Public Key Encryption with Authorized Equality Test on Outsourced Ciphertexts for Cloud-Assisted IoT in Dual Server Model

Guangxi Key Laboratory of Cryptography and Information Security, School of Computer Science and Information Security, Guilin University of Electronic Technology, Guilin, China
Cyberspace Security Research Center, Pengcheng Laboratory, Shenzhen, China
School of Electronic Engineering and Automation, Guilin University of Electronic Technology, Guilin, China
School of Mathematics and Computing Science, Guilin University of Electronic Technology, Guilin, China


Introduction
In recent years, cloud computing and Internet of Things (IoT) technologies have developed rapidly and become widely used. By leveraging the powerful computing capability and massive storage resources of cloud servers, collected IoT data can be outsourced to cloud servers to save local storage and computing resources [1]. However, to guarantee the privacy of the user's sensitive information, the data should be encrypted before being outsourced, so that only ciphertexts are stored at the cloud server [2,3]. Data encrypted with conventional cryptographic schemes does not support equality test, keyword search, computation, or other operations on ciphertexts, so users have to download their outsourced data, decrypt it locally, and only then perform the desired operation. This process imposes heavy computing and communication burdens on users and forfeits the advantages of cloud computing services [4,5].
To enable the equality test on outsourced ciphertexts, many public key encryption schemes [6-8] and identity-based encryption schemes [9-12] have been proposed in the single server model. Once the cloud server has received authorization from the user, it can perform the equality test on outsourced ciphertexts, or related operations built on it such as encrypted data classification [13,14], without decryption. However, since these solutions work in the single cloud server model, the authorized cloud server is able to launch keyword guessing attacks on outsourced ciphertexts to infer user data [4,15], which damages user privacy. Specifically, the cloud server can generate ciphertexts of many candidate messages under the public keys of some users (it holds the authorizations of these users) and compare the generated ciphertexts with the stored ones; whenever a pair of ciphertexts matches, the message of the stored ciphertext is revealed.
To resist the above keyword guessing attacks on outsourced ciphertexts in the single server model, Wu et al. [15] proposed an identity-based encryption scheme in the dual server model for data classification in mobile health social networks. In their scheme, the user authorizes the primary server to generate intermediate parameters, from which the secondary server determines whether two ciphertexts encrypt the same plaintext; the two servers are assumed not to collude in attacking outsourced user data. However, in their solution the secondary server can perform the equality test on ciphertexts from the intermediate results produced by the primary server without holding any authorization from the user.
1.1. Our Contributions. This paper proposes a public key encryption scheme supporting the authorized equality test on outsourced ciphertexts (PKE-AUT) in the dual server model. As in [15], the primary server and the secondary server are assumed not to collude to compromise the confidentiality of outsourced data. Without authorization from the data user, neither server can perform any operation on outsourced ciphertexts. After obtaining the same authorization from the data user, the primary server and the secondary server perform the equality test on outsourced ciphertexts sequentially: the authorized primary server produces intermediate parameters and sends them to the secondary server, and the authorized secondary server then completes the equality test.
In the proposed PKE-AUT scheme, the authorizations generated for the two servers are identical. The authorization is encrypted by the data user so that only the primary server and the secondary server can decrypt it, each with its own private key; in this way, the computing cost of producing the authorization is reduced and the privacy of the authorization is protected in transit. Security analysis shows that the proposed PKE-AUT scheme guarantees the privacy of outsourced ciphertexts both before and after the primary and secondary servers are authorized. Efficiency analysis demonstrates that the proposed PKE-AUT scheme is suitable for IoT-related applications.

