Pairing-free equality test over short ciphertexts


Research Article

International Journal of Distributed Sensor Networks 2017, Vol. 13(6). © The Author(s) 2017. DOI: / journals.sagepub.com/home/ijdsn

Huijun Zhu, Licheng Wang, Haseeb Ahmad and Xinxin Niu

Abstract

The concept of public key encryption with equality test was introduced at CT-RSA 2010. It has been used in many fields, especially in cloud storage. However, the previous schemes do not provide an effective authorization mechanism. To fill this gap, Ma et al. presented a public key encryption with equality test supporting flexible authorization, based on bilinear pairings. Recently, Lin et al. presented a pairing-free scheme that employs a quadratic curve to perform the equality tests, which achieves a trade-off between computational cost and storage space. In this article, we show that the equality test can be performed better by using a straight line rather than a quadratic curve. Moreover, we simplify the encryption algorithm and reduce the ciphertext storage space.

Keywords: Public key encryption with equality test, cloud storage, flexible authorization

Date received: 11 October 2016; accepted: 16 May 2017

Academic editor: Shancang Li

Introduction

Searchable encryption (SE), presented in 2004 by Boneh et al.,[1] allows a server to check whether some messages contain a specific keyword without retrieving the entire messages. Subsequently, the research community presented many improved schemes.[2-8] In 2007, Bellare and O'Neill[9] conceptualized deterministic encryption (DE) for public-key encryption schemes, in which the encryption algorithm is executed in a deterministic manner. Later, DE was extended by Bellare et al.[10] and by Boldyreva and O'Neill.[11] However, DE could not gain wide acceptance because of its deterministic approach. With the development of cloud computing and outsourcing, traditional encryption schemes cannot provide solutions for many applications, such as the splitting of a database.
To handle the prescribed issue, Yang et al.[12] proposed the notion of public key encryption with equality test (PKEwET) at CT-RSA 2010. This mechanism allows anyone to check whether two ciphertexts contain the same message without decrypting them. Tang[13] strengthened PKEwET with fine-grained authorization (FG-PKEwET), in which two users authorize a semi-trusted proxy to perform the equality test on their ciphertexts. Later, an extension of FG-PKEwET was also put forward by Tang.[14] In the same year, Tang[15] presented a new primitive called all-or-nothing PKEwET (AoN-PKEwET), which authorizes specific users to perform a plaintext equality test on their ciphertexts. Another perspective, identity-based encryption with equality test (IBEwET), was proposed by Ma,[16] combining the concepts of PKEwET and identity-based encryption. The privacy of users is an essential consideration when designing an applied protocol. Therefore, Ma et al.[17] strengthened the concept of PKEwET by introducing flexible authorization, termed PKEwET-FA. In that scheme, the authors implemented different authorization policies, each with a corresponding trapdoor used by the test algorithm. For instance, as described in Ma et al.,[17] suppose Alice is a ciphertext receiver; then four types of authorization with different granularity can be described as follows:

Type 1. User-level authorization: all ciphertexts of Alice can be compared with all ciphertexts of any other receiver.

Type 2. Ciphertext-level authorization: a specific ciphertext of Alice can be compared with a specific ciphertext of any other receiver.

Type 3. User-specific ciphertext-level authorization: a specific ciphertext of Alice can only be compared with a specific ciphertext of a specific receiver, for example Bob, and cannot be compared with any ciphertext of any receiver other than Bob.

Type 4. Ciphertext-to-user (or user-to-ciphertext) level authorization: a specific ciphertext of Alice can be compared with all ciphertexts of any other receiver (or vice versa).

Recently, Lin et al.[18] proposed a new PKEwET-FA scheme in which the equality tests are performed without bilinear pairings. More precisely, the authors use the message to generate a quadratic curve and then apply Shamir's secret sharing scheme to perform the equality test. Although this removes the dependence on bilinear pairings, the computational cost of the scheme is high because of the quadratic curve.

Motivation and contribution

In this article, we improve the scheme of Lin et al.[18] by replacing the quadratic curve with a straight line to reduce the computational cost. Moreover, we simplify the encryption algorithm, reducing the number of modular exponentiations.

State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, P.R. China

Corresponding author: Licheng Wang, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, P.R. China. wanglc212@126.com

Creative Commons CC-BY: This article is distributed under the terms of the Creative Commons Attribution 4.0 License, which permits any use, reproduction and distribution of the work without further permission provided the original work is attributed as specified on the SAGE Open Access pages (openaccess.htm).
Compared with Lin et al.,[18] our proposed scheme is more efficient in the equality test as well as in encryption and decryption. Furthermore, the ciphertext storage space is also smaller than that of Lin et al.[18] We compare the presented scheme with previous work, and the result shows that our scheme is more efficient and robust.

Organization

The rest of this article is organized as follows. In section Preliminaries, Shamir's secret sharing scheme and the related security model are discussed. In section The proposed scheme, we present our scheme with four types of authorization and prove the validity of the proposed scheme. In section Security, we provide the security proof of the presented scheme. In section Performance analysis, a detailed analysis of the presented scheme and comparisons with other schemes are presented. Finally, concluding remarks are given in section Conclusion.

Preliminaries

Definitions

Definition 1 (Decision Diffie-Hellman (DDH) problem). Let $G$ be a group of large prime order $q$, and consider the two 4-tuples $(g, g^a, g^b, g^{ab})$ and $(g, g^a, g^b, g^c) \in G^4$ with $g \neq 1$, where $a, b, c \in \mathbb{Z}_q$. A DDH algorithm $A$ for the group $G$ is a probabilistic polynomial-time algorithm satisfying

$$\left|\Pr[A(g, G, g^a, g^b, g^{ab}) = \text{True}] - \Pr[A(g, G, g^a, g^b, g^c) = \text{True}]\right| \geq \varepsilon.$$

We say that the group $G$ satisfies the DDH assumption if there is no DDH algorithm for $G$.

Definition 2 (Correctness). A PKEwET-FA scheme is correct if, for any $sp \leftarrow \mathrm{Setup}(k)$ and $(pk_i, sk_i) \leftarrow \mathrm{KeyGen}(sp, i)$, the following conditions are satisfied.

1. For any $M \in \mathcal{M}$, $\mathrm{Decrypt}(\mathrm{Encrypt}(M, pk_i), sk_i) = M$ always holds.

2. For any ciphertexts $c_i$ and $c_j$, if $\mathrm{Decrypt}(c_i, sk_i) = \mathrm{Decrypt}(c_j, sk_j) \neq \bot$:

(a) Type 1 authorization. Given $\mathrm{Aut}_1(sk_i) = td_{1,i}$ and $\mathrm{Aut}_1(sk_j) = td_{1,j}$, it holds that $\mathrm{Test}_1(c_i, td_{1,i}, c_j, td_{1,j}) = 1$.

(b) Type 2 authorization. Given $\mathrm{Aut}_2(sk_i, c_i) = td_{2,i,c_i}$ and $\mathrm{Aut}_2(sk_j, c_j) = td_{2,j,c_j}$, it holds that $\mathrm{Test}_2(c_i, td_{2,i,c_i}, c_j, td_{2,j,c_j}) = 1$.

