Abstract
Searchable encryption is an important cryptographic primitive that enables privacy-preserving keyword search on encrypted electronic medical records (EMRs) in cloud storage. Efficiency of such searchable encryption in a medical cloud storage system is very crucial as it involves client platforms such as smartphones or tablets that only have constrained computing power and resources. In this paper, we propose an efficient secure-channel free public key encryption with keyword search (SCF-PEKS) scheme that is proven secure in the standard model. We show that our SCF-PEKS scheme is not only secure against chosen keyword and ciphertext attacks (IND-SCF-CKCA), but also secure against keyword guessing attacks (IND-KGA). Furthermore, our proposed scheme is more efficient than other recent SCF-PEKS schemes in the literature.
Similar content being viewed by others
Avoid common mistakes on your manuscript.
Introduction
With the increasing popularity of adopting cloud technologies, many health care providers tend to store electronic medical records (EMRs) in cloud storage [10–13, 18, 14]. Health care practitioners can enjoy the benefit of accessing medical records from anywhere with internet connection. To protect privacy of the data, health care practitioners may need to encrypt their data before storing in cloud storage. There should be a mechanism for them to search on the encrypted data without compromising the privacy of patients [9]. In 2004, Boneh et al. [4] introduced the notion of public key encryption with keyword search (PEKS). A PEKS allows one to perform encrypted keyword search on ciphertexts without revealing the original message. This notion has many useful applications, for example, email routing [3, 4], cloud storage [22], electronic health record systems [31, 32], etc.
A PEKS scheme requires a secure channel to transmit a trapdoor from a receiver to a server. Otherwise, an attacker may easily identify which encrypted messages are related to the given trapdoor. Baek et al. [5] solved the secure channel problem by proposing a secure-channel free PEKS (SCF-PEKS) which encrypts keyword with both server’s and receiver’s public keys. This ensures that only a designated server can perform the search and prevents other party that is without server’s private key from determining the relation between keyword ciphertexts and trapdoors. An SCF-PEKS scheme is also known as a PEKS scheme with a designated tester (dPEKS) [27–30]. Baek et al.’s SCF-PEKS scheme [5] is proven secure in the random oracle model. Fang et al. [19] later proposed an SCF-PEKS scheme which is secure in the standard model.
The problem of off-line keyword guessing attacks (KGA) was first addressed by Byun et al. [7]. Subsequently, Yau et al. [35] also showed KGA on Baek et al.’s SCF-PEKS scheme [5]. This attack works as the keyword space of keywords used in PEKS and SCF-PEKS schemes are small. Attackers exploit this weakness by exhaustively guessing some candidate keywords and check whether their guesses are correct or not. Rhee et al. [28] enhanced the security model of [5] as well as proposed the concept of trapdoor indistinguishability. They showed that trapdoor indistinguishability is a sufficient condition for ensuring the security against off-line keyword guessing attacks.
Emura et al. [15, 16] showed a generic construction of adaptive SCF-PEKS from anonymous identity-based encryption (IBE) . Subsequently, Emura and Rahman extended the work in [15] and constructed a more efficient adaptive SCF-PEKS using IBE with partitioned ciphertext structure [16, 17]. However, the schemes proposed in [15–17] are not secure against keyword guessing attacks. Rhee et al. [29] also proposed two generic transformations to construct an SCF-PEKS scheme using two IBE schemes that are either combined in parallel or in sequence. Very recently, Fang et al. [20] proposed the strongest model in SCF-PEKS that is secure against chosen keyword and ciphertext attack (IND-SCF-CKCA) and against keyword guessing attack (IND-KGA). At the same time, they constructed an SCF-PEKS scheme which is proven secure in the standard model. The construction of Fang et al.’s SCF-PEKS scheme [20] is based on Gentry’s IBE scheme [21]. They used the method of identity’s construction in Waters’s IBE scheme [34] in order to achieve KGA resiliency. They also include the test query in their security model which makes it stronger than other SCF-PEKS’s security model in the literature. To secure against this security model, they applied strongly unforgeable one-time signatures on the ciphertext elements of their SCF-PEKS scheme.
Our contributions
In this paper, we propose a very efficient SCF-PEKS scheme that is secure against chosen keyword and ciphertext attack (IND-SCF-CKCA) and against off-line keyword guessing attacks (IND-KGA) without random oracles. Fang et al.’s SCF-PEKS scheme [20] applied strongly unforgeable one-time signature to secure against IND-SCF-CKCA. However, our proposed SCF-PEKS scheme uses the technique of [23] to resist the same attack but requires less computation overhead as well as shorter ciphertext length as compared to the SCF-PEKS scheme of [20]. The main technique used by Fang et al. [20] to resist off-line keyword guessing attacks (IND-KGA) is to use Waters’s hash function [34] to construct user’s key that protects the anonymity of keyword in the trapdoor. This, however, results large key size for user’s public and private keys. In contrast, we adopt the method of generating randomness for trapdoor to achieve IND-KGA secure as well as greatly reduce the key size of the proposed SCF-PEKS scheme. In terms of security proof, Fang et al.’s security proof [20] depends on a stronger q-ABDHE assumption which is related to the number of private key generation queries made by the adversary. While, the security proof of our proposed SCF-PEKS scheme is based on a weaker QDBDH assumption which does not has this constraint. This paper answers in the affirmative the question posed by Fang et al. [20] on how to construct a more efficient SCF-PEKS scheme without random oracles. Our proposed efficient and secure SCF-PEKS scheme is suitable to be used in medical cloud storage to protect the privacy of patients’ medical records.
Paper organization
The rest of this paper is organized as follows: Section “Preliminaries” reviews the definitions related to our proposed SCF-PEKS scheme, including the definitions of bilinear maps, and the underlying assumptions. Section “Secure-channel free public key encryption with keyword search (SCF-PEKS)” reviews the definition and security model of SCF-PEKS. Section “Proposed efficient SCF-PEKS scheme” presents our proposed SCF-PEKS scheme and gives the security proof in the standard model. Section “Application of SCF-PEKS for EMRs in medical cloud storage” describes the application of SCF-PEKS for EMRs in medical cloud storage. We conclude the paper in Section “Conclusion”.
Preliminaries
We first present some notations used throughout this paper. For a prime p, let \(\mathbb {Z}_{p}\) denote the set {0, 1, ⋯ , p−1}, and \(\mathbb {Z}_{p}^{*}\) denote \(\mathbb {Z}_{p}\backslash \{0\}\). For a finite set S, x ∈ R S means choosing an element x from S with a uniform distribution.
Bilinear forms
We write 𝔾1 = 〈g〉 to denote that g generates the group 𝔾1. Let GlobalSetup be an algorithm that, on input the security parameters k, outputs the parameters for a bilinear map as (p, g, 𝔾1, 𝔾2, e), where 𝔾1, 𝔾2 have prime order p and 〈g〉 = 𝔾1. The efficient mapping e : 𝔾1 × 𝔾1 → 𝔾2 is bilinear for all g ∈ 𝔾1 and a, b ∈ ℤ p , e(g a, g b) = e(g, g)ab; and non-degenerate, if g generates 𝔾1, then e(g, g) ≠ 1.
