1 Introduction

The question of constructing practical cryptographic schemes for securing data in the cloud has attracted a lot of research during the last decade. Notions like order preserving encryption [8, 10], attribute-based encryption [21, 24, 26], functional encryption [1, 6, 14–16, 25] and format preserving encryption [7] are useful for this purpose. The notions of IBE [11, 12, 19] and public key encryption with keyword search [13, 17, 33, 34] deal with testing of equality. Homomorphic encryption [22, 23, 35] too plays an important role in cloud security. These schemes aim to achieve data privacy, user privacy, secure computation on encrypted data, etc., on the cloud.

At EUROCRYPT 2012 Pandey and Rouselakis [29] defined the notion of property preserving symmetric encryption (PPEnc) which can be used for data clustering [27]. This notion, the authors claim, is most useful in the symmetric key setting. A PPEnc scheme is a collection of four algorithms, namely, Setup, Encrypt, Decrypt and Test where Test is used to check whether the underlying messages satisfy a particular property or not. The authors claim that it is sufficient to consider a simpler notion called property preserving tag (PPTag), obtained by dropping the decryption algorithm. The standard approach is to use a semantic secure symmetric key encryption scheme to encrypt the “payload” message while the encryption algorithm of PPTag is used to create a “tag” that is used as one of the inputs to Test to publicly check whether the message satisfies the property or not. In fact a similar approach was taken in [28, 32]. Following the Bellare et al. approach for standard encryption [4, 5], they define several security notions for property preserving encryption such as find-then-guess (FtG) and left-or-right (LoR) security. However, unlike Bellare et al. [4] who showed FtG implies LoR in the ordinary symmetric key setting, [29] claims that there is a separation between FtG and LoR notions and a hierarchy among the FtG classes that does not collapse. While the notion of property preserving encryption and its security are defined in the abstract setting of a general k-ary property, the separation results are conditioned on the assumed existence of a PPEnc for a concrete binary property based on quadratic residuosity, called \(P_{qr}\). Finally, the paper proposes a scheme for achieving orthogonality, which is claimed to be LoR secure in the generic bilinear group model.

Property preserving encryption has a direct connection with predicate private encryption [32]. In such a scheme, given a token one can check whether a ciphertext satisfies a certain predicate or not. A PPTag scheme may be easily constructed from a predicate private encryption scheme by concatenating the ciphertext and the token for a given message. If one starts from a fully secure predicate-private scheme, one obtains an LoR secure PPTag scheme [1, 29]. In [29], the authors also claim that property preserving encryption is a generalization of the order preserving encryption of Boldyreva et al. [8–10].

Our Motivation. Property preserving symmetric encryption is an interesting new concept, with a potential practical application for outsourcing computation, and it is related to several other primitives like order preserving encryption and predicate encryption. Hence it is imperative that this notion be critically evaluated from the definitional perspective. Because of the separation, designers working on the problem of constructing property preserving encryption for various concrete properties may tend to disregard the FtG notion and only aim at the strongest LoR notion, which is likely to take considerably more resources; see, for example, [1]. Thus it is natural to ask whether the separation indicates any real gap between the two notions and generalizes to any concrete property of interest, or whether it is an artifact of the peculiarities of the property considered in [29]. The importance of cryptanalyzing the proposed provably secure construction requires no further emphasis.

Our Contributions. In Sect. 3, we revisit the separation results of [29]. As no concrete construction of an FtG-secure scheme for \(P_{qr}\) was suggested to validate the separation results, we first attempt to build such a scheme. The first observation is that the quadratic residuosity property used in the separation results of [29] can be generalized to a property preserving test of equality. Hence we focus on the equality property and show that a one-time pad is sufficient to achieve FtG security for equality preserving encryption of one-bit messages. Furthermore, the two notions of FtG and LoR security in fact collapse in such a deterministic setting. This result is further generalized to equality testing of n-bit messages, where we show that a pseudo-random permutation is sufficient to achieve the strongest LoR security. Thus, on the one hand we can easily generalize the separation results of [29] to the equality property; on the other we show that in concrete terms the two notions of FtG and LoR effectively collapse for this property. This points to the inherent ambiguity with respect to the actual implication of the separation results for concrete properties of interest. Thus contextualized, we note that the question of whether the separation results of [29] actually indicate any real world difference between the two notions of FtG and LoR security for property preserving encryption still remains open.

In Sect. 4, we look at the relation of FtG and LoR in the context of orthogonality property. We show that given an FtG secure orthogonality preserving encryption of vectors of length 2n, there exists LoR secure orthogonality preserving encryption of vectors of length n. This result gives further credence to our already established evidence that FtG is indeed a meaningful notion of security for property preserving encryption. We also show that in the property preserving scenario orthogonality implies equality.

In Sect. 5, we cryptanalyze the scheme for testing orthogonality from [29]. We show that the PPEnc scheme given in [29, Sect. 5] is not even selective find-then-guess secure, the weakest notion, which falsifies the claim [29, Theorem 5.1] that it is LoR secure. Going beyond indistinguishability, we show that if an adversary is allowed just one query and is then given a ciphertext for some unknown message vector \(x=(x_1,\ldots ,x_n)\), s/he can extract significant non-trivial information about x, including whether x is orthogonal to any message of the adversary’s choice. Thus the attack defeats the very purpose of having property preserving encryption in the symmetric key setting and may be of independent interest in understanding the security of cryptographic schemes in the composite order pairing setting.

We draw our conclusion in Sect. 6. Some of the detailed proofs are provided in Appendix A.

2 Definitions

We recall the basic definition of property preserving encryption and notions of its security from [29]. The paper claims that the idea makes most sense in the symmetric key setting – in the public key setting an adversary can gain non-trivial information about a target ciphertext by encrypting messages of her own choice and then testing for the property on the target message.

As in [29], we too model any k-ary property on \(\mathcal {M}\) as a Boolean function on \(\mathcal {M}^{k}\). One of the main properties considered is orthogonality, which depends on computing inner products in finite dimensional vector spaces over finite fields. Let \(v=(v_1,\ldots ,v_n)\) and \(w=(w_1,\ldots ,w_n)\) be vectors over a finite field \(\mathbb {F}_q\). The inner product between them is defined as \(v\cdot w=v_1w_1+\ldots +v_nw_n \pmod {q}\). These vectors are orthogonal if \(v\cdot w=0\).

Definition 1

A property preserving encryption scheme (PPEnc) for the k-ary property P is a collection of four probabilistic polynomial time (PPT) algorithms, which are defined as follows:

1. \(\mathsf{{Setup}}(1^\lambda )\): This takes as input the security parameter and outputs the message space (\(\mathcal {M}\)), public parameters (PP) and the secret key (SK).

2. \(\mathsf{{Encrypt}}(PP,SK,m)\): This algorithm outputs the ciphertext CT corresponding to the message m, using the secret key SK and public parameter PP.

3. \(\mathsf{{Decrypt}}(PP,SK,CT)\): This algorithm outputs the plaintext message m.

4. \(\mathsf{{Test}}(CT_1,\ldots ,CT_k,PP)\): This is a public algorithm that takes as inputs ciphertexts \(CT_1,\ldots ,CT_k\) corresponding to messages \(m_1,\ldots ,m_k\), respectively and outputs a bit.

This set of four algorithms must satisfy the standard correctness requirement. In addition, if the Test algorithm outputs \(b \in \{0,1\}\) then, except with negligible probability, one has \(P(m_1,\ldots ,m_k)=b\).

A related notion of PPTag scheme was also defined. Informally, such a scheme does not have any decrypt module.

Definition 2

A property preserving tag scheme (PPTag) for the k-ary property P is a collection of three probabilistic polynomial time (PPT) algorithms, which are defined as follows:

1. \(\mathsf{{Setup}}(1^\lambda )\): This takes as input the security parameter and outputs the message space (\(\mathcal {M}\)), public parameters (PP) and the secret key (SK).

2. \(\mathsf{{Encrypt}}(PP,SK,m)\): This algorithm outputs the ciphertext CT corresponding to the message m, using the secret key SK and public parameter PP.

3. \(\mathsf{{Test}}(CT_1,\ldots ,CT_k,PP)\): This is a public algorithm that takes as inputs ciphertexts \(CT_1,\ldots ,CT_k\) corresponding to messages \(m_1,\ldots ,m_k\), respectively and outputs a bit.