(c) Type 3 authorization. Given $\mathrm{Aut}_3(sk_i, c_i, c_j) = td_{3,i,c_i,j,c_j}$ and $\mathrm{Aut}_3(sk_j, c_j, c_i) = td_{3,j,c_j,i,c_i}$, it holds that $\mathrm{Test}_3(c_i, td_{3,i,c_i,j,c_j}, c_j, td_{3,j,c_j,i,c_i}) = 1$.

(d) Type 4 authorization. Given $\mathrm{Aut}_4(sk_i, c_i) = td_{4,i,c_i}$ and $\mathrm{Aut}_4(sk_j) = td_{4,j}$, it holds that $\mathrm{Test}_4(c_i, td_{4,i,c_i}, c_j, td_{4,j}) = 1$.

3. For any ciphertexts $c_i$ and $c_j$, if $\mathrm{Decrypt}(c_i, sk_i) \neq \mathrm{Decrypt}(c_j, sk_j)$:

(a) Type 1 authorization. Given $\mathrm{Aut}_1(sk_i) = td_{1,i}$ and $\mathrm{Aut}_1(sk_j) = td_{1,j}$, $\Pr[\mathrm{Test}_1(c_i, td_{1,i}, c_j, td_{1,j}) = 1]$ is negligible.

(b) Type 2 authorization. Given $\mathrm{Aut}_2(sk_i, c_i) = td_{2,i,c_i}$ and $\mathrm{Aut}_2(sk_j, c_j) = td_{2,j,c_j}$, $\Pr[\mathrm{Test}_2(c_i, td_{2,i,c_i}, c_j, td_{2,j,c_j}) = 1]$ is negligible.

(c) Type 3 authorization. Given $\mathrm{Aut}_3(sk_i, c_i, pk_j, c_j) = td_{3,i,c_i,j,c_j}$ and $\mathrm{Aut}_3(sk_j, c_j, pk_i, c_i) = td_{3,j,c_j,i,c_i}$, $\Pr[\mathrm{Test}_3(c_i, td_{3,i,c_i,j,c_j}, c_j, td_{3,j,c_j,i,c_i}) = 1]$ is negligible.

(d) Type 4 authorization. Given $\mathrm{Aut}_4(sk_i, c_i) = td_{4,i,c_i}$ and $\mathrm{Aut}_4(sk_j) = td_{4,j}$, $\Pr[\mathrm{Test}_4(c_i, td_{4,i,c_i}, c_j, td_{4,j}) = 1]$ is negligible.

Shamir's secret sharing scheme

Shamir's $(t, n)$-threshold secret sharing scheme is based on the Lagrange interpolation polynomial. Given $t$ distinct points $(x_i, f(x_i))$, where $f(x)$ is a polynomial of degree less than $t$, $f(x)$ is determined as

$$f(x) = \sum_{i=1}^{t} f(x_i) \prod_{j=1,\, j \neq i}^{t} \frac{x - x_j}{x_i - x_j}.$$

Shamir's scheme is defined for a secret $s \in \mathbb{Z}_p$ by setting $a_0 = s$ and choosing $a_1, a_2, \ldots, a_{t-1} \in \mathbb{Z}_q$. For all $1 \leq x_i \leq q$, $1 \leq i \leq n$, the trusted party computes $f(x_i)$, where $f(x) = \sum_{k=0}^{t-1} a_k x^k$. The shares $(x_i, f(x_i))$ are distributed to $n$ distinct parties. Since the secret is the constant term $s = a_0 = f(0)$, it can be recovered from any $t$ shares $(x_i, f(x_i))$ as

$$s = f(0) = \sum_{i=1}^{t} f(x_i) \prod_{j=1,\, j \neq i}^{t} \frac{x_j}{x_j - x_i}.$$

Security models

We recall the security models of PKEwET-FA defined in Ma et al.[17] The scheme consists of six algorithms: Setup, KeyGen, Encrypt, Decrypt, Authorization-a and Test-a ($a = 1, 2, 3, 4$). Suppose that the system has a label $i$ for user $u_i$. The Setup algorithm takes the security parameter as input and outputs the system parameters $sp$.
The KeyGen algorithm takes as input the system parameters and a user label $i$ and outputs the public key and private key of user $i$. The encryption algorithm takes the given public key and a message $M$ and outputs a ciphertext $c_i$. The decryption algorithm takes the private key $sk_i$ and a ciphertext $c_i$ and outputs a message $M$ or $\bot$. The authorization algorithm takes as input the private key $sk_i$ and other required information and outputs a trapdoor. The test algorithm takes as input two ciphertexts and the trapdoors and outputs 1 if they contain the same message and 0 otherwise. Because the Type 4 authorization is a combination of Type 1 and Type 2 authorization, we leave out Type 4 authorization queries for simplicity and only allow Type-a ($a = 1, 2, 3$) authorization queries to the adversary in the security games. Two types of adversaries for the security of PKEwET-FA are described as follows:

1. Type I adversary. For Type-a ($a = 1, 2, 3$) authorization, even with the Type-a trapdoor information, the attacker cannot recover the plaintext from the challenge ciphertext.

2. Type II adversary. For Type-a ($a = 1, 2, 3$) authorization, without the Type-a trapdoor information, the adversary cannot decide which message the challenge ciphertext $c_t$ encrypts.

First, we define one-wayness against chosen-ciphertext attack (OW-CCA) security for Type-a ($a = 1, 2, 3$) authorization against a Type I adversary in PKEwET-FA as follows.

Game 1. Suppose that $A_1$ is a Type I adversary and $S$ is the challenger. The target receiver has label $t$ ($1 \leq t \leq n$). The game between $A_1$ and $S$ is presented in Figure 1. Here, $O_1(i) = \mathrm{KeyGen}(sp, i)$, $O_2(i, c_i) = \mathrm{Dec}(sk_i, c_i)$, $O_3(i, \cdot) = \mathrm{ET.Auth}(sk_i, \cdot)$ and $O_6 = O_3$, but

$$O_4(i) = \begin{cases} O_1(i) & i \neq t \\ \bot & \text{otherwise} \end{cases}, \qquad O_5(i, c_i) = \begin{cases} O_2(i, c_i) & c_i \neq c_t \\ \bot & \text{otherwise.} \end{cases}$$

The advantage of $A_1$ in the above game is defined as

$$\mathrm{Adv}^{\text{OW-CCA, Type-}a}_{\text{PKEwET-FA},\, A_1}(k) = \Pr[M_t' = M_t] \quad (a = 1, 2, 3).$$

Definition 3. For Type-a ($a = 1, 2, 3$) authorization, a PKEwET-FA scheme is OW-CCA secure if for all OW-CCA adversaries $A_1$, $\mathrm{Adv}^{\text{OW-CCA, Type-}a}_{\text{PKEwET-FA},\, A_1}(k)$ is negligible in the security parameter $k$.

Figure 1. The game between $A_1$ and $S$.