Complexity assumption
Definition 1
(Quotient Decisional Bilinear Diffie-Hellman (QDBDH) [2]) Let GlobalSetup(1k) → (p, g, 𝔾1, 𝔾2, e), where 〈g〉 = 𝔾1. For all PPT adversaries 𝓐, the following probability is strictly less than 1/2 + 1/p o l y(k) where p o l y(k) represents any polynomial function in k:
Definition 2
(Decisional Bilinear Diffie-Hellman (DBDH) Assumption) Let e : 𝔾1 × 𝔾1 → 𝔾2 be a bilinear map. We define the advantage function
of an adversary 𝓐 as
where \(a,b,c\in \mathbb {Z}_{p}^{*}\), \(Q\in \mathbb {G}_{2}^{*}\) are randomly chosen. We say that the decisional bilinear Diffie Hellman assumption holds if \(Adv_{\mathbb {G}_{1}, \mathcal {A}}^{DBDH}(1^{k})\) is negligible for all probabilistic polynomial time (PPT) adversaries 𝓐.
Definition 3
(Hash Diffie-Hellman (HDH) Problem [1]) Let hLen be in ℕ and H : {0, 1}∗ → {0, 1}hLen be a hash function. The HDH problem in 𝔾 is defined as follows: given (g, g a, g b, H(g c)) ∈ 𝔾3 × {0, 1}hLen and H : {0, 1}∗ → {0, 1}hLen as inputs, outputs “yes” if a⋅b = c and “no” otherwise. An algorithm 𝓐 that outputs b′ ∈ {0, 1} has an advantage 𝜖 in solving the HDH problem in 𝔾 if
where the probability is taken over the random choice of g ∈ 𝔾, the random choice of η ← {0, 1}hLen, the random bits of 𝓐. We say that the HDH assumption holds in 𝔾 if no t-time algorithm has an advantage at least 𝜖 in solving the HDH problem in 𝔾.
Secure-channel free public key encryption with keyword search (SCF-PEKS)
In this section, we review the definition and security model of SCF-PEKS as defined in [20].
Definition of SCF-PEKS
Definition 4
(SCF-PEKS) A secure-channel free public key encryption with keyword search scheme consists of the following algorithms:
-
GlobalSetup(1k): The algorithm inputs a security parameter k and outputs the global parameters params, which includes a description of keyword space \(\mathcal {KS}\).
-
(params): Given the global parameters params, the key generation algorithm outputs a public/private key pair (p k R , s k R ) of a receiver R.
-
(params): Given the global parameters params, the key generation algorithm outputs a public/private key pair (p k s , s k s ) of a server S.
-
(p a r a m s, p k R , p k s , w): On input the global parameters params, a receiver R’s public key p k R , a server’s public key p k s , a keyword \(w\in \mathcal {KS}\), outputs a keyword ciphertext CT of w.
-
dTrapdoor(p a r a m s, s k R , p k s , w): Given the global parameters params, a receiver R’s private key s k R , a server’s public key p k s and a keyword \(w\in \mathcal {KS}\), the trapdoor generation algorithm dTrapdoor outputs a trapdoor T w of the keyword w corresponding to the receiver R. This algorithm is performed by the private key’s owner, who will send the trapdoor to the server. Our scheme does not use secure channel when the user transmits the trapdoor to the server.
-
dTest(p a r a m s, C T, s k s , p k R , T w ): Given the global parameters params, a server’s private key s k s , a receiver’s public key p k R , a trapdoor T w , and a PEKS ciphertext C T = (p a r a m s, p k s , p k R , w′), the test algorithm dTest outputs “yes” if w = w′ or “no” otherwise.
Correctness
For all (p k R , s k R ) output by and (p k s , s k s ) output by , the following equation holds for a correctly generated SCF-PEKS ciphertext associated with keyword w:
Consistency
Suppose there exists an adversary 𝓐 that wants to make consistency fail. The consistency is formally defined as follows [19]:
We define the advantage of 𝓐 as:
The scheme is said to be computationally consistent if it is negligible for polynomial time adversaries 𝓐 to win the above experiment.
Security model of SCF-PEKS
In an SCF-PEKS scheme, we consider two types of adversary, namely, a malicious server and a malicious user. A malicious server should not be able to distinguish which keyword corresponds to a given keyword ciphertext without the trapdoor from a receiver. A malicious user (including the receiver) should not be able to distinguish which keyword corresponds to a target ciphertext without the server’s private key even s/he has the trapdoor of the keyword. We review the security model as defined in [20].
Definition 5
(IND-SCF-CKCA game) Let k be the security parameter and \(\mathcal {A}_{i}~(i=1,2)\) be the adversary. We consider the following two games between the adversary \(\mathcal {A}_{i}~(i=1,2)\) and the challenger ℬ.
-
Game Server : 𝓐1 is assumed to be a malicious server.
-
Setup. ℬ generates public parameters and gives 𝓐1. ℬ also runs (p a r a m s) → (p k R , s k R ), (p a r a m s) → (p k s , s k s ) and returns p k R and (p k s , s k s ) to 𝓐1.
-
Query Phase 1. 𝓐1 makes the following queries.
-
dTrapdoor oracle \(\mathcal {O}_{T_{w}}(w):\) 𝓐1 can adaptively ask ℬ for the trapdoor T w for any keyword w of his choice. ℬ responds the trapdoor T w = (p a r a m s, s k R , p k s , w) to 𝓐1.
-
dTest oracle \(\mathcal {O}_{T}(CT, w)\): 𝓐1 can adaptively asks ℬ for the Test query for any keyword w and any PEKS ciphertext CTof his choice. ℬ first makes a trapdoor query on w to get the trapdoor T w and responds the result of (p a r a m s, T w , p k s , s k s , C T) to 𝓐1.
-
-
Challenge. Once 𝓐1 decides that Query Phase 1 is over, it outputs two keywords (w 0, w 1) from the keyword space that has not been queried in Phase 1. ℬ randomly chooses a bit δ ∈ {0, 1} and returns the challenge PEKS ciphertext C T ∗=(p a r a m s, p k R , p k s , w δ ) to 𝓐1.
-
Query Phase 2. 𝓐1 issues a number of queries from \(\mathcal {O}_{T_{w}}\) and \(\mathcal {O}_{T}\) as in Phase 1. The restriction here is that w 0 and w 1 are not allowed to be queried from \(\mathcal {O}_{T_{w}}\) and 〈C T, w〉 is not allowed to be queried from \(\mathcal {O}_{T}\) if 〈C T, w〉 = 〈C T ∗, w 0〉 or 〈C T, w〉 = 〈C T ∗, w 1〉.
-
Guess. 𝓐1 outputs the guess δ′. The adversary wins if δ′ = δ.
We define 𝓐1’s advantage in G a m e S e r v e r by
-
Game Receiver :𝓐2 is assumed to be an outsider adversary (including a malicious receiver).
-
Setup. ℬ generates the server’s public and private key pair (p k s , s k s ) and the receiver’s public and private key pair (p k R , s k R ) and gives p k s , (p k R , s k R ) to 𝓐2.
-
Query Phase 1. 𝓐2 makes the following query:
-
dTest oracle \(\mathcal {O}_{T}(CT, w):\) On input (C T, w) by \(\mathcal {A}_{2}\), ℬ first makes a trapdoor query on w to get trapdoor T w and responds the result of (p a r a m s, T w , p k s , s k s , C T) to 𝓐2.
