An Investigation of Some Forward Security Properties for PEKS and IBE

Transcription

1 An Investigation of Some Forward Security Proerties for PEKS and IBE Qiang Tang APSIA grou, SnT, University of Luxemourg 6, rue Richard Coudenhove-Kalergi, L-359 Luxemourg Astract. In crytograhy, forward secrecy is a well-known roerty of key agreement rotocols. It ensures that a session key remains secure even if one of the long-term secret keys is comromised in the future. In this aer, we investigate some forward security roerties for Pulic-key Encrytion with Keyword Search (PEKS schemes, which allow a client to store encryted data and delegate search oerations to a server. The roosed roerties guarantee that the client s rivacy is rotected to the maximum extent when his rivate key is comromised. Motivated y the generic transformation from anonymous Identity-Based Encrytion (IBE to PEKS, we corresondingly roose some forward security roerties for IBE, in which case we assume the attacker learns the master secret key. We then study several existing PEKS and IBE schemes, including a PEKS scheme y Nishioka, an IBE scheme y Boneh, Raghunathan and Segev, and an IBE scheme y Arriaga, Tang and Ryan. Our analysis indicates that the roosed forward security roerties can e achieved y some of these schemes if the attacker is RO-non-adative (the attacker does not define its distriutions ased on the random oracle. Finally, we show how to extend the Boyen-Waters anonymous IBE scheme to achieve the forward security roerties for adative attackers. Introduction In the seminal work [8], Boneh et al. roosed the concet of Pulic-key Encrytion with Keyword Search (PEKS and formulated it as a crytograhic rimitive with four algorithms (KeyGen, Encryt, TraGen, Test. PEKS is a two-arty (i.e. client-server rimitive aiming at rotecting a client, say Alice s, rivacy in the following encryted routing scenario.. Alice runs a KeyGen algorithm to generate a ulic/rivate key air (PK, SK and ulishes PK. 2. When any user, say Bo, sends an to Alice, he can generate a tag Encryt(x, PK for a keyword x and attach it to the (the should e encryted indeendently and the detail is omitted here. In the view of the server, it has a list of s indexed y Encryt(x, PK, Encryt(x 2, PK, resectively. 3. If Alice wants to retrieve those s indexed with a keyword y, she sends a tradoor TraGen(y, SK to the server, which can then run an algorithm Test on the inut (TraGen(y, SK, Encryt(x i, PK for every i to figure out whether y = x i. As shown in this scenario, PEKS only suorts equality testing (or, exact matching of keywords. To suort more comlex search queries, a lot of extensions have een roosed. Among them, [3, 2, 22] suort search queries with conjunctive keywords, [3, 27] suort suset and range queries, and [23] suorts disjunctions, olynomial equations, and inner roducts. In contrast to the large numer of follow-u works to extend the PEKS functionality, very little has een done to investigate its full security caailities and the only few we know are [3, 4, 9 ].. Prolem Statement With a PEKS scheme imlemented, the server has a list of tags from message senders and a list of tradoors from the client. As a result of the desired search functionality, the server can categorize the tags and the tradoors into three grous. Grou : the tags, which do not match any tradoor. Grou 2: the tradoors, which do not match any tag. Grou 3: the tags and tradoors, which match at least one tradoor or tag.

2 The seminal work [8] and most of follow-us only considered the cihertext rivacy roerty, which catures the rivacy of keywords encryted y the tags in Grou. Boneh et al. [, ] introduced a new function rivacy roerty which catures rivacy of keywords encryted y the tags and tradoors in Grou 3. Arriaga, Tang, and Ryan [3, 4] introduced a new search attern rivacy roerty which catures the rivacy of keywords in the tradoors in Grou 2. Moreover, they showed that these roerties are not comatile with each other. Ideally, a PEKS scheme should rovide maximal rotection for the keywords in all three grous. In this work, we try to answer two questions.. Are the security roerties from [3, 4, 9 ] the strongest we can have? 2. How to construct PEKS schemes to achieve all roerties simultaneously? Interestingly, oth questions can also e asked against the extensions of PEKS (and searchale encrytion schemes in the symmetric-key setting as well. We leave this as a future work..2 Concerning the Entroy of Keywords With resect to PEKS and its extensions, there is a concern aout the low entroy nature of keywords. For examle, in the aforementioned routing examle, the entroy of keywords may not e very high. This makes eole wonder the racticality of rivacy roerties for PKES, articularly the function rivacy roerty [, ] and the search attern rivacy roerty [3, 4]. Nevertheless, we would like to argue that it makes a lot of sense to investigate the maximal level of security guarantees y PEKS. Theoretically, it is always interesting to study the strongest security roerties for a crytograhic rimitive. This has een done for many other rimitives, such as encrytion and signature schemes. Practically, it is not true that the keywords always have low entroy. When a PEKS scheme is deloyed, the underlying alication can always enrich the keyword set with some context information. For instance, instead of using the keyword confidential, the alication can use confidential-roject457. A more effective way to augment the entroy of keywords is using re-shared asswords etween some message senders and the client. An extra advantage of this aroach is that there is no need to store asswords given they are memorale. It is worth noting that augmenting the entroy of keywords may cause some efficiency issues (e.g. there may e several augmented keywords for the same keyword confidential, so that the client needs to generate several tradoors to search for all confidential s. We regard this as a natural tradeoff etween security and efficiency..3 Our Contriution Forward secrecy is a well-known roerty roosed for key agreement rotocols [8, 2], and it ensures that a session key remains secure even if one of the long-term secret keys is comromised in the future. This concet has also een alied to other rimitives, such as signature schemes [6]. Generally seaking, it is a valuale concet for all crytograhic rimitives that involve a long-term secret key. Firstly, we introduce two new forward-secure roerties for PEKS. One is forward-secure function rivacy, which aims at rotecting the keywords in matched tags and tradoors. The other is forwardsecure tradoor unlinkaility, which aims at rotecting the keywords in those tradoors which do not match any tags. These two roerties are augmented variants of those from [, ] and [3, 4] resectively. The augmentation lies not only in allowing the attacker to comromise the long-term secret key ut also in giving it more flexiility to define the keyword distriutions in the attack games. We then analyse a PEKS scheme y Nishioka [25] and show that it achieves our roerties for RO-nonadative attackers which can not choose its distriutions ased on the random oracle. Secondly, motivated y the fact that we can otain a PEKS scheme from an anonymous IBE scheme through a generic transformation [, 8], we introduce two new forward-secure roerties for IBE y giving the master secret key the attacker in the attack games. It is worth noting that this is different from the forward security concet given in [3], where the focus is on the key evolution and the attacker is given secret keys corresonding to some identities. These roerties directly lead to those forwardsecure roerties for PEKS as a result of the generic transformation. Similar to the case of PEKS, oth roerties are augmented variants of those from [, ] and [3, 4] resectively. We then analyse the IBE DLIN2 scheme y Boneh, Raghunathan and Segev [, ], and show that it does not achieve the forward secure function rivacy roerty. We also analyse an IBE scheme y Arriaga, Tang and Ryan [3, 4], and show that it achieves our roerties for RO-non-adative attackers. 2

