Improved Searchable Public Key Encryption with Designated Tester

Hyun Sook Rhee, Jong Hwan Park, Willy Susilo, Dong Hoon Lee

Centre for Computer and Information Security Research, University of Wollongong, Australia
Graduate School of Information Management & Security, Korea University, Republic of Korea

ABSTRACT

Recently, Baek et al. proposed an efficient public key encryption scheme with keyword search based on the scheme of Boneh et al. However, the security model of Baek et al. seriously limits the ability of the adversary. In this paper, we enhance the security model of public key encryption with keyword search so that it properly captures the ability of an adversary. We also construct a public key encryption scheme with keyword search that is secure in the enhanced security model.

Categories and Subject Descriptors: E.3 [Data Encryption]: Public key cryptosystems

General Terms: Security

Keywords: Public key encryption with keyword search, Designated Tester, Searchable encryption

1. INTRODUCTION

An encryption scheme with keyword search enables a user to search encrypted data without revealing any information about the data [1, 4, 3, 5]. Boneh et al. [3] first proposed a public key encryption scheme with keyword search (PEKS scheme) for an encrypted email system. In the PEKS scheme, a sender uploads to an email server a ciphertext (an encrypted email along with an encrypted list of keywords). To retrieve the emails containing a keyword $w$, a receiver sends to the server a trapdoor $T_w$ that is a ciphertext of $w$. The email server then tests which ciphertexts are related to $T_w$. Recently, Baek et al. proposed a PEKS scheme with a designated server (dPEKS scheme) [4] that removes the secure channel required in the PEKS of Boneh et al. [3]. In dPEKS, only the server (a designated tester) chosen by a sender is able to perform the test that reveals the relation between a ciphertext and a trapdoor. Unfortunately, Baek et al.'s security model for dPEKS fails to capture attacks in a real environment. First, in their security model, an attacker is only provided with trapdoors, but cannot get the relation between an encrypted mail and a trapdoor. However, in a real environment, a malicious receiver can generate a trapdoor for a keyword of her choice and can obtain the ciphertexts related to that trapdoor by interacting with the email server. Second, an attacker in their model has to reveal her secret key to a third party. This seriously limits the ability of the attacker. In this paper, we enhance the security model for dPEKS and construct a dPEKS scheme that is secure in the enhanced security model. In our enhanced security model, an attacker publishes only her public key without revealing her secret key. An attacker is also allowed to obtain the relation between non-target ciphertexts and a trapdoor. We formally prove that our scheme is secure under the 1-BDHI and BDH assumptions.

∗Corresponding author. Tel.: +82 2 3290 4892; fax: +82 2 928 9109.

2. PRELIMINARIES

We briefly formalize the definition of a dPEKS scheme and define security for dPEKS. We also address the shortcomings of Baek et al.'s security model and review the complexity assumptions used to prove the security of the proposed scheme.

2.1 Definition of dPEKS

We define a dPEKS scheme as follows.

• Global Setup($\lambda$): Takes a security parameter $\lambda$ and generates a global parameter $GP$.
• KeyGen$_{Server}$($GP$): Takes as input $GP$ and outputs the public/secret key pair $(pk_S, sk_S)$ of the server $S$.
• KeyGen$_{Receiver}$($GP$): Takes as input $GP$ and generates the public/secret key pair $(pk_R, sk_R)$ of the receiver $R$.
• dPEKS($GP, pk_R, pk_S, w$): Takes as input $GP$, a receiver's public key $pk_R$, a server's public key $pk_S$, and a keyword $w$. Returns a ciphertext $C$ of $w$.
• Trapdoor($GP, sk_R, w$): Takes as input $GP$, a receiver's secret key $sk_R$ and a keyword $w$. Generates a trapdoor $T_w$.
• dTest($GP, C, sk_S, T_w$): Takes as input $GP$, $C$, a server's secret key $sk_S$, and a trapdoor $T_w$. Outputs "yes" if $w = w'$ and "no" otherwise, where $C = \mathrm{dPEKS}(GP, pk_R, pk_S, w')$.

2.2 Our Security Model

Baek et al.'s security model has the following problems:

(1) Their security model does not capture the following real-life attack. In their security model, only a trapdoor oracle is provided to the adversary. Although only the server (a designated tester) chosen by a sender is able to obtain the relation between a given ciphertext and a trapdoor (an encrypted keyword generated by the email receiver), a malicious receiver can generate the trapdoor corresponding to each keyword of her choice using her own secret key. The malicious receiver can then obtain the relation between ciphertexts and that trapdoor by interacting with the email server in a real environment. Under Baek et al.'s security model, however, only the designated server can perform the test, and the malicious receiver cannot obtain this relation information.

(2) To prove the security of PEKS (dPEKS) under known hardness assumptions, we show that if the security of PEKS (dPEKS) does not hold, then the underlying hard problem can be solved. However, it is hard for an algorithm $\mathcal{A}$, whose task is to solve the underlying hard problem, to provide trapdoors, test results, and challenges to an attacker $\mathcal{B}$ against Baek et al.'s dPEKS scheme without knowing $\mathcal{B}$'s secret key. The attacker $\mathcal{B}$ always has to reveal her secret key to a third party in order to attack Baek et al.'s dPEKS scheme.

To solve these problems, we refine the security model for dPEKS. To capture an attacker who can test some ciphertexts against a given trapdoor, we provide a test oracle dTest($\cdot$).

The security of a dPEKS scheme requires that (1) a malicious server should not be able to distinguish the ciphertexts of two challenge keywords $w_0$ and $w_1$ of its choice, even though it is allowed to obtain trapdoors for any non-challenge keywords, and (2) a malicious outside attacker (including a receiver) should not be able to distinguish the ciphertexts of two challenge keywords of its choice, even though it is allowed to obtain the relation between a ciphertext $C = [A, B]$ and a trapdoor $T_w$, where $A \neq A^*$ and $B \neq B^*$ (the ciphertext query is restricted to ciphertexts $C = [A, B]$ that share no component with the challenge ciphertext $C^* = [A^*, B^*]$) and $T_w$ is a trapdoor for any non-challenge keyword $w \neq w_0, w_1$. Moreover, in our security model the attacker's secret key need not be revealed to a third party.

We refine the security of dPEKS in the sense of semantic security. Let $\mathcal{A}_i$ ($i = 1, 2$) be an adversary whose running time is bounded by $t$, which is polynomial in the security parameter $k$. We consider the following two games.

• Game$_1$: $\mathcal{A}_1$ is assumed to be a server.
  ◦ Setup: $\mathcal{A}_1$ generates its pair of public/secret keys $(pk_S, sk_S)$ and gives $pk_S = pk_{\mathcal{A}_1}$ to $\mathcal{B}$. $\mathcal{B}$ generates the receiver's pair of public/secret keys $(pk_R, sk_R)$ and gives $pk_R$ to $\mathcal{A}_1$. Here, $(pk_S, sk_S)$ and $pk_R$ are known to $\mathcal{A}_1$, while $pk_S$ and $(pk_R, sk_R)$ are known to $\mathcal{B}$.
  ◦ Phase 1 (Trapdoor and Test queries): $\mathcal{A}_1$ can adaptively ask $\mathcal{B}$ for the trapdoor $T_w$ for any keyword $w \in \{0,1\}^*$ of its choice; to obtain $T_w$, $\mathcal{A}_1$ queries the Trapdoor oracle. $\mathcal{A}_1$ can also obtain the test result for a ciphertext $C$ and the given $T_w$.
  ◦ Challenge: $\mathcal{A}_1$ gives $pk_R$, $w_0$, and $w_1$ to $\mathcal{B}$. The restriction is that $\mathcal{A}_1$ did not previously ask for the trapdoors $T_{w_0}$ or $T_{w_1}$. $\mathcal{B}$ chooses a random $b \in \{0,1\}$, computes $C^* \leftarrow \mathrm{dPEKS}(pk_R, pk_S, w_b)$, and sends $C^*$ to $\mathcal{A}_1$.
  ◦ Phase 2 (Trapdoor queries): $\mathcal{A}_1$ can adaptively ask $\mathcal{B}$ for the trapdoor $T_w$ for any keyword $w \in \{0,1\}^*$ of its choice as long as $w \neq w_0, w_1$.
  ◦ Guess: $\mathcal{A}_1$ outputs $b' \in \{0,1\}$ and wins Game$_1$ if $b = b'$. We define $\mathcal{A}_1$'s advantage in breaking the dPEKS scheme as $Adv_{\mathcal{A}_1}(\lambda) = |\Pr[b = b'] - 1/2|$.

• Game$_2$: $\mathcal{A}_2$ is assumed to be an outside attacker (including a malicious receiver). $\mathcal{A}_2$ additionally has access to the dTest oracle in Phase 1 and Phase 2.
  ◦ Setup: $\mathcal{A}_2$ generates its pair of public/secret keys $(pk_R, sk_R)$ and gives $pk_R = pk_{\mathcal{A}_2}$ to $\mathcal{B}$. $\mathcal{B}$ generates the server's pair of public/secret keys $(pk_S, sk_S)$ and gives $pk_S$ to $\mathcal{A}_2$. Here, $(pk_R, sk_R)$ and $pk_S$ are known to $\mathcal{A}_2$, while $pk_R$ and $(pk_S, sk_S)$ are known to $\mathcal{B}$.
  ◦ Phase 1 (dTest queries): $\mathcal{A}_2$ can adaptively ask $\mathcal{B}$ for the test result for any ciphertext $C$ and trapdoor $T_w$ of its choice.
  ◦ Challenge: $\mathcal{A}_2$ gives $pk_R$, $pk_S$, $w_0$ and $w_1$ to $\mathcal{B}$. The restriction is that $\mathcal{A}_2$ did not previously submit the trapdoors $T_{w_0}$ or $T_{w_1}$ to the dTest oracle. $\mathcal{B}$ picks a random $b \in \{0,1\}$, computes a ciphertext $C^* \leftarrow \mathrm{dPEKS}(pk_R, pk_S, w_b)$, and sends $C^*$ to $\mathcal{A}_2$.
  ◦ Phase 2 (dTest queries): This is identical to Phase 1, except that $\mathcal{A}_2$ may only issue test queries $(C, sk_S, T_w)$ in which no component of $C$ coincides with the corresponding component of $C^*$, and $T_w$ is a trapdoor for any keyword $w \in \{0,1\}^*$ of its choice as long as $w \neq w_0, w_1$.
  ◦ Guess: $\mathcal{A}_2$ outputs $b' \in \{0,1\}$ and wins Game$_2$ if $b = b'$. We define $\mathcal{A}_2$'s advantage in breaking the dPEKS scheme as $Adv_{\mathcal{A}_2}(\lambda) = |\Pr[b = b'] - 1/2|$.

Definition 1. We say that a dPEKS scheme is semantically secure against an adaptive chosen keyword attack if for any polynomial-time attackers $\mathcal{A}_i$ ($i = 1, 2$), $Adv_{\mathcal{A}_i}(\lambda)$ is negligible.

2.3 Bilinear Pairings and Complexity Assumptions

Let $G$ and $G_T$ be two (multiplicative) cyclic groups of prime order $p$.

Bilinear Pairings: We follow the notation of [3]. We assume that $g$ is a generator of $G$. Let $e : G \times G \to G_T$ be a function with the following properties:
• Bilinear: for all $u, v \in G$ and $a, b \in \mathbb{Z}$, we have $e(u^a, v^b) = e(u, v)^{ab}$.
• Non-degenerate: $e(g, g) \neq 1$.
We say that $G$ is a bilinear group if the group action in $G$ can be computed efficiently and there exist a group $G_T$ and an efficiently computable bilinear map $e : G \times G \to G_T$ as above. Note that $e(\cdot, \cdot)$ is symmetric, since $e(g^a, g^b) = e(g, g)^{ab} = e(g^b, g^a)$.

Bilinear Diffie-Hellman (BDH) Assumption [3]: The BDH problem in the group $G$ is defined as follows: given $(g, g^a, g^b, g^c) \in G^4$ as input, compute $e(g, g)^{abc} \in G_T$. We say that the BDH problem is intractable if all polynomial-time algorithms have a negligible advantage in solving BDH.

Bilinear Diffie-Hellman Inversion (BDHI) Assumption [2]: The 1-BDHI problem in the group $G$ is defined as follows: given the 2-tuple $(g, g^x) \in G^2$ as input, compute $e(g, g)^{1/x} \in G_T$. We say that the 1-BDHI problem is intractable if all polynomial-time algorithms have a negligible advantage in solving 1-BDHI.

3. A NEW DPEKS SCHEME

We propose a new dPEKS scheme. Our scheme is semantically secure against chosen keyword attack under our new security model. To be able to prove our scheme secure without revealing the server's and the receiver's secret keys in our new security model, we use a more complicated, special public key structure consisting of three components.

Let $G$ and $G_T$ be groups in which the computational Diffie-Hellman (CDH) problem is hard. Suppose that $e : G \times G \to G_T$ is a bilinear map, $g$ is a generator of $G$, and $e(g, g)$ is a generator of $G_T$. Let $H_1 : \{0,1\}^* \to G$ and $H_2 : G_T \to \{0,1\}^\lambda$ be hash functions that are modeled as random oracles.

• Global Setup($\lambda$): Given a security parameter $\lambda$, it returns a global parameter $GP = (G, G_T, e, H_1(\cdot), H_2(\cdot), g, h, u, \tilde{u})$, where $h, u, \tilde{u} \in G$ are random values.
• KeyGen$_{Server}$($GP$): Takes as input $GP$, chooses a random exponent $sk_S$ and computes $pk_S = (pk_{S,1}, pk_{S,2}, pk_{S,3}) = (g^{sk_S}, h^{1/sk_S}, u^{1/sk_S})$. Outputs $(pk_S, sk_S)$ to the server $S$ and publishes $pk_S$.
• KeyGen$_{Receiver}$($GP$): Takes as input $GP$, chooses a random exponent $sk_R$ and computes $pk_R = (pk_{R,1}, pk_{R,2}, pk_{R,3}) = (g^{sk_R}, h^{1/sk_R}, \tilde{u}^{sk_R})$. Outputs $(pk_R, sk_R)$ to the receiver $R$ and publishes $pk_R$.
• dPEKS($GP, pk_R, pk_S, w$): Takes as input $GP$, a receiver's public key $pk_R = (pk_{R,1}, pk_{R,2}, pk_{R,3})$, a server's public key $pk_S = (pk_{S,1}, pk_{S,2}, pk_{S,3})$, and a keyword $w$. This algorithm checks whether $e(pk_{S,1}, pk_{S,2}) = e(g, h)$, $e(pk_{S,1}, pk_{S,3}) = e(g, u)$, $e(pk_{R,1}, pk_{R,2}) = e(g, h)$, and $e(pk_{R,2}, pk_{R,3}) = e(h, \tilde{u})$. If any of these conditions is false, the algorithm stops. Otherwise, it chooses a random value $r \in \mathbb{Z}_p^*$ and computes the ciphertext $C = [\, pk_{R,1}^{\,r},\; H_2(e(pk_{S,1}, H_1(w)^r)) \,]$.
• Trapdoor($GP, sk_R, w$): Takes as input $GP$, a receiver's secret key $sk_R$, and a keyword $w$. Computes and outputs $T_w = H_1(w)^{1/sk_R}$.
• dTest($GP, C, sk_S, T_w$): Takes as input $GP$, $C = [A, B]$, the server's secret key $sk_S$, and a trapdoor $T_w$. This algorithm checks whether $B = H_2(e(A, T_w^{\,sk_S}))$. If the equality holds, it outputs "yes"; otherwise, it outputs "no".

We now prove the security of our scheme under the 1-BDHI and BDH assumptions described above.

Theorem 4. Our scheme is semantically secure against a chosen keyword attack in Game$_1$ in the random oracle model, assuming that 1-BDHI is intractable.

Proof. Suppose that $\mathcal{A}_1$ is a malicious server with advantage $\epsilon$ in breaking the proposed scheme, and that $\mathcal{A}_1$ makes at most $q_T$ trapdoor queries. We build an algorithm $\mathcal{B}$ that has advantage $\epsilon' = \epsilon / (e\, q_T\, q_{H_2})$ in solving the 1-BDHI problem in $G_T$, where $e$ is the base of the natural logarithm. $\mathcal{B}$ is given $g, u_1 = g^\alpha \in G$. Its goal is to compute $e(g, g)^{1/\alpha} \in G_T$. $\mathcal{B}$ chooses random values $\delta, \pi, \pi' \in \mathbb{Z}_p^*$ and sets $h = u_1^{\,\delta} = g^{\alpha\delta}$, $u = g^{\pi}$, and $\tilde{u} = g^{\pi'} \in G$.

Setup: $\mathcal{A}_1$ generates $(pk_S, sk_S)$ such that $e(pk_{S,1}, pk_{S,2}) = e(g, h)$ and $e(pk_{S,1}, pk_{S,3}) = e(g, u)$. Then, if there exists an unknown $sk_S$ such that $pk_{S,1} = g^{sk_S}$, we have $pk_{S,2} = u_1^{\,\delta/sk_S}$ and $pk_{S,3} = g^{\pi/sk_S}$. To simulate $(pk_R, sk_R)$, $\mathcal{B}$ randomly chooses $x' \in \mathbb{Z}_p^*$ and lets $pk_R = (u_1^{\,x'}, g^{\delta/x'}, u_1^{\,\pi' x'})$, where $\delta, \pi'$ are the values selected above. $\mathcal{B}$ gives $pk_R$ to $\mathcal{A}_1$. Note that $pk_R = (g^{sk_R}, h^{1/sk_R}, \tilde{u}^{sk_R}) = (g^{\alpha x'}, h^{1/(\alpha x')}, \tilde{u}^{\alpha x'}) = (u_1^{\,x'}, g^{\delta/x'}, u_1^{\,\pi' x'})$, so the receiver's secret key is implicitly $sk_R = \alpha x'$.

$H_1$, $H_2$-queries: $\mathcal{A}_1$ can query the random oracles $H_1$ and $H_2$. To respond to $H_1$ queries, $\mathcal{B}$ maintains an $H_1$-list of tuples $\langle w_j, h_j, e_j, c_j \rangle$ (initially empty). When $\mathcal{A}_1$ queries $H_1$ at a point $w_i \in \{0,1\}^*$, $\mathcal{B}$ responds as follows:
1. If the query $w_i$ already appears in the $H_1$-list in a tuple $\langle w_i, h_i, e_i, c_i \rangle$, then $\mathcal{B}$ responds with $H_1(w_i) = h_i \in G$. Otherwise, $\mathcal{B}$ generates a random coin $c_i \in \{0,1\}$ such that $\Pr[c_i = 0] = 1/(q_T + 1)$.
2. $\mathcal{B}$ picks a random $e_i \in \mathbb{Z}_p^*$. If $c_i = 0$, $\mathcal{B}$ computes $h_i = g^{e_i} \in G$. If $c_i = 1$, $\mathcal{B}$ computes $h_i = (u_1)^{e_i} = g^{\alpha e_i} \in G$.
3. $\mathcal{B}$ adds the tuple $\langle w_i, h_i, e_i, c_i \rangle$ to the $H_1$-list and responds to $\mathcal{A}_1$ with $H_1(w_i) = h_i$.
Similarly, $\mathcal{A}_1$ can issue queries to $H_2$. If the queried $t \in G_T$ already has a pair $(t, V)$ in the $H_2$-list, $\mathcal{B}$ responds with $H_2(t) = V$. Otherwise, $\mathcal{B}$ picks $V \in \{0,1\}^\lambda$ at random, sets $H_2(t) = V$, and adds $(t, V)$ to the $H_2$-list (initially empty).

Trapdoor queries: When $\mathcal{A}_1$ asks for the trapdoor of $w$, let $\langle w_j, h_j, e_j, c_j \rangle$ be the tuple in the $H_1$-list with $w_j = w$, so that $\mathcal{B}$ knows $h_j \in G$. If $c_j = 0$, then $\mathcal{B}$ reports failure and terminates. Otherwise, because $h_j = (u_1)^{e_j} \in G$, $\mathcal{B}$ computes $T_w = g^{e_j/x'}$, where $e_j$ is the value in the $H_1$-list and $x' \in \mathbb{Z}_p^*$ is the value selected in the Setup phase. Because there exists an unknown secret value $\alpha \in \mathbb{Z}_p^*$ such that $T_w = H_1(w)^{1/sk_R} = (g^{\alpha e_j})^{1/(\alpha x')} = (g^{e_j})^{1/x'}$, $T_w = g^{e_j/x'}$ is the correct trapdoor for $w$ under the public key $pk_R$. $\mathcal{B}$ gives $T_w$ to $\mathcal{A}_1$.

Challenge: $\mathcal{A}_1$ sends $w_0$ and $w_1$ to $\mathcal{B}$. $\mathcal{B}$ obtains $h_0, h_1 \in G$ such that $H_1(w_0) = h_0$ and $H_1(w_1) = h_1$ using the $H_1$ oracle. Let $\langle w_b, h_b, e_b, c_b \rangle$ ($b = 0, 1$) be the corresponding tuples in the $H_1$-list. If both $c_0 = 1$ and $c_1 = 1$, then $\mathcal{B}$ reports failure and terminates. Otherwise, since at least one of $c_0, c_1$ equals $0$, $\mathcal{B}$ picks $b \in \{0,1\}$ such that $c_b = 0$ and responds with the ciphertext $C^* = [A^*, B^*]$ for $w_b$ as follows:
1. $\mathcal{B}$ chooses a random value $k' \in \mathbb{Z}_p^*$ and implicitly defines $r = k'/(sk_S \cdot \alpha) \in \mathbb{Z}_p^*$ for the unknown secret values $sk_S, \alpha \in \mathbb{Z}_p^*$. $\mathcal{B}$ computes $A^* = (pk_{S,3}^{\,1/\pi})^{x' k'}$, where $x', \pi$ are the values selected in the Setup phase. Here,
$$pk_{R,1}^{\,r} = (g^{\alpha x'})^{r} = (g^{\alpha x'})^{k'/(sk_S \cdot \alpha)} = g^{x' k'/sk_S} = (pk_{S,3}^{\,1/\pi})^{x' k'}$$
is satisfied.
2. $\mathcal{B}$ chooses a random $Z \in \{0,1\}^\lambda$ and sets $B^* = Z$.

Trapdoor queries (Phase 2): $\mathcal{A}_1$ can ask trapdoor queries for $w \neq w_0, w_1$. $\mathcal{B}$ responds exactly as in Phase 1.

Output: $\mathcal{A}_1$ outputs $b' \in \{0,1\}$. $\mathcal{B}$ picks a random pair $(t, V)$ from the $H_2$-list and outputs $t^{1/(e_b \cdot k')} = e(g, g)^{1/\alpha}$ as its guess for $e(g, g)^{1/\alpha}$, where $e_b$ and $k'$ are the values used in the Challenge step. This completes the description of $\mathcal{B}$. We omit the detailed probability analysis. □

Theorem 5. Our scheme is semantically secure against a chosen keyword attack in Game$_2$ in the random oracle model, assuming that BDH is intractable.

Proof. Assume that there exists an adversary (a malicious receiver) $\mathcal{A}_2$ with advantage $\epsilon$ in breaking the scheme, and that $\mathcal{A}_2$ makes at most $q_{dT}$ dTest queries ($q_{dT} > 0$). $\mathcal{B}$ is given $g, u_1 = g^\alpha, u_2 = g^\beta$, and $u_3 = g^\gamma \in G$. Its goal is to compute $e(g, g)^{\alpha\beta\gamma} \in G_T$. $\mathcal{B}$ chooses random values $t_1, t_2, t_4 \in \mathbb{Z}_p^*$ and generates $h = (u_1)^{t_1} = g^{\alpha t_1}$, $u = (u_1)^{t_2} = g^{\alpha t_2}$, and $\tilde{u} = (u_3)^{t_4} = g^{\gamma t_4}$.

Setup: $\mathcal{A}_2$ generates $(pk_R, sk_R)$ such that $e(pk_{R,1}, pk_{R,2}) = e(g, h)$ and $e(pk_{R,2}, pk_{R,3}) = e(h, \tilde{u})$. If there exists an unknown secret key $sk_R$ such that $pk_{R,1} = g^{sk_R}$, then $pk_{R,2} = h^{1/sk_R} = g^{\alpha t_1/sk_R}$ and $pk_{R,3} = \tilde{u}^{sk_R} = g^{\gamma t_4 sk_R}$ are satisfied. To simulate $(pk_S, sk_S)$, $\mathcal{B}$ randomly chooses $t_3 \in \mathbb{Z}_p^*$ and lets $pk_S = (pk_{S,1}, pk_{S,2}, pk_{S,3}) = (u_1^{\,t_3}, g^{t_1/t_3}, g^{t_2/t_3})$, where $t_1, t_2 \in \mathbb{Z}_p^*$ are the values selected above (so the server's secret key is implicitly $sk_S = \alpha t_3$). $\mathcal{B}$ gives $pk_S$ to $\mathcal{A}_2$.

$H_1$ and $H_2$-queries: These are handled as in the proof of Theorem 4, except for the following: $\mathcal{B}$ picks a random $e_i \in \mathbb{Z}_p^*$. If $c_i = 0$, $\mathcal{B}$ computes $h_i = u_2^{\,e_i} \in G$. If $c_i = 1$, $\mathcal{B}$ computes $h_i = g^{e_i} \in G$.

dTest queries: When $\mathcal{A}_2$ submits $T_w$ and $C = [A, B]$ to obtain the test result, $\mathcal{B}$ replies as follows. Let $\langle w_j, h_j, e_j, c_j \rangle$ be the tuple in the $H_1$-list with $w = w_j$. If $c_j = 0$, then $T_w = H_1(w)^{1/sk_R} = g^{\beta e_j/sk_R}$, and $\mathcal{B}$ reports failure and terminates. Otherwise, since $T_w = H_1(w)^{1/sk_R} = g^{e_j/sk_R}$, $h_j = g^{e_j}$ and $sk_S = \alpha t_3$ hold ($\alpha$ is unknown), $\mathcal{B}$ checks whether
$$H_2(e(A, T_w^{\,sk_S})) = H_2(e(A, H_1(w)^{sk_S/sk_R})) = H_2(e(A, g^{e_j \alpha t_3/sk_R})) = H_2\big(e(A, pk_{R,2})^{e_j t_3/t_1}\big) = B,$$
where $t_1, t_3$ are the values generated in the Setup phase and $e_j$ is taken from the $H_1$-list. If the equality holds, $\mathcal{B}$ gives "yes" to $\mathcal{A}_2$; otherwise, $\mathcal{B}$ gives "no" to $\mathcal{A}_2$.

Challenge: $\mathcal{A}_2$ gives $w_0$ and $w_1$ to $\mathcal{B}$. $\mathcal{B}$ generates $C^* = [A^*, B^*]$ in the same manner as in the proof of Theorem 4. Since $pk_{R,3} = \tilde{u}^{sk_R} = g^{\gamma t_4 sk_R}$, $\mathcal{B}$ randomly picks $b \in \{0,1\}$ and sets $A^* = pk_{R,1}^{\,\gamma} = pk_{R,3}^{\,1/t_4}$, then chooses a random $Z \in \{0,1\}^\lambda$ and sets $B^* = Z$. Note that $T_{w_b} = (g^{\beta e_b})^{1/sk_R}$ and
$$B^* = H_2(e(pk_{R,1}^{\,\gamma}, T_{w_b}^{\,sk_S})) = H_2(e(g^{\gamma sk_R}, g^{\beta e_b sk_S/sk_R})) = H_2(e(g, g)^{\alpha\beta\gamma e_b t_3}).$$

dTest queries (Phase 2): This is identical to Phase 1, except that $\mathcal{A}_2$ may not query the test oracle with a ciphertext $C = [A, B]$ such that $A = A^*$ or $B = B^*$, nor with $T_w$ for $w = w_0, w_1$.

Output: $\mathcal{A}_2$ outputs $b' \in \{0,1\}$. $\mathcal{B}$ picks $(t, V)$ from the $H_2$-list and outputs $t^{1/(e_b \cdot t_3)}$ as its guess for $e(g, g)^{\alpha\beta\gamma}$, where $e_b$ is the value used in the Challenge phase. This completes the description of algorithm $\mathcal{B}$. We omit the detailed probability analysis due to the page limitation. □
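The following Python is an added worked check of the Section 3 scheme (not code from the paper): it models the bilinear group by exponents, so $e(g^a, g^b)$ becomes $ab \bmod q$, which is insecure but lets one verify on concrete keys the four pairing checks that dPEKS performs on $pk_S$ and $pk_R$ and the dTest equality $B = H_2(e(A, T_w^{\,sk_S}))$. The group order $q$ and the SHA-256 stand-ins for the random oracles $H_1$, $H_2$ are assumptions.

```python
"""Toy model of the Section 3 dPEKS scheme (added example, not the paper's code).
Group elements are represented by their discrete logs modulo a prime q, so the
pairing e(g^a, g^b) = e(g,g)^{ab} becomes a*b mod q.  This leaks every exponent
and is NOT a secure instantiation; it only checks the scheme's equations."""
import hashlib
import secrets

Q = (1 << 127) - 1  # constructed toy group order (a prime); an assumption, not from the paper

def inv(x):
    return pow(x, -1, Q)

def e(a, b):  # bilinear map on exponents: e(g^a, g^b) -> e(g,g)^{ab}
    return a * b % Q

def H1(w):  # random-oracle stand-in for H1: {0,1}* -> G (as an exponent)
    return int.from_bytes(hashlib.sha256(b"H1|" + w.encode()).digest(), "big") % Q

def H2(t):  # random-oracle stand-in for H2: G_T -> {0,1}^lambda
    return hashlib.sha256(b"H2|" + t.to_bytes(16, "big")).digest()

def rand_exp():
    return secrets.randbelow(Q - 1) + 1  # uniform in Z_q^*

def global_setup():  # GP = (g, h, u, u~) with g = g^1 and random h, u, u~
    return {"g": 1, "h": rand_exp(), "u": rand_exp(), "u_t": rand_exp()}

def keygen_server(GP):  # pk_S = (g^{sk_S}, h^{1/sk_S}, u^{1/sk_S})
    sks = rand_exp()
    return (GP["g"] * sks % Q, GP["h"] * inv(sks) % Q, GP["u"] * inv(sks) % Q), sks

def keygen_receiver(GP):  # pk_R = (g^{sk_R}, h^{1/sk_R}, u~^{sk_R})
    skr = rand_exp()
    return (GP["g"] * skr % Q, GP["h"] * inv(skr) % Q, GP["u_t"] * skr % Q), skr

def keys_consistent(GP, pkr, pks):  # the four pairing checks performed by dPEKS
    g, h, u, u_t = GP["g"], GP["h"], GP["u"], GP["u_t"]
    return (e(pks[0], pks[1]) == e(g, h) and e(pks[0], pks[2]) == e(g, u)
            and e(pkr[0], pkr[1]) == e(g, h) and e(pkr[1], pkr[2]) == e(h, u_t))

def dpeks(GP, pkr, pks, w):  # C = [pk_{R,1}^r, H2(e(pk_{S,1}, H1(w)^r))]
    if not keys_consistent(GP, pkr, pks):
        return None  # the algorithm stops on a malformed public key
    r = rand_exp()
    return (pkr[0] * r % Q, H2(e(pks[0], H1(w) * r % Q)))

def trapdoor(GP, skr, w):  # T_w = H1(w)^{1/sk_R}
    return H1(w) * inv(skr) % Q

def dtest(GP, C, sks, Tw):  # "yes" iff B == H2(e(A, T_w^{sk_S}))
    A, B = C
    return B == H2(e(A, Tw * sks % Q))

def demo():
    """Returns (hit, miss, rejected): the matching keyword tests True, a different
    keyword tests False, and a tampered server key is refused by dPEKS."""
    GP = global_setup()
    pks, sks = keygen_server(GP)
    pkr, skr = keygen_receiver(GP)
    C = dpeks(GP, pkr, pks, "urgent")
    hit = dtest(GP, C, sks, trapdoor(GP, skr, "urgent"))
    miss = dtest(GP, C, sks, trapdoor(GP, skr, "spam"))
    bad_pks = (pks[0], (pks[1] + 1) % Q, pks[2])  # breaks e(pk_{S,1}, pk_{S,2}) = e(g, h)
    return hit, miss, dpeks(GP, pkr, bad_pks, "urgent")
```

Because every exponent is in the clear here, the model says nothing about the designated-tester property or the hardness assumptions; it only confirms the algebra of the scheme.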

4. CONCLUSION

In this paper, we refined the semantic security of dPEKS schemes and constructed a new dPEKS scheme that is secure in our security model. Our security model is stronger than Baek et al.'s model. We leave as future work how to support diverse queries (conjunctive queries, subset queries, etc.) in a dPEKS scheme.

5. REFERENCES

[1] M. Abdalla, M. Bellare, D. Catalano, E. Kiltz, T. Kohno, T. Lange, J. Malone-Lee, G. Neven, P. Paillier, and H. Shi, "Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions", in Proceedings of CRYPTO'05, LNCS Vol. 3621, pp. 205-222 (2005).
[2] D. Boneh and X. Boyen, "Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles", in Proceedings of EUROCRYPT 2004, LNCS Vol. 3027 (2004).
[3] D. Boneh, G. D. Crescenzo, R. Ostrovsky and G. Persiano, "Public Key Encryption with Keyword Search", in Proceedings of EUROCRYPT'04, LNCS Vol. 3027, pp. 506-522 (2004).
[4] J. Baek, R. Safavi-Naini and W. Susilo, "Public Key Encryption with Keyword Search Revisited", in Proceedings of ACIS'06 (2006).
[5] D. Park, K. Kim and P. Lee, "Public Key Encryption with Conjunctive Field Keyword Search", in 5th International Workshop WISA'04, LNCS Vol. 3325, pp. 73-86 (2004).