View
228
Download
0
Embed Size (px)
Citation preview
1
Efficient Conjunctive Keyword-Searchable Encryption,2007
Author:Eun-Kyung Ryu and Tsuyoshi Takagi
Presenter: 顏志龍
2
Outline Motivating Scenario and model of document Conjunctive Keyword Searchable Encryption (C
KSE) Definition Assumption Construction
Security Notion Secutity Analysis
3
Motivating Scenario Alice has a large amount of data
Which is private Which she wants to access any time and from anywh
ere Example: emails
Alice stores her data on a remote server Good connectivity Low administration overhead Cheaper cost of storage But untrusted
4
Alice may not trust the server Data must be stored encrypted
Alice wants ability to search her data Keyword search: “All emails from Bob”
Alice wants powerful, efficient search She wants to ask conjunctive queries E.g. ask for “All emails from Bob AND received last
Sunday”
5
Single keyword search Limited to queries for a single keyword Can’t do boolean combinations of queries
Example: “emails from Bob AND (received last week OR urgent)”
We focus on conjunctive queries Documents Di which contains keywords W1
and W2 … and Wm
More restrictive than full boolean combinations
6
Model of Documents We assume structured documents where keywords are
organized by fields
Alice Bob 06/01/2004 Urgent
Alice Charlie 05/28/2004 Secret
… … … …
Dave Alice 06/04/2004 Non-urgent
From To Date Status
m fields
n docs
D1
D2
Dn
The documents are the rows of the matrix Di = (Wi, 1, …, Wi, m)
J i
7
Outline Motivating Scenario and model of document Conjunctive Keyword Searchable Encryption (C
KSE) Definition Assumption Construction
Security Notion Secutity Analysis
8
Definition1
we say that a scheme of conjunctive keyword searchable encryption is semantically secure against adaptive chosen-keyword attacks if
is a negligible function in for any polynomial attacker A .
)(kAdvCKSEA k
9
Definition2
Bilinear Map:
a map is a bilinear map if the following conditions hold :
1. and are cyclic groups of the same prime order p and Is efficiently computable;
2. For all and
then 3. is non-degenerate. That is, if generates
and generates ,
the generates
TGGGe 21:
21,GG TG),( e
,,, 11 Ggba p ,22 Gg abba ggegge ),(),( 2121
),( e 1g
1G 2g 2G
),( 21 ggeTG
10
Definition3
XDH Assumption:
Let and be two disjoint cyclic sub groups of a prime order of elliptic curves and let be a bilinear map
The XDH states that the decision Diffie-Hellman problem
in This implies that there does not exist an efficiently computable isomorphism
.: 21 TGGGe
1G 2G
p e
.1G.: 21 GG
11
Definition4
coXDH Assumption:
Let and be the XDH group and let
be a bilinear map Let the mixed decisional Diffie-Hellman problem to distinguish
between the tuples of the form
and where are random elements of
The coXDH assumption means that the mixed DDH problem is intractable in the XDH setting.
11 gG 22 gG e
TGGGe 21:
abba gggg 111 ,,,2
,,,, 1211cba gggg cba ,,*p
12
Search on Encrypted Data
Alice Storage Server
D1, D2, …, Dn C1,C2,…Ci
Encryption(K,Di ={Wi,1,…,Wi,m})
Later, Alice wantsto retrieve only some of documents containing some specific keywords.
Trapdoor(K,{ j1,..},{W1,…})
Test(T, Ci) = Trueif Ci contains W
Test(T,Ci) = FalseotherwiseAlice decrypts Ci
傳回滿足條件的資料
13
CKSE algorithm:
keyGen : run by the user to setup the scheme take a security parameter ,it determines XD
H
group and of a prime order p, where is kept in private.
return a secret key
k
)1( k
11 gG 22 gG2g
1G
14
Enc : run by the user to generate searchable ciphert
exts take a secret key and a document. Let for
Let be a value chosen uniformly at random from , return a ciphertext as follow:
}),...,{,( ,1, miii WWD
)( ., jiji WHh .,...,1 mj
ir*Z p iC
))(,...,)(,),,(( ,1,22iiii r
mir
irr
i hhggeC
1, Gh ji
15
Trapdoor : run by the user to generate a trapdoor take a secret key ,keyword field
Indices and keywords as inputs .Let be a value chosen uniformly at random from
return a trapdoor vale
)1(,...,1 mljj l
}),...,{},,...,{,( 1 jmjli WWjj
l
jmj WW ,...,1
s*p
T
),))((( 21
ssl
t jt gWHT
16
Test : run by the server in order to search for the docu
ments containing some specific keywords take a trapdoor and a ciphertext
Let and
For all ,the algorithm checks if the following equality holds:
),( iCT
T iC
),( 21 TTT ),...,,,( ,1,0, miiiii CCCVC ni 1
i
l
t jtii VTCeCTe ),(),(
1 2,0,1
If so, it return true. Otherwise, it return false
17
Outline Motivating Scenario and model of document Conjunctive Keyword Searchable Encryption (C
KSE) Definition Assumption Construction
Security Notion Secutity Analysis
18
Security Notion
Define the security notion of CKSE in the sense of semantic-security using the following experiment:
1. Challenger chooses a set of secret keys for the user by executing KeyGen algorithm.
2. Attacker A can ask challenger for the trapdoor and encryption of its own choice.
3. A chooses two documents D0 ,D1 ,(none of trapdoor for D0 ,D1 is given in the step 2).
The challenger generates a random coin
and gives A a challenge
The goal of A is to decide such that
}1,0{b
).,( bDKEncC 'b bb '
19
4. A may ask continuously for the trapdoor and the encryption of its choice. (not allowed to ask for the trapdoor and the encryption of D0,D1 , as before )
5. A output
The advantage of A in breaking the CKSE scheme is defined as
in a security parameter
}1,0{'b
|]'Pr[|)( 21 bbkAdvCKSE
A
.k
20
Outline Motivating Scenario and model of document Conjunctive Keyword Searchable Encryption (C
KSE) Definition Assumption Construction
Security Notion Secutity Analysis
21
Secutity Analysis
Theorem1
The CKSE scheme for conjunctive keyword searchable encryption is semantically secure against adaptive chosen-keyword attacks in the random oracle model under the external co-Diffie-Hellman assumption (coXDH).
22
Secutity Analysis (proof)
Suppose: A breaks the CKSE scheme with advantage by making at most hash queries , trapdoor queries , and encryption queries.
Goal:We then show a construction of an algorithm O that uses A as a subroutine and breaks coXDH assumption with non-negligible advantage
where is the base of natural logarithm.
Let be an instance of coXDH problem. O is to decide whether c= ab
Hq Tq
Eq
,))1((' 1 EqTqe
e
cba gugugug 1322111 ,,,
23
(step)
KeyGen HashQueries TrapdoorQueries EncQueries ChallengeQueries MoreQueries Output
24
KeyGen:
O chooses a random value and sets
as its own secret key.
HashQueries: O maintains a list of tuples called
the H-list. The list is initially empty. When A issues a hash query for a keyword
O responds as follows:
1G
jijijiji dxhW ,,,, ,,,
*}1,0{, jiW
25
If exists on the H-list then O responding with the previous queries
Otherwise ,O generates a random coin
so that ,and then O chooses a random value
1. If O computes
2. If O computes
O adds the tuple to the H-list and answers
with
jiW ,
jiji hWH ,, )(
}1,0{, jid
)1(1]0,Pr[ Tqjdi.*, pji Zx
,1, jid .)( ,
1,jix
ji uh
,0, jid .)( ,
3,jix
ji uh
jiji hWH ,, )(
26
TrapdoorQueries:
A issues a trapdoor query of some keyword
and then O execute the above H algorithm. O responds as follows:
If all on the tuple are not 1,termminate.
Otherwise ,O chooses a random value
and answer with a trapdoor as follow:
),1(,...,1 mlWW jlj
)1(, ltd jti
*pZs
),)(...)(((2,1,ss
jtis
ji gWHWHT
T
27
ChallengeQueries : A submits a pair of challenge documents
and O execute the above random oracle algorithm,
then O produces a challenge as follows: If both and for all are not 0 ,ter
minate. If both and for all are equal to
0 ,O generate a random coin If only one is equal to 0 then no randomness is nee
ded. O responds with the challenge
},...,{ ,01,00 mWWD },...,{ ,11,11 mWWD
C
jc ,0 jc ,1 mj 1
jc ,0 jic , mj 1}1,0{b
).,...,,),,(( ,1,22 mbb hhuueC
28
EncQueries : A issues a document O execute above H algorithm. O responds as f
ollow: If all on the tuples are not 1, the
n terminates. Otherwise, O chooses a random value
and then answers with
},...{ ,1, miii WWD
)1(, mjd ji
*pi Zr
).),...()(,,),(( ,1,22iiii r
mir
irr
i hhggeC
29
MoreQueries:
A performs additional trapdoor queries or Enc queries after the challenge query, O responds to these queries in the same way before.
30
Output: A output a bit of its guess . If , O guesses that is an in
stance of mixed DDH tuple . Otherwise, O guesses it is a random tuple.
}1,0{'b
bb ' 3211 ,,, uuug
31
The probability of O against the mixed DHH challengeLet NF be the event of that O does not fail during t
he above experiment.
NFT, O does not fail during the TrapdoorQueries NFE, O does not fail during the EncQueries NFC, O does not fail during the ChallengeQueries
NF=NFT NFE NFC
32
Pr[NFT] = Pr[NFE] = Pr[NFC] =
for b = 0,1 and both and are independent of A’s view.
Pr[ NF = NFT NFE NEC ] = The advantage of A against our CKSE scheme
is
The success probability of the O is
eq TqT 1))1(11(
EE qT
qT qq ))1(1())1(11(
)1(1]0Pr[ Tbj qd
jd0 jd1
))1((1 1 EqTqe
.
.))1(( 1 EqTqe
33