A Proxy Re-Encryption with Keyword Search Scheme in Cloud Computing

Yongli Tang, Huanhuan Lian, Zemao Zhao and Xixi Yan,

Abstract: With the widespread use of cloud computing technology, more and more users and enterprises decide to store their data in a cloud server by outsourcing. However, these huge amounts of data may contain personal privacy, business secrets and other sensitive information of the users and enterprises. Thus, at present, how to protect, retrieve, and legally use the sensitive information while preventing illegal accesses are security challenges of data storage in the cloud environment. A new proxy re-encryption with keyword search scheme is proposed in this paper in order to solve the problem of the low retrieval efficiency of the encrypted data in the cloud server. In this scheme, the user data are divided into files, file indexes and the keyword corresponding to the files, which are respectively encrypted to store. The improved scheme does not need to re-encrypt partial file cipher-text as in traditional schemes, but re-encrypt the cipher-text of keywords corresponding to the files. Therefore the scheme can improve the computational efficiency as well as resist chosen keyword attack. And the scheme is proven to be indistinguishable under Hash Diffie-Hellman assumption. Furthermore, the scheme does not need to use any secure channels, making it more effective in the cloud environment.

Keywords: Cloud computing, keyword search, proxy re-encryption, provable security.

1 Introduction

The applications of cloud service on the Internet are greatly promoted by the rapid development of cloud computing technology [Gupta (2015); Li, Chen, Huang et al.(2014)]. Recently, a large number of users choose data outsourcing services due to its convenience and interactivity. Compared with the traditional storage mode, the data outsourcing services do not require the local storage media, which not only save the cost of local storage, but also improve the efficiency of access and increase the security of the data storage. As more and more data which include personal privacy of users and business secrets of enterprises are outsourced to cloud servers, the amounts of data increase exponentially. However, for the legitimate users which request to access encrypted data, how to retrieve the cipher-text data in cloud servers and improve retrieval efficiency are the main challenges in cloud storage.

There are effective ways that users can encrypt their data locally and send to a cloud server to protect the sensitive information. But how to retrieve their data in the cloud server is a difficult problem. There are two ways to solve the problem. The simplest way is that users download all their encrypted data from the cloud server to the local media.Then the users decrypt the cipher-text and complete the corresponding keyword search on the plaintext data. The disadvantages of this way not only waste a lots of network resources and access costs, users will also waste a lot of computational overhead on the decryption of the encrypted data. Another more security idea is that users send their encryption key and search keywords to the cloud server. The cloud server can decrypt cipher-text according to the key. Thus the users complete keyword search in the cloud server. However, this idea makes the data to be stored in the form of plaintext for the cloud server. It is a great threat to the security of the sensitive information. Therefore, it has theoretical value and practical significance to research the keyword search of ciphertext data in the cloud environment.

1.1 Related work

In order to retrieve the encrypted data efficiently, the first construction of searchable encryption scheme based on symmetric algorithm which supported keyword search work in the cipher-text data was proposed by Song et al. [Song, Wagner and Perrig (2000)] in 2000. In recent years, searchable encryption has been researched and developed by the researchers [Terrorism (2013); Tan, Chin, Poh et al. (2015); Wen, Lu, Lei et al. (2014)].The public key encryption with keyword search based on a bilinear pairing [Dan,Crescenzo, Ostrovsky et al. (2004)] was proposed, which provided a theoretical guide for the subsequent implementation of the cipher-text retrieval in the public key cryptosystem.Next, Wei et al. [Wei, Yang and Chen (2013)] proposed RSA’s multiplicative homomorphism to ensure the storage security of privacy in a database. The searchable encryption schemes establish a foundation for the retrieval of cipher-text from encrypted databases. Furthermore, the proxy re-encryption with keyword search schemes are researched on the searchable encryption schemes [Blaze, Bleumer and Strauss (1998);Wang, Huang, Yang et al. (2012)].

Blaze et al. [Blaze, Bleumer and Strauss (1998)] first proposed the concept of proxy reencryption (PRE) in the European cryptography conference in 1998, PRE is a cryptographic primitive, where a (potentially untrusted) proxy do not know why you mean here? There are problems with this sentence and it needs to be fixed without being able to see anything about the encrypted messages. After the PRE is proposed, it has attracted widely attention and has been studied by the domestic and foreigner researchers.Also it has been popularly applied in the cloud environment. Different technologies are used in the PRE schemes for application in the cloud storage environment [Shi, Liu, Han et al. (2014); Liu, Guo, Fan et al. (2018)]. In order to securely search encrypted messages and delegate the decryption right, Shao et al. [Shao, Cao, Liang et al. (2010)] firstly proposed the concept of proxy re-encryption with keyword search scheme (PRES) which combined the public key encryption with keyword search [Dan, Crescenzo, Ostrovsky et al. (2004)] and proxy re-encryption, and proved the security of the scheme in the random oracle model. However, in 2011, Chen et al. [Chen and Li (2011)] proposed that the security of the Shao’s scheme was built at the cost of reduced computational efficiency.In 2014, Lee et al. [Lee and Lee (2014)] improved the PRES scheme in, which effectively improved the search speed and storage capacity of the scheme. But there was no security proof in the scheme. Chen et al. [Chen, Li, Guo at al. (2014)] proposed a fine-grained access control scheme based on PRES, which limit the user’s authority and resist collusion attack. Guo et al. [Guo and Lu (2014)] proposed a scheme which combined ideas of literature [Shao, Cao, Liang et al. (2010)] and [Rhee, Park, Susilo et al. (2010)].Also they extracted the definitions of PRES and security model. In the re-encryption phase, the scheme only needs to re-encrypt partial file cipher-text. But the calculation efficiency of the scheme can be further optimized.

