About the Authors:

Shangping Wang

Roles Formal analysis, Methodology

Affiliation: School of Science, Xi’an University of Technology, Xi’an, Shaanxi, China

ORCID logo http://orcid.org/0000-0002-8964-5328

Qian Zhang

Roles Methodology, Writing – original draft

* E-mail: [email protected]

Affiliation: School of Science, Xi’an University of Technology, Xi’an, Shaanxi, China

ORCID logo http://orcid.org/0000-0001-9557-483X

Yaling Zhang

Roles Validation, Writing – review & editing

Affiliation: School of Computer Science and Engineering, Xi’an University of Technology, Xi’an, Shaanxi, China

Jin Sun

Roles Validation

Affiliation: School of Science, Xi’an University of Technology, Xi’an, Shaanxi, China

Juanjuan Chen

Roles Writing – review & editing

Affiliation: School of Science, Xi’an University of Technology, Xi’an, Shaanxi, China

Xiaoqing Sun

Roles Writing – review & editing

Affiliation: School of Science, Xi’an University of Technology, Xi’an, Shaanxi, China

Abstract

Most recently, Kan Yang et al. proposed an attribute-keyword based encryption scheme for data publish-subscribe service(AKPS), which is highly useful for cloud storage scenario. Unfortunately, we discover that there is a flaw in the security proof of indistinguishability of the tag and trapdoor against chosen keyword attack under the Bilinear Diffie-Hellman (BDH) assumption. As the security proof is a key component for a cryptographic scheme, based on the Decisional Diffie-Hellman (DDH) assumption, we improve the security proof method and give a new security proof of the AKPS scheme for indistinguishability of the tag and trapdoor in our proposal, which is more rigorous than the original one. Furthermore, we also demonstrate that the AKPS scheme is secure against data Replayable Chosen Ciphertext Attack (RCCA).

Figures

Fig 3

Fig 1

Table 1

Fig 2

Fig 3

Fig 1

Table 1

Fig 2

Citation: Wang S, Zhang Q, Zhang Y, Sun J, Chen J, Sun X (2019) Improving the proof of “Privacy-preserving attribute-keyword based data publish-subscribe service on cloud platforms”. PLoS ONE 14(2): e0212761. https://doi.org/10.1371/journal.pone.0212761

Editor: Mehmet Hadi Gunes, University of Nevada, UNITED STATES

Received: June 19, 2018; Accepted: February 7, 2019; Published: February 25, 2019

Copyright: © 2019 Wang et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: All relevant data can be found within the paper and its Supporting Information files.

Funding: This research is supported by the National Natural Science Foundation of China (No. 61572019 http://www.nsfc.gov.cn), the Key Project of Research Foundation of Natural Science Foundation of Shaanxi Province of China (NO.2016JZ001. http://www.sninfo.gov.cn/).

Competing interests: The authors have declared that no competing interests exist.

I. Introduction

Data publish-subscribe system [1, 2] is an appropriate mode for data users to receive data for interest. Cloud server, owing to considerable resources on storage and calculation, has been proven to be the most applicable platform for this service [3–5].

To realize fine-grained access control of data on cloud storage, the concept of the attribute-based encryption (ABE) was proposed. Generally ABE can be divided into two categories: Ciphertext- Policy Attribute-based Encryption (CP-ABE) [6, 7] and Key-Policy Attribute-based Encryption (KP-ABE) [8], both are intended for one-to-many access mode. Attribute-based encryption is an extension of public-key cryptography and identity-based cryptography. Compared with traditional cryptography, attribute-based encryption provides a more flexible encryption and decryption relationship. For example, in an attribute-based encryption mechanism, both the ciphertext and the secret key are associated with a set of attributes, and the data owner can specify an encryption policy consisting of attributes, and the resulting ciphertext can be decrypted only by the data user whose attributes satisfies the encryption policy. The non-interactive access control with fine-grained can be realized effectively by attribute-based encryption, which greatly enriches the flexibility of encryption policy and the description of user's rights. Due to its high efficiency, dynamic, flexibility and privacy, attribute-based encryption has a good application foreground in distributed file management, third party data storage and pay-TV system. With the development and popularization of cloud computing technology, more and more enterprises and users are outsourcing their data to cloud service providers, which providing a good way to protect data security and privacy by applying attribute-based encryption.