Next, we define indistinguishability against chosen-ciphertext attacks (IND-CCA) security for Type-a ($a = 1, 2, 3$) authorization against a Type II adversary in PKEwET-FA as follows.

Game 2. Suppose that $A_2$ is a Type II adversary and $S$ is the challenger. The target receiver has label $t$ ($1 \leq t \leq n$). The game between $A_2$ and $S$ is presented in Figure 2. Here, $O_1(i) = \mathrm{KeyGen}(i)$, $O_2(i, c_i) = \mathrm{Dec}(sk_i, c_i)$, $O_3(i, \cdot) = \mathrm{ET.Auth}(sk_i, \cdot)$ and $O_6 = O_3$ restricted to $i \neq t$ for $a = 1$ and to $c_i \neq c_t$ for $a = 2$ or $3$, but

$$O_4(i) = \begin{cases} O_1(i) & i \neq t \\ \bot & \text{otherwise} \end{cases}, \qquad O_5(i, c_i) = \begin{cases} O_2(i, c_i) & c_i \neq c_t \\ \bot & \text{otherwise.} \end{cases}$$

Figure 2. The game between $A_2$ and $S$.

The advantage of $A_2$ in the above game is defined as

$$\mathrm{Adv}^{\text{IND-CCA, Type-}a}_{\text{PKEwET-FA},\, A_2}(k) = \left|\Pr[b' = b] - \tfrac{1}{2}\right| \quad (a = 1, 2, 3).$$

Definition 4. For Type-a ($a = 1, 2, 3$) authorization, a PKEwET-FA scheme is IND-CCA secure if for all IND-CCA adversaries $A_2$, $\mathrm{Adv}^{\text{IND-CCA, Type-}a}_{\text{PKEwET-FA},\, A_2}(k)$ is negligible in the security parameter $k$.

Notice. The aim of our scheme is to perform the equality test on the messages underlying ciphertexts of different users, so it can be used in multi-user settings of public key encryption.

The proposed scheme

Here, we describe our scheme in detail.

Setup($k$): Let $k$ be a security parameter and $M \in \{0, 1\}^k$. The algorithm outputs the system parameters $sp$ as follows:

1. Let $G$ be a group of prime order $q$ and $g$ a random generator of $G$.

2. Select hash functions $H_1 : G \to \{0, 1\}^k$, $H_2 : G^4 \to \mathbb{Z}_q^4$ and $H_3, H_4, H_5, H_6 : \{0, 1\}^k \to \mathbb{Z}_q$.

KeyGen($sp, i$): This algorithm allocates a label to each user and keeps a list of the users as (key, $i$). With the system parameters $sp$, it chooses $x_i, y_i \in \mathbb{Z}_q$ at random and computes $X_i = g^{x_i}$ and $Y_i = g^{y_i}$. The user's key pair is $(pk_i, sk_i) = ((X_i, Y_i), (x_i, y_i))$.

Encrypt($M, pk_i$): It takes the public key $pk_i$ and a message $M \in \{0, 1\}^k$ as input and outputs the ciphertext $c_i = (c_{i,1}, c_{i,2}, c_{i,3})$ as follows:

1. Use $H_3, H_4, H_5, H_6$ to create two points $p_1 = (H_3(M), H_4(M))$ and $p_2 = (H_5(M), H_6(M))$.

2. Use the two points $p_1, p_2$ to construct a straight line $f(x)$.

3. Choose $x_{i,1}, x_{i,2} \in \{0, 1\}^l$ at random and let $f(x_{i,1}) = y_{i,1}$ and $f(x_{i,2}) = y_{i,2}$. If $x_{i,1} = 0$ or $x_{i,2} = 0$, choose $x_{i,1}, x_{i,2} \in \{0, 1\}^l$ at random again.

4. Choose a random number $r \in \mathbb{Z}_q$ and let

$$c_{i,1} = g^r, \qquad c_{i,2} = M \oplus H_1(Y_i^r), \qquad c_{i,3} = (x_{i,1} \,\|\, x_{i,2} \,\|\, y_{i,1} \,\|\, y_{i,2}) \oplus H_2(X_i^r, c_{i,1}, c_{i,2}).$$

Decrypt($c_i, sk_i$): Given $sk_i$ and a ciphertext $c_i = (c_{i,1}, c_{i,2}, c_{i,3})$, the algorithm decrypts as follows:

$$M \leftarrow c_{i,2} \oplus H_1(c_{i,1}^{y_i}), \qquad x_{i,1} \,\|\, x_{i,2} \,\|\, y_{i,1} \,\|\, y_{i,2} \leftarrow c_{i,3} \oplus H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2}).$$

Then it uses $M$ to create $f(x)$ by the same process as steps (1) and (2) of Encrypt. If both $f(x_{i,1}) = y_{i,1}$ and $f(x_{i,2}) = y_{i,2}$ hold, the algorithm outputs $M$; otherwise, it outputs $\bot$.

Suppose $u_i$ and $u_j$ are two users in the system and $c_i = (c_{i,1}, c_{i,2}, c_{i,3})$ (resp. $c_j = (c_{j,1}, c_{j,2}, c_{j,3})$) is a ciphertext of $u_i$ (resp. $u_j$); $r_i$ (resp. $r_j$) denotes the randomness used in the generation of $c_i$ (resp. $c_j$).

1. Type 1 authorization

$\mathrm{Auth}_1(sk_i)$: The algorithm outputs the trapdoor $td_{1,i} = x_i$.

$\mathrm{Test}_1(c_i, td_{1,i}, c_j, td_{1,j})$: This algorithm computes

$$x_{i,1} \,\|\, x_{i,2} \,\|\, y_{i,1} \,\|\, y_{i,2} \leftarrow c_{i,3} \oplus H_2(c_{i,1}^{td_{1,i}}, c_{i,1}, c_{i,2}), \qquad x_{j,1} \,\|\, x_{j,2} \,\|\, y_{j,1} \,\|\, y_{j,2} \leftarrow c_{j,3} \oplus H_2(c_{j,1}^{td_{1,j}}, c_{j,1}, c_{j,2}),$$

$$f_i(x) \leftarrow (q, (x_{i,1}, y_{i,1}), (x_{j,1}, y_{j,1})), \qquad f_j(x) \leftarrow (q, (x_{i,2}, y_{i,2}), (x_{j,2}, y_{j,2})),$$

that is, $f_i(x)$ is the straight line over $\mathbb{Z}_q$ through the first recovered point of each ciphertext and $f_j(x)$ the line through the second points. Then it outputs 1 if $f_i(x) = f_j(x)$ holds, and 0 otherwise.

2. Type 2 authorization

$\mathrm{Auth}_2(sk_i, c_i)$: The algorithm computes the trapdoor $td_{2,i,c_i} = H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$.