-
-
Challenge. 𝓐2 outputs a target keyword pair (w 0, w 1) from the keyword space. ℬ randomly chooses a bit δ ∈ {0, 1} and returns the challenge PEKS ciphertext C T ∗=(p a r a m s, p k R , p k s , w δ ) to 𝓐2.
-
Query Phase 2. 𝓐1 issues a number of queries from \(\mathcal {O}_{T}\) as in Phase 1. The restriction here is that 〈C T, w〉 is not allowed to be queried from \(\mathcal {O}_{T}\) if 〈C T, w〉 = 〈C T ∗, w 0〉 or 〈C T, w〉 = 〈C T ∗, w 1〉.
-
Guess. 𝓐1 outputs the guess δ′. The adversary wins if δ′ = δ.
We define 𝓐1’s advantage in G a m e R e c e i v e r by
The SCF-PEKS scheme is said to be IND-SCF-CKCA secure if \(Adv_{\mathcal {A}_{i}}^{Game_{j}}(k)\), is negligible, where ((i = 1∧j = S e r v e r)∨(i = 1∧j = R e c e i v e r)).
SCF-PEKS secure against off-line keyword guessing attacks
Rhee et al. introduced the concept of trapdoor indistinguishability and showed that if an SCF-PEKS scheme satisfies trapdoor indistinguishability, the scheme can resist off-line keyword-guessing attacks [28]. Fang et al. [20] also proposed a similar notion of indistinguishability of SCF-PEKS against keyword guessing attacks (IND-KGA). In this subsection, we review the security against off-line keyword guessing attacks of SCF-PEKS as defined in [20].
Definition 6
(IND-KGA game) Let 𝓐3 be an outsider adversary (neither the server nor the receiver) that performs the off-line keyword guessing attack. Let k be the security parameter, the security game is defined as follows:
-
Setup. The global parameter generation algorithm, GlobalSetup(1k), the two key generation algorithms, (p a r a m s) and (p a r a m s), are run. params, p k R , p k s are given to 𝓐3 while s k R and s k s are kept secret from 𝓐3.
-
Query Phase 1. 𝓐3 makes the following query:
-
dTrapdoor oracle \(\mathcal {O}_{T_{w}}(w):\) 𝓐3 can adaptively ask ℬ for the trapdoor T w of any keyword w of his choice. ℬ responds the trapdoor T w = (p a r a m s, s k R , p k s , w) to 𝓐3.
-
-
Challenge. 𝓐3 gives ℬ two keywords w 0 and w 1, on which it wishes to be challenged. The restriction is that the corresponding trapdoors \(T_{w_{0}}\) and \(T_{w_{1}}\) have not been queried by the adversary in Phase 1. ℬ picks a random δ ∈ {0, 1} and returns the trapdoor \(T_{w_{\delta }}=\mathtt {dTrapdoor}(params, pk_{R}, pk_{s}, w_{\delta })\) to 𝓐3.
-
Query Phase 2. 𝓐3 issues a number of queries from \(\mathcal {O}_{T_{w}}\) as in Phase 1. The restriction here is that w 0 and w 1 are not allowed to be queried from \(\mathcal {O}_{T_{w}}\).
-
Guess. 𝓐3 outputs the guess δ′ ∈ {0, 1} and wins in the IND-KGA game, if δ′ = δ.
We define 𝓐3’s advantage in the IND-KGA game by
The SCF-PEKS scheme is said to be IND-KGA attack secure if \(Adv_{\mathcal {A}_{3}}^{IND-KGA}(k)\) is negligible.
Proposed efficient SCF-PEKS scheme
Our construction
The description of our SCF-PEKS scheme is as follows.
-
GlobalSetup(1k): Let k be the security parameter and \((p, g, \mathbb {G}_{1}, \mathbb {G}_{2},e)\) be the bilinear map parameters. g 1, u, v, d, h are random generators in \(\mathbb {G}_{1}\). Select collision-resistant hash functions \(H: \mathbb {G}_{1}\rightarrow \mathbb {G}_{1}\), \(H_{1}: \mathbb {G}_{2}\longrightarrow \{0, 1\}^{k}\) and \(H_{2}: \mathbb {G}_{1} \times \{0, 1\}^{k}\longrightarrow \mathbb {Z}_{p}^{*}\). Output the public parameters params = \((p, \mathbb {G}_{1}, \mathbb {G}_{2}, e, g, g_{1}, u, v, d, h, H, H_{1}, H_{2}, \mathcal {KS})\), where 𝓚𝓢 is a description of keyword space.
-
n R (params): On input params, a receiver R selects a random \(x_{R}\in \mathbb {Z}_{p}^{*}\) and sets the public key as p k R = g xR and private key as s k R = x R .
-
n S (params): A server S selects a random \(x_{s}\in \mathbb {Z}_{p}^{*}\) and sets the public key as p k s = g xs and private key as s k s = x s .
-
(p a r a m s, p k R , p k s , w): On input a receiver R’s public key p k R , a server S’s public key p k s and a keyword w, a sender computes the keyword ciphertext as follows:
-
1.
Pick \(r\in _{R} \mathbb {Z}_{p}^{*}\) and \(C_{1}=p{k_{R}^{r}}\). Compute \(T=e(pk_{s}, {g_{1}^{w}}h)^{r}\), C 2 = H 1(T).
-
2.
Pick \(s\in _{R} \mathbb {Z}_{p}^{*}\) , compute h′ = H 2(C 1, C 2) and \(C_{3}=(u^{h^{\prime }}v^{s}d)^{r}\).
-
3.
Output the PEKS ciphertext C T = (s, C 1, C 2, C 3).
-
1.
-
dTrapdoor(p a r a m s, s k R , p k s , w): On input a receiver R’s private key s k R , a server’s public key p k s and a keyword w, the receiver R randomly selects \(r^{\prime }\in _{R} \mathbb {Z}_{p}^{*}\), computes \(T_{1}=g^{r^{\prime }}\) and \(T_{2}=({g_{1}^{w}}h)^{1/{sk_{R}}}\cdot H(pk_{s}^{r^{\prime }})\), outputs the trapdoor associated with the keyword w as T w = (T 1, T 2).
-
dTest(p a r a m s, C T, s k s , p k R , T w ): On input a server’s private key s k s = x s , a trapdoor T w = (T 1, T 2) and a ciphertext C T = (s, C 1, C 2, C 3), the server perform the following computation:
Compute h′ = H 2(C 1, C 2) and test if equation
$$ e(C_{1}, (u^{h^{\prime}}v^{s}d)) = e(pk_{R}, C_{3}) $$(1)is valid. If not, output ⊥. Otherwise, the server computes \(\mathcal {T}=T_{2}/H(T_{1}^{x_{s}})\), and checks if \(C_{2}=H_{1}(e(C_{1}, \mathcal {T}^{x_{s}}))\). If the equality is satisfied, then output “yes”; otherwise, output “no”.
Correctness
We show that a correctly generated PEKS ciphertext can be correctly tested by the server who has the correct trapdoor. Let a PEKS ciphertext C T = (s, C 1, C 2, C 3) associated with keyword w under the public key p k s and p k R . Let the trapdoor T w = (T 1, T 2), where \(T_{1}=g^{r^{\prime }}\) and \(T_{2}=({g_{1}^{w}}h)^{1/{x_{R}}}\cdot H(pk_{s}^{r^{\prime }})\). We have
Therefore, we have (p a r a m s, (p a r a m s, p k R , p k s , w),s k S , p k R , (p a r a m s, s k R , p k s , w)) = y e s.
