A secure and efficient data sharing and searching scheme in wireless sensor networks

Wireless sensor networks (WSN) generally utilize cloud computing to store and process sensing data in real time, namely, cloud-assisted WSN. However, the cloud-assisted WSN faces new security challenges, particularly outsourced data confidentiality. Data Encryption is a fundamental approach but it limits target data retrieval in massive encrypted data. Public key encryption with keyword search (PEKS) enables a data receiver to retrieve encrypted data containing some specific problem, namely, the keyword guessing attack (KGA). KGA includes off-line KGA and on-line KGA. To date, the existing literature on PEKS cannot simultaneously resist both off-line KGA and on-line KGA performed by an external adversary and an internal adversary. In this work, we propose a secure and efficient data sharing and searching scheme to address the aforementioned problem such that our scheme is secure against both off-line KGA and on-line KGA performed by external and internal adversaries. We would like to stress that our scheme simultaneously achieves document encryption/decryption and keyword search functions. We also prove our scheme achieves keyword security and document security. Furthermore, our scheme is more efficient than previous schemes by eliminating the pairing computation

Dynamic Searchable Public-Key Ciphertexts with Fast Performance and Practical Security

Public-key encryption with keyword search (PEKS) allows a sender to generate keyword-searchable ciphertexts using a receiver’s public key and upload them to a server. Upon receiving a keyword-search trapdoor from the receiver, the server finds all matching ciphertexts. Due to the characteristics of public-key encryption, PEKS is inherently suitable for the application of numerous senders. Hence, PEKS is a well-known method to achieve secure keyword search over the encrypted email system. However, we find that without a keyword-search trapdoor, the traditional concept of PEKS still allows the server to have the obvious advantage to distinguish ciphertexts in practice. In other words, the traditional PEKS cannot guarantee the well-recognized semantic security in practice. To solve this problem, this paper defines a new concept called dynamic searchable public-key encryption (DSPE). It can hide the relationships between keyword-searchable ciphertexts and their corresponding encrypted files, and guarantee semantic security in both theory and practice. In addition, it allows the server to delete the intended ciphertexts according to the receiver’s requirement. Then, we construct a DSPE instance with provable semantic security in the random oracle model. In terms of performance, the proposed instance also has the advantage that it only requires sublinear complexity to determine all matching ciphertexts or to delete the intended ciphertexts. Finally, we experimentally demonstrate the practicability of the instance

An Efficient Public-Key Searchable Encryption Scheme Secure against Inside Keyword Guessing Attacks

How to efficiently search over encrypted data is an important and interesting problem in the cloud era. To solve it, Boneh et al. introduced the notion of public key encryption with keyword search (PEKS), in 2004. However, in almost all the PEKS schemes an inside adversary may recover the keyword from a given trapdoor by exhaustively guessing the keywords offline. How to resist the inside keyword guessing attack in PEKS remains a hard problem. In this paper we propose introduce the notion of Public-key Authenticated Encryption with Keyword Search (PAEKS) to solve the problem, in which the data sender not only encrypts a keyword, but also authenticates it, so that a verifier would be convinced that the encrypted keyword can only be generated by the sender. We propose a concrete and efficient construction of PAEKS, and prove its security based on simple and static assumptions in the random oracle model under the given security models. Experimental results show that our scheme enjoys a comparable efficiency with Boneh et al.\u27s scheme

Generic Construction of Public-key Authenticated Encryption with Keyword Search Revisited: Stronger Security and Efficient Construction

