinction of whether the generation of encrypted keywords and the first quantum-resistant PAEKS instantiation based on lattices. trapdoors is symmetric or asymmetric, searchable encryption can The security proofs showed that our instantiation not only satis- be further divided into symmetric search encryption (SSE) and fied the basic requirements but also achieved an enhanced security public-key encryption with keyword search (PEKS). model, namely the multi-ciphertext and multi-trapdoor indistin- The first SSE scheme was presented by Song et al. [56] in 2000. guishability. Furthermore, the comparative results indicated that Because SSE has an advantage in efficiency, it has been extensively with only some additional expenditure, this instantiation could studied [18, 44, 46, 57]. However, in practical applications, SSE has provide more secure properties, making it suitable for more diverse the same problem as symmetric encryption—the key distribution application environments. problem. To resolve this problem, Boneh et al. [8] combined the concept of public-key encryption and searchable encryption to CCS CONCEPTS introduce the first PEKS scheme. In this scheme, the searchable ciphertext (i.e., encrypted keyword) is generated by using the re- • Security and privacy → Public key encryption; Cryptanalysis ceivers’ public keys, while a receiver can generate a trapdoor by and other attacks; Privacy-preserving protocols. using his/her private key and hand it to the cloud server to search for the matching searchable ciphertexts. In addition, Boneh et al. KEYWORDS [8] formalized the security requirement of the PEKS, namely ci- Cryptanalysis, Generic construction, Trapdoor privacy, Post-quantum, phertext indistinguishability (CI), i.e., indistinguishability against Keyword search, Public-key encryption. chosen keyword attacks (CKA), which ensures that there exists no adversary who can obtain any keyword information from the 1 INTRODUCTION ciphertext. However, Byun et al. [9] further considered the notion In recent years, with the widespread development of the cloud com- of trapdoor privacy (TP), i.e., indistinguishability against keyword puting technology, cloud applications, such as cloud storage, have 1
Zi-Yuan Liu, Yi-Fan Tseng, Raylin Tso, Masahiro Mambo, and Yu-Chi Chen
guessing attacks (KGA) [53], where the adversary may retrieve the Hence, with the above description, it raises an urgent problem:
keyword information from the trapdoor by adaptively generating Can we obtain a quantum-resistant PAEKS that also satisfies MCI
ciphertext for a guessing keyword. As discussed in Byun et al.’s and MTP?
work [9], the keyword space in PEKS schemes is small and limited,
e.g., only 225,000 (≈ 216 ) words in Merriam-Webster’s collegiate 1.2 Our Contribution
dictionary [11]. Therefore, upon a brute force attack, there is a In this work, we first cryptanalyze Zhang et al.’s lattice-based PEKS
high probability ( 2116 ) that the adversary can obtain the keyword schemes [62, 63] and show that their schemes cannot resist against
information hidden by the trapdoor. IKGA. To resolve the above issues, we present a generic PAEKS
The KGA can be divided into outside KGA launched by an exter- construction by adopting smooth projection hash function (SPHF)
nal adversary (e.g., eavesdropper) and inside KGA (IKGA) launched and PEKS.
by an internal adversary (e.g., malicious cloud server). Although As a high-level idea, to prevent adversaries from being able to
many KGA-secure PEKS schemes have been introduced [5, 13– adaptively generate ciphertexts for any keyword and further guess
15, 20–22, 30, 31, 52, 53, 58, 59, 61], it was not until the concept of the keyword hidden in the trapdoor, we restrict that the trapdoor
public-key authenticated encryption with keyword search (PAEKS) generated from a receiver is only valid to the ciphertext generated
was proposed by Huang and Li [27] that the IKGA was solved in from a specific sender. To meet this requirement, our strategy was to
the single-server context. In the PAEKS, the trapdoor generated by enable the sender and the receiver to obtain high-entropy random-
the receiver is only valid to the ciphertexts that are authenticated ness without any interaction by utilizing (pseudo-random) SPHF.
by a specified sender. In this way, the adversaries cannot perform Through this randomness, both parties could obtain an extended
KGA by adaptively generating ciphertext for any keyword to test keyword to generate a ciphertext and a trapdoor, respectively, in-
the trapdoors. As the concept of PAEKS solves the privacy concern, stead of generating them through the original low-entropy keyword.
many variants PAEKS schemes [12, 26, 36–38, 40–42, 45, 47–49] Therefore, the adversary could not perform IKGA by randomly se-
have been proposed to be suitable for various scenarios. lecting keywords.
In addition, to further achieve the MCI and MTP properties,
we provided a theoretical result in Theorem 3.3: if the PAEKS and
Trapdoor algorithms of a PAEKS scheme is probabilistic and the
PAEKS scheme satisfies CI and TP, then this PAEKS scheme also
1.1 Motivation
satisfies MCI and MTP. This interesting result can boost the security
MCI and MTP Security. Among various PAEKS schemes, Qin et of many existing PAEKS schemes.
al. [49] first introduced an enhanced security notion called multi- Eventually, we compiled Behnia et al.’s PEKS [6] and Ben-
ciphertext indistinguishability (MCI). Compared with CI, MCI con- hamouda et al.’s SPHF [7] by our generic construction and pro-
siders whether the adversary can distinguish two tuples of search- posed the first quantum-resistant PAEKS scheme based on lattices.
able ciphertexts related to some of the same keywords. In practical In terms of the computational cost and the communication cost, the
scenarios, each encrypted file is related to multiple search cipher- results showed that our instantiation could provide more secure
texts, so this notion captures the security that needs to be considered attributes with only a little additional expenditure.
in the real environment.
In addition, Pan and Li [48] followed this concept and introduced 2 PRELIMINARIES
the notion called multi-trapdoor privacy (MTP) to ensure that any
adversary cannot distinguish whether two tuples of trapdoors have This section introduces some requisite knowledge, including the
some of the same keywords. Unfortunately, Cheng and Meng [16] background of lattices and the definitions of cryptographic primi-
recently showed that although Pan and Li’s scheme [48] satisfies tives.
MTP, their scheme cannot satisfy MCI.
2.1 Background of Lattices
Quantum-resistant PAEKS. As Shor [54, 55] has confirmed that 2.1.1 Lattices. Here, we briefly summarize the concept of lattices.
there exists a quantum algorithm that can be used to crack the Let B = [b1 | · · · |b ] ∈ R × , where b1, · · · , b are linear in-
foundation of many cryptographic primitives—the discrete loga- dependent vectors. An -dimensional lattice Λ generated by B is
defined as Λ(B) := { =1 b | ∈ Z}. Here, B is called the basis
Í
rithm hard assumption, scholars have begun to explore how to
construct quantum-resistant PEKS schemes [6, 60]. To further sat- of Λ. In addition, given , , ∈ Z, u ∈ Z , and A ∈ Z × , we can
isfy TP, Zhang et al. [62, 63] introduced two lattice-based PEKS define two -ary lattices and a coset as follows:
schemes that are secure against IKGA by restricting the cipher- • Λ (A) := {y ∈ Z ⊤
| ∃ ∈ Z , y = A z mod };
text to be authenticated by the sender. However, our cryptanalysis • Λ (A) := {e ∈ Z | Ae = 0 mod };
⊥
shows that their schemes contain flaws, and therefore, an adversary • Λ u (A) := {e ∈ Z | Ae = u mod }.
can directly obtain the keyword information of the trapdoor. In
addition, Liu et al. [39] introduced a generic PAEKS construction 2.1.2 Discrete Gaussian Distributions. For any positive real num-
and further presented an instantiation based on NTRU lattices. Un- ber , any center c ∈ Z , and any x ∈ Z , we define the Gauss-
fortunately, their system model is not a “pure” public-key setting. ian distribution of D ,c by the probability distribution function
More specifically, their construction requires a trusted authority to ,c (x) := exp(− · ∥x − c∥ 2 / 2 ). Furthermore, for any lattice
Λ ⊂ Z , we define ,c (Λ) := x∈Λ ,c (x). Then, the discrete
Í
assist users in generating their private keys.
