arxiv: 2606.07319 · v1 · pith:LRC3OK6Dnew · submitted 2026-06-05 · 💻 cs.CR

Authorized and Verifiable Searchable Encryption Based on Public Key Equality Test for Cloud Storage

Pith reviewed 2026-06-27 21:56 UTC · model grok-4.3

classification 💻 cs.CR
keywords searchable encryption · public key encryption with equality test · authorization · verifiability · cloud storage · PKEET · token security

The pith

AVPKEET enables non-transferable authorized verifiable PKEET without trusted third parties.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes AVPKEET, a public-key encryption with equality test construction that supports ciphertext-file-level authorization through non-transferable and non-replayable tokens while adding public verifiability, all without trusted third parties. It then builds the AVSE searchable encryption scheme on this foundation, incorporating one-time tokens bound to users and nonces, batch operations, and fine-grained access controls such as ALL, PARTIAL, or SINGLE. A sympathetic reader would care because existing PKEET-based searchable encryption lacks these authorization and verification features, leaving cloud storage users unable to control searches at the file level or verify operations publicly. The authors prove OW-CCA2 security, token unforgeability, and verification soundness under standard assumptions and report the smallest token size of 168 bytes with acceptable overhead.

Core claim

AVPKEET achieves authorized and verifiable equality tests on ciphertexts by enabling non-transferable and non-replayable authorization of specific files without trusted third parties, while AVSE extends this to searchable encryption with one-time tokens bound to users and nonces, batch processing, and fine-grained access levels, all proven secure under standard assumptions with a token size of 168 bytes.

What carries the argument

The AVPKEET scheme, which uses authorization tokens bound to users and nonces to restrict equality tests on ciphertexts while supporting public verification of those tokens.

If this is right

  • Specific ciphertext files can be authorized for search without allowing token reuse across users or sessions.
  • Public verification of authorizations becomes possible without relying on a trusted third party.
  • Fine-grained access levels enable precise control over which files are searchable by which users.
  • Batch operations support efficient handling of multiple search requests in cloud deployments.
  • The 168-byte token size reduces communication overhead compared to prior schemes while adding the new features.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The token binding approach could be adapted to other equality-test applications such as secure deduplication or data sharing protocols.
  • If the non-replayability holds under real network conditions, it may reduce the need for additional session management layers in cloud systems.
  • The public verifiability feature opens the possibility of third-party auditing of search authorizations in multi-tenant environments.
  • Implementation in a prototype cloud storage system could test whether the reported overhead remains acceptable at scale with concurrent users.

Load-bearing premise

Authorization tokens bound only to users and nonces remain non-transferable and non-replayable in practice, and the security model fully captures real-world cloud storage threats without additional trusted setup.

What would settle it

An adversary successfully transfers or replays an authorization token to perform an unauthorized equality test on a ciphertext file, or breaks the OW-CCA2 security of the scheme in the defined model.

Figures

Figures reproduced from arXiv: 2606.07319 by Kaiwen Wang, Xiaolin Chang, Xiuping Li.

Figure 1: Scheme Framework for Implementing SE Based on PKEET
Figure 2: System Model of AVSE
Figure 3: AVPKEET Primitive Performance Evaluation: (a) Encryption Time, (b) Authorization Time, (c) Authorized Test Time, (d) Proof Generation Time,
Figure 4: AVSE Scheme Performance Evaluation: (a) Index Building Time, (b) Token Generation Time, (c) Search Time, (d) Decryption Time, (e) Index Storage

Original abstract

Cloud storage revolutionizes data management but raises conflicts between functionality and privacy. Public Key Encryption with Equality Test (PKEET), an advanced cryptographic technique, can enable multi-user searchable encryption (SE) through cross-key ciphertext comparison without shared keys. However, existing PKEET-based SE schemes lack ciphertext-file-level authorization, public verifiability, or SE-level support. This paper first proposes a novel PKEET scheme, AVPKEET (Authorized and Verifiable PKEET). It enables non-transferable and non-replayable authorization of ciphertext files, while supporting public verifiability, all without the need for trusted third parties. Then we propose an AVPKEET-based SE scheme, denoted as AVSE (Authorized and Verifiable SE), featuring one-time non-transferable tokens bound to users and nonces, batch operations, and fine-grained access control (ALL, PARTIAL, SINGLE). We prove OW-CCA2 security, token unforgeability, and verification soundness under standard assumptions. Experiment results demonstrate that AVSE achieves the most compact token size (168 bytes) while uniquely providing both ciphertext-file-level authorization and public verification, with acceptable overhead for cloud storage deployment.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes AVPKEET, a novel PKEET scheme enabling non-transferable and non-replayable ciphertext-file-level authorization with public verifiability and no trusted third party, and AVSE, an AVPKEET-based searchable encryption scheme supporting one-time tokens bound to users and nonces, batch operations, and fine-grained access control (ALL, PARTIAL, SINGLE). It claims OW-CCA2 security, token unforgeability, and verification soundness under standard assumptions, with experiments showing the most compact token size (168 bytes) and acceptable overhead.

Significance. If the security definitions and proofs hold, the work provides a distinctive combination of features—ciphertext-file-level authorization, public verification, and compact one-time tokens—absent from prior PKEET-based SE schemes, offering a practical advance for privacy-preserving cloud storage with fine-grained control.

major comments (2)
  1. [Abstract, §3] Abstract and §3 (token generation): tokens are explicitly described as 'one-time non-transferable tokens bound to users and nonces.' The token unforgeability definition and game must be checked to determine whether it includes a cross-file replay attack (adversary obtains token for file A under user U and attempts use on challenge file B); without explicit binding to a ciphertext or file identifier in the token, the ciphertext-file-level authorization claim is at risk.
  2. [§4] §4 (security model): the OW-CCA2 and token unforgeability games are asserted under standard assumptions, but the model for non-replayability must be verified against the skeptic concern that nonce+user binding alone permits transfer to a different file; if the game does not model this, the proof does not establish the central authorization property.
minor comments (2)
  1. [Experimental results] Table comparing token sizes should explicitly list the 168-byte figure against prior schemes with the same security level for direct comparison.
  2. [§3] Notation for batch operations and access control levels (ALL/PARTIAL/SINGLE) should be defined at first use with a small example.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the careful review and for identifying potential gaps in how the security model captures non-replayability across files. We address each major comment below and commit to revisions that strengthen the ciphertext-file-level authorization claims.

Point-by-point responses
  1. Referee: [Abstract, §3] Abstract and §3 (token generation): tokens are explicitly described as 'one-time non-transferable tokens bound to users and nonces.' The token unforgeability definition and game must be checked to determine whether it includes a cross-file replay attack (adversary obtains token for file A under user U and attempts use on challenge file B); without explicit binding to a ciphertext or file identifier in the token, the ciphertext-file-level authorization claim is at risk.

    Authors: The referee is correct that the current description in the abstract and §3 binds tokens only to users and nonces. The manuscript does not explicitly include a file or ciphertext identifier in the token, which means the unforgeability game as written does not model cross-file replay. To support the claimed ciphertext-file-level authorization, the token generation must incorporate a file identifier and the security game must be updated to capture an adversary attempting to replay a token on a different file. We will revise §3 to add the file identifier to token generation and update the token unforgeability definition and game in the next version.

    revision: yes

  2. Referee: [§4] §4 (security model): the OW-CCA2 and token unforgeability games are asserted under standard assumptions, but the model for non-replayability must be verified against the skeptic concern that nonce+user binding alone permits transfer to a different file; if the game does not model this, the proof does not establish the central authorization property.

    Authors: We agree that the existing games in §4 do not explicitly include a cross-file replay query. Without this, the proofs cannot rigorously establish non-replayability at the ciphertext-file level. We will extend both the OW-CCA2 and token unforgeability games to allow the adversary to obtain tokens for one file and attempt to use them on a different challenge file, and we will update the corresponding proofs. These changes will be made in the revised manuscript.

    revision: yes
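
The binding gap discussed in the two major comments and responses above can be seen in a small model. This is an added example, not code from the paper or from Pith, and it is not the AVPKEET construction: HMAC-SHA256 stands in for the paper's token authenticator (so the public-verifiability property is not modelled), and the names `issue_token`, `CloudServer` and `run_scenario`, the key, the users and the file ids are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed demo key. HMAC is a stand-in authenticator (assumption),
# so issuer and checker share this key; the paper's scheme does not.
OWNER_KEY = b"constructed-demo-key-not-from-the-paper"


def _mac(*fields: bytes) -> bytes:
    """MAC over length-prefixed fields so field boundaries are unambiguous."""
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(OWNER_KEY, msg, hashlib.sha256).digest()


def issue_token(user: str, file_id: str, bind_file: bool) -> dict:
    """Data owner issues a one-time token letting `user` test `file_id`."""
    nonce = os.urandom(16)
    fields = [user.encode(), nonce] + ([file_id.encode()] if bind_file else [])
    return {"user": user, "nonce": nonce, "tag": _mac(*fields)}


class CloudServer:
    """Checks a token before running an equality test on a stored file."""

    def __init__(self, bind_file: bool):
        self.bind_file = bind_file
        self.seen_nonces = set()

    def authorize(self, token: dict, presenter: str, file_id: str) -> bool:
        fields = [presenter.encode(), token["nonce"]]
        if self.bind_file:
            fields.append(file_id.encode())
        if not hmac.compare_digest(_mac(*fields), token["tag"]):
            return False  # wrong user, or (when bound) wrong file
        if token["nonce"] in self.seen_nonces:
            return False  # token already used once
        self.seen_nonces.add(token["nonce"])  # consume only valid tokens
        return True


def run_scenario(bind_file: bool) -> dict:
    """Issue tokens for file-A and present them in four different ways."""
    results = {}
    # Token issued for file-A, presented by the same user against file-B.
    srv = CloudServer(bind_file)
    tok = issue_token("alice", "file-A", bind_file)
    results["cross_file"] = srv.authorize(tok, "alice", "file-B")
    # Intended use, then a second presentation of the same token.
    srv = CloudServer(bind_file)
    tok = issue_token("alice", "file-A", bind_file)
    results["intended"] = srv.authorize(tok, "alice", "file-A")
    results["replay"] = srv.authorize(tok, "alice", "file-A")
    # A fresh token for alice presented by a different user.
    tok2 = issue_token("alice", "file-A", bind_file)
    results["transfer"] = srv.authorize(tok2, "mallory", "file-A")
    return results


if __name__ == "__main__":
    for bind in (False, True):
        label = "user+nonce+file" if bind else "user+nonce only"
        print(label, run_scenario(bind))
```

With user and nonce binding alone, replay and transfer are rejected but the cross-file presentation is accepted; adding the file identifier to the authenticated fields is the only change that rejects it.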

Circularity Check

0 steps flagged

No circularity: security proofs rely on standard assumptions independent of the construction

The paper presents a new PKEET-based SE scheme (AVSE) with claimed properties including non-transferable tokens, public verifiability, and fine-grained access control. It states that security (OW-CCA2, token unforgeability, verification soundness) is proved under standard assumptions. No equations, parameter fittings, or self-citations are shown in the provided text that would reduce any central claim to a definition or prior self-result by construction. The authorization and verification properties are defined and proved separately from the token generation mechanism, with no renaming of known results or ansatz smuggling indicated. This is a standard cryptographic construction paper whose claims rest on external hardness assumptions rather than self-referential inputs.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Abstract-only review provides no explicit free parameters, axioms, or invented entities beyond standard cryptographic assumptions referenced for the security proofs.

axioms (1)
  • domain assumption: OW-CCA2 security, token unforgeability, and verification soundness hold under standard assumptions
    Stated as the basis for the security proofs in the abstract.

pith-pipeline@v0.9.1-grok · 5744 in / 1100 out tokens · 23121 ms · 2026-06-27T21:56:25.578016+00:00 · methodology
