Searchable encryption with randomized ciphertext and randomized keyword search

3.3.1 Chosen keyword to ciphertext (CKC) attacks

In a CKC attack, the adversary has the ability to obtain a ciphertext for any keyword W of its choice under a receiver’s public key pk ¯ R specified by the adversary. That is, the adversary will obtain the ciphertext C W = Encrypt ( W , sk S , pk ¯ R ) . Formally, CKC attacks are modelled by giving the adversary A access to a ciphertext oracle Encrypt sk S ( ⋅ , ⋅ ) , viewed as a “black box”; the adversary can repeatedly submit any keyword W and a (data receiver’s) public key pk ¯ R of its choice to this oracle, and is given in return a ciphertext C W = Encrypt ( W , sk S , pk ¯ R ) .

3.3.2 Chosen keyword to trapdoor (CKT) attacks

In a CKT attack, the adversary has the ability to obtain a trapdoor of any keyword W of its choice under a sender’s public key pk ¯ S specified by the adversary. That is, the adversary will obtain the trapdoor T W = Trapdoor ( W , pk ¯ S , sk R ) . Similar to the previous case, CKT attacks are modelled by giving the adversary A access to a trapdoor oracle Trapdoor sk R ( ⋅ , ⋅ ) , viewed as a “black box”; the adversary can repeatedly submit any keyword W and a (data sender’s) public key pk ¯ S of its choice to this oracle and is given in return a trapdoor T W = Trapdoor ( W , pk ¯ S , sk R ) .

Clearly, the adversary’s access to the aforementioned oracles has to be restricted in some trivial instances. Let W 0 * and W 1 * be the challenge keywords, then, in the CI-security model, the adversary cannot request the trapdoors of the challenge keywords for the target public keys, lest the challenge become trivial. In many PAEKS schemes, such as [13], there are other limitations on the ciphertext oracle. For example, the adversary is not allowed to request the ciphertext corresponding to either W 0 * or W 1 * . Qin et al. [15], in their study, considered full CKC attacks, where this limitation is removed.

Similarly, for TI-security, the adversary cannot request the ciphertexts of the challenge keywords. In addition, in this case, many PAEKS schemes (see [13,15]) impose other limitations such as the adversary is not allowed to request trapdoors corresponding to either W 0 * or W 1 * . In this article, we consider full CKT attacks, where this limitation is removed.

In the following, we present the formal definitions of the security notions we will use. Note that in a multiuser setting, the adversary can also choose a public key to give as extra input to the oracles, while in the single-user setting, this public key is fixed.

3.3.3 (MU) full TI-security model

We describe the full TI-security game for an adversary A in the multi-user setting.

1. Initialization: Given a security parameter λ , the challenger runs the setup algorithm to generate the global system parameter Param . Then, it runs KeyGen S ( Param ) and KeyGen R ( Param ) to generate the target sender’s key pair ( pk S , sk S ) and the target receiver’s key pair ( pk R , sk R ), respectively. The challenger invokes the adversary A on input ( Param , pk S , pk R ) .

2. Phase 1: The adversary is allowed to adaptively issue queries to the following oracles for polynomially many times.

   • – Trapdoor oracle O T : Given a keyword W and a public key pk ¯ S , the oracle computes the corresponding trapdoor T W with respect to pk ¯ S and sk R , and returns T W to A .

   • – Ciphertext oracle O C : Given a keyword W and a public key pk ¯ R , the oracle computes the corresponding ciphertext C W with respect to sk S and pk ¯ R , and returns C W to A .

3. Challenge: At some point, A chooses two keywords ( W 0 * , W 1 * ) with the restriction that ( W 0 * , pk R ) and ( W 1 * , pk R ) have never been queried to O C in Phase 1. These keywords are submitted to the challenger as the challenge keywords. The challenger randomly chooses a bit β ∈ { 0 , 1 } , computes T W β * ← Trapdoor ( W β * , pk S , sk R ) , and returns T W β * to A .

4. Phase 2: The adversary continues to issue queries to O T and O C as above, with the restriction that neither ( W 0 * , pk R ) nor ( W 1 * , pk R ) could be submitted to the ciphertext oracle.

5. Guess: Finally, A outputs a bit β ′ ∈ { 0 , 1 } . It wins the game if and only if β ′ = β .

3.3.4 Standard CI-security model

We describe the standard CI-security game for an adversary A , in the single-user scenario.