2Public-key Authenticated Encryption with Keyword Search: Cryptanalysis, Enhanced Security, and Quantum-resistant Instantiation
Gaussian distribution over lattice Λ with parameter ( , c) is defined kw ≠ kw ′ .
as follows: For any x ∈ Λ, DΛ, ,c (x) := ,c (x)/ ,c (Λ).
Ciphertext Indistinguishability of PEKS. The CI ensures that
2.1.3 Lattices with Trapdoors. Next, we introduce the preimage there is no PPT adversary that can obtain any keyword informa-
sampleable functions and lattice basis delegation technique. tion from the given challenge ciphertext, even if it can adaptively
(1) TrapGen(1 , 1 , ) [4, 43]: For input , , ∈ Z, this prob- query the trapdoor oracle for any keyword, except for the challenge
abilistic polynomial time (PPT) algorithm outputs a pair keyword. This security requirement is modeled by the following
(A ∈ Z × , TA ∈ Z × ), where TA is a basis for Λ ⊥ (A), indistinguishability against the chosen keyword attack (IND-CKA)
such that the following property holds: {A : (A, TA ) ← game of PEKS that is interacted by a challenger C and an adversary
TrapGen(1 , 1 , )} ≈ {A : A ← Z × }. Here, TA is also A.
called a trapdoor of A. • Setup. After receiving a security parameter , C gener-
(2) SamplePre(A, TA, u, ) [24]: For an input matrix A ∈ Z × ates (pkPEKS, skPEKS ) by performing the KeyGen algorithm.
and its trapdoor TA ∈ Z × , a vector u ∈ Z , and param- Then, it sends the public key pkPEKS to A and keeps the
eter ≥ ∥ Tf
p private key skPEKS secret.
A ∥ · ( log( )), this PPT algorithm outputs a
sample t ∈ Z • Phase 1. In this phase, A is allowed to adaptively issue
from a distribution that is statistically close
to DΛ u (A), such that At = u mod . queries to the trapdoor oracle polynomially many times:
for any keyword kw, C generates a trapdoor tdPEKS,kw by
(3) NewBasisDel(A, R, TA, ) [3]: For an input matrix A ∈
performing Trapdoor(skPEKS, kw) and returns tdPEKS,kw to
Z × , a Z -invertible matrix R sampled from the distribu-
A.
tion D × , trapdoor TA , and parameter ∈ R, this PPT
• Challenge. After A terminates the Phase 1, it outputs two
algorithm outputs a short lattice basis TB of Λ ⊥ (B), where
challenge keywords kw ∗0 , kw ∗1 to C. The restriction is that
B = AR−1 .
A never issue these two challenge keywords to the trap-
(4) SampleLeft(A, M, TA, u, ) [2]: For an input matrix A ∈
door oracle. C then randomly chooses a bit ∈ {0, 1} and
Z × and its corresponding trapdoor TA ∈ Z × , a ma-
returns the challenge ciphertext ct∗ to A by performing
trix M ∈ Z × 1 , a vector u ∈ Z , and a parameter ≥ PEKS(pkPEKS, kw ∗ ).
p
∥ Tf
A ∥ · ( log( + 1 )), this PPT algorithm outputs a sam- • Phase 2. A can continue to query the trapdoor oracle as
ple t ∈ Z + 1 from a distribution statistically close to in Phase 1 for any keyword kw, except for the challenge
DΛ ( [A |M]), such that [A|M] · t = u mod . keywords (i.e., kw ∉ {kw ∗0 , kw ∗1 }).
• Guess. Finally, A outputs a bit ′ ∈ {0, 1} as its answer, and
2.2 Public-key Encryption with Keyword wins the game if = ′ .
Search The advantage of A winning the above game is defined as
In this subsection, we recall the definition of PEKS defined by 1
−
Boneh et al. [8]. A PEKS scheme PEKS consists of the following
A ( ) := Pr[ = ′ ] − .
2
four algorithms:
Definition 2.1 (Ciphertext Indistinguishability of PEKS). A PEKS
• KeyGen(1 ): Taking as input a security parameter , this scheme is called CI (or IND-CKA) if, for any PPT adversary A,
PPT algorithm outputs a pair of keys (pkPEKS, skPEKS ), − ( ) is negligible.
where pkPEKS is the public key and skPEKS is the private A
key.
2.3 Labelled Public-key Encryption Scheme
• PEKS(pkPEKS, kw): Taking as input the public key pkPEKS
and a keyword kw, this PPT algorithm outputs a searchable A labelled public-key encryption (PKE) scheme can be viewed as
ciphertext ctPEKS,kw related to the keyword kw. the variant of PKE. As described in [1], a labelled PKE scheme PKE
• Trapdoor(skPEKS, kw ′ ): Taking as input the private key consists of the following three algorithms:
skPEKS and a keyword kw ′ , this PPT algorithm outputs a • KeyGen(1 ): Taking as input a security parameter , this
trapdoor tdPEKS,kw′ related to keyword kw ′ . PPT algorithm outputs a pair of keys (ekPKE, dkPKE ), where
• Test(ctPEKS,kw , tdPEKS,kw′ ): Taking as input the searchable ekPKE is the public encryption key and dkPKE is the private
ciphertext ctPEKS,kw and trapdoor tdPEKS,kw′ , this determin- decryption key.
istic algorithm outputs 1 if ctPEKS,kw and tdPEKS,kw′ are re- • Encrypt(ekPKE, label, mPKE ; ): Taking as input the public
lated to the same keyword (i.e., kw = kw ′ ); otherwise, it encryption key ekPKE , a label label, a plaintext mPKE , and
outputs 0. a randomness , this PPT algorithm outputs a ciphertext
Correctness. For any security parameter , any hon- ctPKE .
estly generated key pairs (pkPEKS, skPEKS ), any keywords • Decrypt(dkPKE, label, ctPKE ): Taking as input the private de-
kw, kw ′ , any ciphertext ctPEKS,kw ← PEKS(pkPEKS, kw), and cryption key dkPKE , a label label, and a ciphertext ctPKE , this
any trapdoor tdPEKS,kw′ ← Trapdoor(skPEKS, kw ′ ), then deterministic algorithm outputs a plaintext mPKE or ⊥.
Pr[Test(ctPEKS,kw , tdPEKS,kw′ ) = 1] = 1 − negl( ) when kw = kw ′ In addition, it must to satisfy the following correctness and se-
and Pr[Test(ctPEKS,kw , tdPEKS,kw′ ) = 0] = 1 − negl( ) when curity.
