Privacy-Preserving and Efficient Public Key Encryption with Keyword Search Based on CP-ABE in Cloud

1. Introduction

• We propose an efficient and privacy-preserving PEKS-CPABE scheme, which enables the data owner to control the search and use of its outsourced encrypted data in the cloud according to its access control policy. Our scheme can achieve keyword search queries over encrypted data with fine-grained access control;
• We formalize the security definition, and prove that our scheme achieves selective indistinguishability security against an adaptive chosen keyword attack and can also ensure keyword privacy;
• We present the performance analysis in terms of theoretical analysis and experimental analysis, and demonstrate the efficiency of our scheme. Finally, the experimental results show that our PEKS-CPABE scheme performs better than the CP-ABKS scheme proposed in [22] and CP-ABSE scheme proposed in [23].

2. Related Work

3. Preliminaries

4. System Model

5. PEKS-CPABE Construction

• Setup$\left(1^{\lambda }\right)$: The setup algorithm is called by the TA, which takes as input the security parameter $\lambda$, and outputs the public parameter $pp$ and the master private key $msk$, which is processed as follows:

  —

  The TA first chooses two cyclic groups $\mathbb{G}$ and ${\mathbb{G}}_T$ of order p, which is a $\lambda$ bit prime, g is the generator of $\mathbb{G}$, and selects a bilinear map $\widehat{e}:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_T$;

  —

  Let $H_1:{\{0,1\}}^{\ast }\to {\mathbb{Z}}_p^{\ast }$ and $H_2:{\{0,1\}}^{\ast }\to \mathbb{G}$ be two secure hash functions;

  —

  Then, the TA selects a random element $\alpha ,\beta \in {\mathbb{Z}}_p^{\ast }$ and sets

  $$pp=(\mathbb{G},{\mathbb{G}}_T,p,\widehat{e},g,g^{\alpha },g^{\beta },H_1,H_2), msk=(\alpha ,\beta );$$

• KeyGen$(pp,msk,S_U)$: The key generation algorithm is invoked by the TA, which takes as input the public parameter $pp$, the master private key $msk$ and the data user’s attribute set $S_U$, and outputs the private key of the data user $S{K}_U$, which is processed as follows:

  —

  The TA randomly selects $r\in {\mathbb{Z}}_p^{\ast }$ and computes $K=g^{\frac{\alpha +r}{\beta }},K^{\prime }=g^r$;

  —

  For each attribute $a{t}_j\in S_U$, compute $K_{a{t}_j}=K^{\prime }{g}^{H_1\left(a{t}_j\right)}$;

  —

  Set the private key of the data user as

  $$S{K}_U=(K,\left\{\left(K_{a{t}_j}\right)\right|\forall a{t}_j\in S_U\})$$

• Encryption$(pp,T,w)$: The encryption algorithm is invoked by the DO, which takes as input the public parameter $pp$, the access tree T and the index keyword w, and outputs the encrypted index $I_w$, which is processed as follows:

  —

  The DO first computes $I_1=\widehat{e}{(g,g)}^{\alpha s}\widehat{e}(g^{s\beta },H_2\left(w\right))$, $I_2=g^{s\beta }$;

  —

  For each node x in the access tree T, the DO chooses a $d_x$ degree polynomial $q_x$ in a top-down manner, where $d_x=k_x-1$, where $k_x$ is the threshold value of node x;

  —

  For the root node $root$ of access tree T, the DO randomly picks up a secret key $s\in {\mathbb{Z}}_p^{\ast }$ and sets $q_{root}\left(0\right)=s$. Then, the DO randomly chooses $d_{root}$ other points of to define the polynomial $q_{root}$ completely;

  —

  For other non-root node x, the DO sets $q_x\left(0\right)=q_{parent\left(x\right)}(index\left(x\right))$, and randomly chooses $d_x$ other points to define the polynomial $q_x$ completely;

  —

  Finally, for each node $x\in lvs\left(T\right)$, compute $A_x=g^{q_x\left(0\right)}$ and $B_x=g^{H_1(att\left(x\right))q_x\left(0\right)}$. The encrypted index is given as

  $$I_w=(T,I_1,I_2,\left\{(A_x,B_x)\right|\forall x\in lvs\left(T\right)\})$$

• TrapGen$(pp,S{K}_U,w^{\prime })$: The trapdoor generation algorithm is called the DU, which takes as input the public parameter $pp$, the private key of the data user $S{K}_U$ and the search query for keyword $w^{\prime }$, and outputs the trapdoor $T_{w^{\prime }}$, which is processed as follows:

  —

  The DU computes $T_0=K_1{H}_2\left(w^{\prime }\right)=g^{\frac{\alpha +r}{\beta }}{H}_2\left(w^{\prime }\right)$;