$\mathrm{Test}_2(c_i, td_{2,i,c_i}, c_j, td_{2,j,c_j})$: This algorithm computes

$$x_{i,1} \,\|\, x_{i,2} \,\|\, y_{i,1} \,\|\, y_{i,2} \leftarrow c_{i,3} \oplus td_{2,i,c_i}, \qquad x_{j,1} \,\|\, x_{j,2} \,\|\, y_{j,1} \,\|\, y_{j,2} \leftarrow c_{j,3} \oplus td_{2,j,c_j},$$

$$f_i(x) \leftarrow (q, (x_{i,1}, y_{i,1}), (x_{j,1}, y_{j,1})), \qquad f_j(x) \leftarrow (q, (x_{i,2}, y_{i,2}), (x_{j,2}, y_{j,2})).$$

Then it outputs 1 if $f_i(x) = f_j(x)$ holds, and 0 otherwise.

3. Type 3 authorization

$\mathrm{Auth}_3(sk_i, c_i, c_j)$: The algorithm computes the trapdoor

$$td_{3,i,c_i,j,c_j} = (z_i, V_{i,1}, V_{i,2}) = \left([H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})]_1^{2l},\; Z_i^{y_{i,1}},\; Z_i^{y_{i,2}}\right), \qquad Z_i = c_{j,1} \cdot c_{i,1},$$

where $[\cdot]_1^{2l}$ denotes the first $2l$ bits, that is, the part of the mask covering $x_{i,1} \,\|\, x_{i,2}$.
$\mathrm{Test}_3(c_i, td_{3,i,c_i,j,c_j}, c_j, td_{3,j,c_j,i,c_i})$: It first recovers

$$x_{i,1} \,\|\, x_{i,2} \leftarrow [c_{i,3}]_1^{2l} \oplus z_i, \qquad x_{j,1} \,\|\, x_{j,2} \leftarrow [c_{j,3}]_1^{2l} \oplus z_j.$$

Then it computes the Lagrange interpolation coefficients

$$D_{i,1} = \frac{x_{i,2}}{x_{i,2} - x_{i,1}} \pmod q, \quad D_{i,2} = \frac{x_{i,1}}{x_{i,1} - x_{i,2}} \pmod q, \quad D_{j,1} = \frac{x_{j,2}}{x_{j,2} - x_{j,1}} \pmod q, \quad D_{j,2} = \frac{x_{j,1}}{x_{j,1} - x_{j,2}} \pmod q.$$

Finally, it tests whether

$$V_{i,1}^{D_{i,1}} \cdot V_{j,1}^{D_{j,1}} = V_{j,2}^{D_{j,2}} \cdot V_{i,2}^{D_{i,2}}$$

holds. If it does, it returns 1, and 0 otherwise.

4. Type 4 authorization

$\mathrm{Auth}_4(sk_i, c_i)$: The algorithm computes the trapdoor $td_{4,i,c_i} = \mathrm{Aut}_2(sk_i, c_i) = H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$.

$\mathrm{Aut}_4(sk_j)$: The algorithm outputs the trapdoor $td_{4,j} = \mathrm{Aut}_1(sk_j) = x_j$.

$\mathrm{Test}_4(c_i, td_{4,i,c_i}, c_j, td_{4,j})$: This algorithm computes

$$x_{i,1} \,\|\, x_{i,2} \,\|\, y_{i,1} \,\|\, y_{i,2} \leftarrow c_{i,3} \oplus td_{4,i,c_i}, \qquad x_{j,1} \,\|\, x_{j,2} \,\|\, y_{j,1} \,\|\, y_{j,2} \leftarrow c_{j,3} \oplus H_2(c_{j,1}^{td_{4,j}}, c_{j,1}, c_{j,2}),$$

$$f_i(x) \leftarrow (q, (x_{i,1}, y_{i,1}), (x_{j,1}, y_{j,1})), \qquad f_j(x) \leftarrow (q, (x_{i,2}, y_{i,2}), (x_{j,2}, y_{j,2})).$$

Then it outputs 1 if $f_i(x) = f_j(x)$ holds, and 0 otherwise.

Theorem 1. According to Definition 2, our proposed PKEwET-FA scheme is correct.

Proof. We prove that our scheme satisfies the three conditions of Definition 2.

1. It is not difficult to check that the first condition is satisfied.

2. For the second condition, for any $sp \leftarrow \mathrm{Setup}(k)$, $(pk_i, sk_i) \leftarrow \mathrm{KeyGen}(sp, i)$, $c_i = (c_{i,1}, c_{i,2}, c_{i,3}) = \mathrm{Encrypt}(M_i, pk_i)$ and $c_j = (c_{j,1}, c_{j,2}, c_{j,3}) = \mathrm{Encrypt}(M_j, pk_j)$, the following equalities hold. For any message $M_i$ (resp. $M_j$), the straight line $f_i(x)$ (resp. $f_j(x)$) is constructed through the two points $(x_{i,1}, y_{i,1}), (x_{j,1}, y_{j,1})$ (or $(x_{i,2}, y_{i,2}), (x_{j,2}, y_{j,2})$). If $f_i(x) = f_j(x)$ (or $f_i(0) = f_j(0)$, in Type 3 authorization), we have $M_i = M_j$.
Type 1 authorization: With $td_{1,i} = x_i$ and $td_{1,j} = x_j$, we compute

$$x_{i,1} \,\|\, x_{i,2} \,\|\, y_{i,1} \,\|\, y_{i,2} \leftarrow c_{i,3} \oplus H_2(c_{i,1}^{td_{1,i}}, c_{i,1}, c_{i,2}), \qquad x_{j,1} \,\|\, x_{j,2} \,\|\, y_{j,1} \,\|\, y_{j,2} \leftarrow c_{j,3} \oplus H_2(c_{j,1}^{td_{1,j}}, c_{j,1}, c_{j,2}).$$

Therefore, $f_i(x) = f_j(x)$ holds for $M_i = M_j$.

Type 2 authorization: With $td_{2,i,c_i} = H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$ and $td_{2,j,c_j} = H_2(c_{j,1}^{x_j}, c_{j,1}, c_{j,2})$, we compute

$$x_{i,1} \,\|\, x_{i,2} \,\|\, y_{i,1} \,\|\, y_{i,2} \leftarrow c_{i,3} \oplus td_{2,i,c_i}, \qquad x_{j,1} \,\|\, x_{j,2} \,\|\, y_{j,1} \,\|\, y_{j,2} \leftarrow c_{j,3} \oplus td_{2,j,c_j}.$$

Therefore, $f_i(x) = f_j(x)$ holds for $M_i = M_j$.