1.2. Related Works.
Many studies have addressed the authorized equality test on ciphertexts in different application scenarios. Yang et al. [6] introduced the first probabilistic public key encryption scheme with equality test on ciphertexts (PKEET), in which anyone, without any authorization, can check whether two ciphertexts generated under different public keys encrypt the same data. Thus, when deployed in cloud computing, their scheme allows an unauthorized cloud server to compare the outsourced ciphertexts of different users.
Since Yang et al.'s work [6], many encryption schemes supporting the authorized equality test on ciphertexts in the single server model have been proposed [7,16], in which the cloud server can compare ciphertexts only after being authorized. In [17], Tang designed an all-or-nothing encryption scheme, where the cloud can test ciphertexts only after being independently authorized by their owners. In [18], Lee et al. analyzed the security of Huang et al.'s construction [19] and presented a security-enhanced scheme. An identity-based encryption scheme with equality test on ciphertexts (IBEET), combining PKEET with identity-based encryption, was constructed in [20]. Lee et al. [21] studied semi-generic constructions of PKEET and IBEET and proved their security under the Computational Diffie-Hellman (CDH) and Computational Bilinear Diffie-Hellman (CBDH) assumptions, respectively.
The equality test on ciphertexts has also been applied to equi-joins in relational databases and to secure deduplication of encrypted data. Pang and Ding [22] investigated equi-joins across encrypted tables in the private key setting, where, for an outsourced database, the user controls by issuing authorizations which tables the cloud server may join and on which data fields. Controlled equi-joins for encrypted databases in the public key setting were then considered in [23]. The equality test on ciphertexts was also employed by Cui et al. [24] and Yan et al. [25] to achieve secure deduplication of outsourced data in clouds without sacrificing data privacy.
Post-quantum encryption schemes supporting the equality test on ciphertexts have also received attention. Le et al. [26] proposed the first lattice-based signcryption scheme with equality test on ciphertexts in the standard model, proven secure against insider attacks. Susilo et al. [27] designed an efficient post-quantum IBEET scheme with smaller ciphertexts and public keys that achieves CCA2 security. Nguyen et al. [10] presented a lattice-based IBEET scheme in the standard model that supports flexible authorization for the equality test, so that users can control the comparison of their ciphertexts with those of others.
1.3. Paper Organization. The remainder of this paper is organized as follows. Section 2 introduces the preliminaries for the proposed PKE-AUT scheme. Section 3 describes the system model and security requirements for the PKE-AUT system in the dual server model. A description of our PKE-AUT scheme is presented in Section 4, followed by the security and performance analysis in Section 5. Section 6 concludes the paper.

Preliminaries
This section reviews bilinear groups, the Computational Diffie-Hellman (CDH) problem and the Computational Bilinear Diffie-Hellman (CBDH) problem.

Wireless Communications and Mobile Computing

2.1. Bilinear Groups. Let $G = \langle g \rangle$ and $G_T$ be two cyclic groups of prime order $q$. The map $\hat{e}: G \times G \rightarrow G_T$ is a bilinear pairing if it satisfies the following conditions:
(i) Bilinearity: for any $g_1, g_2 \in_R G$ and $a, b \in_R Z_q^*$, we have $\hat{e}(g_1^a, g_2^b) = \hat{e}(g_1, g_2)^{ab}$.
(ii) Nondegeneracy: there exist $g_1, g_2 \in G$ such that $\hat{e}(g_1, g_2) \neq 1_{G_T}$.
(iii) Computability: for $g_1, g_2 \in_R G$, there is an efficient algorithm to compute $\hat{e}(g_1, g_2)$.

2.2. Complexity Assumptions. The security of our construction relies on the following two assumptions.
CDH assumption. Let $G = \langle g \rangle$ be a cyclic group of prime order $q$. Given a tuple $(g, g^a, g^b)$ where $a, b \in_R Z_q^*$, there is no probabilistic polynomial-time algorithm $\mathcal{A}$ that computes $g^{ab}$ with non-negligible probability.
CBDH assumption. Let $G = \langle g \rangle$ and $G_T$ be two cyclic groups of prime order $q$ equipped with a bilinear pairing $\hat{e}: G \times G \rightarrow G_T$. Given a tuple $(g, g^a, g^b, g^c)$ where $a, b, c \in_R Z_q^*$, there is no probabilistic polynomial-time algorithm $\mathcal{A}$ that computes $\hat{e}(g, g)^{abc}$ with non-negligible probability.