  —

  For each $a{t}_j\in S_U$, compute $T_{a{t}_j}=K_{a{t}_j}$. The trapdoor is given as

  $$T_{w^{\prime }}=(T_0,\left\{\left(T_{a{t}_j}\right)\right|\forall a{t}_j\in S_U\})$$

• Search$(pp,I_w,T_{w^{\prime }},S_U)$: The search query algorithm is called by the CSP, which takes as input the public parameter $pp$, the encrypted index $I_w$, the trapdoor for query keyword $T_{w^{\prime }}$ and the data user’s attribute set $S_U$. The CSP selects a data user’s attribute set $S_U$ that satisfies the access tree T contained the encrypted index. If $S_U$ does not exist, the algorithm returns 0. Otherwise, it computes as follows:

  —

  If the node x is a leaf node in the T, for each attribute $a{t}_j\in S_U$, then

  $$E_x=\frac{\widehat{e}(T_{a{t}_j},A_x)}{\widehat{e}(g,B_x)}=\frac{\widehat{e}(g^r{g}^{H_1\left(a{t}_j\right)},g^{q_x\left(0\right)})}{\widehat{e}(g,g^{H_1\left(att\left(x\right)\right)q_x\left(0\right)})}=\widehat{e}{(g,g)}^{r{q}_x\left(0\right)},att\left(x\right)=a{t}_j,x\in lvs\left(T\right).$$

  —

  If the node x is a non-leaf node in the T, we get the $E_x$ by computing $E_{x^{\prime }}$ in a recursive manner, where $x^{\prime }$ is the children nodes of x. Let $S_x$ represent an arbitrary $k_x$ set of children nodes x, if no such set exists, $E_{x^{\prime }} = \perp$; otherwise, compute as follows

  $$\begin{array}{cc}\hfill E_x& =\prod _{x^{\prime }\in S_x}{E}_{x^{\prime }}^{{\Delta }_{i,S_x^{\prime }\left(0\right)}}\hfill \\ \hfill & =\prod _{x^{\prime }\in S_x}{\left(\widehat{e}{(g,g)}^{r{q}_{x^{\prime }}\left(0\right)}\right)}^{{\Delta }_{i,S_x^{\prime }\left(0\right)}}\hfill \\ \hfill & =\prod _{x^{\prime }\in S_x}{\left(\widehat{e}{(g,g)}^{r{q}_{parent\left(x^{\prime }\right)}\left(index\left(x^{\prime }\right)\right)}\right)}^{{\Delta }_{i,S_x^{\prime }\left(0\right)}}\hfill \\ \hfill & =\prod _{x^{\prime }\in S_x}{\left(\widehat{e}{(g,g)}^{r{q}_x\left(i\right)}\right)}^{{\Delta }_{i,S_x^{\prime }\left(0\right)}}\hfill \\ \hfill & =\widehat{e}{(g,g)}^{r{q}_x\left(0\right)}\hfill \end{array}$$

  (1)

  where $i=index\left(x^{\prime }\right),S_x^{\prime }=\{index\left(x^{\prime }\right):x^{\prime }\in S_x\}$;

  —

  If x is a root node in T, $E_{root}=\widehat{e}{(g,g)}^{r{q}_{root}\left(0\right)}=\widehat{e}{(g,g)}^{rs}.$ Finally, if $\widehat{e}(I_2,T_0)=E_{root}{I}_1$, the search algorithm returns 1; otherwise, it returns 0.

  Correctness. $I_1$ and $I_2$ are generated by the encryption algorithm, and $T_0$ is generated in the trapdoor generation algorithm. The proposed PEKS-CPABE scheme is correct when the following equation holds.

  $$\begin{array}{cc}\hfill I_1& =\frac{\widehat{e}(I_2,T_0)}{E_{root}}\hfill \\ \hfill & =\frac{\widehat{e}(g^{s\beta },g^{\frac{\alpha +r}{\beta }}{H}_2\left(w^{\prime }\right))}{\widehat{e}{(g,g)}^{rs}}\hfill \\ \hfill & =\frac{\widehat{e}{(g,g)}^{s(\alpha +r)}\widehat{e}(g^{s\beta },H_2\left(w^{\prime }\right))}{\widehat{e}{(g,g)}^{rs}}\hfill \\ \hfill & =\widehat{e}{(g,g)}^{\alpha s}\widehat{e}(g^{s\beta },H_2(w^{\prime })).\hfill \end{array}$$

  (2)
  If the query keyword $w^{\prime }$ matches the encrypted keyword index, namely $w=w^{\prime }$, then we have the equation $\frac{\widehat{e}(I_2,T_0)}{E_{root}}=I_1$ hold.

6. Security Proof

7. Performance Analysis

8. Conclusions