Key-updatable public-key encryption with keyword search (Or: How to realize PEKS with efficient key updates for IoT environments)

Abstract

Security and privacy are the key issues for the Internet of Things (IoT) systems. Especially, secure search is an important functionality for cooperation among users’ devices and non-trusted servers. Public-key encryption with keyword search (PEKS) enables us to search encrypted data and is expected to be used between a cloud server and users’ mobile devices or IoT devices. However, those mobile devices might be lost or stolen. For IoT devices, it might be difficult to store keys in a tamper-proof manner due to prohibitive costs. In this paper, we deal with such a key-exposure problem on PEKS and introduce the concept of PEKS with key-updating functionality, which we call key-updatable PEKS (KU-PEKS). Specifically, we propose two models of KU-PEKS: the key-evolution model and the key-insulation model. In the key-evolution model, a pair of public and secret keys can be updated if needed (e.g., the secret key is exposed). In the key-insulation model, the public key remains fixed while the secret key can be updated if needed. The former model makes a construction simple and more efficient than the latter. On the other hand, the latter model is preferable for practical use since a user never updates their public key. We show constructions in each model in a black-box manner. We also give implementation results on Raspberry Pi 3, which can be regarded as a reasonable platform of IoT devices.

Appendices

Proof of Lemma 1

We construct a PPT adversary \(\mathcal {B}\) which breaks the \(\mathsf{IND}\text {-}\mathsf{CPA}\) security of \(\mathcal {PKE}\) using a PPT adversary \(\mathcal {A}\) which wins \(\mathsf{G}_2\) or \(\mathsf{G}_3\).

Setup\(\mathcal {B}\) guesses \(i^*\) such that \(i^*\) is a time period when computing the challenge ciphertext, and the guess is correct since \(\mathsf{Fail}\) does not occur. Without loss of generality, we here assume \(i^*\ne 1\). When receiving \((\textsf {par}_{\textsc {pke}},\textsf {ek}^*)\), \(\mathcal {B}\) computes \((\textsf {ek}_1,\textsf {dk}_1)\leftarrow \mathsf{G}(\textsf {par}_{\textsc {pke}})\), \({\textsf {par}_{\textsc {peks}}}\leftarrow {\mathsf{Setup}_{\textsc {peks}}}(1^\lambda )\), and \(({\textsf {mpk}}_1,\textsf {msk}_1)\leftarrow {\mathsf{KeyGen}_{\textsc {peks}}}({\textsf {par}_{\textsc {peks}}})\), and chooses \(\mathsf{H}\overset{\tiny {\$}}{\leftarrow }\mathcal {H}\), \(\mathcal {A}\) then sends \(\textsf {pk}_1:=(\textsf {par}_{\textsc {pke}}, {\textsf {par}_{\textsc {peks}}},\mathsf{H},\textsf {ek}_1,{\textsf {mpk}}_1)\) to \(\mathcal {A}\). \(\mathcal {B}\) stores \(\textsf {sk}_1:=(\textsf {dk}_1,\textsf {msk}_1)\).

Oracle simulation\(\mathcal {B}\) simulates each oracle as follows.

\(\mathcal {O}_{\textsc {kg}}\)::

If \(\mathsf{ctr}\in \{1,\ldots ,i^*-2\}\), \(\mathcal {B}\) computes \((\textsf {ek}_{\mathsf{ctr}+1},\textsf {dk}_{\mathsf{ctr}+1})\leftarrow \mathsf{G}(\textsf {par}_{\textsc {pke}})\) and \(({\textsf {mpk}}_{\mathsf{ctr}+1},\textsf {msk}_{\mathsf{ctr}+1})\leftarrow {\mathsf{KeyGen}_{\textsc {peks}}}({\textsf {par}_{\textsc {peks}}})\), and returns \(\textsf {pk}_{\mathsf{ctr}+1}:{=}(\textsf {par}_{\textsc {pke}},{\textsf {par}_{\textsc {peks}}}, \mathsf{H}, \textsf {ek}_{\mathsf{ctr}+1},{\textsf {mpk}}_{\mathsf{ctr}+1})\) and \(\textsf {rk}_{\mathsf{ctr}\rightarrow \mathsf{ctr}+1}:=\textsf {dk}_{\mathsf{ctr}}\) to \(\mathcal {A}\). It stores \(\textsf {sk}_{\mathsf{ctr}+1}:=(\textsf {dk}_{\mathsf{ctr}+1},\)\(\textsf {msk}_{\mathsf{ctr}+1})\) and sets \(\mathsf{ctr}:=\mathsf{ctr}+1\). If \(\mathsf{ctr}=i^*-1\), \(\mathcal {B}\) computes \(({\textsf {mpk}}_{i^*},\textsf {msk}_{i^*})\leftarrow {\mathsf{KeyGen}_{\textsc {peks}}}({\textsf {par}_{\textsc {peks}}})\), and returns \(\textsf {pk}_{i^*}:=(\textsf {par}_{\textsc {pke}},{\textsf {par}_{\textsc {peks}}}, \mathsf{H}, \textsf {ek}^*,{\textsf {mpk}}_{i^*})\) and \(\textsf {rk}_{i^*-1 \rightarrow i^*}:=\textsf {dk}_{i^*-1}\) to \(\mathcal {A}\). \(\mathcal {B}\) stores only \(\textsf {msk}_{i^*}\) and sets \(\mathsf{ctr}:=i^*\). Note that \(\mathcal {B}\) does not know \(\textsf {dk}_{i^*}\).