1. Initialization: Given a security parameter λ , the challenger generates Param and prepares pk S and pk R as in the previous Game. It then invokes the adversary A on input ( Param , pk S , pk R ) .

2. Phase 1: The adversary issues queries to oracles O T and O C as before, but in the single-user setting (no public key is given in input to the oracles since it is implicitly set to pk S and pk R , respectively).

3. Challenge: At some point, A chooses two keywords ( W 0 * , W 1 * ) , which have not been requested for trapdoors nor ciphertexts, and submits them to the challenger as the challenge keywords. The challenger randomly chooses a bit β ∈ { 0 , 1 } , computes C W β * ← Encrypt ( W β * , sk S , pk R ) , and returns C W β * to A .

4. Phase 2: The adversary continues to issue queries to O T and O C as above, with the restriction that neither W 0 * nor W 1 * could be submitted to either oracle.

5. Guess: Finally, A outputs a bit β ′ ∈ { 0 , 1 } . It wins the game if and only if β ′ = β .

5.1.1 Initialization

ℬ controls the random oracles that define the hash functions H and H 2 and sets the system parameters to Param = ( G , G T , e , p , g , H , H 2 ) . Then, it selects two random values a , b ∈ Z p and sets pk R = g a , pk S = g b , so sk R = a and sk S = b , therefore h = g a b . Moreover, it selects another random value u ∈ Z p and sets t = g u . This implies that H 2 ( g a b ) = u . The last secret s is implicitly set to be equal to x , so that H 2 ( g u ) = x . To simplify the notation, we set v = a b . Then, ℬ calls A on input ( Param , pk S , and pk R ).

5.1.2 Phase 1

In this phase, four oracles are involved. The oracle for H 2 only requires an element in G as input. The oracle for H requires in input a tuple in G × G × { 0 , 1 } * . The oracles for encryption and trapdoor require in input a pair in G × { 0 , 1 } * . The number of queries for the different oracles is limited, specifically to at most q H 2 , q H , q T , and q C queries for the oracles O H 2 , O H , O T , and O C , respectively. To simplify the description of the game, we assume that the adversary would not issue a pair ( g i , W i ) to O T with g i ≠ g a (or O C with g i ≠ g b ) before issuing the following queries: ( g i , pk R , W i ) (or ( pk S , g i , W i ) ) to O H ; g i a (or g i b ) to O H 2 ; and g α to O H 2 , where α is the output of the previous query. To the hash oracles, we associate two lists L H 2 and L H (initially empty) collecting the outputs of the hashes. The mentioned oracles operate as follows:

• Hash Oracle O H 2 . Given an element g i ∈ G , if there is an element in L H 2 of the form ⟨ g i , n i ⟩ , ℬ returns n i . If g i = g u , then ℬ aborts and outputs a random bit β ′ as its guess of β . If g i = g a b , then ℬ sets n i = u . Otherwise, it selects a random n i ∈ Z p . The pair ⟨ g i , n i ⟩ is added to the list L H 2 . ℬ returns H 2 ( g i ) = n i as the hash value of g i to A .

• Hash Oracle O H . Given a tuple ( pk ¯ S , pk ¯ R , W i ) , then ℬ returns h i if there is a tuple in L H of the form ⟨ ( pk ¯ S , pk ¯ R , W i ) , h i , a i , c i ⟩ . Otherwise, ℬ selects a random a i ∈ Z p and a biased c i ∈ { 0 , 1 } such that Pr [ c i = 0 ] = δ . Then, ℬ sets h i = g z ⋅ g a i if c i = 0 , and h i = g a i otherwise. The tuple ⟨ ( pk ¯ S , pk ¯ R , W i ) , h i , a i , c i ⟩ is added to the list L H . Finally, ℬ returns to A H ( pk ¯ S ‖ pk ¯ R ‖ W i ) = h i as the hash value of W i .

• Trapdoor oracle O T . Given a pair ( pk ¯ S , W i ) , ℬ selects a random ρ i ∈ Z p and retrieves from L H the tuple ⟨ ( pk ¯ S , pk R , W i ) , h i , a i , c i ⟩ . If pk ¯ S = g a , then ℬ computes the trapdoor T i as follows:

  • – If c i = 1 , then ℬ sets T i = [ e ( g u ( g x ) a i , g v ρ i ) , g ρ i , g v ρ i ] .

  • – If c i = 0 , then ℬ sets T i = [ e ( g u ( g x ) a i , g v ρ i ) ⋅ e ( g z , ( g x ) v ρ i ) , g ρ i , g v ρ i ] .