In [9, 10], a Dual-policy ABE was created to achieve CP-ABE and KP-ABE simultaneously, and it was appropriate for data publish-subscribe system as it enables the publishers and the subscribers to define individual policy according to the feature. A publish-subscribe system should meet the following requirements. (i) The publisher publishes data and specifies which subscribers can access his/her data and the subscriber may specify the data he/she is interested in; (ii) Allow subscribers to perform multiple keyword search; (iii) Search queries that allow multiple users to retrieve data. Considering data privacy, the keyword privacy in the tag and trapdoor and the decryption overhead from the subscriber, Kan Yang proposed a privacy-preserving attribute-keyword based data publish-subscribe (AKPS) scheme [1]. Firstly, the AKPS scheme implemented the access policy and subscription policy respectively by using dual policy attribute-based encryption, which could make the subscriber's attributes satisfy the publisher's access policy and the data released by the publisher also satisfied subscription policy specified by the subscriber. In this way, the AKPS scheme could achieve the fine-grained two-way access control. Secondly, by using the concept of attribute-keyword, the subscriber's subscription policy was constructed, which was designed to avoid the leaking of keywords information and realized the multi-keyword search and the expression of subscription policy. Thirdly, attribute-keyword based data publish-subscribe scheme supported multiple publishers and multiple subscribers, and could be used to data sharing with access control in publish-subscribe system on cloud platforms. Finally, the decryption overhead was transferred from the subscribers’ devices to the cloud supporter to reduce the subscriber’s computational burden by using outsourcing decryption technology [11–13], which was a practical tool for lightening the computational load on the subscriber side in reality result from that mobile devices have become primary computing device for many users and enterprises.

Unfortunately, we discovered that the security proof of the AKPS scheme [1] was not enough rigorous and adequate after carefully researching it. According to the security proof of the AKPS scheme[1], we find with random guessing, the adversary can solve the Bilinear Diffie-Hellman (BDH) problem with a probability of 1/2, and their security proof actually has nothing to do with the adversary’s attacking of the scheme (the detail is refer to section IV). Through analyzing the security of the original AKPS scheme [1], we also find it is hard to apply the BDH assumption to the security proof of the AKPS scheme. Therefore in order to prove the security of the chosen keyword attack for indistinguishability of the tag and the trapdoor for the AKPS scheme, we carry out a detailed analysis of the AKPS scheme and study the basic steps of the provable security method. Through careful analysis and research, we discover that the Decisional Diffie-Hellman (DDH) assumption can be used to prove the security of the AKPS scheme.

In view of this, we improve the proof method and design a new security proof of the AKPS scheme for indistinguishability of the tag and trapdoor based on the DDH assumption, our new security proof is more rigorous than their original proof. In addition, Chosen Ciphertext Attack (CCA) security [12, 14] was regarded as the appropriate security notion for encryption schemes used as components in general protocols and applications. Whereas, there exists a weaker secure notion called Replayable Chosen Ciphertext Attack (RCCA) [15] security than the CCA security, and has been proven to be sufficient for most actual intention. In this paper we prove that the data security of the AKPS scheme is of RCCA security, which is not presented in [1].

Our Contributions

(1) We show that the security proof of the AKPS scheme [1] is not enough rigorous and adequate, and we give a detail analysis about it in section IV.

(2) We improve the security proof method and present a new security proof of the AKPS scheme for indistinguishability of the tag and trapdoor based on the DDH assumption.

(3) Using the conclusion that the Waters’s scheme in [6] is the selectively CPA-secure, we can prove that the AKPS scheme realizes data security against replayable chosen ciphertext attack (RCCA).

In order to make the overall layout of the system clearer, the flaw-chart of the system is shown in Fig 1.

[Figure omitted. See PDF.]

Fig 1. Flaw-chart in the system.

https://doi.org/10.1371/journal.pone.0212761.g001

II. Preliminaries

In this section, we present the basics of mathematics and cryptography required in the scheme, including the deterministic assumptions used in the proof, system model of the AKPS scheme and the security definition of the AKPS scheme.

