340 likes | 583 Views
Efficient Conjunctive Keyword-Searchable Encryption,2007. Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍 . Outline. Motivating Scenario and model of document Conjunctive Keyword Searchable Encryption (CKSE) Definition Assumption Construction Security Notion
E N D
Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍
Outline • Motivating Scenario and model of document • Conjunctive Keyword Searchable Encryption (CKSE) • Definition • Assumption • Construction • Security Notion • Secutity Analysis
Motivating Scenario • Alice has a large amount of data • Which is private • Which she wants to access any time and from anywhere • Example: emails • Alice stores her data on a remote server • Good connectivity • Low administration overhead • Cheaper cost of storage • But untrusted
Alice may not trust the server • Data must be stored encrypted • Alice wants ability to search her data • Keyword search: “All emails from Bob” • Alice wants powerful, efficient search • She wants to ask conjunctive queries • E.g. ask for “All emails from Bob AND received last Sunday”
Single keyword search • Limited to queries for a single keyword • Can’t do boolean combinations of queries • Example: “emails from Bob AND (received last week OR urgent)” • We focus on conjunctive queries • Documents Di which contains keywords W1 and W2 … and Wm • More restrictive than full boolean combinations
m fields From To Date Status D1 D2 n docs Dn Model of Documents • We assume structured documents where keywords are organized by fields J i The documents are the rows of the matrix Di = (Wi, 1, …, Wi, m)
Outline • Motivating Scenario and model of document • Conjunctive Keyword Searchable Encryption (CKSE) • Definition • Assumption • Construction • Security Notion • Secutity Analysis
Definition1 we saythat a scheme of conjunctive keyword searchable encryption is semantically secure against adaptive chosen-keyword attacks if is a negligible function in for any polynomial attacker A .
Definition2 Bilinear Map: a map is a bilinear map if the following conditions hold : • and are cyclic groups of the same prime order p and Is efficiently computable; • For all and then • is non-degenerate. That is, if generates and generates , the generates
Definition3 XDH Assumption: Let and be two disjoint cyclic sub groups of a prime order of elliptic curves and let be a bilinear map The XDH states that the decision Diffie-Hellman problem in This implies that there does not exist an efficiently computable isomorphism
Definition4 coXDH Assumption: Let and be the XDH group and let be a bilinear map Let the mixed decisional Diffie-Hellman problem to distinguish between the tuples of the form and where are random elements of The coXDH assumption means that the mixed DDH problem is intractable in the XDH setting.
Encryption(K,Di ={Wi,1,…,Wi,m}) C1,C2,…Ci Later, Alice wants to retrieve only some of documents containing some specific keywords. Trapdoor(K,{ j1,..},{W1,…}) Search on Encrypted Data Storage Server Alice D1, D2, …, Dn Test(T, Ci) = True if Ci contains W Test(T,Ci) = False otherwise 傳回滿足條件的資料 Alice decrypts Ci
CKSE algorithm: keyGen : • run by the user to setup the scheme • take a security parameter ,it determines XDH group and of a prime order p, where is kept in private. • return a secret key
Enc: • run by the user to generate searchable ciphertexts • take a secret key and a document. • Let for Let be a value chosen uniformly at random from , return a ciphertextas follow:
Trapdoor: • run by the user to generate a trapdoor • take a secret key ,keyword field Indices and keywords as inputs .Let be a value chosen uniformly at random from • return a trapdoor vale
Test : • run by the server in order to search for the documents containing some specific keywords • take a trapdoor and a ciphertext Let and For all ,the algorithm checks if the following equality holds: If so, it return true. Otherwise, it return false
Outline • Motivating Scenario and model of document • Conjunctive Keyword Searchable Encryption (CKSE) • Definition • Assumption • Construction • Security Notion • Secutity Analysis
Security Notion Define the security notion of CKSE in the sense of semantic-security using the following experiment: • Challenger chooses a set of secret keys for the user by executing KeyGen algorithm. • Attacker A can ask challenger for the trapdoor and encryption of its own choice. • A chooses two documents D0 ,D1 ,(none of trapdoor for D0 ,D1 is given in the step 2). The challenger generates a random coin and gives A a challenge The goal of A is to decide such that
A may ask continuously for the trapdoor and the encryption of its choice. (not allowed to ask for the trapdoor and the encryption of D0,D1 , as before ) • A output The advantage of A in breaking the CKSE scheme is defined as in a security parameter
Outline • Motivating Scenario and model of document • Conjunctive Keyword Searchable Encryption (CKSE) • Definition • Assumption • Construction • Security Notion • Secutity Analysis
Secutity Analysis Theorem1 The CKSE scheme for conjunctive keyword searchable encryption is semantically secure against adaptive chosen-keyword attacks in the random oracle model under the external co-Diffie-Hellman assumption (coXDH).
Secutity Analysis (proof) Suppose: A breaks the CKSE scheme with advantage by making at most hash queries , trapdoor queries , and encryption queries. Goal: We then show a construction of an algorithm O that uses A as a subroutine and breaks coXDH assumption with non-negligible advantage where is the base of natural logarithm. Let be an instance of coXDH problem. O is to decide whether c= ab
(step) • KeyGen • HashQueries • TrapdoorQueries • EncQueries • ChallengeQueries • MoreQueries • Output
KeyGen: O chooses a random value and sets as its own secret key. HashQueries: • O maintains a list of tuples called the H-list. The list is initially empty. • When A issues a hash query for a keyword O responds as follows:
If exists on the H-list then O responding with the previous queries • Otherwise ,O generates a random coin so that ,and then O chooses a random value • If O computes • If O computes O adds the tuple to the H-list and answers with
TrapdoorQueries: A issues a trapdoor query of some keyword and then O execute the above H algorithm. O responds as follows: • If all on the tuple are not 1,termminate. • Otherwise ,O chooses a random value and answer with a trapdoor as follow:
ChallengeQueries : • A submits a pair of challenge documents and • O execute the above random oracle algorithm, then O produces a challenge as follows: • If both and for all are not 0 ,terminate. • If both and for all are equal to 0 ,O generate a random coin • If only one is equal to 0 then no randomness is needed. O responds with the challenge
EncQueries : • A issues a document • O execute above H algorithm. O responds as follow: • If all on the tuples are not 1, then terminates. • Otherwise, O chooses a random value and then answers with
MoreQueries: Aperforms additional trapdoor queries or Enc queries after the challengequery, O responds to these queries in the same way before.
Output: • A output a bit of its guess . • If , O guesses that is an instance of mixed DDH tuple . • Otherwise, O guesses it is a random tuple.
The probability of O against the mixed DHH challenge Let NF be the event of that O does not fail during the above experiment. • NFT, O does not fail during the TrapdoorQueries • NFE, O does not fail during the EncQueries • NFC, O does not fail during the ChallengeQueries NF=NFT NFE NFC
Pr[NFT] = • Pr[NFE] = • Pr[NFC] = for b = 0,1 and both and are independent of A’sview. Pr[ NF = NFT NFE NEC ] = • The advantage of A against our CKSE scheme is The success probability of the O is