Public Key Encryption With Keyword Search Research Articles

Expressive Public-Key Encryption With Keyword Search: Generic Construction From KP-ABE and an Efficient Scheme Over Prime-Order Groups

Public key encryption with keyword search (PEKS) allows a cloud server to retrieve particular ciphertexts without leaking the contents of the searched ciphertexts. This kind of cryptographic primitive gives users a special way to retrieve the encrypted documents they need while preserving privacy. Nevertheless, most existing PEKS schemes only offer single-keyword search or conjunctive-keyword searcha. The poorly expressive ability and constantly inaccurate search results make them hard to meet users' requirements. Although several expressive PEKS (EPEKS) schemes were proposed, they entail high computation and communication costs. An ideal EPEKS scheme should enable fast and accurate ciphertext retrieval, while lowering the storage server's load and reducing the amount of communication data. Drawing on the strongly expressive ability of key-policy attribute-based encryption (KP-ABE), we propose a generic construction of EPEKS from KP-ABE. We demonstrate that the derived EPEKS scheme is secure under the chosen keyword attack if the implicit KP-ABE scheme fulfills the anonymity under the chosen plaintext attack. Furthermore, we present a concrete EPEKS scheme over the prime-order groups. The comparison and experimental results indicate that our scheme is more efficient than the existing EPEKS schemes.

A Decryptable Attribute-Based Keyword Search Scheme on eHealth Cloud in Internet of Things Platforms

Recently, attribute-based keyword search (ABKS) schemes have been used to provide fine-grained search over encrypted data on eHealth cloud in the Internet of Things (IoT) platforms. As compared to conventional public key encryption with keyword search (PEKS) schemes, ABKS schemes provide more powerful and flexible search operations which allow encrypted data to be retrieved by multiple users that satisfy set of attributes. However, there are still some limitations and security issues on the existing ABKS schemes. Many of the existing ABKS schemes only support for the encryption of keyword and require a separate cryptographic primitive to encrypt the message. Also, most of the schemes cannot resist offline keyword guessing attacks by inside attackers (i.e., the honest-but-curious servers). A secure-channel is needed for most of the ABKS schemes to transmit the trapdoors between the server and receivers. To solve these problems, we propose a secure-channel free ciphertext-policy decryptable attribute-based keyword search (CP-DABKS) scheme. The proposed scheme allows the authorised user who satisfy the access structure to decrypt the ciphertext. Our scheme not only resists the insider keyword guessing attack, but also eliminates the secure channel for trapdoor transmission. We formally define and prove the security of the proposed CP-DABKS scheme. We also demonstrate its application on an eHealth cloud platform.

An Efficient Public Key Searchable Encryption Scheme for Mobile Smart Terminal

With the wide application of the mobile smart terminals, the data privacy protection of the mobile smart terminals stored in the cloud is more and more important. Public key encryption with keyword search (PEKS) and secure channel free PEKS (SCF-PEKS) have been proposed for public key searchable encryption previously. However, the security of keyword search is far from enough. In addition, these schemes are mostly based on bilinear pairing and the computational efficiency is relatively low. In this paper, we propose a novel non-bilinear pairs SCF-PEKS schemes for mobile smart terminal that offer a high computational efficiency along with better security assurances than that of the existing alternatives. Without random oracle model, we prove the security and privacy of the scheme’s keyword ciphertext and keyword trapdoor through the game hopping method. Therefore, the scheme is capable of resisting outside online keyword guessing attack and inside offline keyword guessing attack. Based on the comparison and experimental results, the scheme turns out to be secure and practicable.

Public key encryption with conjunctive keyword search on lattice

Outsourcing data in cloud storage is gaining popularity recently. For protecting data privacy, the data should be encrypted, and it is thus critical to provide search services for encrypted outsourced data. However, it becomes a problem about how to retrieve encrypted data while protecting data privacy at the same time. Therefore, public key encryption with keyword search (PEKS) is proposed. Nevertheless, the majority of the existing PEKS schemes are based on bilinear mappings and do not provide quantum security. Although some lattice-based PEKS schemes have been proposed, they cannot support conjunctive keyword search. In this paper, we first propose a public key encryption with conjunctive keyword search (PECK) using lattices. Our PECK scheme provides efficient search over encrypted data containing multiple keywords for a single data user. To support multiple data users, a multi-user PECK scheme is also presented. The two schemes are proved secure against indistinguishable chosen keyword attacks (IND-CKA) based on learning with errors (LWE) problem in the random oracle model. Finally, we provide performance evaluation of our proposed scheme by theoretical analysis and experimental simulation.

