Construction
In this section, we propose a concrete construction of our scheme that can provide multi-ciphertext indistinguishability, multi-trapdoor privacy and security against key guessing attack. The details of proposed scheme are described as follows.
-
Setup(κ): From κ, it chooses a bilinear pairing \(\hat {e}:{\mathbb {G}_{1} \times \mathbb {G}_{1} \rightarrow \mathbb {G}_{2}}\), where \(\mathbb {G}_{1},\mathbb {G}_{2}\) are cyclic groups of prime order q, and selects two random generators \(g,h \in \mathbb {G}_{1}\) and two cryptographic hash functions H1: \(\mathbb {G}_{1} \rightarrow \mathbb {Z}_{q}^{*}\), H2: \(\{0,1\}^{*} \rightarrow \mathbb {Z}_{q}^{*}\). It returns the public parameter \(pp = \left (\mathbb {G}_{1},\mathbb {G}_{2},q,g,h, \hat {e},H_{1},H_{2}\right)\).
-
KeyGenO(pp): It takes a grobal pubilc parameter pp as inputs, selects x←Zp randomly and defines PkO=gx and SkO=x. It outputs the data owner’s public/secret key pairs (PkO,SkO).
-
KeyGenR(pp): From pp, it chooses a random y←Zp and sets PkR=gy and SkR=y then returns the receiver’s public/secret key pairs (PkR,SkR).
-
KeyGenS(pp): By a grobal pubilc parameter pp, it selects randomly z←Zp, and defines PkS=hz and SkS=z. Finally it returns the server’s public/secret key pairs (PkS,SkS).
-
PEKS(pp,PkS,PkR,SkO,w): Given the public parameter pp, PkS, PkR, SkO and a keyword w, a data owner performs the following steps:
-
Select a number \(r \in _{R} \mathbb {Z}_{q}^{*}\).
-
Calculate C1=hr, \( \kern0.3em {C}_2=\kern0.3em \hat{e}{\left(\kern0.3em P{k}_R,P{k}_S\kern0.3em \right)}^{rS{k}_O{H}_2(w)}\kern0.3em \) and C3=grk, where \(\phantom {\dot {i}\!}k = H_{1}\left (Pk_{R}^{Sk_{O}}\right)\).
-
Output the ciphertext Cw=(C1,C2,C3) of w.
-
Trapdoor(pp,PkO,SkR,w′): From pp, PkO of data owner, SkR of receiver and a keyword w′, a receiver executes the following steps:
-
Choose a number \(s \in _{R} \mathbb {Z}_{q}^{*}\).
-
Compute T1=PkSs and \(\phantom {\dot {i}\!}T_{2} = {{Pk_{O}}^{Sk_{R}H_{2}(w^{\prime })}} \cdot g^{sk}\), where \(\phantom {\dot {i}\!}k = H_{1}\left (Pk_{O}^{Sk_{R}}\right)\).
-
Return the trapdoor \(T_{w^{\prime }} = (T_{1},T_{2})\)
-
Test(pp,SkS,Cw,Tw): After receiving \(T_{w^{\prime }}\), the server searchs over keyword ciphertexts {Cw} by testing \(\phantom {\dot {i}\!}\hat {e}(T_{2},C_{1}^{Sk_{S}}) = \hat {e}(T_{1},C_{3}) \cdot C_{2}\) using his private key SkS. If the equation holds, it outputs 1; otherwise, it outputs 0.
Correctness: Assume that (PkO,SkO), (PkR,SkR) and (PkS,SkS) be the data owner, the receiver and the server’s public/secret key pairs respectively. Cw=(C1,C2,C3) is the ciphertext of a keyword w generated by the owner. \(T_{w^{\prime }} = (T_{1},T_{2})\) is a trapdoor of a keyword generated by the receiver. It follows that:
$$\begin{array}{*{20}l} \hat{e}(T_{2},C_{1}^{Sk_{S}}) &= \hat{e}\left({Pk_{O}}^{Sk_{R}H_{2}(w')+{rk}}, h^{{Sk_{S}}r} \right) \\ &= \hat{e}(g,h)^{rxyzH_{2}(w^{\prime}vv)} \cdot \hat{e}(g,h)^{rszk}.\\ \hat{e}(T_{1},C_{3}) \cdot C_{2} &= \hat{e}\left(h^{zs},g^{rk}\right) \cdot \hat{e}\left(g^{y},h^{z}\right)^{rxH_{2}(w)}\\ &= \hat{e}(g,h)^{rxyzH_{2}(w)} \cdot \hat{e}(g,h)^{rszk}. \end{array} $$
Thus, if w=w′, then \(\phantom {\dot {i}\!}\hat {e}\left (T_{2},C_{1}^{Sk_{S}}\right) = \hat {e}\left (T_{1},C_{3}\right) \cdot C_{2}\) holds with probability 1; otherwise, it holds with overwhelming probability by the collision resistance of the hash function H2.