Type 3 authorization: With

$$td_{3,i,c_i,j,c_j} = (z_i, V_{i,1}, V_{i,2}) = \left([H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})]_1^{2l},\; Z_i^{y_{i,1}},\; Z_i^{y_{i,2}}\right), \qquad td_{3,j,c_j,i,c_i} = (z_j, V_{j,1}, V_{j,2}) = \left([H_2(c_{j,1}^{x_j}, c_{j,1}, c_{j,2})]_1^{2l},\; Z_j^{y_{j,1}},\; Z_j^{y_{j,2}}\right),$$

where $Z_i = c_{j,1} \cdot c_{i,1}$ and $Z_j = c_{i,1} \cdot c_{j,1}$, so that $Z_i = Z_j = g^{r_i + r_j}$, we compute

$$x_{i,1} \,\|\, x_{i,2} \leftarrow [c_{i,3}]_1^{2l} \oplus z_i, \qquad x_{j,1} \,\|\, x_{j,2} \leftarrow [c_{j,3}]_1^{2l} \oplus z_j,$$

$$V_{i,1}^{D_{i,1}} \cdot V_{j,1}^{D_{j,1}} = Z_i^{y_{i,1} D_{i,1}} \cdot Z_i^{y_{j,1} D_{j,1}} = Z_i^{y_{i,1} D_{i,1} + y_{j,1} D_{j,1}} = Z_i^{f_i(0)},$$

$$V_{j,2}^{D_{j,2}} \cdot V_{i,2}^{D_{i,2}} = Z_i^{y_{j,2} D_{j,2}} \cdot Z_i^{y_{i,2} D_{i,2}} = Z_i^{y_{j,2} D_{j,2} + y_{i,2} D_{i,2}} = Z_i^{f_j(0)}.$$

Therefore, $f_i(0) = f_j(0)$ holds for $M_i = M_j$.

Type 4 authorization: With $td_{4,i,c_i} = H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$ and $td_{4,j} = x_j$, we compute

$$x_{i,1} \,\|\, x_{i,2} \,\|\, y_{i,1} \,\|\, y_{i,2} \leftarrow c_{i,3} \oplus td_{4,i,c_i}, \qquad x_{j,1} \,\|\, x_{j,2} \,\|\, y_{j,1} \,\|\, y_{j,2} \leftarrow c_{j,3} \oplus H_2(c_{j,1}^{td_{4,j}}, c_{j,1}, c_{j,2}).$$

Therefore, $f_i(x) = f_j(x)$ holds for $M_i = M_j$.

3. For the third condition, the following hold:

Type 1 authorization: If $\mathrm{Test}_1(c_i, td_{1,i}, c_j, td_{1,j}) = 1$, then $f_i(x) = f_j(x)$. Since $\Pr[f_i(x) = f_j(x)]$ is negligible for $M_i \neq M_j$, $\Pr[\mathrm{Test}_1(c_i, td_{1,i}, c_j, td_{1,j}) = 1]$ is negligible.

Type 2 authorization: If $\mathrm{Test}_2(c_i, td_{2,i,c_i}, c_j, td_{2,j,c_j}) = 1$, then $f_i(x) = f_j(x)$. Since $\Pr[f_i(x) = f_j(x)]$ is negligible for $M_i \neq M_j$, $\Pr[\mathrm{Test}_2(c_i, td_{2,i,c_i}, c_j, td_{2,j,c_j}) = 1]$ is negligible.
Type 3 authorization: If $\mathrm{Test}_3(c_i, td_{3,i,c_i,j,c_j}, c_j, td_{3,j,c_j,i,c_i}) = 1$, then $V_{i,1}^{D_{i,1}} \cdot V_{j,1}^{D_{j,1}} = V_{j,2}^{D_{j,2}} \cdot V_{i,2}^{D_{i,2}}$, which means $f_i(0) = f_j(0)$. Since $\Pr[f_i(0) = f_j(0)]$ is negligible for $M_i \neq M_j$, $\Pr[\mathrm{Test}_3(c_i, td_{3,i,c_i,j,c_j}, c_j, td_{3,j,c_j,i,c_i}) = 1]$ is negligible.

Type 4 authorization: If $\mathrm{Test}_4(c_i, td_{4,i,c_i}, c_j, td_{4,j}) = 1$, then $f_i(x) = f_j(x)$. Since $\Pr[f_i(x) = f_j(x)]$ is negligible for $M_i \neq M_j$, $\Pr[\mathrm{Test}_4(c_i, td_{4,i,c_i}, c_j, td_{4,j}) = 1]$ is negligible.

Security

Scheme security

In this section, we prove the security of our proposed scheme.

Theorem 2. Our proposed scheme is OW-CCA secure under the DDH assumption in the random oracle model for Type-a ($a = 1, 2, 3$) authorization against a Type I adversary.

Proof. Suppose $A_1$ is a Type I adversary breaking the cryptosystem. We build an algorithm $B$ that solves the DDH problem in $G$ by simulating an attack environment for such an adversary. Algorithm $B$ is given a four-tuple $(g, g^a, g^b, g^c) \in G^4$, and its target is to test whether or not $g^{ab} = g^c$ holds. During the interaction, $B$ records the answers it gives to all queries and additionally maintains a separate list for $H_1$. Let $A_1$ choose $t$ as its target at the beginning of the game.

1. Setup. $B$ creates the system parameters $sp = (G, g, H_1, H_2, H_3, H_4, H_5, H_6)$ from the security parameter $k$ as in Setup and provides $sp$ to $A_1$, where $H_1$ is a random oracle controlled by $B$. Then $B$ generates $n$ public/private key pairs $(pk_i, sk_i)$ ($1 \leq i \leq n$) by algorithm KeyGen, provides all $pk_i = (X_i = g^{x_i}, Y_i = g^{y_i})$ to $A_1$ (if $i = t$, $pk_t = (X_t = g^{x_t}, Y_t = g^a)$) and keeps the $sk_i = (x_i, y_i)$ secret (if $i = t$, then $sk_t = (x_t)$; $B$ does not know the part of $sk_t$ corresponding to $Y_t$), where $x_i, y_i, x_t \in \mathbb{Z}_q$.

2. Phase 1. $A_1$ may issue queries to all random oracles a polynomial number of times.
The constraint is that $t$ does not appear in the decryption key retrieval queries.

$H_1$ query: To respond to $A_1$'s queries, $B$ keeps an $H_1$-list of tuples of the form $(a_i, u_i)$. On query $a_i$, $B$ does the following: if $a_i$ already appears in the $H_1$-list in a tuple $(a_i, u_i)$, then $B$ responds with $H_1(a_i) = u_i$; otherwise, $B$ picks $u_i \in \{0, 1\}^k$ at random, adds the new tuple $(a_i, u_i)$ to the $H_1$-list and responds with $H_1(a_i) = u_i$.

Decryption key retrieval queries ($i$): $B$ responds to $A_1$ with the $sk_i$ created in Setup ($i \neq t$).

Decryption queries ($i, c_i$): Suppose $c_i = (c_{i,1}, c_{i,2}, c_{i,3})$. If $i \neq t$, $B$ runs algorithm Decrypt with the valid $c_i$ and $sk_i$ as input and responds to $A_1$ with the output. Otherwise, $B$ proceeds as follows. For each tuple $(a_i, u_i)$ in the $H_1$-list, $B$:

1. computes $M_i = c_{i,2} \oplus u_i$ and $x_{i,1} \,\|\, x_{i,2} \,\|\, y_{i,1} \,\|\, y_{i,2} = c_{i,3} \oplus H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$;

2. uses $M_i$ to generate $P_1, P_2$ as done in algorithm Encrypt;

3. uses the two points $P_1, P_2$ to construct a straight line $f_i(x)$;

4. tests whether $f_i(x_{i,1}) = y_{i,1}$ and $f_i(x_{i,2}) = y_{i,2}$ hold; if yes, $B$ returns $M_i$ to $A_1$.

