
1 Introduction

Integration of Searchable Encryption and Public Key Encryption: Public key encryption with keyword search (PEKS) [6] has been widely recognized as a cryptographic primitive providing a search functionality for encrypted data. Briefly, a trapdoor \(t_{\omega }\) is generated with respect to a keyword \(\omega \), and one can search a ciphertext of \(\omega \) by using \(t_{\omega }\). As defined by Abdalla et al. [1], PEKS should provide (wrong keyword) consistency and keyword privacy. Briefly, the former guarantees that for two distinct keywords \(\omega \) and \(\omega ^\prime \), a ciphertext of \(\omega \) is not searched by \(t_{\omega ^\prime }\). The latter guarantees that no information of keyword is revealed from the ciphertext. Abdalla et al. [1] gave a generic construction of PEKS from anonymous identity-based encryption (IBE), e.g., [7, 11, 23].

In actual usage, PEKS should be employed with a PKE scheme since PEKS itself does not support the decryption of data. For example, assume that an e-mail is required to be encrypted. Then, a sender encrypts the mail header or title using a PEKS scheme, and encrypts the mail body using a PKE scheme whose public key is managed by the receiver. Then, a mail gateway can forward the encrypted e-mail by using PEKS, and the receiver can decrypt the ciphertext using their own secret key of the PKE scheme. From now on, we denote the integrated PEKS and PKE as PEKS/PKE as in [30]. As a naive composition, for a PEKS ciphertext \(C_\mathsf{PEKS}\) and a PKE ciphertext \(C_\mathsf{PKE}\), a ciphertext of PEKS/PKE is described as its concatenation \(C_\mathsf{PEKS}||C_\mathsf{PKE}\).

Although indistinguishability against chosen ciphertext attack (IND-CCA) is widely recognized as a standard security definition of PKE, obviously, the naive composition does not provide CCA security even if the underlying PKE scheme is CCA secure. For example, the challenge ciphertext \(C^*_\mathsf{PEKS}||C^*_\mathsf{PKE}\) can be modified such as \(C_\mathsf{PEKS}||C^*_\mathsf{PKE}\) where \(C_\mathsf{PEKS}\ne C^*_\mathsf{PEKS}\), and one can send it to the decryption oracle. This was pointed out by Baek et al. [4] who gave a definition of joint CCA security for PEKS/PKE. Later, Zhang and Imai [30] pointed out that Baek et al.’s definition does not consider keyword privacy. They gave a formal definition of PEKS/PKE that captures both data privacy and keyword privacy, and proposed a generic construction of PEKS/PKE. Abdalla et al. [2, 3] further pointed out that there is room for improvement in the Zhang-Imai model since an adversary is not allowed to access the test oracle in the model. Chen et al. [12] further considered the trapdoor oracle, and proposed a generic construction of PEKS/PKE from (hierarchical) IBE schemes. As concrete constructions, Buccafurri et al. [9] and Saraswat and Sahu [27] proposed PEKS/PKE schemes from (asymmetric) pairings.

Secure-Channel Free PEKS: In typical usage of PEKS, a receiver generates a trapdoor, and sends it to a server (e.g., mail gateway). Then, since anyone can run the test algorithm when they obtain a trapdoor, the trapdoor must be sent to the server via a secure channel. To remove the secure channel, secure-channel free PEKS (SCF-PEKS), which is also called designated tester PEKS, has been proposed [13,14,15, 20, 26, 28]. Unlike the case of employing SSL/TLS in a naive way, only the designated server can run the test algorithm even if trapdoors are exposed. In SCF-PEKS, the server also has a public key and a secret key, and a keyword is encrypted by using the server public key in addition to the receiver public key. The test algorithm is run by using the server secret key in addition to a trapdoor.

Our Contribution: As in PEKS, all PEKS/PKE have assumed that trapdoors are sent to the server via a secure channel. In this paper, to remove this limitation we propose PEKS/PKE supporting secure-channel free property, which we call SCF-PEKS/PKE.

First we give a formal security definition of SCF-PEKS/PKE in a joint CCA manner. Basically, we extend the security definition of SCF-PEKS given by Fang et al. [16]. We strengthen their consistency definition as follows. First, an adversary is allowed to access the trapdoor oracle in our model. Owing to the secure-channel free property, this setting is natural since trapdoors are sent via a public channel. Moreover, we give the server secret key to the adversary to guarantee that the server has no way of producing inconsistent ciphertexts. We call this weak consistency. We further strengthen the consistency, which we call strong consistency, where (1) an adversary can obtain trapdoors even for challenge keywords, and (2) an adversary is allowed to produce the challenge ciphertext. The first extension is the same as that of unrestricted strong robustness [17], and the second extension is the same as those of strong robustness [2, 3] and strong collision-freeness [25]. For keyword privacy, as in Fang et al., we consider two situations where either an adversary is modeled as the server (then the server secret key is given to the adversary), or an adversary is modeled as a receiver (then the receiver secret key is given to the adversary). In the former, the adversary is allowed to access the trapdoor oracle and the test oracle, and in the latter, the adversary is allowed to access the test oracle. We additionally consider the decryption oracle to integrate SCF-PEKS and PKE in our joint CCA security. We further define data privacy. To guarantee that the server does not obtain information of data via the test procedure, we give the server secret key to the adversary. Moreover, the adversary is allowed to access the decryption oracle.

Second, we propose a generic construction of SCF-PEKS/PKE with weak consistency from anonymous IBE, tag-based encryption (TBE) [24], and a one-time signature (OTS). We also show that our construction is strongly consistent if the underlying anonymous IBE provides unrestricted strong collision-freeness which is implied by unrestricted strong robustness [17]. We will show how to construct these ingredients in Sect. 5. Our construction can be seen as an extension of a generic construction of SCF-PEKS from the same ingredients as above, proposed by Emura et al. [14], by considering an observation given by Abdalla et al. [2, 3]. Namely, Abdalla et al. mentioned that if PEKS and PKE support tags, then these can be combined via the Canetti-Halevi-Katz (CHK) transformation [10], leading to a PEKS/PKE scheme secure in the joint CCA manner. That is, by introducing an OTS scheme, a verification key is regarded as a tag of both ciphertexts, and a signature is produced on them. We point out that the Emura et al. construction yields a “tag-based” SCF-PEKS scheme. By introducing a TBE scheme as the underlying PKE scheme supporting tags, we can construct SCF-PEKS/PKE secure in the joint CCA manner. We further modify the construction to protect against re-encryption attacks (See Sect. 4: High-level Description of Our Construction for details) by preparing an IBE plaintext to be correlated to a verification key.

2 Preliminaries

We denote that \(x \xleftarrow {\$} S\) when x is chosen uniformly from a set S. \(y \leftarrow A(x)\) means that y is an output of an algorithm A under an input x. We denote \({ State}\) as the state information transmitted by the adversary to himself across stages of the attack in experiments.

First, we introduce the definition of TBE [24] as follows. Let \(\mathcal{TAG}\) and \(\mathcal{M}_\mathsf{TBE}\) be a tag space of TBE and a plaintext space of TBE, respectively.

Definition 1

(Syntax of TBE). A TBE scheme \(\mathsf{TBE}\) consists of the following three algorithms, TBE.KeyGen, TBE.Enc and TBE.Dec:

  • TBE.KeyGen(\(1^{\kappa }\)): This key generation algorithm takes as input the security parameter \(\kappa \in \mathrm N\), and returns a public key \(pk_\mathsf{TBE}\) and a secret key \(sk_\mathsf{TBE}\).

  • TBE.Enc(\(pk_\mathsf{TBE}\), t, M): This encryption algorithm takes as input \(pk_\mathsf{TBE}\), a message M \(\in \mathcal{M}_\mathsf{TBE}\) with a tag t \(\in \mathcal{TAG}\), and returns a ciphertext \(C_\mathsf{TBE}\).

  • TBE.Dec(\(sk_\mathsf{TBE}\), t, \(C_\mathsf{TBE}\)): This decryption algorithm takes as inputs \(sk_\mathsf{TBE}\), t, and \(C_\mathsf{TBE}\), and returns a message M or a reject symbol \(\perp \).

Correctness is defined as follows: For all (\(pk_\mathsf{TBE}\), \(sk_\mathsf{TBE}\)) \(\leftarrow \) TBE.KeyGen(\(1^\kappa \)), all \(M \in \mathcal{M}_\mathsf{TBE}\), and all t \(\in \mathcal{TAG},\) TBE.Dec(\(sk_\mathsf{TBE}\), t, \(C_\mathsf{TBE}\)) = M holds, where \(C_\mathsf{TBE}\) \(\leftarrow \) TBE.Enc(\(pk_\mathsf{TBE}\), t, M).

Next, we define selective-tag weakly secure against chosen ciphertext attack (IND-stag-CCA) as follows.

Definition 2

(IND-stag-CCA). For any probabilistic polynomial-time (PPT) adversary \(\mathcal{A}\) and the security parameter \(\kappa \in \mathrm N\), we define the experiment \(\mathrm{Exp_{\mathsf{TBE}, \mathcal{A}}^{IND\text {-}stag\text {-}CCA}}(\kappa )\) as follows.

  • \(\mathcal{O}_\mathsf{TBE.DEC}\): This decryption oracle takes as input a tag and a ciphertext \((t, C_\mathsf{TBE})\ne (t^*,C_\mathsf{TBE}^*)\) and returns the result of \(\mathsf{TBE.Dec}(sk_\mathsf{TBE}, t, C_\mathsf{TBE})\).

We say that \(\mathsf{TBE}\) is IND-stag-CCA secure if the advantage

$$\mathrm{Adv_{\mathsf{TBE}, \mathcal{A}}^{IND\text {-}stag\text {-}CCA}}(\kappa ) \mathrel {\mathop :}= \mid \mathrm{Pr[Exp_{\mathsf{TBE}, \mathcal{A}}^{IND\text {-}stag\text {-}CCA}(\kappa ) = 1] - 1/2\mid }$$

is negligible for any PPT adversary \(\mathcal{A}\).

Next, we introduce definition of anonymous IBE with CCA security [19] as follows. Let \(\mathcal{{ID}}\) and \(\mathcal{M}_\mathsf{IBE}\) be an identity space and a plaintext space of IBE, respectively.

Definition 3

(Syntax of IBE). An IBE scheme \(\mathsf{IBE}\) consists of the following four algorithms, IBE.Setup, IBE.Extract, IBE.Enc and IBE.Dec:

  • IBE.Setup(\(1^{\kappa }\)): This setup algorithm takes as input the security parameter \(\kappa \in \mathrm N\), and returns a public key params and a master key mk.

  • IBE.Extract(params, mk, ID): This extract algorithm takes as input an identity ID \(\in \mathcal{ID}\) and mk, and returns a secret key \(sk_{ID}\) corresponding to ID.

  • IBE.Enc(params, ID, M): This encryption algorithm takes as input params, ID \(\in \mathcal{ID}\), a message M \(\in \mathcal{M}_\mathsf{IBE}\), and returns a ciphertext \(C_\mathsf{IBE}\).

  • IBE.Dec(params, \(sk_{ID}\), \(C_\mathsf{IBE}\)): This decryption algorithm takes as inputs \(sk_{ID}\) and \(C_\mathsf{IBE}\), and returns a message M or a reject symbol \(\perp \).

Correctness is defined as follows: For all \((params,mk)\leftarrow \mathsf{IBE.Setup}(1^{\kappa })\), all \(M \in \mathcal{M}_\mathsf{IBE}\), and all ID \(\in \mathcal{ID}\), IBE.Dec(params, \(sk_{ID}\), \(C_\mathsf{IBE}\)) = M holds, where \(C_\mathsf{IBE} \leftarrow \) IBE.Enc(params, ID, M) and \(sk_{ID} \leftarrow \) IBE.Extract(params, mk, ID).

Next, we define indistinguishability against chosen ciphertext attack (IBE-IND-CCA) as follows.

Definition 4

(IBE-IND-CCA). For any PPT adversary \(\mathcal{A}\) and the security parameter \(\kappa \in \mathrm N\), we define the experiment \(\mathrm{Exp_{\mathsf{IBE}, \mathcal{A}}^{IBE\text {-}IND\text {-}CCA}}(\kappa )\) as follows.

  • \(\mathcal{O}_\mathsf{IBE.DEC}\): This decryption oracle takes as input \((ID, C_\mathsf{IBE}) \ne (ID^*, C_\mathsf{IBE}^*)\) and returns the result of \( \mathsf{IBE.Dec}(params, sk_{ID}, C_\mathsf{IBE})\) where \(sk_{ID}\leftarrow \mathsf{IBE.Extract} (params, mk, ID)\).

  • \(\mathcal{O}_\mathsf{IBE.EXTRACT}\): This extract oracle takes as input an identity ID \(\ne \) \(ID^*\) and returns the corresponding secret key \(sk_{ID}\) \(\leftarrow \) IBE.Extract(params, mk, ID).

We say that \(\mathsf{IBE}\) is IBE-IND-CCA secure if the advantage

$$\mathrm{Adv_\mathsf{IBE, \mathcal A}^{IBE\text {-}IND\text {-}CCA}}(\kappa ) \mathrel {\mathop :}= \mid \mathrm{Pr[Exp_{\mathsf{IBE}, \mathcal{A}}^{IBE\text {-}IND\text {-}CCA}(\kappa ) = 1] - 1/2\mid }$$

is negligible for any PPT adversary.

Next, we define anonymity against chosen-ciphertext attack (IBE-ANO-CCA).

Definition 5

(IBE-ANO-CCA). For any PPT adversary \(\mathcal{A}\) and the security parameter \(\kappa \in \mathrm N\), we define the experiment \(\mathrm{Exp_{\mathsf{IBE}, \mathcal{A}}^{IBE\text {-}ANO\text {-}CCA}}(\kappa )\) as follows.

  • \(\mathcal{O}_\mathsf{IBE.DEC}\): This decryption oracle takes as input \((ID, C_\mathsf{IBE}) \not \in \{(ID_0^*, C_\mathsf{IBE}^*), (ID_1^*, C_\mathsf{IBE}^*)\}\) and returns the result of \(\mathsf{IBE.Dec}(params, sk_{ID}, C_\mathsf{IBE})\) where \(sk_{ID}\leftarrow \mathsf{IBE.Extract}(params, mk, ID)\).

  • \(\mathcal{O}_\mathsf{IBE.EXTRACT}\): This extract oracle takes as input \(ID\not \in \{ID_0^*, ID_1^*\}\) and returns the corresponding secret key \(sk_{ID}\leftarrow \mathsf{IBE.Extract}(params, mk, ID)\).

We say that \(\mathsf{IBE}\) is IBE-ANO-CCA secure if the advantage

$$\mathrm{Adv_{\mathsf{IBE}, \mathcal{A}}^{IBE\text {-}ANO\text {-}CCA}}(\kappa ) \mathrel {\mathop :}= \mid \mathrm{Pr[Exp_{\mathsf{IBE}, \mathcal{A}}^{IBE\text {-}ANO\text {-}CCA}(\kappa ) = 1] - 1/2 \mid }$$

is negligible for any PPT adversary.

Next, we define unrestricted strong collision-freeness where strong means that an adversary is allowed to produce the challenge ciphertext \(C^*_\mathsf{IBE}\). This is an extension of strong collision-freeness [25]. Informally, strong collision-freeness guarantees that no adversary can produce a ciphertext whose decryption results under two decryption keys are the same, i.e., \(M_0^* = M_1^*\). In addition, in our unrestricted strong collision-freeness definition, the trapdoor oracle has no restriction as in unrestricted strong robustness [17]. Informally, unrestricted strong robustness guarantees that no adversary can produce a ciphertext whose decryption results under two decryption keys are both non-\(\bot \). Since the condition \(M_0^* = M_1^*\) is not required, our unrestricted strong collision-freeness is an intermediate notion where it is weaker than unrestricted strong robustness and is stronger than strong collision-freeness. How to construct an IBE scheme with unrestricted strong collision-freeness is explained in Sect. 5.

Definition 6

(Unrestricted Strong Collision-Freeness). For any PPT adversary \(\mathcal{A}\) and the security parameter \(\kappa \in \mathrm N\), we define the experiment \(\mathrm{Exp_\mathsf{IBE, \mathcal A}^{IBE\text {-}usCF}}(\kappa )\) as follows.

  • \(\mathcal{O}_\mathsf{IBE.EXTRACT}\): This extract oracle takes as input ID with no restriction, and returns the corresponding secret key \(sk_{ID}\leftarrow \mathsf{IBE.Extract}(params, mk, ID)\).

We say that \(\mathsf{IBE}\) is unrestricted strongly collision-free if the advantage

$$\mathrm{Adv_\mathsf{IBE, \mathcal A}^{IBE\text {-}usCF}} (\kappa )\mathrel {\mathop :}= \mathrm{Pr[Exp_\mathsf{IBE, \mathcal A}^{IBE\text {-}usCF}(\kappa ) = 1]}$$

is negligible for any PPT adversary \(\mathcal{A}\).

Next, we introduce OTS [5] as follows. Let \(\mathcal{M}_\mathsf{Sig}\) be a message space.

Definition 7

(Syntax of OTS). A OTS scheme \(\mathsf{OTS}\) consists of the following three algorithms, Sig.KeyGen, Sign and Verify:

  • \(\mathsf{Sig.KeyGen}(1^{\kappa })\): This key generation algorithm takes as an input the security parameter \(\kappa \in \mathrm N\), and returns signing/verification key pair (\(K_s\), \(K_v\)).

  • \(\mathsf{Sign}(K_s, M)\): This signing algorithm takes as inputs \(K_s\) and a message \(M\in \mathcal{M}_\mathsf{Sig}\), and returns a signature \(\sigma \).

  • \(\mathsf{Verify}(K_v, M,\sigma )\): This verification algorithm takes as input \(K_v\), M, and \(\sigma \), and returns 1 (valid) or 0 (invalid).

Correctness is defined as follows: For all (\(K_s\), \(K_v\)) \(\leftarrow \) Sig.KeyGen(\(1^\kappa \)) and all \(M \in \mathcal{M}_\mathsf{Sig}\), Verify(\(K_v, M,\sigma ) = 1\) holds, where \(\sigma \leftarrow \mathsf{Sign}(K_s, M)\).

Next, we define strong existential unforgeability against chosen message attack (sEUF-CMA) of OTS as follows.

Definition 8

(one-time sEUF-CMA). For any PPT adversary \(\mathcal{A}\) and the security parameter \(\kappa \in \mathrm N\), we define the experiment \(\mathrm{Exp_{\mathsf{OTS}, \mathcal{A}}^{one\text {-}time~sEUF\text {-}CMA}}(\kappa )\) as follows.

We say that \(\mathsf{OTS}\) is one-time sEUF-CMA secure if the advantage

$$\mathrm{Adv_{\mathsf{OTS}, \mathcal{A}}^{one\text {-}time~sEUF\text {-}CMA}}(\kappa ) \mathrel {\mathop :}= \mathrm{Pr[Exp_{\mathsf{OTS}, \mathcal{A}}^{one\text {-}time~sEUF\text {-}CMA}(\kappa ) = 1]}$$

is negligible for any PPT adversary.

3 Definitions of SCF-PEKS/PKE

In this section, we define SCF-PEKS/PKE. As in SCF-PEKS, the server and a receiver manage keys separately. A keyword \(\omega \) and a plaintext M are encrypted by the server public key, \(pk_\mathrm{S}\), and the receiver public key, \(pk_\mathrm{R}\). Although a secret key of the receiver, \(sk_\mathrm{R}\), plays the role of generating trapdoors in SCF-PEKS, we additionally require that \(sk_\mathrm{R}\) plays a role of decrypting a ciphertext. To search for an encrypted keyword, the test algorithm requires both the server secret key, \(sk_\mathrm{S}\), and the corresponding trapdoor. Let \(\mathcal{{K}}\) be the keyword space and \(\mathcal{M}\) be the message space.

Definition 9

(Syntax of SCF-PEKS/PKE). A SCF-PEKS/PKE scheme \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE}\) consists of the following six algorithms, \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.KeyGen_S}\), \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.KeyGen_R}\), \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Trapdoor}\), \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Enc}\), \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Dec}\) and \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Test}\):

  • \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.KeyGen_S}\)(\(1^{\kappa }\)): This server key generation algorithm takes as input the security parameter \(1^{\kappa }\) (\(\kappa \in \mathrm N\)), and returns a server public key \(pk_\mathrm{S}\) and a server secret key \(sk_\mathrm{S}\).

  • \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.KeyGen_R}\)(\(1^{\kappa }\)): This receiver key generation algorithm takes as input the security parameter \(1^{\kappa }\) (\(\kappa \in \mathrm N\)), and returns a receiver public key \(pk_\mathrm{R}\) and a receiver secret key \(sk_\mathrm{R}\).

  • \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Trapdoor}\)(\(pk_\mathrm{R}\), \(sk_\mathrm{R}, \omega \)): This trapdoor generation algorithm takes as input \(pk_\mathrm{R}\), \(sk_\mathrm{R}\), and a keyword \(\omega \in \mathcal{K}\), and returns a trapdoor \(t_{\omega }\) corresponding to keyword \(\omega \).

  • \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Enc}\)(\(pk_\mathrm{S}\), \(pk_\mathrm{R}\), \(\omega , M\)): This encryption algorithm takes as input \(pk_\mathrm{R}\), \(pk_\mathrm{S}\), \(\omega \), and a message M \(\in \mathcal{M}\), and returns a ciphertext \(\lambda \).

  • \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Dec}\)(\(pk_\mathrm{R}\), \(sk_\mathrm{R}\), \(\lambda \)): This decryption algorithm takes as input \(pk_\mathrm{R}\), \(sk_\mathrm{R}\), and \(\lambda \), and returns a message M or a reject symbol \(\perp \).

  • \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Test}\)(\(pk_\mathrm{S}\), \(sk_\mathrm{S}\), \(pk_\mathrm{R}\), \(t_{\omega }\), \(\lambda \)): This test algorithm takes as input \(pk_\mathrm{S}\), \(sk_\mathrm{S}\), \(pk_\mathrm{R}\), \(t_{\omega }\), and \(\lambda \), and returns 1 if \(\omega = \omega ^\prime \), where \(\omega ^\prime \) is the keyword which was used for computing \(\lambda \), and 0 otherwise.

Correctness is defined as follows: For all \((pk_\mathrm{S}, sk_\mathrm{S})\leftarrow \mathsf{SCF}\text {-}\mathsf{PEKS/PKE.KeyGen_S} (1^{\kappa })\), all \((pk_\mathrm{R}, sk_\mathrm{R})\leftarrow \mathsf{SCF}\text {-}\mathsf{PEKS/PKE.KeyGen_R}(1^\kappa )\), all \(\omega \in \mathcal{K}\) and all \(M \in \mathcal{M}\), let \(\lambda \leftarrow \mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Enc}(pk_\mathrm{S}, pk_\mathrm{R}, \omega , M)\) and \(t_{\omega } \leftarrow \mathsf{SCF}\text {-}\mathsf{PEKS/PKE.}\mathsf{Trapdoor} (pk_\mathrm{R}, sk_\mathrm{R}, \omega )\). Then

$$\begin{aligned}&\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Test}(pk_\mathrm{S}, sk_\mathrm{S}, pk_\mathrm{R}, t_{\omega }, \lambda ) = 1~\text {and}\\&\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Dec}(pk_\mathrm{R}, sk_\mathrm{R}, \lambda ) = M~\text {holds}. \end{aligned}$$

Next, we define consistency. Basically, consistency guarantees that for two trapdoors \(t_{\omega ^*}\) and \(t_{\hat{\omega }^*}\) where \(\omega ^*\ne \hat{\omega }^*\), a ciphertext of \(\omega ^*\) is not searched by \(t_{\hat{\omega }^*}\). We give two definitions. The former case, which we call weak consistency, is essentially the same as that of Chen et al. [12] where the ciphertext \(\lambda ^*\) is honestly generated. Due to the secure-channel free setting, we additionally consider the trapdoor oracle, and give \(sk_\mathrm{S}\) to the adversary.

Definition 10

(Weak Consistency). For any PPT adversary \(\mathcal{A}\) and the security parameter \(\kappa \in \mathrm N\), we define the experiment as follows.

  • : This trapdoor oracle takes as input \(\omega \) where \(\omega \not \in \{\omega ^*, \hat{\omega }^*\}\) and returns \(t_{\omega }\leftarrow \mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Trapdoor}(pk_\mathrm{R},sk_\mathrm{R},\omega )\).

We say that \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE}\) is weakly consistent if the advantage

is negligible for any PPT adversary \(\mathcal{A}\).

Next, we strengthen weak consistency, which we call strong consistency. Here, an adversary is allowed to produce the ciphertext \(\lambda ^*\). This situation is the same as those of strong robustness [2, 3] and strong collision-freeness [25]. Note that, an adversary is not allowed to obtain decryption keys for challenge identities in these models. In our model, the trapdoor oracle has no restriction, i.e., an adversary can obtain trapdoors of challenge keywords. This situation is the same as that of unrestricted strong robustness [17]. Our strong consistency captures the following situation. Owing to the secure-channel free property, an adversary can observe trapdoors. Let the adversary obtain \(t_{\omega ^*}\) and \(t_{\hat{\omega }^*}\). Moreover, assume that the adversary knows keywords \(\omega ^*\) and \(\hat{\omega }^*\) associated with \(t_{\omega ^*}\) and \(t_{\hat{\omega }^*}\), respectively. Then, the adversary may produce a ciphertext where the test algorithm decides that the ciphertext is associated with both \(\omega ^*\) and \(\hat{\omega }^*\). Strong consistency prevents this attack.

Definition 11

(Strong Consistency). For any PPT adversary \(\mathcal{A}\) and the security parameter \(\kappa \in \mathrm N\), we define the experiment as follows.

  • : This trapdoor oracle takes as input \(\omega \) with no restriction, and returns \(t_{\omega }\leftarrow \mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Trapdoor}(pk_\mathrm{R}, sk_\mathrm{R},\omega )\).

We say that \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE}\) is strongly consistent if the advantage

is negligible for any PPT adversary \(\mathcal{A}\).

Next, we define two security notions for keyword privacy, indistinguishability of keywords against chosen keyword attack with the server secret key (IND-CKA-SSK) and indistinguishability of keywords against chosen keyword attack with all trapdoors (IND-CKA-AT). In the IND-CKA-SSK definition, an adversary \(\mathcal {A}\) is modeled as the server, and thus \(sk_\mathrm{S}\) is given to \(\mathcal {A}\). If \(\mathcal {A}\) obtains trapdoors, then \(\mathcal {A}\) can run the test algorithm by itself. Thus, trapdoors of challenge keywords \((\omega _0^*,\omega ^*_1)\) are not given to \(\mathcal {A}\). Instead, \(\mathcal {A}\) is allowed to access the test oracle for \((\lambda , \omega )\notin \{(\lambda ^*,\omega _{0}^*),(\lambda ^*,\omega _{1}^*)\}\). To guarantee that no information of keyword is revealed via the decryption procedure, \(\mathcal {A}\) is allowed to access the decryption oracle with no restriction.

Definition 12

(IND-CKA-SSK). For any PPT adversary \(\mathcal{A}\) and the security parameter \(\kappa \in \mathrm N\), we define the experiment as follows.

  • : This decryption oracle takes as input \(\lambda \) with no restriction, and returns the result of \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Dec}(pk_\mathrm{R}, sk_\mathrm{R},\lambda )\). Note that \(\lambda ^*\) is also allowed as input.

  • : This trapdoor oracle takes as input \(\omega \) where \(\omega \not \in \{\omega _0^*,\omega _1^*\}\) and returns \(t_{\omega }\leftarrow \mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Trapdoor}(pk_\mathrm{R}, sk_\mathrm{R},\omega )\).

  • : This test oracle takes as input \((\lambda ,\omega )\) where \((\lambda ,\omega )\notin \{ (\lambda ^*,\omega _{0}^*), (\lambda ^*,\omega _{1}^*) \}\), computes \(t_{\omega } \leftarrow \mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Trapdoor}(pk_\mathrm{R}, sk_\mathrm{R},\omega )\), and returns the result of \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Test}(pk_\mathrm{S}, sk_\mathrm{S}, pk_\mathrm{R},t_{\omega }, \lambda )\).

We say that a SCF-PEKS/PKE scheme \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE}\) is IND-CKA-SSK secure if the advantage

is negligible for any PPT adversary \(\mathcal{A}\).

Next, we define IND-CKA-AT. In the IND-CKA-AT definition, an adversary \(\mathcal {A}\) is modeled as a receiver. Thus, \(sk_\mathrm{R}\) is given to \(\mathcal {A}\). Then, \(\mathcal {A}\) can generate trapdoors for all keywords. Since \(\mathcal {A}\) does not have \(sk_\mathrm{S}\), \(\mathcal {A}\) is not allowed to run the test algorithm. Thus, \(\mathcal {A}\) is allowed to access the test oracle for \((\lambda ,\omega )\notin \{ (\lambda ^*,\omega _{0}^*), (\lambda ^*,\omega _{1}^*) \}\). To guarantee that no information of keyword is revealed via the decryption procedure, \(\mathcal {A}\) is allowed to access the decryption oracle with no restriction.

Definition 13

(IND-CKA-AT). For any PPT adversary \(\mathcal{A}\) and the security parameter \(\kappa \in \mathrm N\), we define the experiment as follows.

  • : This decryption oracle takes as input \(\lambda \) with no restriction, and returns the result of \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Dec}(pk_\mathrm{R}, sk_\mathrm{R},\lambda )\). Note that \(\lambda ^*\) is also allowed as input.

  • : This test oracle takes as input \((\lambda ,\omega )\notin \{ (\lambda ^*,\omega _{0}^*), (\lambda ^*,\omega _{1}^*) \}\), computes \(t_{\omega } \leftarrow \mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Trapdoor}(pk_\mathrm{R}, sk_\mathrm{R},\omega )\), and returns the result of \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Test}(pk_\mathrm{S}, sk_\mathrm{S}, pk_\mathrm{R}, t_{\omega }, \lambda )\).

We say that a SCF-PEKS/PKE scheme \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE}\) is IND-CKA-AT secure if the advantage

is negligible for any PPT adversary \(\mathcal{A}\).

Next, we define the data privacy for SCF-PEKS/PKE under chosen ciphertext attack with the server secret key and all trapdoors (IND-CCA-SSK/AT) as follows. To guarantee that the server does not obtain any information of plaintext, the adversary \(\mathcal {A}\) is given \(sk_\mathrm{S}\). Moreover, to guarantee that no information of plaintext is revealed via the test procedure, \(\mathcal {A}\) is allowed to access the trapdoor oracle with no restriction.

Definition 14

(IND-CCA-SSK/AT). For any PPT adversary \(\mathcal{A}\) and the security parameter \(\kappa \in \mathrm N\), we define the experiment as follows.

  • : This decryption oracle takes as input a ciphertext \(\lambda \ne \lambda ^*\), and returns the result of \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Dec}(pk_\mathrm{R},sk_\mathrm{R},\lambda )\).

  • : This trapdoor oracle takes as input \(\omega \) with no restriction, and returns \(t_{\omega }\leftarrow \mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Trapdoor}(pk_\mathrm{R}, sk_\mathrm{R},\omega )\). Note that \(\omega ^*\) is also allowed as input.

We say that a SCF-PEKS/PKE scheme \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE}\) is IND-CCA-SSK/AT secure if the advantage

is negligible for any PPT adversary \(\mathcal{A}\).

4 Generic Construction of SCF-PEKS/PKE

In this section, we propose a generic construction of SCF-PEKS/PKE. We construct SCF-PEKS/PKE from IBE = (IBE.Setup, IBE.Extract, IBE.Enc, IBE.Dec), TBE = (TBE.KeyGen, TBE.Enc, TBE.Dec), and OTS = (Sig.KeyGen, Sign, Verify). Our construction can be seen as an extension of a generic construction of PEKS (from anonymous IBE proposed by Abdalla et al. [1]) and a generic construction of SCF-PEKS (from anonymous IBE, TBE, and OTS proposed by Emura et al. [14]).

The Abdalla et al. construction is briefly explained as follows. A receiver has the master key mk as its secret key \(sk_\mathrm{R}^\mathsf{IBE}\). A keyword \(\omega \) is regarded as an identity, i.e., \(\mathcal{K}\) is set to \(\mathcal{ID}\), and is encrypted as follows. First, a random plaintext \(R\in \mathcal{M}_\mathsf{IBE}\) is chosen, and next R is encrypted by IBE such that \(C_\mathsf{IBE}\leftarrow \mathsf{IBE.Enc}(params, \omega ,R)\). Then, the PEKS ciphertext is \((C_\mathsf{IBE},R)\). A trapdoor \(t_\omega \) is the decryption key \(sk_{\omega }\leftarrow \mathsf{IBE.Extract}(params, sk_\mathrm{R}^\mathsf{IBE}, \omega )\). The test algorithm outputs 1 if \(\mathsf{IBE.Dec}(params,t_{\omega }, C_\mathsf{IBE})=R\) holds. Since the underlying IBE is required to be anonymous, no information of \(\omega \) is revealed from \(C_\mathsf{IBE}\).

By additionally employing TBE and OTS, Emura et al. [14] added the secure-channel free property to the Abdalla et al. construction. In their construction, the server manages a key pair of TBE \((pk_\mathrm{S}^\mathsf{TBE},sk_\mathrm{S}^\mathsf{TBE})\). A random plaintext \(R\in \mathcal{M}_\mathsf{IBE}\) is encrypted by IBE, and the IBE ciphertext is encrypted by TBE such that \(C_\mathsf{TBE}\leftarrow \mathsf{TBE.Enc}(pk_\mathrm{S}^\mathsf{TBE},H_{tag}(K_v),C_\mathsf{IBE})\), where the verification key \(K_v\) is regarded as the tag and \(H_{tag}: \{0,1\}^{*}\rightarrow \mathcal{TAG}\) is a target collision-resistant (TCR) hash function. Finally, a signature is computed such that \(\sigma \leftarrow \mathsf{Sign}(K_s,(C_\mathsf{TBE},R))\). The SCF-PEKS ciphertext is \((C_\mathsf{TBE},K_v,\sigma )\). The test algorithm first decrypts \(C_\mathsf{TBE}\) using \(sk_\mathrm{S}^\mathsf{TBE}\), next it decrypts its decryption result using a trapdoor, and then obtains R. The test algorithm outputs 1 if \(\sigma \) is valid on \((C_\mathsf{TBE},R)\). Owing to the double encryption, both \(sk_\mathrm{S}^\mathsf{TBE}\) and \(t_\omega \) are required to run the test algorithm. It is particularly worth noting that the random plaintext R is NOT contained in the ciphertext. Emura et al. mentioned that even if R is contained in a ciphertext, it does not affect the security, and the reason for removing R is to reduce the ciphertext size.

High-Level Description of Our Construction: To integrate SCF-PEKS and PKE, the receiver additionally manages a key pair of TBE \((pk_\mathrm{R}^\mathsf{TBE},sk_\mathrm{R}^\mathsf{TBE})\). Since the Emura et al. construction above can be seen as “tag-based” SCF-PEKS, a plaintext \(M\in \mathcal{M}_\mathsf{TBE}\) is encrypted by \(pk_\mathrm{R}^\mathsf{TBE}\) with the same tag \(H_{tag}(K_v)\) such that

$$\begin{aligned}&C_{\mathsf{TBE},\mathrm{S}}\leftarrow \mathsf{TBE.Enc}(pk_\mathrm{S}^\mathsf{TBE},H_{tag}(K_v),C_\mathsf{IBE})~\text {and}\\&C_{\mathsf{TBE},\mathrm{R}}\leftarrow \mathsf{TBE.Enc}(pk_\mathrm{R}^\mathsf{TBE},H_{tag}(K_v),M) \end{aligned}$$

Here, for the sake of clarity, we use subscript \(\mathrm{S}\) for ciphertexts encrypted by the server public key \(pk_\mathrm{S}^\mathsf{TBE}\), and use subscript \(\mathrm{R}\) for ciphertexts encrypted by the receiver public key \(pk_\mathrm{R}^\mathsf{TBE}\). The sender computes the OTS \(\sigma \) on \((C_{\mathsf{TBE},\mathrm{S}},C_{\mathsf{TBE},\mathrm{R}},R)\). An SCF-PEKS/PKE ciphertext is described as \(\lambda =(C_{\mathsf{TBE},\mathrm{S}},C_{\mathsf{TBE},\mathrm{R}},K_v,\sigma ,R)\). It is particularly worth noting that the random plaintext R is contained in the ciphertext unlike in the Emura et al. construction. The ciphertext now provides public verifiability since anyone can verify \(\sigma \). Since the decryption algorithm needs to verify \(\sigma \), this public verifiability is necessary.

The construction basically works well since TBE+OTS yields CCA-secure PKE [24]. The main difficulty to be handled is explained as follows. Let \(\lambda ^*=(C_{\mathsf{TBE},\mathrm{S}}^*,C_{\mathsf{TBE},\mathrm{R}}^*,K^*_v,\sigma ^*,R^*)\) be the challenge ciphertext in the IND-CKA-SSK game. Now we consider how to reduce the IND-CKA-SSK security to the IBE-ANO-CCA security. Since the adversary \(\mathcal {A}\) has \(sk_\mathrm{S}^\mathsf{TBE}\), \(\mathcal {A}\) can decrypt \(C_{\mathsf{TBE},\mathrm{S}}^*\). Let \(C_{\mathsf{IBE}}^*\) be the decryption result. Then, \(\mathcal {A}\) can compute a valid ciphertext \(\lambda \ne \lambda ^*\) such that (1) \((K_s,K_v)\) is chosen by \(\mathcal {A}\) with the condition \(K_v\ne K^*_v\), (2) \(C_{\mathsf{IBE}}^*\) is re-encrypted with the tag \(H_{tag}(K_v)\) such that \(C_{\mathsf{TBE},\mathrm{S}}\leftarrow \mathsf{TBE.Enc}(pk_\mathrm{S}^\mathsf{TBE},H_{tag}(K_v), C^*_\mathsf{IBE})\), (3) \(C_{\mathsf{TBE},\mathrm{R}}\leftarrow \mathsf{TBE.Enc}(pk_\mathrm{R}^\mathsf{TBE},H_{tag}(K_v),M)\) is computed with arbitrary M, (4) \(\sigma \leftarrow \mathsf{Sign}(K_s,(C_{\mathsf{TBE},\mathrm{S}},C_{\mathsf{TBE},\mathrm{R}},R^*))\) is computed, and (5) \(\lambda =(C_{\mathsf{TBE},\mathrm{S}}, C_{\mathsf{TBE},\mathrm{R}},K_v,\sigma ,R^*)\) is sent to the test oracle with \(\omega \in \{\omega ^*_0,\omega ^*_1\}\). Although the reduction algorithm obtains \(C_{\mathsf{IBE}}^*\), the algorithm cannot send the challenge ciphertext \(C_{\mathsf{IBE}}^*\) with either \(\omega _0^*\) or \(\omega ^*_1\) to the decryption oracle of IBE. Thus, the security proof fails. To protect against this re-encryption attack, we modify the plaintext of \(C_{\mathsf{IBE}}\) as

$$ C_\mathsf{IBE}\leftarrow \mathsf{IBE.Enc}(params, \omega ,R)~\text {with}~R=H_{ibe}(K_v) $$

where \(H_{ibe}:\{0,1\}^*\rightarrow \mathcal{M}_\mathsf{IBE}\) is a TCR hash function, and the test algorithm checks whether or not \(R=H_{ibe}(K_v)\). This structure prevents the adversary from employing different \(K_v\) and thus, if \(C_{\mathsf{IBE}}^*\) appears as above, then \(K_v=K^*_v\) must hold unless the TCR property is broken. Since this situation contradicts sEUF-CMA security, our simulation works well. Since R can be computed from \(K_v\), we can now remove R from \(\lambda \) without losing public verifiability, and an SCF-PEKS/PKE ciphertext is described as \(\lambda =(C_{\mathsf{TBE},\mathrm{S}},C_{\mathsf{TBE},\mathrm{R}},K_v,\sigma )\).

We give our construction as follows. Assume that \(\mathcal{C}_\mathsf{IBE}\subseteq \mathcal{M}_\mathsf{TBE}\) and \(\mathcal{C}_\mathsf{TBE}\times \mathcal{C}_\mathsf{TBE}\times \mathcal{M}_\mathsf{IBE}\subseteq \mathcal{M}_\mathsf{Sig}\), where \(\mathcal{C}_\mathsf{IBE}\) and \(\mathcal{M}_\mathsf{IBE}\) are a ciphertext space and plaintext space of IBE respectively, \(\mathcal{M}_\mathsf{TBE}\) is a plaintext space of TBE, and \(\mathcal{M}_\mathsf{Sig}\) is a message space of OTS.

The Proposed Construction

  • \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.KeyGen_S}(1^{\kappa })\): Run (\(pk_\mathrm{S}^\mathsf{TBE}, sk_\mathrm{S}^\mathsf{TBE})\leftarrow \mathsf{TBE.KeyGen}(1^{\kappa })\). Output \(pk_\mathrm{S} = pk_\mathrm{S}^\mathsf{TBE}\) and \(sk_\mathrm{S} = sk_\mathrm{S}^\mathsf{TBE}\).

  • \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.KeyGen_R}(1^{\kappa })\): Run (\(pk_\mathrm{R}^\mathsf{IBE}, sk_\mathrm{R}^\mathsf{IBE})\leftarrow \mathsf{IBE.Setup}(1^{\kappa })\) and (\(pk_\mathrm{R}^\mathsf{TBE}, sk_\mathrm{R}^\mathsf{TBE})\leftarrow \mathsf{TBE.KeyGen}(1^{\kappa })\). Output \(pk_\mathrm{R} = (pk_\mathrm{R}^\mathsf{IBE},pk_\mathrm{R}^\mathsf{TBE})\) and \(sk_\mathrm{R} = (sk_\mathrm{R}^\mathsf{IBE}, sk_\mathrm{R}^\mathsf{TBE})\). We assume that TCR hash functions \(H_{tag}: \{0,1\}^{*}\rightarrow \mathcal{TAG}\) and \(H_{ibe}:\{0,1\}^*\rightarrow \mathcal{M}_\mathsf{IBE}\) are contained in \(pk_\mathrm{R}\).

  • \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Trapdoor}(pk_\mathrm{R}, sk_\mathrm{R}, \omega )\): Parse \(pk_\mathrm{R} = (pk_\mathrm{R}^\mathsf{IBE},pk_\mathrm{R}^\mathsf{TBE})\) and \(sk_\mathrm{R} = (sk_\mathrm{R}^\mathsf{IBE},sk_\mathrm{R}^\mathsf{TBE})\). Run \(sk_{\omega }\leftarrow \mathsf{IBE.Extract}(pk_\mathrm{R}^\mathsf{IBE},sk_\mathrm{R}^\mathsf{IBE}, \omega )\) and output \(t_{\omega }=sk_{\omega }\).

  • \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Enc}(pk_\mathrm{S},pk_\mathrm{R},\omega ,M)\): Parse \(pk_\mathrm{S} = pk_\mathrm{S}^\mathsf{TBE}\) and \(pk_\mathrm{R} = (pk_\mathrm{R}^\mathsf{IBE}, pk_\mathrm{R}^\mathsf{TBE})\). Run \((K_s, K_v)\leftarrow \mathsf{Sig.KeyGen}(1^{\kappa })\) and compute \(t = H_{tag}(K_v)\) and \(R=H_{ibe}(K_v)\). Run \(C_\mathsf{IBE}\leftarrow \mathsf{IBE.Enc}(pk_\mathrm{R}^\mathsf{IBE},\omega , R)\). Compute \(C_{\mathsf{TBE},\mathrm{S}}\leftarrow \mathsf{TBE.Enc}(pk_\mathrm{S}^\mathsf{TBE},t,C_\mathsf{IBE})\), \(C_{\mathsf{TBE},\mathrm{R}}\leftarrow \mathsf{TBE.Enc}(pk_\mathrm{R}^\mathsf{TBE},t,M)\), and \(\sigma \leftarrow \mathsf{Sign}(K_s, (C_{\mathsf{TBE},\mathrm{S}},C_{\mathsf{TBE},\mathrm{R}},R))\), and output \(\lambda = (C_{\mathsf{TBE},\mathrm{S}},C_{\mathsf{TBE},\mathrm{R}},K_v,\sigma )\).

  • \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Dec}(pk_\mathrm{R}, sk_\mathrm{R},\lambda )\): Parse \(pk_\mathrm{R} = (pk_\mathrm{R}^\mathsf{IBE},pk_\mathrm{R}^\mathsf{TBE})\), \(sk_\mathrm{R} = (sk_\mathrm{R}^\mathsf{IBE}, sk_\mathrm{R}^\mathsf{TBE})\) and \(\lambda = (C_{\mathsf{TBE},\mathrm{S}},C_{\mathsf{TBE},\mathrm{R}}, K_v,\sigma )\). Compute \(R=H_{ibe}(K_v)\). If \(\mathsf{Verify}(K_v,(C_{\mathsf{TBE},\mathrm{S}},C_{\mathsf{TBE},\mathrm{R}},R),\sigma ) = 0\), then output \(\bot \). Otherwise, compute \(t = H_{tag}(K_v)\) and output \(M\leftarrow \mathsf{TBE.Dec}(pk_\mathrm{R}^\mathsf{TBE},sk_\mathrm{R}^\mathsf{TBE},t,C_{\mathsf{TBE},\mathrm{R}})\).

  • \(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE.Test}(pk_\mathrm{S}, sk_\mathrm{S}, pk_\mathrm{R},t_{\omega }, \lambda )\): Parse \(pk_\mathrm{S} = pk_\mathrm{S}^\mathsf{TBE}\), \(sk_\mathrm{S} = sk_\mathrm{S}^\mathsf{TBE}\), \(pk_\mathrm{R} = (pk_\mathrm{R}^\mathsf{IBE},pk_\mathrm{R}^\mathsf{TBE})\), and \(\lambda = (C_{\mathsf{TBE},\mathrm{S}},C_{\mathsf{TBE},\mathrm{R}},K_v,\sigma )\). Compute \(t = H_{tag}(K_v)\), and run \(C^{\prime }_\mathsf{IBE}\leftarrow \mathsf{TBE.Dec}(pk_\mathrm{S}^\mathsf{TBE},sk_\mathrm{S}^\mathsf{TBE},t,C_{\mathsf{TBE},\mathrm{S}})\) and \(R^\prime \leftarrow \mathsf{IBE.Dec}(pk_\mathrm{R}^\mathsf{IBE}, t_{\omega },C^{\prime }_\mathsf{IBE})\). Output 1 if \(R^\prime =H_{ibe}(K_v)\) and \(\mathsf{Verify}(K_v,(C_{\mathsf{TBE},\mathrm{S}}, C_{\mathsf{TBE},\mathrm{R}}, R^\prime ),\sigma ) = 1\) hold, and 0 otherwise.
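The following added example (not code from the paper) traces Enc and Test and shows the re-encryption steps (1)-(5) passing a Test without the \(R^\prime =H_{ibe}(K_v)\) check and failing the Test above. Assumptions: IBE and TBE are replaced by a toy symmetric XOR cipher in which public and secret keys coincide (so it models data flow only, not security or anonymity), OTS is a Lamport signature, SHA-256 plays \(H_{tag}\) and \(H_{ibe}\), and all function names are hypothetical; Dec is omitted.

```python
import hashlib, os

def H(*parts):  # SHA-256 over length-prefixed parts; first part is a domain label
    return hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()

def xor_stream(key, data):  # TOY symmetric cipher, no security: stands in for IBE and TBE
    pad = b"".join(H(key, i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, pad))

def tbe(key, tag, data):  # toy TBE; Enc and Dec coincide, and pk = sk = key
    return xor_stream(H(b"tbe", key, tag), data)
def extract(mk, w):  # toy IBE.Extract: trapdoor t_w for keyword w
    return H(b"ibe-key", mk, w)

def ots_keygen():  # Lamport one-time signature over SHA-256: returns (K_s, K_v)
    ks = [os.urandom(32) for _ in range(512)]
    return ks, b"".join(hashlib.sha256(x).digest() for x in ks)
def ots_sign(ks, msg):
    d = int.from_bytes(H(msg), "big")
    return b"".join(ks[2 * i + (d >> i & 1)] for i in range(256))
def ots_verify(kv, msg, sig):
    d = int.from_bytes(H(msg), "big")
    return len(sig) == 8192 and all(
        hashlib.sha256(sig[32 * i:32 * i + 32]).digest()
        == kv[32 * (2 * i + (d >> i & 1)):][:32] for i in range(256))

def enc(k_s, mk, k_r, w, M):  # SCF-PEKS/PKE.Enc with t = H_tag(K_v), R = H_ibe(K_v)
    ks, kv = ots_keygen()
    t, R = H(b"tag", kv), H(b"Hibe", kv)
    c_s = tbe(k_s, t, xor_stream(extract(mk, w), R))
    c_r = tbe(k_r, t, M)
    return c_s, c_r, kv, ots_sign(ks, H(c_s, c_r, R))

def peks_test(k_s, t_w, lam, bind=True):  # bind=False: Test without the R' = H_ibe(K_v) check
    c_s, c_r, kv, sig = lam
    R2 = xor_stream(t_w, tbe(k_s, H(b"tag", kv), c_s))
    return (not bind or R2 == H(b"Hibe", kv)) and ots_verify(kv, H(c_s, c_r, R2), sig)

def reencrypt(k_s, k_r, lam):  # steps (1)-(5) of the text, as run by the server
    c_s, c_r, kv, _ = lam
    c_ibe = tbe(k_s, H(b"tag", kv), c_s)
    ks2, kv2 = ots_keygen()
    t2 = H(b"tag", kv2)
    c_s2, c_r2 = tbe(k_s, t2, c_ibe), tbe(k_r, t2, b"arbitrary M")
    return c_s2, c_r2, kv2, ots_sign(ks2, H(c_s2, c_r2, H(b"Hibe", kv)))

def demo(k_s=b"S" * 16, mk=b"M" * 16, k_r=b"R" * 16):  # constructed keys and keyword
    lam = enc(k_s, mk, k_r, b"urgent", b"mail body")
    t_w, f = extract(mk, b"urgent"), reencrypt(k_s, k_r, lam)
    return peks_test(k_s, t_w, lam), peks_test(k_s, t_w, f, False), peks_test(k_s, t_w, f)
```

`demo()` returns the Test result for the honest ciphertext, for the re-encrypted ciphertext without the \(H_{ibe}\) check, and for the re-encrypted ciphertext with the check, in that order.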

Obviously, correctness holds if TBE, IBE, and OTS are correct. Due to the page limitation, we omit the security proofs of the following theorems. We will show the details of the proofs in the full version of this paper.

Theorem 1

\(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE}\) is weakly consistent if IBE is IBE-IND-CPA secure.

Theorem 2

\(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE}\) is strongly consistent if IBE is unrestricted strong collision-free.

Theorem 3

\(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE}\) is IND-CKA-SSK secure if IBE is IBE-ANO-CCA secure, OTS is one-time sEUF-CMA secure, and \(H_{ibe}\) is a TCR hash function.

Theorem 4

\(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE}\) is IND-CKA-AT secure if TBE is IND-stag-CCA secure, OTS is one-time sEUF-CMA secure, and \(H_{tag}\) is a TCR hash function.

Theorem 5

\(\mathsf{SCF}\text {-}\mathsf{PEKS/PKE}\) is IND-CCA-SSK/AT secure if TBE is IND-stag-CCA secure, OTS is one-time sUF-CMA secure, and \(H_{tag}\) is a TCR hash function.

5 Instantiation of Our Generic Construction

For TBE, we can simply employ the Kiltz TBE scheme [24], and for the OTS, we can employ any sEUF-CMA secure OTS scheme, e.g., the Wee OTS scheme [29]. We explain how to construct an IBE scheme that matches our requirements, i.e., with unrestricted strong collision-freeness, which is defined in this paper, and with IBE-ANO-CCA security. To the best of our knowledge, the strongest notion among several robustnesses and collision-freenesses is complete robustness defined by Farshim et al. [17]. They showed that complete robustness implies unrestricted strong robustness. Since unrestricted strong collision-freeness is implied by unrestricted strong robustness, it is enough to construct an IBE scheme with complete robustness for our purpose. Farshim et al. also showed that the transformation from weakly robust IBE (and commitment with the standard hiding and binding properties) to strongly robust IBE, proposed by Abdalla et al. [2, 3], is already powerful enough to construct completely robust IBE (Footnote 4). Moreover, Abdalla et al. also proposed a transformation from IBE to weakly robust IBE. Since these transformations preserve the anonymity and CCA security of the underlying IBE scheme, we can construct an IBE-ANO-CCA secure IBE scheme with unrestricted strong collision-freeness by applying the two Abdalla et al. transformations (from normal to weakly robust, and from weakly robust to strongly robust).

We have three candidates as the underlying IBE scheme (Footnote 5). One candidate is the Gentry IBE scheme [19], which is IBE-ANO-CCA secure in the standard model. As another standard model construction, we can employ a variant of the Boyen-Waters IBE scheme [8] that uses the CHK transform to achieve IBE-ANO-CCA security. Although Abdalla et al. [2, 3] mentioned that these schemes are not robust, we can add the unrestricted strong collision-freeness property to them via the Abdalla et al. transformations. The other candidate is the CCA-version of the Boneh-Franklin IBE scheme [7], which is IBE-ANO-CCA secure in the random oracle model. The scheme is also known to provide strong robustness. However, it is not clear whether the scheme provides unrestricted strong collision-freeness. Thus, we need to properly employ the Abdalla et al. transformation.

Since unrestricted strong collision-freeness is weaker than complete robustness, employing the two Abdalla et al. transformations as above may be somewhat excessive. Thus, directly and simply constructing an IBE-ANO-CCA secure IBE scheme with unrestricted strong collision-freeness is left as an interesting open problem.