A. Decisional Diffie-Hellman (DDH) assumption

Definition 1 (DDH [16]).Let x,y,z∈Zp be chosen at random and g be a generator of G. The Decisional DH assumption is that there is no probabilistic polynomial time algorithm P can distinguish the tuple (A = gx,B = gy,C = gxy) from the tuple (A = gx,B = gy,C = gz) with more than a negligible advantage ε. The advantage of P is defined as |Pr[(A,B,gxy) = 0]−Pr[A,B,gz] = 0| = ε.

B. Decision q-parallel Bilinear Diffie-Hellman Exponent (BDHE) assumption

Definition 2 (Decision q-parallel BDHE [11]). Let a,s,b1,⋯,bq∈Zp be chosen randomly and g be a generator of G. If an adversary is given by

It must be hard to distinguish a valid tuple from a random element R in GT. An algorithm has advantage ε in solving q-parallel BDHE in G if .

C. System model of AKPS

At the beginning, we give some notations that will appear in the AKPS scheme as shown in Table 1.

[Figure omitted. See PDF.]

Table 1. Notations.

https://doi.org/10.1371/journal.pone.0212761.t001

The system model of the data publish-subscribe service on cloud platforms as shown in Fig 2. It consists mainly of four entities: Authority, data publishers, data subscribers, and cloud server. The authority is responsible for establishing the system and generating private keys for data publishers and data subscribers, respectively. The publisher, on the one hand, encrypts data under an access policy about attributes and obtains data ciphertext; on the other hand, encrypts a set of keywords with his/her private key to generate the data tags. The data ciphertext and data tags are then uploaded to the cloud server. The subscriber defines a subscription policy for a set of keywords and uses it to generate search trapdoor, and uses his/her private key to generate the pre-decryption key. The search trapdoor and pre-decryption key are then uploaded to the cloud server. The cloud servers can provide storage and computing services for users because of their considerable storage and computing resources. After receiving the data ciphertext and data tags from the publisher and the search trapdoor and pre-decryption key from the subscriber, the cloud server first conducts the access policy test and the subscription policy test, if and only if the subscriber's attributes satisfy the publisher's access policy and the publisher's tags satisfies the subscriber's subscription policy, the cloud server uses the subscriber's pre-decryption key to pre-decrypt the ciphertext, and sends the pre-decrypted data to the subscriber. The subscriber then decrypts the pre-decrypted data using his/her private key to get the plaintext data.

[Figure omitted. See PDF.]

Fig 2. System model of data publish-subscribe service on cloud platforms.

https://doi.org/10.1371/journal.pone.0212761.g002

D. Security definition of AKPS

Definition 3 (Td-IND-CKA-Game).Trapdoor indistinguishability security against chosen keyword attacks (Td-IND-CKA) is described in detail in Definition 6 of [1].

Definition 4 (Tag-IND-CKA-Game). Tag indistinguishability security against chosen keyword attacks (Tag-IND-CKA) is described in detail in Definition 7 of [1].

Definition 5 (Data-RCCA [11]). The AKPS scheme is Data-RCCA secure if there is no probabilistic polynomial-time adversary who can win in Data-RCCA-Game.

Definition 6 (Data-RCCA-Game [11]).The Data-RCCA-Game involves a challenger CΛ and an adversary A as follows.

Setup: The challenger CΛ runs the setup algorithm and gives the public key pk to the adversary A, but does not divulge master secret key msk.

Phase 1: The challenger CΛ initializes an empty set D and an empty table T respectively, setting an integer j = 0. The adversary A makes the following adaptive query to CΛ.

The challenger CΛ sets j≔j+1. It runs the key generation algorithm and pre-decryption algorithm on to obtain the pair and stores the entry in table T, it then returns to the adversary A the pre-decryption key . Note that is decrypt key and is pre-decrypt key about attribute set subj.

Corrupt(i): If there is an ith entry in T, then CΛ sets and returns to the adversary A the . Otherwise, it returns the symbol ⊥ meaning that there is no such entry.

If there is an ith entry in T, then CΛ returns the outcome of decryption to the adversary A on takes the tuple as input. If no such entry exists, then it returns ⊥.

