Exposure Resilient Public-key Encryption with Keyword Search against
Keyword Guessing Attack
Kaito Uemura
a
and Satoshi Obana
b
Hosei University, Tokyo, Japan
Keywords:
Public-key Encryption with Keyword Search, Keyword Guessing Attack, Key Exposure Resiliency, Key
Update.
Abstract:
Public-key Encryption with Keyword Search (PEKS), proposed by Boneh et al. in 2004, is a cryptographic
primitive that enables keyword search over encrypted data. The crucial issue of PEKS is that many exist-
ing PEKS do not guarantee security against Keyword Guessing Attack (KGA). Moreover, if a key exposure
occurs, PEKS cannot ensure secrecy of the ciphertext entrusted to the server. In this paper, we propose two Ex-
posure Resilient Public-Key Encryption with Keyword Search against KGA. The proposed schemes guarantee
security against KGA by slightly modifying the search process of PEKS so that it cannot be executed without
the server’s secret key. Furthermore, the damage of key exposure is minimized by periodically updating the
key. The second scheme even tolerates corruption of a server, which is realized by dividing the power of a
single server into two separate servers.
1 INTRODUCTION
Since the seminal work by Boneh et al. in 2004
(Boneh et al., 2004), Public-key Encryption with Key-
word Search (PEKS) is one of the hottest topics in
the area of cryptography. In addition to the basic
encryption function, PEKS possesses a search func-
tion over encrypted data. In the search process in
PEKS, the client with the secret key issues an en-
crypted search query called a trapdoor to the server
for the encrypted data entrusted by the client with the
public key. The server verifies the encrypted data it
manages and the trapdoor with test algorithm, and if
the keywords match the search is successful. PEKS
can ensure the security of encrypted data as long as
the trapdoor is not available to the attacker. However,
it cannot ensure the security of trapdoors when the
adversary mounts Keyword Guessing Attack (KGA).
KGA is an attack methodology specific to PEKS. The
attack is effective since anyone can execute test algo-
rithm in the model of PEKS. In addition, PEKS does
not consider the exposure of the secret key held by the
client. If a key exposure occurs, the attacker will also
be able to break the ciphertext. Therefore, it is nec-
essary to minimize the damage even when the secret
a
https://orcid.org/0000-0001-5707-2265
b
https://orcid.org/0000-0003-4795-4779
key is exposed.
To resolve the above mentioned problems, we pro-
pose PEKS that is secure against KGA and also se-
cure even in when the secret key is exposed. In the
proposed scheme, the server, not the client, has the
secret key, and the server uses its own secret key
for the test algorithm. By such design of the proto-
col, only the server can execute the test algorithm,
which greatly contribute in preventing KGA. In ad-
dition, the proposed scheme possesses a periodic key
update function to prevent key exposure. This func-
tion enables the client to use a different public key for
a certain period of time so that even if the secret key
is exposed during a certain period, the damage can
be localized only within that period. The encrypted
data is also updated in the server without decryption
so that search cannot be disabled by key update. To
avoid losing the searching capability due to the key
update, the ciphertext is updated in the server without
decryption by using proxy re-encryption (Blaze et al.,
1998) (Ateniese et al., 2006). This proposed scheme
was named single-server scheme. We also propose a
scheme to ensure the security of the encrypted data
in the server even when the server is attacked and the
administrator’s authority is seized, or when the server
administrator attempts to illegally obtain information.
This proposed scheme is an extension of single-server
scheme. If we assume that the attacker is the server,
692
Uemura, K. and Obana, S.
Exposure Resilient Public-key Encryption with Keyword Search against Keyword Guessing Attack.
DOI: 10.5220/0010548006920697
In Proceedings of the 18th International Conference on Security and Cryptography (SECRYPT 2021), pages 692-697
ISBN: 978-989-758-524-1
Copyright
c
2021 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved
the encrypted data in the server cannot be protected
because the attacker can use the secret key. We em-
ploy the idea of Dual-Server PEKS proposed by Chen
et al. in 2015 to protect the data in malicious server
(Chen et al., 2015) (Chen et al., 2016). Namely, we
prepare two servers where one server (called front
server) is responsible for data management, and the
other (back server) is responsible for the key man-
agement. By this splitting knowledge strategy, it is
impossible for the server to break the encrypted data
even if the front server is illegally accessed since it
does not possess the secret key. This extended scheme
was named dual-server scheme. Dual-server scheme
also possesses a key update functionality to minimize
the damage caused by the exposure of the server key.