Security proof
In this subsection, we prove that our scheme achieves the security of MCI, MTP and designated testability. Formally, we have the following theorems.
Theorem 1
Under the assumption of DBDH, our scheme satisfies multi-ciphertext indistinguishability.
Proof Assume that \(\mathcal {A}\) is an adversary who tries to destroy the MCI security. And the algorithm \(\mathcal {C}\) for solving DBDH problem is established. Given a instance of this problem, such as \(Y = \left (\mathbb {G}_{1},\mathbb {G}_{2},\hat {e},q,g,g^{x},g^{y},g^{z},Z_{1}\right)\), the algorithm \(\mathcal {C}\) works exactly as follows.
Setup: \(\mathcal {C}\) randomly selects two hash functions \(H_{1}:\mathbb {G}_{1} \rightarrow \mathbb {Z}_{q}^{*}\), \(H_{2}:\{0,1\}^{*} \rightarrow \mathbb {Z}_{q}^{*}\) and sets \(pp = \left (\mathbb {G}_{1}, \mathbb {G}_{2}, q, g, \hat {e}, h =g^{\alpha }, H_{1}, H_{2}\right)\), PkO=gx, PkR=gy and (PkS,SkS)=(ht,t). It then sends pp and (PkS,SkS) to \(\mathcal {A}\).
Phase 1: We define several oracles as follows, which allow \(\mathcal {A}\) to query many times. We assume that \(\mathcal {A}\) cannot query the same oracle more than once.
-
Hash Oracle \(\phantom {\dot {i}\!}\mathcal {O}_{H_{1}}\): In response to the H1 query, the oracle maintains a tuple list \(\phantom {\dot {i}\!}L_{H_{1}}= \left \{< m_{i},a_{i}>\right \}\). We assume that \(\phantom {\dot {i}\!}\mathcal {O}_{H_{1}}\) can be asked by attackers for \(\phantom {\dot {i}\!}q_{H_{1}}\) times at most. For querying mi to the oracle, it will perform the following operations: At first, if \(\hat {e}(g,m_{i}) = \hat {e}\left (g^{x},g^{y}\right)\), \(\mathcal {C}\) randomly returns a bit b′ and halts. Otherwise \(\mathcal {C}\) checks whether mi exists in the tuple list. If so, \(\mathcal {C}\) takes out the corresponding tuple and returns ai to \(\mathcal {A}\). Otherwise, it randomly chooses a new exponent ai∈{0,1}κ, stores <mi,ai> in \(\phantom {\dot {i}\!}L_{H_{1}}\) and returns ai to \(\mathcal {A}\).
-
Hash Oracle \(\phantom {\dot {i}\!}\mathcal {O}_{H_{2}}\): In response to the H2 query, the oracle maintains a tuple list \(\phantom {\dot {i}\!}L_{H_{2}}= \left \{< w_{i},b_{i}>\right \}\). We assume that \(\phantom {\dot {i}\!}\mathcal {O}_{H_{2}}\) can be asked by attackers for \(\phantom {\dot {i}\!}q_{H_{2}}\) times at most. When submitting the keywords wi to the Oracle for query, it will perform the following operations: At first, it checks whether wi exists in the tuple list. if it exists, \(\mathcal {C}\) will take out the corresponding tuple and return bi to \(\mathcal {A}\). Otherwise, it randomly selects a new exponent bi∈{0,1}κ, stores <wi,bi> in \(\phantom {\dot {i}\!}L_{H_{2}}\)and returns bi to \(\mathcal {A}\).