Otherwise, it responds $\bot$ to $A_1$.

Authorization queries ($i, \cdot$): For a Type-a ($a = 1, 2, 3$) authorization:

1. For $a = 1$ with given $i$, $B$ runs $\mathrm{Auth}_1(sk_i)$ with $sk_i$ and responds to $A_1$ with $td_{i,1} = x_i$ ($x_i = sk_i$);

2. For $a = 2$ with given $(i, c_i)$, $B$ runs $\mathrm{Auth}_2(sk_i, c_i)$ with $sk_i$ and responds to $A_1$ with $td_{i,2} = H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$ ($x_i = sk_i$);

3. For $a = 3$ with given $(i, c_i, j, c_j)$, $B$ runs $\mathrm{Auth}_3(sk_i, c_i, c_j)$ with $sk_i$ and responds with

$$td_{3,i,c_i,j,c_j} = (z_i, V_{i,1}, V_{i,2}) = \left([H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})]_1^{2l},\; Z_i^{y_{i,1}},\; Z_i^{y_{i,2}}\right),$$

where $Z_i = c_{i,1} \cdot c_{j,1}$, $c_i = (c_{i,1}, c_{i,2}, c_{i,3})$ and $c_j = (c_{j,1}, c_{j,2}, c_{j,3})$.

3. Challenge. Once $A_1$ decides that Phase 1 is over, $B$ takes a random message $M_t$ to be challenged, encrypts it to generate two points $(x_{t,1}, y_{t,1}), (x_{t,2}, y_{t,2})$ and computes the challenge ciphertext $c_t = (c_{t,1}, c_{t,2}, c_{t,3})$ as

$$c_{t,1} = g^b, \qquad c_{t,2} = M_t \oplus H_1(g^c), \qquad c_{t,3} = (x_{t,1} \,\|\, x_{t,2} \,\|\, y_{t,1} \,\|\, y_{t,2}) \oplus H_2(c_{t,1}^{x_t}, c_{t,1}, c_{t,2}).$$

Finally, it provides $c_t$ to $A_1$ as the challenge ciphertext.

4. Phase 2. $A_1$ issues more queries as in Phase 1, subject to two conditions: during decryption key retrieval queries, $i \neq t$ holds; during decryption queries, $(t, c_t)$ is not allowed.

5. Guess. $A_1$ outputs a guess $M_t' \in \mathcal{M}$. If $M_t' = M_t$ holds, $B$ outputs 1, meaning $g^{ab} = g^c$; otherwise it outputs 0. Note that $c_t$ is a valid ciphertext of the challenge message exactly when $g^{ab} = g^c$.

Theorem 3. Our proposed scheme is IND-CCA secure under the DDH assumption in the random oracle model for Type-a ($a = 1, 2, 3$) authorization against a Type II adversary.

Proof. Suppose that $A_2$ is a Type II adversary breaking the encryption scheme. We build an algorithm $B$ that solves the DDH problem in $G$ by simulating an attack environment for such an adversary. Algorithm $B$ is given a four-tuple $(g, g^a, g^b, g^c) \in G^4$, and its target is to test whether or not $g^{ab} = g^c$ holds. During the interaction, $B$ records the answers it gives to all queries and additionally maintains a separate list for $H_1$. Let $A_2$ choose $t$ as its target at the beginning of the game.

1. Setup. $B$ generates the system parameters $sp = (G, g, H_1, H_2, H_3, H_4, H_5, H_6)$ from the security parameter $k$ as in Setup and provides $sp$ to $A_2$, where $H_1$ is a random oracle controlled by $B$. Subsequently, $B$ generates $n$ public/private key pairs $(pk_i, sk_i)$ ($1 \leq i \leq n$) by invoking algorithm KeyGen, provides all $pk_i = (X_i = g^{x_i}, Y_i = g^{y_i})$ to $A_2$ (if $i = t$, $pk_t = (X_t = g^{x_t}, Y_t = g^a)$) and keeps the $sk_i = (x_i, y_i)$ secret (if $i = t$, then $sk_t = (x_t)$; $B$ does not know the part of $sk_t$ corresponding to $Y_t$), where $x_i, y_i, x_t \in \mathbb{Z}_q$.

2. Phase 1. $A_2$ may issue queries to all random oracles a polynomial number of times. The constraint is that $t$ does not appear in the decryption key retrieval queries.

$H_1$ query: To respond to $A_2$'s queries, $B$ keeps an $H_1$-list of tuples of the form $(a_i, u_i)$. On query $a_i$, $B$ does the following: if $a_i$ already appears in the $H_1$-list in a tuple $(a_i, u_i)$, then $B$ responds with $H_1(a_i) = u_i$; otherwise, $B$ picks $u_i \in \{0, 1\}^k$ at random, adds the new tuple $(a_i, u_i)$ to the $H_1$-list and responds with $H_1(a_i) = u_i$.

Decryption key retrieval queries ($i$): $B$ responds to $A_2$ with the $sk_i$ created in Setup ($i \neq t$).

Decryption queries ($i, c_i$): Suppose $c_i = (c_{i,1}, c_{i,2}, c_{i,3})$. If $i \neq t$, $B$ runs algorithm Decrypt with the valid $c_i$ and $sk_i$ as input and responds to $A_2$ with the output. Otherwise, $B$ proceeds as follows. For each tuple $(a_i, u_i)$ in the $H_1$-list, $B$:

1. computes $M_i = c_{i,2} \oplus u_i$ and $x_{i,1} \,\|\, x_{i,2} \,\|\, y_{i,1} \,\|\, y_{i,2} = c_{i,3} \oplus H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$;

2. uses $M_i$ to generate $P_1, P_2$ as done in algorithm Encrypt;

3. constructs $f_i(x)$ from the two points $P_1, P_2$;

4. tests whether $f_i(x_{i,1}) = y_{i,1}$ and $f_i(x_{i,2}) = y_{i,2}$ hold; if yes, $B$ returns $M_i$ to $A_2$.

Otherwise, it responds $\bot$ to $A_2$.

Authorization queries ($i, \cdot$): For a Type-a ($a = 1, 2, 3$) authorization:

1. In Type 1 authorization, with given $i$, $B$ runs $\mathrm{Auth}_1(sk_i)$ with $sk_i$ and responds to $A_2$ with $td_{i,1} = x_i$ ($x_i = sk_i$);

2. In Type 2 authorization, given $(i, c_i)$, $B$ runs $\mathrm{Auth}_2(sk_i, c_i)$ with $sk_i$ and responds to $A_2$ with $td_{i,2} = H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$ ($x_i = sk_i$);

3. In Type 3 authorization, given $(i, c_i, j, c_j)$, $B$ runs $\mathrm{Auth}_3(sk_i, c_i, c_j)$ with $sk_i$ and responds with

$$td_{3,i,c_i,j,c_j} = (z_i, V_{i,1}, V_{i,2}) = \left([H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})]_1^{2l},\; Z_i^{y_{i,1}},\; Z_i^{y_{i,2}}\right),$$

where $Z_i = c_{i,1} \cdot c_{j,1}$, $c_i = (c_{i,1}, c_{i,2}, c_{i,3})$ and $c_j = (c_{j,1}, c_{j,2}, c_{j,3})$.

