Hierarchical Identity-Based Authenticated Encryption with Keyword Search over encrypted cloud data

With the rapid development of cloud computing technology, cloud storage services are becoming more and more mature. However, the storage of sensitive data on remote servers poses privacy risks and is presently a source of concern. Searchable Encryption (SE) is an effective method for protecting sensitive data while preserving server-side searchability. Hierarchical Public key Encryption with Keyword Search (HPEKS), a new variant of SE, allows users with higher access permission to search over encrypted data sent to lower-level users. To the best of our knowledge, there exist only four HPEKS schemes in the literature. Two of them are in traditional public-key setting, and the remaining ones are identity-based public key cryptosystems. Unfortunately, all of the four existing HPEKS schemes are vulnerable against inside Keyword Guessing Attacks (KGAs). Moreover, all of the existing HPEKS schemes are based on the computationally expensive bilinear pairing operation which dramatically increases the computational costs. To overcome these issues, in this paper, we introduce the notion of Hierarchical Identity-Based Authenticated Encryption with Keyword Search (HIBAEKS). We formulate a security model for HIBAEKS and propose an efficient pairing-free HIBAEKS scheme. We then prove that the proposed HIBAEKS scheme is secure under the defined security model and is resistant against KGAs. Finally, we compare our proposed scheme with related constructions regarding security requirements, computational and communication costs to indicate the overall superiority of our proposed scheme.

Cloud storage technology has received extensive attention in recent years due to advantages like unlimited storage space, data shareability, low cost, and high service availability. Consequently, many enterprises and individual users prefer to store their data on the cloud storage server over the internet. Upon outsourcing over cloud, users naturally lose their complete control over data, and consequently, the security and privacy of their outsourced data become dependent on the cloud server’s security. However, a cloud server can not be completely trusted and additional steps must be taken to guarantee the privacy of users’ data. A naive approach towards achieving privacy would be to apply some form of encryption before uploading. However, this technique would bring up search complications on ciphered data. In order to circumvent this problem, the notion of Searchable Encryption (SE) can be used, which simultaneously enables search over encrypted data and protects data confidentiality [1]. An SE scheme involves three types of entity in its basic setup, data senders, data receivers, and cloud server. A data sender needs to outsource a collection of documents and related keywords to the cloud server. To do so, it produces ciphertext and searchable ciphertexts for each document and its keywords, respectively, and outsources them to the server. A data receiver, aiming to retrieve documents containing a specific keyword, creates a trapdoor for the keyword and submits it to the server. Upon receipt of a trapdoor, the cloud server conducts a search operation on the data receiver’s searchable ciphertexts to find documents that contain the corresponding keyword. Figure 1 shows a typical network architecture of a SE scheme.

A typical network architecture of SE

Full size image

Related works

To incorporate keyword search functionality in the asymmetric cryptography setting Boneh et al. [2] defined the concept of Public key Encryption with Keyword Search (PEKS) and proposed a PEKS scheme. In 2008, Baek et al. [3] discovered that the PEKS model proposed by Boneh et al. requires a secure communication channel for transmitting search trapdoors. To address this issue, the authors introduced the concept of Secure Channel-Free PEKS (SCF-PEKS). Byun et al. [4] noticed that in practical applications the keyword space is typically small and introduced a new attack named Keyword Guessing Attack (KGA). In a KGA, after obtaining a trapdoor, an adversary produces searchable ciphertexts corresponding to each potential keyword. Subsequently, the adversary verifies these ciphertexts against the provided trapdoor using the publicly available Test algorithm. Consequently, through the execution of this attack, an adversary may accurately obtain the corresponding keyword to the given trapdoor uniquely. In 2010, to achieve security against KGA, Rhee et al. [5] introduced the concept of designated-server PEKS (dPEKS) and proposed the first dPEKS scheme. The authors also introduced the concept of trapdoor-indistinguishability and proved that trapdoor-indistinguishability is a sufficient condition for thwarting KGAs. Roughly speaking, trapdoor-indistinguishability means that it should be infeasible for any Probabilistic Polynomial-Time (PPT) attacker to differentiate between the trapdoors associated with two different keywords. Afterwards, many dPEKS schemes have been proposed in the literature [6, 7]; unfortunately, these schemes are unable to withstand KGA launched by inside adversaries. In order to prevent this type of KGA, Li et al. [8] presented a chaos-based PEKS scheme by employing the key establishment in PEKS. However, Noroozi et al. [9] showed that an inside adversary is able to perform a KGA against Li et al.’s PEKS scheme. After that, in [10], Huang and Li defined the concept of Public key Authenticated Encryption with Keyword Search (PAEKS) by formalizing the idea of [8]. In contrast to a dPEKS scheme, in a PAEKS scheme, a data sender is equipped with a pair of public and private keys and generates the searchable ciphertexts using the data receiver’s public key and his own private key. The data receiver also employs his private key and data sender’s public key for trapdoor generation. Therefore, this concept guarantees that neither inside nor outside adversaries can generate searchable ciphertexts corresponding to the guessed keywords, thereby preventing the launch of KGAs. The authors of [11] observed that Huang and Li’s security model is not suitable for multi-user environments and defined an improved security model. Recently, Qin et al. [12] further improved the PAEKS’s security model presented in [11] and proposed a new PAEKS scheme secure in their proposed model. In the subsequent works [13,14,15], many other PAEKS schemes have been proposed.

The above-mentioned PEKS schemes have all been deployed on PKI, and thus suffer from the complicated certificate management problem. To tackle this matter, Abdalla et al. [16] defined the concept of Identity-Based Encryption with Keyword Search (IBEKS). Several IBEKS schemes have been proposed [17, 18] inspired by the work of [16]. However, these schemes require a secure channel for transmitting search trapdoors, and consequently they are not secure against outside KGA. To resist outside KGA on IBEKS, Wu et al. [19] introduced the concept of designated-tester IBEKS (dIBEKS) and proposed the first dIBEKS scheme. Later, [20, 21] proposed two other dIBEKS schemes; however, Noroozi et al. [22] proved that none of these three schemes provide ciphertext-indistinguishability against inside adversaries. To resist inside KGA on IBEKS, Li et al. [23] expanded PAEKS into the identity-based setting and proposed an Identity-Based Authenticated Encryption with Keyword Search (IBAEKS) scheme. Afterwards, some other PEKS schemes are proposed in the identity-based cryptography and related settings. The intersested reader is referred to [24,25,26,27,28,29,30,31,32] for more details.

Unfortunately, the PEKS frameworks mentioned above become impractical in the large multi-receiver setups which are organized via a hierarchical structure among their users. In this structure, a user with higher access permission (according to his corresponding role and responsibility) should be able to monitor data used by its lower-level users in the hierarchy. To add support for such access permissions in PEKS, Wang et al. [33] defined the concept of Hierarchical IBEKS (HIBEKS). They also proposed a HIBEKS scheme and claimed that it provides the security against offline KGAs launched by outside adversaries. However, it can be easily proven that their scheme can not resist outside offline KGAs.^{Footnote 1} In 2020, Li et al. [34] defined the concept of designated-server Hierarchical PEKS (dHPEKS) based on a multi-way tree of the users’ hierarchical structure called the public key tree. Then, they defined a security model for dHPEKS and presented a dHPEKS scheme with provable security under their model. In 2021, Liu et al. [35] used a distributed Two-Trapdoor Public-key cryptosystem [36] to construct another dHPEKS scheme which also utilizes a public key tree structure to enable the monitoring function for the data receivers. Nevertheless, these dHPEKS schemes are built on PKI, and therefore face the intractable certificate management problem. To overcome these limitations, recently, Shiraly et al. [37] introduced the concept of designated-tester Hierarchical IBEKS (dHIBEKS) and defined a security model for dHIBEKS. They have additionally put forth a dHIBEKS scheme and have provided a proof of its security under the defined model. In a dHIBEKS scheme, the identity of a user is represented as a hierarchical tree structure and a user with ID-tuple \(\left( ID_1, \cdots , ID_i\right)\) (for \(i \in \{1,2, \cdots , t-1\}\)) which has higher access permission than the data receiver with ID-tuple \(\left( ID_1, \cdots , ID_t\right)\), is able to compute the data receiver’s private key and therefore search over the data receiver’s ciphertexts.

Motivation and contribution

The large multi-receiver setups which gain the greatest advantages from searchable encryption technology, often support a hierarchical structure among their users. Examples include office automation systems within enterprises or governments that generate a substantial volume of messages on a daily basis. In this hierarchical structure, higher-layer users should possess the privilege to monitor lower-layer users to ascertain compliance with established regulations. To add support for such access permissions in PEKS, several HPEKS schemes have been proposed in the literature. As explained in prvious section, there exist only two dHPEKS schemes (i.e., [34] and [35]), one HIBEKS scheme (i.e., [33]), and one dHIBEKS scheme (i.e., [37]) in the literature. However, the same as other PEKS/dPEKS schemes, none of these schemes provide security against KGAs launched by the inside adversaries.

Another drawback of the existing PEKS schemes in the hierarchical setting is that they are based on computationally expensive bilinear pairing operations, resulting in a significant decrease in the efficiency of these schemes. To address these issues, in this paper:

• We define the notion of Hierarchical Identity-Based Authenticated Encryption with Keyword Search (HIBAEKS).

• We present the security model of HIBAEKS.

• We propose a concrete pairing-free HIBAEKS scheme.

