
Using secret sharing for searching in encrypted data

Presentation Transcript


  1. Using secret sharing for searching in encrypted data

  2. Ring • $F[x]/(s(x)) = \{ f(x) \mid \deg(f(x)) < \deg(s(x)) \text{ and coefficients of } f(x) \in F \}$ • $\mathbb{F}_q[x]/(x^{q-1}-1)$ (where $q$ is a prime power, $q = p^e$. For the reader’s convenience, all proofs will be given for $q$ prime) • ex: when $q = 5$: $(x-3)((x-2)(x-4))^2 \equiv 88x^3 - 252x^2 + 353x - 207 \pmod{x^4-1}$, and with the coefficients reduced mod 5 this is $3x^3 + 3x^2 + 3x + 3$

  3. Ring • $\mathbb{Z}[x]/(r(x))$ (where $r(x)$ is an irreducible polynomial) • If $f(x) = g(x)h(x)$ ($f(x)$ has degree $\ge 2$; $g(x)$, $h(x)$ have degree $\ge 1$) we call $f(x)$ reducible. • ex: when $r(x) = x^2+1$: $(x-3)((x-2)(x-4))^2 \equiv 265x + 45 \pmod{x^2+1}$

  4. Define a mapping function (map: tagnames → Z) • Transform the tree of tag names into a tree of polynomials • Use the ring to reduce the polynomials • Data sharing • Querying

  5. [Figure] (a) XML example: a customers element containing two client elements, each with a name child. (b) Mapping from tagname to numbers: customers → 3, client → 2, name → 4. (c) Data representation in non-compressed form: customers: $(x-3)((x-2)(x-4))^2$; each client: $(x-2)(x-4)$; each name: $(x-4)$.

  6. Data sharing • [Figure: one tree written as the sum ("= +") of two trees; label: Pseudorandom generator]

  7. Querying • ex: //client. This XPath expression means that we want to find ‘client’ elements somewhere in the tree.

  8. Querying • Translate ‘client’ to x = 2 (mapping table: customers → 3, client → 2, name → 4) • The server evaluates the polynomials at the given point (x = 2) and sends the results back to the client.

  9. Querying • The client does the same thing on its own side and calculates the sum of the client element and the server element. • sum = 0: the element contains a factor (x − 2). • sum ≠ 0: the branch is dead; the client informs the server so that the server can stop evaluating polynomials for elements in the tree starting with that branch.

  10. Querying • Each zero element in the sum tree that does not have a zero sub-element represents an answer to the query. • [Figure: sum tree with node values 0, 0, 0, 3, 3]

  11. Querying • To reconstruct the element value, let $f$ be the sum of the polynomials and $q_1, \dots, q_n$ the combined polynomials of all its direct children, i.e. $f = (x-t)\prod_{i=1}^{n} q_i \pmod{r}$ • $f(x) = 0$ → solve for $t$ → check the correctness (in the example: $t = 2$)

  12. Theorem 2 proves that there is just a single solution for $t$. • $d = d(r)$ • $q_1 \cdots q_n (x - t) = 0 \pmod{r} \;\Rightarrow\; a_{d-1}x^{d-1} + a_{d-2}x^{d-2} + \dots + a_1 x + a_0 = 0 \;\Rightarrow\; a_{d-1}(t) = 0, \; \dots, \; a_0(t) = 0$

  13. Advanced querying • More elaborate XPath queries can be performed. • ex: //a/b//c/d/e: follow these steps to increase efficiency • From the root node, find all ‘a’ elements that have b, c, d and e elements somewhere deeper in the tree • From the found nodes, find all direct children ‘b’ that have elements c, d and e as descendants • …

  14. Fermat's little theorem • If $p$ is a prime number, then for any integer $a$, $(a^p - a)$ will be evenly divisible by $p$, i.e. $a^p \equiv a \pmod{p}$, and $a^{p-1} \equiv 1 \pmod{p}$ when $(a, p) = 1$.

  15. Lemma 1. • If $p$ is prime then $\prod_{i=1}^{p-1} (x - i) \equiv x^{p-1} - 1 \pmod{p}$. • Let $f(x) = \prod_{i=1}^{p-1} (x - i)$ and $g(x) = x^{p-1} - 1$. All elements of $\mathbb{F}_p^* = \{1, \dots, p-1\}$ are roots of $f(x)$. By Fermat’s little theorem, for $p$ prime all these $p-1$ roots of $f(x)$ are also roots of $g(x)$. Thus the two polynomials are equal.

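  16. Lemma 2. • Let $p$ be prime and $f(x) \in \mathbb{F}_p[x]$. If $f(x)$ is non-zero mod $x - (p-1)$ then $f(x)$ is also non-zero modulo $x^{p-1} - 1$ (statement $p \to q$; the proof shows the contrapositive $\neg q \to \neg p$). • Since $f(x) \equiv 0 \pmod{x^{p-1} - 1} \Rightarrow (x^{p-1} - 1) \mid f(x)$, and $x - (p-1) \mid x^{p-1} - 1$ in $\mathbb{F}_p[x]$ (from lemma 1) $\Rightarrow x - (p-1) \mid f(x) \Rightarrow f(x) \equiv 0 \pmod{x - (p-1)}$.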

  17. Lemma 3. • Let $p$ be prime, and let $f(x) \in \mathbb{F}_p[x]$ be defined as f(x) = Then $f(x) \not\equiv 0 \pmod{x^{p-1} - 1}$. • Consider the evaluation of $f(x)$ at $p - 1$: f(p − 1) = Because $\forall i \in \{1, \dots, p-2\}: i \ne p-1$, $f(p-1) \ne 0$. Thus $x - (p-1)$ cannot be a factor of $f(x)$, and we have that $f(x) \not\equiv 0 \pmod{x - (p-1)}$. By lemma 2 this implies that $f(x) \not\equiv 0 \pmod{x^{p-1} - 1}$.

  18. Theorem 1. • Given a polynomial $f(x)$ in $\mathbb{F}_p[x]/(x^{p-1} - 1)$ ($p$ prime) of an element node and all polynomials $(q_1, \dots, q_n)$ of its children, the mapped value map(node) can be retrieved uniquely.

  19. Proof • We know at least one solution exists for the equation $f(x) \equiv q_1(x) \cdots q_n(x)(x - t)$ ($t$ is the mapped value). • Suppose there are two solutions $t_1$ and $t_2$: $f(x) \equiv q_1(x) \cdots q_n(x)(x - t_1)$ and $f(x) \equiv q_1(x) \cdots q_n(x)(x - t_2)$. • Then $q_1(x) \cdots q_n(x)(x - t_1) \equiv q_1(x) \cdots q_n(x)(x - t_2) \Rightarrow q_1(x) \cdots q_n(x)(t_1 - t_2) \equiv 0 \pmod{p} \Rightarrow q_1(x) \cdots q_n(x) \equiv 0 \pmod{p}$ or $(t_1 - t_2) \equiv 0 \pmod{p}$. • Since we know that $q_1(x) \cdots q_n(x) \not\equiv 0 \pmod{p}$ by lemma 3 (the $q_i$’s match the required form by construction), we can conclude that $t_1 \equiv t_2 \pmod{p}$.

  20. Theorem 2. • Given a polynomial $f(x)$ in $\mathbb{Z}[x]/(r(x))$ of an element node and all polynomials $(q_1, \dots, q_n)$ of its children, the mapped value map(node) can uniquely be retrieved.

  21. Proof • As in theorem 1, due to construction there exists at least one $t$ that satisfies $f(x) \equiv q_1(x) \cdots q_n(x)(x - t) \pmod{p}$. • Suppose there are two solutions $t_1$ and $t_2$. Then $q_1(x) \cdots q_n(x)(t_1 - t_2) \equiv 0 \pmod{r(x)}$. • Since $r(x)$ is irreducible, and none of the $q_i(x)$ are zero modulo $r(x)$ (by construction), we have that $t_1 - t_2 \equiv 0 \pmod{r(x)}$. Therefore $t_1 = t_2$.

  22. Conclusion • It has only a small penalty in storage space compared to the unencrypted case. • A branch can be marked as a dead end at a very early stage, so only a small portion of the tree has to be examined. • The same method cannot straightforwardly be used for the actual data.

  23. Comment • What kind of rings do we choose? • Which one can be more efficient in our situation?
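
The encoding, sharing, querying and tag-recovery steps of slides 4 to 11, run on the slide 5 tree in F_5[x]/(x^4 − 1), as an added example that is not part of the presentation. All function names are chosen here; `secrets.randbelow` stands in for the pseudorandom generator of slide 6, and `recover_tag` solves for t by trying every candidate in F_5*.

```python
import secrets
from functools import reduce
P = 5        # q = 5 (slide 2): the ring is F_5[x]/(x^4 - 1)
N = P - 1    # coefficients per polynomial, lowest degree first
TAGS = {"customers": 3, "client": 2, "name": 4}   # map: tagnames -> Z (slide 5)
DOC = ("customers", [("client", [("name",)]), ("client", [("name",)])])  # slide 5 tree

def mul(f, g):
    """Product in F_P[x]/(x^N - 1): exponents wrap around because x^N = 1."""
    out = [0] * N
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[(i + j) % N] = (out[(i + j) % N] + a * b) % P
    return out

def evaluate(f, x):
    return sum(c * pow(x, i, P) for i, c in enumerate(f)) % P

def linear(t):  # the factor (x - t)
    return [(-t) % P, 1] + [0] * (N - 2)

def encode(tag, kids=()):
    """Node polynomial = (x - map(tag)) * product of the child polynomials."""
    nodes = [encode(*k) for k in kids]
    return {"poly": reduce(mul, (n["poly"] for n in nodes), linear(TAGS[tag])), "kids": nodes}

def split(node):
    """Additive shares: client + server = poly (mod P), for every node."""
    c = [secrets.randbelow(P) for _ in range(N)]   # assumption: replaces the PRG
    s = [(a - b) % P for a, b in zip(node["poly"], c)]
    kids = [split(k) for k in node["kids"]]
    return tuple({"poly": p, "kids": [k[i] for k in kids]} for i, p in enumerate((c, s)))

def total(c, s):  # sum of the two shares of one node
    return [(a + b) % P for a, b in zip(c["poly"], s["poly"])]

def query(client, server, tag, path="0"):
    """Paths matching //tag: zero-sum nodes that have no zero-sum child."""
    x = TAGS[tag]
    if (evaluate(client["poly"], x) + evaluate(server["poly"], x)) % P:
        return []   # sum != 0: dead branch, nothing below it is evaluated
    pairs = zip(client["kids"], server["kids"])
    hits = [h for i, (c, s) in enumerate(pairs) for h in query(c, s, tag, f"{path}/{i}")]
    return hits or [path]

def recover_tag(client, server):
    """All t in F_P* with f = (x - t) * q_1 ... q_n; one solution is expected."""
    q = reduce(mul, map(total, client["kids"], server["kids"]), [1] + [0] * (N - 1))
    return [t for t in range(1, P) if mul(linear(t), q) == total(client, server)]
```

Calling `client, server = split(encode(*DOC))` and then `query(client, server, "client")` returns the paths of the two client nodes; the name nodes below them evaluate to 3 at x = 2, matching the sum tree on slide 10.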