3Zi-Yuan Liu, Yi-Fan Tseng, Raylin Tso, Masahiro Mambo, and Yu-Chi Chen
• Correctness: For any security parameter , any pair of keys • Hash(hk, lpar, ): Taking as input a hashing key hk, the lan-
(dkPKE, ekPKE ) ← KeyGen(1 ), any label label, any plain- guage parameter lpar and a word ∈ Xlpar , this determin-
text mPKE , any randomness , and any ciphertext ctPKE ← istic algorithm outputs a hash value H ∈ {0, 1} for some
Encrypt(ekPKE, label, mPKE ; ), a labelled public-key encryp- ∈ N.
tion scheme is correct if Pr[Decrypt(dkPKE, label, ctPKE ) = • ProjHash(hp, lpar, , ): Taking as input a projection key
mPKE ] = 1 − negl( ). hp, the language parameter lpar, a word ∈ ℒ elpar , and a
• IND-CPA/IND-CCA1/IND-CCA2 security: Informally, we witness (i.e., ( , ) = 1), this deterministic algorithm
f
say that a labelled public-key encryption scheme has indis-
outputs a projected hash value pH ∈ {0, 1} for some ∈ N.
tinguishability against chosen-plaintext attacks (IND-CPA)
if there is no adversary that can obtain any information An approximate word-independent SPHF scheme has to fulfill
about the challenge plaintext. Suppose that the adversary is the following properties:
allowed to query the decryption oracle for any ciphertext, • Approximate correctness: For a word ∈
except for the challenge ciphertext, then the scheme has ℒelpar and its corresponding witness , we
indistinguishability against chosen-ciphertext attacks (IND- say SPHF is -approximate correctness if
CCA2). Furthermore, if the IND-CCA2 security restricts the Pr[HD(Hash(hk, lpar, ), ProjHash(hp, lpar, , )) >
adversary from continuously querying the oracles after ob- · ] ≤ negl( ), where HD(·, ·) outputs the Hamming
taining the challenge ciphertext, we call it IND-CCA1 secu- distance of two input values. In addition, if an approximate
rity. SPHF is 0-correct, then it is called SPHF.
• Smoothness: For a word ∉ ℒ elpar , the hash value H is
2.4 Smooth Projective Hash Functions statistically indistinguishable from a random element chosen
The SPHF was first introduced by Cramer and Shoup [17] to trans- from {0, 1} for some ∈ N.
form an IND-CPA secure encryption scheme into IND-CCA2 se- In addition to these two properties, to prove the security of the
curity. Informally, SPHF is defined for an NP language L over a proposed generic construction, we need another property called
domain X that contains two keyed algorithms, namely Hash and pseudo-randomness:
ProjHash that take as input the hashing key hk and a projection
key hp, respectively. The important property of SPHF is as follows: • Pseudo-randomness: For a word ∈ ℒ elpar , the hash value
for a word ∈ L, the outputs of both algorithms are indistinguish- H is indistinguishable from a random element chosen from
able, while for a word ∉ L, the outputs of Hash algorithms are {0, 1} for some ∈ N.
statistically indistinguishable with a random element. In fact, an (approximate word-independent) SPHF does not need
Various extended definitions of SPHF are also introduced to this property or even satisfy it. However, if the language for the
achieve password-based authenticated key exchange schemes [10, (approximate word-independent) SPHF is labelled CCA-secure ci-
19, 23, 25, 29, 32]. In this work, we focused on the stronger type phertext, it is easily satisfied because the ciphertexts are based on
of SPHF, called “word-independent” SPHF defined by Katz and hard-on-average problems [35].
Vaikuntanathan [33, 34]. Compared with general SPHF, the ProjKG
algorithm in word-independent SPHF does not require a word as 3 DEFINITION AND SECURITY MODELS OF
its input. The following formally define the languages and word-
PAEKS
independent SPHF.
We first consider a family of languages (ℒlpar,ltrap )lpar,ltrap in- Public-key authenticated encryption with keyword search (PAEKS),
dexed by some language parameter lpar and some language trap- first introduced by Huang and Li [27], can be viewed as inheriting
door ltrap, together with a family of NP language ( ℒ elpar )lpar in- the existed PEKS scheme [8] but additionally satisfies TP. Next,
we will review the definition and security requirements of PAEKS
dexed by some parameter lpar, with witness relation flpar , such
defined in [27].
that ℒlpar = { ∈ Xlpar | ∃ , lpar ( , ) = 1} ⊆ (ℒlpar,ltrap ) ⊆
e f
Xlpar , where (Xlpar )lpar is a family of sets and the parameter lpar is 3.1 Definition of PAEKS
generated by a polynomial-time algorithm Setup.lpar(1 ) for some
A PAEKS scheme PAEKS consists of the following six algorithms:
security parameter . We suppose that the membership in Xlpar
and flpar can be checked in polynomial time by the given lpar, and • Setup(1 ): Taking as input a security parameter , this PPT
that the membership in ℒlpar,ltrap by the given lpar and ltrap. algorithm outputs a public parameter pp.
• KeyGen (pp): Taking as input the public parameter pp,
Then, let ( ℒelpar ⊆ ℒlpar,ltrap ⊆ Xlpar )lpar,ltrap be the languages
this PPT algorithm outputs a pair of public/private keys
defined as above. An approximate word-independent SPHF scheme
(pk , sk ) of the sender.
SPHF for these languages consists of the following four algorithms:
• KeyGen (pp): Taking as input the public parameter pp,
• HashKG(lpar): Taking as input a language parameter lpar, this PPT algorithm outputs a pair of public/private keys
this PPT algorithm outputs a hashing key hk. (pk , sk ) of the receiver.
• ProjKG(hk, lpar): Taking as input a hashing key hk and the • PAEKS(pp, pk , sk , pk , kw): Taking as input the public pa-
language parameter lpar, this PPT algorithm outputs a pro- rameter pp, the public key pk and private key sk of the
jection key hp. sender, the public key pk of the receiver, and a keyword
4Public-key Authenticated Encryption with Keyword Search: Cryptanalysis, Enhanced Security, and Quantum-resistant Instantiation
kw, this PPT algorithm outputs a searchable ciphertext ctkw • Phase 2. A can continue to query the oracles as in Phase 1
related to the keyword kw. for any keyword kw, except for the challenge keywords (i.e.,
• Trapdoor(pp, pk , pk , sk , kw ′ ): Taking as input the public kw ∉ {kw ∗0 , kw ∗1 }).
parameter pp, the public key pk of the sender, the public key • Guess. Finally, A outputs a bit ′ ∈ {0, 1} as its answer and
pk and the private key sk of the receiver, and a keyword wins the game if = ′ .
kw ′ , this PPT/deterministic algorithm outputs a trapdoor The advantage of A winning the above game is defined as
tdkw′ related to the keyword kw ′ .
− 1
• Test(ctkw , tdkw′ ): Taking as input the searchable ciphertext
A ( ) := Pr[ = ′ ] − .
2
ctkw and trapdoor tdkw′ , this algorithm outputs 1 if ctkw
and tdkw′ are related to the same keyword (i.e., kw = kw ′ ); Definition 3.1 (Ciphertext Indistinguishability of PAEKS). A
otherwise, it outputs 0. PAEKS scheme satisfies CI (or called IND-CKA secure) if, for any
PPT adversary A, − ( ) is negligible.
A
Correctness. For any security parameter , any hon-
estly generated key pairs of the sender (pk , sk ) and IND-IKGA Game of PAEKS:
receiver (pk , sk ), any keywords kw, kw ′ , any cipher- • Setup. Like the IND-CKA game, C generates the public
text ctkw ← PAEKS(pp, pk , sk , pk , kw), and any parameter pp and public/private key pairs (pk , sk ) and
trapdoor tdkw′ ← Trapdoor(pp, pk , pk , sk , kw ′ ), (pk , sk ) of the sender and the receiver. Then, it sends
Pr[Test(ctkw , tdkw′ ) = 1] = 1 − negl( ) when kw = kw ′ (pp, pk , pk ) to A.
and Pr[Test(ctkw , tdkw′ ) = 0] = 1 − negl( ) when kw ≠ kw ′ . • Phase 1. Like the IND-CKA game, A is allowed to adap-
tively issue queries to O and O polynomially many times.