  Note that T i is a well-distributed trapdoor: in fact, in the first case, we have H ( pk S ‖ pk R ‖ W i ) = g a i , and in the second case, H ( pk S ‖ pk R ‖ W i ) = g a i ⋅ g z .

• Otherwise, if pk ¯ S ≠ pk S , then ℬ sets h ¯ = ( pk ¯ S ) b and retrieves ⟨ h ¯ , n i ⟩ from L H 2 . It sets t ¯ = g n i , then it retrieves ⟨ t ¯ , s ¯ ⟩ from L H 2 . Then, it returns the trapdoor T i = [ e ( t ¯ ⋅ h i s ¯ , h ¯ ρ ) , g ρ , h ¯ ρ ] .

• Ciphertext oracle O C . Given a pair ( pk ¯ R , W i ) , ℬ retrieves from L H the tuple ⟨ ( pk S , pk ¯ R , W i ) , h i , a i , c i ⟩ and selects a random r i ∈ Z p . We distinguish two cases:

  • – If pk ¯ R ≠ pk R , ℬ sets h ¯ = ( pk ¯ R ) a and retrieves ⟨ h ¯ , n i ⟩ from L H 2 . Then, it sets t ¯ = g n i and retrieves ⟨ t ¯ , s ¯ ⟩ from L H 2 . Finally, ℬ returns the ciphertext C i = [ C i , 1 , C i , 2 ] = [ t ¯ ⋅ h i s ¯ ⋅ g r i , h ¯ r i ] .

  • – If pk ¯ R = g b , then ℬ checks the value of c i retrieved from L H . If c i = 0 , then it aborts and outputs a random bit β ′ as its guess of β . Otherwise, it returns the ciphertext C i = [ C i , 1 , C i , 2 ] = [ g u + r i ( g x ) a i , g v r i ] . Note that C i is a well-distributed ciphertext.

5.1.3 Challenge

The adversary A submits two keywords W 0 * and W 1 * , and we assume that ( pk S , pk R , W 0 * ) and ( pk S , pk R , W 1 * ) have been queried to O H , but ( pk R , W 0 * ) and ( pk R , W 1 * ) have not been queried to O C . ℬ retrieves from L H the tuples ⟨ ( pk S , pk R , W 0 * ) , h 0 * , a 0 * , c 0 * ⟩ and ⟨ ( pk S , pk R , W 1 * ) , h 1 * , a 1 * , c 1 * ⟩ . If c 0 * = c 1 * = 1 , then it aborts and outputs a random bit β ′ as a guess of β . If c 0 * = c 1 * = 0 , then let γ be a bit selected at random. Otherwise, let γ be the bit such that c γ * = 0 . Note that γ is uniformly distributed in { 0 , 1 } . ℬ then computes the trapdoor

Note that, if Z = e ( g , g ) x y z , then

Therefore, T * is a correct trapdoor. In this case, the random value chosen for the trapdoor corresponds to y . Otherwise, the first entrance in Q 1 * is a random element of G 2 . The tuple T * is returned to the adversary.

5.1.4 Phase 2

A continues issuing queries to the oracles, with the restriction that it cannot issue ( pk R , W 0 * ) and ( pk R , W 1 * ) to O C . In this phase, ℬ sets c i = 1 for all new queries to O H .

5.1.5 Guess

Finally, A outputs a bit γ ′ . If γ ′ = γ , then ℬ outputs β ′ = 0 , otherwise β ′ = 1 .

We analyse now the success probability of ℬ . Denote by abt the event that ℬ aborts during the game, which is divided into three events.

• abt 0 : if g i = g u in the simulation of O H 2 . Since u was selected randomly over Z p , therefore determining g u is either a random guess or, given that H 2 ( g a b ) = u , corresponds to solving the CDH. Therefore, under some limitations on the number of queries q H 2 , we have that Pr [ abt 0 ] is negligible.

• abt 1 : if c i = 0 and pk ¯ R = g b in the simulation of O C . We can overestimate this probability by assuming that pk ¯ R = g b in every call to O C . Each c i is selected randomly and independently, therefore a lower bound to the probability that abt 1 does not happen is Pr [ abt 1 ¯ ] ≤ ( 1 − δ ) q C .

• abt 2 : if c 0 * = c 1 * = 1 in the generation of the challenge trapdoor. Therefore, Pr [ abt 2 ¯ ] = 1 − ( 1 − δ ) 2 .