2 PRELIMINARIES
In this section, we describe the basic techniques used
in related work and proposed schemes.
2.1 Bilinear Map (Pairing)
The bilinear map is a two-input, one-output function.
Let G
1
, G
2
, G
T
be cyclic groups with prime order
q, and e be an efficiently computable bilinear map e :
G
1
×G
2
→ G
T
. In this paper, we assume a symmetric
pairing, where G
1
= G
2
= G.
2.2 Public-key Encryption with
Keyword Search (PEKS)
PEKS is a cryptographic protocol that makes it possi-
ble to make a search query over encrypted data. The
model consists of three entities : an encryption client,
a search client, a server, and consists of two phases
called an entrustment phase and a search phase. In the
entrustment phase, the encryption client encrypts the
keywords using the public key and entrusts them to
the server. In the search phase, the search client gen-
erates the trapdoor of a search keyword using its own
secret key and sends it to the server. The server exe-
cutes the test algorithm for all the ciphertexts it man-
ages and the trapdoor, and outputs the results. PEKS
scheme is defined by the following algorithms.
KeyGen(1
λ
): Takes as input the security parameters
1
λ
, outputs the public/secret key pair (pk,sk).
PEKS(pk,w): Takes as input the public key pk and
the keyword w, outputs the searchable ciphertext
C
w
for w.
Trapdoor(pk,sk , w
0
): Takes as input the public key
pk, the secret key sk, and the keyword w
0
, outputs
the trapdoor T
w
0
.
Test(pk,C
w
,T
w
0
): Takes as input the public key pk,
the ciphertext C
w
= PEKS(pk, w), and the trap-
door T
w
0
= Trapdoor(sk, w
0
), outputs 1 when w =
w
0
, otherwise outputs 0.
Several variants of PEKS have been proposed so far.
Chen et al. proposed Dual-Server Public-Key Encryp-
tion with Keyword Search (DS-PEKS) (Chen et al.,
2015) (Chen et al., 2016). The scheme is secure
against internal KGA. Matsuzaki et al. proposed
Key-Updatable Public-key Encryption with Keyword
Search (KU-PEKS)(Matsuzaki et al., 2017). In KU-
PEKS, in addition to the ciphertext entrustment and
search processes in PEKS, the secret/public keys are
periodically updated and the update key is generated.
PEKS guarantees indistinguishability against cho-
sen keyword attack (IND-CKA), a security against ac-
tive attackers who can obtain trapdoors for any key-
words. However, PEKS is not secure against KGA.
KGA is an attack methodology used to break trapdoor
keywords. In KGA, the attacker first guesses the key-
word of the target trapdoor, and then encrypts the key-
word with a public key. Next, the attacker executes
test algorithm taking as input the ciphertext of the
guessed keywords and the target trapdoor. This pro-
cess can be repeated until the keywords are matched,
and if they are matched, the attack is successful. KGA
is unavoidable in PEKS since anyone can execute test
algorithm for any ciphertext and trapdoor.
In PEKS, the secret key is held by the search
client. If the secret key is exposed, the attacker
can break the ciphertext through the communication
channel in the same way as KGA against a trapdoor.
When a key is exposed, the secret key and public
key in use at that time must be revoked and a new
key pair must be distributed. To make it possible to
search ciphertext with the updated key, we have to re-
encrypted all ciphertext.
3 SINGLE-SERVER SCHEME
Considering the above problems, we propose PEKS
against KGA with key exposure resiliency. In the
proposed scheme, we restrict the execution by in-
cluding the secret key as the input of the test algo-
rithm. With such modification, only the server can
execute the test algorithm while the client can gener-
ate ciphertext and trapdoor with the public key. Fur-
thermore, in the proposed scheme, key exposure re-
siliency is realized by periodic key update (Matsuzaki
et al., 2017). The update makes it impossible for
an attacker to break the ciphertext and trapdoor en-
crypted with the newly updated public key even if the
Exposure Resilient Public-key Encryption with Keyword Search against Keyword Guessing Attack
693
secret key is exposed. Thus, the damage of key ex-
posure is minimized within the exposure period. To
ensure that clients can still search for data after the
key update, the server also updates the ciphertext it
holds without decrypting them. Update without de-
cryption is realized by unidirectional and multi-hop
proxy re-encryption of (Wang and Cao, 2009). This
proposed scheme was named single-server scheme.
