Generating Searchable Public-Key Ciphertexts with Hidden Structures for Fast Keyword Search

Existing semantically secure public-key searchable encryption schemes take search time linear with the total number of the ciphertexts. This makes retrieval from large-scale databases prohibitive. To alleviate this problem, this paper proposes Searchable Public-Key Ciphertexts with Hidden Structures (SPCHS) for keyword search as fast as possible without sacrificing semantic security of the encrypted keywords. In SPCHS, all keyword-searchable ciphertexts are structured by hidden relations, and with the search trapdoor corresponding to a keyword, the minimum information of therelations is disclosed to a search algorithm as the guidance to find all matching ciphertexts efficiently. We construct a simple SPCHS scheme from scratch in which the ciphertexts have a hidden star-like structure. We prove our scheme to be semantically secure based on the decisional bilinear Diffie-Hellman assumption in the Random Oracle (RO) model. The search complexity of our scheme is dependent on the actual number of the ciphertexts containing the queried keyword, rather than the number of all ciphertexts. Finally, we present a generic SPCHS construction from anonymous identity-based encryption and collision-free full-identity malleable Identity-Based Key Encapsulation Mechanism (IBKEM) with anonymity. We illustrate two collision-free full-identity malleable IBKEM instances, which are semantically secure and anonymous, respectively, in the RO and standard models. The latter instance enables us to construct an SPCHS scheme with semantic security in the standard model.

💡 Research Summary

The paper addresses a fundamental scalability problem of public‑key searchable encryption (PEKS): every search operation requires scanning all stored ciphertexts, leading to linear‑time complexity with respect to the database size. This makes PEKS impractical for large‑scale cloud storage, especially when the keyword space has low min‑entropy and deterministic encryption cannot be safely used.

Core Idea – SPCHS
The authors introduce “Searchable Public‑Key Ciphertexts with Hidden Structures” (SPCHS). In SPCHS, ciphertexts are not independent; they are linked by secret relations that are invisible to the server unless the appropriate keyword trapdoor is presented. The concrete construction uses a hidden star‑like topology: all ciphertexts belonging to the same keyword form a chain, and a public “Head” node points to the first element of each chain via a concealed edge. When a client issues a trapdoor for keyword w, the server can use the Head to locate the first ciphertext of the w‑chain, then follow the hidden pointers embedded in each found ciphertext to retrieve the next one, and so on. Consequently, the search cost becomes proportional to the number of matching ciphertexts |C_w| rather than the total number N of stored ciphertexts.

Security Model
The paper formalizes a semantic security notion for SPCHS that simultaneously protects (i) the encrypted keywords and (ii) the hidden structure. Two security games are defined: (1) without any trapdoor, all ciphertexts and their inter‑connections must be indistinguishable; (2) with a trapdoor for a specific keyword, the adversary may learn only the relations that belong to that keyword, while the rest of the structure remains hidden. This notion extends the classic SS‑CKA (semantic security against chosen‑keyword attacks) used for PEKS.

Concrete Scheme in the Random Oracle Model
A first construction is given from scratch. It relies on bilinear groups and the Decisional Bilinear Diffie‑Hellman (DBDH) assumption in the random‑oracle (RO) model. The sender, using the receiver’s public key and a keyword w, creates a ciphertext that contains (a) an encryption of w and (b) a hidden pointer to the next ciphertext of the same keyword. The pointer is derived from a hash of the current ciphertext and the keyword, ensuring that without the trapdoor the server cannot compute it. The search algorithm, given the trapdoor for w, can verify the pointer and iteratively retrieve all matching ciphertexts. The authors prove that this scheme satisfies the SPCHS security definition under DBDH.

Generic Construction via Collision‑Free Full‑Identity Malleable IBKEM
To obtain a more modular design, the authors identify a new primitive: a collision‑free full‑identity malleable Identity‑Based Key Encapsulation Mechanism (IBKEM). Such an IBKEM has two crucial properties: (1) collision‑freeness – for a given encapsulation, different receiver identities derive independent keys; (2) full‑identity malleability – the sender, knowing the encapsulation, can compute the key that any identity would obtain after decapsulation. By pairing this IBKEM with an anonymous Identity‑Based Encryption (IBE), they build a generic SPCHS where the hidden star structure is realized through the malleable keys: each keyword is mapped to an identity, and the chain of ciphertexts is formed by successive re‑encapsulations under that identity. If both the IBKEM and IBE are semantically secure and the IBE is anonymous, the resulting SPCHS inherits semantic security for both keywords and hidden structure.

Instantiations
Two concrete IBKEM instances are presented:

1. An RO‑model instance derived from Abdalla et al.’s VRF‑based IBKEM, shown to be anonymous, collision‑free, and fully malleable.
2. A standard‑model instance built from Freire et al.’s multilinear‑map‑based IBE (an adaptation of the Boneh‑Franklin scheme). The authors transform this IBE into a collision‑free full‑identity malleable IBKEM that is semantically secure and anonymous without random oracles.

Both instantiations enable SPCHS constructions that achieve the same O(|C_w|) search complexity while offering security in either the RO model or the standard model.

Performance and Applications
The search algorithm’s runtime depends only on the number of ciphertexts containing the queried keyword, a dramatic improvement over traditional PEKS. The additional storage overhead consists of a constant‑size hidden pointer per ciphertext; generation overhead is a single extra hash and encapsulation operation. The paper also discusses broader uses of collision‑free full‑identity malleable IBKEM, such as batch identity‑based key distribution (a single encapsulation can deliver distinct keys to many receivers) and anonymous identity‑based broadcast encryption with constant decryption cost plus logarithmic index lookup.

Conclusion
By introducing hidden relational structures among searchable ciphertexts, the authors break the linear‑time barrier of public‑key searchable encryption without sacrificing semantic security. The SPCHS framework is instantiated both from scratch (RO model) and generically via advanced identity‑based primitives, with rigorous security proofs. The work opens a new design space for efficient, privacy‑preserving search over encrypted data and demonstrates that the same techniques can be leveraged for other identity‑based cryptographic applications.