Keyword guessing attacks on secure searchable public key encryption schemes with a designated tester

The first searchable public key encryption scheme with designated testers (dPEKS) known to be secure against keyword guessing attacks was due to Rhee et al. [H.S. Rhee, W. Susilo, and H.J. Kim, Secure searchable public key encryption scheme against keyword guessing attacks, IEICE Electron. Express 6(5) (2009), pp. 237–243]. Recently, some dPEKS schemes, including the Rhee et al. scheme, were found to be vulnerable to keyword guessing attacks by a malicious server. However, the Rhee et al. dPEKS scheme and its improved variants are still known to be secure against keyword guessing attack by the outsider attacker to date. In this paper, we present a keyword guessing attack by the outsider attacker on the existing dPEKS schemes. We first describe the attack scenario which is possible in the current nature of the Internet and public key encryption with keyword search applications, e.g. email routing. We then demonstrate the detailed attack steps on the Rhee et al. scheme as an attack instance. We emphasize that our attack is generic and it equally applies to all existing dPEKS schemes that claim to be secure against keyword guessing attacks by the outsider attacker.     

指定服务器的基于身份加密连接关键字搜索方案

公钥加密关键字搜索(PEKS)允许用户发送关键字陷门给服务器,服务器可以通过陷门定位到包含用户搜索的关键字的密文。为了消除已有基于身份加密的关键字搜索(IBEKS)方案中服务器和接收者之间的安全信道,Wu等人提出了一种指定服务器基于身份加密的关键字搜索(dIBEKS)方案。可是,Wu等人提出的dIBEKS方案不满足密文不可区分性。为了克服Wu等人方案的不足,本文提出一种指定服务器基于身份加密的多关键字搜索方案。安全性分析表明,本文所提方案同时满足了密文不可区分、陷门不可区分和离线关键字猜测攻击的安全性。效率分析显示,本文的方案更高效。      

高效的适应性选择密文安全公钥加密算法

安全高效的公钥加密算法是信息系统安全的重要保障技术,文中利用陷门承诺函数的思想实现对密文完整性的保护,由此在标准模型下给出一个可证明适应性选择密文攻击安全的公钥加密算法.新算法与著名的CS98公钥加密算法相比公钥参数数量减少20%,私钥参数减少80%;与BMW05公钥加密算法比较,公、私钥参数数量大为减少且安全规约效率...     

Private Keyword-Search for Database Systems Against Insider Attacks

The notion of searchable encrypted keywords introduced an elegant approach to retrieve encrypted data without the need of decryption. Since the introduction of this notion, there are two main searchable encrypted keywords techniques, symmetric searchable encryption (SSE) and public key encryption with keyword search (PEKS). Due to the complicated key management problem in SSE, a number of concrete PEKS constructions have been proposed to overcome it. However, the security of these PEKS schemes was only weakly defined in presence of outsider attacks; therefore they suffer from keyword guessing attacks from the database server as an insider. How to resist insider attacks remains a challenging problem. We propose the first searchable encrypted keywords against insider attacks (SEK-IA) framework to address this problem. The security model of SEK-IA under public key environment is rebuilt. We give a concrete SEK-IA construction featured with a constant-size trapdoor and the proposed scheme is formally proved to be secure against insider attacks. The performance evaluations show that the communication cost between the receiver and the server in our SEK-IA scheme remains constant, independent of the sender identity set size, and the receiver needs the minimized computational cost to generate a trapdoor to search the data from multiple senders.     

有效的带关键字搜索的代理重加密方案

2010年,Shao等人首次引入带关键字搜索的代理重加密(proxy re-encryption with keyword search, PRES)的概念,而且构造出1个在随机预言模型下可证明安全的双向PRES方案,同时该作者提出一个公开问题：怎么构造有效的在标准模型下可证明安全的PRES方案.针对这一公开问题,给出了指定检验者的具有关键字搜索性质的代理重加密(proxy re-encryption with keyword search with a designated tester, dPRES)的定义和安全模型,且构造出1个在适应性合谋模型下可证明具有抵制适应性选择关键字攻击和适应性选择密文攻击安全性的dPRES方案,而且所构造方案在标准模型下可证明安全.所构造的方案有以下3个优点：首先,当用户传递给指定检验者关键字的陷门时,不使用安全信道;第二,能够抵制关键字离线猜测攻击;第三,本方案不使用强不可伪造一次性签名方案,从而使得该方案更加有效.     