3 Thirdly, we introduce the concet of deterministic scramler, which takes correlated random variales as inut and oututs indeendent random variales. By re-rocessing the identities with a deterministic scramler scheme, an IBE scheme automatically achieves the forward-secure function rivacy roerty against adative attackers. In contrast to the extract-augment-comine aroach from [, ], we do not need to tweak the encrytion and decrytion algorithms of the underlying IBE scheme. We then extend the Boyen-Waters anonymous IBE scheme [4] with comosite order ilinear grous and a deterministic scramler scheme, and show that the resulted scheme achieves our forward-secure roerties..4 Organization The rest of this aer is organized as follows. In Section 2, we resent reliminaries on notation and hardness assumtions. In Section 3, we resent an enhanced security model for PEKS with a focus on the forward security roerties, and analyse the Nishioka scheme. In Section 4, we roose some forward security roerties for IBE. In Section 5, we analyse two IBE schemes y Boneh, Raghunathan and Segev, and an IBE scheme y Arriaga, Tang and Ryan. In Section 6, we introduce the concet of deterministic scramler and extend the Boyen-Waters Scheme. In Section 7, we resent some remarks. 2 Preliminary 2. Notation x y means the concatenation of x and y, P.P.T. stands for roailistic olynomial time. x A O,O 2, (m, m 2, means that x is the outut of the algorithm A which runs with the inut m, m 2, and has access to oracles O, O 2,. When X is a set, x X means that x is chosen from X uniformly at random, and X means the size of X. When D is a distriution on the set X, x D X means that x is a value samled from X according to D. We use old letter, such as X, to denote a vector or matrix. Given a vector X, we use X (i to denote the i-th element in the vector. When g is a grou element, we use g X to denote a new vector or matrix, whose elements are exonentiations of the corresonding elements in X. For two vectors (or matrices Y and Z whose elements are from a grou, we use Y Z to denote the new vector (or matrix after airwise grou oerations. A function P(λ : Z R is said to e negligile with resect to λ if, for every olynomial f (λ, there exists an integer N f such that P(λ < f (λ for all λ N f. When P(λ is negligile, then we say P(λ is overwhelming. A random variale V has min-entroy λ, denoted as H (V = λ, if max v Pr[V = v] = 2 λ, or equivalently λ = log max v Pr[V = v]. If V has min-entroy at least λ, then V is a λ source. Given two random variales V and W, the conditional min-entroy of V with resect to W is defined to e min w H (V W = w, or equivalently log max v,w Pr[V = v W = w]. 2.2 Pairing over Prime-order Grous A rime-order ilinear grou generator is an algorithm G P that takes as inut a security arameter λ and oututs a descrition Γ = (, G, G T, ê, g where: G and G T are grous of rime-order with efficiently-comutale grou laws. g is a randomly-chosen generator of G. ê is an efficiently-comutale ilinear airing ê : G G G T, i.e., a ma satisfying the following roerties: Bilinearity: ê(g a, g = ê(g, g a for all a, Z ; Non-degeneracy: ê(g, g. We say the DLIN (Decision Linear assumtion [7] holds if, for every P.P.T. attacker A, its advantage Pr[ = ] 2 is negligile in the game, defined in Fig.. 3

4 . Γ = (, G, G T, ê, g G P (λ 2. z, z 2, z 3, z 4, r Z 3. X = (Γ, g z, g z 2, g z z 3, g z 2z 4, g z 3+z 4 X = (Γ, g z, g z 2, g z z 3, g z 2z 4, g r 4. R {, } 5. A(X Fig.. DLIN Assumtion 2.3 Pairing over Comosite-order Grous A comosite-order ilinear grou generator is an algorithm G C that takes as inut a security arameter λ and oututs a descrition Γ = (, q, G, G T, ê, g, g q where: G and G T are grous of order n = q, where and q are rimes, with efficiently comutale grou laws. g is a randomly-chosen generator of the sugrou G of order, and g q is a randomly-chosen generator of the sugrou G q of order q. ê is an efficiently-comutale ilinear airing ê : G G G T, i.e., a ma satisfying the following roerties for g G: Bilinearity: ê(g a, g = ê(g, g a for all a, Z q ; Non-degeneracy: ê(g, g. It is worth noting that, instead of setting the order of G to e q, we can require G C to set the order to e the roduct of multile rime numers, e.g. [23 25]. Let Γ = (, q, G, G T, ê, g, g q e the outut y G C (λ, and Γ = (q, G, G T, ê, g, g q. We say the Comosite-DDH assumtion [3, 4] holds if, for every P.P.T. attacker A, its advantage Pr[ = ] 2 is negligile in the game, defined in Fig. 2.. Γ = (, q, G, G T, ê, g, g q G C (λ 2. a, a 2,, 2, 3, r Z q 3. Γ = (q, G, G T, ê, g, g q 4. X = (Γ, g a g q, g a 2 g 2 q, g a a 2 g 3 q X = (Γ, g a g q, g a 2 g 2 q, g r g 3 q 5. R {, } 6. A(X Fig. 2. Comosite-DDH assumtion. Γ = (, q, G, G T, ê, g, g q G C (λ 2. a, a 2, a 3,, 2, 3, 4, r Z q 3. Γ = (q, G, G T, ê, g, g q 4. X = (Γ, g a g q, g a 2 g 2 q, g a a 3 g 3 q, g a 2a 3 g 4 q X = (Γ, g a g q, g a 2 g 2 q, g a a 3 g 3 q, g r g 4 q 5. R {, } 6. A(X Fig. 3. Weak Comosite-DDH assumtion We say the Weak Comosite-DDH assumtion holds if, for every P.P.T. attacker A, its advantage Pr[ = ] 2 is negligile in the game, defined in Fig. 3. Both assumtions are strictly weaker than the C3DH assumtion y Boneh and Waters [3]. 2.4 New Assumtions In [5], Canetti roosed the DDH-II assumtion which differs from the standard DDH assumtion in that one exonent is chosen from a wide sread distriution instead of a uniform one. Damgård, Hazay and, Zottarel [7] showed that this assumtion holds in the generic grou model, and stated that it is a useful tool in leakage resilient crytograhy. Next, we introduce an analog assumtion for ilinear grous. The hilosohy is similar to the case of Comosite-DDH: although it is trivial to solve DDH-II rolem in ilinear grous, adding an additional layer of randomization makes it difficult even with the hel of the ilinear ma. Formally, we say the Comosite-DDH-II assumtion holds if, for every P.P.T. attacker A, its advantage Pr[ = ] 2 is negligile in the game, defined in Fig. 4. In the game, the distriution D from the attacker should guarantee that a has min-entroy not smaller than λ, i.e. a is wide sread according to Canetti [5]. 4

