Security and Communication Networks

Volume 2018, Article ID 7254305, 7 pages

https://doi.org/10.1155/2018/7254305

## A Secure Ciphertext Retrieval Scheme against Insider KGAs for Mobile Devices in Cloud Storage

^{1}School of Mathematics, Yibin University, Yibin, China^{2}School of Computer and Information Engineering, Yibin University, Yibin, China^{3}School of Computer Science, Guangzhou University, Guangzhou, China^{4}School of Computer Science, Southwest Petroleum University, Chengdu, China

Correspondence should be addressed to Chongzhi Gao; nc.ude.uhzg@oagzc

Received 13 February 2018; Revised 24 April 2018; Accepted 10 May 2018; Published 6 June 2018

Academic Editor: Ilsun You

Copyright © 2018 Run Xie et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

With the advent of cloud computing, data privacy has become one of critical security issues and attracted much attention as more and more mobile devices are relying on the services in cloud. To protect data privacy, users usually encrypt their sensitive data before uploading to cloud servers, which renders the data utilization to be difficult. The ciphertext retrieval is able to realize utilization over encrypted data and searchable public key encryption is an effective way in the construction of encrypted data retrieval. However, the previous related works have not paid much attention to the design of ciphertext retrieval schemes that are secure against inside keyword-guessing attacks (KGAs). In this paper, we first construct a new architecture to resist inside KGAs. Moreover we present an efficient ciphertext retrieval instance with a designated tester (dCRKS) based on the architecture. This instance is secure under the inside KGAs. Finally, security analysis and efficiency comparison show that the proposal is effective for the retrieval of encrypted data in cloud computing.

#### 1. Introduction

With the development and deployment of cloud computing, more and more mobile devices are connected to the cloud and receiving services provided by the cloud servers. Cloud storage service is one of the most critical applications of cloud computing, which offers great convenience to users, including the storage of data and sharing of data [1]. However, the cloud service providers are usually cannot be completely trusted because they are managed and controlled by a third party such as Google or Amazon. Thus, the users have to take the risk that the cloud servers may find and leak their sensitive information.

To tackle the challenge of security in cloud storage, a lot of research has been performed to address the security and privacy issues in cloud computing, such as the cloud data access control [2–4], cloud data outsourcing computation [5–8], and privacy in data processing [9–13].

To protect data privacy, data are usually encrypted before they are uploaded to the cloud server. Nevertheless, this way generates the new obstacles that the cloud server is not able to carry out data retrieval over ciphertext data [14]. When users would like to access the part of encrypted data, they have to get entire data back or share the keys with the cloud server. As a result, users have to pay more for the bandwidth or give up their data privacy.

To overcome this obstacle, the concept of searchable encryption [15] was first proposed by Song et al. at 2000. Meanwhile, based on symmetric encryption, they proposed the keyword search scheme based on symmetric encryption, namely, Searchable Symmetric Encryption (abbreviation SSE). The searchable encryption permits users to retrieve a particular keyword over encrypted data by sending a trapdoor to the cloud server. However, the SSE involves detailed secret key management.

To overcome weakness and improve security, a new searchable encryption primitive was presented by Boneh and Boyen, which is called Public key Encryption with Keyword Search (PEKS in short) [16]. In their solution, with public information, the sender can encrypt the keyword associated with encrypted data and store its ciphertext to cloud server. To achieve keyword retrieval over the encrypted data, the receiver creates a trapdoor corresponding to the keyword, then he delivers the trapdoor to server. By the testing procedure, the server can find the ciphertext of keyword associated with the trapdoor. Then it sends corresponding data to receiver. Yet, there is the requirement of secure channel in their PEKS [16]. Usually, it is difficult to fulfill this requirement. This weakness limits the applications of their scheme. Following Boneh’s PEKS, Baek et al. presented a new PEKS solution, which is called Secure Channel Free Public Key Encryption with Keyword Search [17] (denoted as SCF-PEKS). However, Baek’s scheme was proved to be insecure by Yau et al. [18] with the following reasons. When the outside adversary acquires a trapdoor in channel, he can launch keyword-guessing attacks. This attack is called outside KGAs. So far, many of existing solutions concentrate on building up the security to resist outside KGAs [19–23]. Only a few schemes [24–28] are secure against this attacks.