Public-key encryption with keyword search (PEKS) does not provide trapdoor privacy, i.e., keyword information is leaked through trapdoors. To prevent this information leakage, public key authenticated encryption with keyword search (PAEKS) has been proposed, where a sender\u27s secret key is required for encryption, and a trapdoor is associated with not only a keyword but also the sender. Liu et al. (ASIACCS 2022) proposed a generic construction of PAEKS based on word-independent smooth projective hash functions (SPHFs) and PEKS. In this paper, we propose a new generic construction of PAEKS. The basic construction methodology is the same as that of the Liu et al. construction, where each keyword is converted into an extended keyword using SPHFs, and PEKS is used for extended keywords. Nevertheless, our construction is more efficient than Liu et al.\u27s in the sense that we only use one SPHF, but Liu et al. used two SPHFs. In addition, for consistency we considered a security model that is stronger than Liu et al.\u27s. Briefly, Liu et al. considered only keywords even though a trapdoor is associated with not only a keyword but also a sender. Thus, a trapdoor associated with a sender should not work against ciphertexts generated by the secret key of another sender, even if the same keyword is associated. Our consistency definition considers a multi-sender setting and captures this case. In addition, for indistinguishability against chosen keyword attack (IND-CKA) and indistinguishability against inside keyword guessing attack (IND-IKGA), we use a stronger security model defined by Qin et al. (ProvSec 2021), where an adversary is allowed to query challenge keywords to the encryption and trapdoor oracles. We also highlight several issues associated with the Liu et al. construction in terms of hash functions, e.g., their construction does not satisfy the consistency that they claimed to hold

Privacy-preserving alert correlation and report retrieval

Intrusion Detection Systems (IDSs) have been widely deployed on both hosts and networks and serve as a second line of defense. Generally, an IDS flags malicious activates as IDS alerts and forwards them to security officers for further responses. The core issue of IDSs is to minimize both false positives and false negatives. Previous research shows that alert correlation is an effective solution. Moreover, alert correlation (in particular, under the cross-domain setting) can fuse distributed information together and thus be able to detect large-scale attacks that local analysis fails to handle. However, in practice the wide usage of alert correlation is hindered by the privacy concern. In this thesis, we propose the TEIRESIAS protocol, which can ensure the privacy-preserving property during the whole process of sharing and correlating alerts, when incorporated with anonymous communication systems. Furthermore, we also take the fairness issue into consideration when designing the procedure of retrieving the results of correlation. More specifically, a contributor can privately retrieve correlated reports in which she involved. The TEIRESIAS protocol is based mainly on searchable encryption, including both symmetric-key encryption with keyword search (SEKS) and public-key encryption with keyword search (PEKS). While designing TEIRESIAS, we identify a new statistical guessing attack against PEKS. To address this problem, we propose the PEKSrand scheme, which is an extension of PEKS and can mitigate both brute-force guessing attacks and statistical guessing attacks. The PEKSrand scheme can either be used independently or be combined with TEIRESIAS to further improve its privacy protection

Verifiable key-aggregate searchable encryption with a designated server in multi-owner setting

Key-aggregate searchable encryption (KASE) schemes support selective data sharing and keyword-based ciphertext searching by using the constant-size shared key and trapdoor, making these schemes attractive for resource-constrained users to store, share, and search encrypted data in public clouds. However, most previously proposed KASE schemes suffer from our proposed "off-line keyword guessing attack (KGA)" and some other weaknesses. Consequently, they fail to gain the keyword ciphertext indistinguishability and trapdoor indistinguishability, which are vital security goals of searchable encryption. Inspired by the relationship of public key encryption with keyword search (PEKS) and KASE, we design a new KASE scheme called key-aggregate searchable encryption with a designated server (dKASE). The dKASE scheme achieves our proposed keyword ciphertext indistinguishability against chosen keyword attack (KC-IND-CKA) and keyword trapdoor indistinguishability against keyword guessing attack (KT-IND-KGA) security models, where the latter model captures off-line KGA. Then, we extend the dKASE scheme to verifiable dKASE in multi-owner setting (dVKASEM) scheme. With dVKASEM, when multiple data owners authorize a user to access data, the user merely needs to store his single key and generate a single trapdoor to query these owners’ data. Besides, the adoption of the aggregate signature significantly reduces the overhead of verifying whether data has been tampered with. Performance analysis illustrates that our schemes are efficient