Lightweighted Secure Searching Over Public-Key Ciphertexts for Edge-Cloud-Assisted Industrial IoT Devices

For the industrial Internet of Things (IIoT), public-key encryption with keyword search (PEKS) is a type of applicable and promising encryption technique to maintain the data stored in clouds secure and searchable. To further improve the efficiency of searching, it is popular to introduce edge computing near the IIoT as the substitute for a cloud. However, the straightforward collaboration of the two techniques performs negatively in latency-sensitive applications since the sluggish encryption of PEKS by IIoT devices negates the instant reaction of edges. To meet this challenge, in this article, we exploit the capability of the edge-cloud architecture and propose a lightweight-designed scheme called edge-aided searchable public-key encryption (ESPE). It allows IIoT devices to delegate their costly cryptographic operations to the nearby edge for fast computing and guarantees that all outsourced ciphertexts are semantically secure. Consequently, ESPE accelerates the corresponding ciphertext procedures on edges and saves over 70% encryption cost of an IIoT device.

ISEkFT

Public-key encryption with keyword search (PEKS) is a well-known technique which allows searching on encrypted data using the public key system. However, this technique suffers from the keyword guessing attack (KGA). To address this problem, a modified version of PEKS called public key encryption with fuzzy keyword search (PEFKS) has been introduced where each keyword is associated with an exact search trapdoor (EST) and a fuzzy search trapdoor (FST) which is provided to the cloud server. PEFKS prevents KGA in such a way that two or maximum three keywords share the same FST. Hence, even if the cloud server knows the FST it cannot link it to the corresponding keyword. But, with a probability of 1/3 the malicious cloud server can still guess the keyword corresponding to FST. Therefore, in this article, the authors present an approach which can improve the security of the PEFKS technique by reducing the probability of guessing the keyword to 1/k where k is the number of keywords that share the same FST, thus enhancing the overall reliability. In addition, the authors have used an identity-based encryption (IBE) as an underlying technique to construct the searchable encryption scheme and proved its security in the standard model.

A Secure Data Sharing Scheme with Designated Server

The cloud-assisted Internet of Things (CIoT) is booming, which utilizes powerful data processing capabilities of the cloud platform to solve massive Internet of Things (IoT) data. However, the CIoT faces new security challenges, such as the confidentiality of the outsourced data. Data encryption is a fundamental technique that can guarantee the confidentiality of outsourced data, but it limits target encrypted data retrieval from cloud platform. Public key encryption with keyword search (PEKS) provides a promising solution to address this problem. In PEKS, a cloud server can be authorized to search the keyword in encrypted documents and retrieve associated encrypted documents for the receiver. However, most existing PEKS schemes merely focus on keyword search function while ignoring the associated documents encryption/decryption function. Thus, in practice, a PEKS scheme must cooperate with another separated public key encryption (PKE) scheme to fulfill a completely secure data sharing scheme. To address this problem, in this paper, we propose a secure data sharing scheme with designated server that combines PKE scheme with PEKS scheme, which provides both keyword search and documents encryption/decryption functions. Furthermore, only the designated server can search the keyword via encrypted documents for enhanced security in our work. Moreover, our scheme also satisfies the public verifiability of search results, which includes both keywords and documents ciphertexts’ correctness and integrity. As to the security, our scheme provides stronger indistinguishability security of document and keyword in the proposed security model.

Blockchain-Assisted Public-Key Encryption with Keyword Search Against Keyword Guessing Attacks for Cloud Storage

Cloud storage enables users to outsource data to storage servers and retrieve target data efficiently. Some of the outsourced data are very sensitive and should be prevented for any leakage. Generally, if users conventionally encrypt the data, searching is impeded. Public-key encryption with keyword search (PEKS) resolves this tension. Whereas, it is vulnerable to keyword guessing attacks (KGA), since keywords are low-entropy. In this paper, we present a secure PEKS scheme called SEPSE against KGA, where users encrypt keywords with the aid of dedicated key servers via a threshold and oblivious way. SEPSE supports key renewal to periodically replace an existing key with a new one on each key server to thwart the key compromise. Furthermore, SEPSE can efficiently resist online KGA, where each keyword request made by a user is integrated into a transaction on a public blockchain (e.g., Ethereum), which allows key servers to learn the number of keyword requests made by the user without requiring a synchronization between them for per-user rate limiting. Security analysis and performance evaluation demonstrate that SEPSE provides a stronger security guarantee compared with existing schemes, at the expense of acceptable computational costs.

A Secure and Efficient Data Sharing and Searching Scheme in Wireless Sensor Networks.