Additionally, the most difficult issue is to resist keyword-guessing attacks launched by the cloud server, namely, inside KGAs. The inside KGAs are that the test server launched keyword-guessing attacks. Actually, such kind of attack also has been considered in deduplication system [30] and other security protocols [3, 31–33]. Specifically, the malicious server can create their ciphertext since the production of a PEKS ciphertext of keyword involves only public parameters. Given the trapdoor, the malicious cloud server can perform the test procedure with the guessing keyword. Therefore the server is able to know if the guessing keyword matches given trapdoor. Repeating guessing-then-testing process, the server can find the correct keyword. Because of the weakness of the small size of keyword space, this attack is available. Based on dual-server, Chen et al. [34] presented a new PEKS scheme which is considered to be secure against insider KGAs. However, in their solution, the front server can test whether the ciphertext of keyword relates to given trapdoor. Hence, under the original framework of [16], designing a secure scheme against inside KGAs is out of the question.

Recently, a new scheme [29] has been proposed by Jiang et al. based on slightly different architecture. With the aid of TTP (trusted third party), their solution can resist inside KGAs. In [29], TTP delivers its secret key to the sender from a safe channel. With his own secret key, the sender produces the legal ciphertext of keywords. Without the sender’s secret key, the server is not able to generate a correct ciphertext of keyword as inputs of the test procedure. Hence, the server is not able to launch inside KGAs.

##### 1.1. Our Contributions

In this paper, we present a new ciphertext retrieval system with a designated tester (dCRKS) based on the new security model. Compared with some analogous works, such as the cloud data retrieval schemes [35–37], the advantages of this system can be summarized as follows.

Firstly, we build security model of ciphertext retrieval system. Here, the server will not be considered as special attacker. So this model is more simple.

Second, we design an instance of dCRKS. This dCRKS instance can resist inside KGAs. In the instance, the server can not produce a correct ciphertext of keywords without the secret key of sender. Meanwhile the server can not generate a valid trapdoor without the secret key of receiver. Therefore, the malicious server is not able to launch inside KGAs. Most of the existing literatures (as [25, 28]) can not resist inside KGAs. Although the [29] is secure against inside KGAs, the TTP (trusted third party) is required in their scheme.

Thirdly, in this dCRKS instance, only a specified server is able to test whether given trapdoor relates to a dCRKS ciphertext. So, the proposal is stronger than [29].

Last, the analysis proves that the generation method of trapdoor and the testing algorithm are more effective than those of [29].

#### 2. Preliminaries

Here, we will build the framework of dCRKS and its security model. Next, we introduce the hard assumptions which are used to prove the security of the instance of dCRKS system. In security model, let be an adversary. The challenger denoted by . The dCRKS ciphertexts refer to the list of encrypted keywords.

##### 2.1. Framework of dCRKS and Security Model

###### 2.1.1. Framework of dCRKS

The dCRKS system is a ciphertext retrieval approach. In this system, only the specified server can carry out the testing procedure with the correct dCRKS ciphertext. The framework of dCRKS consists of the four algorithms. They are defined as follows.

*Setup*. Here is the essential parameter. Let be the set public parameter. Inputting , this algorithm outputs .

*KeyGen *. When the are imported, this algorithm outputs (), (), and (). The (or ) is the sender’s public (or private) key. Similarly, the receiver’s public (private) is the (). The server’s public (private) is the ().

*EndCRKS *. Let be a keyword. Taking , , , , and the public parameter as input, this EndCRKS produces corresponding to , where is dCRKS ciphertext.

*dTrapdoor *. When the keywords , , , and are imported, this algorithm produces a trapdoor corresponding to .

*dTest *. In this algorithm, the server takes a trapdoor , , a dCRKS ciphertext , and its private key as input. If , it replies “yes”; otherwise it replies “no”.

###### 2.1.2. Security Model

Here, we construct the security architecture of the dCRKS. The security of dCRKS ciphertext and trapdoor are defined by this architecture. The security of dCRKS is based on the two games.

In game 1, the adversary can be a malicious server or a malicious receiver or other attackers. So, the adversary can know the server’s secret key or the receiver’s secret key. The only limitation is that the adversary can not query the trapdoors corresponding to the challenge keywords , . The dCRKS ciphertext is secure. That means the adversary is unable to differentiate between the dCRKS ciphertext of and the dCRKS ciphertext of keyword when the coupling trapdoor has not be obtained.

In game 2, the adversary can be a malicious server or a malicious sender or other attackers. Clearly, he can obtain the server’s secret key or the receiver’s secret key. The security of trapdoor requires that the is unable to differentiate between a trapdoor of and a trapdoor of when the coupling trapdoor has not be obtained, where and are the challenge keywords.

The game 1 is described as follows.

*Game 1*. In this game, the can enquire for private key and trapdoor. Yet is not permitted to enquire the coupling trapdoors of the challenge keywords , , where both and are his choice. It requires that differentiates between the dCRKS ciphertext of keyword and the dCRKS ciphertext of . If the can not win this game with nonnegligible probability, the dCRKS scheme is secure to resist the chosen keyword attacks.

*Init*. In this phase, issues as the challenge public key .