• Challenge. After A terminates Phase 1, it outputs two
3.2 Security Requirements of PAEKS challenge keywords kw ∗0 , kw ∗1 to C. The restriction is that
A secure PAEKS scheme should satisfy ciphertext indistinguisha- A never issue the queries to O and O for these two chal-
bility (CI) and trapdoor privacy (TP). Informally, the notion of CI, lenge keywords. C then randomly chooses a bit ∈ {0, 1}
first proposed by Boneh et al. [8], aims to ensure that there is no and returns the challenge trapdoor td∗ to A by performing
PPT adversary that can obtain any knowledge of the keyword from Trapdoor(pp, pk , pk , sk , kw ∗ ).
the ciphertext. While the concept of TP, first introduced by Byun • Phase 2. A can continue to query the oracles as in Phase 1
[9] in 2006, aims to ensure that there is no PPT (inside) adversary for any keyword kw, except for the challenge keywords (i.e.,
can obtain any knowledge of the keyword from the trapdoor. kw ∉ {kw ∗0 , kw ∗1 }).
These two requirements are formally modeled by the following • Guess. Finally, A outputs a bit ′ ∈ {0, 1} as its answer and
IND-CKA game and indistinguishability against IKGA (IND-IKGA) wins the game if = ′ .
game, respectively, interacted with a challenger C and an adversary
The advantage of A winning the above game is defined as
A.
1
A − ( ) := Pr[ = ′ ] − .
IND-CKA Game of PAEKS: 2
Definition 3.2 (Trapdoor Privacy of PAEKS). A PAEKS scheme
• Setup. After receiving a security parameter , C generates
satisfies TP (or called IND-IKGA secure) if, for any PPT adversary
the public parameter pp by executing the Setup algorithm.
A, A − ( ) is negligible.
Then, it executes the KeyGen and KeyGen algorithms to
obtain the public/private key pairs (pk , sk ) and (pk , sk ) To enhance the security requirements of PAEKS, Qin et al. [49]
of the sender and the receiver, respectively. Finally, it sends introduced the notion called multi-ciphertext indistinguishability
(pp, pk , pk ) to A. (MCI). This notion aims to ensure that there is no PPT adversary
• Phase 1. In this phase, A is allowed to adaptively issue that can distinguish two tuples of challenge ciphertexts. In addition,
queries to the following two oracles polynomially many Pan and Li [48] considered a concept similar to TP, called multi-
times. trapdoor privacy (MTP), to ensure that there is no PPT adversary
– Ciphertext Oracle O : For any keyword kw, C gen- that can distinguish two tuples of challenge trapdoors. Although we
erates a searchable ciphertext ctkw by performing do not consider multi-setting of the security requirements as in [49]
PAEKS(pp, pk , sk , pk , kw) and returns ctkw to A. and [48], we introduce Theorem 3.3 to show that if the PAEKS and
– Trapdoor Oracle O : For any keyword kw, Trapdoor algorithms of a secure PAEKS scheme are probabilistic,
C generates a trapdoor tdkw by performing then this scheme satisfies MCI and MTP.
Trapdoor(pp, pk , pk , sk , kw) and returns tdkw to
Theorem 3.3. Suppose that a PAEKS scheme satisfies CI and its
A.
PAEKS algorithm is probabilistic, then the PAEKS scheme satisfies
• Challenge. After A terminates Phase 1, it outputs two
MCI. Similarly, suppose that a PAEKS scheme satisfies TP and its
challenge keywords kw ∗0 , kw ∗1 to C. The restriction is that A
Trapdoor algorithm is probabilistic, then the PAEKS scheme satisfies
never issue the queries to O and O for these two challenge
MTP.
keywords. C then randomly chooses a bit ∈ {0, 1} and
returns the challenge ciphertext ct∗ to A by performing Proof. As the part of TP is similar to CI, we only prove the part
PAEKS(pp, pk , sk , pk , kw ∗ ). of CI. Suppose that an adversary A can break the MCI of a PAEKS
5Zi-Yuan Liu, Yi-Fan Tseng, Raylin Tso, Masahiro Mambo, and Yu-Chi Chen
scheme, then there is a challenger C who can use A as the black Proof. Here, we show how an inside adversary A can retrieve
box algorithm to break the CI of the same PAEKS scheme. the keyword information hidden in the trapdoor. Suppose that A
has received a trapdoor td := tkw ∥ related to some time and
• Setup. Given a tuple of public information (pp, pk , pk ),
keyword kw. It tries to obtain the keyword information via the
C passes this information to A.
following steps:
• Phase 1. On receiving any ciphertext query or trapdoor
query for a keyword kw from A, C queries O for the ci- (1) Because tkw ∥ is generated from the receiver by performing
phertext query and queries O for trapdoor query. Then, it SamplePre(A ∥ · −1 , Tkw ∥ , , ), we know that = A ∥ ·
returns the answer to A. −1
· t kw ∥ = A ∥ · 2 (kw∥ ) −1 · tkw ∥ .
• Challenge. After receiving two tuples of challenge key- (2) Then, A randomly selects a guessed keyword kw ′ to test
words (kw ∗0,1, · · · , kw ∗0, ) and (kw ∗1,1, · · · , kw ∗1, ), C per-
whether = A ∥ · 2 (kw ′ ∥ ) −1 · tkw ∥ .
?
forms the following steps. It randomly chooses a tuple
(3) If the equation in Step 2 holds, A outputs kw ′ as its guess;
(kw ∗0, , kw ∗1, ) for some such that kw ∗0, ≠ kw ∗1, . Then, it
otherwise, A returns to Step 2 and continues to select and
takes this tuple as its challenge keyword and receives a
test other keywords.
challenge ciphertext ct∗ . In addition, it randomly chooses
− 1 elements ( 1, · · · , −1, +1, · · · , ) from the out- Therefore, by a brute force attack, there is a high probability that
put space of the PAEKS algorithm. Finally, it returns A can obtain the keyword related to the trapdoor as the keyword
( 1, · · · , −1, ct∗, +1, · · · , ) as the challenge ciphertext for space is limited. □
A.
• Phase 2. A can continue to query the oracles as in Phase 1 Lemma 4.2. Zhang et al.’s [62] proxy-oriented identity-based PEKS
for any keyword kw, except for the challenge keywords (i.e., scheme is vulnerable to IKGA.
kw ≠ kw , ∗ ) for ∈ {0, 1} and ∈ {1, }.
• Guess. A finally outputs a bit ′ , then C takes A’s answer Proof. Let id and id be two identities of the proxy and the
as its answer. receiver, respectively. Here, we show that how the inside adversary
A can retrieve the keyword information hidden in the trapdoor.
As ct∗ is C’s challenge ciphertext and the PAEKS algorithm is Suppose that A has received a trapdoor td := dkw related to some
probabilistic, for the view of A, ( 1, · · · , −1, ct∗, +1, · · · , ) is keyword kw. It tries to obtain the keyword information via the
the same as the truly ciphertext. Therefore, suppose A’s answer following steps:
is right, then C can use A’s answer to break the CI of the PAEKS
(1) Because dkw is generated from the receiver by perform-
scheme.
ing SamplePre(Aid −1, Dkw , v, ), we know that v =
The proof for TP is the similar to that for CI, except for the
Aid −1 dkw , where = 4 (id ∥id ∥kw).
challenge part. More concretely, in the part of TP, C is given
(2) Then, A randomly selects a guessed keyword kw ′ and com-
a challenge trapdoor td∗ , instead of a challenge ciphertext ct∗ .
putes ′ = 4 (id ∥id ∥kw ′ ).
In addition, C returns ( 1, · · · , −1, td∗, +1, · · · , ) to A, where
(3) A tests whether v = Aid ′ −1 dkw .
?
( 1, · · · , −1, +1, · · · , ) are randomly chosen from the output
space of the Trapdoor algorithm. Based on the above description, (4) If the equation in Step 3 holds, A outputs kw ′ as its guess;
with the answer of A, C can also take A’s answer as its answer. otherwise, A returns to Step 2 and continues to select and
Therefore, the proof is completed. □ test other keywords.