This set of algorithms must satisfy the standard correctness requirement. If the Test algorithm outputs \(b \in \{0,1\}\) then, except with negligible probability, one has \(P(m_1,\ldots ,m_k)=b\).

Remark 1

In [29], the authors suggest the following strategy while designing a secure property preserving encryption scheme. The actual “payload” message is encrypted using an IND-CPA secure symmetric encryption scheme. For testing the property, a tag is constructed for each message using a PPTag scheme.

2.1 Security Notions

Inspired by the study of security notions of symmetric key encryption by Bellare et al. [4], Pandey and Rouselakis [29] propose several notions of security for property preserving symmetric encryption. These notions are defined by taking into account the specific nature of PPEnc. Here we informally describe the two notions of security for such schemes which are most relevant to our work. For more details refer to [29].

Definition 3

For a k-ary property P, any two sequences \(X=(x_1,\ldots ,x_n)\) and \(Y=(y_1,\ldots ,y_n)\) of inputs are said to have the same equality pattern if

$$\begin{aligned} P(x_{i_1},\ldots ,x_{i_k})=P(y_{i_1},\ldots ,y_{i_k}),~\forall (i_1,\ldots ,i_k) \in [n]^{k}. \end{aligned}$$

Find-then-Guess Security (FtG). The challenger and the adversary \({\mathcal A}=({\mathcal A}_1,{\mathcal A}_2)\) play the following game \(\mathsf{Game}_{\varPi ,\mathcal {A},\lambda }^\mathsf{FtG}(b)\), which is formally defined in [29, Sect. 3]. After the Setup phase, in \({\mathcal A}_1\), the adversary first adaptively queries the encryption oracle for messages \((m_1,\ldots ,m_t)\). Then the adversary outputs the challenge messages \((m_0^{*},m_1^{*})\). In \({\mathcal A}_2\), after the challenger returns the ciphertext of \(m_b^{*}\) for a random \(b \in \{0,1\}\), the adversary again adaptively queries \((m_{t+1},\ldots ,m_q)\). The adversary wins the game if s/he can correctly predict the bit b. Adversarial queries must satisfy the extra condition that the equality patterns of \((m_1,\ldots ,m_t,m_0^{*},m_{t+1},\ldots ,m_q)\) and \((m_1,\ldots ,m_t,m_1^{*},m_{t+1},\ldots ,m_q)\) are the same. Otherwise \({\mathcal A}\) can trivially win the game.

Definition 4

Let \(\varPi = (\mathsf{Setup}, \mathsf{Encrypt}, \mathsf{Decrypt}, \mathsf{Test})\) be a symmetric key property preserving encryption scheme. Then \(\varPi \) is said to be FtG secure if there exists a negligible function \(n(\cdot )\) such that for all PPT FtG adversaries \(\mathcal {A}\) as above and for all \(\lambda \in \mathbb {N}\) sufficiently large, the advantage of \(\mathcal {A}\) in the FtG game is negligible:

$$ \mathsf{Adv}_{\varPi ,\mathcal {A},\lambda }^\mathsf{FtG}=\left| \Pr \left[ \mathsf{Game}_{\varPi ,\mathcal {A},\lambda }^\mathsf{FtG}(1)=1\right] - \Pr \left[ \mathsf{Game}_{\varPi ,\mathcal {A},\lambda }^\mathsf{FtG}(0)=1\right] \right| \le n(\lambda ). $$

Pandey and Rouselakis [29] further introduce a hierarchy in the FtG notion depending on the number of challenge queries. In particular, any adversary playing the \(\mathsf{FtG}^{\eta }\) game, for \(\eta \in \mathbb {N}\), is allowed to make \(\eta \) challenge queries interleaved between encryption oracle queries. A selective FtG notion may be defined in the usual way, following [11], where the adversary outputs the challenge messages even before receiving the public parameters.

Left-or-Right Security (LoR). The challenger and the adversary \(\mathcal {A}\) play the following game \(\mathsf{Game}_{\varPi ,\mathcal {A},\lambda }^\mathsf{LoR}(b)\). After setup, \(\mathcal {A}\) makes q encryption queries, where each query is of the form \((m_0^{(i)},m_1^{(i)})\). The queries are such that the tuples \((m_0^{(1)},\ldots ,m_0^{(q)})\) and \((m_1^{(1)},\ldots ,m_1^{(q)})\) have the same equality pattern. The challenger returns the encryption of \(m_{b}^{(i)}\) for each i, where the random bit b is chosen at the beginning of the game. At the end, the adversary has to output a guess \(b^\prime \) of b and wins if \(b^\prime =b\). The game is formally defined in [29, Sect. 3]. The definition of adversarial advantage is as follows.

Definition 5

Let \(\varPi = (\mathsf{Setup}, \mathsf{Encrypt}, \mathsf{Decrypt}, \mathsf{Test})\) be a symmetric key property preserving encryption scheme. Then \(\varPi \) is said to be LoR secure if there exists a negligible function \(n(\cdot )\) such that for all PPT LoR adversaries \(\mathcal {A}\) as above and for all \(\lambda \in \mathbb {N}\) sufficiently large, the advantage of \(\mathcal {A}\) in the LoR game is negligible:

$$ \mathsf{Adv}_{\varPi ,\mathcal {A},\lambda }^\mathsf{LoR}=\left| \Pr \left[ \mathsf{Game}_{\varPi ,\mathcal {A},\lambda }^\mathsf{LoR}(1)=1\right] - \Pr \left[ \mathsf{Game}_{\varPi ,\mathcal {A},\lambda }^\mathsf{LoR}(0)=1\right] \right| \le n(\lambda ). $$

3 Separation Results: A Closer Look

Let \(\mathcal {QR}_p\) (resp. \(\mathcal {QNR}_p\)) be the set of quadratic residues (resp. quadratic non-residues) in \(\mathbb {Z}_p^*\) for some prime p. Consider the quadratic residuosity property \(P_{qr}\) defined as follows:

$$\begin{aligned} P_{qr}(m_1,m_2) = \left\{ \begin{array}{rcl} 1 &{} {\text {if}} &{} m_1 \cdot m_2 \in \mathcal {QR}_p \\ 0 &{} {\text {if}} &{} m_1 \cdot m_2 \in \mathcal {QNR}_p \end{array}\right. \end{aligned}$$
(1)

Assuming there exists an FtG secure property preserving encryption scheme \(\varPi \) for \(P_{qr}\), Pandey and Rouselakis construct an artificial scheme \(\varPi '\) which is FtG but not LoR secure [29, Theorem 4.1]. In a similar fashion they establish that \(\mathsf{FtG}^{\eta } \nrightarrow \mathsf{FtG}^{\eta +1}\) [29, Theorem 4.4]. Note that (i) the separation results are specific to the property \(P_{qr}\) and (ii) they are conditioned on the existence of an FtG secure scheme for \(P_{qr}\), while no such construction was known or suggested in [29].

Property preserving encryption is a rather broad category, and a separation based on the specificity of a particular property does not necessarily provide enough insight about the relationship between different security notions for another concrete property, or about how the two notions are related in general. For example, the separation result for \(P_{qr}\) in [29] does not give any clue whether the same will hold for another property, say orthogonality. Another crucial question is whether the separation is real or merely an artifact: is there any ‘natural’ construction for a ‘natural’ property that is FtG but not LoR secure?

Clearly, a thorough investigation of these questions requires identifying natural properties that encompass other properties and then analysing the real difference between security notions of property preserving encryption in the context of these natural properties. For example, consider the set of all unary properties. It is suggested [29] that for any unary property P, a PPTag scheme can be trivially obtained by providing P(m) in the clear as part of the ciphertext. We note that in such a scenario, the two notions FtG and LoR actually collapse. The case for binary properties, however, is more subtle as we see next.

3.1 Equivalence Testing via Equality

We demonstrate that certain equivalence relations can be tested via the equality property; the \(P_{qr}\) property used in [29] is one such relation.

Claim 1

To construct a PPTag scheme for \(P_{qr}\), it suffices to construct a PPTag scheme for equality where the message space is \({\mathcal M}= \{0,1\}\).