In the following subsections, we describe the algo-
rithm and structure of single-server scheme in detail.
3.1 Algorithm
A single-server scheme is defined by the following six
algorithms.
Setup(1
λ
): Takes as input the security parameter 1
λ
,
generates the system parameter P.
KeyGen(P): Takes as input the system parameters P,
outputs the public/secret key pair (pk, sk).
Enc(P, pk
i
,w): Takes as input P, the public key pk
i
of
version i, and the keyword w, outputs the cipher-
text C
i
for w. The index of the key indicates the
version number.
ReEnc(P,sk
i+1
,C
i
): Takes as input P, the new secret
key sk
i+1
, and the ciphertext C
i
encrypted with the
public key of version i, outputs the ciphertext C
i+1
encrypted with the public key of version i+1. The
server deletes the old key.
Trapdoor(P, pk
i
,w
0
): Takes as input P, the public key
pk
i
of version i, and the keyword w
0
, outputs the
Trapdoor T
i
for w
0
.
Test(P,sk
i
,C
i
,T
i
): Takes as input P, the secret key sk
i
of version i, the version-matched ciphertext C
i
and
trapdoor T
i
, outputs 1 when w = w
0
, otherwise out-
puts 0.
3.2 Construction
The concrete construction of the single-server scheme
is described below. The encryption algorithm Enc
and the trapdoor generation algorithm Trap door are
based on the construction of the encryption algorithm
in (Wang and Cao, 2009).
Setup(1
λ
) → P: Let G,G
T
be a group with prime
order q, g be a generator of G, and h be a ran-
dom elements in G\g. e : G × G → G
T
is a
bilinear map. H : {0, 1}
∗
→ G
T
is a collision-
resistant hash function. The system parameter P
is (q,g,h, G,G
T
,e,H).
KeyGen(P) → (pk
i
,sk
i
): Pick x from Z
∗
q
randomly
and generate the public/secret key pair of version
i (pk
i
= g
x
i
,sk
i
= x
i
).
Enc(P, pk
i
,w) → C
i
: For a keyword w, pick r
1
from
Z
∗
q
randomly and generate the ciphertext of w C
i
=
(c
1
,c
i,2
) = (g
r
1
,e(h, pk
i
)
r
1
· H(w)).
ReEnc(P,sk
i+1
,C
i
) → C
i+1
: Update the ciphertext C
i
and generate the ciphertext C
i+1
. Let C
i
be (c
1
,c
i,2
) and compute C
i+1
= (c
1
,c
i+1,2
) =
(c
1
,c
i,2
·e(h, c
i,1
)
−x
i
+x
i+1
). In the re-encryption al-
gorithm ReEnc, the old secret key x
i
is removed
from the ciphertext C
i
and a new secret key x
i+1
is
assigned.
Trapdoor(P, pk
i
,w
0
) → T
i
: For a keyword w
0
, pick r
2
from Z
∗
q
randomly and generate the trapdoor of w
0
T
i
= (t
1
,t
i,2
) = (g
r
2
,e(h, pk
i
)
r
2
· H(w
0
)
−1
)
Test(P,sk
i
,C
i
,T
i
) → 1 or 0: If the keywords in the
ciphertext C
i
and the trapdoor T
i
match in the test
algorithm Test, the keyword element is removed
from C
i
· T
i
. Since the server can compute C
i
· T
i
from the information it holds, it can identify key-
word matches by comparing them. Do the testing
as follows,
C
i
· T
i
= (c
1
·t
1
,c
i,2
·t
i,2
)
= (g
r
1
+r
2
,e(h,g
x
i
)
r
1
+r
2
· H(w)H(w
0
)
−1
)
e(h
x
i
,c
1
·t
1
) = c
i,2
·t
i,2
(1)
If (1) holds, outputs 1, otherwise output 0.
4 DUAL-SERVER SCHEME
Though the single-server scheme is secure against ex-
ternal attackers who eavesdrop the communication
channel, it is vulnerable to corruption of the server.
This is due to the fact that a single server can exe-
cute the test algorithm by itself. To resolve the is-
sue, we divide the power of the server into two sepa-
rate servers (called ”front server” and ”back server”)
where the front server and the back server is respon-
sible for maintaining ciphertext and the secret key, re-
spectively. The test algorithm is executed only when
the front and back servers cooperates. This extended
scheme was named dual-server scheme. By separat-
ing the storage location of the ciphertext and the se-
cret key, if the front server is attacked, the security
of the ciphertext can be guaranteed since the secret
key is not there. In the entrustment phase, the encryp-
tion client entrusts the ciphertext to the front server.
