Privacy-Preserving Plaintext-Equality of Low-Entropy Inputs

Part of the Lecture Notes in Computer Science book series (LNSC,volume 10892)


Confidentiality requires keeping information away from the eyes of non-legitimate users, while practicality requires making that information usable by authorized users. The former is addressed with cryptography and encryption schemes; the combination of both has been shown to be possible with advanced techniques that permit computations on encrypted data. Searchable encryption concentrates on the problem of extracting specific information from a ciphertext.

In this paper, we focus on a concrete use-case where sensitive tokens (medical records) allow third parties to find matching properties (compatible organ donor) without revealing more information than necessary (contact information).

We reduce this case to the plaintext-equality problem. In our particular application, however, the message space is of limited size or, equivalently, the entropy of the plaintexts is small, so existing public-key solutions are not fully satisfactory. We therefore propose a suitable security model and give an instantiation with an appropriate security analysis.
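The following Python example is added here to make the low-entropy issue concrete; it is not code from the paper and does not implement the paper's scheme. It models the equality-test capability as a function anybody can evaluate, uses a constructed eight-value message space (blood groups) as the low-entropy attribute, and shows that such a test recovers the plaintext behind a token in at most eight queries, whereas an outsider who lacks the secret fingerprinting key cannot even build a test to run (the footnote-style separation of fingerprinting and testing capabilities is what the paper's model formalises; the SHA-256 and HMAC stand-ins below are assumptions for illustration).

```python
"""Why a public equality test leaks low-entropy plaintexts.
Added example, not the paper's code; message space and primitives are constructed."""
import hashlib
import hmac
import secrets

# Constructed low-entropy message space: about log2(8) = 3 bits of entropy.
BLOOD_GROUPS = ["O-", "O+", "A-", "A+", "B-", "B+", "AB-", "AB+"]


def public_fingerprint(m: str) -> bytes:
    """Deterministic token anybody can recompute (stand-in for deterministic
    encryption or an unkeyed hash): testing equality needs no secret."""
    return hashlib.sha256(m.encode()).digest()


def keyed_fingerprint(key: bytes, m: str) -> bytes:
    """Token that needs a secret fingerprinting key (stand-in for a keyed scheme)."""
    return hmac.new(key, m.encode(), "sha256").digest()


def recover_by_enumeration(token: bytes, test, message_space):
    """Given any equality test the caller can run, recover the plaintext of
    `token` with at most len(message_space) queries.
    Returns (plaintext or None, number of test queries used)."""
    for n, candidate in enumerate(message_space, 1):
        if test(candidate, token):
            return candidate, n
    return None, len(message_space)


def enumeration_demo():
    m = "AB-"
    # Case 1: the test capability is public, so the small message space is
    # walked through and the plaintext falls out after a handful of queries.
    tok = public_fingerprint(m)
    public_test = lambda cand, t: hmac.compare_digest(public_fingerprint(cand), t)
    found, queries = recover_by_enumeration(tok, public_test, BLOOD_GROUPS)

    # Case 2: fingerprints require a secret key; an outsider without it has no
    # usable test, so the same enumeration finds nothing.
    key = secrets.token_bytes(32)
    tok_keyed = keyed_fingerprint(key, m)
    outsider_test = lambda cand, t: hmac.compare_digest(public_fingerprint(cand), t)
    found_keyed, _ = recover_by_enumeration(tok_keyed, outsider_test, BLOOD_GROUPS)
    return found, queries, found_keyed


if __name__ == "__main__":
    print(enumeration_demo())
```

The number of queries is bounded by the size of the message space, not by any key length; that is why deterministic or publicly testable tokens are unsatisfactory for low-entropy data, and why the paper's model restricts who may run the test.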



DOI: 10.1007/978-3-319-93387-0_14
Fig. 1.


  1.

  2. Even the testing key should give no advantage to anybody in generating fingerprints.

  3. Even the fingerprinting key should give no advantage to anybody in making tests.


  1. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. Cryptology ePrint Archive, Report 2005/015 (2005)

  2. Bellare, M., Boldyreva, A., O'Neill, A.: Deterministic and efficiently searchable encryption. Cryptology ePrint Archive, Report 2006/186 (2006)

  3. Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004)

  4. Canard, S., Fuchsbauer, G., Gouget, A., Laguillaumie, F.: Plaintext-checkable encryption. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 332–348. Springer, Heidelberg (2012)

  5. Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) CRYPTO 1982, pp. 199–203. Plenum Press, New York (1982)

  6. Freedman, M.J., Nissim, K., Pinkas, B.: Efficient private matching and set intersection. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 1–19. Springer, Heidelberg (2004)

  7. Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)

  8. Jager, T.: Black-Box Models of Computation. Vieweg+Teubner Verlag, Wiesbaden (2012)

  9. Lu, Y., Zhang, R., Lin, D.: Stronger security model for public-key encryption with equality test. In: Abdalla, M., Lange, T. (eds.) Pairing 2012. LNCS, vol. 7708, pp. 65–82. Springer, Heidelberg (2013)

  10. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992)

  11. Pointcheval, D., Sanders, O.: Short randomizable signatures. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 111–126. Springer, Cham (2016)

  12. Pointcheval, D., Sanders, O.: Reassessing security of randomizable signatures. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 319–338. Springer, Cham (2018)

  13. Shamir, A.: How to share a secret. Commun. Assoc. Comput. Mach. 22(11), 612–613 (1979)

  14. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997)

  15. Song, D.X., Wagner, D., Perrig, A.: Practical techniques for searches on encrypted data. In: 2000 IEEE Symposium on Security and Privacy, pp. 44–55. IEEE Computer Society Press, May 2000

  16. Yang, G., Tan, C.H., Huang, Q., Wong, D.S.: Probabilistic public key encryption with equality test. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 119–131. Springer, Heidelberg (2010)


This work was supported in part by the European Research Council under the European Community’s Seventh Framework Programme (FP7/2007-2013 Grant Agreement no. 339563 – CryptoCloud).

Corresponding author

Correspondence to Quentin Santos .

A Proof of Theorem 1


We prove q-\({\textsf {DMSDH}}\)-1 in the generic bilinear group model. The generic group model (not bilinear) was used by Victor Shoup in [Sho97] to assess more tightly the difficulty of computing the discrete logarithm and related problems. A much clearer introduction to this technique can be found in [Jag12]. The generic bilinear group model is presented in appendix A of [BBG05]. It is essentially a formal way to enumerate the values that an adversary can compute from a restricted number of inputs, using only the group laws.

We use the classical approach of simulating group operations by an oracle \(\mathcal {G}\), which operates on arbitrary representations \({(\xi _{1,i})}_i\), \({(\xi _{2,i})}_i\), \({(\xi _{T,i})}_i\) of the elements of \(\mathbb {G}_1\), \(\mathbb {G}_2\) and \(\mathbb {G}_T\) (respectively). The oracle is built such that all interactions are carried out without reference to the secret values, so that the adversary's success reduces to a guess.

For instance, \(\mathcal {G}(\times , \xi _{1,i}, \xi _{1,j})\) returns a representation of the product of the underlying values in \(\mathbb {G}_1\). The oracle \(\mathcal {G}\) similarly allows the adversary \(\mathcal {A}\) to compute products in \(\mathbb {G}_2\) and \(\mathbb {G}_T\), evaluate the pairing e, and test two representations for equality of the underlying values.

To simulate the operations, the oracle \(\mathcal {G}\) stores the values known to the adversary \(\mathcal {A}\) (initially, and after each request) in lists \(L_1\), \(L_2\) and \(L_T\) (one per group). To track how the adversary \(\mathcal {A}\) obtained these values, we save with each representation \(\xi _{\square ,i}\) a polynomial \(p_{\square ,i}\) corresponding to the operations used to compute the value. The representations themselves are not important; the reader must simply remember that a new random representation is generated for each newly computed value, and that testing whether a value is fresh is done by searching for its polynomial in the relevant list \(L_1\), \(L_2\) or \(L_T\).

The values initially provided to the adversary \(\mathcal {A}\) are:

  • in \(\mathbb {G}_1\): \({(g^{x^i})}_{0 \le i \le q}\), \(g^a\), \(g^{a \cdot x}\), \(h^{\frac{1}{x + w}}\), \(h^{\frac{a}{P(x)}}\)

  • in \(\mathbb {G}_2\): \({({\tilde{g}}^{x^i})}_{0 \le i \le q}\), \({\tilde{g}}^a\)

To simulate operations over these elements, we set r such that \(h = g^r\) and introduce the indeterminate values \(\bar{x}\), \(\bar{a}\), \(\bar{r}\). Then, we initialize \(L_1 = {\{{\bar{x}}^i\}}_i \cup \{\bar{a}, \bar{a} \bar{x}, \frac{\bar{r}}{\bar{x} + w}, \frac{\bar{a} \cdot \bar{r}}{P(\bar{x})}\}\), \(L_2 = {\{{\bar{x}}^i\}}_i \cup \{\bar{a}\}\) and \(L_T = \varnothing \) (along with arbitrary representations), and set:

  • \(\mathcal {G}(\times , \xi _{\square ,i}, \xi _{\square ,j})\): append \(p_{\square ,i} + p_{\square ,j}\) to \(L_\square \)

  • \(\mathcal {G}(=, \xi _{\square ,i}, \xi _{\square ,j})\): return whether \(p_{\square ,i} = p_{\square ,j}\)

  • \(\mathcal {G}(e, \xi _{1,i}, \xi _{2,j})\): append \(p_{1,i} \times p_{2,j}\) to \(L_T\)

Remark 4

Comparing the representations directly is equivalent to calling the group oracle for testing, because the representations are generated so as to be equal exactly when the corresponding polynomials are equal.
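The following Python example is added here as an executable reading of the oracle just described; it is not the paper's code. It keeps lists \(L_1\), \(L_2\) and \(L_T\) of (representation, polynomial) pairs, implements the three oracle calls (product, equality, pairing) on exponent polynomials, reuses a representation whenever the same polynomial is already in the list (Remark 4), and hands the adversary exactly the initial values listed above. The concrete choices \(w = 7\), \(P(x) = x^2 + 3x + 5\) and \(q = 2\) are constructed for the example; to keep the arithmetic to integer polynomials, exponents of \(\mathbb {G}_1\) and \(\mathbb {G}_T\) elements are stored as numerators over the fixed denominator \(D = (x + w) P(x)\), so equality of stored polynomials is equality of the underlying rational functions.

```python
"""Toy generic bilinear group oracle for the q-DMSDH-1 setting.
Added example, not the paper's code; w, P(x) and q are constructed."""
import secrets
from itertools import product as iproduct

# Formal polynomials in the indeterminates (x, a, r): a dict mapping the
# exponent triple (ex, ea, er) to an integer coefficient, zeros dropped, so
# that dict equality is exactly equality of formal polynomials.
def _clean(p):
    return {m: c for m, c in p.items() if c != 0}

def padd(p, q):
    out = dict(p)
    for m, c in q.items():
        out[m] = out.get(m, 0) + c
    return _clean(out)

def pmul(p, q):
    out = {}
    for (m1, c1), (m2, c2) in iproduct(p.items(), q.items()):
        m = (m1[0] + m2[0], m1[1] + m2[1], m1[2] + m2[2])
        out[m] = out.get(m, 0) + c1 * c2
    return _clean(out)

def mono(ex=0, ea=0, er=0, c=1):
    return _clean({(ex, ea, er): c})

# Constructed parameters: w = 7 and P(x) = x^2 + 3x + 5, coprime to x + w
# since P(-7) = 33 != 0.  D = (x + w) P(x) is the common denominator behind
# every stored G_1 and G_T exponent.
Q, W = 2, 7
X_PLUS_W = padd(mono(ex=1), mono(c=W))
P = padd(padd(mono(ex=2), mono(ex=1, c=3)), mono(c=5))
D = pmul(X_PLUS_W, P)

class GenericBilinearGroup:
    """Opaque handles backed by exponent polynomials (the lists L_1, L_2, L_T)."""
    def __init__(self):
        self.lists = {1: [], 2: [], "T": []}
        self.queries = 0

    def register(self, group, poly):
        # Same polynomial -> same handle (Remark 4); fresh value -> fresh handle.
        for h, p in self.lists[group]:
            if p == poly:
                return h
        h = secrets.token_hex(8)
        self.lists[group].append((h, poly))
        return h

    def poly(self, group, handle):
        for h, p in self.lists[group]:
            if h == handle:
                return p
        raise ValueError("unknown handle")

    def mul(self, group, h1, h2):          # G(x, ., .): exponents add
        self.queries += 1
        return self.register(group, padd(self.poly(group, h1), self.poly(group, h2)))

    def pow_scalar(self, group, h, k):     # k-fold product, k >= 1, via mul
        out = h
        for _ in range(k - 1):
            out = self.mul(group, out, h)
        return out

    def equal(self, group, h1, h2):        # G(=, ., .): compare polynomials
        self.queries += 1
        return self.poly(group, h1) == self.poly(group, h2)

    def pair(self, h1, h2):                # G(e, ., .): exponents multiply into L_T
        self.queries += 1
        return self.register("T", pmul(self.poly(1, h1), self.poly(2, h2)))

def setup(q=Q):
    """Hand the adversary the initial values listed in the proof."""
    G = GenericBilinearGroup()
    g1 = {f"g^x^{i}": G.register(1, pmul(mono(ex=i), D)) for i in range(q + 1)}
    g1["g^a"] = G.register(1, pmul(mono(ea=1), D))
    g1["g^ax"] = G.register(1, pmul(mono(ex=1, ea=1), D))
    g1["h^1/(x+w)"] = G.register(1, pmul(mono(er=1), P))              # r/(x+w) = r P(x) / D
    g1["h^a/P(x)"] = G.register(1, pmul(mono(ea=1, er=1), X_PLUS_W))  # a r/P(x) = a r (x+w) / D
    g2 = {f"g~^x^{i}": G.register(2, mono(ex=i)) for i in range(q + 1)}
    g2["g~^a"] = G.register(2, mono(ea=1))
    return G, g1, g2

def gbgm_demo():
    G, g1, g2 = setup()
    # A genuine relation the simulation must reproduce: e(g^x, g~) = e(g, g~^x).
    trivial = G.equal("T", G.pair(g1["g^x^1"], g2["g~^x^0"]),
                           G.pair(g1["g^x^0"], g2["g~^x^1"]))
    # e(h^{1/(x+w)}, g~^{x+w}) has exponent r; nothing built without the
    # challenge pair can equal it, matching the C_1 = C_2 = 0 argument below.
    g2_xw = G.mul(2, g2["g~^x^1"], G.pow_scalar(2, g2["g~^x^0"], W))
    target = G.pair(g1["h^1/(x+w)"], g2_xw)
    others = [G.pair(h1, h2) for k, h1 in g1.items() if not k.startswith("h^")
              for h2 in g2.values()]
    collisions = sum(G.equal("T", target, o) for o in others)
    return trivial, collisions, G.queries

if __name__ == "__main__":
    print(gbgm_demo())
```

The query counter is what the final bound of the proof is expressed in: every equality test is one more chance for the adversary to hit a root of a difference of polynomials, and the oracle never consults the actual secrets x, a, r.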

We now have to show two things: the simulation does not allow the adversary to distinguish between \((h^{\frac{1}{x + w}}, h^{\frac{a}{P(x)}})\) and a pair of random elements from \(\mathbb {G}_1\); the simulation is indistinguishable from the initial game.

Indistinguishability in Simulation. Since representations are opaque, the adversary can only obtain information from testing two values for equality (either of representations or through the group oracle \(\mathcal {G}\)).

Comparing elements of \(\mathbb {G}_1\). Consider a comparison of \(\xi _{1,i}\) to \(\xi _{1,j}\); the difference of their polynomials, \(p_{1,i} - p_{1,j}\), is of the form:

$$ \sum _i C_x^{(i)} {\bar{x}}^i + C_a \bar{a} + C_{ax} \bar{a} \bar{x} + C_1 \frac{\bar{r}}{\bar{x} + w} + C_2 \frac{\bar{a} \cdot \bar{r}}{P(\bar{x})} $$

Viewed as a polynomial in \(\bar{r}\), if this were equal to zero, then its linear term would give:

$$ C_1 P(\bar{x}) + C_2 \bar{a} (\bar{x} + w) = 0 $$

and viewed as a polynomial in \(\bar{a}\), this implies \(C_1 = C_2 = 0\). Thus, the polynomial does not depend on the challenge pair.

Comparing elements of \(\mathbb {G}_2\). Elements in \(\mathbb {G}_2\) do not depend on the challenge pair.

Comparing elements of \(\mathbb {G}_T\). Since \(L_T\) starts out empty, a comparison of \(\xi _{T,i}\) to \(\xi _{T,j}\) corresponds to polynomials whose difference \(p_{T,i} - p_{T,j}\) is a sum of products of one element from \(\mathbb {G}_1\) and one element from \(\mathbb {G}_2\), thus of the form:

$$ \sum _i \bigg ( Q(\bar{x}) + C_{i,a} \bar{a} + C_{i,ax} \bar{a} \bar{x} + C_{i,1} \frac{\bar{r}}{\bar{x} + w} + C_{i,2} \frac{\bar{a} \cdot \bar{r}}{P(\bar{x})} \bigg ) \times \bigg ( R(\bar{x}) + {\tilde{C}}_{i,a} \bar{a} \bigg ) $$

where Q and R are polynomials of degree at most q. Viewed as a polynomial in \(\bar{r}\), if this were the zero polynomial, then the linear term would imply that:

$$ \sum _i \bigg ( C_{i,1} P(\bar{x}) + C_{i,2} \bar{a} (\bar{x} + w) \bigg ) \times \bigg ( R(\bar{x}) + {\tilde{C}}_{i,a} \bar{a} \bigg ) = 0 $$

and viewed as a polynomial in \(\bar{a}\), the linear term would in turn imply that:

$$ \sum _i \bigg ( C_{i,1} P(\bar{x}) {\tilde{C}}_{i,a} + C_{i,2} (\bar{x} + w) R(\bar{x}) \bigg ) = 0 $$

that is, \(C P(\bar{x}) + S(\bar{x}) (\bar{x} + w) = 0\) for C a constant and S a polynomial. Since \(P(\bar{x})\) and \((\bar{x} + w)\) are relatively prime, this means that \(C = 0\) and \(S = 0\) and thus that the original equation does not depend on the challenge pair.

Indistinguishability of Simulation. Let \(q_\mathcal {G}\) be the number of queries to the group oracle \(\mathcal {G}\). The simulation is indistinguishable from the original game unless the adversary assembles two distinct polynomials \((p, q)\) with \((p - q)(x, a, r) = 0\).

The adversary can adaptively test whether \((x, a, r)\) is a root of one of the at most \(q' = (5 + 2 q + q_\mathcal {G})^2/2\) differences of polynomials of degree at most \(d = 2q\). Per the Schwartz-Zippel lemma, which states that a multivariate polynomial of degree d has at most d roots, this is equivalent to testing whether \((x, a, r)\) belongs to one of \(q'\) subsets of \(\mathbb {Z}_p^3\) of size at most d. Finally, the probability of adaptively finding such subsets is bounded above by \(\frac{q' \cdot d}{p^3}\), which is negligible.

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

Cite this paper

Canard, S., Pointcheval, D., Santos, Q., Traoré, J. (2018). Privacy-Preserving Plaintext-Equality of Low-Entropy Inputs. In: Preneel, B., Vercauteren, F. (eds) Applied Cryptography and Network Security. ACNS 2018. Lecture Notes in Computer Science, vol 10892. Springer, Cham.

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-93386-3

  • Online ISBN: 978-3-319-93387-0