Proof

The argument is quite straightforward. A “sign” function S was used by [29] to define \(P_{qr}\), where \(S(m) = 0\) if \(m \in \mathcal {QR}_p\), else \(S(m)=1\). In other words, \(P_{qr}\) divides the message space \({\mathcal M}= \mathbb {Z}_p^*\) into 2 equivalence classes. Given any message m in \(\mathbb {Z}_p^*\) one can efficiently determine S(m) and then use the PPTag scheme for equality over the message space \(\{0,1\}\) to encrypt S(m). The product of two messages x and y belongs to \(\mathcal {QR}_p\) if and only if x and y belong to the same equivalence class. Thus testing whether the product of x and y is a quadratic residue or not is reduced to the task of testing whether S(x) and S(y) are equal or not.    \(\square \)

The property \(P_{qr}\) used in [29] is a particular instance of a larger class of properties \({\mathcal P}\). In particular, the property \({\mathcal P}\) induces an equivalence relation on a set \({\mathcal M}\) such that there exists an efficient algorithm to determine the class in which a given element lies. Another example of such a property is to test, given two integers m and n, whether their difference is divisible by a fixed prime p. It is easy to see that a PPTag scheme for such a property \({\mathcal P}\) can be realized by any PPTag scheme for equality. Note, however, that there do exist equivalence relations for which the question of membership testing is not known to be easy.

3.2 Natural LoR Secure Equality Testing

We describe a property preserving encryption scheme for testing equality over message space \(\{0,1\}\).

1. \(\mathsf{{Setup}}(1^{\lambda })\): Set \(SK=t\), where \(t \in _R \{0,1\}\).

2. \(\mathsf{{Encrypt}}(SK,m)\): \(CT=t\oplus m\).

3. \(\mathsf{{Decrypt}}(SK,CT)\): \(m'=CT\oplus t\).

4. \(\mathsf{{Test}}(CT_1,CT_2)\): Return 1 if and only if \(CT_1=CT_2\).

It is well-known that as a symmetric key encryption scheme the above construction (or any deterministic encryption scheme) is not FtG secure in the sense of [4], but it is FtG secure as a PPEnc, as the following claim shows.

Claim 2

The above construction is an FtG secure PPEnc for one-bit messages.

Proof

The key idea is that an FtG adversary \({\mathcal A}\) is restricted by the equality pattern. If \({\mathcal A}\) makes the challenge query as (0, 1) or (1, 0) then s/he cannot make any encryption oracle query. Hence, the one-time pad ensures the challenge bit is information theoretically hidden from \({\mathcal A}\). On the other hand, if the challenge query is of the form (0, 0) or (1, 1) then there is no non-trivial information for \({\mathcal A}\) to learn either from the encryption queries or from the challenge.    \(\square \)

The above result further leads us to the following interesting consequence. Let \(E: {\mathcal K}\times \{0,1\} \longrightarrow \{C_0,C_1\}\) be a deterministic encryption scheme.

Claim 3

If E is an FtG secure PPEnc scheme for equality, then it is LoR secure.

Proof

Let \(\mathcal {A}\) be a valid LoR adversary for E. We will construct a valid FtG adversary \(\mathcal {B}\) for E, which is playing the FtG game with its own challenger \(\mathcal {C}\) by internally running \(\mathcal {A}\).

Observe that \(\mathcal {A}\) has to respect the equality pattern and hence can only make queries from the following disjoint sets: \(S_1 = \{(0,0),(1,1)\}\) and \(S_2 = \{(0,1), (1,0)\}\). If \({\mathcal A}\) makes queries from the set \(S_1\), then \(\mathsf{FtG} \longrightarrow \mathsf{LoR}\) holds trivially.

Now let us analyze the case when \({\mathcal A}\) makes queries from \(S_2 = \{(0,1),(1,0)\}\). Let us, without loss of generality, assume that \({\mathcal A}\)’s first query is (0, 1). \({\mathcal B}\) sets the same message pair (0, 1) as its own FtG challenge query and forwards it to \(\mathcal {C}\). In response, \(\mathcal {C}\) provides a challenge ciphertext \(C_b\) to \(\mathcal {B}\), \(b \in \{0,1\}\), by encrypting \(\beta \in _R \{0,1\}\) using the encryption function E as per the rules of the FtG game. \({\mathcal B}\) forwards the same \(C_b\) to \(\mathcal {A}\). Note that by the definition of \(\mathsf{FtG}\) security, \({\mathcal B}\) cannot make any other query to \(\mathcal {C}\). However, if \(\mathcal {A}\) repeats the same query (0, 1), then \(\mathcal {B}\) simply forwards the same ciphertext \(C_b\). If \(\mathcal {A}\) queries the other valid message pair (1, 0), then \(\mathcal {B}\) returns the ciphertext \(C_{1-b}\). When \(\mathcal {A}\) outputs a bit as its guess and halts, \(\mathcal {B}\) outputs the same bit to \(\mathcal {C}\) and halts.

The simulation of \({\mathcal A}\)’s environment by \({\mathcal B}\) is perfect. In fact, after the first query, \(\mathcal {A}\) can on its own generate the response for all other queries it is going to make. Now the FtG security of E ensures that the encryption of 1 is indistinguishable from the encryption of 0. Hence, the advantage of \(\mathcal {B}\) is the same as that of \(\mathcal {A}\), and the two notions actually collapse.    \(\square \)

As a consequence we note that the one-time pad construction of PPEnc achieves LoR security. However, it is well-known that the same scheme is not even FtG secure as a standard symmetric key encryption scheme. Thus there exists a binary property preserving encryption scheme that is secure in the strong LoR sense of property preserving encryption but does not even achieve FtG security as a standard symmetric key encryption scheme.

Based on our previous observations we suggest the following direct construction of LoR secure PPEnc for equality testing on \({\mathcal M}= \{0,1\}^n\). A PPTag can be obtained by dropping the Decrypt algorithm from the description.

Property Preserving Encryption for Equality. We describe a scheme \(\varPi \) to test for equality of strings of length n. Let \(\{\mathcal {F}\}_{n}\) be a pseudo-random permutation (PRP) family, where each element \(F \in \{\mathcal {F}\}_{n}\) is a keyed map \(F:\{0,1\}^{n} \times \{0,1\}^{n} \longrightarrow \{0,1\}^{n}\).

1. \(\mathsf{{Setup}}(1^{\lambda })\): Set a random n-bit binary string K as the secret key SK.

2. \(\mathsf{{Encrypt}}(SK,m)\): \(CT=F_K(m)\).

3. \(\mathsf{{Decrypt}}(SK,CT)\): Return \(F_K^{-1}(CT)\).

4. \(\mathsf{{Test}}(CT_1,CT_2)\): Return 1 if and only if \(CT_1=CT_2\).

Claim 4

If the underlying PRP family is secure, then \(\varPi \) is LoR secure.

Proof

(Sketch) The claim is established through a simple hybrid argument. Let the adversary \(\mathcal {A}\) for the LoR game set \((m_{0,1}^{*},m_{1,1}^{*}),\ldots ,(m_{0,t}^{*},m_{1,t}^{*})\) as challenges. We claim that the games \(\mathsf{{Game}}_0: m_{0,1}^{*},\ldots ,m_{0,t}^{*}\) and \(\mathsf{{Game}}_1: m_{1,1}^{*},\ldots ,m_{1,t}^{*}\) are indistinguishable. We note that, by the security of the PRP, \(\mathsf{{Game}}_0\) is indistinguishable from a game where the challenger computes the responses using a random permutation. Similarly, the challenges output in \(\mathsf{{Game}}_1\) are indistinguishable from the output of a random permutation.    \(\square \)

3.3 Separation Between FtG and LoR Notions for Equality

After establishing the existence of a natural PPEnc/PPTag scheme for equality testing satisfying LoR security (and, hence, FtG security), we now generalize the result of [29, Theorem 4.1] to show that the separation holds for the equality property and need not be restricted to a small number of equivalence classes. Let \(\mathcal {M}\) be the message space. Suppose \(z=\lceil \log _{2} |{\mathcal M}| \rceil \), so that every element \(m \in {\mathcal M}\) can be represented by a bit string of length z. Note that z (and not \(|{\mathcal M}|\)) is a polynomial in the security parameter. Let \(\varPi = (\mathsf{Setup}, \mathsf{Encrypt}, \mathsf{Test})\) be any FtG secure PPTag scheme for equality. From this scheme we construct another scheme \(\varPi ^{\prime } = (\mathsf{Setup}^{\prime }, \mathsf{Encrypt}^{\prime }, \mathsf{Test}^{\prime })\) for realizing the same property. The construction uses a PRF family \({\mathcal F}: \{0,1\}^\kappa \times \{0,1\}^z \longrightarrow \{0,1\}^z\).