• We prove the security of the proposed scheme in the given security model under the intractability assumption of GDH problem.

• We conduct a comparison between the proposed scheme with the related ones to demonstrate its overall superiority.

Paper organization

In Preliminaries section, we review the preliminary materials of the paper. In Definition and security model of HIBAEKS section we define the concept of HIBAEKS and its security model. The proposed HIBAEKS scheme is provided in The proposed HIBAEKS scheme section. We prove the security of the proposed HIBAEKS scheme in Security analysis section and analyze its performance in Performance analysis section. We provide the paper’s conclusion in Conclusion and future works section.

In this section, we present concise overview of some preliminary materials. Let G denote an additive cyclic group of prime order q, and P denote a generator of G. With this setup, the CDH, DDH, and GDH problems are defined as follows:

Definition 1

Computational Diffie-Hellman (CDH) problem: Given \(\left( P, xP, yP\right)\), where x, y are selected from \(\mathbb {Z}_q^*\) at random, compute \(C = xyP\).

Definition 2

Decisional Diffie-Hellman (DDH) problem: Given \(\left( P, xP, yP, zP\right)\), where x, y, z are selected from \(\mathbb {Z}_q^*\) at random, determine whether z is equal to \(xy \in \mathbb {Z}_q^*\) or is a random element of \(\mathbb {Z}_q^*\).

Definition 3

Gap Diffie-Hellman (GDH) problem: Given \(\left( P, xP, yP\right)\), where x, y are selected from \(\mathbb {Z}_q^*\) at random, compute \(C = xyP\) with the help of \(O_{DDH}\) which denotes an oracle that solves DDH (i.e., on input of \(\left( aP, bP, C\right)\), \(O_{DDH}\) outputs 1 if \(C = abP\) and 0 otherwise) [38].

In this section, we define the system model and security requirements of a HIBAEKS scheme. The general architecture of the hierarchical structure among the system users in a HIBAEKS scheme is depicted in Fig. 2. Here, users have a hierarchical structure according to their corresponding identities. At the top of the hierarchy, the root PKG generates the private key of the users in the first layer of hierarchy and send it to them. Each other user of the hierarchy would generate the private keys of their child users (if there is any) by using its private key and send the results to them.

The general hierarchical structure of a HIBAEKS scheme (for simplicity, we assume that each user has m child users)

Full size image

The definition

Formally, a HIBAEKS scheme includes five PPT algorithms as follows.

• Setup: The root PKG performs this algorithm. On input of a security parameter \(\lambda\), it outputs the public parameters prms, which will be an implicit input to other algorithms, and the master secret key msk.

• KeyGen: The root PKG or a lower-level PKG with ID-tuple \(ID|_t=\left( ID_1, \cdots , ID_t\right)\) performs this algorithm. Taking ID-tuple \(ID|_{t+1}=\left( ID_1, \cdots , ID_{t+1}\right)\) and the private key \(s_{ID|_t}\) of the ancestor of \(ID|_{t+1}\) (if \(t = 1\), then \(s_{ID|_t} = msk\)) as input, it outputs \(s_{ID|_{t+1}}\) as the private key of the user with ID-tuple \(ID|_{t+1}\).

• HIBAEKS: The data owner with ID-tuple \(ID|_t=\left( ID_1, \cdots , ID_t\right)\) performs this algorithm. Taking ID-tuple \(ID|_t\) and the private key \(s_{ID|_t}\) of the data owner, the data receiver’s ID-tuple \(ID^\prime |_{t^\prime }=\left( ID^\prime _1, \cdots , ID^\prime _{t^\prime }\right)\) and a keyword w as input, this algorithm outputs a searchable ciphertext \(C_w\).

• Trapdoor: The data receiver with ID-tuple \(ID^\prime |_{t^\prime }=\left( ID^\prime _1, \cdots , ID^\prime _{t^\prime }\right)\) or one of his ancestors performs this algorithm. Taking ID-tuple \(ID^\prime |_{t^\prime }\) and the private key of the receiver or his ancestor that runs this algorithm \(s_{ID^\prime |_{i^\prime }}\) (\(i^\prime \le t^\prime\)), ID-tuple \(ID|_t=\left( ID_1, \cdots , ID_t\right)\) of the data owner and a keyword \(w^\prime\) as input, this algorithm outputs a trapdoor \(T_{w^\prime }\).

• Test: The server performs this algorithm. Taking ID-tuple \(ID|_t=\left( ID_1, \cdots , ID_t\right)\) of the data owner, ID-tuple \(ID^\prime |_{t^\prime }=\left( ID^\prime _1, \cdots , ID^\prime _{t^\prime }\right)\) of the data receiver, a searchable ciphertext \(C_w\), and a trapdoor \(T_{w^\prime }\) as input, this algorithm outputs \(\top\) if \(w=w^\prime\) and \(\bot\) otherwise.

The security model

A security model of HIBAEKS should consider the indistinguishability of both the ciphertexts and the trapdoors. The followings show the details of the provided security model for HIBAEKS schemes.

Ciphertext-Indistinguishability

Let \(\Pi\) be a HIBAEKS scheme. The following game formally defines ciphertext-indistinguishability of \(\Pi\) against a PPT adversary \(\mathcal {A}\).

Game I: The Game I, conducted between \(\mathcal {A}\) and the challenger \(\mathcal {C}\), comprises the following phases:

• Initialization. \(\mathcal {C}\) creates the public parameters prms and the master secret key msk by executing Setup(\(\lambda\)). Then, it gives prms to \(\mathcal {A}\).

• Phase 1. \(\mathcal {C}\) responds to the following queries posed adaptively by \(\mathcal {A}\) for polynomially many times:

  • \(ExtSK(ID|_t)\): On input of a user’s ID-tuple \(ID|_t\), \(\mathcal {C}\) generates the corresponding secret key \(s_{ID|_t}\) and returns the result.

  • Queries to \(HIBAEKS\left( ID|_t,ID^\prime |_{t^\prime },w\right)\): On input of a data owner’s ID-tuple \(ID|_t\), a data receiver’s ID-tuple \(ID^\prime |_{t^\prime }\), and a keyword w, \(\mathcal {C}\) generates a searchable ciphertext \(C_w\) and returns the result.

  • Queries to \(Trapdoor\left( ID|_t,ID^\prime |_{t^\prime },w\right)\): On input of a data owner’s ID-tuple \(ID|_t\), a data receiver’s ID-tuple \(ID^\prime |_{t^\prime }\), and a keyword w, \(\mathcal {C}\) generates a trapdoor \(T_w\) and returns the result.

• Challenge. \(\mathcal {A}\) outputs a data owner’s ID-tuple \(ID^{S^*}|_t\), a data receiver’s ID-tuple \(ID^{R^*}|_{t^\prime }\), and two different challenge keywords \(w_0\) and \(w_1\). Now, \(\mathcal {C}\) chooses a bit b at random and performs \(HIBAEKS\left( ID^{S^*}|_t, s_{ID^{S^*}|_t}, ID^{R^*}|_{t^\prime }, w_b\right)\) to generate the target searchable ciphertext C. It sends C as the challenge searchable ciphertext to \(\mathcal {A}\).

• Phase 2. In this phase, \(\mathcal {A}\) is able to probe \(\mathcal {C}\) as Phase 1.

• Guess. \(\mathcal {A}\) returns a guess \(b^\prime \in \{0,1\}\) and is declared the winner if \(b=b^\prime\), subject to the following:

  • Neither \(ExtSK\left( ID^{S^*}|_t\right)\) nor \(ExtSK\left( ID^{R^*}|_{t^\prime }\right)\) are queried by \(\mathcal {A}\) during Phase 1 or Phase 2.

  • \(Trapdoor\left( ID^{S^*}|_t, ID^{R^*}|_{t^\prime }, w_i\right)\) for \(i=0,1\) are not queried by \(\mathcal {A}\) during Phase 1 or Phase 2.

The advantage of \(\mathcal {A}\) is defined as

Definition 4

A HIBAEKS scheme \(\Pi\) satisfies ciphertext-indistinguishability if for any PPT attacker \(\mathcal {A}\), \(Adv^{indC}_{\mathcal {A},\Pi }\) is negligible.

Trapdoor-indistinguishability

Let \(\Pi\) be a HIBAEKS scheme. The following game formally defines trapdoor-indistinguishability of \(\Pi\) against a PPT adversary \(\mathcal {A}\).

Game II: The Game II, conducted between \(\mathcal {A}\) and the challenger \(\mathcal {C}\), comprises the following phases:

• Initialization. \(\mathcal {C}\) creates the public parameters prms and the master secret key msk by executing Setup(\(\lambda\)). Then, it gives prms to \(\mathcal {A}\).

• Phase 1. Same as those in Game I.

• Challenge. \(\mathcal {A}\) outputs a data owner’s ID-tuple \(ID^{S^*}|_t\), a data receiver’s ID-tuple \(ID^{R^*}|_{t^\prime }\), and two different challenge keywords \(w_0\) and \(w_1\). Now, \(\mathcal {C}\) chooses a bit b at random and performs \(Trapdoor\left( ID^{S^*}|_t, ID^{R^*}|_{t^\prime }, s_{ID^{R^*}|_{t^{\prime }}}, w_b\right)\) to generate the target trapdoor T. It sends T as the challenge trapdoor to \(\mathcal {A}\).

• Phase 2. \(\mathcal {A}\) is able to probe \(\mathcal {C}\) as in Phase 1.