Secure Channel Free Certificate-Based Searchable Encryption Withstanding Outside and Inside Keyword Guessing Attacks

Accessible public key encryption (SPKE) is helpful public key cryptographic crude that permits a client to perform catchphrase look over freely scrambled messages on an untrusted stockpiling worker while ensuring the security of the first messages just as the pursuit watchwords. Notwithstanding, the greater part of the recently proposed SPKE systems experience the ill effects of the security weakness brought about by the catchphrase speculating assault and some different shortcomings. Enlivened by the thoughts of testament based cryptography and signcryption, we present another SPKE system called endorsement based accessible encryption. The new system not just gives protection from the current known sorts of catchphrase speculating assaults, yet in addition appreciates some engaging benefits, for example, verifiable verification, no key escrow and no safe channel. Under this new system, we devise a solid accessible authentication based encryption conspire. In the irregular prophet model, it is demonstrated to meet the watchword cipher text vagary, the catchphrase cipher text enforceability and the watchword secret entrance lack of definition under the versatile picked catchphrase assault. The correlations show that it is secure and practicable

Searchable Encryption for Cloud and Distributed Systems

The vast development in information and communication technologies has spawned many new computing and storage architectures in the last two decades. Famous for its powerful computation ability and massive storage capacity, cloud services, including storage and computing, replace personal computers and software systems in many industrial applications. Another famous and influential computing and storage architecture is the distributed system, which refers to an array of machines or components geographically dispersed but jointly contributes to a common task, bringing premium scalability, reliability, and efficiency. Recently, the distributed cloud concept has also been proposed to benefit both cloud and distributed computing. Despite the benefits of these new technologies, data security and privacy are among the main concerns that hinder the wide adoption of these attractive architectures since data and computation are not under the control of the end-users in such systems. The traditional security mechanisms, e.g., encryption, cannot fit these new architectures since they would disable the fast access and retrieval of remote storage servers. Thus, an urgent question turns to be how to enable refined and efficient data retrieval on encrypted data among numerous records (i.e., searchable encryption) in the cloud and distributed systems, which forms the topic of this thesis. Searchable encryption technologies can be divided into Searchable Symmetric Encryption (SSE) and Public-key Encryption with Keyword Search (PEKS). The intrinsical symmetric key hinders data sharing since it is problematic and insecure to reveal one’s key to others. However, SSE outperforms PEKS due to its premium efficiency and is thus is prefered in a number of keyword search applications. Then multi-user SSE with rigorous and fine access control undoubtedly renders a satisfactory solution of both efficiency and security, which is the first problem worthy of our much attention. Second, functions and versatility play an essential role in a cloud storage application but it is still tricky to realize keyword search and deduplication in the cloud simultaneously. Large-scale data usually renders significant data redundancy and saving cloud storage resources turns to be inevitable. Existing schemes only facilitate data retrieval due to keywords but rarely consider other demands like deduplication. To be noted, trivially and hastily affiliating a separate deduplication scheme to the searchable encryption leads to disordered system architecture and security threats. Therefore, attention should be paid to versatile solutions supporting both keyword search and deduplication in the cloud. The third problem to be addressed is implementing multi-reader access for PEKS. As we know, PEKS was born to support multi-writers but enabling multi-readers in PEKS is challenging. Repeatedly encrypting the same keyword with different readers’ keys is not an elegant solution. In addition to keyword privacy, user anonymity coming with a multi-reader setting should also be formulated and preserved. Last but not least, existing schemes targeting centralized storage have not taken full advantage of distributed computation, which is considerable efficiency and fast response. Specifically, all testing tasks between searchable ciphertexts and trapdoor/token are fully undertaken by the only centralized cloud server, resulting in a busy system and slow response. With the help of distributed techniques, we may now look forward to a new turnaround, i.e., multiple servers jointly work to perform the testing with better efficiency and scalability. Then the intractable multi-writer/multi-reader mode supporting multi-keyword queries may also come true as a by-product. This thesis investigates searchable encryption technologies in cloud storage and distributed systems and spares effort to address the problems mentioned above. Our first work can be classified into SSE. We formulate the Multi-user Verifiable Searchable Symmetric Encryption (MVSSE) and propose a concrete scheme for multi-user access. It not only offers multi-user access and verifiability but also supports extension on updates as well as a non-single keyword index. Moreover, revocable access control is obtained that the search authority is validated each time a query is launched, different from existing mechanisms that once the search authority is granted, users can search forever. We give simulation-based proof, demonstrating our proposal possesses Universally Composable (UC)-security. Second, we come up with a redundancy elimination solution on top of searchable encryption. Following the keyword comparison approach of SSE, we formulate a hybrid primitive called Message-Locked Searchable Encryption (MLSE) derived in the way of SSE’s keyword search supporting keyword search and deduplication and present a concrete construction that enables multi-keyword query and negative keyword query as well as deduplication at a considerable small cost, i.e., the tokens are used for both search and deduplication. And it can further support Proof of Storage (PoS), testifying the content integrity in cloud storage. The semantic security is proved in Random Oracle Model using the game-based methodology. Third, as the branch of PEKS, the Broadcast Authenticated Encryption with Keyword Search (BAEKS) is proposed to bridge the gap of multi-reader access for PEKS, followed by a scheme. It not only resists Keyword Guessing Attacks (KGA) but also fills in the blank of anonymity. The scheme is proved secure under Decisional Bilinear Diffie-Hellman (DBDH) assumption in the Random Oracle Model. For distributed systems, we present a Searchable Encryption based on Efficient Privacy-preserving Outsourced calculation framework with Multiple keys (SE-EPOM) enjoying desirable features, which can be classified into PEKS. Instead of merely deploying a single server, multiple servers are employed to execute the test algorithm in our scheme jointly. The refined search, i.e., multi-keyword query, data confidentiality, and search pattern hiding, are realized. Besides, the multi-writer/multi-reader mode comes true. It is shown that under the distributed circumstance, much efficiency can be substantially achieved by our construction. With simulation-based proof, the security of our scheme is elaborated. All constructions proposed in this thesis are formally proven according to their corresponding security definitions and requirements. In addition, for each cryptographic primitive designed in this thesis, concrete schemes are initiated to demonstrate the availability and practicality of our proposal