\(\mathcal {O}_{\textsc {kl}}\)::

For a query \(j\in \{1,\ldots ,\mathsf{ctr}-1\}\), \(\mathcal {B}\) returns \(\textsf {sk}_j\).

\(\mathcal {O}_{\textsc {td}}\)::

For \((w,j)\in \mathcal {W}\times \{1,\ldots ,\mathsf{ctr}\}\), \(\mathcal {B}\) returns \({{\mathsf {Trapdoor}}_{\textsc {peks}}}(\textsf {msk}_j,\)\(\mathsf{H}(w))\).

Challenge\(\mathcal {B}\) receives \((w_0^*,w_1^*)\) from \(\mathcal {A}\) and randomly chooses \(\beta \leftarrow \{0,1\}\). \(\mathcal {B}\) chooses a zero-bit string \(0^{\log |\mathcal {Y}|}\) whose length is the same as the output of \(\mathsf{H}\) (we assume \(0^{\log |\mathcal {Y}|}\) can be efficiently encoded into an element of \(\mathcal {Y}\)). \(\mathcal {B}\) sends \((\hat{w}_0^*,\hat{w}_1^*):=(\mathsf{H}(w_{\beta }^*),0^{\log |\mathcal {Y}|})\) to the challenger of \(\mathcal {PKE}\) as challenge plaintexts. The challenger chooses \(b\overset{\tiny {\$}}{\leftarrow }\{0,1\}\), and returns \(\textsf {ct}_{\mathsf{ctr}}\leftarrow \mathsf{E}(\textsf {ek}^*,\hat{w}_b^*)\) to \(\mathcal {B}\). \(\mathcal {B}\) computes \(\textsf {ct}_{w_{\beta }^*,\mathsf{ctr}}\leftarrow {{\mathsf{Enc}}_{\textsc {peks}}}({\textsf {mpk}}_{\mathsf{ctr}},\mathsf{H}(w_\beta ^*))\), and returns \(\textsf {c}_{w_\beta ^*,\mathsf{ctr}}^{(0)}:=(\textsf {ct}_{\mathsf{ctr}},\textsf {ct}_{w_{\beta }^*,\mathsf{ctr}})\) to \(\mathcal {A}\).

Output If \(\mathcal {A}\)’s output \(\beta '\) satisfies \(\beta '=\beta \), \(\mathcal {B}\) outputs \(b'=0\). Otherwise, \(\mathcal {B}\) outputs \(b'=1\).

If \(b=0\), \(\textsf {c}_{w_\beta ^*,i^*}^{(0)}\) is the challenge ciphertext in \(\mathsf{G}_2\) where \(\mathsf{Fail}\) does not occur. On the other hand, if \(b=1\), \(\textsf {c}_{w_\beta ^*,i^*}^{(0)}\) is the challenge ciphertext in \(\mathsf{G}_3\) where \(\mathsf{Fail}\) does not occur. Therefore, we have

$$\begin{aligned}&\mathsf{Adv}_{\mathcal {PKE},\mathcal {B}}^{\mathsf{CPA}}(1^\lambda ) \\&\quad =\left| \Pr [\mathsf{Exp}_{\mathcal {PKE},\mathcal {B}}^{\mathsf{CPA}}(1^\lambda )=1]-\frac{1}{2} \right| \\&\quad = \left| \Pr [b'=b]-\frac{1}{2} \right| \\&\quad = \left| \Pr [b'=0 \wedge b=0] + \Pr [b'=1 \wedge b=1]-\frac{1}{2} \right| \\&\quad = \left| \frac{1}{2}\Pr [b'=0 \mid b=0] + \frac{1}{2}\Pr [b'=1 \mid b=1]-\frac{1}{2} \right| \\&\quad {=} \left| \frac{1}{2} \Pr [b'{=}0 \mid b{=}0] {+} \frac{1}{2}\left( 1 {-} \Pr [b'{=}0 \mid b{=}1]\right) {-}\frac{1}{2} \right| \\&\quad = \frac{1}{2}\left| \Pr [b'=0 \mid b=0]- \Pr [b'=0 \mid b=1] \right| \\&\quad = \frac{1}{2}\left| \Pr [\beta '=\beta \mid b=0]- \Pr [\beta '=\beta \mid b=1] \right| \\&\quad = \frac{1}{2}\left| \Pr [\mathsf{S}_2 \mid \lnot \mathsf{Fail}]- \Pr [\mathsf{S}_3 \mid \lnot \mathsf{Fail}] \right| . \end{aligned}$$