5 . Γ = (, q, G, G T, ê, g, g, g q G C (λ 2. Γ = (q, G, G T, ê, g, g, g q 3. D A(Γ 4. a D Z 5., s, s 2, s 3, r Z q 6. X = (Γ, g a g s q, g g s 2 q, g a g s 3 q X = (Γ, g a g s q, g g s 2 q, g r g s 3 q 7. R {, } 8. A(X, D. Γ = (, q, G, G T, ê, g, g, g q G C (λ 2. Γ = (q, G, G T, ê, g, g, g q 3. D A(Γ 4. (a,, a L D Z L 5., L, r,, r L, s,, s L, t,, t L Z q 6. X = (Γ, g g s q, g a g t q,, g L g s L q, g a L L g t L q X = (Γ, g g s q, g r g t q,, g L 7. R {, } 8. A(X, D g t L q, g r L g t L q Fig. 4. Comosite-DDH-II assumtion Fig. 5. Correlated Comosite-DDH-II assumtion Further, we say the Correlated Comosite-DDH-II assumtion holds if, for every P.P.T. attacker A, its advantage Pr[ = ] 2 is negligile in the game, defined in Fig. 5. In the game, the distriution D from the attacker should guarantee that a i for any i L has min-entroy not smaller than λ. Comared to the Comosite-DDH-II assumtion, on one hand the values g a,, g a L are not given to the attacker (not even in the randomized form, ut on the other hand the attacker is given multile incomlete DH airs. As to these two new assumtions, it is not clear how to reduce one to the other. Nevertheless, we have the following lemma. The roof is in Aendix I. Lemma. Suose any P.P.T. attacker has at most the advantage ϵ in the Comosite-DDH-II assumtion. Then, any P.P.T. attacker has at most the advantage L ϵ in the Correlated Comosite-DDH-II assumtion in the following two scenarios.. a, a 2,, a L are indeendent according to D. 2. a = a 2 = = a L according to D. It is unclear how to reduce these two assumtions to existing standard assumtions. Nevertheless, we can rove their security in the generic grou model, as what have een done for the DDH-II assumtion in [7]. The roof will aear in the full version of this aer. 3 Forward Security Proerties for PEKS A PEKS scheme involves a client, a server, and senders which can e any entity (including the client and the server. Let λ e the security arameter, a PEKS scheme consists of the following algorithms. KeyGen(λ: Run y the client, this roailistic algorithm oututs a ulic/rivate key air (PK, SK, where PK should define a message sace W. Encryt(x, PK: Run y a sender, this roailistic algorithm oututs a cihertext (or, tag C x for a message (or, keyword x W. TraGen(y, SK: Run y the client, this roailistic algorithm generates a tradoor T y for the message y W. Test(C x, T y, PK: Run y the server, this deterministic algorithm returns if x = y and otherwise. Definition. A PEKS scheme achieves comutational consistency [], if any P.P.T. attacker A s advantage Pr[ = ] is negligile in the attack game, shown in Fig. 6.. (PK, SK KeyGen(λ 2. (x, x, state A(PK 3. Set = iff Test(C x, T x, PK = and x x, where T x = TraGen(x, SK, C x = Encryt(x, PK Fig. 6. Comutational Consistency 5

6 3. Security Proerties for PEKS The following cihertext rivacy roerty is the default roerty for PEKS from [8]. Definition 2. A PEKS scheme achieves cihertext rivacy if any P.P.T. attacker A s advantage Pr[ = ] 2 is negligile in the attack game shown in Fig. 7. In the game, A is not allowed to query the TraGen oracle with the messages x and x. In Definition 3 and Definition 4, we follow the Real-or-Random aradigm. This means that D is defined y the attacker at its will, ut D always reresents an indeendent uniform distriution for every variale. The following forward-secure tradoor unlinkaility says that any P.P.T. attacker cannot determine the links among tradoors as long as the underlying keywords are samled according to distriutions with min-entroy not smaller than λ. This roerty is an augmented variant of the strong search attern rivacy roerty from [3, 4], where the augmentation lies in two asects. One is that the attacker is given SK in Ste 4 of the attack game, and this rings in the forwardsecure flavor. The other is that the attacker is allowed to adatively choose the keyword distriutions ased on the ulic arameters, while the challenger samles the keywords uniformly from the keyword sace in [3, 4]. Definition 3. A PEKS scheme achieves forward-secure tradoor unlinkaility if any P.P.T. attacker A s advantage Pr[ = ] 2 is negligile in the game shown in Fig. 8. In the game, D and D are the joint distriutions of L (deendent λ-source random variales, which take values in the message sace W. The integer L is a olynomial in λ.. (PK, SK KeyGen(λ 2. (x, x, state A TraGen (PK 3. R {, }, C x = Encryt(x, PK 4. A TraGen (state, C x Fig. 7. Cihertext Privacy. (PK, SK KeyGen(λ 2. (D, D, L, state A TraGen (PK 3. R {, }, x D, T = TraGen(x, SK 4. A( SK, state, T Fig. 8. Forward-Secure Tradoor unlinkaility For simlicity, we use TraGen(x, SK to denote (TraGen(x (, SK,, TraGen(x(L, SK in Fig. 8. Such notation is also used in Fig. 9 and roerties definitions for IBE. The following forward-secure function rivacy roerty says that a P.P.T. attacker cannot determine the links among (tag, tradoor airs, as long as the underlying keywords are samled according to distriutions with min-entroy not smaller than λ and they are not equal to each other. This roerty is an augmented variant of the enhanced function rivacy roerty from [], where the augmentation lies in two asects. It is worth noting that the roerty for PEKS is not exlicitly defined in [], ut it is imlied y their discussions (in fact, they use it to motivate the roerty for IBE. One is that the attacker is given SK in Ste 4 of the attack game, and this rings in the forwardsecure flavor. The other is that, in the enhanced function rivacy roerty definition in [], the conditional min-entroy of x (i given x(,, x(i is required to e at least λ, for all 2 i L. While, in our definition, we relax this requirement y asking the samled identities not equal to each other. Based on the fact that the keywords in tradoors may highly correlated, our requirement is more realistic in ractice. Definition 4. A PEKS scheme achieves forward-secure function rivacy if any P.P.T. attacker A s advantage Pr[ = ] 2 is negligile in the game shown in Fig. 9. In the game, D and D are defined in the same way as in Definition 3, ut with the following restriction: for (x (, x(2,, x(l D W L and any i j L, the roaility Pr[x (i ] is negligile. = x(j 6

