
lingliu/papers/2013/RuiZhang-SecureCo... · 2013. 7. 25.

Symmetric Encryption with Efficient Keyword Search

Rui Zhang1, Rui Xue1, and Ling Liu2

1 State Key Laboratory Of Information Security (SKLOIS), Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100193, China
zhangrui,[email protected],

2 College of Computing, Georgia Institute of Technology, GA 30332-0765, USA
[email protected]

Abstract. Security and efficiency are widely recognized as important requirements for querying encrypted data in the cloud environment. In this paper we propose efficient searchable symmetric encryption (named ESSE) schemes that support binary search and achieve both plaintext privacy and predicate privacy. Firstly, we present the idea of constructing a searchable symmetric encryption scheme that is capable of supporting binary search. Then we give a new framework for ESSE and its security definition, showing that an ESSE scheme has both plaintext privacy and predicate privacy if the underlying symmetric-key predicate-only encryption scheme has both plaintext privacy and predicate privacy. Next, we propose a general construction from an SKPOE scheme supporting inner product queries, where the class of predicates is $F = \{f_y \mid y \in \Sigma\}$ with $f_y(x) = 1$ iff $\langle x, y \rangle = 0$. Finally, we propose a concrete construction on groups of prime order, which achieves both plaintext privacy and predicate privacy under the d-linear assumption. Our initial experimental results show that ESSE schemes are more efficient for querying encrypted indices in the cloud environment.

Key words: searchable symmetric encryption, binary search, symmetric-key predicate-only encryption, predicate privacy, cloud computing

1 Introduction

The proliferation of a new breed of cloud applications that store and process data at remote locations has led to the emergence of search over encrypted data as an important research problem. In a typical setting of the problem, data is stored at the remote location in an encrypted form. A query generated at the client side is transformed into a representation such that it can be evaluated directly on encrypted data at the remote location. The returned results might be processed by the client after decryption to determine the final answers.

Informally, a practical encryption scheme used above should satisfy the following properties: logarithmic (or sublinear) search time, and the ciphertexts together with encrypted search tokens reveal at most the result of the search. Unfortunately, none of the previously-known constructions achieve all these properties at the same time.

To address this, we propose the first efficient searchable symmetric encryption (ESSE) scheme that satisfies all the properties outlined above: it can search keywords in time logarithmic in the number of keywords, and it achieves the predicate privacy proposed in [27], which is a stronger security notion than IND2-CKA.

1.1 Previous Work

Searchable Encryption. The problem of searching on symmetrically encrypted data can be solved by the work of Goldreich and Ostrovsky [18] on oblivious RAMs. Unfortunately, this approach requires interaction and has a high overhead. Searchable symmetric encryption was first considered explicitly by Song, Wagner and Perrig in [29], where they give a non-interactive solution that achieves search time that is linear in the size of the data collection.

Formal security notions for SSE have evolved over time. The first security notion, known as semantic security against adaptive chosen keyword attack (CKA1), was formulated by Goh [17]. CKA1-security guarantees that: (1) the encrypted index and the ciphertexts do not reveal any information about the file collection other than the number of files and their length; and (2) the encrypted index and a search token reveal at most the outcome of the search. Several subsequent works on SSE schemes use CKA1 as the security definition [17, 14, 15]. However, CKA1-security only provides security if the search queries are independent of the ciphertext of the index, of the data collection and of previous search results. Curtmola, Kamara and Ostrovsky [15] proposed a stronger notion of adaptive security against chosen-keyword attacks (CKA2) to address this problem. Later, Kurosawa and Ohtaki [23] put forth the even stronger notion of universally composable (UC) SSE that guarantees security even when the scheme is used in arbitrary environments.

While there are several CKA2-secure SSE schemes [15, 23, 24, 21, 13], none of these schemes is explicitly probabilistic; that is, the tokens they generate with pseudorandom functions (PRFs) or pseudorandom permutations (PRPs) are deterministic, in the sense that the same token will always be generated for the same keyword. This means that searches leak statistical information about the user's search pattern [20].

In the decade of SSE development, searchable encryption has also been considered in the public-key setting, and much excellent work [11, 1, 9, 25] has been proposed.

Deterministic Encryption and Order-Preserving Symmetric Encryption. Another line of work uses deterministic encryption [3, 4, 6, 16] to enable efficient search on encrypted data under an as-strong-as-possible definition of privacy. The security notion of privacy for deterministic encryption is called PRIV: the encryption may be randomized, but there is a deterministic, collision-resistant function of the plaintext that can be computed from the ciphertext and serves as a tag, permitting fast comparison-based search. In addition, this approach requires that the plaintexts of data and queries are sampled from a distribution of high min-entropy.

Another deterministic symmetric encryption scheme is called order-preserving symmetric encryption (OPE) [2, 7, 8], whose encryption algorithm produces ciphertexts that preserve the numerical ordering of the plaintexts, as a tool to support efficient range queries on encrypted data. As with deterministic encryption schemes [3, 4, 6, 16], standard security notions such as indistinguishability against chosen-plaintext attack (IND-CPA) are unachievable by a practical OPE scheme. Instead, an "as-random-as-possible" security notion called a pseudorandom order-preserving function (POPF), in the spirit of PRFs, is adopted.

We observe that both the above searchable symmetric encryption schemes and the deterministic encryption schemes are capable of efficient search with sublinear time complexity, but their deterministic tokens leave them defenceless against statistical attack.

Predicate Encryption. To deal with this, Shen, Shi and Waters [27] designed a symmetric-key predicate-only encryption (SKPOE) scheme with probabilistic tokens based on predicate encryption [22, 28, 5] and considered a new security notion called predicate privacy. The property of predicate privacy is that tokens reveal no information about the encoded query predicate, which is inherently impossible to achieve in the public-key setting. However, due to the use of a complex probabilistic encryption algorithm to generate tokens, the construction of [27] requires $O(n^2)$ time to search, where $n$ denotes the number of keywords in the collection. Table 1 summarizes the differences between our scheme and other existing schemes.

1.2 Our Contributions

In this paper, we build probabilistic symmetric searchable encryption schemes that take time logarithmic in the size of the ciphertexts of the indices. To the best of our knowledge, there has been no probabilistic searchable scheme able to support efficient search in logarithmic time, even in the symmetric-key setting.

– Firstly, we present the idea of constructing efficient searchable symmetric encryption (ESSE, for short) schemes that are capable of supporting binary search. More specifically, we transform the unordered plaintexts of indices into a special ordered array, on which an "exact match" query between the encoded token and the ciphertexts of indices determines whether the queried keyword is contained in a certain index. Then we give a new framework for ESSE and its security definition to show that an ESSE scheme has both plaintext privacy and predicate privacy if the underlying symmetric-key predicate-only encryption scheme has both plaintext privacy and predicate privacy.


Table 1. Comparison of several SSE Schemes

Scheme | Security | Complexity Assumption | Index size | Search time
SWP00 [29] | CPA | PRF, PRP | N/A | $O(|D|)$
Z-IDX [17] | CKA1 | PRF, PRP | $O(m)$ | $O(m)$
CM05 [14] | CKA1 | PRF, PRP | $O(m \cdot n)$ | $O(m)$
SSE-1 [15] | CKA1 | PRF, PRP | $O(\sum_{i=1}^{n} \#D_i + n)$ | $O(\#D_i)$
SSE-2 [15] | CKA2 | PRF, PRP | $O(m \cdot n)$ | $O(m)$
vLSDHJ10 [24] | CKA2 | PRF, PRP | $O(n \cdot Max(\#D_i))$ | $O(\log n)$
KO12 [23] | UC | PRF, PRP | $O(m \cdot n)$ | $O(n)$
KPR12 [21] | CKA2 | PRF, PRP | $O(\sum_{i=1}^{n} \#D_i + n)$ | $O(\#D_i)$
SKPOE [27] | 2P-PRIV | Assump. 1 of [22], C3DH, DLin | $O(n^2)$ | $O(n^2)$
SK-PE-1 [30] | 2P-PRIV | Assump. 1 of [30] | $O(n^2)$ | $O(n^2)$
SK-PE-2 [30] | 2P-PRIV | Def. 4 of [30] | $O(n^2)$ | $O(n^2)$
ESSE-1 (this paper) | 2P-PRIV | Assump. 1 of [22], C3DH, DLin | $O(n^2)$ | $O(n \log n)$
ESSE-2 (this paper) | 2P-PRIV | d-Linear | $O(n^2)$ | $O(n \log n)$

For comparison, the search time is per query for one keyword $w_i$.
$m$: the total number of documents.
$n$: the total number of keywords.
$D$: the ensemble of documents.
$|D|$: the bit length of $D$.
$\#D_i$: the number of documents that contain the keyword $w_i$.
$Max(\#D_i)$: the maximum number of documents in which a keyword $w_i$ appears.
We write 2P-PRIV for plaintext privacy and predicate privacy.

– Next, we propose a general construction with a symmetric-key predicate-only encryption scheme supporting inner product queries, where the class of predicates is $F = \{f_y \mid y \in \Sigma\}$ with $f_y(x) = 1$ iff $\langle x, y \rangle = 0$.

– Thirdly, we present a concrete construction on groups of prime order. This scheme achieves both plaintext privacy and predicate privacy under the d-linear assumption.

– Lastly, we analytically and experimentally prove that ESSE schemes are more efficient for querying encrypted indices in the cloud environment.

2 Problem Formulation

Our basic idea is to build a probabilistic searchable encryption scheme supporting efficient search such as binary search. In this section, we roughly describe how to achieve efficient search with a searchable encryption scheme, and its privacy requirements.

2.1 The System Model

Consider a cloud data storage service involving four different entities: the data owner, the data user, the storage service provider (cloud service provider), and the datacenter (cloud infrastructure provider). The storage service provider deploys its storage service on top of the utility computing in the datacenter and delivers the service to end users (including data owners and data users) through the Internet. In our setting, neither the cloud service provider nor the cloud infrastructure provider is fully trusted by data owners or data users, so they are treated as one integrated entity, named the cloud server.

The data owner has a set of documents $D$ to be outsourced to the cloud server in encrypted form. To enable query capability over the encrypted documents, the data owner builds an encrypted searchable index $I$ with keywords $w_1, w_2, \dots, w_n$ from $D$ before outsourcing, and then both the index $I$ and the encrypted document dataset $D$ are outsourced to the cloud server. For every query for $w_i$, a data user computes a token $T$ and sends it to the cloud server. Upon receiving $T$ from the data user, the cloud server performs the query over the encrypted index $I$ and returns the encrypted candidate documents. Finally, the data user decrypts the candidate documents and verifies each document by checking the keyword.

In this paper, we propose searchable encryption schemes under symmetric-key cryptography, where the data owner plays the role of the data user. Moreover, the symmetric-key setting is more reasonable for our encryption scheme since the data user is required to know the structure and the order of the indexes; otherwise, he cannot generate the corresponding token correctly.

2.2 How to Achieve Fast Search

For efficient search, our first thought is to transform the disordered structure of keywords into an ordered structure, which can support efficient search such as binary search in $O(\log n)$ time, where $n$ is the number of keywords. But the disadvantage of such an ordered structure is that it reveals structural information about the keywords. With the transformation method in this paper, it leaks no information but the number of keywords in each plaintext. Therefore, this ordered structure is meaningful in practical applications.

Extension of Index-Based Structure. We extend the index-based document structure to satisfy the requirement of binary search. Let $D = \{d_1, d_2, \dots, d_m\}$ be the ensemble of documents to be stored on an untrusted server, where $d_i$ ($1 \le i \le m$) denotes the $i$-th document and $|D| = m$ is the number of all documents. Each document $d_i$ contains a set of keywords. Let $W = \{w_1, w_2, \dots, w_n\}$ be the ensemble of keywords in $D$, where $|W| = n$ is the total number of keywords. $D_i \subseteq D$ ($1 \le i \le n$) denotes the set of documents containing keyword $w_i$. Therefore, $n$ keywords classify $m$ documents into $n$ sets. The keywords and the sets of documents are respectively encrypted by encryption algorithms $E$ and $Enc$ and stored in the remote database as shown in the left side of Figure 1, where $E$ and $Enc$ are different encryption schemes: $E$ is a searchable symmetric encryption scheme supporting efficient search proposed in this paper, and $Enc$ can be any secure symmetric encryption scheme. The $n$ encrypted keywords can be regarded as indices of the ciphertexts of documents, and the index can be expressed as $I = \{I_1, \dots, I_n\} = \{E(w_1), E(w_2), \dots, E(w_n)\}$. A data user can issue a query with token $T = E(w_i)$ for the documents containing keyword $w_i$; the server compares the token $T$ with each $I_i$ and returns the matched ciphertexts $Enc(D_i)$ of documents. Obviously, the time complexity of such a search operation in the database is $O(n)$.

[Fig. 1. The Extended Index. Left, the original index $I$: rows $E(w_1) \mid Enc(D_1)$, $E(w_2) \mid Enc(D_2)$, ..., $E(w_n) \mid Enc(D_n)$. Right, the extended index $I'$: rows $E(w_1, *, \dots, *) \mid Enc(D_1)$, $E(w_1, w_2, *, \dots, *) \mid Enc(D_2)$, ..., $E(w_1, w_2, \dots, w_n) \mid Enc(D_n)$.]

To enable binary search, the indices should be ordered and comparable. Thus, we extend the original indices $I$ to $I' = \{I'_1, \dots, I'_n\} = \{E(w_1, *, \dots, *), E(w_1, w_2, *, \dots, *), \dots, E(w_1, w_2, \dots, w_n)\}$ as shown in the right side of Figure 1, where $I'_i = E(w_1, \dots, w_i, *, \dots, *)$ denotes the $i$-th index of $I'$, and $*$ can be any value in the keyword domain of the keyword length. The number of indexes in the set $I'$ is $|I'| = n$. The sequence of the keywords $w_1, w_2, \dots, w_n$ is according to the data owner's preference and not necessarily lexicographical.

Query with Binary Search. Binary search finds the position of a specified value (the input keyword) within a sorted array. In each step, the algorithm compares the input value with the value of the middle element of the array. If the values match, then a matching element has been found, so its index or position is returned. Otherwise, if the sought value is less than the middle element's key, then the algorithm repeats its action on the sub-array to the left of the middle element or, if the input value is greater, on the sub-array to the right. If the remaining array to be searched is reduced to zero, then the key cannot be found in the array and a special "Not found" indication is returned. A binary search halves the number of items to check with each iteration, so locating an item (or determining its absence) takes logarithmic time.

Algorithm 1 shows the pseudo-code for query with binary search. Given a token $T$ for keyword $w_i$ and the encrypted indices $I'$ with $n$ elements, the algorithm exposes the index $I'_i$ and returns the corresponding ciphertexts of the set $D_i$ of all documents containing keyword $w_i$.

Specifically, the algorithm first allocates two variables $head$ and $end$ to indicate the beginning and the end of $I'$ respectively, that is, the value of $head$ is 1 and the value of $end$ is $n$. In addition, a variable $mid$ is used to indicate the median of $head$ and $end$, and a variable $round$ is used to indicate the current number of rounds; both of these variables are initialized to 0. In the first round, $mid$ is set to the median of $head$ and $end$, i.e. $\lceil n/2 \rceil$. If $Query(T, I'_{mid}) = 1$, which means that $w_i$ is contained in $I'_{mid}$, then the algorithm continues to perform the Query algorithm with $T$ and the median of the first half of the index, that is, it sets $end = mid - 1$ and $mid = \lceil (head + end)/2 \rceil$; otherwise, the algorithm performs the Query algorithm with $T$ and the median of the latter half of the index, namely it sets $head = mid + 1$ and $mid = \lceil (head + end)/2 \rceil$. The search process is iterated until $head > end$. Finally, the algorithm outputs the value indexed by $I'_{mid}$. If $I'_{mid+1}.value$ is not null, then the algorithm returns the corresponding encrypted document set; otherwise, the algorithm returns $\bot$ for "Not found".

Algorithm 1 Query with Binary Search($I'$, $T$)
Input: $I'$, $T$
Output: $Enc(D_i)$ or $\bot$
  n = length(I')
  round = 0, head = 1, end = n, mid = 0
  while head ≤ end do
    mid = (head + end) >> 1
    if Query(T, I'_mid) = 1 then
      end = mid − 1
    else
      head = mid + 1
    end if
    round++
  end while
  return I'_{mid+1}.value, round

2.3 Privacy Requirements

Data privacy is to prevent the cloud server from prying into outsourced documents, and can be well protected by existing encryption schemes and access control mechanisms. In related work on privacy-preserving query, such as searchable encryption [29, 11, 17], the representative privacy requirement is that the server should learn nothing but the query results. With this general privacy statement, we explore and establish a set of stringent privacy requirements specifically for our schemes.

Plaintext Privacy. With respect to plaintext privacy, if the cloud server deduces any association between frequent keywords and the encrypted dataset from the outsourced indices, it may learn the main content of a document. Therefore, searchable indices should be constructed in such a way that prevents the cloud server from performing this kind of association attack. This concept is identical to the plaintext privacy in [27]. However, in our setting, due to the modification of the index structure, the server may learn the number of underlying keywords from the sequence of the encoded index. But the server cannot deduce any other information about the keywords from the encoded indices, and this leakage is tolerated in practice.

Predicate Privacy. Data users usually prefer to keep their queries from being exposed to others like the cloud server, and the most important concern is to hide what they are querying, i.e., the keyword indicated by the corresponding token. In our ESSE schemes, the randomized generation of tokens guarantees the privacy of the queried keyword, which is called predicate privacy in [27].

3 Preliminaries

Before we define the general framework of the ESSE scheme, we first recall the definition of a symmetric-key predicate-only encryption (SKPOE) scheme [27], since each round of the binary search is actually performing a query of the SKPOE scheme, in which evaluating a token on a ciphertext outputs a bit indicating whether the encrypted plaintext satisfies the predicate corresponding to the token. Therefore, our ESSE scheme can be constructed from an SKPOE scheme.

3.1 The Framework of SKPOE

Let $\Sigma$ denote a finite set of plaintexts, and let $F$ denote a finite set of predicates $f: \Sigma \to \{0, 1\}$. We say that $W \in \Sigma$ satisfies a predicate $f$ if $f(W) = 1$.

Definition 1 (Symmetric-Key Predicate-Only Encryption Scheme). A symmetric-key predicate-only encryption scheme consists of the following probabilistic polynomial time (PPT) algorithms.

Setup($1^\lambda$): Takes as input a security parameter $1^\lambda$ and outputs a secret key $SK$.

Encrypt($SK, W$): Takes as input a secret key $SK$ and a plaintext $W \in \Sigma$, and outputs a ciphertext $I$.

TokenGen($SK, f_{w_i}$): Takes as input a secret key $SK$ and a description of a predicate $f_{w_i} \in F$ for queried keyword $w_i$, and outputs a token $T_{f_{w_i}}$.

Query($T, I$): Takes as input a token $T_{f_{w_i}}$ and a ciphertext $I$. It outputs either 0 or 1, indicating the value of the predicate $f_{w_i}$ evaluated on the underlying plaintext.

Definition 2 (Correctness). For all $\lambda$, all $W \in \Sigma$, and all $f_{w_i} \in F$, letting $SK \leftarrow Setup(1^\lambda)$, $T_{f_{w_i}} \leftarrow TokenGen(SK, f_{w_i})$, and $I \leftarrow Encrypt(SK, W)$,

– If $f_{w_i}(W) = 1$, then $Query(T_{f_{w_i}}, I) = 1$.

– If $f_{w_i}(W) = 0$, then $\Pr[Query(T_{f_{w_i}}, I) = 0] > 1 - \epsilon(\lambda)$, where $\epsilon$ is a negligible function.


3.2 Selective Single Challenge Security

Shen et al. gave the formal definitions of security for an SKPOE scheme in a game-based manner, which is referred to as selective single challenge security of plaintext privacy and predicate privacy [27].

Setup: The challenger $C$ runs Setup($1^\lambda$) and keeps $SK$ to itself. Then $A$ outputs two plaintexts $W^*_0$ and $W^*_1$ for the plaintext challenge and descriptions of two predicates $f_{w^*_0}$ and $f_{w^*_1}$ for the predicate challenge.

Query Phase 1: The adversary $A$ adaptively issues queries, where each query is of one of two types:

– Plaintext query. On the $i$-th plaintext query, $A$ outputs a bit $c = 0$ (indicating a plaintext query) and a plaintext $W_i$, subject to the restriction that $A$ cannot issue a plaintext query with both $W^*_0$ and $W^*_1$, and for all plaintext queries $W_i$, $Query(T_{f_{w^*_0}}, Encrypt(SK, W_i)) = Query(T_{f_{w^*_1}}, Encrypt(SK, W_i))$. The challenger responds with $Encrypt(SK, W_i)$.

– Predicate query. On the $i$-th predicate query, $A$ outputs a bit $c = 1$ (indicating a predicate query) and a description of a predicate $f_{w_i}$ for keyword $w_i$, subject to the restriction that $A$ cannot issue a predicate query with both $f_{w^*_0}$ and $f_{w^*_1}$, and for all predicate queries $f_{w_i}$, $Query(T_{f_{w_i}}, Encrypt(SK, W^*_0)) = Query(T_{f_{w_i}}, Encrypt(SK, W^*_1))$. The challenger responds with $TokenGen(SK, f_{w_i})$.

Challenge: A outputs a request for one of the following:

– Plaintext challenge. $A$ outputs a bit $c = 0$ (indicating a plaintext challenge). The challenger picks a random bit $b$ and responds with $Encrypt(SK, W^*_b)$.

– Predicate challenge. $A$ outputs a bit $c = 1$ (indicating a predicate challenge). The challenger picks a random bit $b$ and responds with $TokenGen(SK, f_{w^*_b})$.

Query Phase 2: $A$ adaptively issues queries as in Query Phase 1, subject to the same restrictions as in Query Phase 1.

Guess: $A$ outputs a guess $b'$ of $b$.

The advantage of $A$ is defined as $Adv_A = \left| \Pr[b' = b] - \tfrac{1}{2} \right|$.

Definition 3 (Plaintext Privacy). A symmetric-key predicate-only encryption scheme has plaintext privacy if, for all PPT adversaries $A$, the advantage of $A$ in winning the above game for a plaintext challenge is negligible in $\lambda$.

Definition 4 (Predicate Privacy). A symmetric-key predicate-only encryption scheme has predicate privacy if, for all PPT adversaries $A$, the advantage of $A$ in winning the above game for a predicate challenge is negligible in $\lambda$.


4 Efficient Symmetric Searchable Encryption

4.1 The Framework of ESSE

Let $\Pi = (Setup, Encrypt, TokenGen, Query)$ be an SKPOE scheme as defined above, and let $\Pi^* = (Initialize, KeyGen, Encrypt, TokenGen, Query)$ be an ESSE scheme consisting of the following probabilistic polynomial time (PPT) algorithms:

Initialize($W$) $\to W'$: Extends the original keyword set $W$ to $W'$, where $W \in \Sigma$.

KeyGen($1^\lambda$) $\to SK$: Takes as input a security parameter $1^\lambda$, runs Setup($1^\lambda$) and outputs a secret key $SK$.

Encrypt($W', SK$) $\to I'$: Takes the extended keyword set $W' = \{W_1, \dots, W_n\}$ and the symmetric key $SK$ as inputs, and outputs searchable encrypted indices $I' = (I'_1, \dots, I'_n)$, where $I'_i \leftarrow Encrypt(SK, W_i)$.

TokenGen($SK, f_{w_i}$) $\to T$: Takes the description of a predicate for queried keyword $w_i$ and the secret key $SK$ as inputs, and outputs a token $T_{f_{w_i}} \leftarrow TokenGen(SK, f_{w_i})$.

Query($T_{f_{w_i}}, I'$) $\to Enc(D_i)$ or $\bot$: Takes a token $T_{f_{w_i}}$ and the searchable encrypted indices $I' = \{I'_1, \dots, I'_n\}$ as inputs, and outputs the candidate set of encrypted documents $Enc(D_i)$ or $\bot$ by iteratively running $Query(T_{f_{w_i}}, I'_i)$ with binary search.

4.2 Query Correctness

The query correctness of an ESSE scheme can be defined as follows:

Definition 5 (Query Correctness). For all $\lambda$, all $W \in \Sigma$, and all $f_{w_i} \in F$, letting $W' \leftarrow Initialize(W)$, $SK \leftarrow KeyGen(1^\lambda)$, $I' \leftarrow Encrypt(W', SK)$, $T_{f_{w_i}} \leftarrow TokenGen(SK, f_{w_i})$, and Algorithm 1 being performed correctly,

– If $f_{w_i}(W) = 1$ then $Query(T_{f_{w_i}}, I') = Enc(D_i)$.

– If $f_{w_i}(W) = 0$ then $\Pr[Query(T_{f_{w_i}}, I') = \bot] > 1 - \epsilon'(\lambda)$, where $\epsilon'(\lambda)$ is a negligible function.

4.3 Security

Theorem 1. In the ESSE scheme $\Pi^*$, we have the following results.

(a) If the underlying SKPOE scheme $\Pi$ has plaintext privacy, then $\Pi^*$ has plaintext privacy.

(b) If the underlying SKPOE scheme $\Pi$ has predicate privacy, then $\Pi^*$ has predicate privacy.


Proof. We consider this theorem almost trivial, and therefore describe its proof only briefly. Suppose that there exists an adversary $A$ that can break $\Pi^*$. We then construct a PPT algorithm $B$ for breaking the plaintext privacy (or predicate privacy) of $\Pi$. $B$ takes $1^\lambda$ as input and plays the game between $A$ and the challenger $C$ by simulating the game of $\Pi^*$. Finally, $B$ uses the output $b' \in \{0, 1\}$ of $A$ to guess $b \in \{0, 1\}$. Therefore, we have $Adv_{B,\Pi}(\lambda) = Adv_{A,\Pi^*}(\lambda)$.

5 A General Construction with SKPOE

In this section, we construct an ESSE scheme (named ESSE-1) from the SKPOE scheme of [27] supporting inner product queries, where the class of plaintexts is $\Sigma = \mathbb{Z}_N^n$ and the class of predicates is $F = \{f_y \mid y \in \mathbb{Z}_N^n\}$ with $f_y(x) = 1$ iff $\langle x, y \rangle = 0 \bmod N$. We show how to achieve efficient search with this kind of inner product in a general way.

Let $\Pi_1 = (Setup, Encrypt, TokenGen, Query)$ be an SKPOE scheme as defined in Section 3.1 and $\Pi^*_1 = (Initialize, KeyGen, Encrypt, TokenGen, Query)$ be an ESSE scheme as defined in Section 4.1. We now describe our general construction.

Initialize($W$) $\to W'$. This algorithm extends the original keyword set $W = \{w_1, w_2, \dots, w_n\}$ to the extended keyword set $W' = \{(w_1, *, \dots, *), (w_1, w_2, *, \dots, *), \dots, (w_1, w_2, \dots, w_n)\}$, while the corresponding sets of documents remain unchanged. Let $W_i = (w_1, w_2, \dots, w_i, *, \dots, *)$ denote the $i$-th element of $W'$. For each $W_i$ ($i = 1, 2, \dots, n$) and for $j = 1$ to $n$, the $j$-th component of $W_i$ is set to $w_j$ if $j \le i$, and to $*$ otherwise. Therefore, $W'$ is an ordered set with $n$ elements, which can easily support binary search, and each element in it is an $n$-dimensional sequence.

KeyGen($1^\lambda$) $\to SK$. The algorithm runs Setup($1^\lambda$) to obtain the secret key $SK$.

Encrypt($W', SK$) $\to I'$. For each $W_i \in W'$, let $x_i = (x_i[1], \dots, x_i[n]) = (0, \dots, 0, x_i[i+1], \dots, x_i[n])$, where $x_i[j]$ denotes the $j$-th element of the vector $x_i$ and $x_i[j] \leftarrow_R \mathbb{Z}_N$ for $i + 1 \le j \le n$. The algorithm runs $Encrypt(SK, x_i)$ and outputs the ciphertext $I'_i$. Finally, the algorithm outputs the encrypted index $I' = \{I'_1, I'_2, \dots, I'_n\}$.

TokenGen($w_i, SK$) $\to T$. For keyword $w_i$, let $y = (y_i[1], \dots, y_i[n]) = (y_i[1], \dots, y_i[i], 0, \dots, 0)$, where $y_i[j] \leftarrow_R \mathbb{Z}_N$ for $1 \le j \le i$. The algorithm runs $TokenGen(SK, y)$ and outputs the token $T$.

Query($T, I'$) $\to Enc(D_i)$ or $\bot$. The algorithm performs the binary search of Algorithm 1. In each round of the search, it runs $Query(T, I'_i)$, which outputs 0 or 1. Once the binary search has finished, the algorithm outputs the corresponding encrypted document set $Enc(D_i)$ or $\bot$ for "Not found".


Query Correctness. The correctness of each round is analyzed in [27]. The conditions of correctness boil down to the following three cases. If $\langle x, y\rangle = 0 \bmod N$, then the validation expression evaluates to 1. If $\langle x, y\rangle \ne 0 \bmod N$, then the validation expression evaluates to 1 only with negligible probability. If $\langle x, y\rangle \ne 0 \bmod q$ (where $q$ is a prime factor of the composite order $N$), then the validation expression fails to evaluate to 1 with all but negligible probability.

In our construction, we set $x_j = (0, \dots, 0, x_j[j+1], \dots, x_j[n])$ for $j = 1, \dots, n$ and $y = (y_i[1], \dots, y_i[i], 0, \dots, 0)$ for a query of $w_i$. The two vectors have overlapping nonzero entries only at positions $k$ with $j < k \le i$. Hence, for $j = 1, \dots, n$: if $j \ge i$, then $\langle x_j, y\rangle = 0$; if $j < i$, then $\langle x_j, y\rangle \ne 0$ with all but negligible probability. The predicate is therefore monotone in $j$ (it fails on $I'_1, \dots, I'_{i-1}$ and holds on $I'_i, \dots, I'_n$), and the smallest $j$ on which it holds is exactly $i$, which is what the binary search locates. Therefore the above scheme $\Pi_1^*$ correctly supports the "exact match" query and the binary search.

From the above analysis we conclude that, according to Definition 2 and Definition 5, $\Pi_1^*$ satisfies query correctness.
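The construction and correctness argument above, as an added plaintext-level model that is not code from the paper: the SKPOE scheme is not implemented, the vectors $x_j$ and $y$ that ESSE-1 would hand to Encrypt and TokenGen are kept in the clear, and each round evaluates the inner-product predicate directly, so only the extended keyword set, the index and token layout, and the binary search are exercised. The modulus N, the sample keyword list and the binary search routine (Algorithm 1 is not reproduced on this page; a standard first-match search is used) are assumptions of the example.

```python
"""Plaintext-level model of the ESSE-1 index, token and binary search (Section 5).

Added example, not the paper's code. The SKPOE scheme is NOT implemented: sub-index
ciphertexts and tokens are replaced by the vectors x_j and y that ESSE-1 would hand
to Encrypt(SK, x_j) and TokenGen(SK, y), and query_one() evaluates the predicate
f_y(x) = 1 iff <x, y> = 0 (mod N) directly. Positions are 1-based in the paper and
0-based in the lists below.
"""
import secrets

N = (1 << 61) - 1   # stand-in modulus (assumption: the structure does not depend on N)


def initialize(keywords):
    """Initialize(W) -> W': the i-th extended keyword is (w_1, ..., w_i, *, ..., *)."""
    n = len(keywords)
    return [tuple(keywords[:i]) + ("*",) * (n - i) for i in range(1, n + 1)]


def encrypt_index(n):
    """Encrypt(W', SK) -> I': for W_j the vector x_j = (0, ..., 0, x_j[j+1], ..., x_j[n])
    has zeros in positions 1..j and uniformly random entries afterwards."""
    return [[0] * j + [secrets.randbelow(N) for _ in range(n - j)] for j in range(1, n + 1)]


def token_gen(n, i):
    """TokenGen(w_i, SK) -> y = (y[1], ..., y[i], 0, ..., 0), random in positions 1..i."""
    return [secrets.randbelow(N) for _ in range(i)] + [0] * (n - i)


def query_one(token, x):
    """One round: Query(T, I'_j) = 1 iff <x_j, y> = 0 mod N (the SKPOE predicate, in the clear)."""
    return int(sum(a * b for a, b in zip(x, token)) % N == 0)


def match_pattern(token, index):
    """Evaluate the round predicate on every sub-index; the correctness argument says the
    result is 0 for j < i and 1 for j >= i (except with negligible probability)."""
    return [query_one(token, x) for x in index]


def query(token, index):
    """Query(T, I'): binary search for the first sub-index on which the predicate holds.
    The predicate is monotone in j (0...0 1...1), so the first 1 is the position i of the
    queried keyword. Returns the 1-based position, or None for 'not found' (the paper's ⊥)."""
    lo, hi = 0, len(index)              # invariant: the answer, if any, lies in [lo, hi)
    while lo < hi:
        mid = (lo + hi) // 2
        if query_one(token, index[mid]):
            hi = mid                    # match: W_mid contains w_i, so look left for the first
        else:
            lo = mid + 1                # no match: W_mid and everything before it fail
    return lo + 1 if lo < len(index) else None


def search(keywords, enc_docs, index, w):
    """Client plus server round trip: build the token for w and return Enc(D_i) or None."""
    i = keywords.index(w) + 1           # the client knows the keyword's position in W
    pos = query(token_gen(len(keywords), i), index)
    return None if pos is None else enc_docs[pos - 1]


if __name__ == "__main__":
    kws = ["alpha", "beta", "gamma", "delta", "epsilon"]          # constructed sample
    docs = [f"Enc(D_{k})" for k in range(1, 6)]                     # placeholders for Enc(D_i)
    print(initialize(kws))
    idx = encrypt_index(len(kws))
    print(match_pattern(token_gen(5, 3), idx))                      # [0, 0, 1, 1, 1]
    print(search(kws, docs, idx, "gamma"))                          # Enc(D_3)
```

The point of the model is the shape of `match_pattern`: because $W_j$ contains $w_i$ exactly when $j \ge i$, the per-round answers form a monotone 0...0 1...1 sequence over the ordered index, which is the property the binary search needs; a linear search would evaluate all $n$ sub-indices instead of $\lceil \log_2 n \rceil$ of them.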

Security. Under the generalized Assumption 1 of the KSW construction [22], the generalized C3DH assumption, and the Decisional Linear assumption, the scheme $\Pi_1$ has both plaintext privacy and predicate privacy [27]. According to Definitions 3 and 4 and Theorem 1, we have the following theorem.

Theorem 2. Under the generalized Assumption 1 of the KSW construction [22], the generalized C3DH assumption, the Decisional Linear assumption, and Theorem 1, $\Pi_1^*$ has both plaintext privacy and predicate privacy.

6 A Concrete Construction Based on d-Linear Assumption

The SKPOE scheme in [27] is constructed over groups of composite order, which makes the scheme complicated and incurs high computation overhead. Inspired by [12], in this section we present a concrete ESSE scheme (named ESSE-2) over groups of prime order. This scheme has low computation complexity, and its security is based on the d-Linear assumption.

6.1 The d-Linear Assumption

The d-Linear assumption [19, 26] is a generalization of the Decision Diffie-Hellman assumption that may hold even in groups with an efficiently computable d-linear map. The 1-Linear assumption is DDH, while the 2-Linear assumption is also known as the Decision Linear assumption [10]. The assumption is as follows:

Definition 6. Let $d \ge 1$ be an integer, and let $G$ be a finite cyclic group of order $q$. We say the d-Linear assumption holds in $G$ if the distributions
$$\{(g_1, \dots, g_d, g_1^{r_1}, \dots, g_d^{r_d}, g, g^{r_1 + \dots + r_d}) : g_1, \dots, g_d \xleftarrow{R} G,\ r_1, \dots, r_d \xleftarrow{R} \mathbb{Z}_q\}$$
and
$$\{(g_1, \dots, g_d, g_1^{r_1}, \dots, g_d^{r_d}, g, g^{s}) : g_1, \dots, g_d \xleftarrow{R} G,\ r_1, \dots, r_d, s \xleftarrow{R} \mathbb{Z}_q\}$$
are computationally indistinguishable.


Theorem 3. For any $d \ge 1$, the d-Linear assumption implies the $(d+1)$-Linear assumption [19].

We also stress that if the underlying group $G$ is equipped with a bilinear map, the security of the scheme must rest on the d-Linear assumption for $d \ge 2$, since the 1-Linear assumption, i.e. DDH, cannot hold in such a group.

6.2 The Construction

Let GroupGen be a probabilistic polynomial-time algorithm that takes as input a security parameter $1^\lambda$ and outputs a triple $(G, q, g)$, where $G$ is a group of prime order $q$ generated by $g \in G$, and $q$ is a $\lambda$-bit prime. Let $G_T$ be a (different) group of order $q$. A bilinear map $e : G \times G \to G_T$ has the following properties.

1. Bilinearity: for all $g_1, g_2 \in G$ and $a, b \in \mathbb{Z}$ it holds that $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$;
2. Non-degeneracy: $e(g, g) \ne 1$;
3. It follows that $g_T \stackrel{\mathrm{def}}{=} e(g, g)$ generates $G_T$.

To describe our second scheme we overload the notation $g^X$ to matrices: for $X \in \mathbb{Z}_q^{n \times n}$, let $g^X \in G^{n \times n}$ denote the matrix defined by $(g^X)_{i,j} = g^{X_{i,j}}$ for $1 \le i, j \le n$. For a vector $\beta$, let $g^{X \cdot \beta^T}$ denote the vector $(g^{X_{1,1}\beta_1 + \dots + X_{1,n}\beta_n}, \dots, g^{X_{n,1}\beta_1 + \dots + X_{n,n}\beta_n})$ and $g^{\beta \cdot X}$ the vector $(g^{\beta_1 X_{1,1} + \dots + \beta_n X_{n,1}}, \dots, g^{\beta_1 X_{1,n} + \dots + \beta_n X_{n,n}})$. For two such vectors $g^{u} = (g^{u_1}, \dots, g^{u_n})$ and $g^{v} = (g^{v_1}, \dots, g^{v_n})$ we write $e(g^{u}, g^{v})$ for the componentwise product of pairings $\prod_{k=1}^{n} e(g^{u_k}, g^{v_k}) = e(g, g)^{\langle u, v\rangle}$; this is the form in which the pairing is used in Equation (1) below. The scheme is parameterized by the security parameter $\lambda$ and the message length $n = n(\lambda)$.

Let $\Pi_2^* = $ (Initialize', KeyGen', Encrypt', TokenGen', Query') be our second ESSE scheme. The detailed construction of each algorithm is as follows.

Initialize'($W$) $\to W'$. The Initialize' algorithm is the same as the Initialize algorithm in $\Pi_1^*$.

KeyGen'($1^\lambda$) $\to$ SK. The algorithm samples $(G, q, g) \leftarrow$ GroupGen($1^\lambda$), an $(n+1)$-bit vector $S \xleftarrow{R} \{0, 1\}^{n+1}$ satisfying $S \ne (0, \dots, 0)$, two matrices $M_1, M_2 \xleftarrow{R} \mathbb{Z}_q^{(n+1) \times (n+1)}$, and a vector $\rho \xleftarrow{R} \mathbb{Z}_q^n$. It then sets SK $= (S, \rho, M_1, M_2, M_1^{-1}, M_2^{-1})$ as the secret key. Note that $M_1, M_2$ are invertible with all but negligible probability (a singular sample can simply be rejected and redrawn).

Encrypt'($W'$, SK) $\to I'$. For each $W_i$ ($1 \le i \le n$), the algorithm encrypts it with the secret key SK and outputs the encrypted sub-index $I'_i$ as follows.

1. Generate an $n$-dimensional vector $p_i$ as follows. For $1 \le j \le n$,
– if $j \le i$, set $p_i[j] = \rho[j]$;
– otherwise, set $p_i[j] = x_{i,j} \xleftarrow{R} \mathbb{Z}_q$.

2. Extend $p_i$ to an $(n+1)$-dimensional vector $\hat p_i$ by setting $\hat p_i[n+1] = 1$.

3. Split $\hat p_i$ into two vectors $\hat p'_i$ and $\hat p''_i$ with the splitting indicator $S$ as follows. For $1 \le j \le n+1$,
– if $S[j] = 0$, set $\hat p'_i[j] = \hat p''_i[j] = \hat p_i[j]$;
– if $S[j] = 1$, set $\hat p'_i[j]$ and $\hat p''_i[j]$ such that $\hat p'_i[j] + \hat p''_i[j] = \hat p_i[j]$ (e.g. one of them chosen at random).

4. Encrypt these two vectors as $I'_i = (g^{\hat p'_i M_1}, g^{\hat p''_i M_2}) = (I'_{i,1}, I'_{i,2})$ for $W_i$.

Finally, the algorithm outputs the encrypted index $I' = \{I'_1, I'_2, \dots, I'_n\}$.

TokenGen'($w_i$, SK) $\to T$. With the query keyword $w_i$, the algorithm creates the token $T$ as follows.

1. Generate an $n$-dimensional query vector $t$ as follows. For $1 \le j \le n$,
– if $j = i$, set $t[j] = r \xleftarrow{R} \mathbb{Z}_q$;
– otherwise, set $t[j] = 0$.

2. Extend $t$ to an $(n+1)$-dimensional vector $\hat t$ by setting $\hat t[n+1] = a \xleftarrow{R} \mathbb{Z}_q$.

3. Split $\hat t$ into two vectors $\hat t'$ and $\hat t''$ with the splitting indicator $S$ as follows. For $1 \le j \le n+1$,
– if $S[j] = 1$, set $\hat t'[j] = \hat t''[j] = \hat t[j]$;
– if $S[j] = 0$, set $\hat t'[j]$ and $\hat t''[j]$ such that $\hat t'[j] + \hat t''[j] = \hat t[j]$.
Note that the roles of $S[j] = 0$ and $S[j] = 1$ are swapped relative to Encrypt'; this is what guarantees $\hat p'_i \cdot \hat t' + \hat p''_i \cdot \hat t'' = \hat p_i \cdot \hat t$ position by position.

4. Encrypt these two vectors as $T = (g^{M_1^{-1} \hat t'^T}, g^{M_2^{-1} \hat t''^T}, g^{\langle \rho, t\rangle + a}) = (T_1, T_2, T_3)$ for the query $w_i$.

Query'($T$, $I'$) $\to$ Enc($D_i$) or $\bot$. With the token $T$, the server performs the binary search of Algorithm 1. In each round of the search it checks whether Equation (1) holds for the sub-index $I'_i$ under examination:
$$e(I'_{i,1}, T_1) \cdot e(I'_{i,2}, T_2) = e(g, T_3) \qquad (1)$$

6.3 Query Correctness

Theorem 4. If each algorithm is performed correctly, our second ESSE scheme $\Pi_2^*$ satisfies query correctness as defined in Definition 5.

Proof. The data owner runs the Initialize' algorithm and generates an extended keyword set $W'$ with $n$ different keywords. Then he/she calls the KeyGen' algorithm to create the secret key SK $= (S, \rho, M_1, M_2, M_1^{-1}, M_2^{-1})$, where $\rho = (\rho[1], \dots, \rho[n]) \in \mathbb{Z}_q^n$ and $S = (S[1], \dots, S[n+1]) \in \{0, 1\}^{n+1}$. Finally, the data owner runs the Encrypt' algorithm to encrypt every $W_i$ and build the index $I'$ correctly. To simplify the formulation, we assume that the odd-indexed elements of $S$ are set to 1, the even-indexed elements of $S$ are set to 0, and all the sequence numbers $n, i, u, v$ are even. The same result can be deduced when any one or more of them is odd.

A data user who has the secret key SK runs TokenGen' to generate a token $T_i = (g^{M_1^{-1} \hat t'^T}, g^{M_2^{-1} \hat t''^T}, g^{\langle \rho, t\rangle + a})$ for keyword $w_i$ ($i \le n$). Under the above assumption on $S$, the two split vectors agree with $\hat t$ at the odd positions (where $S[j] = 1$) and form an additive sharing of $\hat t$ at the even positions (where $S[j] = 0$), i.e. $\hat t' = (0, t'[2], 0, t'[4], \dots, r, \dots, 0, t'[n], a)$ and $\hat t'' = (0, -t'[2], 0, -t'[4], \dots, r - r, \dots, 0, -t'[n], a)$, with $r$ and $r - r = 0$ at position $i$ and the $t'[j]$ for even $j \ne i$ chosen at random. Then the data user sends the token to the cloud server. The cloud server performs the Query' algorithm and returns the result to the data user.

We analyze the correctness of each round in two cases: 1) a sub-index $I'_u$ ($u \ge i$) contains $w_i$, so Equation (1) should hold; 2) a sub-index $I'_v$ ($v < i$) does not contain $w_i$, so Equation (1) should not hold.

1. In the first case, the vector is $\hat p_u = (\rho[1], \dots, \rho[i], \dots, \rho[u], x_{u,u+1}, \dots, x_{u,n}, 1)$, where $x_{u,u+1}, \dots, x_{u,n} \xleftarrow{R} \mathbb{Z}_q$. According to the splitting indicator $S$, the two split vectors $\hat p'_u$ and $\hat p''_u$ agree with $\hat p_u$ at the even positions (where $S[j] = 0$) and satisfy $\hat p'_u[j] + \hat p''_u[j] = \hat p_u[j]$ at the odd positions (where $S[j] = 1$), e.g. $\hat p'_u = (\rho[1], \dots, \rho[i], \dots, \rho[u], x_{u,u+1}, \dots, x_{u,n}, x_{u,n+1})$ and $\hat p''_u = (\rho[1] - \rho[1], \dots, \rho[i], \dots, \rho[u], x_{u,u+1} - x_{u,u+1}, \dots, x_{u,n}, 1 - x_{u,n+1})$. Equation (1) can be checked as follows.
$$e(I'_{u,1}, T_1) \cdot e(I'_{u,2}, T_2) = e(g^{\hat p'_u M_1}, g^{M_1^{-1} \hat t'^T}) \cdot e(g^{\hat p''_u M_2}, g^{M_2^{-1} \hat t''^T}) = e(g, g)^{\hat p'_u \hat t'^T + \hat p''_u \hat t''^T} = e(g, g)^{\rho[i] r + a} \qquad (2)$$
$$e(g, T_3) = e(g, g^{\sum_{j=1}^{n} \rho[j] t[j] + a}) = e(g, g)^{\sum_{j=1}^{n} \rho[j] t[j] + a} = e(g, g)^{\rho[i] r + a} \qquad (3)$$
From Equations (2) and (3), Equation (1) holds.

2. In the second case, the vector is $\hat p_v = (\rho[1], \dots, \rho[v], x_{v,v+1}, \dots, x_{v,i}, \dots, x_{v,n}, 1)$, where $x_{v,v+1}, \dots, x_{v,i}, \dots, x_{v,n} \xleftarrow{R} \mathbb{Z}_q$, and the two split vectors $\hat p'_v$ and $\hat p''_v$ are formed from $\hat p_v$ according to the splitting indicator $S$ exactly as in the first case. Equation (1) can be checked as follows.
$$e(I'_{v,1}, T_1) \cdot e(I'_{v,2}, T_2) = e(g^{\hat p'_v M_1}, g^{M_1^{-1} \hat t'^T}) \cdot e(g^{\hat p''_v M_2}, g^{M_2^{-1} \hat t''^T}) = e(g, g)^{\hat p'_v \hat t'^T + \hat p''_v \hat t''^T} = e(g, g)^{x_{v,i} r + a} \qquad (4)$$
From Equations (3) and (4), Equation (1) holds if and only if $x_{v,i} = \rho[i]$. Since $x_{v,i}$ is chosen uniformly at random from $\mathbb{Z}_q$, the probability that the equation holds is $1/q$, which is negligible for a large prime $q$.

Since every validation in the binary search is an independent event, for a query $T$ formed from a keyword $w_i$ that is not contained in the keyword set $W$, the maximum probability that Query'($T$, $I'$) outputs an encrypted document set is $(q - 1)/q^2$. Therefore the probability that Query'($T$, $I'$) correctly outputs $\bot$, meaning that the server finds no sub-index $I'_j$ ($1 \le j \le n$) containing the queried keyword $w_i$ when it completes the binary search, is greater than or equal to $1 - (q - 1)/q^2$.

6.4 Security

This section describes a sequence of hybrid security games proving that our second scheme satisfies both plaintext privacy and predicate privacy.


Proof Intuition. We first describe the main ideas underlying the plaintext privacy and predicate privacy of this scheme. For simplicity, we argue that an encryption of a message (in this scheme, the message to be encrypted is a vector sampled from the distribution ensemble over $\mathbb{Z}_q^n$) is computationally indistinguishable from $g^{\alpha}$ for a uniformly chosen vector $\alpha$. More specifically, we prove that $(I'_{i,1}, I'_{i,2}) \stackrel{c}{\approx} (g^{\nu}, g^{\kappa})$ and $(T_1, T_2, T_3) \stackrel{c}{\approx} (g^{\tau}, g^{\sigma}, T_3)$ under the d-Linear assumption, where $\nu, \kappa, \tau, \sigma$ are uniformly chosen vectors over $\mathbb{Z}_q$.

Plaintext Privacy. A security game for selective security offers the adversary a choice of predicates or plaintexts as challenges and gives the adversary a number of ciphertexts and tokens. To prove plaintext privacy, we restrict the adversary to challenging on plaintexts only.

Theorem 5. Under the d-Linear assumption, our second ESSE scheme $\Pi_2^*$ has plaintext privacy.

Proof. Let $(g^{\hat p'_{0*} M_1}, g^{\hat p''_{0*} M_2})$ and $(g^{\hat p'_{1*} M_1}, g^{\hat p''_{1*} M_2})$ denote the ciphertexts of the pair of challenge plaintexts $(W_0^*, W_1^*)$. To prove that ESSE-2 has plaintext privacy, we use a sequence of hybrid games in which all ciphertexts and tokens are generated properly in the query phases and only the challenge ciphertext is defined differently, as follows.

Scheme 0: $I' = (g^{\hat p'_{0*} M_1}, g^{\hat p''_{0*} M_2})$

Scheme 1: $I' = (g^{\nu}, g^{\hat p''_{0*} M_2})$

Scheme 2: $I' = (g^{\hat p'_{1*} M_1}, g^{\hat p''_{0*} M_2})$

Scheme 3: $I' = (g^{\hat p'_{1*} M_1}, g^{\kappa})$

Scheme 4: $I' = (g^{\hat p'_{1*} M_1}, g^{\hat p''_{1*} M_2})$

We prove indistinguishability between Schemes 0 and 1, Schemes 1 and 2, Schemes 2 and 3, and Schemes 3 and 4 under the d-Linear assumption.

Lemma 1. Scheme 0 and Scheme 1 are computationally indistinguishable under the d-Linear assumption.

Lemma 2. Scheme 1 and Scheme 2 are computationally indistinguishable under the d-Linear assumption.

Lemma 3. Scheme 2 and Scheme 4 are computationally indistinguishable under the d-Linear assumption.

We describe the details of Lemmas 1, 2 and 3 in Appendix A. According to the above lemmas, the adversary $\mathcal{A}$ cannot distinguish Scheme 0 from Scheme 4, which are generated from the challenge plaintexts $W_0^*$ and $W_1^*$ respectively.

Predicate Privacy

Theorem 6. Under the d-Linear assumption, our second ESSE scheme $\Pi_2^*$ has predicate privacy.


Proof. Let $(g^{M_1^{-1} \hat t'^T_{0*}}, g^{M_2^{-1} \hat t''^T_{0*}}, g^{\langle \rho, t\rangle + a})$ and $(g^{M_1^{-1} \hat t'^T_{1*}}, g^{M_2^{-1} \hat t''^T_{1*}}, g^{\langle \rho, t\rangle + a})$ denote the tokens generated for the pair of challenge predicates $(f_{w_0^*}, f_{w_1^*})$. To prove that ESSE-2 has predicate privacy, we use a sequence of hybrid games in which all ciphertexts and tokens are generated properly in the query phases and only the challenge token is defined differently, as follows.

Scheme 0': $T = (g^{M_1^{-1} \hat t'^T_{0*}}, g^{M_2^{-1} \hat t''^T_{0*}}, g^{\langle \rho, t\rangle + a})$

Scheme 1': $T = (g^{\tau}, g^{M_2^{-1} \hat t''^T_{0*}}, g^{\langle \rho, t\rangle + a})$

Scheme 2': $T = (g^{M_1^{-1} \hat t'^T_{1*}}, g^{M_2^{-1} \hat t''^T_{0*}}, g^{\langle \rho, t\rangle + a})$

Scheme 3': $T = (g^{M_1^{-1} \hat t'^T_{1*}}, g^{\sigma}, g^{\langle \rho, t\rangle + a})$

Scheme 4': $T = (g^{M_1^{-1} \hat t'^T_{1*}}, g^{M_2^{-1} \hat t''^T_{1*}}, g^{\langle \rho, t\rangle + a})$

We prove indistinguishability between Schemes 0' and 1', Schemes 1' and 2', Schemes 2' and 3', and Schemes 3' and 4' under the d-Linear assumption.

Lemma 4. Scheme 0' and Scheme 1' are computationally indistinguishable under the d-Linear assumption.

Lemma 5. Scheme 1' and Scheme 2' are computationally indistinguishable under the d-Linear assumption.

Lemma 6. Scheme 2' and Scheme 4' are computationally indistinguishable under the d-Linear assumption.

We describe the details of Lemmas 4-6 in Appendix B. According to the above lemmas, the adversary $\mathcal{A}$ cannot distinguish Scheme 0' from Scheme 4', which are generated from the challenge predicates $f_{w_0^*}$ and $f_{w_1^*}$ respectively.

7 Performance

In this section, we show the advantages of our ESSE schemes through complexity analysis and experimental results.

7.1 Complexity Analysis and Comparison

For time complexity, our ESSE schemes use binary search, which greatly reduces the query time on the server side. Specifically, an ESSE scheme is able to search in time logarithmic in the size of the encrypted index (see Table 1). We analyze time complexity on two sides: the client side and the server side.

On the client side, the computation time complexity of both the SKPOE scheme and ESSE-1 ($\Pi_1^*$) for generating the ciphertexts of the indices and a token for a queried keyword is $O(n)$. On the server side, the computation time complexity of ESSE-1 for performing the Query algorithm is $O(n \log n)$, whereas the computation time complexity of the SKPOE scheme for performing the Query algorithm is $O(n^2)$. However, due to the introduction of the matrices in the encryption calculation, the time complexities of the Encrypt and TokenGen algorithms of ESSE-2 are $O(n^3)$ and $O(n^2)$ respectively, which are higher than those of ESSE-1.

The space complexity of the index size of SKPOE, ESSE-1 and ESSE-2 is $O(n^2)$ in all three cases. However, because of the matrices, the key size of ESSE-2 is $O(n^2)$, whereas the key sizes of ESSE-1 and SKPOE are both $O(n)$.

Table 2. Experimental Setup

Hardware/Software: Components
Processor: Intel(R) Core(TM) i7-3520M CPU @ 2.90GHz
Memory: 3537MB
Operating system: Ubuntu 12.10
Programming language/Library: C++/PBC

7.2 Experimental Evaluation

We implement our second scheme ESSE-2 to evaluate the efficiency of an ESSE scheme supporting binary search. Table 2 summarizes the hardware and software used in our experiments. Each experiment was run 100 times and the results averaged. Matrix inversion in the KeyGen' algorithm of ESSE-2 is known to be time-consuming, but it can be pre-computed on the client. An important parameter for measuring the efficiency of an ESSE scheme is the time of the query operation, since in the data-outsourcing setting the response time of the cloud server performing queries on the encrypted data decides whether users will continue to use this kind of service.

Fig. 2 shows the experimental results for ESSE-2. Fig. 2(a) shows the time consumed by a client running the Encrypt and TokenGen algorithms. Although the time spent on encryption is much larger than the time spent on token generation, it is acceptable, because encryption is required only once in the entire indexing and query process. Fig. 2(b) shows the time consumed by the server performing a query with both normal (linear) search and binary search over the encrypted indices. Clearly, as the number of keywords $n$ increases, binary search becomes far more efficient than the linear search method.

8 Conclusions

We have put forward probabilistic searchable symmetric encryption schemes whose query time is logarithmic in the size of the encrypted index.

[Fig. 2. Time consumption of ESSE-2. (a) Time consumption of encryption and token generation: time [s] against number of keywords, curves Encrypt and TokenGen. (b) Time consumption of normal search and binary search: time [s] against number of keywords, curves Query-NormalSearch and Query-BinarySearch. The plotted values are not recoverable from the text.]

Firstly, we have presented the idea of constructing a searchable symmetric encryption scheme that is capable of supporting binary search. Then we have given a new framework for ESSE and its security definition, showing that an ESSE scheme has both plaintext privacy and predicate privacy if the underlying symmetric-key predicate-only encryption scheme has both plaintext privacy and predicate privacy. Next, we have proposed a general construction from an SKPOE scheme supporting inner product queries, where the class of predicates is $\mathcal{F} = \{f_y \mid y \in \Sigma\}$ with $f_y(x) = 1$ iff $\langle x, y\rangle = 0$. Thirdly, we have proposed a concrete construction over groups of prime order, which achieves both plaintext privacy and predicate privacy under the d-Linear assumption. Lastly, we have shown analytically and experimentally that ESSE schemes are more efficient for queries on encrypted indices in the cloud environment.

This efficient search method is inherently impossible in the public-key setting, since it reveals information about the keyword structure. In the future we might wish to consider the realization of efficient searchable encryption schemes based on partial public-key encryption, in which a public key allows a user to generate only a subset of the valid ciphertexts.

Acknowledgments. The first author acknowledges the support from grants under the China Postdoctoral Science Foundation (No. 2012M510567) and the "Strategic Priority Research Program" of the Chinese Academy of Sciences (No. XDA06010701). The second author acknowledges the support from grants under the National Natural Science Foundation of China (No. 61170280) and IIE's Cryptography Research Project. The third author acknowledges the partial support from grants under the NSF NetSE program, the SaTC program and a grant from the Intel Science and Technology Center on Cloud Computing.

References

[1] Abdalla M, Bellare M, Catalano D, Kiltz E, Kohno T, Lange T, Malone-Lee J, Neven G, Paillier P, Shi H (2005) Searchable encryption revisited: Consistency properties, relation to anonymous IBE, and extensions. In: Shoup V (ed) Advances in Cryptology - CRYPTO 2005, Lecture Notes in Computer Science, vol 3621, Springer Berlin Heidelberg, pp 205–222

[2] Agrawal R, Kiernan J, Srikant R, Xu Y (2004) Order preserving encryption for numeric data. In: Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data, ACM, New York, NY, USA, SIGMOD '04, pp 563–574

[3] Bellare M, Boldyreva A, O'Neill A (2007) Deterministic and efficiently searchable encryption. In: Menezes A (ed) Advances in Cryptology - CRYPTO 2007, Lecture Notes in Computer Science, vol 4622, Springer Berlin Heidelberg, pp 535–552

[4] Bellare M, Fischlin M, O'Neill A, Ristenpart T (2008) Deterministic encryption: Definitional equivalences and constructions without random oracles. In: Wagner D (ed) Advances in Cryptology - CRYPTO 2008, Lecture Notes in Computer Science, vol 5157, Springer Berlin Heidelberg, pp 360–378

[5] Blundo C, Iovino V, Persiano G (2010) Predicate encryption with partial public keys. In: Heng SH, Wright R, Goi BM (eds) Cryptology and Network Security, Lecture Notes in Computer Science, vol 6467, Springer Berlin Heidelberg, pp 298–313

[6] Boldyreva A, Fehr S, O'Neill A (2008) On notions of security for deterministic encryption, and efficient constructions without random oracles. In: Wagner D (ed) Advances in Cryptology - CRYPTO 2008, Lecture Notes in Computer Science, vol 5157, Springer Berlin Heidelberg, pp 335–359

[7] Boldyreva A, Chenette N, Lee Y, O'Neill A (2009) Order-preserving symmetric encryption. In: Proceedings of the 28th Annual International Conference on Advances in Cryptology: the Theory and Applications of Cryptographic Techniques, Springer-Verlag, Berlin, Heidelberg, EUROCRYPT '09, pp 224–241

[8] Boldyreva A, Chenette N, O'Neill A (2011) Order-preserving encryption revisited: Improved security analysis and alternative solutions. In: Rogaway P (ed) Advances in Cryptology - CRYPTO 2011, Lecture Notes in Computer Science, vol 6841, Springer Berlin Heidelberg, pp 578–595

[9] Boneh D, Waters B (2007) Conjunctive, subset, and range queries on encrypted data. In: Proceedings of the 4th Conference on Theory of Cryptography, Springer-Verlag, Berlin, Heidelberg, TCC '07, pp 535–554

[10] Boneh D, Boyen X, Shacham H (2004) Short group signatures. In: Advances in Cryptology - CRYPTO 2004, Lecture Notes in Computer Science, vol 3152, Springer-Verlag, Berlin, pp 41–55, available at http://www.cs.stanford.edu/~xb/crypto04a/

[11] Boneh D, Crescenzo G, Ostrovsky R, Persiano G (2004) Public key encryption with keyword search. In: Cachin C, Camenisch J (eds) Advances in Cryptology - EUROCRYPT 2004, Lecture Notes in Computer Science, vol 3027, Springer Berlin Heidelberg, pp 506–522

[12] Cao N, Yang Z, Wang C, Ren K, Lou W (2011) Privacy-preserving query over encrypted graph-structured data in cloud computing. In: ICDCS '11, pp 393–402

[13] Cash D, Jarecki S, Jutla C, Krawczyk H, Rosu M, Steiner M (2013) Highly-scalable searchable symmetric encryption with support for boolean queries. Cryptology ePrint Archive, Report 2013/169, http://eprint.iacr.org/

[14] Chang YC, Mitzenmacher M (2005) Privacy preserving keyword searches on remote encrypted data. In: Proceedings of the Third International Conference on Applied Cryptography and Network Security, Springer-Verlag, Berlin, Heidelberg, ACNS '05, pp 442–455

[15] Curtmola R, Garay J, Kamara S, Ostrovsky R (2006) Searchable symmetric encryption: improved definitions and efficient constructions. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, ACM, New York, NY, USA, CCS '06, pp 79–88

[16] Fuller B, O'Neill A, Reyzin L (2012) A unified approach to deterministic encryption: New constructions and a connection to computational entropy. Cryptology ePrint Archive, Report 2012/005, URL http://eprint.iacr.org/

[17] Goh EJ (2003) Secure indexes. Cryptology ePrint Archive, Report 2003/216, URL http://eprint.iacr.org/2003/216/

[18] Goldreich O, Ostrovsky R (1996) Software protection and simulation on oblivious RAMs. J ACM 43(3):431–473

[19] Hofheinz D, Kiltz E (2007) Secure hybrid encryption from weakened key encapsulation. In: Menezes A (ed) Advances in Cryptology - CRYPTO 2007, Lecture Notes in Computer Science, vol 4622, Springer Berlin Heidelberg, pp 553–571

[20] Islam MS, Kuzu M, Kantarcioglu M (2012) Access pattern disclosure on searchable encryption: Ramification, attack and mitigation. In: Network and Distributed System Security Symposium - NDSS 2012

[21] Kamara S, Papamanthou C, Roeder T (2012) Dynamic searchable symmetric encryption. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, ACM, New York, NY, USA, CCS '12, pp 965–976

[22] Katz J, Sahai A, Waters B (2008) Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Proceedings of the 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Springer-Verlag, Berlin, Heidelberg, EUROCRYPT '08, pp 146–162

[23] Kurosawa K, Ohtaki Y (2012) UC-secure searchable symmetric encryption. In: Keromytis A (ed) Financial Cryptography and Data Security, Lecture Notes in Computer Science, vol 7397, Springer Berlin Heidelberg, pp 285–298

[24] Liesdonk P, Sedghi S, Doumen J, Hartel P, Jonker W (2010) Computationally efficient searchable symmetric encryption. In: Jonker W, Petković M (eds) Secure Data Management, Lecture Notes in Computer Science, vol 6358, Springer Berlin Heidelberg, pp 87–100

[25] Nishioka M (2012) Perfect keyword privacy in PEKS systems. In: Takagi T, Wang G, Qin Z, Jiang S, Yu Y (eds) Provable Security, Lecture Notes in Computer Science, vol 7496, Springer Berlin Heidelberg, pp 175–192

[26] Shacham H (2007) A Cramer-Shoup encryption scheme from the linear assumption and from progressively weaker linear variants

[27] Shen E, Shi E, Waters B (2009) Predicate privacy in encryption systems. In: Proceedings of the 6th Theory of Cryptography Conference, Springer-Verlag, Berlin, Heidelberg, TCC '09, pp 457–473

[28] Shi E, Waters B (2008) Delegating capabilities in predicate encryption systems. In: Proceedings of the 35th International Colloquium on Automata, Languages and Programming, Part II, Springer-Verlag, Berlin, Heidelberg, ICALP '08, pp 560–578

[29] Song DX, Wagner D, Perrig A (2000) Practical techniques for searches on encrypted data. In: Proceedings of the 2000 IEEE Symposium on Security and Privacy, S&P 2000, pp 44–55

[30] Yoshino M, Kunihiro N, Naganuma K, Sato H (2012) Symmetric inner-product predicate encryption based on three groups. In: Takagi T, Wang G, Qin Z, Jiang S, Yu Y (eds) Provable Security, Lecture Notes in Computer Science, vol 7496, Springer Berlin Heidelberg, pp 215–234, DOI 10.1007/978-3-642-33272-2_14, URL http://dx.doi.org/10.1007/978-3-642-33272-2_14

Appendix A: A Sequence of Hybrid Games among Schemes 0-4

This section proves that ESSE-2 satisfies Definition 3 (plaintext privacy). Using a sequence of hybrid games, Schemes 0-4 are proven to be indistinguishable.


Lemma 1. Scheme 0 and Scheme 1 are computationally indistinguishable under the d-Linear assumption.

Proof. We build a simulator $\mathcal{B}$ that tries to break the d-Linear assumption using an adversary $\mathcal{A}$ that tries to distinguish Scheme 0 from Scheme 1.

The simulator $\mathcal{B}$ is given the public parameters $(G, q, g, e, G_T)$ and an instance of the d-Linear assumption $(g^{\alpha^{-1}}, g^{M'}, g^{M'^{-1}})$ together with the challenge $(T_0 = g^{\alpha M'}, T_1 = g^{\beta})$, where $\alpha, \beta \xleftarrow{R} \mathbb{Z}_q^{n+1}$, and $M' = \{m'_{i,j}\}_{(n+1) \times (n+1)} \in \mathbb{Z}_q^{(n+1) \times (n+1)}$ ($1 \le i, j \le n+1$) is invertible with all but negligible probability; $M'^{-1}$ denotes its inverse.

Setup: $\mathcal{A}$ is given the public parameters and outputs two challenge plaintexts $W_0^*, W_1^* \in \Sigma$ to $\mathcal{B}$. $\mathcal{B}$ forwards the challenge plaintexts $W_0^*$ and $W_1^*$ to the challenger $\mathcal{C}$, and generates $S \xleftarrow{R} \{0, 1\}^{n+1}$ such that $S \ne (0, \dots, 0)$, $\rho \xleftarrow{R} \mathbb{Z}_q^n$, and an invertible matrix $M_2 \xleftarrow{R} \mathbb{Z}_q^{(n+1) \times (n+1)}$.

Phase 1 (plaintext query): $\mathcal{B}$ receives a plaintext query $W_i$ (where $W_i \ne W_0^*$ and $W_i \ne W_1^*$) from $\mathcal{A}$ and responds as follows.

$\mathcal{B}$ generates an $(n+1)$-dimensional vector $\hat p_i = (\rho[1], \dots, \rho[i], x_{i,i+1}, \dots, x_{i,n}, 1)$, where $x_{i,j} \xleftarrow{R} \mathbb{Z}_q$ for $i + 1 \le j \le n$. $\mathcal{B}$ splits $\hat p_i$ as follows. For $j = 1$ to $n+1$,
– if $S[j] = 0$, set $\hat p'_i[j] = \hat p''_i[j] = \hat p_i[j]$;
– if $S[j] = 1$, set $\hat p'_i[j] + \hat p''_i[j] = \hat p_i[j]$.

Therefore, the ciphertext of $W_i$ is $I'_i = (g^{\hat p'_i M'}, g^{\hat p''_i M_2})$, which $\mathcal{B}$ can compute from $g^{M'}$ and $M_2$.

Phase 1 (predicate query): $\mathcal{B}$ receives a predicate $f_{w_i}$ from $\mathcal{A}$ subject to the restriction that Query($T_{f_{w_i}}$, Encrypt(SK, $W_0^*$)) = Query($T_{f_{w_i}}$, Encrypt(SK, $W_1^*$)). $\mathcal{B}$ responds as follows.

$\mathcal{B}$ randomly chooses $r, a \xleftarrow{R} \mathbb{Z}_q$ and sets $t = (\underbrace{0, \dots, 0}_{i-1}, r, \underbrace{0, \dots, 0}_{n-i})$ and $\hat t = (\underbrace{0, \dots, 0}_{i-1}, r, \underbrace{0, \dots, 0}_{n-i}, a)$. Then $\mathcal{B}$ splits $\hat t$ into two vectors $\hat t'$ and $\hat t''$ with the splitting indicator $S$. For $j = 1$ to $n+1$,
– if $S[j] = 1$, set $\hat t'[j] = \hat t''[j] = \hat t[j]$;
– if $S[j] = 0$, set $\hat t'[j] + \hat t''[j] = \hat t[j]$.

Therefore, the token for $f_{w_i}$ is $T = (g^{M'^{-1} \hat t'^T}, g^{M_2^{-1} \hat t''^T}, g^{\langle \rho, t\rangle + a})$, which $\mathcal{B}$ can compute from $g^{M'^{-1}}$ and $M_2^{-1}$.

Challenge: $\mathcal{B}$ receives the plaintext challenge $W_0^*$ from $\mathcal{A}$. $\mathcal{B}$ behaves as in Phase 1 to generate the vectors $\hat p'_{0*}$ and $\hat p''_{0*}$ and outputs the challenge ciphertext $I'_{0*} = (T_b \cdot g^{\hat p'_{0*} M'}, g^{\hat p''_{0*} M_2})$, where $b \in \{0, 1\}$ is the challenger's random bit and the product $T_b \cdot g^{\hat p'_{0*} M'}$ is taken componentwise.

It can be verified that when $b = 1$, $T_1 = g^{\beta}$ and $I'_{0*,1} = g^{\hat p'_{0*} M' + \beta}$, and the distribution of the ciphertext is exactly the same as in Scheme 0, whereas if $b = 0$, $T_0 = g^{\alpha M'}$ and $I'_{0*,1} = g^{(\alpha + \hat p'_{0*}) M'}$, and the distribution of the ciphertext is exactly the same as in Scheme 1.

Phase 2 (plaintext/predicate query): $\mathcal{B}$ behaves the same as in Phase 1.

Guess: $\mathcal{B}$ receives the guess $b'$ from $\mathcal{A}$ and outputs the same guess $b'$ to $\mathcal{C}$.

If the adversary $\mathcal{A}$ has advantage $\epsilon$ in distinguishing Scheme 0 from Scheme 1, then the simulator $\mathcal{B}$ has the same advantage $\epsilon$ in breaking the d-Linear assumption.

Lemma 2. Scheme 1 and Scheme 2 are computationally indistinguishableunder d-linear assumption.

Proof. We build a simulator B using an adversary A, which tries to distinguishScheme 1 from Scheme 2. The simulator B is given d-linear assumption instancesas same as the game of Scheme 0 and Scheme 1.

Setup: A and B behave the same as the game of Scheme 0 and Scheme 1.

Phase 1 (plaintext query): B receives plaintext query $W_i$ (where $W_i \neq W_0^*$ and $W_i \neq W_1^*$) from A and responds for A the same as in the game between Scheme 0 and Scheme 1.

Phase 1 (predicate query): B receives predicate $f_{w_i}$ from A subject to the restriction that $\mathrm{Query}(T_{f_{w_i}}, \mathrm{Encrypt}(SK, W_0^*)) = \mathrm{Query}(T_{f_{w_i}}, \mathrm{Encrypt}(SK, W_1^*))$. B outputs the encrypted token for the predicate query the same as in the game between Scheme 0 and Scheme 1.

Challenge: B receives plaintext challenge $W_1^*$ from A. B behaves the same as in the game between Scheme 0 and Scheme 1 to generate vectors $\hat p'_i$ and $\hat p''_i$ and outputs the ciphertext for the plaintext challenge $I'^{*}_1 = (T_b \cdot g^{\hat p'_i M'}, g^{\hat p''_i M_2})$ with a random bit $b \in \{0, 1\}$.

It can be verified that when $b = 1$, then $T_1 = g^{\beta}$ and $I'^{*}_{1,1} = g^{\hat p'_i M' + \beta}$, so the distribution of the ciphertext is exactly the same as in Scheme 2, whereas if $b = 0$, then $T_0 = g^{\alpha M'}$ and $I'^{*}_{1,1} = g^{(\alpha + \hat p'_i) M'}$, so the distribution of the ciphertext is exactly the same as in Scheme 1.

Phase 2 (plaintext/predicate query): B behaves the same as Phase 1.

Guess: B receives the guess $b'$ from A and outputs the same guess $b'$ to C.

If the adversary A has advantage $\epsilon$ in distinguishing Scheme 1 from Scheme 2, then the simulator B has the same advantage $\epsilon$ in breaking the d-linear assumption.

Lemma 3. Scheme 2 and Scheme 4 are computationally indistinguishable under the d-linear assumption.

Proof. The proof that Scheme 2 and Scheme 3 are indistinguishable exactly parallels the proof of Lemma 1, while the proof that Scheme 3 and Scheme 4 are indistinguishable exactly parallels the proof of Lemma 2.

Appendix B: A Sequence of Hybrid Games among Schemes 0'-4'

This section proves that ESSE-2 satisfies Definition 4 (predicate privacy). Using a sequence of hybrid games, Schemes 0'-4' are proven to be indistinguishable.

Lemma 4. Scheme 0' and Scheme 1' are computationally indistinguishable under the d-linear assumption.

Proof. We build a simulator B that tries to break the d-linear assumption. The simulator B uses an adversary A that tries to distinguish Scheme 0' from Scheme 1'. The simulator B is given instances of the d-linear assumption: $(g^{\alpha^{-1}}, g^{M'}, g^{M'^{-1}})$ and $(T_0 = g^{M'^{-1} \alpha}, T_1 = g^{\beta})$, where $\alpha, \beta \leftarrow_R \mathbb{Z}_q^{n+1}$, $M' = \{m'_{i,j}\}_{(n+1) \times (n+1)} \in \mathbb{Z}_q^{(n+1) \times (n+1)}$ $(1 \le i, j \le n+1)$ is invertible with all but negligible probability, and $M'^{-1}$ denotes its inverse matrix.

Setup: A is given the public parameter and outputs two challenge predicates $f_{w_0^*}, f_{w_1^*} \in W$ to B. B gives the predicates $f_{w_0^*}$ and $f_{w_1^*}$ to the challenger C, and generates random values $S \leftarrow_R \{0, 1\}^{n+1}$, $\rho \leftarrow_R \mathbb{Z}_q^n$. In addition, we let $l_0$ and $l_1$ respectively denote the sequence of $f_{w_0^*}$ and $f_{w_1^*}$.

Phase 1 (plaintext query): B receives plaintext query $W_i$ from A subject to the restriction that $\mathrm{Query}(T_{f_{w_0^*}}, \mathrm{Encrypt}(SK, W_i)) = \mathrm{Query}(T_{f_{w_1^*}}, \mathrm{Encrypt}(SK, W_i))$. B outputs the ciphertext $I'_i = (g^{\hat p'_i M'}, g^{\hat p''_i M_2})$ the same as for the plaintext query in the game between Scheme 0 and Scheme 1.

Phase 1 (predicate query): B receives predicate $f_{w_i}$ (where $f_{w_i} \neq f_{w_0^*}$ and $f_{w_i} \neq f_{w_1^*}$) from A. B outputs the encrypted token for the predicate query the same as in the game between Scheme 0 and Scheme 1.

Challenge: B receives predicate challenge $f_{w_0^*}$ from A. B behaves the same as in Phase 1 to generate vectors $\hat t'$ and $\hat t''$ and outputs the encrypted predicate challenge $T_{f_0^*} = (T_b \cdot g^{M'^{-1} \hat t'^{T}}, g^{M_2^{-1} \hat t''^{T}}, g^{\langle \rho, t \rangle + a})$ with a random bit $b \in \{0, 1\}$.

It can be verified that when $b = 1$, then $T_1 = g^{\beta}$ and $T_{f_0^*, 1} = g^{M'^{-1} \hat t'^{T} + \beta}$, so the distribution of the encrypted token is exactly the same as in Scheme 0', whereas if $b = 0$, then $T_0 = g^{M'^{-1} \alpha}$ and $T_{f_0^*, 1} = g^{M'^{-1} (\hat t'^{T} + \alpha)}$, so the distribution of the encrypted token is exactly the same as in Scheme 1'.

Phase 2 (plaintext/predicate query): B behaves the same as Phase 1.


Guess: B receives the guess $b'$ from A and outputs the same guess $b'$ to C.

If the adversary A has advantage $\epsilon$ in distinguishing Scheme 0' from Scheme 1', then the simulator B has the same advantage $\epsilon$ in breaking the d-linear assumption.

Lemma 5. Scheme 1' and Scheme 2' are computationally indistinguishable under the d-linear assumption.

Proof. We build a simulator B using an adversary A that tries to distinguish Scheme 1' from Scheme 2'. The simulator B is given the same d-linear assumption instances as in the game between Scheme 0' and Scheme 1'.

Setup: A and B behave the same as in the game between Scheme 0' and Scheme 1'.

Phase 1 (plaintext query): B receives plaintext query $W_i$ from A subject to the restriction that $\mathrm{Query}(T_{f_{w_0^*}}, \mathrm{Encrypt}(SK, W_i)) = \mathrm{Query}(T_{f_{w_1^*}}, \mathrm{Encrypt}(SK, W_i))$ and responds for A the same as in the game between Scheme 0' and Scheme 1'.

Phase 1 (predicate query): B receives predicate $f_{w_i}$ (where $f_{w_i} \neq f_{w_0^*}$ and $f_{w_i} \neq f_{w_1^*}$) from A, and B outputs the encrypted token for the predicate query the same as in the game between Scheme 0' and Scheme 1'.

Challenge: B receives predicate challenge $f_{w_1^*}$ from A. B behaves the same as in Phase 1 to generate vectors $\hat t'$ and $\hat t''$ and outputs the encrypted predicate challenge $T_{f_1^*} = (T_b \cdot g^{M'^{-1} \hat t'^{T}}, g^{M_2^{-1} \hat t''^{T}}, g^{\langle \rho, t \rangle + a})$ with a random bit $b \in \{0, 1\}$.

It can be verified that when $b = 1$, then $T_1 = g^{\beta}$ and $T_{f_1^*, 1} = g^{M'^{-1} \hat t'^{T} + \beta}$, so the distribution of the encrypted token is exactly the same as in Scheme 2', whereas if $b = 0$, then $T_0 = g^{M'^{-1} \alpha}$ and $T_{f_1^*, 1} = g^{M'^{-1} (\hat t'^{T} + \alpha)}$, so the distribution of the encrypted token is exactly the same as in Scheme 1'.

Phase 2 (plaintext/predicate query): B behaves the same as Phase 1.

Guess: B receives the guess $b'$ from A and outputs the same guess $b'$ to C.

If the adversary A has advantage $\epsilon$ in distinguishing Scheme 1' from Scheme 2', then the simulator B has the same advantage $\epsilon$ in breaking the d-linear assumption.

Lemma 6. Scheme 2' and Scheme 4' are computationally indistinguishable under the d-linear assumption.

Proof. The proof that Scheme 2' and Scheme 3' are indistinguishable exactly parallels the proof of Lemma 4, while the proof that Scheme 3' and Scheme 4' are indistinguishable exactly parallels the proof of Lemma 5.