Abstract
Security and privacy are key issues for Internet of Things (IoT) systems. In particular, secure search is an important functionality for cooperation among users’ devices and non-trusted servers. Public-key encryption with keyword search (PEKS) enables us to search encrypted data and is expected to be used between a cloud server and users’ mobile devices or IoT devices. However, those mobile devices might be lost or stolen. For IoT devices, it might be difficult to store keys in a tamper-proof manner due to prohibitive costs. In this paper, we deal with such a key-exposure problem on PEKS and introduce the concept of PEKS with key-updating functionality, which we call key-updatable PEKS (KU-PEKS). Specifically, we propose two models of KU-PEKS: the key-evolution model and the key-insulation model. In the key-evolution model, a pair of public and secret keys can be updated if needed (e.g., the secret key is exposed). In the key-insulation model, the public key remains fixed while the secret key can be updated if needed. The former model admits a simpler and more efficient construction than the latter. On the other hand, the latter model is preferable for practical use since a user never updates their public key. We show constructions in each model in a black-box manner. We also give implementation results on Raspberry Pi 3, which can be regarded as a reasonable platform for IoT devices.
Notes
A cryptoperiod [26] means the time span during which a specific key is authorized for use or in which the keys for a given system or application may remain in effect.
For simplicity, we assume that the information of i, j, and k is attached to \(\textsf {t}_{w',i}\) and \(\textsf {c}_{w,j}^{(k)}\).
For simplicity, we assume \(\mathcal {A}\) issues \(i\in \mathcal {T}\) to \(\mathcal {O}_{\textsc {rk}}\) after \(\mathcal {A}\) issues i to \(\mathcal {O}_{\textsc {kl}}\) except \(\L =\{\star \}\) (i.e., \(\mathcal {A}\) obtains \(\textsf {hk}\) from \(\mathcal {O}_{\textsc {kl}}\)).
If \(\textsf {mk}_\texttt {T}\) is not stored, \(\mathcal {O}_{\textsc {leak}}\) generates it by \(\mathsf {MKUpd}(\textsf {mk}_{0}, \mathsf {UpdGen}(\textsf {mhk},\texttt {T}))\) and stores it.
References
Abdalla, M., Bellare, M., Catalano, D., Kiltz, E., Kohno, T., Lange, T., Malone-Lee, J., Neven, G., Paillier, P., Shi, H.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. In: Shoup, V. (ed.) Advances in Cryptology—CRYPTO 2005. vol. 3621, pp. 205–222. Springer (2005)
Abdalla, M., Bellare, M., Catalano, D., Kiltz, E., Kohno, T., Lange, T., Malone-Lee, J., Neven, G., Paillier, P., Shi, H.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. J. Cryptol. 21(3), 350–391 (2008)
Anada, H., Kanaoka, A., Matsuzaki, N., Watanabe, Y.: Key-updatable public-key encryption with keyword search: models and generic constructions. In: Susilo, W., Yang, G. (eds.) Information Security and Privacy, ACISP 2018, pp. 341–359. Springer, Cham (2018)
Baek, J., Safavi-Naini, R., Susilo, W.: Public key encryption with keyword search revisited. In: ICCSA 2008, Part I. pp. 1249–1259 (2008)
Blaze, M., Bleumer, G., Strauss, M.: Divertible protocols and atomic proxy cryptography. In: Nyberg, K. (ed.) Advances in Cryptology—EUROCRYPT’98, vol. 1403, pp. 127–144. Springer Berlin Heidelberg (1998)
Boldyreva, A., Goyal, V., Kumar, V.: Identity-based encryption with efficient revocation. In: Proceedings of CCS’08, pp. 417–426. ACM, New York, NY, USA (2008)
Boneh, D., Crescenzo, G.D., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Advances in Cryptology—EUROCRYPT 2004, pp. 506–522 (2004)
Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. In: Advances in Cryptology—CRYPTO 2001, pp. 213–229. Springer (2001)
Boneh, D., Kushilevitz, E., Ostrovsky, R., Skeith III, W.E.: Public key encryption that allows PIR queries. In: Advances in Cryptology—CRYPTO 2007, pp. 50–67 (2007)
Byun, J.W., Rhee, H.S., Park, H.A., Lee, D.H.: Off-line keyword guessing attacks on recent keyword search schemes over encrypted data. In: Jonker, W., Petković, M. (eds.) Secure Data Management, pp. 75–83. Springer Berlin Heidelberg, Berlin (2006)
Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: Biham, E. (ed.) Advances in Cryptology–EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer Berlin Heidelberg (2003)
Cheon, J.H., Hopper, N., Kim, Y., Osipkov, I.: Provably secure timed-release public key encryption. ACM Trans. Inf. Syst. Secur. 11(2), 4:1–4:44 (2008)
Chor, B., Goldreich, O., Kushilevitz, E., Sudan, M.: Private information retrieval. In: FOCS’95. pp. 41–50 (1995)
Dodis, Y., Franklin, M., Katz, J., Miyaji, A., Yung, M.: A generic construction for intrusion-resilient public-key encryption. In: Okamoto, T. (ed.) Topics in Cryptology—CT-RSA 2004, vol. 2964, pp. 81–98. Springer Berlin Heidelberg (2004)
Dodis, Y., Katz, J., Xu, S., Yung, M.: Key-insulated public key cryptosystems. In: Knudsen, L. (ed.) Advances in Cryptology—EUROCRYPT 2002, vol. 2332, pp. 65–82. Springer Berlin Heidelberg (2002)
Dodis, Y., Katz, J., Xu, S., Yung, M.: Strong key-insulated signature schemes. In: Desmedt, Y. (ed.) PKC 2003. vol. 2567, pp. 130–144. Springer (2003)
ElGamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakley, G., Chaum, D. (eds.) Advances in Cryptology—CRYPTO’84, vol. 196, pp. 10–18. Springer Berlin Heidelberg (1985)
Emura, K., Phong, L.T., Watanabe, Y.: Keyword revocable searchable encryption with trapdoor exposure resistance and re-generateability. In: 2015 IEEE Trustcom/BigDataSE/ISPA. vol. 1, pp. 167–174 (Aug 2015)
Green, M., Ateniese, G.: Identity-based proxy re-encryption. ACNS 2007, 288–306 (2007)
Hanaoka, Y., Hanaoka, G., Shikata, J., Imai, H.: Identity-based hierarchical strongly key-insulated encryption and its application. In: Roy, B. (ed.) Advances in Cryptology—ASIACRYPT 2005. vol. 3788, pp. 495–514. Springer (2005)
Jutla, C.S., Roy, A.: Shorter quasi-adaptive NIZK proofs for linear subspaces. In: Sako, K., Sarkar, P. (eds.) Advances in Cryptology—ASIACRYPT 2013. LNCS, vol. 8269, pp. 1–20. Springer Berlin Heidelberg (2013)
Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Advances in Cryptology—CRYPTO’96. pp. 104–113 (1996)
Lewko, A.B.: Tools for simulating features of composite order bilinear groups in the prime order setting. In: Pointcheval, D., Johansson, T. (eds.) Advances in Cryptology—EUROCRYPT 2012. vol. 7237, pp. 318–335. Springer (2012)
Libert, B., Vergnaud, D.: Adaptive-id secure revocable identity-based encryption. In: Fischlin, M. (ed.) Topics in Cryptology—CT-RSA 2009, vol. 5473, pp. 1–15. Springer Berlin Heidelberg (2009)
Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) Advances in Cryptology—CRYPTO 2001, vol. 2139, pp. 41–62. Springer Berlin Heidelberg (2001)
National Institute of Standards and Technology: NIST special publication 800-57 part 1, revision 4, recommendation for key management part 1: General (2013)
Seo, J.H., Emura, K.: Revocable identity-based encryption revisited: security model and construction. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013, vol. 7778, pp. 216–234. Springer Berlin Heidelberg (2013)
Shikata, J., Watanabe, Y.: Identity-based encryption with hierarchical key-insulation in the standard model. Des. Codes Cryptogr. 87(5), 1005–1033 (2018)
Tang, Q.: Towards forward security properties for PEKS and IBE. In: Foo, E., Stebila, D. (eds.) ACISP 2015. vol. 9144, pp. 127–144. Springer (2015)
Watanabe, Y., Shikata, J.: Identity-based hierarchical key-insulated encryption without random oracles. In: Cheng, C.M., Chung, K.M., Persiano, G., Yang, B.Y. (eds.) PKC 2016, Part I. LNCS, vol. 9614, pp. 255–279. Springer Berlin Heidelberg, Berlin, Heidelberg (2016)
Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) Advances in Cryptology—CRYPTO 2009, vol. 5677, pp. 619–636. Springer Berlin Heidelberg (2009)
Acknowledgements
We would like to thank the anonymous reviewers for useful comments. The first, second, and third authors were supported by Grant-in-Aid for Scientific Research (C) Grant Number JP17K00189. The last author was supported by JSPS Research Fellowship for Young Scientists, Grant-in-Aid for JSPS Fellows Grant Number JP16J10532, and Grant-in-Aid for Young Scientists (B) Grant Number JP17K12697.