7 . (PK, SK KeyGen(λ 2. (D, D, L, state A TraGen (PK 3. R {, }, x D, T = TraGen(x, SK, C = Encryt(x, PK 4. A TraGen,Encryt ( SK, state, T, C Fig. 9. Forward-Secure Function Privacy In Ste 4 of the aove game, in a TraGen oracle query, the attacker has an index i L as inut and receives TraGen(x (i, SK. In an Encryt oracle query, the attacker has an index j L as inut and receives Encryt(x (j, PK. Note that the samled identities x(,, x(l are not allowed to e equal in the attack game. Hence, oth oracles are necessary even if the attacker ossesses SK, ecause the attacker may not e ale to generate a new tradoor or tag y re-randomizing an existing one. These two oracles faithfully reflect the fact that, in ractice, the attacker (i.e. the server may receive many tags and tradoors for the same keyword. Remark. Similar to the argument in [3], the forward-secure tradoor unlinkaility roerty and the forward-secure function rivacy roerty do not imly each other. We ski the details in this aer. 3.2 Analysis of Nishioka Scheme In [25], Nishioka modeled tradoor unlinkaility for a very restricted setting: the attacker is nonadative, the unlinkaility is only for two tradoors, and the model seems to e selective since the challenge keywords are chosen efore the generation of other arameters (in the SPP exeriment. Relying on ilinear grous of comosite-order qw, Nishioka constructed the following scheme (referred to as Instance 3 in [25] and roved the cihertext rivacy and tradoor unlinkaility roerties under some non-standard assumtions (as stated y Nishioka. In the following, we show that the scheme actually achieves more than what Nishioka has exected. KeyGen(λ TraGen(y, SK (, q, w, G, G T, ê, g, g q, g w G C (λ r Z qw g q G q, g = g g q g w, g w G w W = {, }, H : {, } G T = g r g w PK = (qw, G, G T, ê, g q, g w, g, W, H T 2 = H(y r g w SK = (PK, g T y = (T, T 2 Encryt(x, PK Test(C x, T y, PK r 2 Z qw, g q, g q G q if ê(t, C 2 = ê(t 2, C, outut C = g r2 g q, C 2 = H(x r2 g q otherwise, outut C x = (C, C 2 Note that we use the notation G C to emhasize the fact that this algorithm generates ilinear grous of order qw, in contrast to the definition of G C in Section 2.3. A minor remark is that r is defined to e r Z for the TraGen algorithm in [25], ut it is clear that r Z qw makes the scheme work in the same way. In Definition 3 and 4, we assume the attacker to e fully adative in the sense that it can choose the distriution D ased on everything. An immediate relaxation on these definitions is to make the attacker RO-non-adative, which means that the attacker can choose the distriution D ased on everything excet for the random oracle (i.e. the hash function. In ractice, the keywords in search queries might e related to the system arameters in some manner, ut it is hard to imagine a scenario where the keywords would deend on the ehavior of a random function. We argue that the relaxation is minimal and reasonale. Next, we rove that the scheme achieves forward-secure roerties for RO-non-adative attackers in the random oracle model. The roofs aear in Aendix II. It is worth mentioning that Theorem is imlied y the discussion in []. 7

8 Theorem. The scheme achieves RO-non-adative forward-secure function rivacy roerty in the random oracle model. Theorem 2. The scheme achieves RO-non-adative forward-secure tradoor unlinkaility roerty ased on the Weak Comosite-DDH assumtion in the random oracle model. A natural following-u question is whether or not the scheme is (adatively forward-secure in the random oracle model. Referring to the forward-secure tradoor unlinkaility attack game, as shown in Fig. 8, the attacker is required to distinguish the same airs as in the the roof of Theorem 2, with the excetion that the distriution D is defined y the attacker ased on the knowledge of H. It is straightforward to verify that the attacker s advantage is negligile ased on the correlated Comosite- DDH-II assumtion, defined in Section 2.4. However, it is very tricky for the forward-secure function rivacy roerty. Referring to the attack game, as shown in Fig. 9, the attacker s mission is to distinguish the following two airs. = : ((g r( g ( w, H(x ( r( g ( w, g r( 2 g ( q, H(x ( (g r(l g (L w, H(x (L r(l g (L w, g r(l 2 r( 2 g ( q,, g (L q, H(x (L r(l 2 g (L q = : ((g r( g ( w, H(x ( r( g ( w, g r( 2 g ( q, H(x ( (g r(l g (L w, H(x (L r(l g (L w, g r(l 2 r( 2 g ( q,, g (L q, H(x (L r(l 2 g (L q We are not ale to reduce this assumtion to the correlated Comosite-DDH-II assumtion or any other assumtion, even though we might e ale to rove that distinguishing the two airs is hard in the generic grou model. We leave a further investigation of this as a future work. 4 IBE and its Security Proerties An IBE scheme is secified y four algorithms (Setu, Extract, Enc, Dec, defined as follows. Setu(λ: On inut the security arameter λ, this roailistic algorithm returns a master secret key Msk and ulic arameters arams, which should define a message sace M and identity sace I. Extract(Msk, id: On inut a master secret key Msk and a ulic key id I, this roailistic algorithm oututs a secret key sk id. Enc(m, id: On inut a message m M and a ulic key id I, this roailistic algorithm oututs a cihertext C. Dec(C, sk id : On inut a cihertext C and a secret key sk id, this deterministic algorithm oututs a message m or an error symol. 4. Generic Transformation from IBE to PEKS Given an IBE scheme (Setu, Extract, Enc, Dec, the generic transformation works as follows []. Note that the message sace W of the resulted PEKS scheme is the ulic-key sace I of the original IBE scheme.. (Msk, arams = Setu(λ 2. sk id = Extract(Msk, id 3. C = Enc(m, id 4. Dec(C, sk id = m or Fig.. Original IBE. KeyGen(λ = Setu(λ 2. Encryt(x, PK = (m, Enc(m, x, where m R M 3. TraGen(y, SK = Extract(Msk, y 4. Test(C x, T y, PK = iff m = Dec(Enc(m, x, T y Fig.. Resulted PEKS 8