• Guess. \(\mathcal {A}\) returns a guess \(b^\prime \in \{0,1\}\) and is declared the winner if \(b=b^\prime\), subject to the following:

  • Neither \(ExtSK\left( ID^{S^*}|_t\right)\) nor \(ExtSK\left( ID^{R^*}|_{t^{\prime }}\right)\) are queried by \(\mathcal {A}\) during Phase 1 or Phase 2.

  • \(HIBAEKS\left( ID^{S^*}|_t, ID^{R^*}|_{t^\prime }, w_i\right)\) for \(i=0,1\) are not queried by \(\mathcal {A}\) during Phase 1 or Phase 2.

The advantage of \(\mathcal {A}\) is defined as

Definition 5

A HIBAEKS scheme \(\Pi\) satisfies trapdoor-indistinguishability if for any PPT attacker \(\mathcal {A}\), \(Adv^{indT}_{\mathcal {A},\Pi }\) is negligible.

Remark 1

As it is proven in [5], the notion of trapdoor-indistinguishability is a sufficient condition for thwarting KGAs.

In the following, we present our proposed HIBAEKS scheme.

• Setup: Given a security parameter \(\lambda\), the root PKG:

  1. 1.

     Chooses a cyclic group G with prime order \(q>2^\lambda\).

  2. 2.

     Chooses four cryptographic hash functions^{Footnote 2}\(h: G \times \{0,1\}^*\rightarrow Z^*_q\), \(h_1:\{0,1\}^*\times G \times \{0,1\}^*\times G\times G \times \{0,1\}^*\rightarrow Z^*_q\), \(h_2:Z^*_q\times G \rightarrow Z^*_q\), and \(h_3: Z^*_q \times \{0,1\}^*\rightarrow Z^*_q\).

  3. 3.

     Chooses a generator \(P\in G\), \(s \in _{R} Z^*_q\) as the master secret key, and computes \(P_{pub}=sP\) as the master public key.

  4. 4.

     Secures s and publishes the system parameters \(prms=\left( G,~q,~ P,~P_{pub},~h,~h_1,~h_2,~h_3\right)\) which also will be an implicit input to all other algorithms.

• KeyGen (or Lower-level Setup): Through this algorithm and on input of the ID-tuple \(ID|_{t+1}=\left( ID_1, \cdots , ID_{t+1}\right)\) and the private key of the ancestor of \(ID|_{t+1}\), i.e., \(s_{ID|_t}\) (note that if \(t=1\), then \(s_{ID|_t}=s\)), the root PKG or a lower-level PKG:

  1. 1.

     Computes

     $$\begin{aligned} r_{ID|_{t+1}}&= h_3\left( s_{ID|_t},ID|_{t+1}\right) \\ R_{ID|_{t+1}}&= r_{ID|_{t+1}}P\\ s_{ID|_{t+1}}&= r_{ID|_{t+1}}+s_{ID|_t} h\left( R_{ID|_{t+1}},ID|_{t+1}\right) \end{aligned}$$
  2. 2.

     Sends \(\left( s_{ID|_{t+1}},R_{ID|_{t+1}}\right)\) securely to the user with ID-tuple \(ID|_{t+1}\).

• HIBAEKS: Through this algorithm and on input of the data owner’s ID-tuple \(ID|_t= \left( ID_1, \cdots , ID_t\right)\) and his secret key \(s_{ID|_t}\), the receiver’s ID-tuple \(ID^\prime |_{t^\prime }=\left( ID^\prime _1, \cdots , ID^\prime _{t^\prime }\right)\), \(R_{ID^\prime |_1}\), \(R_{ID^\prime |_2}\), \(\cdots\), \(R_{ID^\prime |_{t^\prime }}\) and a keyword w, the data owner:

  1. 1.

     Chooses \(r\in Z^*_q\) at random and computes \(C_1 = rP\).

  2. 2.

     Computes \(K=\sum _{i=1}^{t^\prime } \prod _{j=i+1}^{t^\prime } h\left( R_{ID^\prime |_j},ID^\prime |_j\right) R_{ID^\prime |_i} + \prod _{i=1}^{t^\prime } h\left( R_{ID^\prime |_i},ID^\prime |_i\right) P_{pub} = [h\left( R_{ID^\prime |_2},ID^\prime |_2\right) \times\) \(\cdots \times h\left( R_{ID^\prime |_{t^\prime }},ID^\prime |_{t^\prime }\right) ] R_{ID^\prime |_1} + [h\left( R_{ID^\prime |_3},ID^\prime |_3\right) \times\) \(\cdots \times h\left( R_{ID^\prime |_{t^\prime }},ID^\prime |_{t^\prime }\right) ] R_{ID^\prime |_2} + \cdots + R_{ID^\prime |_{t^\prime }} + [h\left( R_{ID^\prime |_1},ID^\prime |_1\right) \times h\left( R_{ID^\prime |_2},ID^\prime |_2\right) \times \dots \times h(R_{ID^\prime |_{t^\prime }},\) \(ID^\prime |_{t^\prime })]P_{pub}\).

  3. 3.

     Computes \(C_2=rh_2(h_1(ID|_t,s_{ID|_t}P,ID^\prime |_{t^\prime }\), \(K,s_{ID|_t}K,w),C_1)P\).

  4. 4.

     Sends the searchable ciphertext \(C=\left( C_1,C_2\right)\) to the server.

• Trapdoor: Through this algorithm and on input of the data owner’s ID-tuple \(ID|_t=\left( ID_1, \cdots , ID_t\right)\), \(R_{ID|_1}\), \(R_{ID|_2}\), \(\cdots\), \(R_{ID|_t}\), the ID-tuple corresponding to the receiver or one of his ancestors \(ID^\prime |_i=\left( ID^\prime _1, \cdots , ID^\prime _i\right)\) and the corresponding secret key \(s_{ID^\prime |_i}\), and a keyword w, the data receiver or that ancestor of him who performs this algorithm:

  1. 1.

     If the receiver is not the one that performs this algorithm, then uses \(s_{ID^\prime |_i}\) step by step down and computes \(s_{ID^\prime |_{t^\prime }}\) as specified in the KeyGen algorithm.

  2. 2.

     Computes \(K^\prime =\sum _{i=1}^t \prod _{j=i+1}^t h(R_{ID|_j},ID|_j) R_{ID|_i} + \prod _{i=1}^t h(R_{ID|_i},ID|_i) P_{pub} = [h(R_{ID|_2},ID|_2) \times \cdots \times h(R_{ID|_t},ID|_t)] R_{ID|_1} + [h(R_{ID|_3},ID|_3) \times \cdots \times h(R_{ID|_t},ID|_t)] R_{ID|_2}+ \cdots + R_{ID|_t} + [h(R_{ID|_1},ID|_1) \times h(R_{ID|_2},ID|_2) \times \cdots \times h(R_{ID|_t},ID|_t)]P_{pub}\).

  3. 3.

     Computes \(T = h_1(ID|_t,K^\prime ,ID^\prime |_{t^\prime },s_{ID^\prime |_{t^\prime }}P, s_{ID^\prime |_{t^\prime }}\) \(K^\prime ,w)\).

  4. 4.

     Sends the trapdoor T to the server.

• Test: The server outputs \(\top\) if the following equation holds; else, \(\bot\).

  $$\begin{aligned} C_2 = h_2\left( T,C_1\right) C_1. \end{aligned}$$

In the following, we show that the proposed HIBAEKS scheme works correctly.

Theorem 1

Assume that \(C=\left( C_1,C_2\right)\) is the searchable ciphertext of the keywords w and let T be the trapdoor for \(w^\prime\). Then, if \(w=w^\prime\), the output of the Test algorithm on C and T would be \(\top\).

Proof

To prove this theorem, first note that

Now, we show that if \(w=w^\prime\) then, \(C_2=h_2\left( T,C_1\right) C_1\) and as a consequence, the Test algorithm outputs \(\top\) on input of C and T.

\(\square\)

Instantiation of the scheme

Consider a scenario wherein a data sender with ID-tuple \(ID|_{2} = (ID_{1}, ID_{2})\) at level 2 wants to send a document to the data receiver with ID-tuple \(ID^{\prime }|_{2} = (ID^{\prime }_{1}, ID^{\prime }_{2})\) at level 2 situated in a different branch of the user’s hierarchy. To do so, for each keyword w of the document, the data sender chooses \(r\in Z^*_q\) at random and computes \(C_1 = rP\). It computes \(K = h(R_{ID^\prime |_2},ID^\prime |_2) R_{ID^\prime |_1} + R_{ID^\prime |_2} + [h(R_{ID^\prime |_1},ID^\prime |_1) \times h(R_{ID^\prime |_2},ID^\prime |_2)]P_{pub}\). Then, it uses its secret key \(s_{ID^\prime |_2}\) to compute \(C_{2} = rh_{2}(h_{1}(ID|_2,s_{ID|_2}P,ID^\prime |_{t^\prime }\), \(K,s_{ID|_2}K,w),C_{1})P\), and sends the searchable ciphertext \(C=\left( C_1,C_2\right)\) to the server.