Construction of a key-dependent message secure symmetric encryption scheme in the ideal cipher model

Key-dependent message (KDM) security is an important security issue that has attracted much research in recent years. In this paper, we present a new construction of the symmetric encryption scheme in the the ideal cipher model (ICM); we prove that our scheme is KDM secure against active attacks with respect to arbitrary polynomialtime challenge functions. Our main idea is to introduce a universal hash function (UHF) h as a random value for each encryption, and then use s = h(sk) as the key of the ideal cipher F, where sk is the private key of our symmetric encryption scheme. Although many other schemes that are secure against KDM attacks have already been proposed, in both the ideal standard models, the much more significance of our paper is the simplicity in which we implement KDM security against active attacks.     

An efficient non-interactive deniable authentication scheme based on trapdoor commitment schemes

Deniable authentication scheme is one of useful tools for secure communications. The scheme allows a sender to prove the authenticity of a message to a specified receiver without permitting the receiver to prove that the message was authenticated by the sender. Non-interactive schemes are more attractive than interactive schemes in terms of communication overhead, and thus several non-interactive deniable authentication scheme have been proposed. In this paper, we propose an efficient non-interactive deniable authentication scheme based on trapdoor commitment scheme. We construct an efficient trapdoor commitment scheme which provides very efficient commitment evaluation operation. Then we design an efficient non-interactive deniable authentication scheme by using the trapdoor commitment scheme. We also prove the security of our scheme under firmly formalized security model.     

An efficient improvement remote user mutual authentication and session key agreement scheme for E-health care systems

The E-health care systems allow patients to gain the health monitoring facility and access medical services remotely. A secure mechanism for mutual authentication and session key agreement is the most important requirements for E-Health Care Systems. Recently, Amin et al.’s proposed a mutual authentication and session key agreement protocol and claimed that their scheme is secure against all possible attacks. In this paper, we show that not only their scheme is vulnerable to privileged-insider attack, replay attack, session key disclosure attack, but also does not provide patient untraceability and backward secrecy. In order to withstand the mentioned security weaknesses, we propose an efficient remote mutual authentication scheme for the systems which are using ECC and Fuzzy Extractor. The proposed scheme not only resists against different security attacks, but it also provides an efficient registration, login, mutual authentication, session key agreement, and password and biometric update phases. During the experimentation, it has been observed that the proposed scheme is secure against various known attacks. Beside, our scheme is robust against privileged-insider attack that it rarely checked in security analysis. The informal analysis will ensure that our scheme provides well security protection against the different security attacks. Furthermore, we analyzed the security of the scheme using AVISPA software and Random Oracle Model. The formal analysis results and performance evaluation vouch that our scheme is also secure and efficient in computation and communication cost.     

Provably secure server-aided verification signatures

A server-aided verification signature scheme consists of a digital signature scheme and a server-aided verification protocol. With the server-aided verification protocol, some computational tasks for a signature verification are carried out by a server, which is generally untrusted; therefore, it is very useful for low-power computational devices. In this paper, we first define three security notions for server-aided verification signatures, i.e., existential unforgeability, security against collusion attacks and security against strong collusion attacks. The definition of existential unforgeability includes the existing security requirements in server-aided verification signatures. We then present, on the basis of existing signature schemes, two novel existentially unforgeable server-aided verification signature schemes. The existential unforgeability of our schemes can be formally proved both without the random oracle model and using the random oracle model. We also consider the security of server-aided verification signatures under collusion attacks and strong collusion attacks. For the first time, we formally define security models for capturing (strong) collusion attacks, and propose concrete server-aided verification signature schemes that are secure against such attacks.     

标准模型下可证明安全的基于身份多代理签名

基于身份多代理签名的2类主要形式化安全模型分别存在敌手攻击目标不准确和敌手分类不完备的问题,而且,目前仍缺乏真正可证明安全的有效方案.融合现有安全模型,重新定义了基于身份多代理签名的标准安全模型.新模型立足于改进现有模型存在的问题,采用更加完备的敌手分类标准,形式化定义各类敌手的行为和攻击目标,采用简单清晰的证明结构.在新安全模型框架下,提出一种基于身份的多代理签名方案,其安全性被规约为多项式时间敌手求解CDH问题.此外,着重分析了最近提出的一种基于身份多代理签名方案及其安全模型,指出其中的3个主要缺陷.对比分析表明,新的安全模型更加完备,新提出的多代理签名是一种真正的、在标准模型下可证明安全的基于身份密码方案.     