3. Challenge. Once $A_2$ decides that Phase 1 is over, it provides two random messages $M_0, M_1 \in \{0, 1\}^k$ to $B$.
$B$ chooses a random bit $b \in \{0, 1\}$, then runs Encrypt to generate two points $(x_{b,1}, y_{b,1}), (x_{b,2}, y_{b,2})$ and outputs the challenge ciphertext $c_t = (c_{t,1}, c_{t,2}, c_{t,3})$ as

$$c_{t,1} = g^b, \qquad c_{t,2} = M_b \oplus H_1(g^c), \qquad c_{t,3} = (x_{b,1} \,\|\, x_{b,2} \,\|\, y_{b,1} \,\|\, y_{b,2}) \oplus H_2(c_{t,1}^{x_t}, c_{t,1}, c_{t,2}).$$

Finally, it provides $c_t$ to $A_2$ as the challenge ciphertext.

4. Phase 2. $A_2$ issues more queries as in Phase 1, subject to the following: during decryption key retrieval queries, $i \neq t$ holds; during decryption queries, $(t, c_t)$ is not allowed; and for Type-a ($a = 1, 2, 3$) authorization queries:

1. in Type 1 authorization queries, $i = t$ is not allowed;

2. in Type 2 authorization queries, $(t, c_t)$ is not allowed;

3. in Type 3 authorization queries, $(t, c_t, \cdot)$ is not allowed.

5. Guess. $A_2$ outputs a guess $b'$. If $b' = b$, $B$ outputs 1, meaning $g^{ab} = g^c$; otherwise it outputs 0. When $g^{ab} = g^c$, $c_t$ is a valid ciphertext of the challenge message.

Authorization security

In this section, we analyze the security of authorization. In Type 4 authorization, the authorized party has $td_{4,i,c_i} = \mathrm{Aut}_2(sk_i, c_i) = H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$ and $td_{4,j} = \mathrm{Aut}_1(sk_j) = x_j$. It cannot obtain $sk_i = x_i$, which is used by user $u_i$. Therefore, the adversary cannot obtain Type 1 authorization. In Type 3 authorization, the authorized party has

$$td_{3,i,c_i,j,c_j} = (z_i, V_{i,1}, V_{i,2}) = \left([H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})]_1^{2l},\; Z_i^{y_{i,1}},\; Z_i^{y_{i,2}}\right), \qquad td_{3,j,c_j,i,c_i} = (z_j, V_{j,1}, V_{j,2}) = \left([H_2(c_{j,1}^{x_j}, c_{j,1}, c_{j,2})]_1^{2l},\; Z_j^{y_{j,1}},\; Z_j^{y_{j,2}}\right),$$

where $Z_i = c_{j,1} \cdot c_{i,1}$ and $Z_j = c_{i,1} \cdot c_{j,1}$; the adversary cannot obtain $(y_{i,1}, y_{i,2}, y_{j,1}, y_{j,2}, x_i, x_j)$ without $M$. Thus, the adversary cannot obtain Type 4, Type 2 or Type 1 authorization. In Type 2 authorization, the authorized party has $td_{2,i,c_i} = H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$. The adversary cannot obtain $(x_i, x_j)$. Therefore, it cannot obtain Type 4 or Type 1 authorization.

Performance analysis

In this section, we discuss the efficiency of our scheme. According to the experimental results in previous studies, a bilinear pairing costs about five times as much as an exponentiation, and a modular exponentiation is more expensive than a modular inverse. We provide an efficiency comparison with the papers by Ma et al.[17] and Lin et al.[18] in Table 1, a storage space comparison with Lin et al.[18] in Table 2, and a brief comparison with other schemes in Table 3. In Table 1, we compare the presented scheme with the schemes of Ma et al.[17] and Lin et al.[18] with respect to the computational complexity of Encrypt ($C_{Enc}$) and Decrypt ($C_{Dec}$) (second and third columns), the four types of authorization (Auth) (fourth to seventh columns) and the four types of Test (eighth to eleventh columns). In Table 2, we compare the storage space with Lin et al.[18] in terms of the sizes of $pk$, $sk$ and $C_{len}$ (second to fourth columns).

Table 1. The comparison of computational complexity.

| Scheme | C_Enc | C_Dec | Auth Type 1 | Auth Type 2 | Auth Type 3 | Auth Type 4 | Test Type 1 | Test Type 2 | Test Type 3 | Test Type 4 |
| Ma et al.[17] | 6E | 5E | 0 | 2E | 2E + 2P | 1E | 2E + 2P | 2E + 2P | 2E + 2P + 2I | 2E + 2P |
| Lin et al.[18] | 4E + 3I | 3E + 3I | 0 | 1E | 4E | 1E | 2E + 6I | 6I | 6E + 6I | 1E + 6I |
| Our scheme | 3E + 1I | 2E + 1I | 0 | 1E | 3E | 1E | 2E + 2I | 2I | 4E + 4I | 1E + 2I |

C_Enc, C_Dec, Auth and Test: the computational complexity of the algorithms for encryption, decryption, Type-a authorization and Type-a test; E, P and I: the exponentiation, pairing and inversion operations in the group G.

Table 2. The comparison of storage space.

| Scheme | pk | sk | C_len |
| Lin et al.[18] | 2 log q (bit) | 2 log q (bit) | 8 log q (bit) |
| Our scheme | 2 log q (bit) | 2 log q (bit) | 6 log q (bit) |

pk, sk and C_len: the bit sizes of the public key, the secret key and the ciphertext; log q: the bit length in which the public key, the secret key and the ciphertext are measured.
In Table 3, we present a comparison with the earlier PKEwET schemes with respect to the computation complexity of encryption and decryption (second and third columns). It is clear from the tables that our scheme requires smaller ciphertext storage than the scheme of Lin et al. 18, and that its computational cost is lower than that of Ma et al. 17 and Lin et al. 18 for Encrypt, Decrypt, the four types of Authorization and the four types of Test. Thus, our presented scheme is more efficient. From Table 3, it can be observed that our scheme is more efficient than that of Tang in encryption. As a whole, our scheme supports much more flexible authorization and is more efficient than the previous studies. 17,18 Thus, we remark that our scheme is more practical for the age of big data.

Table 3. The comparison of computational complexity with others.

| Scheme | C_Enc | C_Dec |
| Tang 13,14 | 4E | 2E |
| Tang 15 | 5E | 2E |
| Ma 16 | 6E + 2P | 2E + 2P + 1I |
| Our scheme | 3E + 1I | 2E + 1I |

C_Enc and C_Dec: the computation complexity of the algorithms for encryption and decryption; E, P and I: the exponentiation operation, the pairing operation and the inversion operation in the group G.