1. \(\mathsf{{Setup}}^{\prime }(1^{\lambda })\): Calls Setup of \(\varPi \) to obtain (PP, SK) and chooses \(k \in _R \{0,1\}^{\kappa }\) (as the key for the PRF). The algorithm outputs PP as the public parameters for \(\varPi ^{\prime }\) and sets the secret key as \({SK^{\prime } = (SK, k)}\).

2. \(\mathsf{{Encrypt}}^{\prime }(PP,SK^{\prime },m)\): While encrypting \(m \in \mathcal {M}\), the encryption algorithm of \(\varPi \) is used to obtain \(ct = \mathsf{{Encrypt}}(PP,SK,m)\). Then choose a bit \(b \in _R \{0,1\}\). The ciphertext of \(\varPi ^{\prime }\) is computed as

    $$ CT={\left\{ \begin{array}{ll} (ct,b,F_k(m)),~\text{ if }~ b=0,\\ (ct,b,F_k(m) \oplus m), ~\text{ otherwise }. \end{array}\right. } $$

3. \(\mathsf{{Test}}^{\prime }(CT_1,CT_2,PP)\): Given \(CT_1 = (ct_1, b_1, t_1)\) and \(CT_2 = (ct_2, b_2, t_2)\), the algorithm outputs \(\mathsf{{Test}}(ct_1, ct_2, PP)\).

The following two lemmas generalize the result of [29] and together establish that the separation result for FtG and LoR holds for the equality property. We provide the proofs in Appendix A.

Lemma 1

If the scheme \(\varPi \) is FtG secure and \({\mathcal F}\) is a secure PRF then \(\varPi ^{\prime }\) constructed as above is also FtG secure. In particular, \(\epsilon _{\varPi ^{\prime }} \le \epsilon _{\varPi } + 2\epsilon _{{\mathcal F}}\) where \(\epsilon _{X}\) denotes the advantage in the corresponding security game for the primitive \(X \in \{\varPi , {\mathcal F},\varPi ^{\prime }\}\).

Lemma 2

There is an LoR adversary for the scheme \(\varPi ^{\prime }\) with non-negligible advantage.

Remark 2

We point out an interesting consequence of the above separation result. Shen-Shi-Waters [32] proposed two security notions, single challenge and full challenge security, for predicate private symmetric encryption (see [32] for the definitions of security). The strategy outlined in Lemmas 1 and 2 in the context of PPTag can be adapted to establish a similar separation between single challenge and full challenge security of predicate private encryption. Suppose we are given a single challenge secure predicate private scheme for equality, called \(\varPsi \). From that we construct another scheme \(\varPsi ^{\prime }\) where the only changes are in Setup and Encrypt, as described in the context of \(\varPi ^{\prime }\) above. In particular, the encryption algorithm of \(\varPsi ^{\prime }\) outputs a ciphertext of \(\varPsi \) together with either \((b, F_k(m))\) or \((b,F_k(m) \oplus m)\), depending upon whether \(b=0\) or \(b=1\). A similar argument as in the case of PPTag above shows that \(\varPsi ^{\prime }\) is single challenge secure but not full challenge secure.

Hierarchy Among FtG Classes. We briefly comment on the separation result for the hierarchy among FtG classes given in [29]. The reader may refer to the full version [20] for further details. The equality property over a small message space is used to establish the result. We start with a scheme \(\varPi \) which is \(\mathsf{FtG}^{\eta }\) secure and derive a scheme \(\varPi ^{\prime }\) which is not \(\mathsf{FtG}^{\eta +1}\) secure. For each message m, the Setup algorithm of \(\varPi ^{\prime }\) stores a set of random bit strings \(\{t_{m,1}, \ldots , t_{m,\eta }\}\) as part of the secret key. The encryption algorithm of \(\varPi ^{\prime }\) chooses \(b \in _R \{1,\ldots , \eta +1\}\) and returns

$$ \varPi ^{\prime }.\mathsf{Encrypt}(PP,SK,m)= (\varPi .\mathsf{Encrypt}(PP,SK,m),b,val), $$

where

$$ val={\left\{ \begin{array}{ll} t_{m,b},~\text{ if }~1 \le b \le \eta \\ t_{m,1}\oplus \ldots \oplus t_{m,\eta }\oplus m, ~\text{ if }~b=\eta +1. \end{array}\right. } $$

The derived scheme \(\varPi ^{\prime }\) is not \(\mathsf{FtG}^{\eta +1}\) secure, but it is \(\mathsf{FtG}^{\eta }\) secure.

3.4 The Bottom Line

At this point a reader may wonder what could be a plausible conclusion of our analysis. On one hand, a PRP is sufficient to construct LoR secure PPEnc for equality and the two notions of FtG and LoR collapse in such a setting. On the other, for the same property there is a theoretical gap between FtG and LoR notions of security which may or may not be the case for other properties of interest. In fact, in the next section we show that for orthogonality any FtG secure PPEnc for vectors of length 2n gives an LoR secure PPEnc for vectors of length n.

It seems the only reasonable conclusion is that no conclusive evidence exists indicating any real world difference between the two notions of security for PPEnc in general. This leads us to the following open question: is there a ‘natural’ construction of a scheme for testing equality or, for that matter, any other ‘natural’ property, which is FtG secure but not LoR secure? Resolving this question will shed further light on the usefulness of the hierarchy of security notions introduced in [29].

4 Orthogonality: Relation Between FtG and LoR and with Equality

We show that it is possible to construct an LoR secure scheme from an FtG secure scheme for orthogonality, which provides evidence that FtG is a meaningful notion for property preserving encryption. Next, we show that orthogonality implies equality in the property preserving scenario.

4.1 \(\mathsf{FtG}_{2n}\) implies \(\mathsf{LoR}_n\)

Shen, Shi and Waters showed [32, Theorem 2.8] that a single challenge secure symmetric key predicate-only encryption scheme for testing orthogonality of vectors of length 2n may be used to construct one achieving full security for n length vectors. Inspired by their technique we derive a similar result for property preserving orthogonality testing.

Let \(\varTheta _{2n}\) be an FtG secure PPTag encryption scheme for testing orthogonality of vectors of length 2n. We construct a PPTag scheme \(\varTheta _n\) for testing orthogonality of vectors of length n as follows. In the following we assume that the underlying field on which the vectors are defined does not have characteristic 2 (this is a technical requirement in the security argument). For \(x=(x_1,\ldots ,x_n)\) and \(y=(y_1,\ldots ,y_n)\), as usual \(x||y:=(x_1,\ldots ,x_n,y_1,\ldots ,y_n)\).

1. \(\varTheta _n.\mathsf{{Setup}}(1^\lambda )\): The public parameters and the secret key are the same as the corresponding ones of \(\varTheta _{2n}\).

2. \(\varTheta _n.\mathsf{{Encrypt}}(PP,SK,x)\): The ciphertext is \(\varTheta _{2n}.\mathsf{{Encrypt}}(PP,SK,x||x)\).

3. \(\varTheta _n.\mathsf{{Test}}(CT_1,CT_2,PP)\): The test is carried out using that of the \(\varTheta _{2n}\) scheme: \(\varTheta _n.\mathsf{{Test}}(CT_1, CT_2,PP)=1\) if and only if \(\varTheta _{2n}.\mathsf{{Test}}(CT_1,CT_2,PP)=1\).

Next, we show that \(\varTheta _{n}\) is LoR secure. The proof proceeds via a sequence of hybrids. Any adversary who can distinguish two adjacent games can break the FtG security of \(\varTheta _{2n}\).

Theorem 1

If the scheme \(\varTheta _{2n}\) is FtG secure, then the derived scheme \(\varTheta _n\) is LoR secure.

Proof

(Sketch) Recall that we have assumed that the underlying field on which the vectors are defined does not have characteristic 2. We observe that \(x \cdot y=0\) if and only if \((x||x) \cdot (y||y)=0\), since \((x||x) \cdot (y||y)=2(x \cdot y)\) and 2 is invertible in the field. The encoding which maps x to x||x is used for proving LoR security via a hybrid argument.