Therefore, by a brute force attack, there is a high probability that
4 CRYPTANALYSIS OF PREVIOUS A can obtain the keyword related to the trapdoor as the keyword
TRAPDOOR PRIVACY SCHEMES space is limited. □
In this section, we cryptanalyze two lattice-based (variant) PEKS
schemes proposed by Zhang et al. [62] at Inf. Sci. in 2019 and Zhang
5 PROPOSED GENERIC PAEKS
et al. [63] at IEEE Trans. Dependable Secur. Comput. in 2021, respec- CONSTRUCTION
tively. The core idea of these schemes against IKGA is to restrict In this section, we propose a generic PAEKS construction based on
the malicious adversary from adaptively generating ciphertexts for a secure PEKS and SPHF for the language of the labelled CCA2-
any keyword and to further test the trapdoor generated from the re- secure ciphertext. In particular, we require that the underlying PEKS
ceiver. Although these schemes have been proven to satisfy TP (i.e., scheme satisfy CI and that SPHF scheme is word-independent, -
the schemes are secure against IKGA), we show that there exists correct for some negligible , and pseudo-random. The following
an adversary that can easily break the TP in polynomial time by describes how to obtain this generic construction.
randomly choosing keywords, because the trapdoor directly leaks Let PEKS = (KeyGen, PEKS, Trapdoor, Test) be a PEKS with
the keyword information. In the following, we directly present our keyword space KS PEKS , let PKE = (KeyGen, Encrypt, Decrypt)
cryptanalysis by two lemmas. Please refer to Appendix A for Zhang be a labelled public-key encryption scheme with public key space
et al.’s schemes). PKS PKE and plaintext space PS PKE , and let SPHF = (HashKG,
ProjKG, Hash, ProjHash) be the approximate word-independent
Lemma 4.1. Zhang et al.’s [63] forward-secure PEKS scheme is SPHF for the language of the ciphertext defined below.
vulnerable to IKGA.
6Public-key Authenticated Encryption with Keyword Search: Cryptanalysis, Enhanced Security, and Quantum-resistant Instantiation
Language of Ciphertext. Let (lpar, ltrap) = (ekPKE, dkPKE ), Let ctkw be the searchable ciphertext related with the keyword kw
where ekPKE ∈ PKS PKE and dkPKE is its corresponding decryption generated by the sender, and tdkw′ be the trapdoor related with the
key. We define the language of ciphertext as follows: keyword kw ′ generated by the receiver.
ℒe = {(label, ctPKE, mPKE ) | ∃ , ctPKE = Encrypt(ekPKE, label, mPKE ; )}; As the underlying SPHF is -correct for some = negl( ), it
follows that
ℒ = {(label, ctPKE, mPKE ) | Decrypt(dkPKE, label, ctPKE ) = mPKE, }
H = SPHF.Hash(hk , mpk, (ctPKE, , mPKE ))
where the witness relation f is implicitly defined as:
((label,
f ctPKE, mPKE ), ) = 1 if and only if ctPKE = = SPHF.ProjHash(hp , mpk, (ctPKE, , mPKE ), ) = pH ;
Encrypt(ekPKE, label, mPKE ; ). H = SPHF.Hash(hk , mpk, (ctPKE, , mPKE ))
= SPHF.ProjHash(hp , mpk, (ctPKE, , mPKE ), ) = pH .
Construction. The whole construction is described as follows:
• Setup(1 ): It first generates (ekPKE, dkPKE ) ← Therefore, H ⊕ pH = H ⊕ pH holds. Clearly, if kw = kw ′ , then
PKE.KeyGen(1 ). Then, it randomly chooses a der-kw = 2 (kw, H ⊕ pH ) = 2 (kw ′, H ⊕ pH ) = der-kw ′ ,
plaintext mPKE ← PS PKE and a label label ← and therefore, ctPKES,der-kw and tdPEKS,der-kw′ are related
∗
{0, 1} . It also chooses two secure hash functions to the same extended keyword. As the underlying PEKS
∗
1 : PKS PKE × PS PKE × {0, 1} → PKS PKE and scheme is correct, PAEKS.Test(pp, ctkw , tdkw′ ) = 1 holds with
2 : KS PEKS × {0, 1}∗ → KS PEKS . In addition, it computes overwhelming probability. In contrast, if kw ≠ kw ′ , then
mpk = 1 (ekPKE, mPKE, label). Finally, it outputs the public der-kw = 2 (kw, H ⊕ pH ) ≠ 2 (kw ′, H ⊕ pH ) = der-kw ′ ,
parameter pp := ( , mpk, ekPKE, mPKE, label, 1, 2 ). and therefore, ctPKES,der-kw and tdPEKS,der-kw′ are re-
• KeyGen (pp): It first checks whether mpk = lated to different extended keywords. Consequently,
1 (ekPKE, mPKE, label). If the equation is not PAEKS.Test(pp, ctkw , tdkw′ ) = 0 holds with overwhelming
satisfied, it terminates. Otherwise, it performs probability.
hk ← SPHF.HashKG(mpk) and hp ←
SPHF.ProjKG(hk , mpk). Then, it generates Security Analysis. Below, we detail the rigorous security proofs
ctPKE, ← PKE.Encrypt(mpk, label, mPKE ; ), where of the proposed generic construction. By adopting the sequence-
is the witness randomly selected such that of-games strategy, Theorem 5.1 and Theorem 5.2 indicate that the
construction satisfies CI and TP under the standard model, respec-
((label, ctPKE, , mPKE ), ) = 1 is satisfied. Finally,
f
tively. More concretely, we construct a sequence of games: the first
it outputs the public key pk := (hp , ctPKE, ) and private
game is identical to the real attack game and A can only distin-
key sk := (hk , ) of the sender.
guish these games with a negligible advantage. For simplicity, let
• KeyGen (pp): It first checks whether mpk = Game
1 (ekPKE, mPKE, label). If the equation is not A
( ) denote the advantage of A in game Game , where
satisfied, it terminates. Otherwise, it performs ∈ [0, ]. Furthermore, Theorem 5.3 shows that the proposed con-
hk ← SPHF.HashKG(mpk) and hp ← struction satisfies MCI and MTP.
SPHF.ProjKG(hk , mpk). Then, it generates
Theorem 5.1. The proposed generic PAEKS construction satisfies
ctPKE, ← PKE.Encrypt(mpk, label, mPKE ; ), where
CI under the standard model if the underlying SPHF scheme satisfies
is the witness randomly selected such that
pseudo-randomness.
((label,
f ctPKE, , mPKE ), ) = 1 is satisfied. In addition, it
generates (pkPEKS, skPEKS ) ← PEKS.KeyGen(1 ). Finally, Proof. This proof consists of four games, illustrated as follows:
it outputs the public key pk := (hp , ctPKE, , pkPEKS ) and Game0 : This game is identical to the real IND-CKA game defined
private key sk := (hk , , skPEKS ) of the receiver. in Section 3.2. Suppose that the advantage of A in this game is
• PAEKS(pp, pk , sk , pk , kw): It runs H ←
defined as Game
A
0
( ) := . In addition, to simulate a real view
SPHF.Hash(hk , mpk, (ctPKE, , mPKE )) and pH ←
for A, on receiving the query for some keyword kw from A, the
SPHF.ProjHash(hp , mpk, (ctPKE, , mPKE ), ). Then, it
challenger C responds as follows:
computes der-kw = 2 (kw, H ⊕ pH ) and generates
ctPKES,der-kw ← PEKS.PEKS(pkPEKS, der-kw ). Finally, it • O : For keyword kw, C computes ctkw ←
outputs a searchable ciphertext ctkw := ctPKES,der-kw . PAEKS(pp, pk , sk , pk , kw) and returns ctkw to A.