On the other side, the data receiver with ID-tuple \(ID^{\prime }|_{2} = (ID^{\prime }_{1}, ID^{\prime }_{2})\) or its parent with ID-tuple \(ID^{\prime }|_{1} = (ID^{\prime }_{1})\) in the user’s hierarchy wants to genetate a valid trapdoor for a keyword \(w^{\prime }\). The data receiver or its parent computes \(K^{\prime } = h(R_{ID|_2},ID|_2) R_{ID|_1} + R_{ID|_2} + [h(R_{ID|_1},ID|_1) \times h(R_{ID|_2},ID|_2)]P_{pub}\). Then, it computes \(T = h_{1}(ID|_{2}, K^{\prime } ,ID^\prime |_{2}, s_{ID^{\prime }|_2} P, s_{ID^{\prime }|_2} K^{\prime } ,w^{\prime })\), and sends it to the server. Finally, the server returns \(\top\) if the equation \(C_2 = h_2(T,C_1)C_1\) holds; otherwise, it returns \(\bot\). The parent of the data receiver (i.e., the user with identity \(ID^{\prime }|_{1} = (ID^{\prime }_{1})\)) could also search over its child documents by first computing the secret key \(s_{ID^{\prime }|_2} = r_{ID^{\prime }|_2} + s_{ID^{\prime }|_1} h(R_{ID^{\prime }_{2}} ,ID^{\prime }_{2} )\), where \(r_{ID^{\prime }|_{2}}= h_3\left( s_{ID^{\prime }|_1},ID^{\prime }|_{2}\right)\) and \(R_{ID^{\prime }|_{2}} = r_{ID^{\prime }|_{2}}P\), and then proceeding in the same way as its child.

Let \(\Pi\)=(Setup, KeyGen, HIBAEKS, Trapdoor, Test) be the scheme of The proposed HIBAEKS scheme section. In what follows, we provide Theorems 2 and 3 to prove that \(\Pi\) preserves ciphertext and trapdoor-indistinguishability as defined in Definitions 4 and 5. Based on Theorem 3 in this paper and Theorem 5 in [5], we can conclude that our proposed scheme provides security against KGAs launched by both outside/inside adversaries. This is stated in Theorem 4.

Theorem 2

\(\Pi\) satisfies ciphertext-indistinguishability under the hardness assumption of GDH problem.

Proof

Assume the existence of an adversary \(\mathcal {A}\) against \(\Pi\), capable of winning game I by a non-negligible advantage \(\epsilon\) (i.e., \(Adv^{indC}_{\mathcal {A},\Pi }=\epsilon\)). We show how a PPT algorithm \(\mathcal {B}\) can use \(\mathcal {A}\) to solve GDH problem with an advantage \(Adv_\Gamma ^{GDH}\left( \mathcal {B},q_{h_1}\right) \ge \dfrac{l^2 \epsilon }{q_h \left( q_h-l\right) }\), where \(\mathcal {A}\) can makes \(q_h\) queries to the oracle h on different ID-tuples and l is the maximum hierarchical level. As a result, we can conclude that \(\epsilon\) should be negligible.

Given a GDH problem instance \(\left( P, xP, yP\right)\), \(\mathcal {B}\) operates as follows.

• \(\mathbf {Initialization.}\ \mathcal {B}\) executes Setup(\(\lambda\)) as specified in the proposed scheme with the exception of setting \(P_{pub} = xP\). For \(i \in [1, 2, \dots , l]\), \(\mathcal {B}\) randomly selects indices \(l_{i}, l^\prime _{i} \le q\) \((l_{i} \ne l^\prime _{i})\) corresponding to the challenge ID-tuple of data owner and data receiver, respectively. Then, \(\mathcal {B}\) sends prms to \(\mathcal {A}\).

• \(\mathbf {Phase~1.}\) Below is a description of the queries that \(\mathcal {A}\) can make and how \(\mathcal {B}\) responds to them. \(\mathcal {B}\) must maintain the following initial empty lists in order to consistently answer to queries: L, \(L_1\), \(L_2\), \(L_3\) and \(L_{key}\).

  • Queries to h: On input of \(\left( R_{ID|_i},ID|_i\right)\) to this oracle, \(\mathcal {B}\) searches L to find the entry \(\left( ID|_i, R_{ID|_i}, h\right)\) and returns h if such a tuple exists. Otherwise, it chooses \(h \in Z^*_q\) randomly, inserts \(\left( ID|_i, R_{ID|_i}, h\right)\) to L and returns h to \(\mathcal {A}\).

  • Queries to \(h_1\): On input of \(\left( ID|_t,K^\prime ,ID^\prime _{t^\prime },K,g,w\right)\) to this oracle, \(\mathcal {B}\) checks the output of DDH oracle on \(\left( xP, yP, g\right)\). If the DDH oracle outputs 1, it returns g as the solution of the GDH problem and concludes its execution. Otherwise, it searches \(L_1\) for the entry \(\left( ID|_t,K^\prime ,ID^\prime |_{t^\prime },K,g,w,h_1\right)\). If no such a tuple exists, \(\mathcal {B}\) selects \(h_1 \in Z^*_q\) randomly and adds \(\left( ID|_t,K^\prime ,ID^\prime |_{t^\prime },K,g,w,h_1\right)\) to \(L_1\). In both cases, \(\mathcal {B}\) outputs \(h_1\).

  • Queries to \(h_2\): On input of \(\left( T,C_1\right)\) to this oracle, \(\mathcal {B}\) searches \(L_2\) for the entry \(\left( T,C_1, h_2\right)\). If no such a tuple exists, it selects \(h_2 \in Z^*_q\) randomly and adds \(\left( T,C_1, h_2\right)\) to \(L_2\). It returns \(h_2\) in both cases.

  • Queries to \(h_3\): On input of \(\left( s_{ID|_{t-1}},ID|_t\right)\) to this oracle, \(\mathcal {B}\) searches \(L_3\) for the entry \(\left( s_{ID|_{t-1}},ID|_t,h_3\right)\). If no such an entry is found, it chooses \(h_3 \in Z^*_q\) randomly and adds \(\left( s_{ID|_{t-1}},ID|_t,h_3\right)\) to \(L_3\). In both cases, it returns \(h_3\).

  • Queries to ExtSK: On input of \(\left( ID|_t\right)\) to this oracle, \(\mathcal {B}\) searches \(L_{key}\) to find the tuple \((n_1, n_2, \cdots , n_i, 0, \cdots , 0, ID^\prime |_i =(ID^\prime _1, \cdots , ID^\prime _i), R_{ID^\prime |_i}\), \(s_{ID^\prime |_i})\) with maximum value of i such that for each \(j=1,\cdots , i\): \(ID_j=ID^\prime _j\).

    • If \(i=t\), \(\mathcal {B}\) returns \(s_{ID|_t}\).

    • If no such an i is found, \(\mathcal {B}\)

      1. 1.

         sets \(i=1\).

      2. 2.

         searches \(L_{key}\) to find the entry \(\left( n_1, 0, \cdots , 0, ID^\prime |_1, R_{ID^\prime _1}, s_{ID^\prime |_1}\right)\) by maximum value of \(n_1\).

         1. ·

            If \(n_1=l_1-1\), it selects \(h \in Z^*_q\) at random and computes \(R_{ID|_1}=xP - h xP\). Then, it adds the tuples \(\left( l_1, 0, \cdots , 0, ID|_1,R_{ID|_1},\bot \right)\), \(\left( ID|_1, R_{ID|_1},h\right)\) and \(\left( \bot ,ID|_1,\bot \right)\) to \(L_{key}\), L and \(L_3\), respectively.

         2. ·

            If \(n_1=l^\prime _1-1\), it selects \(h \in Z^*_q\) at random and computes \(R_{ID|_1}=yP - hxP\). Then, it adds the tuples \(\left( l^\prime _1, 0, \cdots , 0,ID|_1,R_{ID|_1},\bot \right)\), \(\left( ID|_1,R_{ID|_1},h\right)\) and \(\left( \bot ,ID|_1,\bot \right)\) to \(L_{key}\), L and \(L_3\), respectively.

         3. ·

            Otherwise, it chooses \(h, s_{ID|_1} \in Z^*_q\) randomly and computes \(R_{ID|_1}=s_{ID|_1}P - hxP\). Then, it adds the tuples \(\left( n_1+1, 0, \cdots , 0, ID|_1,R_{ID|_1},s_{ID|_1}\right)\), \(\left( ID|_1,R_{ID|_1},h\right)\) and \(\left( \bot ,ID|_1,\bot \right)\) to \(L_{key}\), L and \(L_3\), respectively.

    • If \(i<t\), for \(j=i+1,\cdots ,t\), searches \(L_{key}\) to find the entry \((n_1, \cdots , n_j, 0, \cdots , 0, ID^\prime |_j=(ID_1\), \(\cdots , ID_{j-1}, ID^\prime _j), R_{ID^\prime |_j}, s_{ID^\prime |_j})\) with the maximum value of \(n_j\). If no such a tuple exists, searches L to find the entry \((n_1, \cdots\), \(n_{j-1}, 0, \cdots , 0, ID|_{j-1}= (ID_1, \cdots\), \(ID_{j-1}), R_{ID|_{j-1}}, h(R_{ID|_{j-1}},ID|_{j-1}))\). In both cases,

      1. ·

         If \(n_1=l_1, n_2=l_2, \cdots , n_j=l_j-1\), it chooses \(h \in Z^*_q\) randomly and computes \(R_{ID|_j}=xP - hxP\). Then, it adds \(\left( n_1, \cdots , n_j+1, \cdots , 0,ID|_j,R_{ID|_j},\bot \right)\), \(\left( ID|_j,R_{ID|_j},h\right)\) and \(\left( \bot ,ID|_j,\bot \right)\) to \(L_{key}\), L and \(L_3\), respectively.