Challenge: The adversary A submits two equal-length messages m0 and m1. In addition A submits (M*,ρ*) as the challenge access structure, where no queried from phase 1 fulfill it. The challenger CΛ then flips a random coin b, and encrypts mb under M*, gives the adversary with .

Phase 2: The response is the same as Phase 1 with the following restrictions:

* A cannot conduct a corrupt query that satisfies (M*,ρ*).

* no decryption queries on the message m0 or m1.

Guess: The adversary A outputs a guess b′ of b.

We define A′s advantage in Data-RCCA-Game as Advdata = |Pr[b′ = b]−1/2|.

Definition 7 (AKPS Security) The AKPS scheme is secure if it is Td-IND-CKA secure, Tag-IND-CKA secure and Data-RCCA secure.

The security of the AKPS scheme (Fig 3) encompasses the following two facets. On the one hand, Td-IND-CKA security and Tag-IND-CKA security can be reduced to the DDH assumption. On the other hand, regarding Data-RCCA security, this can be reduced to the security of Waters scheme [6].

[Figure omitted. See PDF.]

Fig 3. Security proof of the AKPS.

https://doi.org/10.1371/journal.pone.0212761.g003

III. Brief Review of AKPS

We briefly review the AKPS scheme below, which mainly contains five phases: System initialization, Trapdoor generation, Data publication, Policy checking and Pre-decryption, and Data decryption. For a detailed introduction to the scheme, please refer to [1].

Setup(1k)→(msk,pk). The authority initializes the system by running the setup algorithm. It chooses two multiplicative groups G and GT. Let g is a generator of G. Chooses two hash functions H1,H2:{0,1}*→G and . Then, it sets respectively the master key msk and public key pk as msk = (ga,α,β,γ) and pk = (p,g,G, GT,e,e(g,g)a,gα,gβ,gγ,H1,H2).

SKeyGen(msk,pk,{Ssub},{pub})→(sksub,skpub). For each subscriber sub who has the attribute set Ssub and each publisher pub, the authority chooses random numbers respectively, and respectively generates the secret key sksub and skpub for each of subscribers and each of publishers as

TdGen(sksub,pk,(Mt,ρt))→(Tdsub,pkdsub,dksub). To subscribe some interested data, the subscriber first defines an access structure as (Mt,ρt), where Mt is a nt×lt subscription matrix with ρt mapping its rows to keywords. The subscriber first generates a decryption key dksub = zt by selecting a random number . It then selects and a random vector , For j = 1 to nt, it computes λt,j = Mt,j⋅vt, where Mt,j is the vector corresponding to the jth row of Mt. It then computes tj = λt,j⋅zt. Using it, subscriber designs the trapdoor as In order to protect the keyword leakage from the subscription policy, only Mt of the subscription policy (Mt,ρt) will be sent to the cloud together with the trapdoor, while ρt is kept secret against the cloud server. The pre-decryption key pdksub is generated as .

Encrypt(m,Sm,pk,skpub, (M,ρ))→(Cm,Tm). To publish data, the publisher first defines an access policy over attributes of subscribers. The access policy is also described by an LSSS structure as (M,ρ), where M is an n×l access matrix and ρ maps the rows of M to attributes. The publisher then runs the following encryption algorithm to encrypt the data, which contains part of the two.

∙DataEnc(m,pk,(M,ρ))→Cm. First, the publisher chooses random values with two vectors and . For i = 1 to n, it computes λi = Mi⋅v1 and μi = Mi⋅v2, where Mi is the vector corresponding to the ith row of M. It outputs the ciphertext Cm as

∙TagGen(Sm,pk,skpub,S2)→Tm. The publisher takes the same random number S2 as input, and outputs the tags as .

The policy test algorithm consists of both access policy test and subscription policy test, and if and only if both policies are satisfied, the algorithm continues to pre-decrypt the data, otherwise it terminates.

∙Access policy test. Access policy test is easier than the subscription policy test, because the attributes are not hidden in both the access policy and the pre-decryption key, while the keywords are hidden in both trapdoors and tags. Therefore, algorithm first evaluates whether the attributes of the subscriber can satisfy the access policy associated with data. If the access policy is not satisfied, the policy test algorithm will terminate.