• Trapdoor(pp, pk , pk , sk , kw ′ ): It runs H = • O : For keyword kw, C computes tdkw ←
SPHF.Hash(hk , mpk, (ctPKE, , mPKE )) and pH = Trapdoor(pp, pk , pk , sk , kw) and returns tdkw to
SPHF.ProjHash(hp , mpk, (ctPKE, , mPKE ), ). Then, it A.
computes der-kw ′ = 2 (kw ′, H ⊕ pH ) and generates Game1 : This game is identical to Game0 , except for the
tdPEKS,der-kw′ ← PEKS.Trapdoor(skPEKS, der-kw ′ ). generation of the challenge ciphertext ct∗ in the Chal-
Finally, it outputs a trapdoor tdkw′ := tdPEKS,der-kw . lenge phase. More concretely, instead of generating H ←
• Test(pp, ctkw , tdkw′ ): It outputs the result of SPHF.Hash(hk , mpk, (ctPKE, , mPKE )), C randomly chooses H
PEKS.Test(ctkw , tdkw′ ). from the output space of the SPHF.Hash algorithm. Because of the
Correctness. Suppose that the public parameter pp and the pub- pseudo-randomness of the underlying SPHF scheme, A cannot
lic/private key pairs (pk , sk ), (pk , sk ) are honestly generated. distinguish the view between Game0 and Game1 . Therefore, we
7Zi-Yuan Liu, Yi-Fan Tseng, Raylin Tso, Masahiro Mambo, and Yu-Chi Chen
obtain information about the challenge keywords (kw ∗0 , kw ∗1 ) given by A.
| Game
A
1
( ) − Game
A
0
( )| ≤ negl( ). The only way for A is to guess. Therefore, we have
Game2 : This game further changes the generation of the chal- Game
A
3
( ) = 0.
lenge ciphertext ct∗ in the Challenge phase. In this game, der-kw Finally, combining the above games, we have ≤ negl( ). The
is chosen from KS PEKS , instead of by computing der-kw ← proof is now complete. □
2 (kw ∗ , H ⊕ pH ) for ∈ {0, 1}. As H is randomly chosen,
the output of 2 (kw ∗ , H ⊕ pH ) is random. Therefore, A cannot Theorem 5.3. The proposed generic PAEKS construction further
distinguish the view between Game1 and Game2 . Consequently, satisfies MCI and MTP if the PEKS and Trapdoor algorithms of the
we obtain underlying PEKS scheme are probabilistic.
| Game
A
2
( ) − Game
A
1
( )| ≤ negl( ). Proof. In the proposed construction, the PAEKS and Trapdoor
algorithms actually perform the PEKS and Trapdoor algorithms of
Game3 : This game is the last game. Because the chal- the underlying PEKS scheme. To the best of our knowledge, for
lenge ciphertext ct∗ = ctPKES,der-kw is generated from the current well-known PEKS schemes (e.g., [6, 8, 28]), the PEKS
PEKS.PEKS(pkPEKS, der-kw ) and der-kw is now randomly cho- and Trapdoor algorithms are probabilistic. Hence, by combining
sen from KS PEKS , the challenge ciphertext does not contain any the result of Theorem 3.3, the proposed construction satisfies MCI
information about the challenge keywords (kw ∗0 , kw ∗1 ) given by A. and MTP. □
The only way for A is to guess. Therefore, we have
Game3
( ) = 0.
6 LATTICE-BASED INSTANTIATION
A
In this section, we propose the first quantum-resistant PAEKS in-
Finally, combining the above games, we have ≤ negl( ). The stantiation based on lattices. This instantiation leverages three
proof is completed. □ lattice-based building blocks and inherits their securities to be
secure against quantum attacks. More concretely, we adopt the
Theorem 5.2. The proposed generic PAEKS construction satisfies labelled IND-CCA2-secure PKE scheme introduced by Micciancio
TP under the standard model if the underlying SPHF scheme satisfies and Peikert [43], the word-independent SPHF introduced by Ben-
pseudo-randomness. hamouda et al. [7], and the PEKS scheme introduce by Behnia et
al. [6]. Note that, for simplicity, we only provide the description
Proof. This proof is similar to the proof of Theorem 5.1, again
of the weaker version (IND-CCA1) of the PKE scheme [43] in the
with four games.
following instantiation. Before introducing our instantiation, we
Game0 : This game is identical to the real IND-IKGA game defined
define some important notations. Let R be a ring and U be a sub-
in Section 3.2. Suppose that the advantage of A in this game is
set of R × of invertible elements. In addition, let G = I ⊗ g⊤ be
defined as Game 0
( ) := . In addition, the view simulated by the
A the gadget matrix defined in [43], where g⊤ = [1, 2, · · · , 2 ] and
challenger C is the same as that in Game0 in the proof of Theorem
= ⌈log ⌉ − 1. We also define the encoding function Encode( ∈
5.1.
{0, 1}) = · (0, · · · , 0, ⌈ /2⌉) ⊤ and the deterministic rounding func-
Game1 : This game is identical to Game0 , except for the
tion R( ) = ⌊2 / ⌉ mod 2. Finally, let ℎ be an injective ring homo-
generation of the challenge trapdoor td∗ in the Chal-
morphism from R to Z × .
lenge phase. More concretely, instead of generating
The whole instantiation is described as follows:
H ← SPHF.Hash(hk , mpk, (ctPKE, , mPKE )), C randomly
chooses H from the output space of the SPHF.Hash algorithm. • Setup(1 ): Given a security parameter and the parameters
Because of the pseudo-randomness of the underlying SPHF scheme, , , , 1, 2, (set as instructed in the following parameter
A cannot distinguish the view between Game0 and Game1 . selection part), this algorithm first chooses , , ℓ = ploy( ),
Therefore, we obtain computes (ekPKE := A0, dkPKE := T) ← TrapGen(1 , 1 , ),
and sets mPKE := m = 1 2 · · · ∈ {0} . Then, it
| Game
A
1
( ) − Game
A
0
( )| ≤ negl( ). randomly chooses element label := ← U and two se-
cure hash functions 1 : Z × × {0, 1} × U → Z × ,
Game2 : This game further changes the generation of the chal-
lenge trapdoor td∗ in the Challenge phase. In this game, der-kw 2 : {1, −1}ℓ × {0, 1} → {1, −1}ℓ , and chooses an in-
is chosen from KS PEKS , instead of by computing der-kw ← jective ring homomorphism ℎ : R → Z × . It also com-
2 (kw ∗ , H ⊕ pH ) for ∈ {0, 1}. As H is randomly chosen, putes mpk := A = 1 (A0, m, ) ∈ Z × . Finally, it out-
the output of 2 (kw ∗ , H ⊕ pH ) is random. Therefore, A cannot puts pp := ( , , , , 1, 2, , , ℓ, ekPKE := A0, mpk :=
distinguish the view between Game1 and Game2 . Consequently, A, mPKE := m, label := , 1, 2, ℎ).
we obtain • KeyGen (pp): Given the public parameter pp, this algorithm
first checks whether A = 1 (A0, m, ). Then, it computes
| Game
A
2
( ) − Game
A
1
( )| ≤ negl( ). A = A + [0; Gℎ( )], randomly chooses a matrix hk :=
k ← ⊤
Game3 : This game is the last game. Because the chal- Z, , and computes hp := p = A · k ∈ Z , where
lenge trapdoor td∗ = tdPKES,der-kw is generated from ≥ (Λ⊥ (A )) for some = negl( ). For = 1, · · · , , it
PEKS.PEKS(pkPEKS, der-kw ) and der-kw is now randomly cho- randomly chooses vectors s , ← Z and e , ← Z, (re-
√
sen from KS PEKS , the challenge trapdoor does not contain any select e , if ∥e , ∥ > 2 ), and computes c , ← A ⊤ · s , +
8Public-key Authenticated Encryption with Keyword Search: Cryptanalysis, Enhanced Security, and Quantum-resistant Instantiation
√ p
e , +Encode( ) mod , where = 1 · ( log . Finally, • Test(pp, ctkw , tdkw′ ): Given the public parameter pp, the
it outputs the public key pk := (hp := p , ctPKE, := searchable ciphertext ctkw , and the trapdoor tdkw′ , this al-
{c , } =1 ) and the private key sk := (hk := k , := gorithm runs as follows. For = 1, · · · , , it first com-
{s , } =1 ) of the sender. putes ← 0 − tdk c1 ∈ Z . It also checks whether
• KeyGen (pp): Given the public parameter pp, this algorithm | − ⌊ /2⌋| < ⌊ /4⌋; it yes, it sets = 1, and otherwise,
first checks whether A = 1 (A0, m, ). Then, it computes = 0. Then, If = for all = 1, · · · , , it outputs 1; else,
A = A + [0; Gℎ( )], randomly chooses a matrix hk := it outputs 0.