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interest.
Ethical approval
This article does not contain any studies with human participants or animals performed by any of the authors.
Additional information
The preliminary version of this paper was published in the proceedings of the 23rd Australasian Conference on Information Security and Privacy (ACISP 2018) [3]. This is the full version.
Appendices
Proof of Lemma 1
We construct a PPT adversary \(\mathcal {B}\) which breaks the \(\mathsf{IND}\text {-}\mathsf{CPA}\) security of \(\mathcal {PKE}\) using a PPT adversary \(\mathcal {A}\) which wins \(\mathsf{G}_2\) or \(\mathsf{G}_3\).
Setup \(\mathcal {B}\) guesses \(i^*\) such that \(i^*\) is the time period in which the challenge ciphertext is computed, and the guess is correct since \(\mathsf{Fail}\) does not occur. Without loss of generality, we here assume \(i^*\ne 1\). When receiving \((\textsf {par}_{\textsc {pke}},\textsf {ek}^*)\), \(\mathcal {B}\) computes \((\textsf {ek}_1,\textsf {dk}_1)\leftarrow \mathsf{G}(\textsf {par}_{\textsc {pke}})\), \({\textsf {par}_{\textsc {peks}}}\leftarrow {\mathsf{Setup}_{\textsc {peks}}}(1^\lambda )\), and \(({\textsf {mpk}}_1,\textsf {msk}_1)\leftarrow {\mathsf{KeyGen}_{\textsc {peks}}}({\textsf {par}_{\textsc {peks}}})\), and chooses \(\mathsf{H}\overset{\tiny {\$}}{\leftarrow }\mathcal {H}\). \(\mathcal {B}\) then sends \(\textsf {pk}_1:=(\textsf {par}_{\textsc {pke}}, {\textsf {par}_{\textsc {peks}}},\mathsf{H},\textsf {ek}_1,{\textsf {mpk}}_1)\) to \(\mathcal {A}\). \(\mathcal {B}\) stores \(\textsf {sk}_1:=(\textsf {dk}_1,\textsf {msk}_1)\).
Oracle simulation \(\mathcal {B}\) simulates each oracle as follows.