Wireless sensor networks (WSN) generally utilize cloud computing to store and process sensing data in real time, namely, cloud-assisted WSN. However, the cloud-assisted WSN faces new security challenges, particularly outsourced data confidentiality. Data Encryption is a fundamental approach but it limits target data retrieval in massive encrypted data. Public key encryption with keyword search (PEKS) enables a data receiver to retrieve encrypted data containing some specific keyword in cloud-assisted WSN. However, the traditional PEKS schemes suffer from an inherent problem, namely, the keyword guessing attack (KGA). KGA includes off-line KGA and on-line KGA. To date, the existing literature on PEKS cannot simultaneously resist both off-line KGA and on-line KGA performed by an external adversary and an internal adversary. In this work, we propose a secure and efficient data sharing and searching scheme to address the aforementioned problem such that our scheme is secure against both off-line KGA and on-line KGA performed by external and internal adversaries. We would like to stress that our scheme simultaneously achieves document encryption/decryption and keyword search functions. We also prove our scheme achieves keyword security and document security. Furthermore, our scheme is more efficient than previous schemes by eliminating the pairing computation.

Key-updatable public-key encryption with keyword search (Or: How to realize PEKS with efficient key updates for IoT environments)

Security and privacy are the key issues for the Internet of Things (IoT) systems. Especially, secure search is an important functionality for cooperation among users’ devices and non-trusted servers. Public-key encryption with keyword search (PEKS) enables us to search encrypted data and is expected to be used between a cloud server and users’ mobile devices or IoT devices. However, those mobile devices might be lost or stolen. For IoT devices, it might be difficult to store keys in a tamper-proof manner due to prohibitive costs. In this paper, we deal with such a key-exposure problem on PEKS and introduce the concept of PEKS with key-updating functionality, which we call key-updatable PEKS (KU-PEKS). Specifically, we propose two models of KU-PEKS: the key-evolution model and the key-insulation model. In the key-evolution model, a pair of public and secret keys can be updated if needed (e.g., the secret key is exposed). In the key-insulation model, the public key remains fixed while the secret key can be updated if needed. The former model makes a construction simple and more efficient than the latter. On the other hand, the latter model is preferable for practical use since a user never updates their public key. We show constructions in each model in a black-box manner. We also give implementation results on Raspberry Pi 3, which can be regarded as a reasonable platform of IoT devices.

NormaChain: A Blockchain-Based Normalized Autonomous Transaction Settlement System for IoT-Based E-Commerce

Internet of Things (IoT)-based E-commerce is a new business model that relies on autonomous transaction management on IoT-devices. The management system toward IoT-based E-commerce demands autonomy, lightweight, and legitimacy. As blockchain is an innovative technology that is competent in governing the decentralized network, we adopt it to design the autonomous transaction management system on IoT E-commerce. However, current blockchain solutions, most namely cryptocurrencies, have fatal drawbacks of nonsupervisability and huge computational overhead, and hence cannot be directly applied on IoT-based E-commerce. In this paper, we propose NormaChain, a blockchain-based normalized autonomous transaction settlement system for IoT-based E-commerce. By designing a special three-layer sharding blockchain network, we can significantly increase transaction efficiency and system scalability. Additionally, by designing an innovative decentralized public key searchable encryption scheme (decentralized public key encryption with keyword search (PEKS) scheme), we can uncover illegal and criminal transactions and achieve crime traceability. Our new decentralized PEKS scheme cryptographically eliminates the dependence of a trusted central authority in the original PEKS scheme and instead expands it to a fully decentralized governance, which distributes the supervision power equally among all parties. More importantly, by proving NormaChain is secure against chosen ciphertext attacks and against the stealing of the secret key, we show that NormaChain prevents a legitimate user’s privacy from being violated by banks, supervisors or malicious adversaries. Finally, we deliver the NormaChain system with design details and full implementations. Experiments show that the average transaction-per-second on IoT devices is around 113, and the supervision accuracy is 100% when proper target illegal keywords are provided.

Pairing-Free Identity-Based Encryption with Authorized Equality Test in Online Social Networks

Online social networking applications have become more and more popular in the advance of the technological age. Much of our personal information has been disclosed in social networking activities and privacy-preserving still remains a research challenge in social network. Public key encryption scheme with equality test(PKEET), which is an extension of public key encryption with keyword search (PEKS), seems to be a solution. PKEET enables the tester to check whether two given ciphertexts are derived from the same plaintext. Recently, Zhu et al. proposed a pairing-free public key encryption scheme with equality test based on the traditional public key cryptosystem. However, it suffers from certificates management issue. In this paper, we propose a pairing-free identity-based encryption scheme with authorized equality test(PF-IBEAET). The PF-IBEAET scheme also provides fine-grained authorizations. We prove that the scheme is one way secure against chosen identity and chosen ciphertext attack (OW-ID-CCA) and indistinguishable against chosen-identity and chosen-ciphertext attack (IND-ID-CCA) in the random oracle model (ROM). Performance analysis shows that the scheme achieves a better performance than similar schemes.