-
Oracle \(\mathcal {O}_{E}\): It takes public key Pki as input. To response to the queries, the oracle maintains a tuple list LE={<Pki,ci,Vi>}, and it is assumed that \(\mathcal {O}_{E}\) can be asked by attackers for qE times at most. When submitting Pki to the Oracle query, it will perform the following operations: At first, if Pki=gx or Pki=gy, \(\mathcal {C}\) randomly returns a bit b′ and halts. Otherwise \(\mathcal {C}\) tests whether exists Pki in the tuple list. If so, \(\mathcal {C}\) chooses the candidate tuple and returns ci to \(\mathcal {A}\). Otherwise, it randomly selects a new exponent ci∈{0,1}κ, and computes \(\phantom {\dot {i}\!}V_{i} = {Pk_{i}}^{c_{i}}\). Finally, it stores <Pki,ci,Vi> in LE and outputs ci.
-
Ciphertext Oracle \(\mathcal {O}_{Ciphertext}\): Input a tuple (pkO,PkR,wi), which wi∈{0,1}∗, it randomly chooses \(r_{i} \in \mathbb {Z}_{q}^{*}\), and computes \(C_{w_{i}} = \left (C_{1w_{i}},C_{2w_{i}},C_{2w_{i}}\right)\) as follows.
-
If (PkO,PkR)=(gx,gy) or (PkO,PkR)=(gy,gx), then it sets \(\phantom {\dot {i}\!}g^{z} = g^{\alpha r_{i}}\), and computes \(C_{1w_{i}} = g^{z}\), \(\phantom {\dot {i}\!}C_{2w_{i}} = Z_{1}^{tb_{i}}\), \(C_{3w_{i}} = g^{r_{i}a_{i}} \).
-
Otherwise, at least one Pki in (PkO,PkR) is equal to gx or gy. It computes H2(wi)=bi, k=ai, and returns to \(\mathcal {A}\) with \(C_{w_{i}} = \left (C_{1w_{i}},C_{2w_{i}},C_{3w_{i}}\right)\), where \(C_{1w_{i}} = h^{r_{i}}\), \(C_{2w_{i}}=\hat {e}(g^{y},h^{r_{i}})^{tc_{o}b_{i}}\) and \(C_{3w_{i}} = g^{r_{i}{a_{i}}}\).
-
Trapdoor Oracle \(\mathcal {O}_{Trapdoor}\): Input (PkO,PkR,wi), where wi∈{0,1}∗, it randomly chooses \(s_{i} \in \mathbb {Z}_{q}^{*}\), and computes \(T_{w_{i}} = (T_{1w_{i}},T_{2w_{i}})\) as follows.
-
If (PkO,PkR)=(gx,gy) or (PkO,PkR)=(gy,gx), then it computes \(T_{1w_{i}} = g^{ts_{i}}\) and \(T_{2w_{j}i} = Z_{2}^{b_{i}}\cdot g^{{r_{i}a_{i}}}\).
-
Otherwise, at least one Pki in (PkO,PkR) equals to gx or gy. It calculates H2(wi)=bi, k=ai, and returns to \(\mathcal {A}\) with \(T_{w_{i}} = \left (T_{1w_{i}},T_{2w_{i}}\right)\), where \(T_{1w_{i}} = g^{ts_{i}} \), \(\phantom {\dot {i}\!}T_{2w_{i}}=(g^{x})^{c_{o}b_{i}}\cdot g^{{s_{i}a_{i}}}\).
Challenge: \(\mathcal {A}\) completes multiple queries on the above oracles. It selects two challenge keyword tuples \(\vec w_{0}^{*}\) and \(\vec w_{1}^{*}\), and sends them to \(\mathcal {C}\) with \(Pk_{O}^{*}\) and \(Pk_{R}^{*}\). \(\mathcal {C}\) randomly selects a random number ri and a bit \(\hat {b} \in \{0,1\}\). then \(\mathcal {C}\) outputs a ciphertext tuple \(\vec C_{{{w_{\hat {b}}}}^{*}} = \left (C_{{w_{\hat {b},1}}^{*}},\dots,C_{{w_{\hat {b},n}}^{*}}\right)\) where \(C_{{1w_{\hat {b},i}}^{*}} = g^{z}\), \(\phantom {\dot {i}\!}C_{{2w_{\hat {b},i}}^{*}} = Z_{1}^{tb_{i}}\), \(\phantom {\dot {i}\!}C_{{3w_{\hat {b},i}}^{*}} = g^{za_{i}} \).