Let \(\mathcal {A}\) be a valid LoR adversary for \(\varTheta _{n}\). The adversary \(\mathcal {A}\) sets as challenges the pairs \((x_0^{(1)},x_1^{(1)}),\ldots ,(x_0^{(q)},x_1^{(q)})\) to the challenger \(\mathcal {C}\). The challenger fixes a random bit b and returns encryptions of \(x_b^{(i)},~1 \le i \le q\). The adversary outputs a bit \(b^{\prime }\) at the end of the game and wins if \(b=b^{\prime }\).

We prove that the distributions of the ciphertexts of the sequence of messages \((x_0^{(1)},x_0^{(2)},\ldots ,x_0^{(q)})\) and \((x_1^{(1)},x_1^{(2)},\ldots ,x_1^{(q)})\) are indistinguishable. That is, the adversary \(\mathcal {A}\) cannot distinguish the games \(\mathcal {G}_0\) and \(\mathcal {G}_1\) of Table 1. The proof proceeds via a sequence of hybrid games. We tabulate the sequence of hybrids in Table 1. In \(\mathcal {G}_B\), the value \(\alpha \) is chosen at random from the underlying field. We mention that a sequence of intermediate games is defined between two consecutive games for proving indistinguishability, where only one ciphertext is changed. One such sequence between \(\mathcal {G}_A\) and \(\mathcal {G}_B\) is given in Table 1.

Table 1. Left: sequence of hybrids \(\mathcal {G}_0\) through \(\mathcal {G}_1\); right: intermediate games between \(\mathcal {G}_A\) and \(\mathcal {G}_B\)

We first argue that \(\mathcal {G}_0\) and \(\mathcal {G}_A\) are indistinguishable. Consider an intermediate game, called \(\mathcal {G}_{0,1}\), defined as \(x_0^{(1)}|| 0,x_0^{(2)}|| x_0^{(2)},\ldots ,x_0^{(q)}|| x_0^{(q)}\).

Notice that this game differs from \(\mathcal {G}_0\) only in the first component. We claim that \(\mathcal {G}_0\) and \(\mathcal {G}_{0,1}\) are indistinguishable. For, suppose \(\mathcal {A}\) can distinguish them. Setting \((x_0^{(1)}|| x_0^{(1)},x_0^{(1)}|| 0)\) as challenge messages and querying the rest of the elements, \(\mathcal {A}\) can be used to construct a valid FtG adversary for \(\varTheta _{2n}\). We proceed by defining a sequence of games where any two consecutive games differ in exactly one component. A similar argument shows that \(\mathcal {G}_B\) and \(\mathcal {G}_C\) are indistinguishable. The games \(\mathcal {G}_C\) and \(\mathcal {G}_D\) too may similarly be shown to be indistinguishable.

Recall that \(\mathcal {G}_B\) was defined using a random parameter \(\alpha \). The randomness is needed because, even though, for example, \((x_0^{(1)}||0) \cdot (x_0^{(2)}||0) \ne 0\) holds, it may happen that \((x_0^{(1)}||x_1^{(1)})\cdot (x_0^{(2)}||x_1^{(2)})=0\). A random choice of \(\alpha \) ensures that setting \((x_0^{(1)}||0,x_0^{(1)}||\alpha x_1^{(1)})\) as the challenge and the rest of the elements as queries yields a valid FtG adversary for \(\varTheta _{2n}\). This argument shows that \(\mathcal {G}_A\) and \(\mathcal {G}_B\) are indistinguishable. A similar argument shows that \(\mathcal {G}_D\) and \(\mathcal {G}_1\) are indistinguishable.    \(\square \)

4.2 A Direct Test for Equality from Orthogonality

Katz et al. [28] suggested a simple encoding to test for equality using inner product: create a ciphertext for \(\mathcal {I}=(1,I)\) and a token for \(\mathcal {J}=(-J,1)\). Now the inner product of \(\mathcal {I}\) and \(\mathcal {J}\) is 0 if and only if \(I=J\). This encoding does not directly work for property preserving encryption as there is no separate token and the Test is performed only on the ciphertexts. Nevertheless, we show that one can construct a scheme for testing the equality property, given a scheme for testing orthogonality of vectors. The new scheme inherits the same security as that of the underlying orthogonality testing scheme. Note that this result is of theoretical interest, but of little practical value as we already have a much more efficient scheme for testing equality.

The setting is as follows. Let the message space be \(\mathbb {F}_{q}\), where the finite field is assumed to contain \(i=\sqrt{-1}\). Examples of fields which contain i are \(\mathbb {F}_{2^n}\); \(\mathbb {F}_p\), where \(p \equiv 1 \pmod {4}\); or extension fields \(\mathbb {F}_q\) which contain i. The square root of \(-1\) may be given explicitly or may be computed using the Tonelli-Shanks algorithm [3, Chapter 7].

We encode any \(x \in \mathbb {F}_q\) as a vector in \(\mathbb {F}_{q}^{5}\), where the encoding is given by \(x \mapsto v_x=(x^2+1,ix^2,ix,ix,i)\) (in fields of characteristic 2 the shorter encoding \(m \mapsto v_m=(m+1,m,1)\) is used). The mapping \(m \mapsto v_m\) is one-to-one. Observe that elements x and y are equal if and only if \(v_x\cdot v_y=0\): expanding the inner product and using \(i^2=-1\) gives \(v_x \cdot v_y=(x-y)^2\) (and \(v_m \cdot v_{m^{\prime }}=m+m^{\prime }\) in characteristic 2). We now describe a scheme \(\varPi ^{\prime }\) for testing equality, given a scheme \(\varPi \) for testing orthogonality of vectors of length 5 over \(\mathbb {F}_q\).

  1. \(\mathsf{{Setup}}(1^\lambda )\): The public parameters and secret key for \(\varPi ^{\prime }\) are those of \(\varPi \).

  2. \(\mathsf{{Encrypt}}(PP,SK,m)\): While encrypting \(m \in \mathbb {F}_q\), the encryption algorithm first computes the encoding \(v_m\) corresponding to m. Then the ciphertext corresponding to m is \(CT=\varPi .\mathsf{{Encrypt}}(PP,SK,v_m)\).

  3. \(\mathsf{{Test}}(CT_1,CT_2,PP)\): Same as that of \(\varPi \).

Lemma 3

If \(\varPi \) is FtG (respectively LoR) secure then so is \(\varPi ^{\prime }\), correspondingly.

Proof

We describe the FtG case as the LoR case may be similarly handled. Suppose \(\varPi ^{\prime }\) is not FtG secure, with \(\mathcal {A}_{\varPi ^{\prime }}\) a valid adversary. We construct \(\mathcal {A}_{\varPi }\), an FtG adversary for scheme \(\varPi \), which internally runs \(\mathcal {A}_{\varPi ^{\prime }}\). Whenever \(\mathcal {A}_{\varPi ^{\prime }}\) makes an encryption query m, the adversary \(\mathcal {A}_{\varPi }\) forwards \(v_m\) to the challenger \(\mathcal {B}_{\varPi }\). On receiving the ciphertext, it forwards it to \(\mathcal {A}_{\varPi ^{\prime }}\). When \(\mathcal {A}_{\varPi ^{\prime }}\) sets \((m_0^{*},m_1^{*})\) as challenge, the adversary \(\mathcal {A}_{\varPi }\) forwards \((v_{m_0^{*}},v_{m_1^{*}})\) to the challenger. On receiving the encryption of one of the two vectors \(\mathcal {A}_{\varPi }\) forwards it to \(\mathcal {A}_{\varPi ^{\prime }}\). The other queries made by \(\mathcal {A}_{\varPi ^{\prime }}\) may be handled similarly. When \(\mathcal {A}_{\varPi ^{\prime }}\) outputs a bit \(b^{\prime }\) and halts, so does \(\mathcal {A}_{\varPi }\). This is a perfect simulation and \(\mathcal {A}_{\varPi }\) wins with the same advantage as that of \(\mathcal {A}_{\varPi ^{\prime }}\).    \(\square \)

5 Cryptanalysis of Pandey and Rouselakis Construction

The only construction proposed in [29] is a PPTag scheme for testing orthogonality of two vectors over a finite field. The proposed scheme works in the composite order bilinear pairing setting. It is claimed without proof in [29, Theorem 5.1] that the scheme achieves LoR security in the generic group model with a precise bound on the adversarial advantage.

