2012, Security and Communication Networks
These days, users tend to access online content, such as e-mails, via mobile devices. Because these devices have constrained resources, users may wish to instruct e-mail gateways to search through new e-mails and only download those corresponding to particular keywords, such as "urgent." Yet, this searching should not compromise the user's privacy. A public key encryption with keyword search (PEKS) scheme achieves both these requirements. Most PEKS schemes are constructed on the basis of bilinear pairings. Recently, Khader proposed the first PEKS scheme that does not require bilinear pairings and is provably indistinguishable chosen-keyword attack (IND-CKA) secure in the standard model. Such a scheme is more efficient than pairing-based ones. In this paper, we show a drawback of Khader's scheme in that it depends on an unnecessary security assumption: its IND-CKA security requires its underlying identity-based encryption building block to be indistinguishable chosen-ciphertext attack secure. We construct a more efficient PEKS scheme that achieves the same level of PEKS security as Khader's but that only requires the underlying identity-based encryption to be indistinguishable chosen-plaintext attack secure. We give a direct proof that the proposed scheme is IND-CKA secure. Our scheme outperforms other recent PEKS schemes in the literature.
Journal of Hardware and Systems Security
Over the last decade, public-key encryption with keyword search (PEKS) has been studied as a popular technique for searching data over encrypted files. The notion finds useful application for fine-grained data search on outsourced encrypted data like iCloud, mobile cloud data, etc. In this paper, we present a concrete public-key encryption (PKE)+PEKS scheme and prove its security in the standard model. We prove that our scheme is both IND-PKE-CCA secure, that is, provides message confidentiality against an adaptive chosen-ciphertext adversary, and IND-PEKS-CCA secure, that is, provides keyword privacy against an adaptive chosen-ciphertext adversary, under the Symmetric eXternal Diffie-Hellman (SXDH) assumption. Our construction uses asymmetric pairings which enable a fast implementation useful for practical applications. Our scheme has much shorter ciphertexts than other known PKE+PEKS schemes. In particular, we compare our scheme with other proposed PEKS and integrated PKE+PEKS schemes and provide a relative analysis of various parameters including assumption, security, and efficiency.
Proceedings of the 11th International Conference on Security of Information and Networks, 2018
Public Key Encryption with Keyword Search (PEKS) enables users to search encrypted messages by a specific keyword without compromising the original data security. Traditional PEKS schemes allow users to search one keyword only instead of multiple keywords. Therefore, these schemes may not be applied in practice. Besides, some PEKS schemes are vulnerable to Keyword Guessing Attack (KGA). This paper formally defines a concept of Trapdoor-indistinguishable Secure Channel Free Public Key Encryption with Multi-Keywords Search (tSCF-MPEKS) and then presents a concrete construction of tSCF-MPEKS. The proposed scheme solves the multiple keywords search problem and satisfies the properties of Ciphertext Indistinguishability and Trapdoor Indistinguishability. Its security is semantic security in the random oracle models under Bilinear Diffie-Hellman (BDH) and 1-Bilinear Diffie-Hellman Inversion (1-BDHI) assumptions so that it is able to resist KGA.
Lecture Notes in Computer Science, 2008
The public key encryption with keyword search (PEKS) scheme recently proposed by Boneh, Di Crescenzo, Ostrovsky, and Persiano enables one to search encrypted keywords without compromising the security of the original data. In this paper, we address three important issues of a PEKS scheme, "refreshing keywords", "removing secure channel", and "processing multiple keywords", which have not been considered in Boneh et al.'s paper. We argue that care must be taken when keywords are used frequently in the PEKS scheme as this situation might contradict the security of PEKS. We then point out the inefficiency of the original PEKS scheme due to the use of the secure channel. We resolve this problem by constructing an efficient PEKS scheme that removes the secure channel. Finally, we propose a PEKS scheme that encrypts multiple keywords efficiently.