Phase 2: As with Phase 1 of operation, \(\mathcal {A}\) continue to enquire \(\mathcal {O}_{Ciphertext}\) and/or \(\mathcal {O}_{Trapdoor}\) for any keyword wi except \(w_{i} \in \vec w_{0} \cup \vec w_{1} \).
Guess: The adversary\(\mathcal {A}\) sends its guess bit \(\hat {b^{\prime }}\) to \(\mathcal {C}\). Returns b′=0 if \(\hat {b^{\prime }} = \hat {b}\), b′=1 otherwise.
If the guess of the challenging public key is incorrect, \(\mathcal {C}\) will abort. This event is represented by E. If \(\mathcal {C}\) aborts, \(\mathcal {C}\) outputs a random bit. The termination probability of E is \(\frac {1}{q_{E}(q_{E} -1)}\), therefore, \(Pr[\overline {E}] = \frac {1}{q_{E}(q_{E} -1)}\).
Assume that algorithm \(\mathcal {C}\) is not aborted. If the simulation provided by algorithm \(\mathcal {C}\) is the same as scenario of \(\mathcal {A}\) in real attack and \(Z_{1} = \hat {e}(g,g)^{xyz}\), the adversary \(\mathcal {A}\) will win with \(Adv_{\mathcal {A}}^{MCI}(\kappa) + \frac {1}{2}\). If Z1 is randomly chosen from the group \(\mathbb {G}_{2}\), \(\phantom {\dot {i}\!}C_{{2w_{\hat {b},i}}^{*}} = Z_{1}^{Sk_{S}H_{2}(w)}\) is a random element of \(\mathbb {G}_{2}\). In this case, the trapdoor \(\vec T_{{w_{\hat {b}}}^{*}} \) and ciphertext \(\vec C_{{w_{\hat {b}}}^{*}}\) can be tested. When the keywords are consistent, test algorithm outputs 1. Therefore, \(\mathcal {A}\) has a 1/2 probability that he wins the Game 1. Thus, the advantage for \(\mathcal {C}\) in solving DBDH problem is
$$\begin{array}{*{20}l} &\quad Adv_{\mathcal{B}}^{DBDH}(\kappa)\\ &=\! \vert \!Pr[b^{\prime} = b\! \mid E]\! \cdot \!Pr[E] \!+ \!Pr[b^{\prime} = b\! \mid\! \overline{E}] \cdot\! Pr[\overline{E}]\! - \!\frac{1}{2} \vert\! \\ &= \!\vert\! \frac{1}{2} \!\cdot \!(1-\!Pr[\overline{E}])\! + \!\left(Pr[b^{\prime}\! =\! 0]\! \mid \!\overline{E}\!\cap\! b\! =\!0 \right)\!\cdot\! Pr[b\,=\,0]\!\\ & \qquad + Pr[b^{\prime} = 1 \mid \overline{E} \cap b = 1] \cdot Pr[\overline{E}] - \frac{1}{2} \vert\\ &\geq \vert Pr[\overline{E}] \cdot \left(\left(Adv_{\mathcal{A}}^{MCI} + \frac{1}{2}\right)\cdot \frac{1}{2} + \frac{1}{2} \cdot \frac{1}{2}\right) - \frac{1}{2} \end{array} $$
$$\begin{array}{*{20}l} & \qquad+\frac{1}{2} \cdot (1-Pr[\overline{E}]) + Pr[\overline{E}] \vert \\ &= \frac{1}{2}Pr[\overline{E}]Adv_{\mathcal{A}}^{MCI}(\kappa)\\ &= \frac{1}{2q_{E}(q_{E} - 1)} \cdot Adv_{\mathcal{A}}^{MCI}(\kappa). \end{array} $$
Theorem 2
Under the assumption of DDH, our scheme satisfies semantically MTP security.
