Publicly verifiable searchable symmetric encryption based on efficient cryptographic components

Abstract

Public verifiability is an interesting feature that cryptographic protocols, such as those used in cloud computing applications, may support. By public verifiability, the client can delegate the verification process to a third party auditor without revealing the private key or data. The main contribution of this paper is achieving public verifiability in the symmetric setting of searchable encryption (SE), separately for single and Boolean keyword search. While Public verifiability in SE has already been achieved using complex tools such as indistinguishability obfuscation or pairing, this work employs basic cryptographic components and assumptions, such as pseudo-random functions, one-way functions, digital signatures and the DDH assumption.

Appendix A: Background

1.1 A.1: Basic primitives and assumptions

Decision Diffie-Hellman Assumption. Let G be a prime order cyclic group of order p with generator g. We say that the decision Diffie-Hellman (DDH) assumption holds in G if for all P.P.T adversaries \(\mathcal {A}\) there exists a negligible function \(\mathrm {negl}\) such that:

$$\begin{aligned} \bigg |\Pr [\mathcal {A}(g, g^a, g^b, g^{ab}) = 1]-\Pr [\mathcal {A}(g, g^a, g^b, g^c) = 1]\bigg |\le \mathrm {negl}(\lambda ), \end{aligned}$$

where the probability is over the randomness of \(\mathcal {A}\) and uniformly chosen a, b, c from \(\mathbb {Z}^*_p\).

Definition 9

(CPA-Secure Symmetric Encryption Scheme [20]) For any symmetric encryption scheme \(\varPi =(\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) the following game is defined.

\(\mathsf {SymK}_{\mathcal {A},\varPi }^{\mathsf {cpa}}(\lambda )\): A key K is generated by running \(\mathsf {Gen}(1^\lambda )\). The adversary \(\mathcal {A}\) is given input \(1^\lambda \) and oracle access to \(\mathsf {Enc}(K,.)\) and outputs a pair of messages \(m_0,m_1\) of the same length. A uniform bit \(b\in \{0, 1\}\) is chosen, and then a ciphertext \(c\leftarrow \mathsf {Enc}(K,m_b)\) is computed and given to \(\mathcal {A}\). The adversary \(\mathcal {A}\) continues to have oracle access to \(\mathsf {Enc}(K,.)\), and outputs a bit \(b'\). The output of the game denoted by \(\mathsf {SymK}_{\mathcal {A},\varPi }^{\mathsf {cpa}}(\lambda )\), is defined to be 1 if \(b'=b\), and 0 otherwise.

We say that \(\varPi \) is CPA-secure, if for all P.P.T adversaries \(\mathcal {A}\) there is a negligible function \(\mathrm {negl}\) such that

$$\begin{aligned} \Pr [\mathsf {SymK}_{\mathcal {A},\varPi }^{\mathsf {cpa}}(\lambda )=1]\le \frac{1}{2}+\mathrm {negl}(\lambda ). \end{aligned}$$

Definition 10

(Second-Preimage Resistant Hash Function) A second-preimage resistant hash function (with output length l) is a hash function \(H:\{0,1\}^*\rightarrow \{0,1\}^l\) if for all P.P.T adversaries \(\mathcal {A}\) there is a negligible function \(\mathrm {negl}\) such that:

$$\begin{aligned} \Pr [x\leftarrow \{0,1\}^*, x'\leftarrow \mathcal {A}(x)~:~x'\ne x,~H(x')=H(x)]\le \mathrm {negl}(\lambda ). \end{aligned}$$

Definition 11

(Pseudo-Random Function) Let \(\mathsf {Func}[n,m]\) be the set of all functions from \(\{0, 1\}^n\) to \(\{0, 1\}^m\). A function \(F : \{0, 1\}^\lambda \times \{0, 1\}^n\rightarrow \{0, 1\}^m\) is pseudo-random if it is computable in polynomial time (in \(\lambda \)) and if for all P.P.T adversaries \(\mathcal {A}\) there is a negligible function \(\mathrm {negl}\) such that:

$$\begin{aligned} \bigg |\Pr [K\leftarrow \{0, 1\}^\lambda ~:~\mathcal {A}^{F(K,.)}(\lambda ) = 1 ] -\Pr [g \leftarrow \mathsf {Func}[n,m] ~:~\mathcal {A}^{g(.)}(\lambda ) = 1]\bigg | \le \mathrm {negl}(\lambda ). \end{aligned}$$

If F is bijective then it is a pseudo-random permutation.

Definition 12

(Strong One-Way Function) A function \(g : \{0, 1\}^*\rightarrow \{0, 1\}^*\) is a strong one-way function if it is computable in polynomial time (in \(\lambda \)) and if for all P.P.T adversaries \(\mathcal {A}\) there exists a negligible function \(\mathrm {negl}\) such that for any input length \(n=n(\lambda )\),

$$\begin{aligned} \Pr [x\leftarrow \{0,1\}^n,~y\leftarrow g(x): ~g(\mathcal {A}(1^n,y))=y]\le \mathrm {negl}(\lambda ). \end{aligned}$$

1.2 A.2: Signature scheme

The correctness and security of a signature scheme are defined as follows.

Definition 13

(Correctness [20]) A signature scheme \(\varGamma =(\mathsf {Gen}, \mathsf {Sign},\mathsf {Vrfy})\) is correct if except with negligible probability over (pk, sk) output by \(\mathsf {Gen}(1^\lambda )\), it holds that

\(\mathsf {Vrfy}(pk,m,\mathsf {Sign}(sk,m)) = 1\) for every message m.