9 4.2 Security Proerties of IBE In this susection, we resent four IBE security roerties, which resectively lead to the four desirale roerties for the resulted PEKS through the generic transformation. Their corresondence is summarized in the following tale. PEKS Proerties IBE Proerties comutational consistency IND-CPA cihertext rivacy anonymity forward-secure tradoor unlinkaility forward-secure key unlinkaility forward-secure function rivacy forward-secure function rivacy In Definition 6 and Definition 7, we follow the Real-or-Random aradigm in all relevant attack games. This means that D is defined y the attacker at its will, ut D always reresents an indeendent uniform distriution for every variale. Definition 5. An IBE scheme achieves IND-CPA security if any P.P.T. attacker A s advantage Pr[ = ] 2 is negligile in the attack game shown in Fig. 2. In the game, the attacker is not allowed to query the Extract oracle with id. An IBE scheme achieves anonymity if any P.P.T. attacker A s advantage Pr[ = ] 2 is negligile in the game shown in Fig. 3. In the game, the attacker is not allowed to query the Extract oracle with id and id.. (Msk, arams Setu(λ 2. (m, m, id, state A Extract (arams 3. R {, }, C = Enc(m, id 4. A Extract (state, C. (Msk, arams Setu(λ 2. (m, id, id, state A Extract (arams 3. R {, }, C = Enc(m, id 4. A Extract (state, C Fig. 2. IND-CPA Fig. 3. Anonymity The following forward-secure key unlinkaility roerty says that any P.P.T. attacker cannot determine the links among rivate keys as long as the underlying identities are samled according to distriutions with min-entroy not smaller than λ. This roerty is an augmented variant of the strong key unlinkaility roerty from [3, 4], where the augmentation lies in two asects. One is that the attacker is given Msk in Ste 4 of the attack game, and this rings in the forwardsecure flavor. The other is that the attacker is allowed to adatively choose the identity distriution D ased on the ulic arameters, while the challenger samles the identities uniformly at random (according to certain atterns defined y the attacker from the identity sace in [3, 4]. Definition 6. An IBE scheme achieves forward-secure key unlinkaility if any P.P.T. attacker A s advantage Pr[ = ] 2 is negligile in the game shown in Fig. 4. In the game, D and D are the joint distriution of L (deendent λ-source random variales, which take values in the identity sace I. The integer L is a olynomial in λ.. (Msk, arams Setu(λ 2. (D, D, L, state A Extract (arams 3. R {, }, id D, sk = Extract(id, Msk 4. A( Msk, state, sk Fig. 4. Forward-Secure Key Unlinkaility The following forward-secure function rivacy roerty says that any P.P.T. attacker cannot determine the links among (rivate key, cihertext airs, as long as the underlying identities are samled according to distriutions with min-entroy not smaller than λ and they are not equal to each other. This roerty is an augmented variant of the enhanced function rivacy roerty from [], where the augmentation lies in two asects. 9

10 One is that the attacker is given Msk in Ste 4 of the attack game, and this rings in the forwardsecure flavor. The other is that, in the enhanced function rivacy roerty definition from [], the conditional min-entroy of id (i given id (,, id(i is required to e at least λ, for all 2 i L. In our definition, we relax this requirement y only asking the samled identities not equal to each other. Definition 7. An IBE scheme achieves forward-secure function rivacy if any P.P.T. attacker A s advantage Pr[ = ] 2 is negligile in the game shown in Fig. 5. In the game, D and D are defined in the same way as in Definition 6, ut with the following restriction: for (id (, id(2,, id(l D I L and any i j L, the roaility Pr[id (i ] is negligile. = id(j. (PK, SK Setu(λ 2. (D, D, L, state A Extract (arams 3. R {, }, id D, sk = Extract(id, Msk, m M L, C = Enc(m, id 4. A Extract,Enc ( Msk, state, sk, C Fig. 5. Forward-Secure Function Privacy For simlicity, we use Enc(m, id to denote (Enc(m (, id(,, Enc(m(L, id (L in Fig. 5. In Ste 4 of the aove game, in an Extract oracle query, the attacker has an index i L as inut and receives Extract(Msk, id (i. In an Enc oracle the attacker has an index j L as inut and receives Enc(m, id (j. It is ovious that oth oracles are necessary even if the attacker ossesses Msk, ecause the attacker may not e ale to generate a new secret key or a cihertext y re-randomizing an existing one. 5 Existing Function-Private IBE Schemes In this section, we first show that the fully-secure IBE scheme y Boneh, Raghunathan, and Segev [, ] does not achieve the forward-secure function rivacy. We then rove that a scheme y Arriaga, Tang, and Ryan [3, 4] achieves RO-non-adative forward-secure function rivacy and forward-secure key unlinkaility in the random oracle model. 5. Boneh-Raghunathan-Segev IBE DLIN2 Scheme The following scheme is referred to as IBE DLIN2 in []. It has een roven fully-secure with resect to enhanced function rivacy (under the definition in [] ased on the DLIN assumtion in the standard model. Setu(λ Extract(Msk, id Γ = (G, G T, ê, g, = G P (λ id = (id, id 2,, id n {, } n A, B, A,, A n Z 2 m S Z m 2 u Z 2, M = G T, I = {, } n F id,s = [A BS + ( id j A j S] j n Msk = (A, B, A,, A n, u v {x F id,s x = u (mod } arams = (Γ, g A, B, g A,, g A n, g u, M, I z = g v G m+2, sk id = (S, z Enc(m, id Dec(C, sk id id = (id, id 2,, id n {, } n, m G T D(id = id j A j, r Z 2 j n c T = g rt A, c T = g rt [B+D(id], c 2 = m ê(g, g rtu m = c 2 ê(d, z C = (c, c, c 2 d T = [c T (c T S ] = g rt F id,s ê(d, z = ê(g, g rt (F id,s v = ê(g, g rt u