Conclusion

In this article, we present an improved PKEwET-FA scheme. We prove that our scheme is more flexible and more practical than previous works. For the Encrypt, Decrypt and Test algorithms, we use a straight line instead of a quadratic curve. Finally, we conclude that the presented scheme achieves lower computational complexity and smaller storage space at the same level of security.

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the National Natural Science Foundation of China (NSFC) (Nos , ).

References

1. Boneh D, Crescenzo GD, Ostrovsky R, et al. Public key encryption with keyword search. In: Cachin C and Camenisch JL (eds) Advances in cryptology – EUROCRYPT 2004. Heidelberg: Springer, 2004, p.56c.
2. Abdalla M, Bellare M, Catalano D, et al. Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. In: Shoup V (ed.) Annual international cryptology conference – CRYPTO 2005 (Lecture notes in computer science). Berlin, Heidelberg: Springer, 2005.
3. Liu C, Zhu L, Wang M, et al. Search pattern leakage in searchable encryption: attacks and new construction. Inform Sciences 2014; 265: 76C.
4. Byun JW, Rhee HS, Park HA, et al. Off-line keyword guessing attacks on recent keyword search schemes over encrypted data. In: Jonker W and Petković M (eds) Secure data management. Berlin, Heidelberg: Springer, 2006.
5. Cao N, Wang C, Li M, et al. Privacy-preserving multi-keyword ranked search over encrypted cloud data. IEEE T Parall Distr 2014; 25(1).
6. Fang L, Susilo W, Ge C, et al. Public key encryption with keyword search secure against keyword guessing attacks without random oracle. Inform Sciences 2013; 238.
7. Hofheinz D and Weinreb E. Searchable encryption with decryption in the standard model. Cryptology ePrint Archive, Report 2008/423, 2008.
8. Nishioka M. Perfect keyword privacy in PEKS systems. In: Nishioka M (ed.) Provable security. Berlin, Heidelberg: Springer, 2012.
9. Bellare M, Boldyreva A and O'Neill A. Deterministic and efficiently searchable encryption. In: Menezes A (ed.) Advances in cryptology – CRYPTO 2007 (Lecture notes in computer science). Heidelberg: Springer, 2007.
10. Bellare M, Fischlin M, O'Neill A, et al. Deterministic encryption: definitional equivalences and constructions without random oracles. In: Wagner D (ed.) Advances in cryptology (Lecture notes in computer science). Berlin: Springer, 2008.
11. Boldyreva A, Fehr S and O'Neill A. On notions of security for deterministic encryption, and efficient constructions without random oracles. In: Proceedings of the annual international cryptology conference, Santa Barbara, CA, August 2008. Berlin: Springer.
12. Yang G, Tan CH, Huang Q, et al. Probabilistic public key encryption with equality test. In: Pieprzyk J (ed.) Cryptographers' track at the RSA conference. Berlin, Heidelberg: Springer, 2010.
13. Tang Q. Towards public key encryption scheme supporting equality test with fine-grained authorization. In: Proceedings of the 16th Australasian conference on information security and privacy, Melbourne, VIC, Australia, July 2011, vol. 6812, p.389c46. New York: ACM.
14. Tang Q. Public key encryption schemes supporting equality test with authorisation of different granularity. Int J Appl Cryptograp 2012; 2(4): 34C.
15. Tang Q. Public key encryption supporting plaintext equality test and user-specified authorization. Secure Commun Netw 2012; 5(12): 1351C.
16. Ma S. Identity-based encryption with outsourced equality test in cloud computing. Inform Sciences 2016; 328.
17. Ma S, Huang Q, Zhang M, et al. Efficient public key encryption with equality test supporting flexible authorization. IEEE T Inf Foren Sec 2015; 10(3).
18. Lin XJ, Qu H and Zhang X. Public key encryption supporting equality test and flexible authorization without bilinear pairings. IACR Cryptology ePrint Archive, 2016.
19. Lynn B. Pairing based cryptography – benchmarks, crypto.stanford.edu/pbc/times.html.
20. Lauter K. The advantages of elliptic curve cryptography for wireless security. IEEE T Wirel Commun 2004; 11(1).
21. Yoshitomi M, Takagi T, Kiyomoto S, et al. Efficient implementation of the pairing on mobile phones using BREW. IEICE T Inf Syst 2008; 6434:

More information

Efficient Password-based Authenticated Key Exchange without Public Information

Efficient Password-based Authenticated Key Exchange without Public Information An extended abstract of this paper appears in ESORICS 2007, J. Biskup and J. Lopez (Eds.), volume 4734 of LNCS, pp. 299-310, Sringer-Verlag, 2007. Efficient Password-based Authenticated Key Exchange without

More information

arxiv: v2 [cs.cr] 14 Feb 2018

arxiv: v2 [cs.cr] 14 Feb 2018 Code-based Key Encapsulation from McEliece s Cryptosystem Edoardo Persichetti arxiv:1706.06306v2 [cs.cr] 14 Feb 2018 Florida Atlantic University Abstract. In this paper we show that it is possible to extend

More information

ECS 189A Final Cryptography Spring 2011

ECS 189A Final Cryptography Spring 2011 ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I

More information

Masao KASAHARA. Graduate School of Osaka Gakuin University

Masao KASAHARA. Graduate School of Osaka Gakuin University Abstract Construction of New Classes of Knapsack Type Public Key Cryptosystem Using Uniform Secret Sequence, K(II)ΣΠPKC, Constructed Based on Maximum Length Code Masao KASAHARA Graduate School of Osaka

More information

Advanced Topics in Cryptography

Advanced Topics in Cryptography Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,

More information

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies

More information

Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *

Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * 2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS

More information

Certificateless Signcryption without Pairing

Certificateless Signcryption without Pairing Certificateless Signcryption without Pairing Wenjian Xie Zhang Zhang College of Mathematics and Computer Science Guangxi University for Nationalities, Nanning 530006, China Abstract. Certificateless public

More information

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017 Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total

More information

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30 CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).

More information

Chosen-Ciphertext Secure RSA-type Cryptosystems

Chosen-Ciphertext Secure RSA-type Cryptosystems Published in J. Pieprzyk and F. Zhang, Eds, Provable Security (ProvSec 2009), vol 5848 of Lecture Notes in Computer Science, pp. 32 46, Springer, 2009. Chosen-Ciphertext Secure RSA-type Cryptosystems Benoît

More information

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko CMSC 858K Advanced Topics in Cryptography February 26, 2004 Lecturer: Jonathan Katz Lecture 10 Scribe(s): Jeffrey Blank Chiu Yuen Koo Nikolai Yakovenko 1 Summary We had previously begun to analyze the

More information

Range Queries on Two Column Data

Range Queries on Two Column Data 07 IEEE Second International Conference on Data Science in Cyberspace Range Queries on Two Column Data Ce Yang, Weiming Zhang and Nenghai Yu CAS Key Laboratory of Electro-magnetic Space Information University

More information