Computer Security – ESORICS 2012, 2012
We introduce the concept of identity-based encryption (IBE) with master key-dependent chosen-plaintext (mKDM-sID-CPA) security. These are IBE schemes that remain secure even after the adversary sees encryptions, under some initially selected identities, of functions of the master secret key(s). We then propose a generic construction of chosen-ciphertext secure key-dependent encryption (KDM-CCA) schemes in the public key setting starting from mKDM-sID-CPA secure IBE schemes. This is reminiscent of the celebrated work by Canetti, Halevi and Katz (Eurocrypt 2004) on the traditional key-oblivious setting. Previously only one generic construction of KDM-CCA secure public key schemes was known, due to Camenisch, Chandran and Shoup (Eurocrypt 2009), and it required non-interactive zero knowledge proofs (NIZKs). Our transformation shows that NIZKs are not intrinsic to KDM-CCA public key encryption. Additionally, we are able to instantiate our new concept under the Rank assumption on pairing groups and for affine functions of the secret keys. The scheme builds on previous work by Boneh, Halevi, Hamburg and Ostrovsky (Crypto 2008). Our concrete schemes are only able to provide security against a bounded number of encryption queries, which is enough in some practical scenarios. As a corollary we obtain a KDM-CCA secure public key encryption scheme, in the standard model, whose security reduction to a static assumption is independent of the number of challenge queries. As an independent contribution, we give new and better reductions between the Rank problem (previously named as Matrix DDH problem) and the Decisional Linear and the Decisional 3-Party Diffie-Hellman problems.
1 Introduction
Until recently public key encryption (PKE) schemes were only required to provide confidentiality against adversaries that see encryptions of plaintexts that depend solely on public information.
That is, it was assumed (and even advocated) that an encryption scheme would never be used to encrypt its own decryption key. This requirement is certainly reasonable for many applications, but it has been challenged both by practical and foundational reasons [1, 14]. The paradigmatic case is the scenario of circular encryptions, where for $n \geq 2$ public/secret key pairs $(pk_1, sk_1), \ldots, (pk_n, sk_n)$, the adversary is given the ciphertexts $\mathrm{Enc}_{pk_1}(sk_2), \mathrm{Enc}_{pk_2}(sk_3), \ldots, \mathrm{Enc}_{pk_n}(sk_1)$, and still semantic security shall hold. Thus a dedicated stronger security notion called key-dependent message security has emerged in the last few years [5]. Roughly speaking, it is required that semantic security holds even if the adversary sees encryptions of plaintexts that depend on the decryption keys. For the motivation, applications and history of key-dependent message security we refer to the excellent survey by Teranishi, Malkin and Yung [23]. The first breakthrough was due to Boneh, Halevi, Hamburg and Ostrovsky (BHHO) [9], who proposed a public key encryption scheme with indistinguishability against key-dependent chosen-plaintext attacks (KDM-CPA) in the standard model under the Decisional Diffie-Hellman assumption for affine functions of the secret key. Shortly after, Applebaum, Cash, Peikert, and Sahai [3] proposed an efficient KDM-CPA secure scheme for affine functions under the Learning Parity with Noise assumption. Brakerski and Goldwasser [11] extended the BHHO scheme to a suite of KDM-CPA schemes secure under subgroup indistinguishability assumptions. Camenisch, Chandran and Shoup [13] proposed a generic construction of chosen-ciphertext secure key-dependent encryption (KDM-CCA) schemes in the public key setting, that requires in particular a KDM-CPA secure scheme and specialized non-interactive zero knowledge proofs (NIZKs).
By applying their transformation to (a variation of) the BHHO scheme, they obtained a KDM-CCA secure scheme under the Decision Linear assumption on pairing groups. This was the only generic construction of KDM-CCA secure public key encryption schemes in the standard model before our work. Concurrently to our work, Hofheinz [20]
Information Sciences, 2013
… encryption with keyword search; Keyword guessing attack; Without random oracle
… against chosen keyword attack, chosen ciphertext attack, and keyword guessing attack. In particular, we present two important security notions namely IND-SCF-CKCA and IND-KGA. The former is to capture an inside adversary, while the latter is to capture an outside adversary. Intuitively, it should be clear that IND-SCF-CKCA captures a more stringent attack compared to IND-KGA. Second, we present a secure channel free PEKS scheme secure without random oracle under the well known assumptions, namely DLP, DBDH, SXDH and truncated q-ABDHE assumption. Our contributions fill the gap in the literature and hence, making the notion of PEKS very practical. We shall highlight that our scheme is IND-SCF-CKCA secure.