Hence, we have

$$\begin{aligned} \left| \Pr [\mathsf{S}_2 \mid \lnot \mathsf{Fail}]- \Pr [\mathsf{S}_3 \mid \lnot \mathsf{Fail}] \right| = 2 \mathsf{Adv}_{\mathcal {PKE},\mathcal {B}}^{\mathsf{CPA}}(1^{\lambda }). \qquad \square \end{aligned}$$

Proof of Lemma 2

We construct a PPT adversary \(\mathcal {B}\) which breaks the \(\mathsf{IND}\text {-}\mathsf{CKA}\) security of \(\mathcal {PEKS}\) using a PPT adversary \(\mathcal {A}\) which wins \(\mathsf{G}_3\) when \(\mathsf{Fail}\) does not occur.

Setup This procedure is almost the same as that in the proof of Lemma 1. \(\mathcal {B}\) guesses \(i^*\) such that \(i^*\) is a time period when generating the challenge ciphertext, and the guess is correct since \(\mathsf{Fail}\) does not occur. Without loss of generality, we here assume \(i^*\ne 1\). When receiving \(({\textsf {par}_{\textsc {peks}}},{\textsf {mpk}}^*)\), \(\mathcal {B}\) runs \(\textsf {par}_{\textsc {pke}}\leftarrow \mathsf{PG}(1^\lambda )\), \((\textsf {ek}_1,\textsf {dk}_1)\leftarrow \mathsf{G}(\textsf {par}_{\textsc {pke}})\), and \(({\textsf {mpk}}_1,\textsf {msk}_1)\leftarrow {\mathsf{KeyGen}_{\textsc {peks}}}({\textsf {par}_{\textsc {peks}}})\), and chooses \(\mathsf{H}\overset{\tiny {\$}}{\leftarrow }\mathcal {H}\). \(\mathcal {B}\) sends \(\textsf {pk}_1:=(\textsf {par}_{\textsc {pke}},{\textsf {par}_{\textsc {peks}}},\mathsf{H},\textsf {ek}_1,{\textsf {mpk}}_1)\) to \(\mathcal {A}\), and stores \(\textsf {sk}_1:=(\textsf {dk}_1,\textsf {msk}_1)\).

Oracle simulation\(\mathcal {B}\) simulates each oracle as follows.

\(\mathcal {O}_{\textsc {kg}}\)::

If \(\mathsf{ctr}\in \{1,\ldots ,i^*-2\}\), \(\mathcal {B}\) computes \((\textsf {ek}_{\mathsf{ctr}+1},\textsf {dk}_{\mathsf{ctr}+1})\leftarrow \mathsf{G}(\textsf {par}_{\textsc {pke}})\) and \(({\textsf {mpk}}_{\mathsf{ctr}+1},\textsf {msk}_{\mathsf{ctr}+1})\leftarrow {\mathsf{KeyGen}_{\textsc {peks}}}({\textsf {par}_{\textsc {peks}}})\), and returns \(\textsf {pk}_{\mathsf{ctr}+1}:=(\textsf {par}_{\textsc {pke}},{\textsf {par}_{\textsc {peks}}}, \mathsf{H}, \textsf {ek}_{\mathsf{ctr}+1},{\textsf {mpk}}_{\mathsf{ctr}+1})\) and \(\textsf {rk}_{\mathsf{ctr}\rightarrow \mathsf{ctr}+1}:=\textsf {dk}_{\mathsf{ctr}}\) to \(\mathcal {A}\). It stores \(\textsf {sk}_{\mathsf{ctr}+1}:=(\textsf {dk}_{\mathsf{ctr}+1},\)\(\textsf {msk}_{\mathsf{ctr}+1})\) and sets \(\mathsf{ctr}:=\mathsf{ctr}+1\). If \(\mathsf{ctr}=i^*-1\), \(\mathcal {B}\) computes \((\textsf {ek}_{i^*},\textsf {dk}_{i^*})\leftarrow \mathsf{G}(\textsf {par}_{\textsc {pke}})\), and returns \(\textsf {pk}_{i^*}:=(\textsf {par}_{\textsc {pke}},{\textsf {par}_{\textsc {peks}}}, \mathsf{H}, \textsf {ek}_{i^*},{\textsf {mpk}}^*)\) and \(\textsf {rk}_{i^*-1 \rightarrow i^*}:=\textsf {dk}_{i^*-1}\) to \(\mathcal {A}\). \(\mathcal {B}\) stores only \(\textsf {dk}_{i^*}\) and sets \(\mathsf{ctr}:=i^*\). Note that \(\mathcal {B}\) does not know \(\textsf {msk}_{i^*}\).

