Abstract
Confidentiality requires keeping information away from the eyes of non-legitimate users, while practicality requires making information usable for authorized users. The former issue is addressed with cryptography and encryption schemes. Combining both has been shown to be possible with advanced techniques that allow computations to be performed on encrypted data. Searchable encryption concentrates on the problem of extracting specific information from a ciphertext.
In this paper, we focus on a concrete use case where sensitive tokens (medical records) allow third parties to find matching properties (compatible organ donor) without revealing more information than necessary (contact information).
We reduce this case to the plaintext-equality problem. But in our particular application, the message space is of limited size or, equivalently, the entropy of the plaintexts is small: existing public-key solutions are not fully satisfactory. We then propose a suitable security model and give an instantiation with an appropriate security analysis.
Keywords
 Ciphertext
 Searchable Encryption
 Suitable Security Model
 Generic Bilinear Group Model
 Final Fingerprint
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
Notes
 1.
 2.
Even the testing key should give no advantage to anybody in generating fingerprints.
 3.
Even the fingerprinting key should give no advantage to anybody in making tests.
References
Boneh, D., Boyen, X., Goh, E.J.: Hierarchical identity based encryption with constant size ciphertext. Cryptology ePrint Archive, Report 2005/015 (2005). http://eprint.iacr.org/2005/015
Bellare, M., Boldyreva, A., O’Neill, A.: Deterministic and efficiently searchable encryption. Cryptology ePrint Archive, Report 2006/186 (2006). http://eprint.iacr.org/2006/186
Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_30
Canard, S., Fuchsbauer, G., Gouget, A., Laguillaumie, F.: Plaintext-checkable encryption. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 332–348. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27954-6_21
Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) CRYPTO 1982, pp. 199–203. Plenum Press, New York (1982)
Freedman, M.J., Nissim, K., Pinkas, B.: Efficient private matching and set intersection. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 1–19. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_1
Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)
Jager, T.: Black-Box Models of Computation. Vieweg+Teubner Verlag, Wiesbaden (2012)
Lu, Y., Zhang, R., Lin, D.: Stronger security model for public-key encryption with equality test. In: Abdalla, M., Lange, T. (eds.) Pairing 2012. LNCS, vol. 7708, pp. 65–82. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36334-4_5
Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9
Pointcheval, D., Sanders, O.: Short randomizable signatures. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 111–126. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29485-8_7
Pointcheval, D., Sanders, O.: Reassessing security of randomizable signatures. In: Smart, N.P. (ed.) CT-RSA 2018. LNCS, vol. 10808, pp. 319–338. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76953-0_17
Shamir, A.: How to share a secret. Commun. Assoc. Comput. Mach. 22(11), 612–613 (1979)
Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18
Song, D.X., Wagner, D., Perrig, A.: Practical techniques for searches on encrypted data. In: 2000 IEEE Symposium on Security and Privacy, pp. 44–55. IEEE Computer Society Press, May 2000
Yang, G., Tan, C.H., Huang, Q., Wong, D.S.: Probabilistic public key encryption with equality test. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 119–131. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11925-5_9
Acknowledgments
This work was supported in part by the European Research Council under the European Community’s Seventh Framework Programme (FP7/2007-2013 Grant Agreement no. 339563 – CryptoCloud).
A Proof of Theorem 1
Proof
We prove q-\({\textsf {DMSDH}}\)-1 in the generic bilinear group model. The generic group model (without a bilinear map) was used by Victor Shoup in [Sho97] to assess more tightly the difficulty of computing discrete logarithms and related problems. A much clearer introduction to this technique can be found in [Jag12]. The generic bilinear group model is presented in Appendix A of [BBG05]. It is essentially a formal way to enumerate the values that an adversary can compute from a restricted number of inputs, using only the group laws.
We use the classical approach of simulating group operations by an oracle \(\mathcal {G}\), which operates on arbitrary representations \({(\xi _{1,i})}_i\), \({(\xi _{2,i})}_i\), \({(\xi _{T,i})}_i\) of the elements of \(\mathbb {G}_1\), \(\mathbb {G}_2\) and \(\mathbb {G}_T\) (respectively). The oracle is built such that all interactions are done without reference to the secret values, hence reducing the attack to a guess.
For instance, \(\mathcal {G}(\times , \xi _{1,i}, \xi _{1,j})\) returns a representation of the product of the underlying values in \(\mathbb {G}_1\). The oracle \(\mathcal {G}\) similarly allows the adversary \(\mathcal {A}\) to compute products in \(\mathbb {G}_2\) and \(\mathbb {G}_T\), evaluate the pairing e, and test two representations for the equality of the underlying values.
To simulate the operations, the oracle \(\mathcal {G}\) stores the values known to the adversary \(\mathcal {A}\) (at the beginning, and after each request) into lists \(L_1\), \(L_2\) and \(L_T\) (one for each group). To track how the adversary \(\mathcal {A}\) obtained these values, we save with each representation \(\xi _{\square ,i}\) a polynomial \(p_{\square ,i}\) corresponding to the operations used to compute the value. The representations themselves are not important; the reader must simply remember that a new random representation is generated for each newly computed value, and that testing whether a value is fresh or not is done by searching for its polynomial in the relevant list \(L_1\), \(L_2\) or \(L_T\).