Consistency
Let \(r, r^{\prime }\in _{R} \mathbb {Z}_{p}^{*}\) denote two values chosen randomly by the SCF-PEKS scheme. Let \(C_{1}=p{k_{R}^{r}}\), \(C_{2}=H_{1}(e(pk_{s}, {g_{1}^{w}}h)^{r})\) be the partial ciphertext associated with the keyword w. Let \(T_{w^{\prime }}=(T_{1}^{\prime }, T_{2}^{\prime })\) be the trapdoor associated with the keyword w′, where \(T_{1}^{\prime }=g^{r^{\prime }}\) and \(T_{2}^{\prime }=(g_{1}^{w^{\prime }}h)^{1/{x_{R}}}\cdot H(pk_{s}^{r^{\prime }})\).
If \(H_{1}(e(C_{1}, (T_{2}^{\prime }/H(T_{1}^{\prime x_{s}}))^{x_{s}})) = C_{2}\)
But w ≠ w′, and H 1 is a collision-resistant hash function. Therefore, it holds \(H_{1}(e(C_{1}, (T_{2}^{\prime }/H(T_{1}^{\prime x_{s}}))^{x_{s}})\neq C_{2}\) with a high probability.
Security of our SCF-PEKS scheme
In this subsection, we analyze the security of our SCF-PEKS scheme in the standard model. The analysis of G a m e S e r v e r and G a m e R e c e i v e r as follows.
Theorem 1
The above scheme is IND-SCF-CKCA secure in the standard model assuming that QDBDH problem and DBDH problem are intractable.
Lemma 1
Our scheme is semantically secure against a chosen keyword and ciphertext attacks in Game Server in the standard model assuming QDBDH problem is intractable.
Proof
We assume that 𝓐1 is a malicious server with an advantage 𝜖 in breaking the proposed scheme. We assume that H, H 1 and H 2 are target collision resistant. Then suppose that there exists an adversary 𝓐1 who can break the \((q_{T_{w}}, q_{T}, \epsilon )\)-IND-SCF-CKCA security of our SCF-PEKS scheme, where \(q_{T_{w}}\) denotes the times of trapdoor queries and q T denotes the times of test queries. We can construct an algorithm ℬ which can break the QDBDH assumption with 𝜖′ in \((\mathbb {G}_{1}, \mathbb {G}_{2})\) with \(\epsilon ^{\prime }\geq \frac {\epsilon }{e\cdot q_{T_{w}}}-Adv_{H}^{TCR}\).
Suppose algorithm ℬ is given a QDBDH instance \((g, A=g^{a}, B=g^{b}, Q)\in ({\mathbb {G}_{1}})^{3}\times \mathbb {G}_{2}\) with unknown \(a, b\in _{R} \mathbb {Z}_{p}^{*}\). ℬ′s goal is to decide whether Q = e(g, g)b/a. In the G a m e S e r v e r ℬ works by interacting with adversary 𝓐1 as follows:
-
Setup. ℬ chooses random \(x_{u}, x_{v}\in \mathbb {Z}_{p}\) and sets g 1 = B α0, h = B β, u = (g xu A α1), v = (g xv A α2), and d = A α3 for random \(\alpha _{0}, \beta , \alpha _{1}, \alpha _{2}, \alpha _{3}\in _{R} \mathbb {Z}_{p}^{*}\) and provides them to 𝓐1. ℬ picks \(x_{R}\in \mathbb {Z}_{p}^{*}\). Next, using the Corons technique [11], it flips a biased coin c i ∈ {0, 1} that yields 1 with probability θ and 0 otherwise. If c i = 1, it sets p k R = g xR; else p k R = A xR. Next, ℬ adds the tuple (p k R , x R , c i ) to L List. ℬ generates the server’s public and private key pair (p k s , s k s ), and returns p k R and (p k s , s k s ) to 𝓐1.
-
Query Phase 1. 𝓐1 issues a series of queries . ℬ maintains a list L list and answers these queries for 𝓐1 as follows:
-
dTrapdoor oracle \(\mathcal {O}_{T_{w}}(w)\): \(\mathcal {B}\) randomly selects \(r^{\prime }\in \mathbb {Z}_{p}^{*}\). If c i = 1, it means that s k R = x R , \(\mathcal {B}\) outputs T w = (T 1, T 2), where \(T_{1}=g^{r^{\prime }}\), \(T_{2}=({g_{1}^{w}}h)^{1/x_{R}}\cdot H(pk_{s}^{r^{\prime }})\). If c i = 0,\(\mathcal {B}\) outputs a random bit in {0, 1} and aborts.
-
dTest oracle \(\mathcal {O}_{T}(CT, w)\): \(\mathcal {A}_{1}\) asks \(\mathcal {B}\) for the test query of keyword w and PEKS ciphertext CT of his choice. \(\mathcal {B}\) computes h′ = H 2(C 1, C 2) and then tests if \(e(C_{1}, u^{h^{\prime }}v^{s}d) = e(pk_{R}, C_{3})\) holds. Then \(\mathcal {B}\) first query a trapdoor query on 〈w〉. If c i = 1, \(\mathcal {B}\) gets the trapdoor T w and then responds by sending the result of (p a r a m s, T w , s k s , p k R , C T) to \(\mathcal {A}_{1}\). If c i = 0, p k R = A xR. \(\mathcal {B}\) have \(C_{1}=p{k_{R}^{r}}=A^{x_{R}\cdot r}\), \(C_{3}=(u^{h^{\prime }}v^{s}d)^{r}=(g^{x_{u}h^{\prime }+x_{v}s}A^{\alpha _{1}h^{\prime }+\alpha _{2}s+\alpha _{3}})^{r}\). \(\mathcal {B}\) can deduce \(g^{r}=(\frac {C_{3}}{C_{1}^{\frac {\alpha _{1}h^{\prime }+\alpha _{2}s+\alpha _{3}}{x_{R}}}})^{\frac {1}{x_{u}h^{\prime }+x_{v}s}}\). \(\mathcal {B}\) checks if
$$ H_{1}(e(g^{r},{g_{1}^{w}}h)^{x_{s}}) = C_{2} $$(2)is valid, because
$$H_{1}(e(g^{r},{g_{1}^{w}}h)^{x_{s}}) = H_{1}(e(pk_{s},{g_{1}^{w}}h)^{r}) = C_{2}.$$Then \(\mathcal {B}\) responds by sending the result of (p a r a m s, T w , s k s , p k R , C T) to \(\mathcal {A}_{1}\).
-
-
Challenge. When Phase 1 is over, \(\mathcal {A}_{1}\) outputs a challenge tuple (p k R∗, w 0, w 1). \(\mathcal {B}\) responds as follows:
-
1.
Recover tuple (p k R∗, x R∗, c i∗) from L list. If c i∗ = 1,\(\mathcal {B}\) outputs a random bit in {0, 1} and aborts. Otherwise, it means that \(pk_{R^{*}}=A^{x_{R^{*}}}\) and \(\mathcal {B}\) proceeds to execute the rest of the steps.
-
2.