System Model and Security Requirements
3.1. System Model. As shown in Figure 1, the PKE-AUT system in the dual server model consists of four types of entities, namely, the trusted authority, the primary server, the secondary server, and users. The trusted authority initializes the system, picks the security parameter, and produces the public system parameters. Both the data sender and the data receiver are system users. Before being uploaded to the primary server, the data is encrypted under the public keys of the data receiver and of the two servers, so that only ciphertexts are outsourced. The data receiver can retrieve the data from the primary server and decrypt it with its private key, and can issue the same authorization to the primary and secondary servers so that the two servers can jointly perform the equality test on ciphertexts.
In the PKE-AUT system, the primary server and the secondary server are assumed not to collude. All outsourced data are stored at the primary server in ciphertext form to protect their privacy. Once authorized, the primary server performs the first part of the equality test on outsourced ciphertexts and sends the resulting intermediate results to the secondary server. The secondary server then determines from the intermediate results whether the ciphertexts encrypt the same data and gives the final equality test result to the data user. This two-phase equality test also works in the multi-user setting; that is, the primary and secondary servers can perform the equality test on the ciphertexts of multiple users according to their authorizations.

3.2. Security Requirements.
In the PKE-AUT system under the dual server model, the primary server and the secondary server are independent and would not collude to attack the outsourced data. A secure PKE-AUT system has to satisfy the following requirements.
(i) Data privacy against the primary server: user data are stored at the primary server. Although the primary server is authorized to perform the equality test on ciphertexts, it cannot obtain the plaintexts from ciphertexts.
(ii) Data privacy against the secondary server: after obtaining the authorization for conducting equality test from users, the secondary server cannot deduce the plaintext information of outsourced data from the received intermediate results.
(iii) Privacy protection on authentication: the authentication generated by the data user can only be decrypted by the primary server and secondary server.

3.3. System Framework.
A PKE-AUT scheme is composed of nine procedures, namely, system setup, user key generation, server key generation, data encryption, data decryption, authentication generation, authentication recovery, primary server equality test, and secondary server equality test.
System setup: on input of the security parameter $1^\lambda$, the system setup procedure, which is carried out by the trusted authority, outputs the system public parameters $\mathrm{Para}$. We denote $\mathrm{Para} \leftarrow \mathrm{Setup}(1^\lambda)$.
User key generation: on input of the system public parameters $\mathrm{Para}$, the user key generation procedure, which is carried out by each user $U_i$, generates a public key $pk_i$ and a secret key $sk_i$. We denote $(pk_i, sk_i) \leftarrow \mathrm{UKeyGen}(\mathrm{Para})$.
Server key generation: on input of the system public parameters $\mathrm{Para}$, the server key generation procedure, which is carried out by each server $S_j$, including the primary server $S_1$ and the secondary server $S_2$, generates a public key $spk_j$ and a secret key $ssk_j$. We denote $(spk_j, ssk_j) \leftarrow \mathrm{SKeyGen}(\mathrm{Para})$.
Data encryption: on input of the public keys $pk_i$, $spk_1$, $spk_2$ of the data receiver $U_i$, the primary server $S_1$ and the secondary server $S_2$, and a message $m$, the data encryption procedure, which is run by the data sender, generates a ciphertext $C$ and outsources it to the primary server $S_1$. We denote $C \leftarrow \mathrm{Encrypt}(pk_i, spk_1, spk_2, m)$.
Data decryption: on input of the secret key $sk_i$ of user $U_i$, the public keys $spk_1$, $spk_2$ of the primary server $S_1$ and the secondary server $S_2$, and a ciphertext $C$, the data decryption procedure, which is run by the data receiver, outputs a plaintext $m$ or the symbol $\bot$, which signifies a decryption error. We denote $m/\bot \leftarrow \mathrm{Decrypt}(sk_i, spk_1, spk_2, C)$.
Authentication generation: on input of the secret key $sk_i$ of user $U_i$ and the public keys $spk_1$, $spk_2$ of the primary server $S_1$ and the secondary server $S_2$, the authentication generation procedure, which is run by user $U_i$, generates a ciphertext authentication $Z_i$ for the two servers. Note that both servers receive the same ciphertext authentication $Z_i$. We denote $Z_i \leftarrow \mathrm{AuthGen}(sk_i, spk_1, spk_2)$.
Authentication recovery: on input of a ciphertext authentication $Z_i$, the secret key $ssk_1$ of the primary server $S_1$ (resp. $ssk_2$ of the secondary server $S_2$), and the public key $spk_2$ of the secondary server $S_2$ (resp. $spk_1$ of the primary server $S_1$), the authentication recovery procedure, which is run by the primary server $S_1$ (resp. the secondary server $S_2$), outputs a plaintext authentication $r_i$ or the symbol $\bot$, which signifies a recovery error. We denote $r_i/\bot \leftarrow \mathrm{AuthRec}(Z_i, ssk_1, spk_2)$ (resp. $r_i/\bot \leftarrow \mathrm{AuthRec}(Z_i, ssk_2, spk_1)$).
Primary server equality test: on input of the authentications $r_i$ and $r_\ell$ of two users $U_i$ and $U_\ell$, their public keys $pk_i$ and $pk_\ell$, their ciphertexts $C$ and $C'$, and the secret key $ssk_1$ of the primary server $S_1$, the first equality test procedure, which is run by the primary server $S_1$, outputs an intermediate result $\Theta$ and gives it to the secondary server $S_2$. We denote $\Theta \leftarrow \mathrm{TestS}_1(r_i, r_\ell, pk_i, pk_\ell, C, C', ssk_1)$.
Secondary server equality test: on input of the authentications $r_i$ and $r_\ell$ of two users $U_i$ and $U_\ell$, their public keys $pk_i$ and $pk_\ell$, an intermediate result $\Theta$, and the secret key $ssk_2$ of the secondary server $S_2$, the second equality test procedure, which is run by the secondary server $S_2$, outputs 1 if $C$ and $C'$ encrypt the same message and 0 otherwise. We denote $1/0 \leftarrow \mathrm{TestS}_2(r_i, r_\ell, pk_i, pk_\ell, \Theta, ssk_2)$.
A PKE-AUT scheme must be sound in the sense that (1) each ciphertext produced by the data encryption procedure is decryptable by the data decryption procedure; (2) the ciphertext authentication produced by the authentication generation procedure can be recovered by the authentication recovery procedure; (3) for any two ciphertexts that encrypt the same message, which may be generated by different users, the two equality test procedures must finally output 1; and (4) for any two ciphertexts that encrypt different messages, which may be generated by different users, the two equality test procedures must finally output 0 with overwhelming probability.
The frequently used symbols are summarized in Table 1.