      2. ·

         If \(n_1=l_1, n_2=l_2, \cdots , n_{j-1}=l_{j-1}, n_j\ne l_j-1\), it chooses \(h, s_{ID|_j} \in Z^*_q\) randomly and computes \(R_{ID|_j}=s_{ID|_j} P - hxP\). Then, it adds the tuples \(\left( n_1, \cdots , n_j+1, \cdots , 0, ID|_j,R_{ID|_j},s_{ID|_j}\right)\), \(\left( ID|_j,R_{ID|_j},h\right)\) and \(\left( \bot ,ID|_j,\bot \right)\) to \(L_{key}\), L and \(L_3\), respectively.

      3. ·

         If \(n_1=l^\prime _1, n_2=l^\prime _2, \cdots , n_j=l^\prime _j-1\), it chooses \(h \in Z^*_q\) randomly and computes \(R_{ID|_j}=yP - hyP\). Then, it adds the tuples \((n_1, \cdots\), \(n_j+1, \cdots , 0, ID|_j, R_{ID|_j}, \bot )\), \(\left( ID|_j, R_{ID|_j}, h\right)\) and \(\left( \bot , ID|_j, \bot \right)\) to \(L_{key}\), L and \(L_3\), respectively.

      4. ·

         If \(n_1=l^\prime _1, n_2=l^\prime _2, \cdots , n_{j-1}=l^\prime _{j-1}, n_j\ne l^\prime _j-1\), it chooses \(h, s_{ID|_j} \in Z^*_q\) randomly and computes \(R_{ID|_j}=s_{ID|_j} P - h yP\). Then, it adds \((n_1\), \(\cdots , n_j+1, \cdots , 0, ID|_j,R_{ID|_j},s_{ID|_j})\), \(\left( ID|_j,R_{ID|_j},h\right)\) and \(\left( \bot ,ID|_j,\bot \right)\) to \(L_{key}\), L and \(L_3\), respectively.

      5. ·

         If at least one of the inequalities \(n_1 \ne l_1, n_2\ne l_2, \cdots , n_{i-1}\ne l_{i-1}\) and at least one of the inequalities \(n_1 \ne l^\prime _1, n_2\ne l^\prime _2, \cdots , n_{i-1}\ne l^\prime _{i-1}\) hold, \(\mathcal {B}\) obtains \(\left( s_{ID|_{j-1}},ID|_j,h_3\left( ID|_j\right) \right)\) by calling \(\mathcal {Q}_{h_3}(s_{ID|_{j-1}}\), \(ID|_j)\). It also computes \(R_{ID|_j}=h_3P\) and obtains \(\left( ID|_j,R_{ID|_j},h\right)\) by calling \(\mathcal {Q}_h\left( ID|_j,R_{ID|_j}\right)\). Then, it sets \(s_{ID|_j}= h_3 + s_{ID|_{j-1}} h\) and adds \((n_1, \cdots , n_j+1\), \(\cdots , 0, ID|_j,R_{ID|_j},s_{ID|_j})\) to \(L_{key}\).

    • If \(s_{ID|_t} \ne \bot\), returns \(s_{ID|_t}\); otherwise, it aborts.

  • Queries to HIBAEKS: On input of \(\left( ID|_t, ID^\prime |_{t^\prime },w\right)\) to this oracle, \(\mathcal {B}\)

    • obtains \((n_1, 0, \cdots , 0, ID|_1, R_{ID|_1}, s_{ID|_1})\), \((n_1, n_2\), \(0, \cdots , 0, ID|_2, R_{ID|_2},s_{ID|_2}), \cdots ,(n_1,\) \(\cdots , n_t, 0, \cdots\), \(0, ID|_t, R_{ID|_t}, s_{ID|_t})\), \((n^\prime _1, 0, \cdots , 0, ID^\prime |_1, R_{ID^\prime |_1}\), \(s_{ID^\prime |_1})\), \((n^\prime _1, n^\prime _2, 0, \cdots , 0, ID^\prime |_2, R_{ID^\prime |_2}, s_{ID^\prime |_2}), \cdots\), \((n^\prime _1, \cdots\), \(n^\prime _{t^\prime }\), 0, \(\cdots\), 0, \(ID^\prime |_{t^\prime }\), \(R_{ID^\prime |_{t^\prime }}\), \(s_{ID^\prime |_{t^\prime }})\), \((ID|_1\), \(R_{ID|_1}\), \(h(R_{ID|_1}\), \(ID|_1))\), \((ID|_2, R_{ID|_2}, h(R_{ID|_2}\), \(ID|_2))\), \(\cdots\), \((ID|_t, R_{ID|_t}, h(R_{ID|_t}, ID|_t))\), \((ID^\prime |_1\), \(R_{ID^\prime |_1}\), \(h(R_{ID^\prime |_1}\), \(ID^\prime |_1))\), \((ID^\prime |_2\), \(R_{ID^\prime |_2}\), \(h(R_{ID^\prime |_2}\), \(ID^\prime |_2))\), \(\cdots\), \((ID^\prime |_{t^\prime }\), \(R_{ID^\prime |_{t^\prime }}\), \(h(R_{ID^\prime |_{t^\prime }}\), \(ID^\prime |_{t^\prime }))\) by calling \(\mathcal {Q}_{ExtSSK}(ID|_1)\), \(\mathcal {Q}_{ExtSSK}(ID|_2)\), \(\cdots\), \(\mathcal {Q}_{ExtSSK}(ID|_t)\), \(\mathcal {Q}_{ExtSSK}\left( ID^\prime |_1\right)\), \(\mathcal {Q}_{ExtSSK}\) \((ID^\prime |_2)\), \(\cdots\), \(\mathcal {Q}_{ExtSSK}\) \((ID^\prime |_{t^\prime })\), \(\mathcal {Q}_h\left( R_{ID|_1},ID|_1\right)\), \(\mathcal {Q}_h\left( R_{ID|_2},ID|_2\right)\), \(\cdots\), \(\mathcal {Q}_h(R_{ID|_t}, ID|_t)\), \(\mathcal {Q}_h(R_{ID^\prime |_1}\), \(ID^\prime |_1)\), \(\mathcal {Q}_h\left( R_{ID^\prime |_2},ID^\prime |_2\right)\), \(\cdots\), \(\mathcal {Q}_h\left( R_{ID^\prime |_t},ID^\prime |_{t^\prime }\right)\), respectively.

    • chooses \(r\in Z^*_q\) randomly and sets \(C_1 = r P\).

      1. ·

         If \(s_{ID|_t} \ne \bot\), \(\mathcal {B}\)

         1. 1.

            computes \(K = \sum _{i=1}^{t^{\prime }} (\prod _{j=i+1}^{t^{\prime }} h(R_{ID^{\prime }|_j}, ID^{\prime }|_j)\) \(R_{ID^{\prime }|_i}) + \prod _{i=1}^{t^{\prime }} \left( h\left( R_{ID^{\prime }|_i},ID^{\prime }|_i\right) P_{pub}\right)\).

         2. 2.

            obtains \((ID|_t,s_{ID|_t} P,ID^\prime |_{t^\prime },K,s_{ID|_t} K,w,h_1)\) and \((h_1,C_1,h_2)\) by calling \(\mathcal {Q}_{h_1}(ID|_t,s_{ID|_t} P\), \(ID^\prime |_{t^\prime },K,s_{ID|_t} K,w)\) and \(\mathcal {Q}_{h_2}\left( h_1,C_1\right)\), respectively, and sets \(C_2=r h_2\).

      2. ·

         If \(s_{ID|_t} = \bot\) and \(s_{ID^\prime |_{t^\prime }} \ne \bot\), \(\mathcal {B}\)

         1. 1.

            computes \(K^\prime = \sum _{i=1}^t (\prod _{j=i+1}^t h(R_{ID|_j},ID|_j)\) \(R_{ID|_i}) + \prod _{i=1}^t (h(R_{ID|_i}, ID|_i) P_{pub})\).

         2. 2.

            obtains \((ID|_t, K^\prime , ID^\prime |_t, s_{ID^\prime |_t}P, s_{ID^\prime |_t}K^\prime , w\), \(h_1)\) and \(\left( h_1,C_1,h_2\right)\) by calling \(\mathcal {Q}_{h_1}(ID_t,K^\prime ,ID^\prime |_{t^\prime }\), \(s_{ID^\prime |_t}P, s_{ID^\prime |_{t^\prime }}K^\prime ,w)\) and \(\mathcal {Q}_{h_2}\left( h_1,C_1\right)\) respectively, and sets \(C_2=r h_2\).

      3. ·

         If \(s_{ID|_t} = \bot\) and \(s_{ID^\prime |_{t^\prime }} = \bot\), \(\mathcal {B}\)

         1. 1.

            computes \(K^\prime = \sum _{i=1}^t (\prod _{j=i+1}^t h\left( R_{ID|_j},ID|_j\right)\) \(R_{ID|_i}) + \prod _{i=1}^t \left( h\left( R_{ID|_i}, ID|_i\right) P_{pub}\right)\) and \(K = \sum _{i=1}^{t^{\prime }} \left( \prod _{j=i+1}^{t^{\prime }} h \left( R_{ID^{\prime }|_j},ID^{\prime }|_j\right) R_{ID^{\prime }|_i}\right) + \prod _{i=1}^{t^{\prime }} \left( h\left( R_{ID^{\prime }|_i},ID^{\prime }|_i\right) P_{pub}\right)\).