Pick δ ∈ R {0, 1}, define \(C_{1}^{*}=g^{x_{R^{*}}}\) and compute T ∗ = Q xs(wδα0+β), \(C_{2}^{*}=H_{1}(T^{*})\). It sets \(h^{\prime *}=H_{2}(C_{1}^{*}, C_{2}^{*}),s^{*}=\frac {-x_{u}{h^{\prime *}}}{x_{v}}\) and compute \(C_{3}^{*}=g^{\alpha _{1}{h^{\prime *}+\alpha _{2}s^{*}+\alpha _{3}}}\). Finaly, \(\mathcal {B}\) returns \(CT^{*}=(s^{*}, C_{1}^{*},\) \( C_{2}^{*}, C_{3}^{*} )\) as the challenge ciphertext to \(\mathcal {A}_{1}\).
If \(Q=e(g,g)^{\frac {b}{a}}\), C T ∗ is indeed a valid challenge PEKS ciphertext under public key p k R∗. To see this, let \(r^{*}=\frac {1}{a},\) we have
$$\begin{array}{@{}rcl@{}} &&C_{1}^{*}=g^{x_{R^{*}}}=(g^{a})^{x_{R^{*}}\cdot \frac{1}{a}}=(A^{x_{R^{*}}})^{r^{*}}=pk_{R^{*}}^{r^{*}},\\ &&C_{2}^{*}= H_{1}(Q^{x_{s}(w_{\delta{\alpha_{0}}}+\beta)}) = H_{1}(e(pk_{s}, g^{(w_{\delta{\alpha_{0}+\beta)}} })^{\frac{b}{a}})\\ &&=H_{1}(e(pk_{s}, B^{({\alpha_{0}}{w_{\delta}}+\beta)})^{r^{*}}) = H_{1}(e(pk_{s}, (g_{1}^{w_{\delta}}h))^{r^{*}}),\\ &&C_{3}^{*}=g^{(\alpha_{1}{h^{\prime}}^{*}+\alpha_{2}s^{*}+\alpha_{3})}=(A^{\alpha_{1}{h^{\prime}}^{*}+\alpha_{2}s^{*}+\alpha_{3}})^{r^{*}}=\\ &&(g^{x_{u}{h^{\prime}}^{*}+x_{v}s^{*}}\cdot A^{\alpha_{1}{h^{\prime}}^{*}}\cdot A^{\alpha_{2}s^{*}}\cdot A^ {\alpha_{3}})^{r^{*}}=((g^{x_{u}}A^{\alpha_{1}})^{{h^{\prime}}^{*}}\cdot\\ &&(g^{x_{v}}A^{\alpha_{2}})^{s^{*}}\cdot A^{\alpha_{3}})^{r^{*}}= (u^{{h^{\prime}}^{*}}v^{s^{*}}d)^{r^{*}}. \end{array} $$
On the other hand, when Q is uniform and independent in \(\mathbb {G}_{2}\), the challenge ciphertext ciphertext C T ∗ is independent of δ in the adversary’s view.
-
1.
-
Query Phase 2. 𝓐1 continues making queries as in the Query Phase 1. The restriction is that w 0 and w 1 are not allowed to be queried from \(\mathcal {O}_{T_{w}}\) and 〈C T, w〉 are not queried from \(\mathcal {O}_{T}\) if 〈C T, w〉 = 〈C T ∗, w 0〉 or 〈C T, w〉 = 〈C T ∗, w 1〉. otherwise, ℬ returns ⊥ which is not in the trapdoor space.
-
Guess. Eventually, 𝓐1 returns a guess δ′ ∈ {0, 1}. If δ′ = δ, ℬ outputs 1 meaning \(Q=e(g, g)^{\frac {b}{a}}\); else, ℬ outputs 0 meaning Q = e(g, g)r.
Now we begin to analyze the probability. Let Abort denotes the event of ℬ’s aborting during the simulation of oracles \(\mathcal {O}_{T_{w}}\), \(\mathcal {O}_{T}\) or in challenge phase. We have \(\mathtt {Pr}[\neg Abort]\geq \theta ^{q_{T_{w}}}(1-\theta )\) which is maximized at \(\theta _{opt}=\frac {q_{T_{w}}}{1+q_{T_{w}}}\). Using θ o p t , the probability [¬A b o r t] is at least \(\frac {1}{e\cdot q_{T_{w}}}\). Therefore, we have \(\epsilon ^{\prime }\geq \frac {\epsilon }{e\cdot q_{T_{w}}}-Adv_{H}^{TCR}\), where e denotes the base of the natural algorithm. This completes the proof of lemma 1. □
Lemma 2
Our scheme is semantically secure against a chosen keyword attack in Game Receiver in the standard model assuming DBDH problem is intractable.
Proof
We assume that 𝓐2 is an outsider adversary (including the receiver) with an advantage 𝜖 in breaking the proposed scheme. We assume that H, H 1 and H 2 are target collision resistant. Then suppose that there exists an adversary 𝓐2 who can break the 𝜖-IND-CKA security of our PEKS scheme. We can construct an algorithm ℬ which can break the DBDH assumption with \(\epsilon ^{\prime }=(\epsilon -Adv_{H}^{TCR})\) in \((\mathbb {G}_{1}, \mathbb {G}_{2})\).
Suppose algorithm ℬ is given a DBDH instance \((g, A=g^{a}, B=g^{b}, C=g^{c}, Q)\in ({\mathbb {G}_{1}})^{3}\times \mathbb {G}_{2}\) with unknown \(a, b, c\in _{R} \mathbb {Z}_{p}^{*}\). ℬ′s goal is to decide whether Q = e(g, g)abc. ℬ works by interacting with adversary 𝓐2 in the IND-CKA game as follows:
-
Setup. ℬ provides 𝓐2 with public parameters g 1 = B = g b, h = B β, u = A α1, v = A α2, and d = g α3 for random \( \alpha _{1}, \alpha _{2}, \alpha _{3},\beta \in _{R} \mathbb {Z}_{p}^{*}\). Let p k s = A = g a be the server’s public key. ℬ randomly chooses \(x_{R}\in \mathbb {Z}_{p}^{*}\) and sets p k R = g xR and s k R = x R as the receiver’s public and private key respectively. ℬ sends (p k R , s k R ) to 𝓐2.
-
Query Phase 1. 𝓐2 queries the dTest oracle as follows:
-
dTest oracle \(\mathcal {O}_{T}(CT, w)\): 𝓐2 can adaptively ask ℬ for the test query of any keyword w and any PEKS ciphertext C T = (s, C 1, C 2, C 3) of his choice. ℬ computes h′ = H 2(C 1, C 2) and then tests if \(e(C_{1}, u^{h^{\prime }}v^{s}d) = e(pk_{R}, C_{3})\) holds. Since \(C_{1}=p{k_{R}^{r}}=(g^{r})^{x_{R}}\), \(C_{3}=(u^{h^{\prime }}v^{s}d)^{r}=(A^{\alpha _{1}h^{\prime }+\alpha _{2}s}g^{\alpha _{3}})^{r}\), we have \(g^{r}=C_{1}^{\frac {1}{x_{R}}}\) and \(A^{r}=(\frac {C_{3}}{C_{1}^{\frac {\alpha _{3}}{x_{R}}}})^{\frac {1}{\alpha _{1}h^{\prime }+\alpha _{2}s}}\). ℬ checks if
$$H_{1}(e({g_{1}^{w}}h, A^{r})) = C_{2},$$because \(H_{1}(e({g_{1}^{w}}h, A^{r})) = H_{1}(e({g_{1}^{w}}h, pk_{s})^{r}) = C_{2}\). ℬ then randomly selects \(r^{\prime }\in \mathbb {Z}_{p}^{*}\), and computes T w = (T 1, T 2), where \(T_{1}=g^{r^{\prime }}\), \(T_{2}=({g_{1}^{w}}h)^{1/x_{R}}\cdot H(pk_{s}^{r^{\prime }})\). ℬ returns the result of (p a r a m s, T w , s k s , p k R , C T) to 𝓐2.