In the search phase, the search client first sends the
trapdoor to the front server. Next, the front server
executes the front test for all the ciphertext and the
trapdoor, and sends the internal-testing state to the
back server. Finally, the back server executes the back
test for the internal-testing state and return the results
to the search client. We should note that idea of di-
viding the power of the server has been presented in
(Chen et al., 2015), though, their scheme does not
SECRYPT 2021 - 18th International Conference on Security and Cryptography
694
support key update to minimize the damage of key ex-
posure. Our scheme support key update executed by
collaborating front and back servers. By using the ap-
proach of assigning a random element to the update
key in (Matsuzaki et al., 2017), dual-server scheme
guarantees the security of the ciphertext that has al-
ready been updated at the time of key exposure. In
the following subsections, we describe the algorithm
and structure of dual-server scheme, and finally, we
provide a security proof.
4.1 Algorithm
A single-server scheme is defined by the following
eight algorithms.
Setup(1
λ
),KeyGen(P): Same as single server
scheme.
Enc(P, pk
i
,w): Takes as input P, the public key pk
i
of
version i, and the keyword w, outputs the cipher-
text C
(0)
i
= (c
1
,c
(0)
i,2
) for w with 0 updates. The
index of the key indicates the version number.
ReKeyGen(P,sk
i
,sk
i+1
,c
1
): Takes as input P, the se-
cret key sk
i
of version i, the secret key sk
i+1
of
version i +1, and the ciphertext c
1
, outputs the up-
date key rk
i→i+1
. The server deletes the old key.
ReEnc(P,rk
i→i+1
,c
(k)
i,2
): Takes as input P, the update
key rk
i→i+1
, and the ciphertext c
(k)
i,2
encrypted with
the public key of version i +k, outputs the cipher-
text c
(k+1)
i,2
encrypted with the public key of ver-
sion i + k + 1.
Trapdoor(P, pk
i
,w
0
): Takes as input P, the public key
pk
i
of version i, and the keyword w
0
, outputs the
Trapdoor T
j
= (t
1
,t
j,2
) for w
0
.
FrontTest(P,c
(k)
i,2
,t
j,2
): Takes as input P, the cipher-
text c
(k)
i,2
and trapdoor t
j,2
where k + i = j holds,
outputs the internal testing-state C
IT S
.
BackTest(P,sk
j
,c
1
,t
1
,C
IT S
,state
j
): Takes as input
P, the secret key sk
j
of version j, the ciphertext
c
1
, the trapdoor t
1
, and the internal-testing state
C
IT S
, outputs 1 when w = w
0
, otherwise outputs 0.
4.2 Security Model
We define the security model of dual-server scheme
based on the security model in (Chen et al., 2015).
This security model can also be applied to single-
server schemes, where the attacker is an external
third party who has lower capabilities compared to
the server. The security defined in this section is
indistinguishability against chosen keyword attack
(IND-CKA) and indistinguishability against KGA
(IND-KGA), which guarantee the security of cipher-
text and trapdoor, respectively.
IND-CKA. The game between the attacker and the
challenger is shown below.
Setup: The challenger executes the KeyGen(λ) algo-
rithm to generate a key pair (pk
i
,sk
i
) and sends a
public key pk
i
to the attacker.
Key Exposure Query: The attacker sends a public
key pk
i
other than the most recent version to
the challenger. The challenger returns the corre-
sponding secret key sk
i
to the attacker.
Update KeyGen Query: The attacker sends a public
key pk
i
other than the most recent version and the
ciphertext c
1
to the challenger. The challenger ex-
ecutes ReKeyGen(P,sk
i
,sk
i+1
,c
1
), and returns the
update key to the attacker which updates to ver-
sion i + 1.
Update Query: The attacker sends the ciphertext c
(k)
i,2
and update key rk
i→i+1
to the challenger. The
challenger executes ReEnc(P,rk
i→i+1
,c
(k)
i,2
), and
returns the updated ciphertext c
(k+1)
i,2
to the at-
tacker.
Test Query 1: The attacker can adaptively issue the
test query for any keyword and any ciphertext.