k ← ⊤
Z, , and computes hp := p = A · k ∈ Z , where Correctness. To ensure that the construction works correctly,
⊥
≥ (Λ (A )) for some = negl( ). For = 1, · · · , , there are two situations that need to be satisfies:
it randomly chooses vectors s , ← Z and e , ← • If kw = kw ′ , the sender and the receiver obtain the same
√ Z,
(re-select e , if ∥e , ∥ > 2 ), and computes c , ← A ⊤ · derived keyword (i.e., der-kw = der-kw ).
√ p
s , + e , + Encode( ) mod , where = 1 · ( log . • If ctkw and tdkw′ are related to the same derived keyword,
In addition, it generates (B , S ) ← TrapGen(1 , 1 , ), and then the Test algorithm outputs 1.
selects ℓ + 1 random matrices B ,1, · · · , B ,ℓ , C ← Z × We first consider the first situation by Lemma 6.1 followed by
and a random vector r ← Z . Finally, it outputs the pub- the description in [7]. That is, if the norm of the first error term is
lic key pk := (hp := p , ctPKE, := {c , } =1, pkPEKS := less than , then dk = dk .
{B , {B , } =1ℓ , C , r }) and the private key sk := (hk :=
Lemma 6.1 (Suppose the norm of the first error terms
k , := {s , } =1, skPEKS := S ) of the receiver. ⊤ · k and e⊤ · k ) is less than , then dk = dk ).
(e , , , ,
• PAEKS(pp, pk , sk , pk , kw): Given the public parameter
pp, the public key pk and the private key sk of the Proof. For = 1, · · · , , we have
sender, the public key pk of the receiver, and a keyword ⊤
ℎ , = R(c , · k , (mod ))
kw ∈ {1, −1}ℓ , this algorithm run as follows. For = 1, · · · , , ⊤ ⊤
it computes H := ℎ , = R(c , ⊤ · k (mod )), com- = R((s , · A ) · k , + e , · k , (mod ))
⊤
putes pH := , = R(s , · p (mod )), and computes
| {z }
first error term
, = ℎ , · , . Then, it sets y = ,1 ,2 · · · , ∈ {0, 1} . ⊤
= R(s , · A ) · k , (mod )) = , ;
It computes der-kw := dk = (dk ,1 dk ,2 · · · dk ,ℓ ) =
2 (kw, y ) ∈ {1, −1}ℓ . To generate a searchable cipher-
text for the derived keyword der-kw , it runs the follow- ⊤
Íℓ ℎ , = R(c , · k , (mod ))
ing steps. It computes Bdk ← C + =1 B , and Fdk ← ⊤ ⊤
×2
= R((s , · A ) · k , + e , · k , (mod ))
(B |Bdk ) ∈ Z . For = 1, · · · , , it performs three | {z }
steps: (i) it chooses ← {0, 1}, chooses a random s ← Z first error term
and matrices R ← {1, −1} × for = 1, · · · , ℓ, and sets ⊤
= R(s , · A ) · k , (mod )) = , .
Íℓ
R̄ ← =1 dk , R ∈ {−ℓ, · · · , ℓ } × ; (ii) it chooses noise Therefore, for = 1, · · · , , , = ℎ , · , = ℎ , · , = , .
Ψ̄ Ψ̄
vectors ←−− Z and y ←−−− Z
and sets z ← R̄⊤ ∈ Then, we have y = y . □
, y
⊤
Z ; (iii) it sets 0 ← r s + + ⌊ /2⌋ ∈ Z and As y = y and kw = kw ′ , we have der-kw = dk =
y 2 (kw, y ) = 2 (kw ′, y ) = dk = der-kw .
c1 ← F⊤ s + ∈ Z 2 . Finally, it outputs a searchable
dk z Then, we consider the second situation in which the Test algo-
ciphertext ctkw := (ctPEKS,der-kw := { 0 , c1 , } =1 ). rithm will output a correct answer: For all = 1, · · · , , we have
′
• Trapdoor(pp, pk , pk , sk , kw ): Given the public param-
y
= 0 − tdk c1 = r ⊤ s + + ⌊ /2⌋ − tdk (F⊤ s
dk + )
eter pp, the public key pk of the sender, the public z
key pk and private key sk of the receiver, and a key- = ⌊ /2⌋ + − t⊤
word kw ′ ∈ {1, −1}ℓ , this algorithm runs as follows. For dk y z .
| {z }
= 1, · · · , , it computes H := ℎ , = R(c , ⊤ · k
second error term
⊤
(mod )), computes pH := , = R(s , · p (mod )), According to Lemma 22 in [2], if the p norm of the second error
and computes , = ℎ , · , . Then, it sets y = term is bounded by · 2 · ℓ · · · ( log ) + O (ℓ 2 3/2 ) ≤ /5,
,1 ,2 · · · , ∈ {0, 1} . It computes der-kw := dk = then can be obtained correctly. Hence, we have = for
(dk ,1 dk ,2 · · · dk ,ℓ ) = 2 (kw ′, y ). To generate a trap- = 1, · · · , if the derived keywords are the same.