∙Subscription policy test. If the access policy is satisfied, it continues to test whether the tags can satisfy the subscription policy in the trapdoor by running the following subroutine:

−KwdLocate(Tm,Tdsub)→It. Due to the obfuscation of keyword in both the trapdoor and the tags, the algorithm first locates the row number in Mt for each tag. When finished search for all the tags, it outputs an index set It = {j|ρt(j) = wi, ∀wi∈Sm}. To test whether the tag Wi and the trapdoor Tdj are corresponding to the same keyword, it checks whether the following equation is equal.

∙Data pre−decryption. If both access policy and subscription policy are satisfied, the algorithm pre-decrypts the data as follows.

The cloud server computes TK1 from the trapdoor and the data tag asSimilarly, it further computes TK2 from the ciphertext by using the pre-decryption key asWhen obtaining both TK1 and TK2, it computes the token as The pre-decrypted data is denoted in an Elgamal encryption form [17] as

Upon receiving the pre-decrypted data, the data can be easily decrypted by the subscriber as .

IV. Analysis on the security proof of AKPS

In this section, we give a detail analysis about the security proof of the AKPS scheme [1], and point out the flaw of their security proof in [1]. In order to make it clearer, we will name the theorems in the AKPS scheme as Theorem 1, Theorem 2, Theorem 3, and name the security proof of our theorems in section V as Theorem 1', Theorem 2', and Theorem 3'.

The security proof of the AKPS scheme [1] is based on the hardness of the BDH problem, and we find that the security proof of the AKPS scheme is not rigorous and adequate. In the AKPS scheme, Theorem 1 is about the Td-IND-CKA security of the AKPS scheme, it is proved in the random oracle model under the BDH assumption. The BDH assumption and assumption 1 in [1] are as follows.

BDH assumption: Let A be an attacker whose running time is polynomial in a security parameter k. Given a tuple (g,ga,gb,gc), where . The attacker A tries to compute the answer of the BDH problem. We define A′s advantage in work out the BDH problem as

Assumption 1: The BDH problem is said to be computationally intractable if is negligible in k.

In their proof, the challenger interacts with the adversary A to conduct the security game. Let’s recall the proof procedure of Theorem 1 about Td-IND-CKA.

Firstly, the challenger sets master key msk = (ga,α,β,γ) and public key pk = (g,G,GT, gα,gβ,gγ). Then it generates a private key for a subscriber by selecting a random number rsub. Then adversary A submits two equal- length keyword vectors and In addition, A also submits a challenge access policy which can be satisfied by both of the two keyword vectors. flips a random binary coin b∈{0,1}, then selects randomly and computes share component and tj = λt,j⋅zt. Using generated private key sksub, generates the challenge trapdoor as

In the challenge phase, the challenger conducts the simulation of trapdoor corresponding the keyword vectors are submitted by the adversary A. Subsequently, the adversary A needs to compute as the solution to the BDH problem, where given the BDH tuple as .

After challenger gives the challenge trapdoor and the input of BDH problem to adversary A, the adversary A needs to calculate the solution of the BDH problem as:The adversary A then outputs a random guess b′ of b, if b′ = b, it means that the adversary A calculates the solution of the BDH problem. Since it is a random guess, the guessing probability of this case is 1/2. If b′ ≠ b, it means that the adversary A does not calculate the solution of the BDH problem, and the probability of this case is also 1/2. Therefore, the adversary A can solve the BDH problem with a probability of 1/2, but did not attack the real AKPS scheme. In other words, the adversary A has no advantage in the attack of the scheme and it does not need to interact with . The only thing that needs the adversary A to do is just a random guess b′ of b. From the above analysis, we can obtain the conclusion that the security proof of the AKPS scheme is not adequate.

Similarly, it’s the same as theorem 1 in theorem 2, which is about the security of the Tag-IND-CKA.