Please cite this article in press as: L. Fang et al., Public key encryption with keyword search secure against keyword guessing attacks without random oracle, Inform. Sci. (2013), http://dx.
International Journal of Information Security, 2019
Public-key encryption with keyword search (PEKS) schemes enable public key holders to encrypt documents, while the secret key holder is able to generate queries for the encrypted data. In this paper, we present two PEKS schemes with extended functionalities. The first proposed scheme supports conjunctive queries. That is, it enables searching for encrypted documents containing a chosen list of keywords. We prove the computational consistency of our scheme, and we prove security under the asymmetric DBDH assumption. We show that it improves previous related schemes in terms of efficiency and in terms of index and trapdoor size. The second proposed scheme supports subset queries and some more general predicates. We prove the computational consistency of our scheme, and we prove our scheme secure under the p-BDHI assumption. We show that it improves previous related schemes in terms of efficiency and expressiveness. Moreover, unlike previous related schemes, it admits an arbitrary keyword space.
Siam Journal on Computing, 2007
We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes secure against adaptive chosen-ciphertext attacks) based on any identity-based encryption (IBE) scheme. Our constructions have ramifications of both theoretical and practical interest. First, our schemes give a new paradigm for achieving CCA-security; this paradigm avoids "proofs of well-formedness" that have been shown to underlie previous constructions. Second, instantiating our construction using known IBE constructions we obtain CCA-secure encryption schemes whose performance is competitive with the most efficient CCA-secure schemes to date.
2011
We propose a security enhanced version of Boneh's "Public Key Encryption with Keyword Search" system. The server in the new system is equipped with a key pair for performing the search operations. This new system eliminates completely the "secure channel" assumption for the keyword trapdoor. We reexamine the security definition by Baek, point out the weakness of it, and strengthen it such that it is secure against chosen test ciphertext-keyword trapdoor attacks. We discuss the problems met by Baek's scheme and propose a modified system with full security proofs according to the enhanced security definition in the random oracle model.
The strongest security definition for public key encryption (PKE) schemes is indistinguishability against adaptive chosen ciphertext attacks (IND-CCA). A practical IND-CCA secure PKE scheme in the standard model is well-known to be difficult to construct given the fact that there are only a few such PKE schemes available. From another perspective, we observe that for a large class of PKE-based applications, although IND-CCA security is sufficient, it is not a necessary requirement. Examples are Key Encapsulation Mechanism (KEM), MT-authenticator, providing pseudorandomness with a-priori information, and so on. This observation leads us to propose a slightly weaker version of IND-CCA, which requires that ciphertexts of two randomly selected messages be indistinguishable under chosen ciphertext attacks. Under this new security notion, we show that highly efficient schemes proven secure in the standard model can be built in a straightforward way. We also demonstrate that such a security definition is already sufficient for the applications above.
Theoretical Computer Science, 2009
We describe a new and practical identity-based key encapsulation mechanism that is secure in the standard model against chosen-ciphertext (CCA2) attacks. Since our construction is direct and not based on hierarchical identity-based encryption, it is more efficient than all previously proposed schemes. Furthermore, we give the first chosen-ciphertext secure identity-based key encapsulation mechanism with threshold key delegation and decryption in the standard model.