FS-IBEKS: Forward secure identity-based encryption with keyword search from lattice

Public Key Encryption with Keyword Search (PEKS) makes it possible for a cloud server (CS) to match a trapdoor and a ciphertext. However, with the upgrowth of quantum techniques, most of the existing PEKS schemes will be broken by quantum computers in the coming future. Moreover, they are also under the threat of potential key exposure. Lattice-based forward secure PEKS scheme (FS-PEKS) overcomes the two problems above by combining the techniques of forward security and lattice-based cryptography. However, FS-PEKS schemes work in public key infrastructure (PKI), which will incur complicated certificate management procedures. In this work, to overcome the key management issue but still guarantee security even when attackers corrupt the keys, we extend the FS-PEKS scheme into the identity-based framework and present a forward secure identity-based encryption with keyword search (FS-IBEKS) scheme from lattice. The proposed scheme is secured under the selective identity against chosen plaintext attack (IND-sID-CPA) in the random oracle model. To further improve the security, we present another FS-IBEKS scheme into the standard model and give concrete security proof under the adaptive identity against chosen plaintext attack (IND-ID-CPA). The comprehensive performance evaluation demonstrates that our FS-IBEKS schemes are feasible for cloud computing.     

Efficient and secure identity-based encryption scheme with equality test in cloud computing

Efficient searching on encrypted data outsourced to the cloud remains a research challenge. Identity-based encryption with equality test (IBEET) scheme has recently been identified as a viable solution, in which users can delegate a trapdoor to the server and the server then searches on user outsourced encrypted data to determine whether two different ciphertexts are encryptions of the same plaintext. Such schemes are, unfortunately, inefficient particularly for deployment on mobile devices (with limited power/battery life and computing capacity). In this paper, we propose an efficient IBEET scheme with bilinear pairing, which reduces the need for time-consuming HashToPoint function. We then prove the security of our scheme for one-way secure against chosen identity and chosen ciphertext attacks (OW–ID–CCA) in the random oracle model (ROM). The performance evaluation of our scheme demonstrates that in comparison to the scheme of Ma (2016), our scheme achieves a reduction of 36.7% and 39.24% in computation cost during the encryption phase and test phase, respectively, and that our scheme is suitable for (mobile) cloud deployment.     

一种可抵抗统计攻击的安全索引

现有的大部分可检索加密方案建立的安全索引面临着统计攻击的威胁.为了抵抗统计攻击,部分方案设计出关键词/文档一一对应的陷门,以检索时多次的陷门计算为代价保证安全性,但是这样又导致检索速度过于慢而无法接受.为此,研究了针对密文的安全检索方案,在克服已有方案缺点的同时保证对于统计攻击的安全性.该方案使用Bloom过滤器为文档的关键词构造索引.为了确保检索效率,对于相同的关键词构造唯一对应的陷门.通过增加伪造的文档索引,并且在索引中进行插值来确保每个关键词在文档集合中出现的次数相似,从而达到语义安全并且能够抵抗统计攻击.在实现中,对索引进行倒排进一步提高检索效率.证明了本方案的安全性,且采用实验验证了其有效性和高效性.     

适合移动云存储的基于属性的关键词搜索加密方案

近年来,随着移动设备性能的不断提升和移动互联网的迅猛发展,越来越多的移动终端参与云端数据存储与共享.为了更好地解决资源受限的移动设备参与云端数据共享的安全和效率问题,基于支持通配符的与门访问结构,提出了一种高效的基于属性的关键词搜索加密方案,并证明了其在标准模型下满足选择关键词明文攻击的不可区分安全性和关键词安全性.该方案采用韦达定理使得每个属性仅需用一个元素表示,方案中索引长度固定,陷门和密钥的长度及陷门算法和搜索算法的计算复杂度与访问结构中可使用的通配符数量上限成正比,同时,移除了索引和陷门传输过程中的安全信道,进一步降低了开销.效率分析表明：与其他方案相比,该方案的计算开销和通信开销较小,更加适用于移动云存储环境.     