The Proposed PKE-AUT Scheme
4.1.1. System Setup.
With security parameter $1^\lambda$, the trusted authority picks two cyclic groups $G = \langle g \rangle$ and $G_T$ of prime order $q$ equipped with a bilinear map $\hat{e}: G \times G \rightarrow G_T$. It also chooses four cryptographic hash functions $H_1: G \times G_T \rightarrow G$, $H_2: G \times G \rightarrow \{0,1\}^{\tau_G + \log q}$, $H_3: G_T \rightarrow \{0,1\}^{\log q}$, and $H_4: \{0,1\}^{\tau_m} \rightarrow G$, where $\tau_G$ denotes the size of an element of $G$ and $\tau_m$ the size of messages. The system public parameters are $\mathrm{Para} = (\lambda, G, G_T, q, \hat{e}, g, H_1, H_2, H_3, H_4)$.

4.1.2. User Key Generation.
Each user $U_i$ randomly picks three elements $x_{i,1}, x_{i,2}, x_{i,3} \in Z_q^*$ and computes the corresponding public key elements. Thus, the public key and secret key of user $U_i$ are $pk_i = (\chi_{i,1}, \chi_{i,2}, \chi_{i,3})$ and $sk_i = (x_{i,1}, x_{i,2}, x_{i,3})$, respectively.

4.1.4. Data Encryption.
For a message $m \in \{0,1\}^{\tau_m}$, the data sender randomly picks $\delta \in Z_q^*$ and computes the ciphertext $C = (c_1, c_2, c_3)$ as follows, where $\|$ denotes string concatenation and $\oplus$ the XOR operation. The ciphertext $C = (c_1, c_2, c_3)$ is then sent to the primary server $S_1$.