*Setup*. Running the setup procedure, generates the public parameters and gives the public parameters to adversary .

*Phase 1*. performs repeatedly inquiries. The restriction is that the number of enquiries is no more than polynomially bounded.

*Pk-Query (Private Key Query)*. For , sends to , then replies with .

*T-Query (Trapdoor Query)*. issues and to . runs the trapdoor procedure and replies the trapdoor for , to .

*Challenge*. chooses the pair keywords () and as the challenge keywords for . The restriction is that the private key corresponding to or the trapdoors corresponding to and have not been enquired by . generates the challenge ciphertext and replies to , where is a random bit.

*Phase 2*. In this phase, can still enquire the secret keys () and the trapdoors () or the trapdoor for with , . replies as Phase 1.

*Outputs*. In the end, guesses . When , it means that wins this game.

*Game 2*. Here, can enquire for dCRKS ciphertext and secret key. Yet, is not allowed to enquire the dCRKS ciphertexts corresponding to the challenge keywords and , where both and are his choice. It requires that differentiates between the trapdoor of keyword and the trapdoor of . If the can not win this game with nonnegligible advantage probability, the dCRKS system can resist the chosen keyword attacks.

*Init*. issues the challenge public key .

*Setup*. Running setup procedure, the produces public parameters and delivers the parameters to .

*Phase 1*. performs repeatedly inquiries. The restriction is that the number of inquiries is no more than polynomially bounded.

*Pk-Query*. sends to , , and responds to with .

*dc-Query (dCRKS Ciphertext Query)*. sends and to . Running the EndCRKS procedure, replies the ciphertext for , to .

*Challenge*. chooses a pair keywords , , and as the challenge keywords for . The restriction is that the secret key for or the dCRKS ciphertext of , for has not been inquired by . generates as challenge trapdoor and replies to , where is a random bit.

*Phase 2*. In this phase, can still enquire the dCRKS ciphertexts and the secret key for or the dCRKS ciphertexts for and , . replies as the first phase.

*Outputs*. In the end, guesses . When , it means that wins this game.

##### 2.2. Complexity Assumptions

###### 2.2.1. Bilinear Map

Let and be multiplicative cyclic groups with the order (prime). Let be a bilinear map. has the following properties:

(1) , exist, such that is not equal to .

(2) For all and , , the is true.

(3) For all , the can be calculated in polynomial time.

###### 2.2.2. Complexity Assumptions

According to [38], the Computational Diffie-Hellman (CDH) problem is considered to be hard on and . Meanwhile, we know that the Decision Diffie-Hellman (DDH) problem [39] is hard on .

In additional, to prove the security of dCRKS system, we need to introduce a new hard problem on and , namely, the Strong Decisional Diffie-Hellman assumption (in short SDDH). The SDDH problem is defined as follows.

The SDDH problem in () is as follows.

Given as input, output “yes” if and “no” otherwise, where , , , .

As is known, is not able to infer from because the is considered to be one-way functions. Moreover, can not be calculated from , , and . In fact, even the DDH problem is easy, the SDDH problem is seemingly still intractable.

Additionally, the DLP (discrete logarithm problem) is assumed to hold over and .

#### 3. dCRKS against Insider Attacks

##### 3.1. The Instance of dCRKS

Now, we will describe the instance of dCRKS. Here, the and are given groups as the previous definition. Let be the hash function, which is considered as random oracle in security model.

*Setup*. Let be a bilinear map on . Let be the order of and , where both and are multiplicative cyclic group. This procedure produces , where is the set of public parameters. The generator of is .

*KeyGen *. Takes as input , , , , and , where , , . This procedure generates key as the following way.

and , where and are the sender’s private key and public key, respectively.

and , where and are the receiver’s private key and public key.

and , where and are the server’s private key and public key.

*EndCRKS *. The sender takes a keyword , , , , , and a random as input. This procedure produces as the dCRKS ciphertext of output. , , and are calculated as follows:

*dTrapdoor *. The receiver takes a keyword , , , , and as inputs. This procedure produces as the trapdoor of output. and are calculated as follows: ; .

*dTest*. Receiving a trapdoor , the server runs dTest algorithm over the dCRKS ciphertexts with his private key . Let be a dCRKS ciphertext. The retrieving operation is executed by checking

If the above equation is true, the algorithm returns 1; otherwise it returns 0.

##### 3.2. Correctness of dCRKS

Now, we show that the above instance is correct. Let be a dCRKS ciphertext which matches the trapdoor . By the following equations, we can verify the correctness of dTest. ; ; ; ; .

When , we can obtain the equations

As a result, the correctness of dTest is verified as follows: .