Certificateless signcryption scheme in the standard model

Certificateless public key signcryption scheme is an important cryptographic primitive in cryptography. Barbosa and Farshim proposed a certificateless signcryption scheme. However, their construction is proven to be secure in the random oracle model but not the standard model, and the scheme is also vunlerable to the malicious-but-passive key generation center (KGC) attacks. To overcome these disadvantages, we introduce a formal security model for certificateless signcryption schemes secure against the malicious-but-passive KGC attacks and propose a novel certificateless signcryption scheme. The proposed certificateless signcryption scheme is proven to be IND-CCA2 secure under the decisional Bilinear Diffie-Hellman intractability assumption without using the random oracles. The proposed scheme is also proven to be existentially unforgeable under the computational Diffie-Hellman intractability assumptions. Furthermore, performance analysis shows that the proposed scheme is efficient and practical.     

Tight chosen ciphertext attack （CCA）-secure hybrid encryption scheme with full public verifiability

In this paper, we propose a new ＂full public verifiability＂ concept for hybrid public-key encryption schemes. We also present a new hybrid public-key encryption scheme that has this feature, which is based on the decisional bilinear Diffie-Hellman assumption. We have proven that the new hybrid public-key encryption scheme is secure against adaptive chosen ciphertext attack in the standard model. The ＂full public verifiability＂ feature means that the new scheme has a shorter ciphertext and reduces the security requirements of the symmetric encryption scheme. Therefore, our new scheme does not need any message authentication code, even when the one-time symmetric encryption scheme is passive attacks secure. Compared with all existing publickey encryption schemes that are secure to the adaptive chosen ciphertext attack, our new scheme has a shorter ciphertext, efficient tight security reduction, and fewer requirements （if the symmetric encryption scheme can resist passive attacks）.     

Direct chosen-ciphertext secure identity-based key encapsulation without random oracles

We describe a practical identity-based encryption scheme that is secure in the standard model against chosen-ciphertext attacks. Our construction applies “direct chosen-ciphertext techniques” to Waters’ chosen-plaintext secure scheme and is not based on hierarchical identity-based encryption. Furthermore, we give an improved concrete security analysis for Waters’ scheme. As a result, one can instantiate the scheme in smaller groups, resulting in efficiency improvements.     

抗关键词猜测攻击的可搜索公钥加密方案

已有带关键词搜索的公钥加密方案和无安全信道的带关键词搜索的公钥加密方案存在关键词猜测攻击的安全性缺陷。针对这一问题,提出了一个无安全信道无指定服务器的带关键词搜索的公钥加密方案框架。该框架不仅具有无安全信道和无指定服务器的优点,而且有效解决了关键词猜测攻击的问题。基于该框架,构造了一个高效基于双线性对的无安全信道无指定服务器的带关键词搜索的公钥加密方案,并在标准模型中严格证明了该方案满足适应性选择关键词攻击下的关键词密文不可区分安全性和关键词陷门不可区分安全性。与已有的一些带关键词搜索的公钥加密方案和无安全信道的带关键词搜索的公钥加密方案相对比,该方案不仅具有优良的特性,而且在计算效率和通信代价上具有明显的优势。     

无证书签名改进方案的安全性证明

分析明洋等提出的无证书签名方案(电子科技大学学报,2008年第37卷第2期),指出该方案不能抵抗公钥替换攻击。采用“绑定”公钥到哈希函数的方法对明方案进行改进,改进方案可以抵抗公钥替换攻击并具有较高的效率,其安全性依赖于q-SDH困难问题和扩展逆计算Diffie-Hellman困难问题。在随机预言机模型下,证明改进方案能够抵抗适应性选择消息攻击下的存在性伪造。     

Cryptanalysis of a certificateless signcryption scheme in the standard model

Certificateless signcryption is a useful primitive which simultaneously provides the functionalities of certificateless encryption and certificateless signature. Recently, Liu et al. [15] proposed a new certificateless signcryption scheme, and claimed that their scheme is provably secure without random oracles in a strengthened security model, where the malicious-but-passive KGC attack is considered. Unfortunately, by giving concrete attacks, we indicate that Liu et al. certificateless signcryption scheme is not secure in this strengthened security model.