-
-
Challenge. When Phase 1 is over, 𝓐2 outputs a challenge tuple (p k R∗, w 0, w 1). ℬ responds by choosing a random δ ∈ {0, 1}. Let the challenge keyword be w ∗=w δ , ℬ computes \(C_{1}^{*}=(g^{c})^{x_{R}^{*}}\), \(T^{*}=H_{1}(Q^{w^{*}+\beta })\), \({h^{\prime }}^{*}=H_{2}(C_{1}^{*}, C_{2}^{*})\), \(s^{*}=\frac {-\alpha _{1}{h^{\prime }}^{*}}{\alpha _{2}}\), and \(C_{3}^{*}=C^{\alpha _{3}}\). ℬ sends the challenge PEKS ciphertext \(C^{*}=(s^{*}, C_{1}^{*}, C_{2}^{*}, C_{3}^{*})\) to 𝓐2.
If Q = e(g, g)abc, C T ∗ is indeed a valid challenge ciphertext under public key p k R∗. To see this, let r ∗ = c, we have
$$\begin{array}{@{}rcl@{}} &&C_{1}^{*}=(g^{c})^{x_{R^{*}}}==(g^{x_{R^{*}}})^{r^{*}}=pk_{R^{*}}^{r^{*}},\\ &&C_{2}^{*}= H_{1}(Q^{(w^{*}+\beta)}) = H_{1}(e(g, g)^{abc(w^{*}+\beta)})\\ &&=H_{1}(e(g^{a}, g^{b(w^{*}+\beta)})^{c}) = H_{1}(e(pk_{s}, g_{1}^{w^{*}}h)^{r^{*}}),\\ &&C_{3}^{*}=(g^{c})^{\alpha_{3}}=(g^{\alpha_{3}})^{c}=(A^{\alpha_{1}{h^{\prime}}^{*}}\cdot A^{\alpha_{2} (\frac{-\alpha_{1}{h^{\prime}}^{*}}{\alpha_{2}})}\cdot \\ &&g^{\alpha_{3}})^{c}=(A^{\alpha_{1}{h^{\prime}}^{*}}\cdot A^{\alpha_{2} s^{*}}\cdot g^{\alpha_{3}})^{c}=(u^{{h^{\prime}}^{*}}v^{s^{*}}d)^{r^{*}}. \end{array} $$ -
Query Phase 2. 𝓐2 issues a number of queries from \(\mathcal {O}_{T}\) as in Phase 1. The restriction here is that 〈C T, w〉 is not allowed to be queried from \(\mathcal {O}_{T}\) if 〈C T, w〉 = 〈C T ∗, w 0〉 or 〈C T, w〉 = 〈C T ∗, w 1〉. Otherwise, ℬ returns ⊥.
-
Guess. Eventually, 𝓐2 returns a guess δ′ ∈ {0, 1}. If δ′ = δ, ℬ outputs 1 meaning Q = e(g, g)abc; else, ℬ outputs 0 meaning Q = e(g, g)r.
□
Off-line keyword guessing attack resiliency
Theorem 2
Our SCF-PEKS scheme is IND-KGA secure in the standard model, under the assumption that Hash Diffie-Hellman (HDH) is intractable.
Proof
Let 𝓐3 be an outsider adversary who makes at most \(q_{T_{w}}\) trapdoor queries. Assume that 𝓐3 has an advantage 𝜖 in breaking IND-KGA Game of the proposed scheme, we build an algorithm ℬ which has an advantage 𝜖′ = 𝜖 in solving the HDH problem in \(\mathbb {G}_{1}\). ℬ takes as input a random HDH instance \((g, A=g^{a}, B=g^{b}, \eta )\in \mathbb {G}_{1},\) and \(H: \{0, 1\}^{*}\rightarrow \mathbb {G}_{1}\), where H is a hash function and η is either H(g ab) or a random element of \(\mathbb {G}_{1}\).
-
Setup. Algorithm ℬ randomly chooses \(g_{1}\in \mathbb {G}_{1}\), \(x_{R}\in \mathbb {Z}_{p}^{*}\) and sets the receiver R’s private key s k R = x R and public key p k R = g xR. It chooses a random value \(l\in _{R} \mathbb {Z}_{p}^{*}\) and sets the server’s public key p k s = A l=(g a)l, where the private key of the server is implicitly defined as s k s = a l. ℬ sends (p k R , p k s ) to 𝓐3.
-
Query Phase 1.
-
dTrapdoor oracle \(\mathcal {O}_{T_{w}}(w)\): When 𝓐3 issues a query for a trapdoor that corresponds to the keyword w j , ℬ responds as follows:
-
ℬ randomly chooses \(r^{\prime }\in \mathbb {Z}_{p}^{*}\) and computes \(T_{1}=g^{r^{\prime }}, T_{2}=(g_{1}^{w_{j}}h)^{\frac {1}{x_{R}}}\cdot H(pk_{s}^{r^{\prime }})\).
-
ℬ responds to 𝓐3 with the trapdoor, \(T_{w_{j}}=(T_{1}, T_{2})\) of w j .
-
-
-
Challenge. 𝓐3 outputs two keywords w 0 and w 1 that she wishes to be challenged on. ℬ generates the challenge trapdoor \(T_{w_{\delta }}=(T_{1}^{*}, T_{2}^{*})\) as follows.
-
ℬ picks a random bit δ ∈ {0, 1} and sets \(T_{1}^{*}=B^{\frac {1}{l}}, T_{2}^{*}=(g_{1}^{w_{\delta }}h)^{\frac {1}{x_{R}}}\cdot \eta \) where \(l\in _{R} \mathbb {Z}_{p}^{*}\) is the value that is selected in the setup phase and η is a component of the HDH challenge.
-
ℬ responds with the challenge trapdoor \(T_{w_{\delta }}^{*}=(T_{1}^{*}, T_{2}^{*})\).
If η = H(g ab),\(T_{w_{\delta }}^{*}=(T_{1}^{*}, T_{2}^{*})\) is a valid trapdoor under public key p k R . Let \(r^{\prime *}=\frac {b}{l},\) we have \(T_{1}^{*}=B^{\frac {1}{l}}=g^{r^{\prime *}},\) \(T_{2}^{*}= (g_{1}^{w_{\delta }}h)^{\frac {1}{x_{R}}}\cdot \eta =(g_{1}^{w_{\delta }}h)^{\frac {1}{sk_{R}}}\cdot H(g^{ab}) = (g_{1}^{w_{\delta }}h)^{\frac {1}{sk_{R}}}\cdot H(g^{al\cdot \frac {b}{l}}) = (g_{1}^{w_{\delta }}h)^{\frac {1}{sk_{R}}}\cdot H(pk_{s}^{r^{\prime *}})\).