##### 3.3. Security of dCRKS

###### 3.3.1. Security of dCRKS Ciphertext

In this section, we demonstrate that the ciphertexts of keywords are secure under the chosen keyword attack in the instance.

Theorem 1. *Suppose the SDDH problem is hard; the dCRKS instance can achieve dCRKS ciphertext indistinguishability.*

*Proof. *Let be polynomial-time adversary. If can break the dCRKS instance with nonnegligible advantage probability, we construct an algorithm as the challenger, who can solve the SDDH problem with nonnegligible advantage probability.*Init*. The issues the challenge public key and a keyword set .*Setup*. Let be a SDDH instance. is given and (, , ). The setup procedure produces parameters , then sends to .*Phase 1*. can carry out multiple queries. The restriction is that the number of enquiries is no more than polynomially bounded.*Pk-Query*. To inquire ’s private key, transmits to . If , returns to .*T-Query*. To inquire the trapdoor of , issues and to . responds the trapdoor for , by calling the trapdoor oracle.*Challenge*. Let be the sender’s identity. selects , , and as challenge. The restriction is that the secret key for or the trapdoor for , for have not been inquired by . replies the challenge ciphertext to , where is a tuple () and , , and .*Phase 2*. can still enquire the trapdoor and the secret key for or the trapdoor for and , . replies as the front phase.*Outputs*. In the end, outputs .*Analysis*. Because the actual dCRKS ciphertext is , , and , the distribution of challenge ciphertext is identical to that in the actual system. In fact, for the uniformly random , , needs to differentiate between the tuple (, ) and the tuple (, ). If , the simulation is perfect. denotes nonnegligible probability. As a result, if has advantage probability to determine the bits correctly, then the can solve the SDDH problem with identical advantage probability .

This completes the proof of dCRKS ciphertexts indistinguishability.

###### 3.3.2. Security of Trapdoor

Now, we show that the trapdoor is secure under the chosen keyword attack.

Theorem 2. *The dCRKS instance can achieve the trapdoor indistinguishability to resist the chosen keyword attack under random oracle model in game 2.*

*Proof. *In this section, we show that the polynomial-time algorithm is able to differentiate between the ciphertext of keyword and the ciphertext of keyword if and only if he can distinguish two uniform distributions on .*Init*. issues as the challenge public key.*Setup*. Running the setup procedure, gives the public parameters to .*Phase 1*. implements multiple queries without exceeding polynomial bounded.*Pk-Query.* To inquire ’s private key, sends to , . Then returns .*dc-Query*. issues and to . Running EndCRKS oracle, returns for , to .*Challenge*. chooses keywords , , and as his challenge. The restriction is that the ciphertext for , for or the private key for has not be enquired by . picks two random , and computes the challenge trapdoor , where . Then replies the challenge trapdoor to .*Phase 2*. can still enquire the ciphertext and the secret key for or the ciphertext for and , . replies as first phase.*Outputs*. outputs .*Analysis*. By enquiring, can obtain , , and . In scheme, , where is uniform random value. Thus the distribution of is a uniform distribution on . Meanwhile, the is uniform distribution on with taking uniform random , . As a result, the simulation is perfect, namely, the distribution of is identical to that in the actual system.

Moreover, as game 2, can not know and . Even if can calculate the following value: = cannot distinguish (where ) from (where ).

Therefore, can guess with nonnegligible advantage probability, then can distinguish between and uniformly distribution on with identical advantage probability.

###### 3.3.3. Analysis of against Inside KGAs

In this section, we show that the dCRKS instance is secure against inside KGAs as follows.

First, given the trapdoor , the server can generate the legal ciphertext corresponding to if and only if it can obtain the specified senders private key. Maybe the server can select and calculate to produce ciphertext corresponding to , where

Let , then

Based on the dTest, the is true if and only if and , where and correspond to . However, given the trapdoor , the probability of selecting such that is negligible, even . Therefore, the malicious cloud server is not able to launch keyword-guessing attacks by computing the dCRKS ciphertext of all possible keywords.

Second, given the ciphertext , the cloud server can not produce a legal trapdoor corresponding to . Although the server may select a , , and to generate the trapdoor, the probability of selecting such that is negligible, where is the receiver’s private key associated with the . Based on the same analysis, we know that the malicious cloud server is not able to launch keyword-guessing attacks by creating the trapdoor of all possible keywords.

Lastly, taking , , and , the server may build the following equation:

However, this equation can not help to find correct trapdoor or launch KGAs since contains a random number. Summarize these reasons; the proposal is secure under the inside KGAs.

#### 4. Performance Analysis

Now, we demonstrate efficiency of the proposal by analyzing its security and calculation cost. With the analysis in Table 1, it shows that only [29] and our scheme are secure to resist inside KGAs. Furthermore, the TTP is removed in our scheme.