4.1.5. Data Decryption.
Given a ciphertext $C = (c_1, c_2, c_3)$, the data receiver computes and then verifies the two equalities below. If both hold, the data receiver outputs $m'$; otherwise, it outputs $\bot$.
4.1.6. Authentication Generation. Data user $U_i$ randomly picks an element $\beta \in Z_q^*$ and computes the ciphertext authentication $Z_i = (z_{i,1}, z_{i,2})$ as follows. Data user $U_i$ sends the ciphertext authentication $Z_i = (z_{i,1}, z_{i,2})$ to the two servers $S_1$ and $S_2$.
4.1.7. Authentication Recovery. The primary server $S_1$ computes and verifies the equality in (12). If it is satisfied, $S_1$ outputs the plaintext authentication $r_i = x'_{i,1}$; otherwise, it outputs the symbol $\bot$. The secondary server $S_2$ runs the recovery procedure in the same way and obtains the same plaintext authentication $r_i = x'_{i,1}$.
4.1.8. Primary Server Equality Test. The primary server $S_1$ continues to compute the intermediate result $\Theta = (c_1, c_1', \omega)$, which is sent to the secondary server $S_2$.
4.1.9. Secondary Server Equality Test. For the received intermediate result $\Theta = (c_1, c_1', \omega)$, the secondary server $S_2$ verifies the equality in (15). If it is satisfied, $S_2$ outputs 1; otherwise, it outputs 0.

Soundness
Theorem 1. The proposed PKE-AUT scheme in the dual server model is sound. Proof.

(2) For authentication recovery, the equality in (12) is satisfied.
(3) For the equality test on ciphertexts, the equality in (15) is satisfied if and only if $m = m'$.
Therefore, the proposed PKE-AUT scheme in the dual server model is sound.

Security Analysis
Theorem 2. The proposed PKE-AUT scheme in the dual server model can protect the privacy of outsourced data against the primary server.
Proof. The ciphertext in the proposed PKE-AUT scheme has a form similar to that of Lee et al.'s scheme [18]. The difference is that, to generate the second element $c_2$ of the ciphertext, the public keys of the data receiver and of both servers are used in the proposed PKE-AUT scheme; in this way, the two servers, once authorized, can jointly perform the equality test on ciphertexts with their private keys. The proof is similar to that of Theorem 4.1 in [18], except for a small difference in the simulation of the decryption oracle; that is, the proposed PKE-AUT scheme offers indistinguishability under adaptive chosen ciphertext attacks (IND-CCA) against the primary server, assuming the CDH and CBDH assumptions hold.
Theorem 3. The proposed PKE-AUT scheme in the dual server model can protect the privacy of outsourced data against the secondary server.
Proof. In the proposed PKE-AUT scheme, all outsourced ciphertexts are stored at the primary server. During the equality test, only the intermediate result $\Theta = (c_1, \gamma, c_1', \gamma')$ is delivered by the primary server to the secondary server. The pairs $(c_1, \gamma)$ and $(c_1', \gamma')$ have a form similar to Lee et al.'s scheme [18], the difference being that their scheme carries an additional element that enables decryption by the user. Thus, the proof is similar to that of Theorem 4.1 in [18]; that is, the proposed PKE-AUT scheme is IND-CCA secure against the secondary server under the CDH and CBDH assumptions.
Theorem 4. The proposed PKE-AUT scheme in the dual server model can protect the privacy of the authentication.
Proof. The ciphertext authentication generated by the proposed PKE-AUT scheme has a format similar to the ciphertexts of Boneh and Franklin's identity-based encryption scheme (Section 4 of [28]). The difference is that, in the input to the hash function $H_3$, the public keys of the two servers are both used in evaluating $\hat{e}(\cdot, \cdot)$, whereas Boneh and Franklin's scheme [28] uses the user identity and the public parameters. Thus, the proof is similar to that of Theorem 4.1 in [28]; that is, the authentication in the proposed PKE-AUT scheme enjoys indistinguishability under chosen plaintext attacks (IND-CPA), assuming the CBDH assumption holds.