1.2 Our contribution

In this paper, a new proxy re-encryption with keyword search scheme, based on bilinear pairings, is proposed to solve the above problem. Compared with the traditional schemes,the re-encryption phase in our scheme does not need to re-encrypt partial file cipher-text,but only re-encrypt the cipher-text of keyword corresponding to the file. Besides, the security of our proposed scheme is analyzed and we could draw a conclusion, that is, in Hash Diffie-Hellman assumption, our scheme is proven to be indistinguishable under adaptive chosen keywords attack. Furthermore, the proposed scheme does not need to use any secure channels and strongly unforgeable one-time signatures, making it more effective in the cloud environment. The proposed scheme in this paper is safer compared with other similar schemes.

1.3 Paper organization

The rest of the paper is organized as follows. Section 2 gives some preliminaries of the bilinear map and Hash Diffie-Hellman assumption. In Section 3, we define our PRES scheme and give its security model. The flow and the construction of the scheme are shown in Section 3.2. Then we prove the security of the scheme and compare its efficiency with similar schemes. Finally, we conclude this paper in Section 4.

2 Preliminaries

2.1 Bilinear maps

2.2 Headings

The trapdoor security of our scheme is based on the Hash Diffie-Hellman (HDH)assumption [Abdalla, Bellare and Rogaway (2001)]. We define the HDH assumption inGas follows:

We say that the HDH assumption holds inGif not-time algorithm has an advantage at leastin solving the HDH problem inG.

3 A proxy re-encryption with keyword search scheme

First the definitions of PRES system model and security model of trapdoor indistinguishability are given. Then the process of PRES scheme is shown in Fig. 1. Then we describe the algorithm to construct the proposed scheme and prove its security.Finally, its efficiency is compared with congener schemes.

3.1 The basic definition

A PRES scheme is based on the searchable encryption scheme. It mainly includes three entities which are the cloud serverS, the data ownerAand the data receiverB.

3.2 Our proposal

3.2.1 The scheme model

In this paper, the proxy re-encryption scheme with keyword search mainly includes the data owner, data receiver, cloud server (main server and content server) and other entities,as well as re-encryption generation, re-encryption and search process. The model is shown in Fig. 1.

Figure 1: The model of PRES

The data of the owner are divided into the files, the file index and the corresponding keywords of the file, respectively, in which the cipher-text of the file index is mapped to form the address table and stored in the main server. The file cipher-text is divided into blocks, according to the corresponding address table stored in the content server; in the re-encryption stage, the main server re-encrypt the keyword cipher-text that stored in the main server. The data receiver uses the private key and searches keywords to generate trapdoor, the master server checks the generated trapdoor. If the trapdoor is valid, the master server reads the cipher-text file according to the address table and sends the cipher-text file to the data receiver. The data receiver decrypts the cipher-text.

3.2.2 The flow of the scheme

There are some algorithms as followed:

1) The data ownerA, the data receiverBand the cloud serverSgenerate public and private key pairs according to theKeyGen(params)algorithm. The public keys are overt and the private keys are kept secret by their owners.

2) Enc Phase:Adivides the data into three parts, these are, file, file index and the keyword corresponding to the file, and then encrypts them for cloud storage, respectively.The file is encrypted by the symmetric key in the encryption process; file index is encrypted by the symmetric keyand random numberwhileAcomputesand then sendstoB; the keyword corresponding to the file is encrypted by the encryption key ofA. After the encryption phase,Awill send the cipher-text of the three parts toSfor storage.

3) RKGen Phase: The private key ofBis carried out using the specified hash function and the encrypted hash message is sent toA.Acalculates the re-encryption key by thealgorithm and sends the re-encryption key toS.

4) ReEnc Phase:Suses encryption key to re-encrypt the keyword cipher-text.Sutilizes a re-encryption key that allows it to translate the keyword cipher-text under the encryption key ofAinto the keyword cipher-text under the encryption key ofB, without being able to see anything about the encrypted messages.

5) TGen Phase:Binputs the searching keyword that produces the trapdoor according toalgorithm and sends the trapdoor toS.

6) Test Phase:Stests the trapdoor which is given byBin accordance withalgorithm. If the input keyword is an effective keyword query,Swill send the index cipher-text and the cipher-text file toB.Bcontinues to decrypt; otherwise,Swill cease operation.

7) Dec Phase: According to the index cipher-text,Bcomputesusing its private key. The symmetric key of the cipher-text file is calculated, and the plaintext is obtained according to the decryption of the cipher-text file.