The values initially provided to the adversary \(\mathcal {A}\) are:
 in \(\mathbb {G}_1\): \({(g^{x^i})}_{0 \le i \le q}\), \(g^a\), \(g^{a \cdot x}\), \(h^{\frac{1}{x + w}}\), \(h^{\frac{a}{P(x)}}\)
 in \(\mathbb {G}_2\): \({({\tilde{g}}^{x^i})}_{0 \le i \le q}\), \({\tilde{g}}^a\)
To simulate operations over these elements, we set r such that \(h = g^r\) and introduce the indeterminate values \(\bar{x}\), \(\bar{a}\), \(\bar{r}\). Then, we initialize \(L_1 = {\{{\bar{x}}^i\}}_i \cup \{\bar{a}, \bar{a} \bar{x}, \frac{\bar{r}}{\bar{x} + w}, \frac{\bar{a} \cdot \bar{r}}{P(\bar{x})}\}\), \(L_2 = {\{{\bar{x}}^i\}}_i \cup \{\bar{a}\}\) and \(L_T = \varnothing \) (along with arbitrary representations), and set:
 \(\mathcal {G}(\times , \xi _{\square ,i}, \xi _{\square ,j})\): append \(p_{\square ,i} + p_{\square ,j}\) to \(L_\square \)
 \(\mathcal {G}(=, \xi _{\square ,i}, \xi _{\square ,j})\): return whether \(p_{\square ,i} = p_{\square ,j}\)
 \(\mathcal {G}(e, \xi _{1,i}, \xi _{2,j})\): append \(p_{1,i} \times p_{2,j}\) to \(L_T\)
Remark 4
Comparing the representations directly is equivalent to calling the group oracle for testing, because the representations are generated so as to be equal exactly when the corresponding polynomials are equal.
We now have to show two things: the simulation does not allow the adversary to distinguish between \((h^{\frac{1}{x + w}}, h^{\frac{a}{P(x)}})\) and a pair of random elements from \(\mathbb {G}_1\); the simulation is indistinguishable from the initial game.
Indistinguishability in Simulation. Since representations are opaque, the adversary can only obtain information from testing two values for equality (either of representations or through the group oracle \(\mathcal {G}\)).
Comparing elements of \(\mathbb {G}_1\). Consider a comparison of \(\xi _{1,i}\) to \(\xi _{1,j}\); the difference of their polynomials, \(p_{1,i} - p_{1,j}\), is of the form:
as a polynomial in \(\bar{r}\), the linear term implies that, if this polynomial were equal to zero, then:
as a polynomial in \(\bar{a}\), this implies \(C_1 = C_2 = 0\). Thus, the polynomial does not depend on the challenge pair.
Comparing elements of \(\mathbb {G}_2\). Elements in \(\mathbb {G}_2\) do not depend on the challenge pair.
Comparing elements of \(\mathbb {G}_T\). Since \(L_T\) starts out empty, a comparison of \(\xi _{T,i}\) to \(\xi _{T,j}\) will correspond to polynomials whose difference \(p_{T,i} - p_{T,j}\) is a sum of products of one element from \(\mathbb {G}_1\) and one element from \(\mathbb {G}_2\), thus of the form:
where Q and R are polynomials of degrees at most q. As a polynomial in \(\bar{r}\), if this were the zero polynomial, then the linear term would imply that:
as a polynomial in \(\bar{a}\), then the linear term would imply that:
that is, \(C P(\bar{x}) + S(\bar{x}) (\bar{x} + w) = 0\) for C a constant and S a polynomial. Since \(P(\bar{x})\) and \((\bar{x} + w)\) are relatively prime, this means that \(C = 0\) and \(S = 0\) and thus that the original equation does not depend on the challenge pair.
Indistinguishability of Simulation. Let \(q_\mathcal {G}\) be the number of queries to the group oracle \(\mathcal {G}\). The simulation is indistinguishable from the original game unless the adversary assembles two distinct polynomials (p, q) with \((p - q)(x, a, r) = 0\).
The adversary can adaptively test whether (x, a, r) is a root of one of the at most \(q' = (5 + 2 q + q_\mathcal {G})^2/2\) differences of polynomials of degrees at most \(d = 2q\). Per the Schwartz-Zippel lemma, which states that a multivariate polynomial of degree d has at most d roots, this is equivalent to testing whether (x, a, r) belongs to one of \(q'\) subsets of \(\mathbb {Z}_p^3\) of sizes at most d. Finally, the probability of adaptively finding such subsets is bounded above by \(\frac{q' \cdot d}{p^3}\), which is negligible.
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Canard, S., Pointcheval, D., Santos, Q., Traoré, J. (2018). Privacy-Preserving Plaintext-Equality of Low-Entropy Inputs. In: Preneel, B., Vercauteren, F. (eds) Applied Cryptography and Network Security. ACNS 2018. Lecture Notes in Computer Science, vol 10892. Springer, Cham. https://doi.org/10.1007/978-3-319-93387-0_14
DOI: https://doi.org/10.1007/978-3-319-93387-0_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-93386-3
Online ISBN: 978-3-319-93387-0