FEASE: Fast and Expressive Asymmetric Searchable Encryption

Asymmetric Searchable Encryption (ASE) is a promising cryptographic mechanism that enables a semi-trusted cloud server to perform keyword searches over encrypted data for users. To be useful, an ASE scheme must support expressive search queries, which are expressed as conjunction, disjunction, or any Boolean formulas. In this paper, we propose a fast and expressive ASE scheme that is adaptively secure, called FEASE. It requires only 3 pairing operations for searching any conjunctive set of keywords independent of the set size and has linear complexity for encryption and trapdoor algorithms in the number of keywords. FEASE is based on a new fast Anonymous Key-Policy Attribute-Based Encryption (A-KP-ABE) scheme as our first proposal, which is of independent interest. To address optional protection against keyword guessing attacks, we extend FEASE into the first expressive Public-Key Authenticated Encryption with Keyword Search (PAEKS) scheme. We provide implementations and evaluate the performance of all three schemes, while also comparing them with the state of the art. We observe that FEASE outperforms all existing expressive ASE constructions and that our A-KP-ABE scheme offers anonymity with efficiency comparable to the currently fastest yet non-anonymous KP-ABE schemes FAME (ACM CCS 2017) and FABEO (ACM CCS 2022)

Multi-authority attribute-based keyword search over encrypted cloud data

National Research Foundation (NRF) Singapore; AXA Research Fun