We identify an inherent symmetry in the construction that is required for the public Test algorithm. The same symmetry allows the adversary to construct ‘pseudo-ciphertexts’ for many messages from a valid ciphertext of a known message. Suitably manipulated pseudo-ciphertexts can be exploited by the adversary to win the indistinguishability game with overwhelming probability. Thus the scheme is not even selective FtG secure. However, the properties of pseudo-ciphertexts allow an adversary to go even further. We show that, after making a single query, an adversary can gain non-trivial information about the underlying message vector given any valid ciphertext. In particular, the adversary can choose any vector and then check whether the unknown message is orthogonal to it or not. This effectively negates the main motivation of using the symmetric key setting for property preserving encryption.

5.1 Pandey and Rouselakis Construction

We recall the scheme of [29] for testing orthogonality of two vectors defined over a prime field \(\mathbb {F}_p\), referred to as the PR scheme hereafter.

  1. \(\mathsf{{Setup}}(1^\lambda ,n)\): Pick two distinct primes p and q uniformly at random in the range \((2^{\lambda -1},2^{\lambda })\) where \(\lambda \) is the security parameter. Let \({\mathbb G}\) and \({\mathbb G}_T\) be two groups of order \(N=pq\) such that there is an efficiently computable bilinear map \(e: {\mathbb G}\times {\mathbb G}\longrightarrow {\mathbb G}_T\). Select a vector \((\gamma _1,\ldots ,\gamma _n) \in \mathbb {Z}_q^n\) and \(\delta \in \mathbb {Z}_q\) such that \(\sum _{i=1}^{n}\gamma _i^{2}=\delta ^2 \pmod {q}\). Let \(g_0\) (resp. \(g_1\)) be a generator of a subgroup of order p (resp. q) of \({\mathbb G}\). Set the message space as \(\mathcal {M}=(\mathbb {Z}_{N}^{*} \bigcup \{0\})^n\). Set

     $$ PP= \langle n,N,\mathbb {G},\mathbb {G}_T,e \rangle ,~~SK= \langle g_0,g_1,\{\gamma _i\}_{i=1}^{n},\delta \rangle . $$

  2. \(\mathsf{{Encrypt}}(PP,SK,M)\): On input a message \(M=(m_1,\ldots ,m_n)\), select two random elements \(\phi \) and \(\psi \) from \(\mathbb {Z}_N\). The ciphertext is computed as

     $$ CT=(ct_0,\{ct_i\}_{i=1}^n)=\left( g_1^{\psi \delta },\{g_0^{\phi m_i}\cdot g_1^{\psi \gamma _i}\}_{i=1}^n\right) . $$

  3. \(\mathsf{{Test}}(CT^{(1)},CT^{(2)},PP)\): When two ciphertexts \(CT^{(1)}=(ct_0^{(1)},\{ct_i^{(1)}\}_{i=1}^n)\) and \(CT^{(2)}=(ct_0^{(2)},\{ct_i^{(2)}\}_{i=1}^n)\) are input, the algorithm outputs 1 if and only if:

     $$ \prod _{i=1}^{n}e(ct_i^{(1)},ct_i^{(2)})=e(ct_0^{(1)},ct_0^{(2)}). $$

Correctness ensures that Test outputs 1 only when the underlying messages are orthogonal, except with a negligible probability.

5.2 A Valid FtG Adversary

Notice that the construction ensures that the quadratic form relation \(\gamma _1^2+\gamma _2^2 + \ldots +\gamma _n^2=\delta ^2 \pmod {q}\) is formed in the exponent for one subgroup element of \({\mathbb G}_T\) while the inner product of the two message vectors is computed in the exponent of the other. However, the above equality implies that \(\gamma _1(\gamma _1+\gamma _2)+\gamma _2(\gamma _2-\gamma _1)+\gamma _3^2+\ldots +\gamma _n^2 = \delta ^2\) mod q also holds.

Given a ciphertext for some message \(x=(x_1,\ldots ,x_n)\), say \((c_0,c_1,c_2,\ldots ,c_n)\), the tuple \(W=(c_0,c_1\cdot c_2,c_2/c_1,c_3,\ldots ,c_n)\) may be computed. We can hence easily see that the tuple W may be used in the Test algorithm in place of a valid ciphertext of \(x^{\prime }=(x_1+x_2,x_2-x_1,x_3,\ldots ,x_n)\). The advantage is that, even though the adversary is forbidden to query \(x^{\prime }\) in the security game, s/he may still obtain a ciphertext of x if it is a valid query, and then, compute and use W for testing for orthogonality to \(x^{\prime }\).

Many such relations among the secret key tuple \((\gamma _1,\ldots ,\gamma _n)\) exist that are equal to \(\delta ^2\). We give more such examples in Lemma 4. This observation motivates us to define the notion of pseudo-ciphertext.

Definition 6

A pseudo-ciphertext for PR scheme, associated with a valid message z, is an element \(W_z \in {\mathbb G}^{n+1}\) such that Test \((CT_x,W_z,PP)=1\) if and only if Test \((CT_x,CT_z,PP)=1\), except with negligible probability, where \(CT_x\) and \(CT_z\) are properly formed ciphertexts for x and z respectively.

Next, we prove that the scheme of [29] is not FtG secure.

Proposition 1

The PPTag scheme proposed in [29] for testing orthogonality is not even selective FtG secure.

Proof

One can construct a valid selective FtG adversary for the \(n=2\) case as follows. The adversary sets (0, 1) and (1, 0) as challenges. Then s/he queries (1, 1) and forms a pseudo-ciphertext for (2, 0). Using that pseudo-ciphertext, the adversary can trivially win the indistinguishability game.

Now consider the case where \(n \ge 3\). The claim is established in terms of the following attack game between the adversary (\({\mathcal A}\)) and the challenger (\({\mathcal S}\)).

(i) \({\mathcal A}\) outputs a pair of n-dimensional vectors \((\mu _0^{*}, \mu _1^{*})\) as the challenge messages where \(n \ll N\). The challenges are of the form \(\mu _0^{*}=(m_1,m_0,1,\ldots ,1)\) and \(\mu _1^{*}=(m_1,m_1,1,\ldots ,1)\), where \(m_1\ne m_0\) are from \(\mathbb {Z}_N^*\).

(ii) \({\mathcal A}\) receives the public parameter PP from challenger.

(iii) \({\mathcal A}\) queries \({Q}=((m_1+m_0)/2,(m_0-m_1)/2,1,\ldots ,1,-(n-3))\). Observe that Q is not orthogonal to either of the challenge messages \(\mu _0^{*}\) and \(\mu _1^{*}\) and hence, is a valid query. \({\mathcal S}\) responds with \(CT_{Q}\), which is equal to

$$ \left( g_1^{\psi \delta },g_0^{\phi (m_1+m_0)/2 }g_1^{\psi \gamma _1},g_0^{\phi (m_0-m_1)/2}g_1^{\psi \gamma _2},g_0^{\phi }g_1^{\psi \gamma _3},\ldots ,g_0^{\phi }g_1^{\psi \gamma _{n-1}},g_0^{-(n-3)\phi }g_1^{\psi \gamma _n}\right) $$

for some \(\psi , \phi \in _R \mathbb {Z}_N\). Given \(CT_{Q}\), \({\mathcal A}\) takes the product and ratio of the third and second components of the ciphertext to obtain respectively \(g_0^{m_0\phi }g_1^{\psi (\gamma _1+\gamma _2)}\) and \(g_0^{-m_1\phi }g_1^{\psi (\gamma _2-\gamma _1)}\). \({\mathcal A}\) now computes the pseudo-ciphertext (Definition 6) \(W_{{Q}^{\prime }}\) for \(Q^\prime = (m_0,-m_1,1,\ldots ,1,-(n-3))\) as

$$ (g_1^{\psi \delta },g_0^{m_0\phi }g_1^{\psi (\gamma _1+\gamma _2)},g_0^{-m_1\phi }g_1^{\psi (\gamma _2-\gamma _1)},g_0^{\phi }g_1^{\psi \gamma _3},\ldots ,g_0^{\phi }g_1^{\psi \gamma _{n-1}},g_0^{-(n-3)\phi }g_1^{\psi \gamma _n}). $$

Note that the message vector \(Q^\prime \) is orthogonal to \(\mu _0^{*}\) but not to \(\mu _1^{*}\).