The work process of proxy re-encryption with keyword search is shown in Fig. 2.

Figure 2: The work process of proxy re-encryption with keyword search

3.2.3 Construction for PRES

Correctness:

3.3 Security proof

Obviously, the probability cannot be ignored, thus the proof is completed. Therefore, if the HDH of G is intractable, our scheme can satisfy the trapdoor indistinguishability.

In the security proof part, we do not take into account the security issue about the encryption of file plaintextM, because the file plaintextMuses a standard semantics secure symmetric encryption algorithm (such as AES symmetric encryption algorithm) in the encryption phase, which can ensure the security of data storage. The standard semantic security of public key encryption algorithm (such as RSA public key encryption algorithm) is used in the encryption of the file index, therefore the security of the file index cipher-textFIDdoes not need to be proven in the security of the game. Because of the complexity of the algorithm based on public key cryptosystem, we can use non-secure channels to communicate between the users. Above all, we only consider the security of the PRES scheme, if the scheme satisfies trapdoor indistinguishability, it is proved that the scheme can resist chosen keyword attack.

3.4 Efficiency comparison

The efficiency comparison between our scheme, Shao et al.’s [Shao, Cao, Liang et al.(2010)] scheme, Fang et al.’s [Fang, Susilo, Ge et al. (2012)] scheme and an efficient proxy re-encryption with keyword search scheme proposed by Lee et al. [Lee and Lee(2014)] are given in Tab. 1. The encryption phase, the re-encryption phase, the trapdoor generation phase and the decryption phase of the schemes are analyzed in detail in termsof the communication cost and computation cost, etc. We denote as the computational cost of a bilinear pairings andas an exponential cost. The efficiency comparison results are shown in Tab. 1.

Table 1: Comparison of schemes efficiency

We understand that because of the properties of the bilinear pairings operations, when the number of embedding is bigger than 1, its computational cost is much greater than an exponentiation over a bilinear group. In the scheme, the computation of the hash function is negligible compared to the exponentiation and bilinear operations. In addition, Shao et al. [Shao, Cao, Liang et al. (2010] and Fang et al. [Fang, Susilo, Ge et al. (2012)] also use strongly unforgeable one-time signatures and verification operations. The specific efficiency is analyzed as follows:

1) Enc Phase: Strongly unforgeable one-time signatures are constructed in the encryption phase in Shao et al. [Shao, Cao, Liang et al. (2010] and Fang et al. [Fang, Susilo, Ge et al.(2012)]. Furthermore, the scheme in Fang et al. [Fang, Susilo, Ge et al. (2012)] does not use bilinear pairings, but there are eight exponentiation operations, while our scheme has only one exponentiation operation. In summary, the scheme in Lee et al. [Lee and Lee(2014)] and our scheme are more efficient, better than the schemes in Shao et al. [Shao,Cao, Liang et al. (2010] and Fang et al. [Fang, Susilo, Ge et al. (2012)].

2) REnc Phase: Our scheme has the same efficiency as the scheme in Lee et al. [Lee and Lee (2014)], which is slightly superior to the scheme in Fang et al. [Fang, Susilo, Ge et al.(2012)]. Compared with the scheme in Shao et al. [Shao, Cao, Liang et al. (2010], the other three schemes have obvious advantages in the bilinear pairings operations.

3) TGen Phase: In the trapdoor generation phase, each scheme is only related to the exponentiation operation. The four schemes have the same computation cost in this phase.4) Dec Phase: The scheme in Shao et al. [Shao, Cao, Liang et al. (2010] uses multiple bilinear pairings operations. The scheme in Fang et al. [Fang, Susilo, Ge et al. (2012)]uses verification algorithms and five exponentiation operations. While the scheme in Wang et al. [Wang, Huang, Yang et al. (2012)] uses one more exponentiation operation than our scheme. Therefore, our scheme is superior to the other three schemes in terms of computational efficiency.

4 Conclusions

In this paper, we propose a new proxy re-encryption with keyword search scheme which can be proved secure. The scheme can be effectively applied in the cloud environment.The trapdoor of our scheme is proven to be indistinguishable under Hash Diffie-Hellman assumption, that is, our scheme satisfies trapdoor indistinguishable under adaptive chosen keywords attack. In the re-encryption phase, compared with other traditional schemes,our scheme does not need to re-encrypt partial file cipher-text, and only need to reencrypt the cipher-text of the keyword corresponding to the file. Compared congener schemes, our scheme can improve the computation efficiency, proving the feasibility and effectiveness of the scheme. The next step is to extend its application in multi-user multifile in cloud environment, and to study the complete attribute-based re-encryption scheme with keyword search, so that the practicality of the scheme can be further improved.

Acknowledgements:This work is supported by “13th Five-Year” National Crypto Development Fund (No. MMJJ20170122), Zhejiang Provincial Natural Science Foundation of China (No. Y15F020053), the Project of Education Department of Henan Province (No.18A413001, No. 16A520013), Natural Science Foundation of Henan Polytechnic University (No. T2018-1).