1 Introduction
Identity-Based Encryption and Key Encapsulation. An Identity-Based Encryption (IBE) scheme is a public-key encryption scheme where any string is a valid public key. In particular, email addresses and dates can be public keys. The ability to use identities as public keys avoids the need to distribute public key certificates. Instead of providing the full functionality of an IBE scheme, in many applications it is sufficient to let sender and receiver agree on a common random session key. This can be accomplished with an identity-based key encapsulation mechanism (IB-KEM) as formalized in [7]. Any IB-KEM can be updated to a full IBE scheme by adding a symmetric encryption scheme with appropriate security properties. After Shamir proposed the concept of IBE in 1984 [39] it remained an open problem for almost two decades to come up with a satisfying construction for it. In 2001, Boneh and Franklin [11] proposed formal security notions for IBE systems and designed a fully functional secure IBE scheme using bilinear maps. This scheme and the tools developed in its design have been successfully applied in numerous cryptographic settings, transcending by far the identity based cryptography framework. IBE is currently in the process of getting standardized: from February 2006 on, the new IEEE P1363.3 standard for "Identity-Based Cryptographic Techniques using Pairings" [29] accepts submissions. An alternative but less efficient IBE construction was proposed by Cocks [19] based on quadratic residues.
Both IBE schemes (through the Fujisaki-Okamoto [24] transformation) provide security against chosen-ciphertext attacks. In a chosen ciphertext attack, the adversary is given access to a decryption oracle that allows him to obtain the decryptions of ciphertexts of his choosing. Intuitively, security in this setting means that an adversary obtains (effectively) no information about encrypted messages, provided the corresponding ciphertexts are never submitted to the decryption oracle. For different reasons, the notion of chosen-ciphertext security has emerged as the "right" notion of security for encryption schemes. We stress that, in general, chosen-ciphertext security is a much stronger security requirement than chosen-plaintext attacks [4], where in the latter an attacker is not given access to the decryption oracle. The drawback of the IBE scheme from Boneh-Franklin and Cocks is that security can only be guaranteed in the random oracle model [5], i.e. in an idealized world where all parties magically get black-box access to a truly random function. Unfortunately a proof in the random oracle model can only serve as a heuristic argument and has proved to possibly lead to insecure schemes when the random oracles are implemented in the standard model (see, e.g., [15]).
Waters' IBE. To fill this gap Waters [45] presents the first efficient Identity-Based Encryption scheme that is chosen-plaintext secure without random oracles. The proof of his scheme makes use of an algebraic method first used by Boneh and Boyen [8] and security of the scheme is based on the Bilinear Decisional Diffie-Hellman (BDDH) assumption. However, Waters' plain IBE scheme only guarantees chosen-plaintext security.
From 2-level Hierarchical IBE to chosen-ciphertext secure IBE. Hierarchical identity-based encryption (HIBE) [28, 26] is a generalization of IBE allowing for hierarchical delegation of decryption keys.
Recent results from Canetti, Halevi, and Katz [16], further improved upon by Boneh and Katz [13] show a generic and practical transformation from any chosen-plaintext secure 2-level HIBE scheme to a chosen-ciphertext secure IBE scheme. Since Waters' IBE scheme can naturally be extended to a 2-level HIBE this implies the first chosen-ciphertext secure IBE in the standard model. Key size, as well as the security reduction of the resulting scheme are comparable to the ones from Waters' IBE. However, the transformation involves some symmetric overhead to the ciphertext in form of a one-time signature or a MAC with their respective keys.
IACR Cryptol. ePrint Arch., 2017
Lecture Notes in Computer Science, 2009
IEEE Transactions on Information Forensics and Security
J. Netw. Intell., 2018
Lecture Notes in Computer Science, 2009
Security and Communication Networks, 2014
Advances in Cryptology- …, 2004
Journal of Communications Software and Systems, 2018
International Journal of Information and Education Technology, 2013
International Journal of Scientific Research in Science, Engineering and Technology, 2022
Proceedings of the 17th ACM conference on Computer and communications security - CCS '10, 2010
Proceedings of the International Conference on Security and Cryptography
Public-Key Cryptography – PKC 2018, 2018
JES. Journal of Engineering Sciences, 2011
Journal of Information Security and Applications, 2018
Lecture Notes in Computer Science, 2005
Lecture Notes in Computer Science, 2010