- \(\mathcal {O}_{\textsc {kg}}\):
If \(\mathsf{ctr}\in \{1,\ldots ,i^*-2\}\), \(\mathcal {B}\) computes \((\textsf {ek}_{\mathsf{ctr}+1},\textsf {dk}_{\mathsf{ctr}+1})\leftarrow \mathsf{G}(\textsf {par}_{\textsc {pke}})\) and \(({\textsf {mpk}}_{\mathsf{ctr}+1},\textsf {msk}_{\mathsf{ctr}+1})\leftarrow {\mathsf{KeyGen}_{\textsc {peks}}}({\textsf {par}_{\textsc {peks}}})\), and returns \(\textsf {pk}_{\mathsf{ctr}+1}:{=}(\textsf {par}_{\textsc {pke}},{\textsf {par}_{\textsc {peks}}}, \mathsf{H}, \textsf {ek}_{\mathsf{ctr}+1},{\textsf {mpk}}_{\mathsf{ctr}+1})\) and \(\textsf {rk}_{\mathsf{ctr}\rightarrow \mathsf{ctr}+1}:=\textsf {dk}_{\mathsf{ctr}}\) to \(\mathcal {A}\). It stores \(\textsf {sk}_{\mathsf{ctr}+1}:=(\textsf {dk}_{\mathsf{ctr}+1},\)\(\textsf {msk}_{\mathsf{ctr}+1})\) and sets \(\mathsf{ctr}:=\mathsf{ctr}+1\). If \(\mathsf{ctr}=i^*-1\), \(\mathcal {B}\) computes \(({\textsf {mpk}}_{i^*},\textsf {msk}_{i^*})\leftarrow {\mathsf{KeyGen}_{\textsc {peks}}}({\textsf {par}_{\textsc {peks}}})\), and returns \(\textsf {pk}_{i^*}:=(\textsf {par}_{\textsc {pke}},{\textsf {par}_{\textsc {peks}}}, \mathsf{H}, \textsf {ek}^*,{\textsf {mpk}}_{i^*})\) and \(\textsf {rk}_{i^*-1 \rightarrow i^*}:=\textsf {dk}_{i^*-1}\) to \(\mathcal {A}\). \(\mathcal {B}\) stores only \(\textsf {msk}_{i^*}\) and sets \(\mathsf{ctr}:=i^*\). Note that \(\mathcal {B}\) does not know \(\textsf {dk}_{i^*}\).
- \(\mathcal {O}_{\textsc {kl}}\):
For a query \(j\in \{1,\ldots ,\mathsf{ctr}-1\}\), \(\mathcal {B}\) returns \(\textsf {sk}_j\).
- \(\mathcal {O}_{\textsc {td}}\):
For \((w,j)\in \mathcal {W}\times \{1,\ldots ,\mathsf{ctr}\}\), \(\mathcal {B}\) returns \({{\mathsf {Trapdoor}}_{\textsc {peks}}}(\textsf {msk}_j,\)\(\mathsf{H}(w))\).
Challenge \(\mathcal {B}\) receives \((w_0^*,w_1^*)\) from \(\mathcal {A}\) and randomly chooses \(\beta \leftarrow \{0,1\}\). \(\mathcal {B}\) chooses a zero-bit string \(0^{\log |\mathcal {Y}|}\) whose length is the same as the output of \(\mathsf{H}\) (we assume \(0^{\log |\mathcal {Y}|}\) can be efficiently encoded into an element of \(\mathcal {Y}\)). \(\mathcal {B}\) sends \((\hat{w}_0^*,\hat{w}_1^*):=(\mathsf{H}(w_{\beta }^*),0^{\log |\mathcal {Y}|})\) to the challenger of \(\mathcal {PKE}\) as challenge plaintexts. The challenger chooses \(b\overset{\tiny {\$}}{\leftarrow }\{0,1\}\), and returns \(\textsf {ct}_{\mathsf{ctr}}\leftarrow \mathsf{E}(\textsf {ek}^*,\hat{w}_b^*)\) to \(\mathcal {B}\). \(\mathcal {B}\) computes \(\textsf {ct}_{w_{\beta }^*,\mathsf{ctr}}\leftarrow {{\mathsf{Enc}}_{\textsc {peks}}}({\textsf {mpk}}_{\mathsf{ctr}},\mathsf{H}(w_\beta ^*))\), and returns \(\textsf {c}_{w_\beta ^*,\mathsf{ctr}}^{(0)}:=(\textsf {ct}_{\mathsf{ctr}},\textsf {ct}_{w_{\beta }^*,\mathsf{ctr}})\) to \(\mathcal {A}\).
Output If \(\mathcal {A}\)’s output \(\beta '\) satisfies \(\beta '=\beta \), \(\mathcal {B}\) outputs \(b'=0\). Otherwise, \(\mathcal {B}\) outputs \(b'=1\).
If \(b=0\), \(\textsf {c}_{w_\beta ^*,i^*}^{(0)}\) is the challenge ciphertext in \(\mathsf{G}_2\) where \(\mathsf{Fail}\) does not occur. On the other hand, if \(b=1\), \(\textsf {c}_{w_\beta ^*,i^*}^{(0)}\) is the challenge ciphertext in \(\mathsf{G}_3\) where \(\mathsf{Fail}\) does not occur. Therefore, we have
Hence, we have
Proof of Lemma 2
We construct a PPT adversary \(\mathcal {B}\) which breaks the \(\mathsf{IND}\text {-}\mathsf{CKA}\) security of \(\mathcal {PEKS}\) using a PPT adversary \(\mathcal {A}\) which wins \(\mathsf{G}_3\) when \(\mathsf{Fail}\) does not occur.