The challenger returns 1 or 0 as the test result.
Challenge: The attacker sends the public key pk
i
of
version i and two keywords w
0
,w
1
. The chal-
lenger picks b ∈ {0, 1} and generates the chal-
lenge ciphertext Enc(P, pk
i
,w
b
) → C
∗
i
. The chal-
lenger returns C
∗
i
to the attacker.
Test Query 2: The attacker can continue issue the
test query for any keyword and any ciphertext ex-
cept of the challenge keywords w
0
,w
1
. The chal-
lenger returns 1 or 0 as the test result to the at-
tacker.
Output: Finally, the attacker outputs its guess b
0
∈
{0,1} for b and wins the game if b = b
0
.
Let the attacker in the above game be A and we define
the advantage as follows.
Adv
IND−CKA
A
(λ) = |Pr[b = b
0
] − 1/2|.
IND-KGA. This game is the same as IND-CKA game
except that in the Challenge phase, the challenger re-
turns a trapdoor instead of a ciphertext to the attacker,
so we omit the description of it.
Let the attacker in the game be A and we define
the advantage as follows.
Adv
IND−KGA
A
(λ) = |Pr[b = b
0
] − 1/2|.
Based on the security model defined above, we define
the security of dual-server scheme as follows.
Definition 1. We say that dual-server scheme if
for any polynomial time attacker A , we have that
Exposure Resilient Public-key Encryption with Keyword Search against Keyword Guessing Attack
695
Adv
IND−CKA
A
(λ) and Adv
IND−KGA
A
(λ) are negligible
functions of the security parameter λ.
4.3 Construction
The concrete construction of the dual-server scheme
is described below. When update the key, the back
server selects the random elements R
i
with which the
key is update, which makes the front server infeasible
to attack the ciphertexts generated outside the expo-
sure period even when the front server is corrupted.
The back server keeps the list state
i
of combinations
of random elements for cancelling the random ele-
ments accumulated in the internal-testing state.
Setup(1
λ
) → P, KeyGen(P) → (pk
i
,sk
i
): Same as
single server scheme.
Enc(P, pk
i
,w) → C
(0)
i
: For a keyword w, pick r
1
from
Z
∗
q
randomly and generate the ciphertext of w
C
(0)
i
= (c
1
,c
(0)
i,2
) = (g
r
1
,e(h, pk
i
)
r
1
· H(w)).
ReKeyGen(P,sk
i
,sk
i+1
,c
1
) → rk
i→i+1
: Pick R
i
from
G
T
randomly and generate the update key
rk
i→i+1
= e(h
−x
i
+x
i+1
,c
i,1
) · R
i
. For state
1
= φ
and state
i
= {st
i,1
,...,st
i,i−1
}, compute state
i+1
=
{st
i+1,1
,...,st
i+1,i−1
,st
i+1,i
} = {st
i,1
· R
i
,...,st
i,i−1
·
R
i
,R
i
} and store in the back server. st
i, j
=
∏
i−1
k= j
R
k
holds.
ReEnc(P,rk
i→i+1
,c
(k)
i,2
) → c
(k+1)
i,2
: Update the cipher-
text c
(k)
i,2
and generate the ciphertext c
(k+1)
i,2
= c
(k)
i,2
·
rk
i→i+1
.
Trapdoor(P, pk
i
,w
0
) → T
i
: For a keyword w
0
, pick r
2
from Z
∗
q
randomly and generate the trapdoor of w
0
T
j
= (t
1
,t
j,2
) = (g
r
2
,e(h, pk
i
)
r
2
· H(w
0
)
−1
)
FrontTest(P,c
( j−i)
i,2
,t
j,2
) → C
IT S
: Generate the
internal testing-state C
IT S
= c
( j−i)
i,2
· t
j,2
=
e(h,g
x
j
)
r
1
+r
2
· H(w)H(w
0
)
−1
· st
j,i
BackTest(P,c
i,1
,t
j,1
,C
IT S
,state
j
) → 1 or 0: For
state
j
= {st
j,1
,...,st
j, j−1
}, do the testing as
follows,
e(h
x
i
,c
i,1
·t
i,1
) · st
j,i
= C
IT S
(2)
If (2) holds, outputs 1, otherwise output 0.
4.4 Security of Dual-server Scheme
Theorem 1. Dual-server scheme is indistinguishable
secure against CKA assuming DBDH is intractable.
