3.2 PEKS with Conjunctive and Subset Keyword Search
3.2.3 Conjunctive PEKS Scheme
3.2.4.2 Security Proof for the Conjunctive PEKS Scheme S1
We dedicate this section to the proof of Theorem 3.24. As in [65], security is proved in the random oracle model by means of a sequence of hybrid games.
Given two documents D0 = (w0,1, . . . , w0,m) and D1 = (w1,1, . . . , w1,m), let ∆ ⊆ [m]
denote the positions corresponding to keywords in D0∆D1. For j ∈ [m] let ∆j denote
the first min(j, |∆|) elements of ∆.
Let G0 be the security game defined in Section 3.2.2.5. Given j ∈ [m] we define a hybrid
game Gj, differing from G0 only in that the keywords in positions in ∆j of the challenge
index are chosen uniformly at random by the challenger.
Specifically, we introduce the security game Gj for j ∈ [m], consisting of the following
five phases:
• Setup. The challenger runs Gen, hands over the public parameters and the public key pk to the adversary, and keeps the private key sk secret.
• Query Phase 1. The adversary adaptively asks the challenger for qT trapdoors of its own choice, where qT is a polynomial value in the security parameter λ. We
denote the set of all keywords queried in this phase by W1.
• Challenge. The adversary outputs two challenge candidate documents D0, D1,
subject to the restriction that keywords appearing in D0∆D1 have not been
queried in Query Phase 1. That is, (D0∆D1) ∩ W1 = ∅. The challenger throws
a fair coin b ∈ {0, 1} and computes the index I = (I0, I1, . . . , Im) corresponding
to Db. Then, for every i ∈ ∆j, the challenger replaces Ii with uniformly sampled
random elements from G1 and hands over this modified index to the adversary as
the challenge.
• Query Phase 2. The adversary proceeds just as in Query Phase 1, but it is not allowed to ask for trapdoors containing keywords in D0∆D1. That is, if the set of
all keywords queried in this phase is W2, we impose (D0∆D1) ∩ W2 = ∅.
• Guess. The adversary outputs a guess b′ ∈ {0, 1} for b.
Let AdvA,Gj(λ) denote the advantage of the PPT adversary A in guessing b in the game
Gj. It is clear that AdvA,Gm(λ) is negligible in λ for every PPT adversary A because
in Gm the two challenge candidate documents share the same information with the
challenge index.
Note that G0 is the security game defined in Section 3.2.2.5. We prove through Proposition 3.26 that the proposed conjunctive PEKS scheme S1 is semantically secure against
adaptive chosen keyword attacks provided the DBDH assumption holds.
Proposition 3.26. Assume that the DBDH assumption holds. For any j ∈ {0, . . . , m − 1} and for any PPT adversary A, the advantages of A in the games Gj and Gj+1, when
using the scheme S1, are negligibly close in λ. That is,
|AdvA,Gj(λ) − AdvA,Gj+1(λ)|
is negligible in λ.
Proof. Let A be a PPT adversary. For every j ∈ {0, . . . , m − 1}, we build a PPT DBDH distinguisher Bj taking a DBDH challenge tuple $(g, g^a, g^b, h, h^a, h^c, v)$ as input
and interacting with A as the challenger in the security game of the scheme.
The distinguisher Bj is built in such a way that, for tuples with $v = e(g, g)^{abc}$, A is
playing the game Gj, and for tuples with v random A is playing the game Gj+1. The
output of the DBDH distinguisher Bj depends on the output of A.
• Setup. The challenger Bj runs S1.Gen(λ) to obtain the public parameters of the
scheme params = {G1, G2, q, e, g, h, H, m}, where H is the hash oracle described
below. Bj hands over the public parameters and the public key $h^a$ to A.
• Hash Oracle. The hash oracle H is operated by Bj, and it maintains a list of tuples
of the form ⟨w, s, c⟩ with w ∈ {0, 1}∗, s ∈ Fq and c ∈ {0, 1}. The list is initially
empty. On input a keyword w ∈ {0, 1}∗, the oracle H operates as follows:
1. If there is an item in the list whose first element is keyword w, denote it by ⟨w, s, c⟩. Then:
(a) If c = 0, the oracle returns $g^s$.
(b) If c = 1, the oracle returns $g^{bs}$.
2. If there is no item in the list whose first element is keyword w, then the oracle flips a coin c ∈ {0, 1} with Pr(c = 1) = 1/(2qTm + 1), samples s ∈ Fq
uniformly at random and inserts ⟨w, s, c⟩ into the list. Then, it proceeds to give an output as in the previous point.
• Query Phase 1. When A requests a trapdoor for keywords L = (w1, . . . , wl) in
keyword fields J = {j1, . . . , jl}, the algorithm Bj first calls the oracle on input
each keyword wi and retrieves the associated oracle list tuples ⟨wi, si, ci⟩. Then,
if some coin flip ci = 1, Bj halts. Otherwise, Bj hands over to A the trapdoor T
consisting of T0 = $\prod_{i=1}^{l} (g^a)^{s_i}$ and J.
• Challenge. In this phase, the adversary A outputs a couple of documents D0 =
(w0,1, . . . , w0,m) and D1 = (w1,1, . . . , w1,m) with the restrictions stated in the security game defined in Section 3.2.2.5 and above, and Bj throws a fair coin b ∈ {0, 1}.
Then, Bj calls the hash oracle on every keyword wb,i to fill the H-list with tuples
⟨wb,i, sb,i, cb,i⟩. The algorithm Bj halts if:
– For some i ∈ [m]\∆j+1 we have cb,i = 1, or
– cb,t = 0, where {t} = ∆j+1\∆j.
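Then Bj samples a value r ∈ Fq uniformly at random, and computes the challenge
I = (I0, I1, . . . , Im) in the following way
$$I_0 = h^r, \qquad I_i = \begin{cases} \text{unif. sampled from } G_T & \text{if } i \in \Delta_j, \\ v^{r s_{b,i}} & \text{if } i \in \Delta_{j+1} \setminus \Delta_j \neq \emptyset, \\ e\left((g^a)^r, (h^c)^{s_{b,i}}\right) & \text{if } i \in [m] \setminus \Delta_{j+1} \neq \emptyset, \end{cases}$$
and hands over I to A.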
• Query Phase 2. Bj proceeds as in Query Phase 1.
• Guess. The adversary A outputs a guess b′ ∈ {0, 1} for b. If b = b′, Bj outputs 1,
and if b ≠ b′, Bj outputs 0.
Since the DBDH assumption holds, AdvBj(λ) must be negligible in λ. But
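$$\mathrm{Adv}_{B_j}(\lambda) = \left|\Pr(B_j(X) = 1 \mid X = 1) - \Pr(B_j(X) = 1 \mid X = 0)\right| = \Pr(B_j \text{ does not halt}) \cdot \left|\mathrm{Adv}_{A,G_j}(\lambda) - \mathrm{Adv}_{A,G_{j+1}}(\lambda)\right|.$$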
By Lemma 3.27, Pr(Bj does not halt) is non-negligible in λ, and the result is proved.
As a consequence of this result, we conclude the proof of Theorem 3.24. We next state and prove the lemma referenced in the proof of Proposition 3.26, which is an adaptation of a result in [38].
Lemma 3.27 ([38]). The probability that algorithm Bj does not halt is non-negligible in
Proof. We split the calculations between the query phases and the challenge phase. In each of the query phases, we allow A to ask for a polynomial amount qT (in λ) of
trapdoor queries. This amounts to throwing at most 2mqT coins c with Pr(c = 1) =
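1/(2qTm + 1). Since Bj does not halt exactly when the outcome of every one of these throws
is 0, we have
$$\Pr(B_j \text{ does not halt in query phases}) \geq \left(1 - \frac{1}{2mq_T + 1}\right)^{2mq_T} \geq 1/e,$$
which is non-negligible in λ. The last inequality holds because $(1 - 1/(n+1))^n = (1 + 1/n)^{-n} \geq 1/e$ for every n ≥ 1.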
For the challenge phase, Bj does not halt exactly when the coin throw corresponding to the keyword in position ∆j+1\∆j (if nonempty) of the chosen challenge document is
1 and the coin throws corresponding to the keywords in positions in [m]\∆j+1 of the
chosen challenge document are all 0. Since, if D0 ≠ D1 then |[m]\∆j+1| ≤ m − 1, we
have:
$$\Pr(B_j \text{ does not halt in the challenge phase}) \geq \left(1 - \frac{1}{2mq_T + 1}\right)^{m-1} \frac{1}{2mq_T + 1} \geq \frac{1}{e} \cdot \frac{1}{2mq_T + 1},$$
which is non-negligible in λ since m is constant in λ and qT is polynomial in λ, and we
get the stated lemma.
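
The coin bookkeeping behind Lemma 3.27 can be checked numerically. The following is an added example, not part of the original text: it models only the H-list coins (no group arithmetic), and assumes that every queried keyword is fresh and that ∆ occupies the first positions of the document. The function names are hypothetical.

```python
import random
from fractions import Fraction

def coin_bias(qT, m):
    # Pr(c = 1) used by the hash oracle in the proof
    return Fraction(1, 2 * qT * m + 1)

def exact_no_halt(qT, m, delta_size, j):
    """Exact Pr(Bj never halts) as (query phases, challenge phase)."""
    p = coin_bias(qT, m)
    query = (1 - p) ** (2 * m * qT)            # every trapdoor coin must be 0
    dj1 = min(j + 1, delta_size)               # |Delta_{j+1}|
    has_target = j < delta_size                # Delta_{j+1} \ Delta_j nonempty
    challenge = (1 - p) ** (m - dj1) * (p if has_target else 1)
    return query, challenge

def simulate(qT, m, delta_size, j, trials, seed=0):
    """Monte Carlo run of Bj's halting rules over a per-trial H-list."""
    rng = random.Random(seed)
    p = float(coin_bias(qT, m))
    dj, dj1 = min(j, delta_size), min(j + 1, delta_size)
    survived = 0
    for _ in range(trials):
        hlist = {}                             # keyword -> coin c (lazy sampling)
        def H(w):
            if w not in hlist:
                hlist[w] = 1 if rng.random() < p else 0
            return hlist[w]
        # Query Phases 1 and 2: qT trapdoors each, m keywords per trapdoor
        ok = all(H(("q", k)) == 0 for k in range(2 * qT * m))
        # Challenge: positions below dj lie in Delta_j (unconstrained),
        # position dj is the target t (needs c = 1) when it exists,
        # all other positions lie in [m] \ Delta_{j+1} (need c = 0).
        for i in range(m):
            c = H(("d", i))
            if i < dj:
                continue
            if i == dj and dj1 > dj:
                ok = ok and c == 1
            else:
                ok = ok and c == 0
        survived += ok
    return survived / trials
```

For qT = 2 and m = 3 the coin bias is 1/13, so the query phases survive with probability (12/13)^12 ≈ 0.383 ≥ 1/e, and the challenge phase with |∆| = 1, j = 0 survives with probability 144/2197 ≥ (1/e)(1/13).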