-
-
Query Phase 2. 𝓐3 can issue trapdoor queries for the keyword w j . The restriction is that w j ≠ w 0, w 1. Algorithm ℬ responds to these queries as before.
-
Guess. Eventually, 𝓐3 outputs the guess δ′ ∈ {0, 1}, which indicates whether the challenge \(T_{w_{\delta }}^{*}\) is (p a r a m s, s k R , p k s , w 0) or (p a r a m s, s k R , p k s , w 1). If δ = δ′, then ℬ outputs 1, meaning η = H(g ab); otherwise, it outputs 0, meaning \(\eta \in _{R} \mathbb {G}_{1}\).
□
Performance evaluation
In Table 1, we compare our scheme with Fang et al. [20] (denoted by FS13) and Rhee et al. [28] (denoted by RP10) schemes. We use t p , t e , t s , t v to represent the computational cost of a bilinear pairing operation, an exponentiation, signing and verifying operations of a one-time signature respectively. “Length of pk” and “Length of sk” denote the length of a public key and a private key, respectively. n denotes the length of keyword space. “Without RO?” denotes whether or not the scheme uses random oracle model in the security proof.
To the best of our knowledge, our SCF-PEKS scheme and the one proposed by Fang et al. in [20] are the only two SCF-PEKS schemes which are proven secure without random oracles. However, our SCF-PEKS scheme only requires a very short key size as compared to Fang et al. scheme [20]. For example, the length of a public key is \(|\mathbb {G}_{1}|\) and the length of a secret key is p in our scheme but the length of a public key is \(2|\mathbb {G}_{1}|+(n+1)|\mathbb {G}_{1}|\) and a secret key is 2p+(n+1)p in [20]. Here \(n=160, p=2^{160}, |\mathbb {G}_{1}|=2^{512}\). Therefore, the key size of our proposed SCF-PEKS scheme is 99.4% shorter than the Fang et al.’s scheme [20].
We implemented our proposed SCF-PEKS scheme using JAVA programming language on a Dell Inspiron laptop that operates on Windows 8 (64-bit) with CPU of Intel Core i7-4500U, 1.8GHz and memory of 8GB DDR3L. We run each algorithm for 100 rounds to get an average run time as shown in Table 2. To further show that the SCF-PEKS scheme is feasible to run on a client platform with constrained resources, such as a tablet, we also conducted a preliminary experiment by running the dTrapdoor and PEKS algorithms on ASUS VivoTab Smart ME400C that operates on Windows 8 with processor of Intel Atom Z2760 Dual-core 1.8GHz and memory of 2GB. The average run time of dTrapdoor and PEKS is recorded as 0.38s and 0.48s, respectively.
Application of SCF-PEKS for EMRs in medical cloud storage
With the rapid development of cloud computing and mobile networking technologies, health care practitioners are able to access electronic medical records that stored on a medical cloud storage with mobile devices (e.g., tablets). Confidentiality of the stored contents is one of the major concerns of the patients [25, 26]. The property of confidentiality should also be maintained even if health care practitioners designate the storage provider to search and retrieve patients’ records associated with certain keywords.
Consider a medical cloud application that consists of a cloud service provider (CSP) and health care providers that store EMRs on the cloud storage. The health care practitioners encrypt all the stored EMRs to ensure the confidentiality of the contents. To retrieve encrypted EMRs related to a specific keyword by using the conventional approach, the health care practitioners have to download all the stored EMRs, decrypt, and perform their search on local systems. For example, if the medical cloud storage contains 1 gigabyte of EMRs, but only 1 megabyte of data is related to the specific keyword. It is required to retrieve all the 1 gigabyte of data which is inefficient.
To solve this problem, we consider the application of SCF-PEKS schemes for many-writer/single-reader (MWSR) setting [22], where a health care practitioner S (sender) who generates and stores the encrypted EMRs is different from another health care practitioner R (receiver) that requests CSP to search and retrieves it from the storage. As shown in Fig. 1, the health care practitioner S who uploads EMRs to the medical cloud storage will first encrypt EMRs with a conventional public key encryption scheme under the public key of the health care practitioner R. In addition, a keyword w associated with the EMRs is encrypted with SCF-PEKS scheme under the public key of both R and the CSP. The health care practitioner R who wants to selectively download certain EMRs that are only related to the keyword w will generate a trapdoor under his/her private key. This trapdoor is then sent to the CSP. Upon receiving this trapdoor, the CSP run the dTest algorithm to test the received trapdoor and keyword ciphertexts that stored in the medical cloud storage. It will then return those encrypted EMRs that are associated with w to R.
A complete implementation of such medical cloud application may incorporate other cryptographic primitives and techniques to either enhance its efficiency or functionalities. The complexity of search time for our proposed SCF-PEKS is O(n), where n is the number of encrypted EMRs stored in the medical cloud for a particular medical practitioner. To improve the search efficiency, we may incorporate the hybrid-indexed search method proposed in [33]. The hybrid index consists of a static index and a dynamic index. If a keyword is queried for the fist time, the hybrid-indexed search refers to the static index for searching the encrypted EMRs. While, the dynamic index is used for searching EMRS associated with a keyword that has been queried before. We note that the trapdoor which used as the dynamic index in [33] is deterministic. Therefore, the hybrid-indexed search method in [33] cannot be directly applied to our SCF-PEKS scheme that generates a probabilistic trapdoor. In addition, we may consider to apply the techniques proposed in [6, 14, 36, 37] to combine the public key encryption (PKE) of the EMRs with our SCF-PEKS. We plan to investigate on how to tweak all these techniques to suit our proposed SCF-PEKS scheme for implementing a real-life application in future.
Conclusion
In this paper, we proposed a very efficient SCF-PEKS scheme that is secure against chosen keyword and ciphertext attacks, and keyword guessing attacks based on the QDBDH, DBDH, and HDH assumptions in the standard model. Our proposed SCF-PEKS scheme is suitable to be used for searching encrypted EMRs in a medical cloud environment which involves mobile devices or client platforms with constrained system resources.
There are several open problems related to this research. First, the construction of both Fang et al. [20] and our proposed SCF-PEKS schemes require pairing operations, it would be good if an IND-KGA secure SCF-PEKS scheme can be constructed without using pairing operations. Second, it is worth to investigate on constructing an efficient SCF-PEKS scheme in a stronger security model, such as the malicious server generates her public key and secret key by herself in the security model.
