
Generic constructions of integrated PKE and PEKS

Abstract

In this paper we investigate the topic of integrated public-key encryption (PKE) and public-key encryption with keyword search (PEKS) schemes (PKE–PEKS as shorthand). We first formalize the strongest security notion to date for PKE–PEKS schemes, named joint CCA-security. We then propose two simple constructions of jointly CCA-secure PKE–PEKS schemes from anonymous (hierarchical) identity-based encryption schemes. Besides, we also define the notion of consistency for PKE–PEKS schemes, as well as revisit its related notions (including consistency of PEKS schemes, robustness and collision-freeness of IBE schemes), which may be of independent interest.


Notes

  1. In the PEKS setting, “plaintext” in fact means “keyword”. We will slightly abuse this term where it is clear from the context.

  2. An integrated PKE and PEKS scheme is also known as a combined PKE/PEKS scheme.

  3. This combined CCA-security notion could be made stronger by giving the adversary access to an additional token oracle. We believe the absence of the token oracle is probably a careless mistake.

  4. In [3], tag-based is referred to as label-based [44].

  5. Our constructions also make use of a one-time signature scheme, but it can be derived from one-way functions, which in turn are implied by CPA-secure encryption.

  6. We believe the two key PKE–PEKS construction sketched in [3] is also jointly CCA-secure.

  7. Here, “non-interactive” means that both token generation and keyword search are done in a non-interactive manner. We emphasize that indistinguishability-style keyword hiding is possible in the interactive setting: Boneh et al. [14] constructed a PEKS scheme allowing Private Information Retrieval [36], which hides all the information including the keyword.

  8. By the convention of IBE, the decryption key \(dk\) is usually denoted by \(sk\) and referred to as the private key. In this work we reserve the symbol \(sk\) for the secret key of PKE, PEKS, and PKE–PEKS schemes, and call the private key of an IBE scheme the decryption key to avoid confusion.

References

  1. Abdalla M., Bellare M., Rogaway P.: The oracle Diffie–Hellman assumptions and an analysis of DHIES. In: Naccache D. (ed.) Topics in Cryptology—CT-RSA 2001. Lecture Notes in Computer Science, vol. 2020, pp. 143–158. Springer, Berlin (2001).

  2. Abdalla M., Bellare M., Catalano D., Kiltz E., Kohno T., Lange T., Malone-Lee J., Neven G., Paillier P., Shi H.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. J. Cryptol. 21(3), 350–391 (2008).

  3. Abdalla M., Bellare M., Neven G.: Robust encryption. In: Micciancio D. (ed.) TCC 2010. Lecture Notes in Computer Science, vol. 5978, pp. 480–497. Springer, Berlin (2010).

  4. Agrawal S., Boneh D., Boyen X.: Efficient lattice (H)IBE in the standard model. In: Gilbert H. (ed.) Advances in Cryptology—EUROCRYPT 2010. Lecture Notes in Computer Science, vol. 6110, pp. 553–572. Springer, Berlin (2010).

  5. Baek J., Safavi-Naini R., Susilo W.: On the integration of public key data encryption and public key encryption with keyword search. In: Katsikas S.K., Lopez J., Backes M., Gritzalis S., Preneel B. (eds.) Information Security, 9th International Conference, ISC 2006. Lecture Notes in Computer Science, vol. 4176, pp. 217–232. Springer, Berlin (2006).

  6. Boneh D., Boyen X.: Efficient selective-ID secure identity based encryption without random oracles. In: Cachin C., Camenisch J.L. (eds.) Advances in Cryptology—EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3027, pp. 223–238. Springer, Berlin (2004).

  7. Boneh D., Boyen X.: Short signatures without random oracles. In: Cachin C., Camenisch J. (eds.) Advances in Cryptology—EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3027, pp. 56–73. Springer, Berlin (2004).

  8. Boneh D., Boyen X.: Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptol. 21(2), 149–177 (2008).

  9. Boneh D., Franklin M.K.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32, 586–615 (2003).

  10. Boneh D., Waters B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan S.P. (ed.) Theory of Cryptography, 4th Theory of Cryptography Conference, TCC 2007. Lecture Notes in Computer Science, vol. 4392, pp. 535–554. Springer, Berlin (2007).

  11. Boneh D., Canetti R., Halevi S., Katz J.: Chosen-ciphertext security from identity-based encryption. SIAM J. Comput. 36(5), 1301–1328 (2007).

  12. Boneh D., Di Crescenzo G., Ostrovsky R., Persiano G.: Public key encryption with keyword search. In: Advances in Cryptology—EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3621, pp. 506–522. Springer, Berlin (2004).

  13. Boneh D., Gentry C., Hamburg M.: Space-efficient identity based encryption without pairings. In: 48th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2007, pp. 647–657. IEEE Computer Society (2007).

  14. Boneh D., Kushilevitz E., Ostrovsky R., Skeith III W.E.: Public key encryption that allows PIR queries. In: Menezes A. (ed.) Advances in Cryptology—CRYPTO 2007. Lecture Notes in Computer Science, vol. 4622, pp. 50–67. Springer, Berlin (2007).

  15. Boneh D., Raghunathan A., Segev G.: Function-private identity-based encryption: hiding the function in functional encryption. In: Canetti R., Garay J.A. (eds.) Advances in Cryptology—CRYPTO 2013. Lecture Notes in Computer Science, vol. 8043, pp. 461–478. Springer, Berlin (2013).

  16. Boyen X.: Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more. In: Nguyen P.Q., Pointcheval D. (eds.) Public Key Cryptography—PKC 2010. Lecture Notes in Computer Science, vol. 6056, pp. 499–517. Springer, Berlin (2010).

  17. Boyen X., Waters B.: Anonymous hierarchical identity-based encryption (without random oracles). In: Dwork C. (ed.) Advances in Cryptology—CRYPTO 2006. Lecture Notes in Computer Science, vol. 4117, pp. 290–307. Springer, Berlin (2006).

  18. Canetti R., Halevi S., Katz J.: Chosen-ciphertext security from identity based encryption. In: Cachin C., Camenisch J.L. (eds.) Advances in Cryptology—EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3027, pp. 207–222. Springer, Berlin (2004).

  19. Cash D., Hofheinz D., Kiltz E., Peikert C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert H. (ed.) Advances in Cryptology—EUROCRYPT 2010. Lecture Notes in Computer Science, vol. 6110, pp. 523–552. Springer, Berlin (2010).

  20. Cocks C.: An identity based encryption scheme based on quadratic residues. In: Cryptography and Coding, 8th IMA International Conference. Lecture Notes in Computer Science, vol. 2260, pp. 360–363. Springer, Berlin (2001).

  21. Cramer R., Shoup V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In: Knudsen L.R. (ed.) Advances in Cryptology—EUROCRYPT 2002. Lecture Notes in Computer Science, vol. 2332, pp. 45–64. Springer, Berlin (2002).

  22. De Caro A., Iovino V., Persiano G.: Fully secure anonymous HIBE and secret-key anonymous IBE with short ciphertexts. In: 4th International Conference—Pairing-Based Cryptography—Pairing 2010. Lecture Notes in Computer Science, vol. 6487, pp. 347–366. Springer, Berlin (2010).

  23. Di Crescenzo G., Saraswat V.: Public key encryption with searchable keywords based on Jacobi symbols. In: Srinathan K., Rangan C.P., Yung M. (eds.) Progress in Cryptology—INDOCRYPT 2007. Lecture Notes in Computer Science, vol. 4859, pp. 282–296. Springer, Berlin (2007).

  24. Dodis Y., Katz J.: Chosen-ciphertext security of multiple encryption. In: Kilian J. (ed.) Theory of Cryptography, TCC 2005. Lecture Notes in Computer Science, vol. 3378, pp. 188–209. Springer, Berlin (2005).

  25. Dolev D., Dwork C., Naor M.: Nonmalleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000).

  26. ElGamal T.: A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 31, 469–472 (1985).

  27. Farshim P., Libert B., Paterson K.G., Quaglia E.A.: Robust encryption, revisited. In: Kurosawa K., Hanaoka G. (eds.) Public-Key Cryptography—PKC 2013. Lecture Notes in Computer Science, vol. 7778, pp. 352–368. Springer, Berlin (2013).

  28. Fuhr T., Paillier P.: Decryptable searchable encryption. In: Susilo W., Liu J.K., Mu Y. (eds.) Provable Security, First International Conference, ProvSec 2007. Lecture Notes in Computer Science, vol. 4784, pp. 228–236. Springer, Berlin (2007).

  29. Gentry C., Silverberg A.: Hierarchical ID-based cryptography. In: Zheng Y. (ed.) Advances in Cryptology—ASIACRYPT 2002. Lecture Notes in Computer Science, vol. 2501, pp. 548–566. Springer, Berlin (2002).

  30. Gentry C.: Practical identity-based encryption without random oracles. In: Vaudenay S. (ed.) Advances in Cryptology—EUROCRYPT 2006. Lecture Notes in Computer Science, vol. 4004, pp. 445–464. Springer, Berlin (2006).

  31. Gentry C., Peikert C., Vaikuntanathan V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the 40th Annual ACM Symposium on Theory of Computing (STOC 2008), pp. 197–206. ACM Press, New York (2008).

  32. Haber S., Pinkas B.: Securely combining public-key cryptosystems. In: Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS 2001), pp. 215–224. ACM Press, New York (2001).

  33. Hofheinz D., Weinreb E.: Searchable encryption with decryption in the standard model. IACR Cryptology ePrint Archive, Report 2008/423 (2008). http://eprint.iacr.org/2008/423. Accessed 25 June 2012.

  34. Horwitz J., Lynn B.: Toward hierarchical identity-based encryption. In: Advances in Cryptology—EUROCRYPT 2002. Lecture Notes in Computer Science, vol. 2322, pp. 466–481. Springer, Berlin (2002).

  35. Krawczyk H., Rabin T.: Chameleon signatures. In: Proceedings of the Network and Distributed System Security Symposium (NDSS 2000). The Internet Society, San Diego (2000).

  36. Kushilevitz E., Ostrovsky R.: Replication is not needed: single database, computationally-private information retrieval. In: 38th Annual Symposium on Foundations of Computer Science (FOCS 1997), pp. 364–373. IEEE Computer Society, Los Alamitos (1997).

  37. Micciancio D., Peikert C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval D., Johansson T. (eds.) Advances in Cryptology—EUROCRYPT 2012. Lecture Notes in Computer Science, vol. 7237, pp. 700–718. Springer, Berlin (2012).

  38. Mohassel P.: A closer look at anonymity and robustness in encryption schemes. In: Masayuki A. (ed.) Advances in Cryptology—ASIACRYPT 2010. Lecture Notes in Computer Science, vol. 6477, pp. 501–518. Springer, Berlin (2010).

  39. Nishioka M.: Perfect keyword privacy in PEKS systems. In: Provable Security—6th International Conference (ProvSec 2012). Lecture Notes in Computer Science, vol. 7496, pp. 175–192. Springer, Berlin (2012).

  40. Okamoto T., Pointcheval D.: The gap-problems: a new class of problems for the security of cryptographic schemes. In: Kim K. (ed.) Proceedings of Public Key Cryptography—PKC 2001. Lecture Notes in Computer Science, vol. 1992, pp. 104–118. Springer, Berlin (2001).

  41. Paterson K.G., Schuldt J.C.N., Stam M., Thomson S.: On the joint security of encryption and signature, revisited. In: Lee D.H., Wang X. (eds.) Advances in Cryptology—ASIACRYPT 2011. Lecture Notes in Computer Science, vol. 7073, pp. 161–178. Springer, Berlin (2011).

  42. Sakai R., Kasahara M.: ID-based cryptosystems with pairing on elliptic curve. Cryptology ePrint Archive, Report 2003/054 (2003). http://eprint.iacr.org/2003/054. Accessed 25 June 2012.

  43. Seo J.H., Cheon J.H.: Fully secure anonymous hierarchical identity-based encryption with constant size ciphertexts. IACR Cryptology ePrint Archive, Report 2011/021 (2011). http://eprint.iacr.org/2011/021. Accessed 25 June 2012.

  44. Shoup V.: A proposal for an ISO standard for public key encryption. IACR Cryptology ePrint Archive, Report 2001/112 (2001). http://eprint.iacr.org/2001/112. Accessed 25 June 2012.

  45. Waters B.: Efficient identity-based encryption without random oracles. In: Advances in Cryptology—EUROCRYPT 2005. Lecture Notes in Computer Science, vol. 3494, pp. 114–127. Springer, Berlin (2005).

  46. Zhang R., Imai H.: Generic combination of public key encryption with keyword search and public key encryption. In: Wang H., Xing C. (eds.) Cryptology and Network Security, 6th International Conference, CANS 2007. Lecture Notes in Computer Science, vol. 4856, pp. 159–174. Springer, Berlin (2007).

Acknowledgments

Yu Chen is supported by the National Natural Science Foundation of China under Grant No. 61303257, 61379141, the Strategic Priority Research Program of CAS under Grant No. XDA06010701, and the National 973 Program of China under Grant No.2011CB302400. Jiang Zhang and Zhenfeng Zhang are sponsored by the National Basic Research Program of China under Grant No. 2013CB338003, and the National Natural Science Foundation of China under Grant No. 61170278, 91118006. We are grateful to Zongyang Zhang, Qiong Huang, and Sherman S.M. Chow for helpful discussions. We also thank the anonymous DCC reviewers for many useful comments.

Author information

Corresponding author

Correspondence to Yu Chen.

Additional information

Communicated by R. Steinwandt.

Appendix: Review of standard definitions

Public-key encryption with keyword search

A non-interactive PEKS scheme [12] consists of four PPT algorithms as follows:

  • \(\mathsf {KeyGen}(\kappa )\): take as input a security parameter \(\kappa \), output a public/secret key pair \((pk, sk)\). Let \(W\) be the set of all possible keywords.

  • \(\mathsf {Encrypt}(pk, w)\): take as input a public key \(pk\) and a keyword \(w \in W\), output a ciphertext \(s\).

  • \(\mathsf {TokenGen}(sk, w)\): take as input a secret key \(sk\) and a keyword \(w \in W\), output a token \(t_w\).

  • \(\mathsf {Test}(t_w, s)\): take as input a token \(t_w\) and a ciphertext \(s \leftarrow \mathsf {Encrypt}(pk, w')\), output 1 if \(w' = w\) and 0 otherwise.

The IND-PEKS-CPA security for PEKS schemes is defined by the following experiment:

Setup: \(\mathcal {CH}\) runs \(\mathsf {KeyGen}(\kappa )\) to generate \((pk, sk)\) and gives \(\mathcal {A}\) the public key \(pk\).

Phase 1: \(\mathcal {A}\) can adaptively make token queries \(\langle w \rangle \). \(\mathcal {CH}\) responds with \(t_w \leftarrow \mathsf {TokenGen}(sk, w)\).

Challenge: \(\mathcal {A}\) outputs two distinct keywords \(w_0^*, w_1^* \in W\) subject to the restriction that they had not been asked for tokens in Phase 1. \(\mathcal {CH}\) picks a random bit \(b\) and sends \(c^* \leftarrow \mathsf {Encrypt}(pk, w_b^*)\) to \(\mathcal {A}\) as the challenge ciphertext.

Phase 2: \(\mathcal {A}\) can adaptively make more token queries \(\langle w \rangle \) subject to the restriction that \(w \ne w_0^*, w_1^*\). \(\mathcal {CH}\) responds the same way as in Phase 1.

Guess: \(\mathcal {A}\) outputs a guess \(b'\) for \(b\) and succeeds if \(b' = b\). We denote this event by \({\mathsf {SuccA}}\) and define \(\mathcal {A}\)’s advantage as \(\mathrm {Adv}_{\mathcal {A}, \text {PEKS}}^{\text {IND-CPA}}(\kappa ) \mathop {=}\limits ^{def }|\Pr [{\mathsf {SuccA}}] - 1/2|\).

Definition 8.1

A PEKS scheme is \((t, q_w, \epsilon )\) IND-PEKS-CPA secure if every \(t\)-time adversary making at most \(q_w\) token queries has advantage at most \(\epsilon \) in the above experiment.

The IND-PEKS-CCA security for PEKS schemes can be defined by a similar experiment by giving the adversary access to an additional test oracle which can determine if \(c\) is an encryption of \(w\). To avoid triviality, test queries \(\langle c^*, w_0^* \rangle \) and \(\langle c^*, w_1^* \rangle \) are not allowed in Phase 2.

Definition 8.2

A PEKS scheme is \((t, q_w, q_t, \epsilon )\) IND-PEKS-CCA secure if every \(t\)-time adversary making at most \(q_w\) token queries and at most \(q_t\) test queries has advantage at most \(\epsilon \) in the IND-PEKS-CCA experiment.

Hierarchical identity-based encryption

Hierarchical identity-based encryption (HIBE) [29, 34] is a generalization of IBE [9] to identities supporting hierarchical structures. In an HIBE scheme, identities are hierarchical and take the form \(id = (id_1, id_2, \dots )\). Each user in the hierarchy can act as a local key-generation authority for all subordinate hierarchical identities. An HIBE scheme consists of five PPT algorithms as follows:

  • \(\mathsf {KeyGen}(\kappa , \ell )\): take as input a security parameter \(\kappa \) and a parameter \(\ell \) for the maximum depth of the HIBE, output a master public/secret key pair \((mpk, msk)\). Let \(I\) be the identity space, \(M\) be the message space, and \(C\) be the ciphertext space. We assume \(mpk\) is an implicit input to the algorithms \(\mathsf {Extract}\), \(\mathsf {Derive}\) and \(\mathsf {Decrypt}\).

  • \(\mathsf {Extract}(msk, id)\): take as input \(msk\) and an identity \(id \in I\), output a decryption key \(dk_{id}\) (see Note 8).

  • \(\mathsf {Derive}(dk_{id}, id')\): take as input a decryption key \(dk_{id}\) for identity \(id = (id_1, \dots , id_{j-1})\) of depth \(j-1\) and an identity \(id' = (id_1, \dots , id_j)\) of depth \(j\), output a decryption key \(dk_{id'}\) for \(id'\).

  • \(\mathsf {Encrypt}(mpk, id, m)\): take as input \(mpk\), an identity \(id \in I\), and a message \(m \in M\), output a ciphertext \(c \in C\).

  • \(\mathsf {Decrypt}(dk_{id}, c)\): take as input a decryption key \(dk_{id}\) for identity \(id\) and a ciphertext \(c \in C\), output a message \(m \in M\) or a reject symbol \(\bot \) indicating \(c\) is invalid.

The basic security notion for HIBE schemes is indistinguishability against adaptive chosen-plaintext attack (IND-HIBE-CPA), which is defined by the following experiment:

Setup: \(\mathcal {CH}\) runs \(\mathsf {KeyGen}(\kappa , \ell )\) to generate \((mpk, msk)\) and gives \(\mathcal {A}\) the master public key \(mpk\).

Phase 1: \(\mathcal {A}\) can adaptively make decryption key extraction queries \(\langle id \rangle \). \(\mathcal {CH}\) responds with \(dk_{id} \leftarrow \mathsf {Extract}(msk, id)\).

Challenge: \(\mathcal {A}\) outputs two distinct messages \(m_0^*\), \(m_1^*\) and an identity \(id^*\) subject to the restriction that any prefix of \(id^*\) had not been queried for decryption keys in Phase 1. \(\mathcal {CH}\) randomly picks a bit \(b\) and sends \(c^* \leftarrow \mathsf {Encrypt}(mpk, id^*, m_b^*)\) to \(\mathcal {A}\) as the challenge ciphertext.

Phase 2: \(\mathcal {A}\) can adaptively make more decryption key extraction queries \(\langle id \rangle \) subject to the restriction that \(id\) is not a prefix of \(id^*\). \(\mathcal {CH}\) responds the same way as in Phase 1.

Guess: \(\mathcal {A}\) outputs a guess \(b'\) for \(b\) and succeeds if \(b' = b\). We denote this event by \({\mathsf {SuccA}}\) and define \(\mathcal {A}\)’s advantage as \(Adv _{\mathcal {A}, \text {HIBE}}^{\text {IND-CPA}}(\kappa ) \mathop {=}\limits ^{def }|\Pr [{\mathsf {SuccA}}]- 1/2|\).

Definition 8.3

A HIBE scheme is \((t, q_k, \epsilon )\) IND-HIBE-CPA secure if every \(t\)-time adversary making at most \(q_k\) decryption key extraction queries has advantage at most \(\epsilon \) in the above experiment.

Selective-identity IND-HIBE-CPA security can be defined similarly. The difference is that the adversary has to commit a target identity \(id^*\) before seeing \(mpk\) and is not allowed to query decryption keys for any prefix of \(id^*\) throughout the experiment.

Orthogonal to security, anonymity captures identity privacy: a ciphertext should reveal no information about the recipient’s identity. To allow a fine-grained treatment, Abdalla et al. [2] defined anonymity with respect to a set \(L\) of levels, meaning that in the anonymity experiment the adversary is challenged to distinguish two distinct identities that differ only at levels \(l \in L\). For ease of notation, we will write \(l\) rather than \(\{l\}\) when \(L = \{l\}\) is a singleton set. Let \(\mathsf {diff}(\cdot , \cdot )\) be a function outputting the set of levels at which the two input identities differ. We recall the definition of anonymity for HIBE schemes as follows:

Setup: \(\mathcal {CH}\) runs \(\mathsf {KeyGen}(\kappa , \ell )\) to generate \((mpk, msk)\) and gives \(\mathcal {A}\) the master public key \(mpk\).

Phase 1: \(\mathcal {A}\) can adaptively make decryption key queries \(\langle id \rangle \). \(\mathcal {CH}\) responds with \(dk_{id} \leftarrow \mathsf {Extract}(msk, id)\).

Challenge: \(\mathcal {A}\) outputs a message \(m^*\) and two distinct identities \(id_0^*\), \(id_1^*\) subject to the restrictions that any prefix of \(id_0^*\) and \(id_1^*\) had not been asked for decryption keys and \(\mathsf {diff}(id_0^*, id_1^*) \subset L\). \(\mathcal {CH}\) picks a random \(b \in \{0,1\}\) and gives \(c^* \leftarrow \mathsf {Encrypt}(mpk, id_b^*, m^*)\) to \(\mathcal {A}\) as the challenge ciphertext.

Phase 2: \(\mathcal {A}\) can adaptively make more decryption key extraction queries for any identity \(id\) subject to the restriction that \(id\) is not a prefix of \(id_0^*\) or \(id_1^*\). \(\mathcal {CH}\) responds the same way as in Phase 1.

Guess: \(\mathcal {A}\) outputs a guess \(b'\) for \(b\) and succeeds if \(b'=b\). We denote this event by \({\mathsf {SuccA}}\) and define \(\mathcal {A}\)’s advantage as \(Adv _{\mathcal {A}, \text {HIBE}}^{\text {ANO-CPA}}(\kappa ) \mathop {=}\limits ^{def }|\Pr [{\mathsf {SuccA}}]- 1/2|\).

Definition 8.4

A HIBE scheme is \((t, q_k, \epsilon )\) ANO-HIBE-CPA \([L]\)-anonymous if every \(t\)-time adversary making at most \(q_k\) decryption key extraction queries has advantage at most \(\epsilon \) in the above experiment.

When considering anonymity for HIBE schemes in the presence of chosen-ciphertext attack, we obtain ANO-HIBE-CCA security [3], which is defined by an experiment similar to the one above in which the adversary is additionally given access to a decryption oracle, subject to the natural restriction that the decryption queries \(\langle id_0^*, c^* \rangle \) and \(\langle id_1^*, c^* \rangle \) are not allowed in Phase 2.

Definition 8.5

A HIBE scheme is \((t, q_k, q_d, \epsilon )\) ANO-HIBE-CCA \([L]\)-anonymous if every \(t\)-time adversary making at most \(q_k\) decryption key extraction queries and at most \(q_d\) decryption queries has advantage at most \(\epsilon \) in the ANO-HIBE-CCA experiment.

Signatures

A signature scheme consists of three PPT algorithms as follows:

  • \(\mathsf {KeyGen}(\kappa )\): take as input a security parameter \(\kappa \), output a verification key \(vk\) and a signing key \(sk_\sigma \). Let \(M\) be the message space.

  • \(\mathsf {Sign}(sk_\sigma , m)\): take as input a signing key \(sk_\sigma \) and a message \(m \in M\), output a signature \(\sigma \).

  • \(\mathsf {Verify}(vk, m, \sigma )\): take as input a verification key \(vk\), a message \(m\), and a signature \(\sigma \), output \(1\) for “acceptance” or \(0\) for “rejection”.

For the correctness of a signature scheme, we require that for all \((vk,sk_\sigma ) \leftarrow \mathsf {KeyGen}(\kappa )\) and all \(m \in M\), \(\mathsf {Verify}(vk, m, \mathsf {Sign}(sk_\sigma ,m)) = 1\) always holds. If \((\sigma , m)\) satisfies \(\mathsf {Verify}(vk, m, \sigma ) = 1\), then \(\sigma \) is said to be a valid signature of message \(m\) under the verification key \(vk\).

A strong notion of security for signature schemes is strong existential unforgeability under adaptive chosen-message attack (sEUF-CMA), which is defined by the following experiment:

Setup: \(\mathcal {CH}\) runs \(\mathsf {KeyGen}(\kappa )\) to generate \((vk, sk_\sigma )\) and gives \(\mathcal {A}\) the verification key \(vk\).

Forgery: \(\mathcal {A}\) may do one of the following:

  • \(\mathcal {A}\) adaptively makes signing queries \(\langle m_i \rangle \) and is given in return \(\sigma _i \leftarrow \mathsf {Sign}(sk_\sigma , m_i)\). After this, \(\mathcal {A}\) outputs \((m^*, \sigma ^*)\).

  • \(\mathcal {A}\) outputs \((m^*, \sigma ^*)\) without making any signing queries. In this case \((m_i, \sigma _i)\) are undefined.

We denote the event that \(\mathcal {A}\) outputs \((m^*, \sigma ^*)\) such that \(\mathsf {Verify}(vk, m^*, \sigma ^*) = 1\) but \((m^*, \sigma ^*) \ne (m_i, \sigma _i)\) (if \((m_i, \sigma _i)\) are defined) as \({\mathsf {SuccA}}\), and define \(\mathcal {A}\)’s advantage as \(\mathrm {Adv}_{\mathcal {A}, \text {SIG}}^{\text {sEUF-CMA}} \mathop {=}\limits ^{def }\Pr [{\mathsf {SuccA}}]\).

Definition 8.6

A signature scheme is \((t, q_s, \epsilon )\) sEUF-CMA secure if every \(t\)-time adversary making at most \(q_s\) signing queries has advantage at most \(\epsilon \) in the above experiment. In particular, a signature scheme is one-time strongly unforgeable if it is \((t, 1, \epsilon )\) sEUF-CMA secure.
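As an added illustration that is not part of the paper, the following Python code implements a Lamport-style one-time signature built from a hash function (the kind of one-way-function-based one-time signature Note 5 refers to) and runs the sEUF-CMA experiment of Definition 8.6 against it with the budget \(q_s = 1\); the function names, the `q_s` budget check and the `replay_adversary` are constructed for this example.

```python
# Lamport one-time signature from a one-way function (SHA-256 here), plus the
# sEUF-CMA experiment of Definition 8.6 with a signing-query budget q_s.
# Added example; names and the replay adversary are this example's own.
import hashlib
import os

N = 256  # digest length in bits; every bit of H(m) selects one preimage to reveal


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def keygen(rand=os.urandom):
    # sk_sigma: two random 32-byte preimages per bit position; vk: their images.
    sk_sigma = [[rand(32), rand(32)] for _ in range(N)]
    vk = [[H(pair[0]), H(pair[1])] for pair in sk_sigma]
    return vk, sk_sigma


def _bits(m: bytes):
    d = int.from_bytes(H(m), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


def sign(sk_sigma, m: bytes):
    # Reveal, for each bit b_i of H(m), the preimage stored at (i, b_i).
    return [sk_sigma[i][b] for i, b in enumerate(_bits(m))]


def verify(vk, m: bytes, sigma) -> int:
    # Output 1 for acceptance, 0 for rejection (the paper's convention).
    if len(sigma) != N:
        return 0
    for i, b in enumerate(_bits(m)):
        if H(sigma[i]) != vk[i][b]:
            return 0
    return 1


def seuf_cma_experiment(adversary, q_s: int = 1) -> bool:
    """Run the sEUF-CMA game: adversary(vk, sign_oracle) -> (m*, sigma*).
    Returns True iff SuccA occurs, i.e. the forgery verifies and differs as a
    pair from every (m_i, sigma_i) the signing oracle handed out."""
    vk, sk_sigma = keygen()
    queried = []

    def sign_oracle(m: bytes):
        if len(queried) >= q_s:
            raise RuntimeError("signing-query budget q_s exhausted")
        s = sign(sk_sigma, m)
        queried.append((m, s))
        return s

    m_star, sigma_star = adversary(vk, sign_oracle)
    if verify(vk, m_star, sigma_star) != 1:
        return False
    return all((m_star, sigma_star) != pair for pair in queried)


def replay_adversary(vk, sign_oracle):
    # The trivial strategy Definition 8.6 excludes: output a queried pair as-is.
    m = b"constructed sample message"
    return m, sign_oracle(m)
```

Replaying the oracle's own output verifies but is not counted as SuccA, which is exactly the distinction between plain and strong unforgeability that the definition draws.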

Cite this article

Chen, Y., Zhang, J., Lin, D. et al. Generic constructions of integrated PKE and PEKS. Des. Codes Cryptogr. 78, 493–526 (2016). https://doi.org/10.1007/s10623-014-0014-x

Keywords

  • PKE–PEKS
  • Joint security
  • Consistency
  • Collision-freeness
  • Robustness

Mathematics Subject Classification

  • 94A60