Searchable encryption is of increasing interest for protecting data privacy in secure searchable cloud storage. In this paper, we investigate the security of a well-known cryptographic primitive, namely public key encryption with keyword search (PEKS), which is very useful in many applications of cloud storage. Unfortunately, it has been shown that the traditional PEKS framework suffers from an inherent insecurity called the inside keyword guessing attack (KGA), launched by a malicious server. To address this security vulnerability, we propose a new PEKS framework named dual-server PEKS (DS-PEKS). As another main contribution, we define a new variant of smooth projective hash functions (SPHFs), referred to as linear and homomorphic SPHF (LH-SPHF). We then show a generic construction of secure DS-PEKS from LH-SPHF. To illustrate the feasibility of our new framework, we provide an efficient instantiation of the general framework from a Decision Diffie-Hellman-based LH-SPHF and show that it can achieve strong security against inside KGA.
Introduction
With the development of cloud computing, more and more private and confidential information is being centralized in the cloud [3][4]. Therefore, people are increasingly concerned about the security of the cloud. Traditionally, in order to protect sensitive information stored in the cloud, some kind of access control mechanism may be applied in the database management system, such as MS Access. Access control is an effective way to protect information under the assumption of a trusted server on which the database runs. However, access control is not a panacea in real-world applications. In some cases, we cannot fully trust the server. An alternative solution is to encrypt the data before saving it in the cloud. This can achieve confidentiality of the data even against inside attackers such as curious database system administrators. What the user needs to do is keep the encryption keys carefully, without revealing them to the internal system manager. However, an inherent problem is how to retrieve the encrypted data efficiently.
Security of our scheme
We define security for our scheme in the sense of IND-CPA security (Baek et al. 2008) and Trapdoor-IND-CPA security [2]. As
Dual-Server Public-Key Encryption With Keyword Search for Secure Cloud Storage
described in [5], IND-CPA guarantees that a server that has not obtained the trapdoors for given keywords cannot tell which PEKS ciphertext encrypts which keyword, and that an outside attacker that has not obtained the server's private key cannot make any decisions about the PEKS ciphertexts, even if the attacker gets all the trapdoors for the keywords that it holds. As described in [2], Trapdoor-IND-CPA requires that an attacker (excluding the server and the receiver) cannot distinguish between the trapdoors of two challenge keywords.

We define IND-CPA security and Trapdoor-IND-CPA security for our scheme as follows, as described in [1][2]. Let $A$ be an attacker whose running time is bounded by $t$, which is polynomial in a security parameter $k$, and let $B$ be a challenger. We consider the following three games:

Game 1: $A$ is assumed to be a server.

Phase 1-1: The common parameter generation algorithm $\mathsf{KeyGenParam}(k)$ and the two key generation algorithms $\mathsf{KeyGenReceiver}(k)$ and $\mathsf{KeyGenServer}(k)$ are run. A common parameter $cp$ and the private and public key pairs of the receiver and the server, which we denote by $(sk_R, pk_R)$ and $(sk_S, pk_S)$ respectively, are then generated. $cp$, $pk_R$, $sk_S$, and $pk_S$ are given to $A$, while $sk_R$ is kept secret from $A$.

Phase 1-2: $A$ queries a number of keywords, each of which is denoted by $w$, to the trapdoor generation oracle $\mathsf{Trapdoor}$ and obtains a corresponding trapdoor $T_w$.

Phase 1-3: $A$ outputs a target keyword pair $(w_0^*, w_1^*)$. (Notice that neither $w_0^*$ nor $w_1^*$ has been queried to obtain a corresponding trapdoor in Phase 1-2.) Upon receiving this, the PEKS oracle $\mathsf{PEKS}$ chooses $\beta \in \{0,1\}$ uniformly at random, creates a target PEKS ciphertext $S^* = \mathsf{PEKS}(cp, pk_S, pk_R, w_\beta^*)$, and returns it to $A$.

Phase 1-4: $A$ issues a number of trapdoor extraction queries as in Phase 1-2. The restriction here is that $w_0^*$ and $w_1^*$ are not allowed to be queried as trapdoor extraction queries.

Phase 1-5: $A$ outputs its guess $\beta' \in \{0,1\}$.
We define $A$'s success in Game 1 by $\mathrm{Succ}_{\mathrm{Game1}}(k) = \Pr[\beta' = \beta] - \frac{1}{2}$.

Game 2: $A$ is assumed to be an outside attacker (including the receiver).

Phase 2-1: The common parameter generation algorithm $\mathsf{KeyGenParam}(k)$ and the two key generation algorithms $\mathsf{KeyGenReceiver}(k)$ and $\mathsf{KeyGenServer}(k)$ are run. A common parameter $cp$ and the private and public key pairs of the receiver and the server, which we denote by $(sk_R, pk_R)$ and $(sk_S, pk_S)$ respectively, are then generated. $cp$, $pk_R$, $sk_R$, and $pk_S$ are given to $A$, while $sk_S$ is kept secret from $A$.

Phase 2-2: $A$ queries a number of keywords, each of which is denoted by $w$, to the trapdoor generation oracle $\mathsf{Trapdoor}$ and obtains a corresponding trapdoor $T_w$.
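The bookkeeping of Game 1 above (trapdoor oracle restrictions, hidden bit, success measure) can be exercised as a small Monte Carlo harness. This is an added example, not code from the paper: `ToyScheme` is a constructed keyed-hash stand-in with no server key pair, and the keywords and class names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

class ToyScheme:
    """Constructed stand-in, not the paper's scheme: keyed-hash tags, no server key pair."""
    def __init__(self, randomized):
        self.randomized = randomized
        self.sk_r = secrets.token_bytes(32)            # receiver secret, hidden from A

    def trapdoor(self, w):
        return hmac.new(self.sk_r, w.encode(), hashlib.sha256).digest()

    def peks(self, w):
        if not self.randomized:                        # weak variant: anyone can recompute it
            return hashlib.sha256(w.encode()).digest()
        r = secrets.token_bytes(16)                    # fresh randomness per ciphertext
        return r + hmac.new(self.trapdoor(w), r, hashlib.sha256).digest()

class Game1:
    def __init__(self, scheme):
        self.scheme, self.queried, self.challenge = scheme, set(), None

    def trapdoor_oracle(self, w):                      # Phases 1-2 and 1-4
        if self.challenge and w in self.challenge:
            raise ValueError("challenge keywords may not be queried")
        self.queried.add(w)
        return self.scheme.trapdoor(w)

    def challenge_oracle(self, w0, w1):                # Phase 1-3
        if {w0, w1} & self.queried:
            raise ValueError("challenge keywords were already queried")
        self.challenge = (w0, w1)
        self.beta = secrets.randbelow(2)               # hidden bit chosen by the oracle
        return self.scheme.peks(self.challenge[self.beta])

    def finish(self, guess):                           # Phase 1-5
        return guess == self.beta

def hash_compare_adversary(game):
    game.trapdoor_oracle("invoice")                    # permitted query on another keyword
    s = game.challenge_oracle("salary", "merger")
    guess = 0 if s == hashlib.sha256(b"salary").digest() else 1
    return game.finish(guess)

def advantage(randomized, adversary, trials=2000):
    wins = sum(adversary(Game1(ToyScheme(randomized))) for _ in range(trials))
    return wins / trials - 0.5                         # estimate of Pr[guess = beta] - 1/2
```

Against the deterministic variant the same recompute-and-compare strategy reaches the maximum success of 1/2, while against the randomized variant the estimate stays near 0, which is the property the game is meant to capture.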