The theorem 3 of the AKPS scheme [1] is that the AKPS is Data-CPA secure in the random oracle if the decision q-parallel BDHE assumption holds. In Theorem 3, the outsourcing decryption technology of the AKPS scheme is based on the technique in [11]. Specifically, to enable the cloud server to pre-decrypt the data, the pre-decryption key generation algorithm is constructed by employing the technique from [11], which is proven to be semantic security against chosen plaintext attacks by using literature [6]. Similarly, the AKPS scheme can be proven to be Data-CPA secure, nevertheless the original AKPS scheme [1] dose not gives specific proof. Through researching the literature [11], we conclude that the security proof in [11] is reduced to Waters scheme [6], which is proven to be Data-RCCA secure. Therefore, using the proof method in [6], we demonstrate Data-RCCA security on the AKPS scheme, and the specific proof can be found in Theorem 3' of Part V.

V. Improving the security Proof of AKPS

In this section, we will give our new security proof of the AKPS scheme about the security of the trapdoor and tag. In addition, we give a new security proof of the Data-RCCA security for the AKPS scheme.

Loosely speaking, the security proof of a cryptographic scheme can be described as follows. A pre-defined difficult problem is deployed by the challenger, and the adversary is supposed to attack the constructed scheme in a security game. The challenger interacts with the adversary to conduct the security game, and inserts the difficulty problem into the scheme. Only if the adversary attacks the scheme successfully with a non-negligible advantage, then the challenger can figure out the difficulty problem correctly with a non-negligible advantage. So if the difficulty problem is really hard to solve then the constructed scheme is secure. Our security proof of the AKPS scheme is based on the DDH assumption in this section. The new security proofs are given as theorem 1' and theorem 2', where theorem 1' is about Td-IND-CKA secure, and theorem 2' is about Tag-IND-CKA secure. While theorem 3' is about Data-RCCA secure which is a complete new proof for the security of AKPS scheme [1]. Our security proof is different from the original one in [1], one of the main differences is that our proof is under the DDH assumption while their proof is BDH assumption, as we cannot apply the BDH assumption to the security proof of the AKPS scheme [1].

Td-IND-CKA Security

Theorem 1'.The AKPS scheme is Td-IND-CKA secure in the random oracle model if the DDH problem is intractable.

Proof. Suppose that there is an adversary A1 with non-negligible advantage ε1 in the Td-INK-CKA Game against the construction of AKPS scheme in [1]. We build a simulator S1 that can figure out the DDH problem with advantage ε1/2, the simulation proceeds as follows. Let the challenger C1 generates public parameter (e,g,G,GT) and G = <g>. C1 flips a fair binary coin φ∈{0,1} outside of view. if φ = 1, C1 sets (A,B,Z) = (gx,gy,gxy), else it sets (A,B,Z) = (gx,gy,gz), where given the values x,y,z are chosen randomly from

Setup: The simulator S1 runs Setup(k) algorithm, sets msk = (α,β,γ) for value β had known by S1 that chosen randomly from , where implicitly sets α = x,γ = y.Then S1 computes public key pk = (gα,gβ,gγ) and sends it to A1. In addition, S1 generates respectively private key skpub and sksub for publisher and subscriber asEach of which does not be divulged to A1, where .

Phase 1: The A1 can adaptively query, S1 answers queries as following.

H2 query. A1 can query the random oracle H2. To respond to H2 queries, S1 maintains a list of tuple called the H2 list, which is initially empty. When A1 queries H2 at a specific point wi∈{0,1}*, S1 responds as follows:

—If the query wi already appears on the H2 list in a tuple , then S1 responds A1 with the tuple .

—Else, S1 chooses a random value , sets and stores the tuple into H2 list.

Tag query. A1 is allowed to issue queries for the tag of a set of keywords kw = (w1,⋯,wn), S1 chooses randomly . For each keyword wi, using the publisher’s private key skpub, S1 makes the corresponding response as

Challenge: Let two equal-length keyword vectors , submitted by the adversary A1, which have not been queried in above phase. In addition, A1 submits a challenge access policy , which can be satisfied by both of the two vectors. S1 flips a random binary coin b∈{0,1}, selects randomly and a vector . Subsequently, it computes and tj = λt,j∙zt. Using subscriber’s private key sksub, S1 generates the challenge trapdoor as

is the correct trapdoor component only if Z = gxy, else is a random element.

Phase 2: It’s the same as Phase 1.