Proof. Suppose A is an attack algorithm that has ad-
vantage ε in breaking the proposed scheme. Suppose
A makes at most q
rk
Update KeyGen Query to O
RK
and at most q
te
Test Query to O
T E
(we assume q
rk
and q
te
are positive). We construct an algorithm B
that solves the DBDH problem with probability at
least ε
0
= ε/e(q
rk
+ q
te
+ 1), where e is the base of
the natural logarithm. Algorithm B’s running time is
approximately the same as A’s. Hence, if the DBDH
assumption holds in G then ε
0
is a negligible function
and consequently ε must be a negligible function in
the security parameter.
Let g be a generator of G. Algorithm B is given
g,u
1
= g
α
,u
2
= g
β
,u
3
= g
γ
,v ∈ G
4
× G
T
. Its goal is
to output 1 if v = e(g,g)
αβγ
, otherwise 0. Algorithm
B generates the public system parameters par of the
proposed scheme as follows.
1. Pick a bilinear map group (q, g,G, G
T
,e)
2. Let h = u
2
3. Pick a collision-resistant hash function H :
{0,1}
∗
→ G
T
4. par = (q,g, h,G,G
T
,e,H) Algorithm B simulates
the challenger and interacts with attacker A as fol-
lows.
Setup: Algorithm B starts by giving A the parameter
par.
KeyGen Query: To respond to KeyGen Query, algo-
rithm B keeps a list of tuples hi, pk
i
,x
i
,cii called the
O
KG
list. First, the list is empty. When A queries the
KeyGen oracle O
KG
with the version number i, the
algorithm B responds as follows.
1. Outputs pk
i
,x
i
if the query i is already in the O
KG
list with tuples hi, pk
i
,x
i
,cii
2. Otherwise, generates the random coin coin
i
∈
{0,1}, where Pr[coin
i
= 0] = δ
3. Picks x
i
←
R
Z
∗
q
. If coin
i
= 0, computes pk
i
= u
x
i
1
,
and if coin
i
= 1, computes pk
i
= g
x
i
4. Add a tuple hi, pk
i
,x
i
,cii to the O
KG
list and output
pk
i
,x
i
In either case of coin
i
, A cannot distinguish pk
i
because it is equivalent for A .
Key Exposure Query: Takes as input the public key
pk
i
, and outputs ⊥ if it is the latest version. Other-
wise, output the corresponding x
i
from the O
KG
list.
If it is not in the list, output ⊥.
Update KeyGen Query: Takes as inputs two public
keys pk
i
, pk
j
and the ciphertext c
1
, and returns ⊥ if at
least one of them is the latest version. Also, if there
are no the public keys in the O
KG
list, outputs ⊥. Oth-
erwise, if coin
i
corresponding to the input public key
is 0, outputs failure and terminates, and if it is 1, picks
the corresponding x
i
,x
j
from the list and computes
rk
i→ j
and outputs it.
Test Query 1: Takes as input the ciphertext C
i
and
a keyword w. If coin
i
corresponding to the version
number of the input ciphertext is 0, outputs failure
SECRYPT 2021 - 18th International Conference on Security and Cryptography
696
and terminates, and if it is 1, executes Trapdoor,
FrontTest and BackTest algorithms and outputs 0 or
1.
Challenge: Algorithm A generates a pair of two key-
words w
0
and w
1
and sends them to the algorithm B
with a public key pk
∗
. Algorithm B generates the
challenge ciphertext C
∗
and returns it to A as follows.
1. If the public key pk
∗
is not in the list of O
KG
, then
returns ⊥. If it is in the list, picks the correspond-
ing secret key x
∗
.
2. Takes the coin
∗
corresponding to the given pub-
lic key, and if coin
∗
= 1, outputs failure and ter-
minates, and if coin
∗
= 0, picks b ∈ {0,1} and
compute the challenge ciphertext C
∗
= (c
∗
1
,c
∗
2
) =
(g
γ
,H(w
b
) · v
x
∗
)
Test Query 2: Algorithm B works in the same way
as Test Query 1. However, if the input is w
0
or w
1
,
returns ⊥.
Output: A outputs a guess b
0
∈ {0, 1} that indicates
whether the challenge ciphertext C
∗
is Enc(P, pk
∗
,w
0
)
or Enc(P, pk
∗
,w
1
). Algorithm B outputs 1 if b
0
is the
same as b picked in Challenge (i.e., v = e(g,g)
αβγ
).