Witness-based searchable encryption with optimal overhead for cloud-edge computing

Abstract The security and utilization of cloud storage are well-known open issues. Public key encryption with keyword search (PEKS) provides an important primitive to discuss applications in the field of cloud storage, where the receiver can use the trapdoor of the keyword to search. However, the internal attack derived by the cloud server is an inherent issue of PEKS. There are two breakthroughs, so-called authenticated PEKS (APKES) and witness-based searchable encryption (WBSE), to tackle this issue by modifying framework of PEKS. The existing schemes of APEKS and WBSE can offer security against the internal attacks, but they require the trapdoor size is proportional to c n where n is the total number of senders, and c is the constant size of the ciphertext or proportion to the security parameter. In this paper, we propose a new WBSE scheme with constant overhead as long as n is bounded. We analyze the security of our scheme based on homomorphic encryption and digital signature. Finally, we provide implementations to show the effectiveness on the cloud-edge model.

Lattice-based proxy-oriented identity-based encryption with keyword search for cloud storage

Public-key encryption with keyword search (PEKS) enables users to search over encrypted data and retrieve target data efficiently. However, most of existing PEKS schemes are vulnerable to adversaries equipped with quantum computers in the near future, and even incur complex certificate management procedures due to the public key infrastructure (PKI). To this end, we propose a proxy-oriented identity-based encryption with keyword search (PO-IBEKS) scheme from lattices for cloud storage, which is post-quantum secure. In PO-IBEKS, an original data owner authorizes a proxy to encrypt sensitive data as well as corresponding keywords and upload ciphertexts to clouds, which alleviates the data processing burden on the original data owner. Besides, PO-IBEKS can resist inside keyword guessing attacks (IKGA) from misbehaved cloud servers by integrating the learning with errors (LWE) encryption and preimage sampleable function. Each entity in PO-IBEKS is identified with her/his recognizable information, thereby eliminating managing certificates. Formal security analysis proves that PO-IBEKS can achieve ciphertext indistinguishability, existential unforgeability, and delegation security. Experimental results demonstrate PO-IBEKS is much more practical when compared with existing schemes.

A Generic Construction of Integrated Secure-Channel Free PEKS and PKE and its Application to EMRs in Cloud Storage.

To provide a search functionality for encrypted data, public key encryption with keyword search (PEKS) has been widely recognized. In actual usage, a PEKS scheme should be employed with a PKE scheme since PEKS itself does not support the decryption of data. Since a naive composition of a PEKS ciphertext and a PKE ciphertext does not provide CCA security, several attempts have been made to integrate PEKS and PKE in a joint CCA manner (PEKS/PKE for short). In this paper, we further extend these works by integrating secure-channel free PEKS (SCF-PEKS) and PKE, which we call SCF-PEKS/PKE, where no secure channel is required to send trapdoors. We give a formal security definition of SCF-PEKS/PKE in a joint CCA manner, and propose a generic construction of SCF-PEKS/PKE based on anonymous identity-based encryption, tag-based encryption, and one-time signature. We also strengthen the current consistency definition according to the secure-channel free property, and show that our construction is strongly consistent if the underlying IBE provides unrestricted strong collision-freeness which is defined in this paper. We also show that such an IBE scheme can be constructed by employing the Abdalla et al. transformations (TCC 2010/J. Cryptology 2018). Finally, as an application of SCF-PEKS/PKE, we strengthen the security of encrypted Electronic Medical Record (EMR) system proposed by Guo and Yau (J. Medical Sys. 2015).

Public-key encryption with keyword search: a generic construction secure against online and offline keyword guessing attacks

In public-key setting, the problem of searching for keywords in encrypted data is handled by the notion of public-key encryption with keyword search (PEKS). An important challenge in designing secure PEKS schemes is providing resistance against variants of an attack known as the keyword guessing attack (KGA). Basically, by KGA, an adversary is able to determine the searched keyword through using the data communicated in the search process. Security against offline KGA performed by both inside/outside adversaries is well-studied in the literature. However, this is not true about the online version. In this paper, we employ a technique called ciphertext re-randomization to propose a generic construction for designing PEKS schemes which are secure against both online and offline KGAs performed by outsiders. We show that compared to existing literature, our construction is more efficient in terms of computational and communication costs.