Performance Analysis
The computing costs of our PKE-AUT scheme and Wu et al.'s scheme [15] are compared in Table 2, where Pair, Expo, and Hash denote the costs of evaluating a bilinear pairing $\hat{e}(\cdot, \cdot)$, an exponentiation in group $G$, and a map-to-point hash function, respectively.
It can be seen from Table 2 that, to produce a public/secret key pair for each user, our UKeyGen procedure requires 3 exponentiations in group $G$. Although it needs one more exponentiation than Wu et al.'s scheme [15], it does not require any map-to-point hash evaluation. The SKeyGen procedure of our PKE-AUT scheme is executed by the primary server and the secondary server, respectively, to generate their public and secret keys; their key pairs have the same form, and each takes 2 exponentiations in group $G$. In Wu et al.'s scheme [15], the two servers run different key generation procedures, so their key pairs have different forms and take two and one exponentiation in group $G$, respectively.
In the data encryption phase, the exponentiations in group $G_T$ in our PKE-AUT scheme and in Wu et al.'s scheme [15] can be converted into exponentiations in group $G$, so that the corresponding parameters can be reused in several steps and the efficiency improves. In this case, the Encrypt procedure of our PKE-AUT scheme takes one bilinear pairing fewer than that of Wu et al.'s scheme [15] to encrypt a message. Note that our PKE-AUT scheme authorizes the primary server and the secondary server concurrently to perform the equality test on ciphertexts, which makes the ciphertext contain more elements than that of Wu et al.'s scheme [15]. Thus, data decryption in our PKE-AUT scheme takes more computation than in Wu et al.'s scheme [15].
In our PKE-AUT scheme, the data user generates one ciphertext authentication for both servers; that is, the same ciphertext authentication can be recovered by the primary server and by the secondary server with their respective secret keys. Thus, the computing cost of authentication generation is lower than issuing a separate authentication to each server. Since the exponentiation in group $G_T$ can be converted into one in group $G$, the AuthGen and AuthRec procedures have the same computing cost, namely two exponentiations in group $G$ and one map-to-point hash evaluation. Wu et al.'s scheme [15] does not consider the privacy of the authentication.
With the authentication, the primary server and the secondary server cooperatively perform the equality test on ciphertexts. In our PKE-AUT scheme, both equality test procedures of the two servers take four more exponentiations in group $G$ than those of Wu et al.'s scheme [15], since generating the second element $c_2$ of our ciphertext requires more input parameters to allow the equality test by two servers. In both schemes the two servers do not have the same computing cost, since the secondary server needs two bilinear pairings to produce the result of the equality test on a pair of ciphertexts.
The communication costs of our PKE-AUT scheme and Wu et al.'s scheme [15] are compared in Table 3. In our scheme, each ciphertext has three elements, while a ciphertext in Wu et al.'s scheme [15] contains five elements. Note that the message space of Wu et al.'s scheme [15] is the cyclic group $G$. Thus, when both schemes use the same message space $G$, the ciphertext of their scheme is $2\tau_G$ larger than that of our PKE-AUT scheme. The authorization token in Wu et al.'s scheme [15] is not encrypted for privacy protection and consists of a single element of $G$. For the equality test procedure run by the primary server, the intermediate result $\Theta = (c_1, c_1', \omega)$ in our PKE-AUT scheme has three elements of $G$, while Wu et al.'s scheme [15] requires six elements of $G$.
Moreover, we evaluate the performance of our PKE-AUT scheme and Wu et al.'s scheme [15] in the dual server model according to the experimental results for cryptographic operations reported in [29,30]. In [29], the experiments were conducted on a platform with the Windows 7 operating system, an Intel i7-4700 CPU at 3.40 GHz and 4 GB of memory, using the MIRACL Cryptographic SDK [31] with $\log p = 512$. The execution times of the relevant cryptographic operations are summarized in Table 4.
The running times of all procedures of our PKE-AUT scheme and Wu et al.'s scheme [15] are depicted in Figures 3 and 4, respectively, for the case where each procedure is executed once. The proposed PKE-AUT scheme is more efficient than Wu et al.'s scheme [15] in encrypting a message. Although its decryption and equality test procedures take more time than those of Wu et al.'s scheme [15], our PKE-AUT scheme supports strict and symmetric authorization for the two servers. To achieve this, the public keys of both servers have to be used in generating the ciphertext, which slightly reduces the efficiency of decryption and the equality test.

Conclusion
To address privacy protection and resistance to keyword guessing attacks on outsourced ciphertexts in clouds, this paper presented a public key encryption scheme supporting the authorized equality test on ciphertexts in the dual server model (PKE-AUT). User data are stored only at the primary server, saving local storage costs. With the same authentication, the primary server and the secondary server jointly carry out the equality test on the ciphertexts of the corresponding users. The equality test also runs in the multi-user setting, so that, once authorized, the two servers can compare the ciphertexts of multiple users. Security analysis showed that the proposed PKE-AUT scheme guarantees the privacy of outsourced ciphertexts against both servers, as well as the privacy of the authentication. Performance analysis and comparison demonstrated the practicality of the proposed PKE-AUT scheme.

Conflicts of Interest
The authors declare that they have no conflicts of interest.