\(\mathcal {O}_{\textsc {kl}}\)::

For a query \(j\in \{1,\ldots ,\mathsf{ctr}-1\}\), \(\mathcal {B}\) returns \(\textsf {sk}_j\).

\(\mathcal {O}_{\textsc {td}}\)::

If \(\mathsf{ctr}\ne i^*\), for a query \((w,j)\in \mathcal {W}\times \{1,\ldots ,\mathsf{ctr}\}\), \(\mathcal {B}\) returns \({{\mathsf {Trapdoor}}_{\textsc {peks}}}(\textsf {msk}_j,\mathsf{H}(w))\). If \(\mathsf{ctr}= i^*\), \(\mathcal {B}\) simulates the oracle as follows. For a query \((w,j)\in \mathcal {W}\times \{1,\ldots ,\mathsf{ctr}\}\), if \(j\ne i^*\), \(\mathcal {B}\) returns \({{\mathsf {Trapdoor}}_{\textsc {peks}}}(\textsf {msk}_j,\mathsf{H}(w))\). Otherwise, \(\mathcal {B}\) sends w to \(\mathcal {O}_{\textsc {td}}\) of \(\mathcal {PEKS}\) to get \(\textsf {t}_{w}^*\leftarrow {{\mathsf {Trapdoor}}_{\textsc {peks}}}(\textsf {msk}^*,\)\(\mathsf{H}(w))\), and transfers it to \(\mathcal {A}\).

Challenge When receiving \((w_0^*,w_1^*)\) from \(\mathcal {A}\), \(\mathcal {B}\) sends \((\mathsf{H}(w_0^*),\)\(\mathsf{H}(w_1^*))\) to the challenger of \(\mathcal {PEKS}\). The challenger randomly chooses \(b\overset{\tiny {\$}}{\leftarrow }\{0,1\}\), and returns \(\textsf {ct}_{w_b^*,\mathsf{ctr}}\leftarrow {{\mathsf{Enc}}_{\textsc {peks}}}({\textsf {mpk}}^*,\)\(\mathsf{H}(w_b^*))\) to \(\mathcal {B}\). \(\mathcal {B}\) computes \(\textsf {ct}_{\mathsf{ctr}}\leftarrow \mathsf{E}(\textsf {ek}_{\mathsf{ctr}},0^{\log |\mathcal {Y}|})\), and returns \(\textsf {c}_{w_\beta ^*,\mathsf{ctr}}^{(0)}:=(\textsf {ct}_{\mathsf{ctr}},\textsf {ct}_{w_{\beta }^*,\mathsf{ctr}})\) to \(\mathcal {A}\).

Output\(\mathcal {B}\) outputs \(b'\), the output of \(\mathcal {A}\) as is.

The success probability of \(\mathcal {B}\) for the \(\mathsf{IND}\text {-}\mathsf{CKA}\) game is the same as that of \(\mathcal {A}\) for \(\mathsf{G}_3\). Therefore, we have

$$\begin{aligned} \left| \Pr [\mathsf{S}_3 \mid \lnot \mathsf{Fail}] - \frac{1}{2}\right| = \mathsf{Adv}_{\mathcal {PEKS},\mathcal {B}}^{\mathsf{CKA}}(1^\lambda ). \qquad \qquad \square \end{aligned}$$

\(\mathsf{DBDH}\) Assumption

The decisional bilinear Diffie–Hellman (DBDH) assumption is defined as follows. Let \(\mathcal {A}\) be a PPT adversary, and we consider the following game against \(\mathcal {A}\).

Definition 14

(\(\mathsf{DBDH}\)assumption) We say that the \(\mathsf{DBDH}\) assumption relative to a generator \(\mathcal {G}\) holds if for all PPT adversaries \(\mathcal {A}\), \(\mathsf{Adv}_{\mathcal {G},\mathcal {A}}^{\mathsf{DBDH}}(1^\lambda ):= |\Pr [\mathsf{Exp}_{\mathcal {G},\mathcal {A}}^{\mathsf{DBDH}}(1^\lambda )=1]-1/2|\) is negligible in \(\lambda \).