11 We show that this scheme does not achieve forward-secure function rivacy, namely an attacker wins the attack game in Fig. 5 with overwhelming roaility. The following attack makes use of the fact that, with Msk, the attacker can transform a cihertext under an identity id into a cihertext under another identity id, for some carefully chosen id and id. To mount an attack, in ste 2 and 4 of the game, the attacker erforms as follows. In ste 2, the attacker sets L = 2, which means D and D are the joint distriution of two identities (id (, id (2. For D, the attacker sets id ( = (id, id 2,, id n as follows: (id, id 2,, id n {, } n and id n =. The attacker sets id (2 = id ( excet that id n =. In ste 4, the attacker firstly otains Msk = (A, B, A,, A n, u. Then, the attacker comutes X Z m m such that A n = A X. Recall that the challenge is (sk, C. Suose that the first cihertext in C is C = (c, c, c 2, which is in the following form: c T = g rt A, c T = g rt [B+D(id ( ], c 2 = m ê(g, g rtu. The attacker now generates a new cihertext C = (c, c, c 2, where c T = c T (c T X = g rt [B+D(id ( ] g rt A X = g rt [B+D(id ( ] g rt A n Let the secret keys in the challenge sk e denoted as (sk id (, sk id (2. The attacker oututs if Dec(C, sk id (2 = Dec(C, sk id (, and oututs otherwise. Recall that, is an oerator for airwise grou oerations etween two the new vectors or matrices. It is clear that c T = g rt [B+D(id (2 ] if (id (, id (2 is samled according to D, then C is a cihertext for Dec(C, sk id ( under the identity id (2. But, this equality holds with a negligile roaility if the identities are samled according to D. The attack works. 5.2 Arriaga-Tang-Ryan IBE Scheme The following scheme was roosed y Arriaga, Tang, and Ryan in [3, 4], ased on an anonymous IBE scheme y Boyen and Waters [4]. This scheme has een roven secure with resect to the strong key unlinkaility roerty (under the definition in [3, 4] in the random oracle model. Comared with our forward-secure key unlinkaility roerty, the definition from [3, 4] is weaker in three asects: ( the attacker is not allowed to adatively choose the identity distriution D and it can only secify the identity atterns (i.e. which identities are equal; (2 according to the atterns, the challenger samles the identities uniformly at random from the identity sace; (3 there is no forward security. Setu(λ Extract(Msk, id Γ = (, q, G, G T, ê, g, g, g q = G C (λ r Z n Γ = (n = q, G, G T, ê, g, g, g q x, x, x 2 G q x, t, t 2 Z n d = x g rt t 2 Ω = ê(g, g xt t 2, v = g t, v 2 = g t 2 d = x g xt 2 H(id rt 2 M = G T, I = {, }, H : {, } G d 2 = x 2 g xt H(id rt Msk = (x, t, t 2, arams = (Γ, Ω, v, v 2, M, I, H sk id = (d, d, d 2 Enc(m, id Dec(C, sk id s, s R Z n e = ê(c, d, e = ê(c, d ĉ = Ω s m, c = H(id s, c = v s s, and c 2 = v s e 2 2 = ê(c 2, d 2, C = (ĉ, c, c, c 2 m = ĉ e e e 2 Similar to the discussions in Section 3.2, an immediate relaxation on Definition 6 and 7 is to make the attacker RO-non-adative, which means that the attacker can choose the distriution D ased on everything excet for the random oracle (i.e. the hash function. Next, we rove that the aove scheme is secure under Definition 6 and 7 for a RO-non-adative attacker. This result is much stronger that what has een roven in [3, 4].

12 Theorem 3. The scheme achieves RO-non-adative forward-secure function rivacy roerty in the random oracle model. The roof of Theorem 3 is exactly the same as that for Theorem, and it is imlied y Theorem 6. from []. Next, we rove the RO-non-adative forward-secure key unlinkaility roerty. This result is an imrovement to Lemma 3 from [3], and it relies on Weak Comosite-DDH assumtion instead of Comosite-DDH assumtion. The roof aears in Aendix III. Theorem 4. The scheme achieves RO-non-adative forward-secure key unlinkaility roerty ased on the Weak Comosite-DDH assumtion in the random oracle model. With these results, a following-u question is whether or not the scheme is (adatively forwardsecure. Referring to the forward-secure key unlinkaility attack game, as shown in Fig. 4, it is straightforward to verify that the attacker s advantage is negligile ased on the correlated Comosite-DDH-II assumtion, similar to the roof of Theorem 6 in next section. However, it is very tricky for the forwardsecure function rivacy roerty. Referring to the attack game, as shown in Fig. 5, the attacker s mission is to distinguish the following two airs. = : ((g r(, H(id ( r( r, (g (2, H(id (2 r(2,, (g r (L, H(id (L r(l = : ((g r(, H(id ( r( r, (g (2, H(id (2 r(2,, (g r (L, H(id (L r(l This seems to e strictly easier for the attacker than in the case of correlated Comosite-DDH-II assumtion, ecause these airs are not randomized y anything from G q. 6 Forward-Secure IBE Construction In [, ], Boneh, Raghunathan and Segev indicated that function rivacy against non-adative attackers is almost trivial to achieve in the random oracle model. In Section 5.2, we showed that forward-secure function rivacy can e achieved against RO-non-adative attackers in the random oracle model. But, it ecomes very tricky in the resence of adative attackers. If an attacker defines the distriutions ased on the ehavior of random oracle (i.e. hash function, then we cannot easily reduce the security to standard hardness assumtions, as shown in the end of last section. In Section?? and 5., our attacks show that the elegant extract-comine-augment aroach from [, ] falls short of achieving our forward-secure function rivacy roerty, intuitively ecause it introduces good algeraic structures into the cihertexts and allows the attacker to mount an attack accordingly. In its imlementation, the extract-comine-augment aroach requires secific modifications to oth encrytion and decrytion algorithms in the underlying IBE scheme. This may not e an easy task to achieve, in articularly to achieve our forward security roerties. In the following, we introduce the concet of deterministic scramler, which serves as a uilding lock to re-rocess identities for any IBE scheme. Similar to the extract ste in the extract-comine-augment aroach, a deterministic scramler scheme eliminates the deendency relationshis among correlated random variales while it does not require any further change to the underlying IBE scheme. As an examle alication, we extend the Boyen-Waters anonymous IBE scheme and rove its security roerties. 6. Deterministic Scramler A deterministic scramler scheme is a crytograhic rimitive to ma inuts from a set X to oututs from another set Y. Formally, it consists of two algorithms. DS.init(λ: this roailistic algorithm returns the ulic arameter aram. DS.enc(x, aram: this deterministic algorithm returns a scramled outut y Y. A deterministic scramler scheme is sound if it is injective with overwhelming roaility. Formally, the roaility that, an attacker can find x x 2 X such that DS.enc(x, aram = DS.enc(x 2, aram, is negligile. 2

