Semantically Secure and Verifiable Multi-keyword Search in Cloud Computing

  • Conference paper
Machine Learning for Cyber Security (ML4CS 2019)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 11806)

Abstract

In the cloud computing model, data are usually encrypted before being outsourced to the cloud server, which protects data privacy but also makes keyword search over ciphertext data a challenging problem. A keyword search scheme over encrypted data should achieve both index privacy and query privacy; moreover, verification of search results is desirable because incorrect results can be returned owing to system defects or the cloud server’s motivation to save computation resources. Many multi-keyword search schemes have been proposed; however, few of these schemes are verifiable, adaptively index-hiding and adaptively query-hiding. In this paper, a semantically secure multi-keyword search scheme is constructed, which is adaptively index-hiding and adaptively query-hiding and also supports correctness verification of search results. We provide a detailed performance comparison and give a thorough security proof by a sequence of games. The combined results demonstrate that our scheme is secure and practical.

References

  1. Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_30

  2. Song, D., Perrig, A.: Practical techniques for searches on encrypted data. In: Proceeding of the IEEE Symposium on Security and Privacy, (S&P 2000), Berkeley, USA, pp. 3–10 (2000)

  3. Zhang, L.L., Zhang, Y.Q., Liu, X.F., Quan, H.Y.: Efficient conjunctive keyword search over encrypted medical records. J. Softw (in Chin.) 27(6), 1577–1591 (2015)

  4. Zhang, L.L., Zhang, Y.Q., Ma, H.: Privacy-preserving and dynamic multi-attribute conjunctive keyword search over encrypted cloud data. IEEE Access 6(1), 34214–34225 (2018)

  5. Golle, P., Staddon, J., Waters, B.: Secure conjunctive keyword search over encrypted data. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 31–45. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24852-1_3

  6. Li, M., Yu, S., Cao, N., Lou, W.J.: Authorized private keyword search over encrypted data in cloud computing. In: Proceeding of the International Conference on Distributed Computing Systems (ICDCS), Minneapolis, MO, USA, pp. 383–392 (2011)

  7. Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_9

  8. Okamoto, T., Takashima, K.: Hierarchical predicate encryption for inner-products. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 214–231. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_13

  9. Wang, C., Ren, K., Yu, S., Mahendra, K., Urs, R.: Achieving usable and privacy-assured similarity search over outsourced cloud data. In: Proceedings of the IEEE INFOCOM, Orlando, FL, USA (2012)

  10. Hwang, Y.H., Lee, P.J.: Public key encryption with conjunctive keyword search and its extension to a multi-user system. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 2–22. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73489-5_2

  11. Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_29

  12. Shen, E., Shi, E., Waters, B.: Predicate privacy in encryption systems. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 457–473. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_27

  13. Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_4

  14. Ballard, L., Kamara, S., Monrose, F.: Achieving efficient conjunctive keyword searches over encrypted data. In: Qing, S., Mao, W., López, J., Wang, G. (eds.) ICICS 2005. LNCS, vol. 3783, pp. 414–426. Springer, Heidelberg (2005). https://doi.org/10.1007/11602897_35

  15. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_36

  16. Lai, J., Li, Y., Deng, R.: Towards semantically secure outsourcing of association rule mining on categorical data. Inf. Sci. 267, 267–286 (2014)

  17. Li, F., Hadjieleftheriou, M., Kollios, G., Reyzin, L.: Dynamic authenticated index structures for outsourced databases. In: Proceedings of the SIGMOD, New York, USA, pp. 121–132 (2013)

  18. Fu, A.M., Yu, S., Zhang, Y.Q.: NPP: a new privacy-aware public auditing scheme for cloud data sharing with group users. IEEE Trans. Big Data (2017). https://doi.org/10.1109/TBDATA.2017.2701347

  19. Wang, C., Ren, K., Yu, S., Mahendra, K., Urs, R.: Achieving usable and privacy-assured similarity search over outsourced cloud data. In: Proceedings of the IEEE INFOCOM, Orlando, FL, USA (2010)

  20. Sun, W., et al.: Privacy-preserving multi-keyword text search in the cloud supporting similarity-based ranking. In: Proceedings of the ASIACCS, Hangzhou, China, pp. 71–82 (2013)

  21. Chen, C., Zhu, X., Shen, P., Hu, J., Guo, S.: An efficient privacy-preserving ranked keyword search method. IEEE Trans. Parallel Distrib. Syst. 27(4), 951–963 (2016)

  22. Li, X.X., Hua, L.F., Song, C.G.: Public key generation with multi-keyword search. J. Xidian U. 42(5), 20–26 (2015)

Acknowledgement

National Key Research and Development Program of China (2016YFB0800703), Chinese National Natural Science Foundation (Grant U1836210, Grant 61572460, Grant 61772174 and Grant 61370220), in part by the National Information Security Special Projects of the National Development and Reform Commission of China under Grant (2012)1424, and in part by the Open Project Program of the State Key Laboratory of Information Security under Grant 2017-ZD-01.

Author information

Correspondence to Lili Zhang or Yuqing Zhang.

Appendices

Appendix A.1 Dual System Encryption

The security of the scheme is proved by dual system encryption, in which both ciphertexts and keys have two forms: standard and semi-functional. The trapdoor generated by GenTrapdoor is called the normal trapdoor, and the encrypted index generated by EncIndex is called the standard ciphertext. We define the semi-functional index ciphertext and the semi-functional trapdoor, which are employed only in the proof of the scheme.

We use to denote the normal index ciphertext of \(\overrightarrow{X} , (K_\mathrm{{1}}^{*(norm)},K_\mathrm{{2}}^{*(norm)})\) to denote the normal trapdoor of \(\overrightarrow{Y}\), to denote the semi-functional index ciphertext of \(\overrightarrow{X} = \{ {x_1}, \ldots ,{x_n}\} \).

figure l

We use to denote the semi-functional index ciphertext of \(\overrightarrow{X} = \{ {x_1}, \ldots ,{x_n}\} \).

We use \((K_\mathrm{{1}}^{*(semi)},K_\mathrm{{2}}^{*(semi)})\) to denote the semi-functional trapdoor of \(\overrightarrow{Y} = \{ {y_1}, \ldots ,{y_n}\} \).

$$\begin{aligned}&K_1^{*(semi)} = {s^{ - 1}}({\rho _1}(\sum \limits _{i = 1}^n {{y_i}b_i^*)} + \sum \limits _{i = 1}^n {{v_i}b_{n + i}^*} + {\rho _2}b_{2n + 2}^*) = {s^{ - 1}}({\rho _1}\overrightarrow{Y} ,\mathrm{{ }}\overrightarrow{V} ,0,{\rho _2},0){B^*}\\&K_2^{*(semi)} = {s^{ - 1}}({\theta _1}(\sum \limits _{i = 1}^n {{y_i}} b_i^*) + \sum \limits _{i = 1}^n {{w_i}} b_{n + i}^* + \gamma b_{2n + 1}^* + {\theta _2}b_{2n + 2}^*) = {s^{ - 1}}({\theta _1}\overrightarrow{Y} ,\overrightarrow{W} ,\gamma ,{\theta _2},0){B^*} \end{aligned}$$

where \(\overrightarrow{V} = ({v_1}, \ldots ,{v_n}),{v_j}(1 \le j \le n) \leftarrow {F_q}\) and \(\overrightarrow{W} = ({w_1}, \ldots ,{w_n}),{w_i}(1 \le i \le n) \leftarrow {F_q},\) other parameters are the same as those in \( K_\mathrm{{1}}^{*(norm)}\) and \( K_\mathrm{{2}}^{*(norm)}\).

If \(\overrightarrow{X} {.}\overrightarrow{Y} = 0\), we can observe that

figure p
figure q

are uniformly and independently distributed over \({G_T}\). From Formulas (1) and (2), we can observe that decryption fails when the semi-functional ciphertext is decrypted with the semi-functional key.

Appendix A.2 The Proof of the Scheme Security

Index privacy game: it is a game between the challenger B and the PPT adversary A. This game is also called game 0.

  1. B executes \(Setup({1^\lambda })\) to generate PK and secret keys \(SK = \{ S{K_1},S{K_2}\} \), and PK is given to the adversary. The private key is safely kept and \(S{K_1}\) is also safely kept by the data owner. Note that B generates \(S{K_1}\) by acting as both parties in the Diffie-Hellman key exchange protocol.

  2. A may adaptively issue queries, where each query can be a ciphertext query or a trapdoor query. On the j-th ciphertext query, A issues an index vector \(\overrightarrow{{X_j}} \) and receives the corresponding ciphertext \({C_{\overrightarrow{{X_j}} }} \leftarrow EncIndex(SK,\overrightarrow{{X_j}} )\). On the j-th trapdoor query, A issues a query vector \(\overrightarrow{{Y_j}} \) and receives the corresponding trapdoor \(T{D_{\overrightarrow{{Y_j}} }} \leftarrow GenTrapdoor(SK,\overrightarrow{{Y_j}} )\).

  3. A issues two challenge index vectors \((\overrightarrow{{X^0}} ,\overrightarrow{{X^1}} )\), subject to the restriction \({\overrightarrow{X} ^{(0)}}{.}\overrightarrow{Y} \ne 0\) and \({\overrightarrow{X} ^{(1)}}{.}\overrightarrow{Y} \ne 0\) for every query vector \(\overrightarrow{Y} \) issued by A. B chooses a random bit \(b \in \{ 0,1\} \), and A is given \({C_{{{\overrightarrow{X} }^{(b)}}}} \leftarrow EncIndex(SK,{\overrightarrow{X} ^{(b)}})\).

  4. A may continue to submit additional queries as in step 2, with the same restriction as in step 3.

  5. A outputs one bit \(b'\), and it wins the game if \(b' = b\).

Game 1: A truly random function with the same range and domain substitutes \({\mathrm{{F}}_{{K_1}}}\) in game 0.

Game 2: A truly random function with the same range and domain substitutes \({\mathrm{{F}}_{{K_2}}}\) in game 1.

Game 3: A semi-functional challenge ciphertext for the index is given to the adversary.

Game 4-t: The challenge index ciphertext is semi-functional, and the first t trapdoors are semi-functional.

Game 5: The challenge index ciphertext and all the trapdoors are semi-functional.

Theorem 1

If the advantages for Assumptions 2 and 3 are negligible, then the proposed scheme is adaptively index-hiding against CPA.

Proof:

In game 5, both the index ciphertext and the trapdoors are semi-functional, so no PPT adversary can attain any advantage in game 5. Hence, if the index privacy game can be proved to be computationally indistinguishable from game 5, then the advantage in the original index privacy game is also negligible. Below we prove that the index privacy game and game 5 are computationally indistinguishable by 5 lemmas.

Lemma 1

Game 0 and game 1 are computationally indistinguishable.

Proof

To prove Lemma 1, we construct a PPT machine B that uses the adversary A to distinguish a pseudorandom function from a random function. The process is as follows.

(1) B returns the system public parameters to A and keeps \(SK = (r,{K_1},{K_2},{B^*})\).

(2) A issues a ciphertext query on the attribute vector \( \overrightarrow{X} \) to B. B queries its oracle on DID (the identifier of \( \overrightarrow{X} \)) and sets the result as \(\alpha \). When \(f = {F_{{K_1}}}\), then \(\alpha = {F_{{K_1}}}(DID)\); otherwise, \(\alpha \) is distributed uniformly at random. In response, B answers a ciphertext \({C_{\overrightarrow{X} }} = r({\varepsilon _1}(\sum \limits _{i = 1}^n {{x_i}{b_i}} ) + \alpha {b_{2n + 1}} + {\varepsilon _2}{b_{2n + 3}})\), where \({\varepsilon _1},{\varepsilon _2} \in {F_q}\) are chosen uniformly at random.

(3) A issues a trapdoor query, and B answers a normal trapdoor computed by using \({B^*}\) and \({K_2}\).

(4) When B gets the challenge index vector \((\overrightarrow{{X^0}} ,\overrightarrow{{X^1}} )\), B chooses a random bit \(b \in \{ 0,1\} \) and sends a ciphertext index \({C_{\overrightarrow{{X^b}} }} = s({\varepsilon _1}(\sum \limits _{i = 1}^n {x_i^b{b_i}} ) + \alpha {\mathrm{{b}}_{2n + 1}} + {\varepsilon _2}{b_{2n + 3}})\).

(5) A and B continue to operate as in steps (2) and (3). In fact, when \(f = {F_{{K_1}}}\), B has simulated game 0; when f is a random function with the domain \(D = {(0,1)^{{l_t}}}\) and the range \(R = {F_q}\), B has simulated game 1.

(6) A outputs a bit \(b'\). If \(b' = b\), then A can distinguish game 0 from game 1, and so B can distinguish a pseudorandom function from a random function, which contradicts the property of the pseudorandom function. Therefore, game 0 and game 1 are computationally indistinguishable.

Lemma 2

Game 1 and game 2 are computationally indistinguishable.

We omit the proof of Lemma 2 because it is similar to the proof of Lemma 1.

Lemma 3

Assuming the advantage for Assumption 2 is negligible, game 2 and game 3 are computationally indistinguishable.

Proof

To prove this lemma, we construct a PPT machine B that uses the adversary A against Assumption 2.

After receiving Assumption 2 instance , B tries his best to decide \(\beta = 1\) or \(\beta = 0\). B runs A to break Assumption 2. The processing is as follows.

(1) B returns the system public parameters to A and keeps \(SK = (s,{K_1},{K_2},{B^*})\).

(2) A submits a ciphertext query on the index vector \(\overrightarrow{X} \), and B answers a normal ciphertext \({C_{\overrightarrow{X} }} = s({\varepsilon _1}(\sum \limits _{i = 1}^n {{x_i}{b_i}} ) + \alpha {\mathrm{{b}}_{2n + 1}} + {\varepsilon _2}{b_{2n + 3}})\) computed by \(\widehat{B}\) and S.

(3) A issues a trapdoor query on all the query keywords, and B answers a normal trapdoor computed by \(\widehat{{B^*}}\) and S.

(4) Getting the challenge index vector \((\overrightarrow{{X^0}} ,\overrightarrow{{X^1}} )\), B selects a random bit \( b \in \{ 0,1\}\), parses \(\overrightarrow{{X^b}} = \{ x_1^b, \ldots ,x_n^b\}\), and computes \({C_{\overrightarrow{{X^b}} }} = s(\sum \limits _{i = 1}^n {x_i^b{d_{\beta ,i}}} + \alpha '{b_{2n + 1}})\), where \(\alpha ' \in {F_q}\) is chosen uniformly at random.

(5) A continues to adaptively submit additional queries as in steps (2) and (3).

When \(\beta = 0\), then \({C_{\overrightarrow{{X^b}} }} = r(\sum \limits _{i = 1}^n {x_i^b{d_{0,i}}} + \alpha '{b_{2n + 1}}) = r({\varepsilon _1}\sum \limits _{i = 1}^n {x_i^b{b_i}} + \alpha '{b_{2n + 1}} + (\sum \limits _{i = 1}^n {x_i^b{\varepsilon _{2,i}}} ){b_{2n + 3}})\), and B has simulated game 2.

When \(\beta = 1\), then \({C_{\overrightarrow{{X^b}} }} = r(\sum \limits _{i = 1}^n {x_i^b{d_{1,i}}} + \alpha '{b_{2n + 1}}) = r({\varepsilon _1}\sum \limits _{i = 1}^n {x_i^b{b_i}} + \sum \limits _{i = 1}^n {(\sum \limits _{t = 1}^n \rho x_t^b{u_{t,i}}} ){b_{n + i}} + \alpha '{b_{2n + 1}} + (\sum \limits _{i = 1}^n {x_i^b{\varepsilon _{2,i}}} ){b_{2n + 3}})\), and B has simulated game 3.

(6) A outputs a bit \(b'\). If \(b' = b\), then A can distinguish game 3 from game 2, and so B can decide whether \(\beta = 0\) or \(\beta = 1\). This means that B’s advantage of breaking Assumption 2 is non-negligible. This contradicts \(ADV_\mathrm{{A}}^{A{p_2}}(\lambda )\) = \(ADV_\mathrm{{A}}^{n - eDDH}(\lambda ) \), which has been proved in []. Therefore, if the advantage for Assumption 2 is negligible, game 3 and game 2 are computationally indistinguishable.

Lemma 4

Assuming the advantage for Assumption 3 is negligible, game 4-(t-1) and game 4-t are computationally indistinguishable for \(1 \le \vartheta \le t\), where \(\vartheta \) denotes the number of trapdoor queries the adversary makes.

Proof

To prove Lemma 4, we construct a PPT machine B that uses the adversary A against Assumption 3.

Receiving \((q,G,{G^T},g,e,V,\widehat{B},\widehat{{B^*}},{\{ h_{\beta ,i}^*,{d_i}\} _{1 \le i \le n}})\), B tries to decide whether \(\beta = 0\) or \(\beta = 1\). B runs A as a subroutine to break Assumption 3. The process is as follows.

(1) B returns the system parameters to A, and keeps .

(2) A issues a ciphertext query for the index vector \(\overrightarrow{X}\), and B answers a normal ciphertext \({C_{\overrightarrow{X} }} = s({\varepsilon _1}(\sum \limits _{i = 1}^n {{x_i}{b_i}} ) + \alpha {\mathrm{{b}}_{2n + 1}} + {\varepsilon _2}{b_{2n + 3}})\) computed by s and .

(3) A issues the -th trapdoor query on the query vector \( \overrightarrow{Y} = \{ {y_1}, \ldots ,{y_n}\} \), and B answers according to the following rules.

If \(1 \le v \le k - 1\), B creates a semi-functional trapdoor for \(\overrightarrow{Y} = \{ {y_1}, \ldots ,{y_n}\} \) by using s and \({\mathrm{{B}}^*}\).

If \(v > k\), B answers a normal trapdoor by using s and \({\mathrm{{B}}^*}\).

If \(v =k\), B calculates \( K_1^* = {s^{ - 1}}(\rho (\sum \limits _{i = 1}^n {{y_i}} h_{\beta ,i}^*) + \rho 'b_{2n + 2}^*),K_2^* = {s^{ - 1}}(\theta (\sum \limits _{i = 1}^n {{y_i}} h_{\beta ,i}^*) + \eta 'b_{2n + 1}^* + \theta 'b_{2n + 2}^*)\), where \(\rho ,\rho ',\theta ,\theta ',\eta ' \in {F_q}\) are chosen uniformly at random.

(4) Getting the challenge attribute vector \( (\overrightarrow{{X^0}} ,\overrightarrow{{X^1}} )\), B selects a random bit \(b \in \{ 0,1\} \) and parses \(\overrightarrow{{X^b}} = \{ x_1^b, \ldots ,x_n^b\}\). B chooses \({\varepsilon _2}',\alpha ' \in {F_q}\) and \(DID \in {\{ 0,1\} ^{{l_t}}}\) uniformly at random, computes \( \alpha = {F_{{K_1}}}(FID),\ {C_{\overrightarrow{{X^b}} }} = r(\sum \limits _{i = 1}^n {x_i^b{d_i}} + \alpha '{b_{2n + 1}} + {\varepsilon _2}'{b_{2n + 3}})\), and sends \((\alpha ,{C_{\overrightarrow{{X^b}} }})\) to A.

(5) A continues to adaptively issue additional queries as in steps (2) and (3).

In fact, when \(\beta = 0\), B has simulated game 4-(t-1); when \(\beta = 1\), B has simulated game 4-t.

(6) A outputs \(b'\). If \(b' = b\), then A can distinguish game 4-(t-1) from game 4-t, and so B can decide whether \(\beta = 0\) or \(\beta = 1\). This means that B’s advantage for Assumption 2 is non-negligible. This contradicts \(ADV_\mathrm{{A}}^{A{p_3}}(\lambda )\) = \(ADV_\mathrm{{A}}^{n - eDDH}(\lambda ) \), which has been proved in [].

So game 4-(t-1) and game 4-t are computationally indistinguishable.

Lemma 5

Game 4-\(\vartheta \) and game 5 are essentially equivalent.

Proof

To prove Lemma 5, we prove that the distribution

in game 4-\(\vartheta \) and that in Game 5 are equivalent, where x and y denote the number of ciphertext queries and trapdoor queries the adversary issues, respectively.

Set \({d_i} = {b_i},\ {d_{n + i}} = {b_{n + i}} - \sum \limits _{s = 1}^n {{z_{i,s}}} {b_s} - {\theta _i}{b_{2n + 1}}\ (i = 1, \ldots ,n),\ {d_{2n + i}} = {b_{2n + i}}\ (i = 1,2,3)\).

Set \(\mathrm{D} := ({d_1}, \ldots ,{d_{2n + 3}}),\ {\mathrm{D}^*} := (d_1^*, \ldots ,d_{2n + 3}^*)\).

In the game 4-t, the trapdoor for the j-th query, the index ciphertext for the first index, and the challenge ciphertext can be represented by B and \({B^*}\) as follows.

figure aa

We notice that can be represented by D and \({D^*}\).

figure ab

where \(v_t^{(j)'} = v_t^{(j)} - \rho _1^{(j)}\sum \limits _{i = 1}^n {y_i^{(j)}{z_{t,i}}}\) is uniformly and independently distributed.

figure ac

where \(w_t^{(j)'} = w_t^{(j)} - \theta _1^{(j)}\sum \limits _{i = 1}^n {y_i^{(j)}{z_{t,i}}} - {\beta ^{(j)}}{\theta _t}\) are uniformly and independently distributed.

$$\begin{aligned}&C_{\overrightarrow{X} }^{(j)} = s(\varepsilon _1^{(j)}(\sum \limits _{i = 1}^n {x_i^j{b_i}} ) + {\alpha ^{(j)}}{b_{2n + 1}} + \varepsilon _2^{(j)}{b_{2n + 3}}) = s(\varepsilon _1^{(j)}(\sum \limits _{i = 1}^n {x_i^j{d_i}} ) + {\alpha ^{(j)}}{d_{2n + 1}} + \varepsilon _2^{(j)}{d_{2n + 3}}),\\&C_{_{\overrightarrow{X} }}^* = s(\varepsilon _1^*(\sum \limits _{i = 1}^n {x_i^*{b_i}} ) + \sum \limits _{i = 1}^n {{u_i}{b_{n + i}}} + {\alpha ^*}{\mathrm{{b}}_{2n + 1}} + \varepsilon _2^*{b_{2n + 3}}),\\&= s(\sum \limits _{t = 1}^n {{\varepsilon _x}{d_t}} + \sum \limits _{i = 1}^n {{u_i}{d_{n + i}}} + {\alpha _x}{d_{2n + 1}} + \varepsilon _2^*{d_{2n + 3}}) \end{aligned}$$

\({\varepsilon _x} = {\varepsilon _1}x_t^* + \sum \limits _{i = 1}^n {{u_i}} {z_{i,t}},{\alpha _x} = {\alpha ^*} + \sum \limits _{i = 1}^n {{u_i}} {\theta _i}\) are uniformly and independently distributed.

Therefore, can be represented as trapdoors and index ciphertexts in two ways: in Game 4-\(\vartheta \) over bases \((\mathrm{B},{\mathrm{B}^*})\), and in Game 5 over bases \((\mathrm{D},{\mathrm{D}^*})\). Thus, Game 4-\(\vartheta \) can be conceptually changed to Game 5.

In conclusion, if the function is a pseudorandom function and the advantages for Assumptions 2 and 3 are negligible, the index privacy game and game 5 are computationally indistinguishable. Moreover, any PPT adversary has no advantage in game 5. At this point, Theorem 1 is proved.

Index privacy game, game 0: it is the original query privacy game between the challenger B and the adversary A. The original query privacy game can be described in a way similar to the original index privacy game.

Theorem 2

If the advantages for Assumptions 4 and 5 are negligible, then the proposed scheme is adaptively query-hiding against CPA.

The proof of Theorem 2 is similar to the proof of Theorem 1.

Appendix A.3 The Proof of Unforgeability of the Results

Theorem 3

The proposed scheme achieves unforgeability of the results.

After receiving the trapdoor \(T{D_{\overrightarrow{Y} }} = (K_1^*,K_2^*)\), the cloud server searches all the encrypted indexes and sends \((({\alpha _1},p{f_1}),({\alpha _2},p{f_2}), \ldots )\) to the user, where \(p{f_i}\) is the proof that \({d_i}\) with the \(DI{D_i}\) matches Q: \(p{f_i} = e({C_{\overrightarrow{{X_i}} }},K_2^*)\).

If \(\overrightarrow{{X_i}} \) matches \(\overrightarrow{Y} = ({\mathrm{{y}}_1}, \ldots ,{\mathrm{{y}}_n})\), then \(\overrightarrow{{X_i}} {.}\overrightarrow{Y} = 0\), i.e., \(\sum \limits _{j = 1}^n {{x_{i,j}}} .{y_j} = 0\), and then \(p{f_i} = e({C_{\overrightarrow{{X_i}} }},K_2^*) = e{(\mathrm{{g,g}})^{{\alpha _i}\gamma }}\), where \({\alpha _i} = {F_{{K_1}}}(DI{D_i}),\gamma = {\gamma _1}, \ldots ,{\gamma _d},{\gamma _i} = {F_{{K_2}}}(KI{D_i})\). Otherwise, \(p{f_i}\) is uniformly and independently distributed in \({G_T}\). So, if \(\overrightarrow{{X_i}}\) does not match \(\overrightarrow{Y} = ({\mathrm{{y}}_1}, \ldots ,{\mathrm{{y}}_n})\), the probability that an adversary outputs \( p{f_i} = e{(\mathrm{{g,g}})^{{\alpha _i}\gamma }}\) is negligible. So, we prove that the proposed scheme achieves unforgeability of the results.
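The algebra behind Appendix A.1 and the result check of Appendix A.3, as an added example that is not code from the paper: it works on exponents (coordinate vectors over \({F_q}\)) in place of group elements, so the pairing becomes an inner product over dual bases \(B, {B^*}\). Assumptions: HMAC-SHA256 stands in for \({F_K}\), the normal \(K_2^*\) is taken to be the semi-functional form with \(\overrightarrow{W} = 0\), a single \(\gamma \) is used, and all vectors, keys and identifiers are constructed.

```python
import hashlib, hmac, random

Q = 2**61 - 1  # prime q for the field F_q (constructed)

def prf(key, msg):
    """Stand-in for F_K (assumption): HMAC-SHA256 reduced mod Q."""
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") % Q

def inverse_mod_q(m):
    """Gauss-Jordan inverse of a square matrix over F_q, or None if singular."""
    n = len(m)
    a = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for c in range(n):
        p = next((r for r in range(c, n) if a[r][c]), None)
        if p is None:
            return None
        a[c], a[p] = a[p], a[c]
        inv = pow(a[c][c], -1, Q)
        a[c] = [v * inv % Q for v in a[c]]
        for r in range(n):
            if r != c and a[r][c]:
                f = a[r][c]
                a[r] = [(v - f * w) % Q for v, w in zip(a[r], a[c])]
    return [row[n:] for row in a]

def dual_bases(dim, rng):
    """Rows b_i of B and b*_j of B* with b_i . b*_j = 1 if i == j else 0."""
    while True:
        B = [[rng.randrange(Q) for _ in range(dim)] for _ in range(dim)]
        inv = inverse_mod_q(B)
        if inv is not None:
            return B, [list(col) for col in zip(*inv)]  # B* = (B^-1)^T

def combine(coeffs, basis, scale):
    """Coordinates of scale * sum_i coeffs[i] * basis[i] over F_q."""
    return [scale * sum(c * row[k] for c, row in zip(coeffs, basis)) % Q
            for k in range(len(basis))]

def pairing_exp(c, k):
    """Exponent of e(C, K) to the base e(g,g): inner product of coordinates."""
    return sum(a * b for a, b in zip(c, k)) % Q

def enc_index(B, s, x, alpha, rng, semi=False):
    """C_X = s(e1*sum x_i b_i [+ sum u_i b_{n+i}] + alpha*b_{2n+1} + e2*b_{2n+3})."""
    e1, e2 = rng.randrange(1, Q), rng.randrange(Q)
    u = [rng.randrange(1, Q) if semi else 0 for _ in x]
    return combine([e1 * xi % Q for xi in x] + u + [alpha, 0, e2], B, s)

def gen_k2(Bstar, s, y, gamma, rng, semi=False):
    """K2* = s^-1 (t1*Y, W, gamma, t2, 0) B*; W = 0 when normal (assumed)."""
    t1, t2 = rng.randrange(1, Q), rng.randrange(Q)
    w = [rng.randrange(1, Q) if semi else 0 for _ in y]
    coeffs = [t1 * yi % Q for yi in y] + w + [gamma, t2, 0]
    return combine(coeffs, Bstar, pow(s, -1, Q))

def demo(seed=7):
    rng = random.Random(seed)  # reproducible here; real keys need a CSPRNG
    n = 3
    B, Bstar = dual_bases(2 * n + 3, rng)
    s = rng.randrange(1, Q)
    alpha = prf(b"constructed-K1", b"DID-1")  # alpha_i = F_K1(DID_i)
    gamma = prf(b"constructed-K2", b"KID-1")  # single gamma (simplification)
    expected = alpha * gamma % Q              # exponent of e(g,g)^(alpha*gamma)
    y = [1, 2, 3]                             # constructed query vector
    x_hit, x_miss = [3, 0, Q - 1], [1, 1, 1]  # x_hit.y = 0 mod Q, x_miss.y = 6
    k_norm = gen_k2(Bstar, s, y, gamma, rng)
    k_semi = gen_k2(Bstar, s, y, gamma, rng, semi=True)
    ok = lambda c, k: pairing_exp(c, k) == expected  # the user's check on pf_i
    return {
        "match": ok(enc_index(B, s, x_hit, alpha, rng), k_norm),
        "miss": ok(enc_index(B, s, x_miss, alpha, rng), k_norm),
        "normal_ct_semi_key": ok(enc_index(B, s, x_hit, alpha, rng), k_semi),
        "semi_ct_normal_key": ok(enc_index(B, s, x_hit, alpha, rng, True), k_norm),
        "semi_ct_semi_key": ok(enc_index(B, s, x_hit, alpha, rng, True), k_semi),
    }

if __name__ == "__main__":
    print(demo())
```

Only the semi-functional ciphertext paired with the semi-functional trapdoor picks up the extra \(\sum {u_i}{w_i}\) term, which is why the check against \(e{(g,g)^{{\alpha _i}\gamma }}\) fails in that case even though \(\overrightarrow{X} {.}\overrightarrow{Y} = 0\).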

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Zhang, L., Wang, W., Zhang, Y. (2019). Semantically Secure and Verifiable Multi-keyword Search in Cloud Computing. In: Chen, X., Huang, X., Zhang, J. (eds) Machine Learning for Cyber Security. ML4CS 2019. Lecture Notes in Computer Science, vol 11806. Springer, Cham. https://doi.org/10.1007/978-3-030-30619-9_15

  • DOI: https://doi.org/10.1007/978-3-030-30619-9_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-30618-2

  • Online ISBN: 978-3-030-30619-9

  • eBook Packages: Computer Science, Computer Science (R0)