Definition 14

(Security [20]) Let \(\varGamma =(\mathsf {Gen}, \mathsf {Sign},\mathsf {Vrfy})\) be a signature scheme, and consider the following experiment for an adversary \(\mathcal {A}\):

\(\mathsf {Forge}_\mathcal {A}^\varGamma (\lambda )\): \(\mathsf {Gen}(1^\lambda )\) is run to obtain keys (pk, sk). The adversary \(\mathcal {A}\) is given pk and access to the oracle \(\mathsf {Sign}(sk,.)\). The adversary then outputs \((m,\sigma )\). Let \(\mathbf {q}\) denote the set of all queries that \(\mathcal {A}\) asked its oracle. The output of the experiment, denoted by \(\mathsf {Forge}_\mathcal {A}^\varGamma (\lambda )\), is defined to be 1, if and only if (1) \(\mathsf {Vrfy}(pk,m,\sigma ) = 1\) and (2) \(m\notin \mathbf {q}\).

We say the signature scheme \(\varGamma \) is existentially unforgeable under an adaptive chosen-message attack, or just secure, if for all P.P.T adversaries \(\mathcal {A}\), there is a negligible function \(\mathrm {negl}\) such that:

$$\begin{aligned} \Pr [\mathsf {Forge}_\mathcal {A}^\varGamma (\lambda ) = 1] \le \mathrm {negl}(\lambda ). \end{aligned}$$

1.3 A.3: TSet scheme

Definition 15

(Correctness [8]) For the adversary \(\mathcal {A}\) and a TSet scheme \(\varSigma =(\mathsf {Setup},\mathsf {GetTag}, \mathsf {Retrieve})\), the following game is defined.

\( \mathsf {ComCor}_\mathcal {A}^\varSigma (\lambda )\): \(\mathcal {A}(1^\lambda )\) chooses T, the game generates \((TSet,K )\leftarrow \mathsf {Setup}(T)\), gives TSet to \(\mathcal {A}\). Then the adversary adaptively chooses keywords w. For each query w from the adversary, the game generates \(tg \leftarrow \mathsf {GetTag}(K ,w)\) and \(t_w \leftarrow \mathsf {Retrieve}(TSet, tg)\). The game outputs 1 if in any execution the server outputs \(t_w \ne T[w]\), and 0 otherwise. The output of the game is denoted by the random variable \( \mathsf {ComCor}_\mathcal {A}^\varSigma (\lambda )\).

We say that a TSet scheme \(\varSigma \) is computationally correct if for all P.P.T adversaries \(\mathcal {A}\) there exists a negligible function \(\mathrm {negl}\) such that:

$$\begin{aligned} \Pr [\mathsf {ComCor}_\mathcal {A}^\varSigma (\lambda )=1]\le \mathrm {negl}(\lambda ). \end{aligned}$$

Definition 16

(Adaptive-Security [8]) Let \(\varSigma = (\mathsf {Setup}, \mathsf {GetTag}, \mathsf {Retrieve})\) be a TSet scheme and \(\mathcal {L}_T\) be a stateful algorithm. For the adversary \(\mathcal {A}\) and the simulator \(\mathcal {S}\), two following games are defined.

• \(\mathsf {Real}_\mathcal {A}^\varSigma (\lambda )\): \(\mathcal {A}(1^\lambda )\) outputs T. The game runs \((TSet,K )\leftarrow \mathsf {Setup}(T)\) and gives TSet to \(\mathcal {A}\). Then \(\mathcal {A}\) adaptively chooses keywords w. For each w from the adversary, the game gives \(tg\leftarrow \mathsf {GetTag}(K, w)\) to \(\mathcal {A}\). Eventually \(\mathcal {A}\) outputs a bit which the game uses as its output denoted by \(\mathsf {Real}_\mathcal {A}^\varSigma (\lambda )\).

• \(\mathsf {Sim}_\mathcal {A}^\varSigma (\lambda )\): The game initializes a counter \(i = 0\) and an empty list \(\mathbf {q}\). \(\mathcal {A}(1^\lambda )\) outputs T. The game runs \(TSet^*\leftarrow \mathcal {S}(\mathcal {L}_T(T))\) and gives \(TSet^*\) to \(\mathcal {A}\). Then \(\mathcal {A}\) adaptively chooses keywords w, and for each w the game stores w in \(\mathbf {q}[i]\), increments i, and gives \(\mathcal {A}\) the output of \(\mathcal {S}(\mathcal {L}_T (T,\mathbf {q}))\). Eventually, \(\mathcal {A}\) outputs a bit which the game uses as its output denoted by \(\mathsf {Sim}_\mathcal {A}^\varSigma (\lambda )\).

We say that \(\varSigma \) is a \(\mathcal {L}_T\)-adaptively-secure if for all P.P.T adversaries \(\mathcal {A}\) there exists an algorithm \(\mathcal {S}\) such that:

$$\begin{aligned} | \Pr [\mathsf {Real}_\mathcal {A}^\varSigma (\lambda )= 1]-\Pr [\mathsf {Sim}_\mathcal {A}^\varSigma (\lambda )= 1] |\le \mathrm {negl}(\lambda ). \end{aligned}$$