Proof Assume that \(\mathcal {A}\) is an external opponent who tries to crack the Multi-trapdoor Privacy. Moreover, the algorithm \(\mathcal {C}\) for solving the DDH problem is established. Given a instance of this problem, such as \(Y = \left (\mathbb {G}_{1},q,g,g^{x},g^{y},Z_{2}\right)\), the algorithm \(\mathcal {C}\) works exactly as follows.
Setup: \(\mathcal {C}\) randomly selects two hash functions \(H_{1}:\mathbb {G}_{1} \rightarrow \mathbb {Z}_{q}^{*}\), \(H_{2}:\{0,1\}^{*} \rightarrow \mathbb {Z}_{q}^{*}\) and sets \(pp = \left (\mathbb {G}_{1},\mathbb {G}_{2},q,g,h =g^{\alpha },H_{1},H_{2}\right)\), PkO=gx, PkR=gy and (PkS,SkS)=(ht,t). It then sends pp to \(\mathcal {A}\).
Phase 1: Same as in Theorem 1.
Challenge: \(\mathcal {A}\) completes multiple queries on the above research. It selects two challenge keyword tuples \(\vec w_{0}^{*}\) and \(\vec w_{1}^{*}\), and sends them to \(\mathcal {C}\) with \(Pk_{O}^{*}\) and \(Pk_{R}^{*}\). \(\mathcal {C}\) randomly select a number si and a bit \(\hat {b} \in \{0,1\}\). Then, \(\mathcal {C}\) returns a trapdoor set \(\vec T_{{w_{\hat {b}}}^{*}}= \left (T_{{w_{\hat {b},1}}^{*}},\dots, T_{{w_{\hat {b},n}}^{*}}\right)\) where \(T_{{1w_{\hat {b},i}}^{*}} = h^{ts_{i}}\), \(T_{{2w_{\hat {b},i}}^{*}} = Z_{2}^{b_{i}} \cdot g^{s_{i}a_{i}}\).
Phase 2: \(\mathcal {A}\) continue to enquire \(\mathcal {O}_{C}\) and/or \(\mathcal {O}_{T}\) for any keyword wi except \(w_{i} \in \vec w_{0} \cup \vec w_{1} \).
Guess: The adversary \(\mathcal {A}\) sends its guess bit \(\hat {b^{\prime }}\) to \(\mathcal {C}\). He returns b′=0 if \(\hat {b^{\prime }} = \hat {b}\), b′=1 otherwise.
If the guess of challenging public key is incorrect, \(\mathcal {C}\) will abort. This event will be represented by E. If \(\mathcal {B} \) aborts, \(\mathcal {C}\) outputs a random bit. The probability that it being equal to b is 1/2. According to the random guess of b, the termination probability of E is \(\frac {1}{q_{E}\left (q_{E} -1 \right)}\), therefore, \(Pr[\overline {E}] = \frac {1}{q_{E}\left (q_{E} -1 \right)}\).
Othervise, \(\mathcal {C}\) does not abort. If the simulation provided by algorithm \(\mathcal {C}\) is the same as scenario of \(\mathcal {A}\) in real attack and Z2=gxy, an adversary \(\mathcal {A}\) will win the game with the probability of \(Adv_{\mathcal {A}}^{MTP}(\kappa) + \frac {1}{2}\). If Z2 is randomly chosen from the group \(\mathbb {G}_{2}\), \(T_{{2w_{\hat {b},i}}^{*}} = Z_{2}^{b_{i}} \cdot g^{s_{i}a_{i}}\) will be a random element of \(\mathbb {G}_{2}\). Therefore, the challenge trapdoor tuple hides \(\hat {b}\) completely. In this case, the adversary can test the trapdoor \(\vec T_{{w_{\hat {b}}}^{*}} \) and the ciphertext \(\vec C_{{w_{\hat {b}}}^{*}}\). When the keywords are equal, the test algorithm outputs 1. Thus, the advantage for \(\mathcal {C}\) in solving DDH problem is equal to the advantage in Theorem 1.
Theorem 3
Under the assumption of DBDH, our scheme satisfies designated testability.
Proof Assume that \(\mathcal {A}\) is an attacker who tries to crack the designated testability and the challenger \(\mathcal {C}\) wants to solve DBDH problem. Given a instance of this problem, such as \(Y = \left (\mathbb {G}_{1},\mathbb {G}_{2},\hat {e},q,h,h^{x},h^{y},h^{z},Z_{3}\right)\), the algorithm \(\mathcal {C}\) works as follows.