Otherwise, B outputs 0 (i.e., v is a random value).
In this simulation challenge, if coin
∗
= 0, v =
e(g,g)
αβγ
and w
0
= w
b
for the challenge ciphertext
generated by Algorithm B, it is a correct ciphertext
for A, since the test algorithm holds as follows.
T = (t
1
,t
2
) = (g
r
,e(h, pk
∗
)
r
· H(w
0
)
−1
)
C
IT S
= c
∗
2
·t
2
= e(h, pk
∗
)
γ+r
e(h
−αx
∗
,c
∗
1
·t
1
) = C
IT S
A can output the correct b
0
with a probability of
ε. Therefore, if b = b
0
holds, B can distinguish v =
e(g,g)
αβγ
with ε. On the other hand, if v is a ran-
dom value, A can only distinguish the correct b
0
that
is equal to b with probability 1/2.
Next, we consider that B can distinguish v =
e(g,g)
αβγ
with a probability of at least ε
0
. We analyze
the probability that B does not terminate the simula-
tion. We define the following three events.
- E
1
: B does not terminate in Update KeyGen Query
- E
2
: B does not terminate in Test Query
- E
3
: B does not terminate in Challenge
The probability of the occurrence of E
1
is (1 − δ)
q
rk
.
The probability of the occurrence of E
2
is (1 − δ)
q
te
.
The probability of the occurrence of E
3
is δ. There-
fore, we can compute (1 − δ)
q
rk
+q
te
δ as the probabil-
ity that B does not terminate the simulation . Since
the probability is 1/e(q
rk
+q
te
+1) when we optimize
to a maximum, B solves the DBDH problem with a
probability of at least ε/e(q
rk
+ q
te
+ 1).
Theorem 2. Dual-server scheme is indistinguishable
against KGA assuming DBDH is intractable.
Enc and Trapdoor in dual-server scheme are
equivalent, and the security models of IND-KGA and
IND-CKA are the same except that B returns a trap-
door instead of a ciphertext in Challenge. Therefore,
the proof of Theorem 2 is the same as the proof of
Theorem 1, and we omit the details of the proof.
5 CONCLUSION
In this paper, we have proposed two Exposure Re-
silient Public-Key Encryption with Keyword Search
against KGA. Both schemes (i.e., single-server and
dual-server schemes) guarantee security against KGA
by slightly modifying the test algorithm so that it can-
not be executed without the server’s secret key. Fur-
thermore, the damage of key exposure is minimized
by periodically updating the key. The second scheme
even tolerates corruption of a server, which is realized
by dividing the power of a single server into front and
back servers. To construct a scheme with less compu-
tational cost will be our challenging future work.
REFERENCES
Ateniese, G., Fu, K., Green, M., and Hohenberger, S.
(2006). Improved proxy re-encryption schemes with
applications to secure distributed storage. In ACM
Transactions on Information and System Security, Vol.
9, No. 1, pages pp. 1–30.
Blaze, M., Bleumer, G., and Strauss, M. (1998). Divert-
ible protocols and atomic proxy cryptography. In
Advances in Cryptology, EUROCRYPT’98, pages pp.
127–144.
Boneh, D., Crescenzo, G. D., Ostrovsky, R., and Per-
siano, G. (2004). Public key encryption with keyword
search. In Advances in Cryptology, EUROCRYPT
2004, pages pp. 506–522.
Chen, R., Mu, Y., Yang, G., Guo, F., and Wang, X. (2015).
A new general framework for secure public key en-
cryption with keyword search. In Information Security
and Privacy, Vol. 9144, pages pp 59–76.
Chen, R., Mu, Y., Yang, G., Guo, F., and Wang, X.
(2016). Dual-server public-key encryption with key-
word search for secure cloud storage. In IEEE Transa-
cions on Information Forensics and Security, Vol. 11,
No. 4, pages pp. 789–798.
Matsuzaki, N., Anada, H., and Watanabe, Y. (2017). Key-
updatable public-key encryption with keyword search
: The case of public-key update model. In Computer
Security Symposium 2017.
Wang, H. and Cao, Z. (2009). A fully secure unidirectional
and multi-use proxy re-encryption scheme. Master’s
thesis, Department of Computer Science and Engi-
neering, Shanghai Jiao Tong University.
Exposure Resilient Public-key Encryption with Keyword Search against Keyword Guessing Attack
697