Guess: A1 outputs a guess b′ of b. if b′ = b, then S1 outputs φ = 1 to indicate that it is given a valid DDH tuple, otherwise it outputs φ = 0 to indicate that it is a random element. The advantage of S1 to solve DDH problem is

Therefore, if the A1 has a non-negligible advantage ε1 in the above game, then we can build a simulator S1 which can break the DDH problem with non-negligible advantage ε1/2, which is an intractable problem. Hence, the theorem 1.

B.Tag-IND-CKA Security

Theorem 2'.The AKPS scheme is Tag-IND-CKA secure in the random oracle model if the DDH problem is intractable.

Proof. Suppose that the adversary A2 with non-negligible advantage ε2 in the Tag-INK-CKA Game against the construction of AKPS scheme in [1]. We build a simulator S2 that can solve the DDH problem with advantage ε2/2. The simulation proceeds as follows. Let the challenger C2 generates the parameter (e,g,G,GT) and G = <g>. Then it flips a fair binary coin ϕ∈{0,1}, outside of view. If ϕ = 1, C2 sets (A,B,Z) = (gx,gy,gxy), otherwise it sets (A,B,Z) = (gx,gy,gz) for values x,y,z chosen randomly from .

Setup: The simulator S2 runs Setup(k) algorithm, sets msk = (α,β,γ) for value α had known by S2 chosen randomly from , where implicitly sets (β = x,γ = y). Then S2 computes public key pk = (gα,gβ,gγ) and sends it to A2. In addition, S2 generates respectively private key skpub and sksub for publisher and subscriber asEach of which does not be divulged to A2, where .

Phase 1: The adversary A2 can adaptively query, S2 answers queries as following.

H2 query. A2 can query the random oracle H2. To respond to H2 queries, S2 maintains a list of tuple called the H2 list, which is initially empty. When A2 queries H2 at a specific point wi∈{0,1}*, S2 responds as follows:

—If the query wi already appears on the H2 list in a tuple , then S2 responds A2 with the tuple .

—Else, S2 chooses a random value , sets and stores the tuple into H2 list.

Trapdoor query: A2 is allowed to issue queries for the trapdoor of a set of keywords kw′ and a subscription policy SPkw′ (the subscription policy is described as ) constructed over kw′.

S2 chooses randomly , sets vector and computes and . Then, using subscriber’s private key sksub, S2 generates the corresponding challenge trapdoor as

Challenge: Let kw0 = (w0,1,⋯,w0,n), kw1 = (w1,1,⋯,w1,n) are two equal-length keyword vectors submitted by the adversary A2,which have not been queried in above phase. Then S2 flips a random coin b∈{0,1} and selects randomly . Using publisher’s private key skpub, S2 generates the challenge tag as and are the correct trapdoor component only if Z = gxy, else the component of both are random element.

Phase 2: It’s the same as Phase 1.

Guess: A2 outputs a guess b′ of b. if b′ = b,then S2 outputs ϕ = 1 to indicate that it is given a valid DDH tuple, else it outputs ϕ = 0 to indicate that it is a random element. The advantage of S2 to solve the DDH problem is

Therefore, if the A2 has a non-negligible advantage ε2 in the above game then we can build a simulator S2 which can break the DDH problem with non-negligible advantage ε2/2, which is an intractable problem. Hence, the theorem 2.

C.Data-RCCA Security

Theorem 3'. The AKPS scheme is RCCA secure in random oracle model assuming that the Waters scheme [6] is a selectively CPA-secure scheme.

Proof. Suppose there is a polynomial-time adversary A3 that can attack our scheme in the selective RCCA security model with advantage ε3. we build a simulator S3 that can attack the Waters scheme in the selective CPA-security model with advantage ε3 minus a negligible amount. Let C3 be the challenger of the Waters scheme.

Init: The simulator S3 runs A3. A3 chooses the challenge access structure (M*,ρ*), which S3 sends it to the Waters challenger C3.

Setup: S3 queries C3 to obtain the Waters public key pk = (g,e(g,g)a,gα) and a hash function H1. It sends these to A3 as the public parameters.

Phase 1: The simulator S3 initializes an empty table T, an empty set D and an integer j = 0. Then S3 responses to A3 as follows:

sets j≔j+1. It has the condition of the two.

