Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉
Outline (1/1)
• What is the problem?
• What do we want to achieve?
• Definition.
• One solution.
• Conclusion.
Problem (1/1)
[Figure labels: Alice; Bob (untrusted server); Pre-stored data; Search; Ciphertext]
The pre-stored data is some set of documents encrypted by Alice (or others).
Properties
• Query isolation: The untrusted server cannot learn anything more about the plaintext than the search result.
• Controlled searching: The untrusted server cannot search for an arbitrary word without the user's authorization.
• Hidden queries: The user may ask the untrusted server to search for a secret word without revealing the word to the server.
Background and Definitions (1/4)
• Def: Let $A : \{0,1\}^n \to \{0,1\}$ be an arbitrary algorithm and let $X$ and $Y$ be random variables distributed on $\{0,1\}^n$. The distinguishing probability of $A$ (sometimes called the advantage of $A$) for $X$ and $Y$ is $\mathrm{Adv}\,A = |\Pr[A(X) = 1] - \Pr[A(Y) = 1]|$.
Background and Definitions (2/4)
• Def: A pseudorandom generator $G$, i.e., a stream cipher. We say that $G : \mathcal{K}_G \to S$ is a $(t, e)$-secure pseudorandom generator if every algorithm $A$ with running time at most $t$ has advantage $\mathrm{Adv}\,A < e$. The advantage of an adversary $A$ is defined as $\mathrm{Adv}\,A = |\Pr[A(U_{\mathcal{K}_G}) = 1] - \Pr[A(U_S) = 1]|$, where $U_{\mathcal{K}_G}$, $U_S$ are random variables distributed uniformly on $\mathcal{K}_G$, $S$.
Background and Definitions (3/4)
• Def: A pseudorandom function $F$. We say that $F : \mathcal{K}_F \times X \to Y$ is a $(t, q, e)$-secure pseudorandom function if every oracle algorithm $A$ making at most $q$ oracle queries and with running time at most $t$ has advantage $\mathrm{Adv}\,A < e$. The advantage is defined as $\mathrm{Adv}\,A = |\Pr[A^{F_k} = 1] - \Pr[A^{R} = 1]|$, where $R$ represents a random function selected uniformly from the set of all maps from $X$ to $Y$, and where the probabilities are taken over the choice of $k$ and $R$.
Background and Definitions (4/4)
• Def: A pseudorandom permutation $E$, i.e., a block cipher. We say that $E : \mathcal{K}_E \times Z \to Z$ is a $(t, q, e)$-secure pseudorandom permutation if every oracle algorithm $A$ making at most $q$ oracle queries and with running time at most $t$ has advantage $\mathrm{Adv}\,A < e$. The advantage is defined as $\mathrm{Adv}\,A = |\Pr[A^{E_k, E_k^{-1}} = 1] - \Pr[A^{\pi, \pi^{-1}} = 1]|$, where $\pi$ represents a random permutation selected uniformly from the set of all bijections on $Z$, and where the probabilities are taken over the choice of $k$ and $\pi$. Notice that the adversary is given an oracle for encryption as well as for decryption; this corresponds to the adaptive chosen-plaintext/ciphertext attack model.
Our solution with sequential scan
Scheme I: The basic scheme
$A \oplus B = C$, $B \oplus C = A$, $C \oplus A = B$.
Alice produces $S_i$ and $k_i$.
[Figure labels: n bits; n-m bits; m bits]
When decrypting, Alice gets $W_i = C_i \oplus \langle S_i, F_{k_i}(S_i) \rangle$, where the $S_i$ are pseudorandom values generated by a pseudorandom generator and $F$ is a pseudorandom function.
Our solution with sequential scan
Scheme II: Controlled searching
Alice produces $S_i$ and $k'$.
Let $k_i = f_{k'}(W_i)$, where $k'$ is chosen uniformly at random by Alice and never revealed.
If Alice wishes to allow Bob to search for the word $W$, she reveals $f_{k'}(W)$ and $W$ to him.
Our solution with sequential scan
Scheme III: Support for hidden searches
Alice produces $S_i$, $k'$ and $k''$.
We let $X_i = E_{k''}(W_i)$.
Let $k_i = f_{k'}(X_i)$, where $k'$ is chosen uniformly at random by Alice and never revealed.
If Alice wishes to allow Bob to search for the word $W$, she reveals $f_{k'}(E_{k''}(W))$ and $E_{k''}(W)$ to him.
Our solution with sequential scan
Scheme IV: The final scheme
Alice produces $S_i$, $k'$ and $k''$.
We let $X_i = E_{k''}(W_i)$.
Let $k_i = f_{k'}(L_i)$, where $k'$ is chosen uniformly at random by Alice and never revealed.
If Alice wishes to allow Bob to search for the word $W$, she reveals $f_{k'}(E_{k''}(W))$ and $E_{k''}(W)$ to him.
Conclusion
• How do we know which $S_i$ we should use?
• If we know $W$, why do we search?
• A solution: public key encryption? (naïve thought).
• Issues:
  • The scheme is too slow when searching a large number of documents.
  • If we search too often, Bob may be able to learn some information.
  • We must trust Bob to return all the matching results.