13 Definition 8. A deterministic scramler scheme is secure if the attacker s advantage Pr[ = ] 2 is negligile in the attack game, shown in Fig. 6. In the game, D and D are the joint distriutions of L (deendent λ-source random variales, which take values in the sace X. It is required that, for (x (, x(2,, x(l D X L and any i j L, the roaility Pr[x (i ] is negligile. The integer L is a olynomial in λ. = x(j. aram DS.init(λ 2. (D, D, L, state A(aram D 3. R {, }, x X L, y = DS.enc(x, aram 4. A(state, y Fig. 6. Deterministic Scramler Security Note that, we follow the Real-or-Random aradigm, which means that D is defined y the attacker at its will, ut D reresents an indeendent uniform distriution for every variale. The concet of deterministic scramler is closely related to that of correlated-inut secure hash functions y Goyal, O Neill and Rao [9]. Its soundness roerty is indeed the standard collision resistance roerty of hash function, and its security roerty is related to the correlated-inut seudorandomness roerty. Unfortunately, only selective security roerties have een considered in [9] and the constructions assume certain secific correlations among the inuts. The concet of deterministic scramler is also related to that of unseeded deterministic extractors [28]. But, they have sutle differences: deterministic scramler generates indistinguishale oututs for correlated inuts and random inuts, while unseeded deterministic extractor generates oututs which are indistinguishale from random strings. It may seem straightforward to instantiate a deterministic scramler scheme from an unseeded deterministic extractor scheme. However, the existing constructions for unseeded deterministic extractors usually ut strict constraints on the sources (or, inuts, hence it is unclear how to instantiate a deterministic scramler scheme from them. Yet another related concet is deterministic encrytion [5] since oth rimitives aim at hiding the deendent relationshis of their inuts. With resect to their functionalities, deterministic scramler is simler ecause it does not need a decrytion function. With resect to security, deterministic scramler is stronger in the sense that it assumes adative attackers while the security definitions in [5] and most following-us assume non-adative attackers. Very recently, Raghunathan, Segev and Vadhan have considered adative security for deterministic encrytion schemes [26]. Based on their scheme, we can instantiate a deterministic scramler scheme in a straightforward manner: set aram to e the ulic key and set the function DS.enc e the encrytion function. In the instantiation, there may e a need to align the cihertext sace with the outut sace of the deterministic scramler, in which case a standard collision-resistant hash function can e used. 6.2 Extended Boyen-Waters Scheme Given a sound and secure deterministic scramler scheme (DS.init, DS.enc, the following scheme is achieved y extending Boyen-Waters scheme [4] in two stes. The first ste is to relace the identity id in all algorithms with DS.enc(id, aram. This ste guarantees the forward-secure function rivacy roerty, without affecting the IND-CPA and anonymity roerties. The second ste is to emloy comosite-order ilinear grous, similar to the Arriaga-Tang-Ryan IBE Scheme descried in Section 5.2. This ste guarantees that the elements in the secret key can e randomized y randomly-chosen elements from a sugrou. 3

14 Setu(λ Extract(Msk, id Γ = (, q, G, G T, ê, g, g q = G C (λ r, r 2 Z n, Γ = (n = q, G, G T, ê, g, g q x, x, x 2, x 3, x 4 G q x, t, t 2, t 3, t 4 Z n d = x g r t t 2 +r 2 t 3 t 4 Ω = ê(g, g xt t 2, g, g G d = x g xt 2 v = g t, v 2 = g t 2, v 3 = g t 3, v 4 = g t 4 d 2 = x 2 g xt M = G T, I = Z n, aram DS.init(λ (g g DS.enc(id,aram r t 2 (g g DS.enc(id,aram r t d 3 = x 3 (g g DS.enc(id,aram r 2t 4 Msk = (x, t, t 2, t 3, t 4 d 4 = x 4 (g g DS.enc(id,aram r 2t 3 arams = (Γ, g, g, Ω, v, v 2, v 3, v 4, M, I, aram sk id = (d, d, d 2, d 3, d 4 Enc(m, id Dec(C, sk id s, s, s 2 Z n e = ê(c, d, e = ê(c, d ĉ = Ω s m, c = (g g DS.enc(id,aram s, c = v s s e 2 = ê(c 2, d 2,e 3 = ê(c 3, d 3 c 2 = v s 2, c 3 = v s s 2, c 3 4 = v s 2 e 4 4 = ê(c 4, d 4 C = (ĉ, c, c, c 2, c 3, c 4 m = ĉ e e e 2 e 3 e 4 Based on the fact that Boyen-Waters IBE is oth IND-CPA and anonymous ased on the DLIN assumtion, it is clear that the extended scheme achieves the same security roerties given the deterministic scramler scheme is sound. Next, we show that the scheme achieves the other two roerties. The roofs aear in Aendix IV. Theorem 5. The extended scheme achieves the forward-secure function rivacy roerty, if the emloyed deterministic scramler scheme is secure. Theorem 6. The extended scheme achieves the forward-secure key unlinkaility roerty, if the emloyed deterministic scramler scheme is secure. 7 Concluding Remarks In this aer, we have defined two forward-secure roerties for PEKS and IBE resectively. Moreover, we have analysed several existing PEKS and IBE schemes, and extended the Boyen-Waters anonymous IBE scheme y using a new uilding lock (i.e. deterministic scramler. Our analysis shows that it is relatively easy to achieve our roerties against RO-non-adative attackers. However, it is not an easy task to construct secure schemes against adative attackers. In fact, the task seems to e very difficult if we want to use standard hardness assumtions and get rid of random oracle model. Our work has motivated many interesting future directions, and some of them are listed elow. The extract-comine-augment aroach from [, ] is a very elegant aroach to achieve function rivacy without forward security. It remains oen whether the schemes from [, ] achieve key unlinkaility or even forward-secure key unlinkaility. Moreover, as ointed out earlier, this aroach introduces some algeraic structure into cihertexts, which makes the schemes not forwardsecure with resect to function rivacy. It is an interesting task to augment these schemes and enhance the aroach to achieve our forward-secure roerties. As to the concet of deterministic scramler, we only know one method to instantiate it, i.e. using the adative secure deterministic encrytion scheme y Raghunathan, Segev and Vadhan [26]. Unfortunately, the scheme is only secure in the random oracle model, and it seems difficult to have a secure scheme in the standard model as ointed y Wichs [29]. It is a very interesting task to see how to instantiate a deterministic scramler scheme in the standard model. Both PEKS and IBE are secial tyes of functional encrytion [2]. Hence, the concet of forward security is also valuale for other functional encrytion schemes, including other PEKS variants and searchale encrytion schemes in the symmetric-key setting. As shown in [2, 2], roosing aroriate security definitions for these schemes may e very tricky due to the more comlex functionalities and the inequality of indistinguishaility and simulation ased aroaches. This is a ig oen research area for the future. The forward-secure roerties for IBE have een motivated y constructing forward-secure PEKS schemes. It is interesting to investigate their imlications in other alications of IBE, and study their relationshis with other secial roerties such as those from [6, 3]. 4