door ciphertext for the derived keyword der-kw , it com-
Íℓ
putes Bdk ← C + =1 B , and sample tdPEKS,der-kw := Parameter Selection. For the system to work correctly, the pa-
tdk ← SampleLeft(B , Bdk , S , r , 2 ). Finally, it outputs rameters have the following restrictions [2, 7, 43]: p
(i) > 5 log
tdtw′ := (tdPEKS,der-kw := tdk ). so TrapGen can operate [43]; (ii) > 1 3/2 ( log ) so that
y = y (iii) < [ 2 ℓ ( log )] −1 and = Ω( 2 3/2 ) so
p
√
that the second error term is bounded by /5; (iii) 1 = 2 and
√
> 2 / so that Regev’s reduction [50, 51] can operate; (iv)
9Zi-Yuan Liu, Yi-Fan Tseng, Raylin Tso, Masahiro Mambo, and Yu-Chi Chen Security. The security of the proposed instantiation is directly based on the underlying schemes. As the language of Benhamouda et al.’s word-independent SPHF scheme [7] is for the ciphertext of the labelled IND-CCA2 PKE scheme [43], the word of the scheme is a ciphertext. Therefore, this SPHF trivially satisfies pseudo- randomness. In addition, the PEKS and Trapdoor algorithms in Behnia et al.’s PEKS scheme [6] are probabilistic. On the basis of Theorem 5.3, we obtain the following theorem: Theorem 6.2. The proposed lattice-based PAEKS scheme satisfies MCI and MTP under the standard model. 7 COMPARISON In this section, we present a comparison of our lattice-based instan- (a) Encrypting keywords tiation with other PEKS/PAEKS schemes (i.e., BOC+ 04 [8], HL17 [27], ZTW+ 19 [62], QCH+ 20 [49], BOY20 [6], ZXW+ 21 [63], and LTT+ 21 [39]) in terms of security properties, computation complex- ity, computation cost, and communication cost. Table 1 presents a comparison of the seven properties of each scheme, namely CI, MCI, TP, MTP, quantum-resistance (QR), standard model (SM), and no trusted authority (NTA). As we have cryptanalyzed ZTW+ 19 [62] and ZTW+ 21 [63] in the previous section, there are only the QCH+ 20’s [49] and LTT+ 21’s [39] schemes satisfy TP. In addition, only LTT+ 21 [39] provides quantum-resistant instantiation based on the NTRU lattices. However, their solution requires an additional trusted authority to help users generate their private keys, which increases the difficulty of use in practice. To provide higher level security, we removed this requirement. In general, our instantia- tion is the first quantum-resistant PAEKS scheme that satisfies TP (b) Generating trapdoors and MTP under the standard model and does not require a trusted authority. We subsequently conducted two comparisons with three lattice- based schemes (i.e., ZTW+ 19, BOY20, and ZXW+ 21) in terms of computational complexity and communication cost in Table 2 and Table 3, respectively. For simplicity, only five types of time- consuming operations are considered, namely general multiplica- tion ( ), general hash function ( ), SamplePre function ( ), BasisDel function ( ), and SampleLeft function ( ). In addi- tion, Fig. 1 presents the results of the experimental simulation, where the simulation was carried out in the MATLAB language on Windows 10 Enterprise Version 1909 with Inter(R) Core(TM) i7-9700 CPU clocked at 3.00 GHz and 32GB of system memory. To achieve the 80-bit security level, we set the parameters with = 256, = 9753, = 4096, = 10, = 10, ℓ = 10, 1 = 8, 2 = 8, where , are the parameters related to the security parameter (c) Performing tests (i.e., , = poly( )) and ℓ is the length of the keyword. In ad- dition, we adopted the internal .net classes of MATLAB, namely Figure 1: Comparison of Computation Costs with other System.Security.Cryptography.HashAlgorithm to implement Lattice-based PEKS Schemes the SHA256 hash function. As our instantiation adopted BOY20 [6] as the building block, we first analyzed the differences with BOY20 [6]. The results indicated p that our instantiation only required some extra cost in terms of the 2 > ℓ · · ( log ) such that the security proof in [2] and computational cost. In terms of the communication cost, as our in- SampleLeft work correctly. p To achieve√these requirements, p we set stantiation did not require additional elements to meet the required = 6 1+ , = 2.5 · ( log ), 1 = 2 , 2 = ℓ · ( log ), = securities (e.g., TP and MTP), the communication cost was the same [ℓ 2 2 · ( log )] −1 , where > ⌈log ⌉. p as that for BOY20 [6]. In contrast, although our instantiation took approximately twice as long as ZTW+ 19 [62] and ZXW+ 21 [63] to 10
Public-key Authenticated Encryption with Keyword Search: Cryptanalysis, Enhanced Security, and Quantum-resistant Instantiation Table 1: Comparison of security properties with those of PAEKS schemes Schemes CI MCI TP MTP QR SM NTA BOC+ 04 [8] ✓ ✓ ✗ ✗ ✗ ✗ ✓ HL17 [27] ✗ ✗ ✗ ✗ ✗ ✗ ✓ ZTW+ 19 [62] ✓ ✓ ✗ ✗ ✓ ✗ ✗ QCH+ 20 [49] ✓ ✓ ✓ ✗ ✗ ✗ ✓ BOY20 [6] ✓ ✓ ✗ ✗ ✓ ✓ ✓ ZXW+ 21 [63] ✓ ✓ ✗ ✗ ✓ ✗ ✓ LTT+ 21 [39] ✓ ✓ ✓ ✓ ✓ ✗ ✗ Ours ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓: The scheme supports the corresponding feature; ✗: The scheme fails in supporting the corresponding feature. SM: Standard model; QR: Quantum-resistant. NTA: No trusted authority. Table 2: Comparison of Required Operations with those for other Lattice-based PEKS Schemes Schemes Ciphertext Generation Trapdoor Generation Testing ZTW+ 19 [62] 2 + ( + 2 + + ) + + 2 + + + (ℓ + ) BOY20 [6] ( 2 + 2 + + ℓ + 1) ℓ + 2 ZXW+ 21 [63] + ( + 2 + + ) + + 2 + + + (ℓ + ) Ours + ( ( + + 1) + ( 2 + 2 + + ℓ + 1)) + ( ( + + 1) + ℓ) + 2 , : The parameters related to security parameter ; ℓ: The length of the keyword. , , , , and : The running time of a general multiplication, general hash function, SamplePre function, BasisDel function, and SampleLeft function, respectively. Table 3: Comparison of Communication Costs with other 3.3), we demonstrated that the construction further satisfied MCI Lattice-based PEKS Schemes and MTP if the PEKS algorithm and Trapdoor algorithms of the underlying PEKS scheme were probabilistic. Schemes Ciphertext Trapdoor Furthermore, by leveraging Behnia et al.’s [6] lattice-based PEKS scheme, we introduced the first quantum-resistant PAEKS instan- ZTW+ 19 [62] (ℓ + ℓ + )| | | | tiation that not only offered privacy-preserving keyword search BOY20 [6] (| | + 2 | | + 1) 2 | | but also fought against multi-CKA and multi-IKGA. In a compari- ZXW+ 21 [63] (ℓ + ℓ + )| | | | son with the existing quantum-resistant PEKS schemes, the results Ours (| | + 2 | | + 1) 2 | | indicates that although the communication cost increased, our in- stantiation was safer and more suitable for environments with : The parameter related to security parameter; : Dimension; security concerns. : Modules; : The parameter related to security parameter; ℓ: The length of the keyword. ACKNOWLEDGMENTS This research was supported by the Ministry of Science and Tech- generate ciphertexts, the time it took to generate trapdoors and per- nology, Taiwan (ROC), under project numbers MOST 108-2218-E- form tests decreased by approximately 40% and 99%, respectively. 004-002-MY2, MOST 109-2628-E-155-001-MY3, MOST 109-2221-E- In terms of the communication cost, the ciphertext size and the 004-011-MY3, MOST 109-3111-8-004-001-, MOST 110-2218-E-004- trapdoor size of our instantiation were both approximately twice 001-MBK, and MOST 110-2221-E-004-003-. larger than those for ZTW+ 19 [62] and ZXW+ 21 [63]. Although the communication cost increased, we believe that this additional cost is acceptable under the trade-offs of more security and efficiency. REFERENCES [1] Michel Abdalla, Fabrice Benhamouda, and David Pointcheval. 2015. Public-Key Encryption Indistinguishable Under Plaintext-Checkable Attacks. In PKC. 8 CONCLUSION [2] Shweta Agrawal, Dan Boneh, and Xavier Boyen. 2010. Efficient Lattice (H)IBE in the Standard Model. In EUROCRYPT. In this work, we proposed a generic PAEKS construction that could [3] Shweta Agrawal, Dan Boneh, and Xavier Boyen. 2010. Lattice Basis Delegation transform the PEKS scheme to the PAEKS scheme by equipping a in Fixed Dimension and Shorter-Ciphertext Hierarchical IBE. In CRYPTO. pseudo-random SPHF scheme. Our security proofs demonstrated [4] Joël Alwen and Chris Peikert. 2011. Generating Shorter Bases for Hard Random Lattices. Theory Comput. Syst. 48, 3 (2011), 535–553. that this construction satisfied two basic security notations—CI [5] Joonsang Baek, Reihaneh Safavi-Naini, and Willy Susilo. 2008. Public key en- and TP. In addition, on the basis of our theoretical result (Theorem cryption with keyword search revisited. In ICCSA. 11
You can also read