Decentralized attribute-based conjunctive keyword search scheme with online/offline encryption and outsource decryption for cloud computing

In recent years, the increasing popularity of cloud computing has led to a trend that data owners prefer to outsource their data to the clouds for the enjoyment of the on-demand storage and computing services. For security and privacy concerns, fine-grained access control and secure data retrieval for the outsourced data is of critical importance. Attribute-based keyword search (ABKS) scheme, as a cryptographic primitive which explores the notion of public key encryption with keyword search (PEKS) into the context of attribute-based encryption (ABE), can enable the data owner to flexibly share his data to a specified group of users satisfying the access policy and meanwhile, maintain the confidentiality and searchable properties of the sensitive data. However, in most of the previous ABKS schemes, the decryption service is not provided, and a fully trusted central authority is required, which is not practical in the scenario that the access policy is written over attributes or credentials issued across different trust domains and organizations. Moreover, the efficiency of storage and computation is also the bottleneck of implementation of ABKS scheme. In this paper, for the first time, we propose a decentralized ABKS scheme with conjunctive keyword search for the cloud storage system. Besides the multi-keyword search in the decentralized setting, our scheme outsources the undesirable costly operations of decryption to the cloud without degrading the user’s privacy. Furthermore, the encryption phase is also divided into two phases, an offline pre-computation phase which is independent with the plaintext message, access policy, and keyword set, and can be performed at any time when the data owner’s device is otherwise not in use, and an online encryption phase which only incurs very little computation costs. Security analysis indicates that our scheme is provably secure in the random oracle model. The asymptotic complexity comparison and simulation results also show that our scheme achieves high computation efficiency.

Public-Key Encryption with Integrated Keyword Search

Since the last decade, the public-key encryption with keyword search (PEKS) has been studied as a popular technique for searching data over encrypted files. The notion finds useful application for fine-grained data search on outsourced encrypted data like iCloud, mobile cloud data, etc. In this paper, we present a concrete public-key encryption (PKE)+PEKS scheme and prove its security in the standard model. We prove that our scheme is both IND-PKE-CCA secure, that is, provides message confidentiality against an adaptive chosen-ciphertext adversary, and IND-PEKS-CCA secure, that is, provides keyword privacy against an adaptive chosen-ciphertext adversary, under the Symmetric eXternal Diffie-Hellman (SXDH) assumption. Our construction uses asymmetric pairings which enable a fast implementation useful for practical applications. Our scheme has much shorter ciphertexts than other known PKE+PEKS schemes. Particularly, we compare our scheme with other proposed PEKS and integrated PKE+PEKS schemes and provide a relative analysis of various parameters including assumption, security, and efficiency.

An ElGamal-like Secure Channel Free Public Key Encryption with Keyword Search Scheme

The idea of public key encryption with keyword search (PEKS), proposed by Boneh et al., enables one to send a trapdoor containing a encrypted keyword to query data without revealing the keyword. In Boneh et al.’s design, the trapdoor has to be transferred through a secure channel, which is both costly and inefficient. Baek et al. then proposed an efficient secure channel free public key encryption scheme with keyword search (SCF-PEKS). After that, vast amounts of research have focused on the protection against the off-line keyword guessing attack (OKGA) by enhancing the model. However, most of the PEKS/SCF-PEKS schemes developed so far are constructed by applying bilinear pairing and are susceptible to off-line keyword guessing attacks. In this paper, we propose a new SCF-PEKS scheme based on the ElGamal cryptosystem. The proposed scheme is not only secure against off-line keyword guessing attacks but also improves the efficiency.

Provably secure public-key encryption with conjunctive and subset keyword search

Public-key encryption with keyword search (PEKS) schemes enable public key holders to encrypt documents, while the secret key holder is able to generate queries for the encrypted data. In this paper, we present two PEKS schemes with extended functionalities. The first proposed scheme supports conjunctive queries. That is, it enables searching for encrypted documents containing a chosen list of keywords. We prove the computational consistency of our scheme, and we prove security under the asymmetric DBDH assumption. We show that it improves previous related schemes in terms of efficiency and in terms of index and trapdoor size. The second proposed scheme supports subset queries and some more general predicates. We prove the computational consistency of our scheme, and we prove our scheme secure under the p-BDHI assumption. We show that it improves previous related schemes in terms of efficiency and expressiveness. Moreover, unlike previous related schemes, it admits an arbitrary keyword space.