Setup This procedure is almost the same as that in the proof of Lemma 1. \(\mathcal {B}\) guesses \(i^*\) such that \(i^*\) is a time period when generating the challenge ciphertext, and the guess is correct since \(\mathsf{Fail}\) does not occur. Without loss of generality, we here assume \(i^*\ne 1\). When receiving \(({\textsf {par}_{\textsc {peks}}},{\textsf {mpk}}^*)\), \(\mathcal {B}\) runs \(\textsf {par}_{\textsc {pke}}\leftarrow \mathsf{PG}(1^\lambda )\), \((\textsf {ek}_1,\textsf {dk}_1)\leftarrow \mathsf{G}(\textsf {par}_{\textsc {pke}})\), and \(({\textsf {mpk}}_1,\textsf {msk}_1)\leftarrow {\mathsf{KeyGen}_{\textsc {peks}}}({\textsf {par}_{\textsc {peks}}})\), and chooses \(\mathsf{H}\overset{\tiny {\$}}{\leftarrow }\mathcal {H}\). \(\mathcal {B}\) sends \(\textsf {pk}_1:=(\textsf {par}_{\textsc {pke}},{\textsf {par}_{\textsc {peks}}},\mathsf{H},\textsf {ek}_1,{\textsf {mpk}}_1)\) to \(\mathcal {A}\), and stores \(\textsf {sk}_1:=(\textsf {dk}_1,\textsf {msk}_1)\).
Oracle simulation \(\mathcal {B}\) simulates each oracle as follows.
- \(\mathcal {O}_{\textsc {kg}}\):
If \(\mathsf{ctr}\in \{1,\ldots ,i^*-2\}\), \(\mathcal {B}\) computes \((\textsf {ek}_{\mathsf{ctr}+1},\textsf {dk}_{\mathsf{ctr}+1})\leftarrow \mathsf{G}(\textsf {par}_{\textsc {pke}})\) and \(({\textsf {mpk}}_{\mathsf{ctr}+1},\textsf {msk}_{\mathsf{ctr}+1})\leftarrow {\mathsf{KeyGen}_{\textsc {peks}}}({\textsf {par}_{\textsc {peks}}})\), and returns \(\textsf {pk}_{\mathsf{ctr}+1}:=(\textsf {par}_{\textsc {pke}},{\textsf {par}_{\textsc {peks}}}, \mathsf{H}, \textsf {ek}_{\mathsf{ctr}+1},{\textsf {mpk}}_{\mathsf{ctr}+1})\) and \(\textsf {rk}_{\mathsf{ctr}\rightarrow \mathsf{ctr}+1}:=\textsf {dk}_{\mathsf{ctr}}\) to \(\mathcal {A}\). It stores \(\textsf {sk}_{\mathsf{ctr}+1}:=(\textsf {dk}_{\mathsf{ctr}+1},\)\(\textsf {msk}_{\mathsf{ctr}+1})\) and sets \(\mathsf{ctr}:=\mathsf{ctr}+1\). If \(\mathsf{ctr}=i^*-1\), \(\mathcal {B}\) computes \((\textsf {ek}_{i^*},\textsf {dk}_{i^*})\leftarrow \mathsf{G}(\textsf {par}_{\textsc {pke}})\), and returns \(\textsf {pk}_{i^*}:=(\textsf {par}_{\textsc {pke}},{\textsf {par}_{\textsc {peks}}}, \mathsf{H}, \textsf {ek}_{i^*},{\textsf {mpk}}^*)\) and \(\textsf {rk}_{i^*-1 \rightarrow i^*}:=\textsf {dk}_{i^*-1}\) to \(\mathcal {A}\). \(\mathcal {B}\) stores only \(\textsf {dk}_{i^*}\) and sets \(\mathsf{ctr}:=i^*\). Note that \(\mathcal {B}\) does not know \(\textsf {msk}_{i^*}\).