(iv) \({\mathcal A}\) now asks for the challenge ciphertext. Suppose that \({\mathcal S}\) responds with an encryption for \(\mu _b^{*}\)

$$ CT_b=\left( g_1^{\tilde{\psi }\delta },g_0^{m_1 \tilde{\phi }}g_1^{\gamma _1\tilde{\psi }},g_0^{m_b \tilde{\phi }}g_1^{\gamma _2\tilde{\psi }},g_0^{\tilde{\phi }}g_1^{\gamma _3\tilde{\psi }},\cdots ,g_0^{\tilde{\phi }}g_1^{\gamma _n\tilde{\psi }}\right) , $$

where \(b \in _R \{0,1\}\) and \(\tilde{\phi }, \tilde{\psi } \in _R \mathbb {Z}_N\) are as chosen by \({\mathcal S}\).

(v) \({\mathcal A}\) runs the Test algorithm on \((CT_b,W_{Q^{\prime }},PP)\). This amounts to computing the following quantities:

$$\begin{aligned} A&= e(g_1^{\psi \delta },g_1^{\tilde{\psi }\delta }) ~~~\text{ and } \\ B&= e(g_0^{m_0\phi }g_1^{\psi (\gamma _1+\gamma _2)},g_0^{m_1 \tilde{\phi }}g_1^{\gamma _1\tilde{\psi }})\cdot e(g_0^{-m_1\phi }g_1^{\psi (\gamma _2-\gamma _1)},g_0^{m_b \tilde{\phi }}g_1^{\gamma _2\tilde{\psi }}) \cdot \\&~~~~~\prod _{i=3}^{n-1} e(g_0^{\phi }g_1^{\psi \gamma _i},g_0^{\tilde{\phi }}g_1^{\gamma _i\tilde{\psi }}) \cdot e(g_0^{-(n-3)\phi }g_1^{\psi \gamma _n},g_0^{\tilde{\phi }}g_1^{\gamma _n\tilde{\psi }}). \end{aligned}$$

If \(A=B\) then \({\mathcal A}\) outputs \(b^\prime =0\), otherwise \({\mathcal A}\) outputs \(b^\prime =1\).

We see that \(A=B\) implies \(b=0\), except with negligible probability. Hence, the adversary wins the selective FtG game with overwhelming probability of success.    \(\square \)

Remark 3

We give yet another attack on the scheme for even n. Let \(x=(x_1,\ldots ,x_n)\) be any valid message. Observe that both

$$\begin{aligned} \delta ^2&=\gamma _1(\gamma _1+\gamma _2)+\gamma _2(\gamma _2-\gamma _1)+\ldots +\gamma _{n-1}(\gamma _{n-1}+\gamma _n)+\gamma _n(\gamma _n-\gamma _{n-1}),\\ \delta ^2&=\gamma _1(\gamma _1-\gamma _2)+\gamma _2(\gamma _2+\gamma _1)+\ldots +\gamma _{n-1}(\gamma _{n-1}-\gamma _n)+\gamma _n(\gamma _n+\gamma _{n-1}) \end{aligned}$$

hold modulo q. Hence, from the ciphertext for x, pseudo-ciphertexts for both

$$\begin{aligned} \xi _1&=(x_1+x_2,x_2-x_1,\ldots ,x_{n-1}+x_n,x_n-x_{n-1})~\text{ and }\\ \xi _2&=(x_1-x_2,x_2+x_1,\ldots ,x_{n-1}-x_n,x_n+x_{n-1}) \end{aligned}$$

can be formed. Note that neither \(\xi _1\) nor \(\xi _2\) is orthogonal to x, while \(\xi _1\) is orthogonal to \(\xi _2\). Thus, for example, after setting \((\xi _1,x)\) as the challenge pair, querying x and computing pseudo-ciphertext for \(\xi _2\), the adversary can win the FtG game. A similar attack may also be worked out for odd n.

Remark 4

It would have been illuminating to see where exactly the proof of [29, Theorem 5.1] fails. Unfortunately no such proof is provided by the authors.

5.3 Insecurity Beyond Indistinguishability

Recall that in the ciphertext of the PR scheme described in Sect. 5.1, the message components reside in the exponent and even the party who possesses the secret key does not have the ability to decrypt. Thus it is not reasonable to expect that one can attack the scheme in the sense of message recovery for high min-entropy messages. Our next attack demonstrates that an adversary is still capable of extracting a significant amount of information. This leads to a total break of the scheme when the messages come from a small domain, which could be the case in applications dealing with, for example, certain types of streaming data as envisaged in [29].

We assume that the adversary is allowed to make just one query and is given a valid ciphertext as response. We show how the adversary can process the given ciphertext and then utilize pairing to unmask the subgroup elements containing the message vector of any ciphertext, by working in the target group.

Attack for the \(n=2\) Case. Suppose the adversary makes a query (1/2,1/2) and gets the ciphertext \((c_0,c_1,c_2)=(g_1^{\psi \delta },g_0^{\phi /2}g_1^{\psi \gamma _1},g_0^{\phi /2}g_1^{\psi \gamma _2})\). Observe that

$$\begin{aligned} (c_0,c_1\cdot c_2,c_2/c_1)&=(g_1^{\psi \delta },g_0^{\phi }g_1^{\psi (\gamma _1+\gamma _2)},g_1^{\psi (\gamma _2-\gamma _1)})\\ (c_0,c_1/c_2,c_1\cdot c_2)&=(g_1^{\psi \delta },g_1^{\psi (\gamma _1-\gamma _2)},g_0^{\phi }g_1^{\psi (\gamma _1+\gamma _2)}) \end{aligned}$$

are pseudo-ciphertexts (see Definition 6) for (1, 0) and (0, 1), respectively, which can be computed by the adversary. We represent the formation of the two pseudo-ciphertexts, respectively, via the following two matrices with the obvious interpretation:

$$ M_1=\begin{bmatrix}1 & 1\\ -1 & 1 \end{bmatrix} \quad \text{and} \quad M_2=\begin{bmatrix} 1 & -1 \\ 1 & 1\end{bmatrix}. $$

Suppose now the adversary gets a ciphertext for some unknown message \(x=(x_1,x_2)\) as \((C_0,C_1,C_2)=(g_1^{\tilde{\psi }\delta },g_0^{\tilde{\phi }x_1}g_1^{\tilde{\psi }\gamma _1},g_0^{\tilde{\phi }x_2}g_1^{\tilde{\psi }\gamma _2})\). With the pseudo-ciphertext for (1, 0), the adversary computes

$$\begin{aligned} \frac{e(C_1,c_1 \cdot c_2)e(C_2,c_2/c_1)}{e(C_0,c_0)}&=\frac{e(g_0^{\tilde{\phi }x_1}g_1^{\tilde{\psi }\gamma _1},g_0^{\phi }g_1^{\psi (\gamma _1+\gamma _2)})\cdot e(g_0^{\tilde{\phi }x_2}g_1^{\tilde{\psi }\gamma _2},g_1^{\psi (\gamma _2-\gamma _1)})}{e(g_1^{\tilde{\psi }\delta },g_1^{\psi \delta })}\\&=e(g_0,g_0)^{\phi \tilde{\phi }x_1}. \end{aligned}$$

Thus the adversary now possesses \((e(g_0,g_0)^{\phi \tilde{\phi }x_1},e(g_0,g_0)^{\phi \tilde{\phi }x_2})\), after processing the pseudo-ciphertext for (0, 1) similarly.

This trivially breaks the FtG security of PR scheme. Moreover, the adversary can test if x is orthogonal to any \(y=(y_1,y_2)\) of his choice by checking whether

$$ \left( e(g_0,g_0)^{\phi \tilde{\phi }x_1}\right) ^{y_1}\cdot \left( e(g_0,g_0)^{\phi \tilde{\phi }x_2}\right) ^{y_2}=1. $$

The adversary may also test for relations among the message coordinates, like whether \(x_1=\alpha x_2\) for some \(\alpha \) in a testable range. If x comes from a small domain then one can exhaustively try for all candidate y to check whether x and y are orthogonal and thereby recover x with non-negligible probability.

Attack for General n. Before describing the attack, we show that many pseudo-ciphertexts can be formed from a valid ciphertext.