—If (M*,ρ*) be satisfied by then it choose a “fake” pre-decryption key as follows. It chooses randomly and sends to C3 to query the corresponding user secret key , then set and implicitly set where secret key pairs is incomplete, but that is be fittingly distributed if d was substitute for the unknown value zt = d/a.

—Otherwise, S3 sends to C3 to request the corresponding secret key, and C3 replies with the secret key Note that we substitute the symbol of Waters scheme for the symbol of AKPS scheme, which represent the same meaning with it. The algorithm chooses random value where , and sets pre-decryption key as .

Finally, store in table T and return to A3.

Corrupt(i): A3 can adaptively queries any secret corresponding to the access structure expect (M*,ρ*). If there is an ith entry in table T, thent S3 sets D as It then returns to the adversary A3 with the , or ⊥ otherwise.

Thinking that S3 and A3 can obtain the pdksub values for all keys created, either can realize the pre-decryption algorithm. Therefore, we assume that ciphertexts which we obtain are already partially decrypted. Let CT = (C,TK) be associated with structure (Mχ,ρχ). Extract the entry from table T. If it is not exist there or unsatisfied (Mχ,ρχ), return ⊥ to A3.

—If ith does not satisfy the (M*,ρ*), obtain the records from table T, then parse it to output in response of A3 queries. If none exist, return ⊥ to A3.

—If ith satisfy the policy (M*,ρ*), obtain the records from table T, then parse it to output in response of A3 queries. If none exist, return ⊥ to A3.

Challenge: A3 submits two equal-length messages m0 and m1, S3 sends it to challenger C3, then the challenger C3 flips a random coin b∈{0,1} to obtain the challenge ciphertext under the access structure (M*,ρ*), then S3 sends the to A3.

Phase 2: The response is the same as Phase 1, expect that no decryption queries would be either m0 or m1.

Guess: Eventually, A3 outputs a guess b′∈{0,1}, then S3 outputs b′.

Hence, if the adversary A3 can break the AKPS scheme with the given advantage ε3, then S3 can break the Waters scheme with the same advantage. Hence, the theorem 3.

VI. Conclusion

We analyze the security proof of AKPS scheme [1] for indistinguishability of tag and trapdoor and show that the security proof of the AKPS scheme is not rigorous and adequate, although the construction of AKPS scheme is remarkable. Based on it, we give an improving security proof of AKPS scheme for its Tag-IND-CKA security and Td-IND-CKA security based on the DDH assumption. Furthermore, by using of the conclusion that the Waters scheme in [6] is selectively CPA-secure, we manifest that the AKPS scheme realizes data replayable secure against replayable chosen ciphertext attack (RCCA), which has a higher level of security than the security of the indistinguishability of the Data-CPA in original AKPS scheme, which is mentioned but not demonstrated. Moreover, there are a number of issues that need to be studied and solved for the attribute-keyword based data publish-subscribe scheme on the cloud platforms. Firstly, new AKPS scheme should be designed to cope with the situation that a subscription policy is spelled with mistakes of interesting words, for example, 'compute' may be spelled as 'compote' or 'compue'. Secondly, for the situations where the subscriber's attributes may have been changed, such as revoke, update, increase etc, how to design efficient attribute revocation and update algorithm to realize the dynamic management of attributes, and protect the forward and backward security of the algorithm is a promising study topics. Thirdly, in publish-subscribe system, how to add the concept of time into the access policy to avoid illegal data access in the case of private key is leaked. These three aspects will be the focus of our future work.

Supporting information

[Figure omitted. See PDF.]

S1 File. Computational cost in the AKPS scheme.

https://doi.org/10.1371/journal.pone.0212761.s001

(DOCX)

S2 File. The runtime of cryptographic operations.

https://doi.org/10.1371/journal.pone.0212761.s002

(DOCX)

Acknowledgments

Thanks for useful comments from anonymous reviewers.

Citation: Wang S, Zhang Q, Zhang Y, Sun J, Chen J, Sun X (2019) Improving the proof of “Privacy-preserving attribute-keyword based data publish-subscribe service on cloud platforms”. PLoS ONE 14(2): e0212761. https://doi.org/10.1371/journal.pone.0212761