15 Acknowledgement. The author would like to thank Afonso Arriaga and Vincenzo Iovino for their helful discussions. References. M. Adalla, M. Bellare, D. Catalano, E. Kiltz, T. Kohno, T. Lange, J. Malone-Lee, G. Neven, P. Paillier, and H. Shi. Searchale encrytion revisited: Consistency roerties, relation to anonymous ie, and extensions. J. Crytol., 2(3:35 39, S. Agrawal, S. Agrawal, S. Badrinarayanan, A. Kumarasuramanian, M. Prahakaran, and A. Sahai. Function rivate functional encrytion and roerty reserving encrytion : New definitions and ositive results. htt://erint.iacr.org/23/744, A. Arriaga, Q. Tang, and P. Ryan. Tradoor rivacy in asymmetric searchale encrytion schemes. htt://erint.iacr.org/23/33.df, A. Arriaga, Q. Tang, and P. Ryan. Tradoor rivacy in asymmetric searchale encrytion schemes. In D. Pointcheval and D. Vergnaud, editors, Progress in Crytology AFRICACRYPT 24, volume 8469 of LNCS, ages 3 5. Sringer, M. Bellare, A. Boldyreva, and A. O Neill. Deterministic and efficiently searchale encrytion. In A. Menezes, editor, Advances in crytology CRYPTO 27, volume 4622 of LNCS, ages Sringer, M. Bellare and S. K. Miner. A forward-secure digital signature scheme. In M. J. Wiener, editor, Advances in Crytology CRYPTO 999, volume 666 of LNCS, ages Sringer, D. Boneh, X. Boyen, and H. Shacham. Short grou signatures. In M. Franklin, editor, Advances in Crytology CRYPTO 24, volume 352 of LNCS, ages 4 55, D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano. Pulic Key Encrytion with Keyword Search. In C. Cachin and J. Camenisch, editors, Advances in Crytology EUROCRYPT 24, volume 327 of LNCS, ages Sringer, D. Boneh and M. K. Franklin. Identity-ased encrytion from the weil airing. In J. Kilian, editor, Advances in Crytology CRYPTO 2, volume 239 of Lecture Notes in Comuter Science, ages Sringer, 2.. D. Boneh, A. Raghunathan, and G. Segev. Function-rivate identity-ased encrytion: Hiding the function in functional encrytion. In R. Canetti and J. A. Garay, editors, Advances in Crytology CRYPTO 23, volume 843 of LNCS, ages Sringer, 23.. D. Boneh, A. Raghunathan, and G. Segev. Function-rivate identity-ased encrytion: Hiding the function in functional encrytion. htt://erint.iacr.org/23/283.df, D. Boneh, A. Sahai, and B. Waters. Functional encrytion: Definitions and challenges. In Y. Ishai, editor, Theory of Crytograhy - 8th Theory of Crytograhy Conference, TCC 2, volume 6597 of LNCS, ages Sringer, D. Boneh and B. Waters. Conjunctive, suset, and range queries on encryted data. In S. P. Vadhan, editor, Proceedings of the 4th conference on Theory of crytograhy, volume 4392 of LNCS, ages Sringer, X. Boyen and B. Waters. Anonymous hierarchical identity-ased encrytion (without random oracles. In C. Dwork, editor, Advances in Crytology CRYPTO 26, volume 47 of LNCS, ages Sringer, R. Canetti. Towards realizing random oracles: Hash functions that hide all artial information. In B. S. Kaliski Jr., editor, Advances in Crytology CRYPTO 997, volume 294 of Lecture Notes in Comuter Science, ages Sringer, S. M. Chow. Removing escrow from identity-ased encrytion. In S. Jarecki and G. Tsudik, editors, Pulic Key Crytograhy PKC 29, 2th International Conference on Practice and Theory in Pulic Key Crytograhy, volume 5443 of LNCS, ages Sringer, I. Damgård, C. Hazay, and A. Zottarel. Short aer on the generic hardness of DDH-II. htt://cs.au.dk/ angela/hardness.df, Accessed in May, W. Diffie, P. C. Oorschot, and M. J. Wiener. Authentication and authenticated key exchanges. Designs, Codes and Crytograhy, 2(2:7 25, V. Goyal, A. O Neill, and V. Rao. Correlated-inut secure hash functions. In Y. Ishai, editor, Theory of Crytograhy 8th Theory of Crytograhy Conference, TCC 2, volume 6597 of Lecture Notes in Comuter Science, ages Sringer, C. Günther. An identity-ased key-exchange rotocol. In J. Quisquater and J. Vandewalle, editors, Advances in Crytology EUROCRYPT 989, volume 434 of Lecture Notes in Comuter Science, ages Sringer, Y. H. Hwang and P. J. Lee. Pulic key encrytion with conjunctive keyword search and its extension to a multi-user system. In T. Takagi, editor, Pairing-Based Crytograhy Pairing 27, volume 4575 of LNCS, ages Sringer, V. Iovino and G. Persiano. Hidden-vector encrytion with grous of rime order. In S. D. Galraith and K. G. Paterson, editors, Pairing-Based Crytograhy Pairing 28, volume 529 of LNCS, ages Sringer, 28. 5