- \(\mathcal {O}_{\textsc {kl}}\):
For a query \(j\in \{1,\ldots ,\mathsf{ctr}-1\}\), \(\mathcal {B}\) returns \(\textsf {sk}_j\).
- \(\mathcal {O}_{\textsc {td}}\):
If \(\mathsf{ctr}\ne i^*\), for a query \((w,j)\in \mathcal {W}\times \{1,\ldots ,\mathsf{ctr}\}\), \(\mathcal {B}\) returns \({{\mathsf {Trapdoor}}_{\textsc {peks}}}(\textsf {msk}_j,\mathsf{H}(w))\). If \(\mathsf{ctr}= i^*\), \(\mathcal {B}\) simulates the oracle as follows. For a query \((w,j)\in \mathcal {W}\times \{1,\ldots ,\mathsf{ctr}\}\), if \(j\ne i^*\), \(\mathcal {B}\) returns \({{\mathsf {Trapdoor}}_{\textsc {peks}}}(\textsf {msk}_j,\mathsf{H}(w))\). Otherwise, \(\mathcal {B}\) sends w to \(\mathcal {O}_{\textsc {td}}\) of \(\mathcal {PEKS}\) to get \(\textsf {t}_{w}^*\leftarrow {{\mathsf {Trapdoor}}_{\textsc {peks}}}(\textsf {msk}^*,\)\(\mathsf{H}(w))\), and transfers it to \(\mathcal {A}\).
Challenge When receiving \((w_0^*,w_1^*)\) from \(\mathcal {A}\), \(\mathcal {B}\) sends \((\mathsf{H}(w_0^*),\)\(\mathsf{H}(w_1^*))\) to the challenger of \(\mathcal {PEKS}\). The challenger randomly chooses \(b\overset{\tiny {\$}}{\leftarrow }\{0,1\}\), and returns \(\textsf {ct}_{w_b^*,\mathsf{ctr}}\leftarrow {{\mathsf{Enc}}_{\textsc {peks}}}({\textsf {mpk}}^*,\)\(\mathsf{H}(w_b^*))\) to \(\mathcal {B}\). \(\mathcal {B}\) computes \(\textsf {ct}_{\mathsf{ctr}}\leftarrow \mathsf{E}(\textsf {ek}_{\mathsf{ctr}},0^{\log |\mathcal {Y}|})\), and returns \(\textsf {c}_{w_\beta ^*,\mathsf{ctr}}^{(0)}:=(\textsf {ct}_{\mathsf{ctr}},\textsf {ct}_{w_{\beta }^*,\mathsf{ctr}})\) to \(\mathcal {A}\).
Output \(\mathcal {B}\) outputs \(b'\), the output of \(\mathcal {A}\) as is.
The success probability of \(\mathcal {B}\) for the \(\mathsf{IND}\text {-}\mathsf{CKA}\) game is the same as that of \(\mathcal {A}\) for \(\mathsf{G}_3\). Therefore, we have
\(\mathsf{DBDH}\) Assumption
The decisional bilinear Diffie–Hellman (DBDH) assumption is defined as follows. Let \(\mathcal {A}\) be a PPT adversary, and we consider the following game against \(\mathcal {A}\).
Definition 14
(\(\mathsf{DBDH}\) assumption) We say that the \(\mathsf{DBDH}\) assumption relative to a generator \(\mathcal {G}\) holds if for all PPT adversaries \(\mathcal {A}\), \(\mathsf{Adv}_{\mathcal {G},\mathcal {A}}^{\mathsf{DBDH}}(1^\lambda ):= |\Pr [\mathsf{Exp}_{\mathcal {G},\mathcal {A}}^{\mathsf{DBDH}}(1^\lambda )=1]-1/2|\) is negligible in \(\lambda \).
Cite this article
Anada, H., Kanaoka, A., Matsuzaki, N. et al. Key-updatable public-key encryption with keyword search (Or: How to realize PEKS with efficient key updates for IoT environments). Int. J. Inf. Secur. 19, 15–38 (2020). https://doi.org/10.1007/s10207-019-00441-2
DOI: https://doi.org/10.1007/s10207-019-00441-2