Setup: \(\mathcal {C}\) randomly selects two hash functions \(H_{1}:\mathbb {G}_{1} \rightarrow \mathbb {Z}_{q}^{*}\), \(H_{2}:\{0,1\}^{*} \rightarrow \mathbb {Z}_{q}^{*}\) and sets \(pp = (\mathbb {G}_{1}, \mathbb {G}_{2}, q\), \(\hat {e}\), h, H1, H2, g=hx), (PkO,SkO)=(gs,s), (PkR,SkR)=(gt,t) and PkS=hz. It then sends pp to \(\mathcal {A}\).
Phase 1: Hash Oracle \(\phantom {\dot {i}\!}\mathcal {O}_{H_{1}}\) and Hash Oracle \(\phantom {\dot {i}\!}\mathcal {O}_{H_{2}}\) are same in Theorem 1. We only define Exact Oracle \(\mathcal {O}_{E}\) as follows.
Frist \(\mathcal {A}\) performs multiple queries on the above oracle. It selects two challenge keywords \( w_{0}^{*}\) and \(w_{1}^{*}\). Then \(\mathcal {A}\) returns \((w_{0}^{*}, w_{1}^{*})\) to \(\mathcal {C}\) together with \(Pk_{O}^{*}\) and \(Pk_{R}^{*}\). \(\mathcal {C}\) selects a number \(y \in _{R} \mathbb {Z}_{q}\) and a bit \(\hat {b} \in _{R} \{0,1\}\), and outputs \(\phantom {\dot {i}\!}C_{{w_{\hat {b}}}^{*} }= \left (C_{{1w_{\hat {b}}}^{*}}, C_{{2w_{\hat {b}}}^{*}}, C_{{3w_{\hat {b}}}^{*}}\right)\) where \(C_{{1w_{\hat {b}}}^{*}} = h^{y}\), \(\phantom {\dot {i}\!}C_{{2w_{\hat {b}}}^{*}} = Z_{3}^{stb_{i}}\), \(\phantom {\dot {i}\!}C_{{3w_{\hat {b}}}^{*}} = g^{yk}\).
Phase 2: \(\mathcal {A}\) continue to enquire \(\mathcal {O}_{C}\) and/or \(\mathcal {O}_{T}\) for any keyword wi except wi∈{w0,w1}.
Guess: The adversary \(\mathcal {A}\) transmits its guess bit \(\hat {b^{\prime }}\) to \(\mathcal {C}\). Returns b′=0 if \(\hat {b^{\prime }} = \hat {b}\), b′=1 otherwise. If the simulation provided by algorithm \(\mathcal {C}\) is the same as \(\mathcal {A}\) in real attack and \(Z = \hat {e}(h,h)^{xyz}\), \(\mathcal {A}\) will win the game with the probability of \(Adv_{\mathcal {A}}^{DT}(\kappa) + \frac {1}{2}\). If Z is randomly chosen from the group \(\mathbb {G}_{2}\), \(\phantom {\dot {i}\!}C_{{2w_{\hat {b},i}}^{*}} = Z^{Sk_{S}H_{2}(w)}\) is a well distributed challenge ciphertext. And \(\mathcal {A}\) has a 1/2 probability of winning the game. Thus, \(\mathcal {C}\)’s advantage in solving DBDH problem is
$$\begin{array}{*{20}l} &Adv_{\mathcal{B}}^{DBDH}(\kappa) \\ &= \vert Pr[b^{\prime} = 1 \mid b = 1] \cdot Pr[b= 1] \\ & \qquad + Pr[b^{\prime} = 1 \mid b = 1] \cdot Pr[b= 1] - \frac{1}{2} \vert \\ &= \vert \frac{1}{2} \cdot \frac{1}{2} + \frac{1}{2}\cdot\left(Adv_{\mathcal{A}}^{DT}(\kappa) + \frac{1}{2}\right) - \frac{1}{2} \vert \\ &= \frac{1}{2}Adv_{\mathcal{A}}^{DT}(\kappa). \end{array} $$