         2. 2.

            goes through \(L_1\) for \(\left( ID|_t,K^\prime ,ID^\prime |_{t^\prime },K,*,w, h_1\right)\). If no such a tuple is found, it chooses \(h_1\in Z^*_q\) randomly and adds \(\left( ID|_t,K^\prime ,ID^\prime |_{t^\prime },K,\bot ,w,h_1\right)\) to \(L_1\). Finally, it obtains \(\left( h_1,C_1,h_2\right)\) by calling \(h_2\left( h_1,C_1\right)\), and sets \(C_2=r h_2\).

    • Returns \(C=\left( C_{1},C_{2}\right)\).

  • Queries to Trapdoor: On input of \((ID|_t,ID^\prime |_{t^\prime }, w)\) to this oracle, \(\mathcal {B}\) obtains \((n_1, 0, \cdots , 0, ID|_1, R_{ID|_1}, s_{ID|_1})\), \((n_1, n_2, 0, \cdots , 0\), \(ID|_2, R_{ID|_2},s_{ID|_2})\), \(\cdots\), \((n_1, \cdots , n_t, 0, \cdots , 0, ID|_t\), \(R_{ID|_t}, s_{ID|_t})\), \((n^\prime _1, 0, \cdots , 0, ID^\prime |_1, R_{ID^\prime |_1}, s_{ID^\prime |_1})\), \((n^\prime _1, n^\prime _2, 0, \cdots , 0, ID^\prime |_2, R_{ID^\prime |_2}, s_{ID^\prime |_2})\), \(\cdots\), \((n^\prime _1, \cdots\), \(n^\prime _{t^\prime }, 0, \cdots , 0, ID^\prime |_{t^\prime }, R_{ID^\prime |_{t^\prime }}, s_{ID^\prime |_{t^\prime }})\), \((ID|_1, R_{ID|_1}\), \(h(R_{ID|_1}, ID|_1))\), \((ID|_2\), \(R_{ID|_2}\), \(h(R_{ID|_2}\), \(ID|_2))\), \(\cdots\), \((ID|_t\), \(R_{ID|_t}, h(R_{ID|_t}\), \(ID|_t))\), \(( ID^\prime |_1\), \(R_{ID^\prime |_1}\), \(h(R_{ID^\prime |_1}, ID^\prime |_1))\), \((ID^\prime |_2, R_{ID^\prime |_2}, h(R_{ID^\prime |_2}, ID^\prime |_2))\), \(\cdots\), \((ID^\prime |_{t^\prime }, R_{ID^\prime |_{t^\prime }}, h(R_{ID^\prime |_{t^\prime }}, ID^\prime |_{t^\prime }))\) by calling \(\mathcal {Q}_{ExtSSK}(ID|_1)\), \(\mathcal {Q}_{ExtSSK}(ID|_2)\), \(\cdots\), \(\mathcal {Q}_{ExtSSK}\) \((ID|_t)\), \(\mathcal {Q}_{ExtSSK}(ID^\prime |_1)\), \(\mathcal {Q}_{ExtSSK}(ID^\prime |_2)\), \(\cdots\), \(\mathcal {Q}_{ExtSSK}(ID^\prime |_{t^\prime })\), \(\mathcal {Q}_h(R_{ID|_1},ID|_1)\), \(\cdots\), \(\mathcal {Q}_h(R_{ID|_t}\), \(ID|_t)\), \(\mathcal {Q}_h(R_{ID^\prime |_1}, ID^\prime |_1)\), \(\cdots\), \(\mathcal {Q}_h(R_{ID^\prime |_t},ID^\prime |_{t^\prime })\), respectively.

    • If \(s_{ID|_t} \ne \bot\), \(\mathcal {B}\)

      1. 1.

         computes \(K=\sum _{i=1}^{t^{\prime }} (\prod _{j=i+1}^{t^{\prime }} h(R_{ID^\prime |_j},ID^\prime |_j)\) \(R_{ID^\prime |_i})+\prod _{i=1}^{t^{\prime }} (h(R_{ID^\prime |_i}, ID^\prime |_i)P_{pub})\).

      2. 2.

         obtains \(\left( ID|_t,s_{ID|_t}P,ID^\prime |_{t^\prime },K,s_{ID|_t}K,w,h_1\right)\) by calling \(\mathcal {Q}_{h_1}\left( ID|_t,s_{ID|_t}P,ID^\prime |_{t^\prime },K,s_{ID|_t}K,w\right)\).

      3. 3.

         sets \(T= h_1\).

    • If \(s_{ID|_t} = \bot\) and \(s_{ID^\prime |_{t^\prime }} \ne \bot\), \(\mathcal {B}\)

      1. 1.

         computes \(K^\prime =\sum _{i=1}^t(\prod _{j=i+1}^th(R_{ID|_j},ID|_j)\) \(R_{ID|_i})+ \prod _{i=1}^t (h(R_{ID|_i},ID|_i)P_{pub})\).

      2. 2.

         obtains \((ID|_t, K^\prime , ID^\prime |_{t^\prime }, s_{ID^\prime |_{t^\prime }}P, s_{ID^\prime |_{t^\prime }}K^\prime ,w\), \(h_1)\) by calling \(\mathcal {Q}_{h_1}(ID|_t,K^\prime ,ID^\prime |_{t^\prime }, s_{ID^\prime |_{t^\prime }}P\), \(s_{ID^\prime |_{t^\prime }}K^\prime\) ,w) and sets \(T= h_1\).

    • If \(s_{ID|_t} = s_{ID^\prime |_{t^\prime }} = \bot\), it

      1. 1.

         computes \(K^\prime =\sum _{i=1}^t(\prod _{j=i+1}^t h(R_{ID|_j},ID|_j)\) \(R_{ID|_i})+ \prod _{i=1}^t(h(R_{ID|_i},ID|_i)P_{pub})\) and \(K=\sum _{i=1}^{t^{\prime }} \left( \prod _{j=i+1}^{t^{\prime }} h\left( R_{ID^\prime |_j},ID^\prime |_j\right) R_{ID^\prime |_i}\right) +\prod _{i=1}^{t^{\prime }} \left( h\left( R_{ID^\prime |_i}, ID^\prime |_i\right) P_{pub}\right)\).

      2. 2.

         goes through \(L_1\) for a tuple \(\left( ID|_t, K^\prime , ID^\prime |_{t^\prime }, K, *, w,h_1\right)\). If no such a tuple exists, it selects \(h_1\in Z^*_q\) randomly and inserts \(\left( ID|_t,K^\prime ,ID^\prime |_{t^\prime },K,\bot ,w,h_1\right)\) to \(L_1\).

      3. 3.

         sets \(T= h_1\).

    • returns T.

• \(\mathbf {Challenge.}\) Eventually \(\mathcal {A}\) outputs a data owner’s ID-tuple \(ID^{S^*}|_t=\left( ID^{S^*}_1,ID^{S^*}_2, \cdots ,ID^{S^*}_t\right)\), a data receiver’s ID-tuple \(ID^{R^*}|_{t^\prime }=\left( ID^{R^*}_1,ID^{R^*}_2, \cdots , ID^{R^*}_{t^\prime }\right)\) and two challenge keywords \(w_0\) and \(w_1\left( \ne w_0\right)\). \(\mathcal {B}\) selects a random bit \(b \in \{0,1\}\) and obtains \((n^{S^*}_1\), \(\cdots , n^{S^*}_t, 0, \cdots , 0, ID^{S^*}|_t, R_{ID^{S^*}|_t}, s_{ID^{S^*}|_t})\), \((n^{R^*}_1, \cdots\), \(n^{R^*}_{t^\prime }, 0, \cdots , 0, ID^{R^*}|_{t^\prime }, R_{ID^{R^*}|_{t^\prime }}, s_{ID^{R^*}|_{t^\prime }})\), \((ID^{S^*}|_t\), \(R_{ID^{S^*}|_t}, h(R_{ID^{S^*}|_t}, ID^{S^*}|_t))\) and \((ID^{R^*}|_{t^\prime }, R_{ID^{R^*}|_{t^\prime }}\), \(h(R_{ID^{R^*}|_{t^\prime }},ID^{R^*}|_{t^\prime }))\) by calling \(\mathcal {Q}_{ExtSSK}(ID^{S^*}|_t)\), \(\mathcal {Q}_{ExtSSK}\left( ID^{R^*}|_{t^\prime }\right)\), \(\mathcal {Q}_h\left( R_{ID^{S^*}|_t},ID^{S^*}|_t\right)\) and \(\mathcal {Q}_h\) \(\left( R_{ID^{R^*}|_{t^\prime }},ID^{R^*}|_{t^\prime }\right)\), respectively. If \(n^{S^*}_1 = l_1, n^{S^*}_2= l_2, \cdots , n^{S^*}_{t}= l_{t}\) and \(n^{R^*}_1 = l^\prime _1, n^{R^*}_2= l^\prime _2, \cdots , n^{R^*}_{t^\prime }= l^\prime _{t^\prime }\) hold, \(\mathcal {B}\) chooses \(r \in Z_q\) randomly and aborts otherwise. It sets \(C_1=r P\) and computes \(K^\prime =\sum _{i=1}^t \left( \prod _{j=i+1}^t h\left( R_{ID^{S^*}|_j},ID^{S^*}|_j\right) R_{ID^{S^*}|_i}\right) + \prod _{i=1}^t \left( h\left( R_{ID^{S^*}|_i},ID^{S^*}|_i\right) P_{pub}\right)\) and \(K=\sum _{i=1}^{t^\prime }\) \(\left( \prod _{j=i+1}^{t^\prime } h\left( R_{ID^{R^*}|_j},ID^{R^*}|_j\right) R_{ID^{R^*}|_i} \right) + \prod _{i=1}^{t^\prime }\) \((h(R_{ID^{R^*}|_i},ID^{R^*}|_i) P_{pub})\). Then, it goes through \(L_1\) for a tuple \(\left( ID^{S^*}|_t,K^\prime ,ID^{R^*}|_{t^\prime },K,*,w,h_1\right)\). If no such a tuple exists, \(\mathcal {B}\) selects \(h_1\in Z^*_q\) at random and inserts \(\left( ID^{S^*}|_t,K^\prime ,ID^{R^*}|_t,K,\bot ,w,h_1\right)\) to \(L_1\). Then, it obtains \(\left( h_1,C_1,h_2\right)\) by calling \(h_2\left( h_1,C_1\right)\), and sets \(C_2=r h_2\). Finally, it sends \(\left( C_1,C_2\right)\) as the challenge searchable ciphertext to \(\mathcal {A}\).