Lemma 4

For \(1 \le i \le n\), let \(M_i=((m_{st}^{(i)}))\) be the \(n \times n\) matrix defined as follows. The i-th row is all ones: \(m_{it}^{(i)}=1\) for \(1 \le t \le n\). For \(1 \le s \le n\) with \(s \ne i\),

$$ m_{st}^{(i)}=\begin{cases} 1, & t=s\\ -1, & t=i\\ 0, & \text{otherwise}. \end{cases} $$

Let \(CT=(c_0,c_1,\ldots ,c_n)\) be a valid ciphertext for \(x=(x_1,\ldots ,x_n)\). Define \(\xi _i=M_i x^T\). Define \(W_i=(d_0^{(i)},d_1^{(i)},\ldots ,d_n^{(i)})\) as follows. For all j, define

$$ d_j^{(i)}=\begin{cases} c_0, & j=0\\ \prod _{k=1}^{n}c_k^{m_{jk}^{(i)}}, & \text{otherwise}. \end{cases} $$

Then \(W_i\) is a pseudo-ciphertext for \(\xi _i\).

Proof

We provide details for \(i=1\); the general case is similar. Observe that by applying \(M_1\) to \(x^T\) one obtains \(\xi _1=(\sum _{l=1}^{n} x_l,x_2-x_1,\ldots ,x_n-x_1)\). We also note that \(M_1(\gamma _1,\ldots ,\gamma _n)^T=(\sum _{l=1}^{n} \gamma _l,\gamma _2-\gamma _1,\ldots ,\gamma _n-\gamma _1)\). By an easy computation:

$$ \gamma _1\sum \gamma _l+\gamma _2(\gamma _2-\gamma _1)+\ldots +\gamma _n(\gamma _n-\gamma _1)=\delta ^2 \pmod {q}. $$

Let \((g_1^{\psi \delta },g_0^{\phi x_1}g_1^{\psi \gamma _1},\ldots ,g_0^{\phi x_n}g_1^{\psi \gamma _n})\) be a valid ciphertext for x. From this, we compute a pseudo-ciphertext for \(\xi _1\) as

$$ W_1=(g_1^{\psi \delta },g_0^{\phi \sum x_l}g_1^{\psi \sum \gamma _l},g_0^{\phi (x_2-x_1)}g_1^{\psi (\gamma _2-\gamma _1)},\ldots ,g_0^{\phi (x_n-x_1)}g_1^{\psi (\gamma _n-\gamma _1)}). $$

Let a ciphertext for \(y=(y_1,\ldots ,y_n)\) be given as

$$\begin{aligned} CT_y=(c_0,c_1,\ldots ,c_n)=\left( g_1^{\tilde{\psi } \delta },g_0^{\tilde{\phi }y_1}g_1^{\tilde{\psi } \gamma _1},\ldots ,g_0^{\tilde{\phi }y_n}g_1^{\tilde{\psi } \gamma _n}\right) . \end{aligned}$$

Suppose we run Test with \(CT_y\) and \(W_1\). It is easy to see that:

$$\begin{aligned} \frac{e(c_0,g_0^{\phi \sum x_l}g_1^{\psi \sum \gamma _l}) \prod _{l=2}^{n} e(c_l,g_0^{\phi (x_l-x_1)}g_1^{\psi (\gamma _l-\gamma _1)})}{e(g_1^{\tilde{\psi } \delta },g_1^{{\psi } \delta })}&=e(g_0,g_0)^{\phi \tilde{\phi }(y \cdot \xi _1)}\\&=1 \end{aligned}$$

if and only if y is orthogonal to \(\xi _1\), except with negligible probability.    \(\square \)

Corollary 1

By querying the vector \(x=(1/n,\ldots ,1/n)\), one can obtain the pseudo-ciphertexts for each of the unit vectors \(e_i=(0,\ldots ,0,1,0\ldots ,0)\) (1 in the ith place), \(1\le i \le n\).

In the following theorem we describe the attack for general n.

Theorem 2

Suppose in the proposed PR scheme of [29] the adversary is allowed to make one query for any message of its choice. Then, given a valid ciphertext for any unknown message \((x_1,\ldots ,x_n)\), the adversary can extract the tuple of elements \((\eta ;\eta ^{\phi ^{\prime }x_1},\ldots ,\eta ^{\phi ^{\prime }x_n})\) for some \(\eta \) belonging to the order-p subgroup of \({\mathbb G}_T\) and \(\phi ^{\prime } \in \mathbb {Z}_N\).

Proof

Let \((d_0,d_1,\ldots ,d_n)=(g_1^{\psi \delta },g_0^{\phi /n}g_1^{\psi \gamma _1},\ldots ,g_0^{\phi /n}g_1^{\psi \gamma _n})\) be the ciphertext for the queried message \((1/n,\ldots ,1/n)\). A ciphertext \(CT_x\) for some unknown \(x=(x_1,\ldots ,x_n)\) is given to the adversary, where \(CT_x=(c_0,c_1,\ldots ,c_n)=\left( g_1^{\tilde{\psi } \delta },g_0^{\tilde{\phi }x_1}g_1^{\tilde{\psi } \gamma _1},\ldots ,g_0^{\tilde{\phi }x_n}g_1^{\tilde{\psi } \gamma _n}\right) \).

Notice that the unit vector \(e_i\) can be written as \(e_i=M_i (1/n,\ldots ,1/n)^T\). From Lemma 4, the adversary can compute \(W_i=(w_0^{(i)},w_1^{(i)},\ldots ,w_n^{(i)})\), a pseudo-ciphertext for \(e_i\) as

$$ W_i=\left( g_1^{\psi \delta },g_1^{\psi (\gamma _1-\gamma _i)},\ldots ,g_1^{\psi (\gamma _{i-1}-\gamma _i)},g_0^{\phi }g_1^{\psi (\sum \gamma _j)},g_1^{\psi (\gamma _{i+1}-\gamma _i)},\ldots ,g_1^{\psi (\gamma _{n}-\gamma _i)}\right) . $$

The adversary further computes \(\left( {\prod _{l=1}^{n}e(c_l,w_l^{(i)})}\right) /{e(c_0,w_0^{(i)})}=e(g_0,g_0)^{\phi \tilde{\phi }x_i}\). In a similar fashion, the adversary obtains a tuple over the order-p subgroup of the target group \({\mathbb G}_T\) as \(\varOmega =\left( e(g_0,g_0)^{\phi \tilde{\phi }x_1},\ldots ,e(g_0,g_0)^{\phi \tilde{\phi }x_n}\right) \). The adversary now computes \(\eta :=\left( {\prod _{i=1}^n e(d_i,d_i)}\right) /{e(d_0,d_0)}=e(g_0,g_0)^{\phi ^2/n}\). Rewriting \(\varOmega \) as powers of \(\eta \), s/he gets \(\varOmega =(\eta ^{\phi ^{\prime }x_1},\ldots ,\eta ^{\phi ^{\prime }x_n})\). Hence the result.    \(\square \)

As already pointed out for the \(n=2\) case, the above argument shows that the adversary is capable of extracting a lot of information from the ciphertext of any unknown message vector x. Recall that the fundamental reason for having PPTag in symmetric setting is to prevent the adversary from being able to test whether a ciphertext of some unknown message satisfies a certain property and thereby learn some non-trivial information about the message. Given \(\varOmega \) the adversary can precisely do that and thus the scheme in [29] defeats the very purpose of symmetric key property preserving encryption.

6 Concluding Remarks

In this work we perform a comprehensive (crypt)analysis of property preserving symmetric encryption. On the definitional front, we revisit the FtG and LoR separation result in [29]. To do that we show that the equality property captures the property \(P_{qr}\) used in the separation results and provide a simple construction for the equality property to demonstrate that the separation results are non-vacuous. Based on the security attributes of our construction and its generalization we raise the pertinent question of whether the separation results actually indicate any real world difference between the two notions of security, and argue for a property specific study of the security notions. Continuing further in this direction, we show that an LoR-secure scheme may be constructed from a so-called weaker FtG-secure one for orthogonality. We demonstrate several attacks on the PPTag scheme for testing orthogonality from [29], refuting the claim that the scheme is provably secure. Our main attack successfully unmasks the subgroup elements to which the message vector is mapped and thereby points to a greater vulnerability beyond the notion of indistinguishability.