References
Abdalla, M., Bellare, M., Rogaway, P.: DHIES: an encryption scheme based on the Diffie-Hellman problem. In: CT-RSA 2001, LNCS 2020. pp. 143–158 (2001)
Ateniese, G., Fu, K.V., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. In: Internet Society (ISOC): NDSS 2005. pp. 29–43 (2005)
Aviv, A.J., Locasto, M.E., Potter, S., Keromytis, A.D.: SSARES: Secure searchable automated remote email storage. In: ACSAC 2007. pp. 129–139 (2007)
Boneh, D., Crescenzo, G.D., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: EUROCRYPT 2004, LNCS 3027. pp. 506–522 (2004)
Baek, J., Safavi-Naini, R., Susilo, W.: Public key encryption with keyword search revisited. In: ICCSA 2008, LNCS 5072. pp. 1249–1259 (2008)
Baek, J., Safavi-Naini, R., Susilo, W.: On the integration of public key data encryption and public key encryption with keyword search. In: ISW 2006, LNCS 4176. pp. 217–232 (2006)
Byun, J.W., Rhee, H.S., Park, H.A., Lee, D.H.: Off -line keyword guessing attacks on recent keyword search schemes over encrypted data. In: Proceedings of SDM 2006, LNCS 4165. pp. 75–83 (2006)
Coron, J.S.: On the exact security of full domain hash. In: Crypto 2000. LNCS 1880. pp. 229–235 (2000)
Chen, Y.-C., Horng, G., Lin, Y.-J., Chen, K.-C.: Privacy preserving index for encrypted electronic medical records. J. Med. Syst. doi:10.1007/s10916-013-9992-x (2013)
Chen, T.-S., Liu, C.-H., Cen, T.-L., Chen, C.-S., Bau, J.-G., Lin, T.-C., Secure dynamic access control scheme of PHR in cloud computing. J. Med. Syst. 36(6):4005–4020, 2012.
Chen, Y.-Y., Lu, J.-C., Jan, J.-K., A secure EHR system based on hybrid clouds. J. Med. Syst. 36(5): 3375–3384, 2012.
Chen, C.-L., Yang, T.-T., Chiang, M.-L., Shih, T.-F., A privacy authentication scheme based on cloud for medical environment. J. Med. Syst. 38(11), 2014. doi:10.1007/s10916-014-0143-9.
Chen, C.-L., Yang, T.-T., Shih, T.-F., A secure medical data exchange protocol based on cloud environment. J. Med. Syst. 38(9), 2014. doi:10.1007/s10916-014-0112-3.
Chen, Y., Zhang, J., Lin, D., Zhang, Z.: Generic constructions of integrated PKE and PEKS. Des. Codes Crypt. doi:10.1007/s10623-014-0014-x (2014)
Emura, K., Miyaji, A., Omote, K.: Adaptive secure-channel free public-key encryption with keyword search implies timed release encryption. In: ISC 2011, LNCS 7001. pp. 102–118 (2011)
Emura, K., Miyaji, A., Rahman, M.S., Omote, K.: Generic constructions of secure-channel free searchable encryption with adaptive security. IACR Cryptology ePrint Archive. Available at http://eprint.iacr.org/2013/321 (2013)
Emura, K., and Rahman, M.S.: Constructing secure-channel free searchable encryption from anonymous IBE with partitioned ciphertext structure. In: SECRYPT 2012. pp. 84–93 (2012)
Fernández-Cardeñosa, G., de la Torre-Díez, I., López-Coronado, M., Rodrigues, J.J.P.C., Analysis of cloud-based solutions on EHRs systems in different scenarios. J. Med. Syst. 36(6):3777–3782, 2012.
Fang, L.M., Susilo, W., Ge, C.P., Wang, J.D.: A secure channel free public key encryption with keyword search scheme without random oracle. In: CANS 2009, LNCS 5888. pp. 248–258 (2009)
Fang, L.M., Susilo, W., Ge, C.P., Wang, J.D., Public key encryption with keyword search secure against keyword guessing attacks without random oracle. Inf. Sci. 238:221–241, 2013.
Gentry, C.: Practical identity-based encryption without random oracles. In: EUROCRYPT 2006, LNCS 4004. pp. 445–464 (2006)
Kamara, S., and Lauter, K.: Cryptographic cloud storage. In: FC 2010, LNCS 6054. pp. 136–149 (2010)
Lai, J.Z., Deng, R.H., Liu, S.L.: Efficient CCA-secure PKE from Identity-based techniques. In: CT-RSA 2010, LNCS 5985, pp. 132–147 (2010)
Low, C., and Hsueh Chen, Y., Criteria for the evaluation of a cloud-based hospital information system outsourcing provider. J. Med.l Syst. 36(6):3543–3553, 2012.
Lu, C., Wu, Z., Liu, M., Chen, W., Guo, J., A patient privacy protection scheme for medical information system. J. Med. Syst. 37 (6), 2013. doi:10.1007/s10916-013-9982-z.
Mat Kiah, M.L., Nabi, M. S., Zaidan, B.B., Zaidan, A.A., An enhanced security solution for electronic medical records based on AES hybrid technique with SOAP/XML and SHA-1. J. Med. Syst. 37 (5), 2013. doi:10.1007/s10916-013-9971-2.
Rhee, H. S., Park, J. H., Susilo, W., Lee, D. H.: Improved searchable public key encryption with designated tester. In: ASIACCS 2009, ACM. pp. 376–379 (2009)
Rhee, H.S., Park, J.H., Susilo, W., Lee, D.H., Trapdoor security in a searchable public key encryption scheme against keyword guessing attacks. J. Syst. ans Softw. 6(5):237–243, 2010.
Rhee, H.S., Park, J.H., Lee, D.H., Generic construction of designated tester public-key encryption with keyword search. Inf. Sci. Express 205(1):93–109, 2014.
Rhee, H.S., Susilo, W., Kim, H.J., Secure searchable public key encryption scheme against keyword guessing attacks. IEICE Electron. Express 83:763–771, 2009.
Sun, J., and Fang, Y., Cross-domain data sharing in distributed electronic health record systems. IEEE Trans. Parallel Distrib. Syst. 21(6):754–764, 2010.
Susilo, W., and Win, K.T., Security and access of health research data. J. Med. Syst. 31(2):103–107, 2007.
Wang, W., Xu, P., Li, H., Yang, L.T.: Secure hybrid-indexed search for high efficiency over keyword searchable ciphertexts. Future Gener. Comput. Syst. doi:10.1016/j.future.2014.07.008 (2014)
Waters, B.: Efficient identity based encryption without random oracles. In: EUROCRYPT 2005, LNCS 3494. pp. 114–127. Springer-Verlag (2005)
Yau, W.C., Heng, S.H., Goi, B.M.: Off-line keyword guessing attacks on recent public key encryption with keyword search schemes. In: ATC 2008, LNCS 5060. pp. 100–105 (2008)
Zhang, R., and Imai, H.: Generic combination of public key encryption with keyword search and public key encryption. In: CANS 2007, LNCS 4856. pp. 159–174 (2007)
Zhang, R., and Imai, H., Combining public key encryption with keyword search and public key encryption. IEICE Trans. 92-D(5):888–896, 2009.
Acknowledgments
The authors would like to thank anonymous reviewers for their useful comments. We also thank Syh-Yuan Tan (Multimedia University) for his helpful discussions on Java implementation of the proposed scheme. L. Guo is supported by the National Science Foundation of China under Grant No. 61202365 and Technology Foundation for Selected Overseas Chinese Scholar, Department of Human Resources and Social Security of Shanxi Province. W.-C. Yau is partially supported by FRGS Grant (FRGS/1/2012/TK06/MMU/03/9).
Author information
Authors and Affiliations
Corresponding author
Additional information
This article is part of the Topical Collection on Systems-Level Quality Improvement.
Rights and permissions
About this article
Cite this article
Guo, L., Yau, WC. Efficient Secure-Channel Free Public Key Encryption with Keyword Search for EMRs in Cloud Storage. J Med Syst 39, 11 (2015). https://doi.org/10.1007/s10916-014-0178-y
Received:
Accepted:
Published:
DOI: https://doi.org/10.1007/s10916-014-0178-y