• \(\mathbf {Phase~2.}\ \mathcal {A}\) can make queries as in Phase 1.

• \(\mathbf {Guess.}\ \mathcal {A}\) returns its guess \(b^\prime \in \{0,1\}\).

Since L contains at most \(q_h\) elements and \(l_i \le q\) and \(l^\prime _i \le q\) (for \(1 \le i \le l\)) are independent of the adversary’s view, \(\mathcal {B}\) correctly guesses a challenge owner’s ID-tuple \(ID^{S^*}|_t\) and a challenge data receiver’s ID-tuple \(ID^{R^*}|_{t^\prime }\), with probability \(\dfrac{l^2}{q_h \left( q_h-l\right) }\) (Note that \(l < q_h\)). Due to that \(h_1\) is viewed as a random oracle, it can be deduced that the advantage of \(\mathcal {A}\) in guessing b would be negligible except if \(\left( ID^{S^*}|_t,K^\prime ,ID^{R^*}|_{t^\prime },K,xyP,w_b,h_1\right)\) appears on \(L_1\). If this tuple appears on \(L_1\), the GDH problem can definitely be solved by \(\mathcal {B}\). Moreover, \(\mathcal {B}\) has asked at most \(q_{h_1}\) queries to \(O_{DDH}\). Consequently, we can conclude that \(Adv_\Gamma ^{GDH}\left( \mathcal {B},q_{h_1}\right) \ge \frac{l^2 \epsilon }{q_h \left( q_h-l\right) }\) is non-negligible.

Theorem 3

\(\Pi\) satisfies trapdoor-indistinguishability under the hardness assumption of GDH problem.

Proof

Assume the existence of an adversary \(\mathcal {A}\) against \(\Pi\), capable of winning game II by a non-negligible advantage \(\epsilon\) (i.e., \(Adv^{indT}_{\mathcal {A},\Pi }=\epsilon\)). We show how a PPT algorithm \(\mathcal {B}\) can use \(\mathcal {A}\) to solve GDH problem with an advantage \(Adv_\Gamma ^{GDH}\left( \mathcal {B},q_{h_1}\right) \ge \dfrac{l^2\epsilon }{q_h \left( q_h-l\right) }\) where \(\mathcal {A}\) can makes \(q_h\) queries to the oracle h on different ID-tuples and l is the maximum hierarchical level. As a result, we can conclude that \(\epsilon\) should be negligible.

Given a GDH problem instance \(\left( P, xP, yP\right)\), \(\mathcal {B}\) operates as follows.

• \(\mathbf {Initialization.}\ \mathcal {B}\) executes Setup(\(\lambda\)) as specified in the proposed scheme with the exception of setting \(P_{pub} = xP\). For \(i \in [1, 2, \dots , l]\), \(\mathcal {B}\) randomly selects indices \(l_{i}, l^\prime _{i} \le q\) \((l_{i} \ne l^\prime _{i})\) corresponding to the challenge ID-tuple of data owner and data receiver, respectively. Then, \(\mathcal {B}\) sends prms to \(\mathcal {A}\).

• \(\mathbf {Phase~1.}\) In this phase, the type of queries that \(\mathcal {A}\) is able to perform and the way \(\mathcal {C}\) treats them are the same as those in Game I.

• \(\mathbf {Challenge.}\ \mathcal {A}\) outputs a data owner’s ID-tuple \(ID^{S^*}|_t=(ID^{S^*}_1,\cdots ,ID^{S^*}_t)\), a data receiver’s ID-tuple \(ID^{R^*}|_{t^\prime }=(ID^{R^*}_1,\cdots , ID^{R^*}_{t^\prime })\) and two challenge keywords \(w_0\) and \(w_1(\ne w_0)\). Then, it selects a random bit \(b \in \{0,1\}\) and obtains \((n^{S^*}_1\), \(\cdots , n^{S^*}_t, 0, \cdots , 0, ID^{S^*}|_t, R_{ID^{S^*}|_t}, s_{ID^{S^*}|_t})\), \((n^{R^*}_1, \cdots\), \(n^{R^*}_{t^\prime }, 0, \cdots , 0, ID^{R^*}|_{t^\prime }, R_{ID^{R^*}|_{t^\prime }}, s_{ID^{R^*}|_{t^\prime }})\), \((ID^{S^*}|_t\), \(R_{ID^{S^*}|_t}, h(R_{ID^{S^*}|_t}, ID^{S^*}|_t))\) and \((ID^{R^*}|_{t^\prime }, R_{ID^{R^*}|_{t^\prime }}\), \(h(R_{ID^{R^*}|_{t^\prime }}, ID^{R^*}|_{t^\prime }))\) by calling \(\mathcal {Q}_{ExtSSK}(ID^{S^*}|_t)\), \(\mathcal {Q}_{ExtSSK}\) \((ID^{R^*}|_{t^\prime })\), \(\mathcal {Q}_h(R_{ID^{S^*}|_t},ID^{S^*}|_t)\) and \(\mathcal {Q}_h\) \((R_{ID^{R^*}|_{t^\prime }},ID^{R^*}|_{t^\prime })\), respectively. If \(n^{S^*}_1 = l_1\), \(n^{S^*}_2= l_2\), \(\cdots\), \(n^{S^*}_{t}= l_{t}\), \(n^{R^*}_1 = l^\prime _1\), \(n^{R^*}_2= l^\prime _2\), \(\cdots\), \(n^{R^*}_{t^\prime }= l^\prime _{t^\prime }\) holds, \(\mathcal {B}\) computes \(K=\sum _{i=1}^{t^\prime } (\prod _{j=i+1}^{t^\prime } h\) \((R_{ID^{R^*}|_j},ID^{R^*}|_j) R_{ID^{R^*}|_i} )+ \prod _{i=1}^{t^\prime }(h(R_{ID^{R^*}|_i}, ID^{R^*}|_i\) \()P_{pub})\) and \(K^\prime =\sum _{i=1}^t (\prod _{j=i+1}^t h(R_{ID^{S^*}|_j},ID^{S^*}|_j)\) \(R_{ID^{S^*}|_i})+ \prod _{i=1}^t (h(R_{ID^{S^*}|_i},ID^{S^*}|_i) P_{pub})\), and aborts otherwise. It goes through \(L_1\) for \((ID^{S^*}|_{t},K^\prime\), \(ID^{R^*}|_t,K,*,w,h_1)\). If no such a tuple exists, it selects \(h_1\in Z^*_q\) randomly and inserts \((ID^{S^*}|_t\), \(K^\prime ,ID^{R^*}|_{t^\prime },K,\bot ,w,h_1)\) to \(L_1\). Finally, it sets \(T= h_1\) and sends T as the challenge trapdoor to \(\mathcal {A}\).

• \(\mathbf {Phase~2.}\ \mathcal {A}\) can make queries as in Phase 1.

• \(\mathbf {Guess.}\ \mathcal {A}\) returns its guess \(b^\prime \in \{0,1\}\).

The same as what we have in the proof of Theorem 2, here too \(\mathcal {B}\) can correctly guesses a challenge owner ID-tuple and a challenge data receiver’s ID-tuple with probability \(\dfrac{l^2}{q_h \left( q_h-l\right) }\). Due to that \(h_1\) is viewed as a random oracle, it can be deduced that the advantage of \(\mathcal {A}\) in guessing b would be negligible except if \(\left( ID^{S^*}|_t,K^{\prime },ID^{R^*}|_{t^\prime },K,xyP,w_b,h_1\right)\) appears on \(L_1\). If this tuple appears on \(L_1\), the GDH problem can definitely be solved by \(\mathcal {B}\). Moreover, \(\mathcal {B}\) has asked at most \(q_{h_1}\) queries to \(O_{DDH}\). Therefore, we can conclude that \(Adv_\Gamma ^{GDH}\left( \mathcal {B},q_{h_1}\right) \ge \frac{l^2 \epsilon }{q_h \left( q_h-l\right) }\) is non-negligible. \(\square\)

Theorem 4

The HIBAEKS scheme proposed in The proposed HIBAEKS scheme section provides security against KGA launched by both outside and inside adversaries.

Proof

Theorem 3 proves that the HIBAEKS scheme proposed in The proposed HIBAEKS scheme section ensures trapdoor-indistinguishability against both outside and inside adversaries. Moreover, Theorem 5 of [5] indicates that trapdoor-indistinguishability is a sufficient condition for thwarting keyword-guessing attacks. Therefore, combining these results, we can conclude that our proposed scheme provides security against KGAs launched by both outside/inside adversaries. This concludes the proof. \(\square\)

We compare the proposed HIBAEKS scheme with the related PEKS constructions (i.e., the schemes of [20, 21, 23, 33,34,35, 37]). Table 1 considers a comparison regarding the security and functionality. As it can be seen from the results, our proposed scheme along with the schemes of [33,34,35, 37] are the only existing PEKS schemes that support hierarchical access permission. Among them, the schemes of [34] and [35] are in PKI setting and consequently, they suffer from the complex certificate management problem. Moreover, the same as all other existing dPEKS schemes, these schemes are insecure against KGAs launched by inside adversaries. The schemes of [33, 37] don’t suffer from certificate management problems; however, while the scheme of [37] suffers from KGAs launched by inside attackers, the scheme of [33] suffers from KGAs performed by the outside and inside adversaries. Therefore, we can conclude that our proposed scheme is the only PEKS scheme that supports hierarchical access permission, doesn’t suffer from complex certificate management problem, and is secure against KGAs.

Table 2 considers a comparison regarding the computational costs. Note that to simplify comparisons, less time-consuming operations are ignored in the comparisons. To further simplify comparisons, we use the reported executing times of the operations in [39]: \(T_H=4.362\) millisecond (ms), \(T_{sm1}=1.631~ms\), \(T_{bp}=4.154~ms\), \(T_{sm}=0.509~ms\), where \(T_H\), \(T_{sm1}\), \(T_{sm}\), and \(T_{bp}\) denote the execution times for a Hash-to-point operation, a scalar multiplication operation over the bilinear group \(G_1\), a scalar multiplication operation over the elliptic curve group G, and a bilinear pairing operation, respectively. These results are obtained by use of a tablet computer with 4GB RAM and an Intel Corei5-4210U CPU@1.7 GHz running Ubuntu 16.04 while employing the open-source cryptography library MIRACL [40]. (For simplicity, we let the hierarchical level of the data receiver \(t = 3\), and the maximum hierarchical level \(l= 10\)) As it can be seen from Fig. 3 and Table 2, the execution times for key generation, trapdoor generation, ciphertext generation, and test algorithms of our HIBAEKS scheme are significantly lower compared to the corresponding algorithms of [20, 21, 23, 33,34,35, 37].

Computational cost comparison

Full size image

Figure 4 and Table 3 consider a comparison regarding the communication costs. To simplify comparisons, we utilize the bit length sizes reported in [39]:^{Footnote 3}\(h = 160\), \(|G| = 320\), \(|G_1|= 512\), and \(|G_2|= 1024\), where |G|, \(|G_i|\), and h denote the bit length size of each element of the elliptic curve group G, each element of the bilinear group \(G_i~(i=1,2)\), and the output of an ordinary hash function, respectively. The results shown in Table 2 and Fig. 4 demonstrate that the proposed scheme has much lower bit length size of the searchable ciphertext and the trapdoor than those in the related schemes [20, 21, 23, 33,34,35, 37].

Communication cost comparison

Full size image

One important scenario that should be considered when analysing the performance of PEKS schemes in hierarchical settings is where a data sender wants to send a searchable ciphertext to multiple data receivers. In such situations, it is conceivable that the data receivers are located in different branches in the hierarchical structure. Figures 5 and 6 compare the computational costs of ciphertext generation and the ciphertext size of our HIBAEKS scheme and the related ones along with increasing the number of the data receivers’ branches in the user’s hierarchy, respectively. The results indicate that our proposed scheme has higher performance in terms of the running time of ciphertext generation and the ciphertext size for each number of the branches of the data receivers.

Ciphertext generation time along with data receivers’ branches increasing

Full size image

Ciphertext size along with data receivers’ branches increasing

Full size image

To preserve security against KGA launched by both inside and outside adversaries in the hierarchical setting, in this paper, we introduce the notion of Hierarchical Identity-Based Authenticated Encryption with Keyword Search (HIBAEKS) and define its security model. Furthermore, we propose the first HIBAEKS scheme which does not require bilinear pairing operations and prove its security under the defined security model. Moreover, we provide comparisons to demonstrate the overall superiority of our proposed scheme. However, the existing hierarchical SE schemes and our HIBAEKS scheme fall short of providing payment fairness, i.e., they lack any mechanism to penalize a dishonest search server that provides untrustworthy results. Proposing a hierarchical SE scheme with payment fairness for both users and storage providers seems to be an interesting problem to be considered in future researches.

Not applicable.

1. The security analysis of the HIBEKS of [33] is provided in Appendix A.

2. The hash functions utilized in our paper can be generated from any cryptographically secure hash function. Let \(\mathcal {H}\) represent a cryptographically secure hash function (e.g., SHA) that takes variable length binary strings as input and outputs binary strings of length l bits, where \(2^l<q\). Under these assumptions, the hash functions employed in our scheme can be easily instantiated from \(\mathcal {H}\) by converting the various components of their inputs into binary strings, concatenating them together to form the inputs of \(\mathcal {H}\), and utilizing the output of \(\mathcal {H}\) as an integer modulo q as their respective outputs.

3. We also consider \(\gamma _1=128-bit\) [35] and \(|N|=1024-bit\) [36], where \(\gamma _1\) and N represent the bit length size of the output of the hash function \(H_4\) and an integer in [35], respectively.

The authors declare that no funds, grants, or other support were received during the preparation of this manuscript.

Authors and Affiliations

1. Department of Computer and Data Science, Shahid Beheshti University, G.C., Tehran, Iran

   Danial Shiraly & Ziba Eslami

2. Information Science Research Department, Iranian Research Institute for Information Science and Technology (IranDoc), Tehran, Iran

   Nasrollah Pakniat

Contributions

Danial Shiraly: Conceptualization, Methodology, Writing-Original draft preparation. Ziba Eslami: Supervision, Writing-Reviewing and Editing. Nasrollah Pakniat: Conceptualization, Verification, Writing-Reviewing and Editing.

Corresponding author

Correspondence to Ziba Eslami.

Ethics approval and consent to participate

This article does not contain any studies with human participants or animals performed by any of the authors.

Competing interests

The authors declare no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendix A: Security analysis of the HIBEKS of [33]

We anlyze the security of the HIBEKS of [33]. Using the notations of [33], upon receiving a trapdoor \((T_{j_1}, \cdots , T_{j_{l-j+1}},S_j)\), an outside attacker \(\mathcal {A}\) guesses a keyword w and computes \(X^\prime = \hat{g}\), \(Y^\prime = (\hat{g}^\prime _3\hat{h}^{I_1}_1 \cdots \hat{h}^{I_i}_i {\hat{h}}^w)\), \(Z^\prime = e(g_2, g^\prime _1)\), where \(ID_R = [I_1, I_2, \cdots , I_i]\) is the identity of the data receiver. It then verifies the following equation: \(Z^\prime {\mathop {=}\limits ^{?}} \frac{e(T_{j_1} T^{I_{j+1}}_{j_1} \cdots T^{I_i}_{j_{i-j+1}}, X^\prime )}{e(S_j, Y^\prime )}\). If it holds, then the trapdoor is associated with the keyword w; otherwise, \(\mathcal {A}\) guesses another possible keyword. Therefore, this scheme do not provide security against offline KGAs launched by outside attackers.

Appendix B: Security analysis of the dHPEKS of [35]

We anlyze the security of the dHPEKS of [35]. Using the notations used in [35], let \(w_{0}\) and \(w_{1}\) denote the challenge keywords, and \(T_{b} = \{T^{1}_{b}=[t_{w_{b}}]_{pk_{u_{R}}}, T^{2}_{b}= \{U_{R},l_{R}\}\}\) denote the challenge trapdoor generated by the challanger for keyword \(w_{b}\) (where the bit \(b\in \{0,1\}\) is randomly chosen by the challanger). Upon receiving the challenge trapdoor, the cloud server \(\mathcal{C}\mathcal{S}\) chooses \(K \in \{0, 1\}^{\gamma _1}, r_1, r_2 \in Z^*_q\) and a message m randomly and computes \(C = \{T^{1}_{b}, l_{i}, TT, C_1, C_2, C_3, C_4, C_5, C_6, C_{r_{i}} \}\) and \([t_{w_{0}}]_{pk^{(1)}_{u_{i}}}, \{ g^{l_{i} H_{2}(pk^{(2)}_{u_{i}} )}_{2}, l_{i}\}\) for a user \(u_{i}\) which is not a ancestor of the challange data receiver. Then, \(\mathcal{C}\mathcal{S}\) and the challenger jointly compute \([M]_{pk^{(1)}_{u_{i}}}\), and \(\mathcal{C}\mathcal{S}\) checks if \(Dec_{sk^{(1)}_{u_{i}}} ([M]_{pk^{(1)}_{u_{i}}}) = 0\) holds. If it holds, then outputs \(b = 0\), and \(b = 1\), otherwise. Consequently, the dHPEKS scheme of [35] is completely insecure against offline KGAs launched by inside attackers.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions