1 efficient conjunctive keyword-searchable encryption,2007 author: eun-kyung ryu and tsuyoshi takagi...

1

Efficient Conjunctive Keyword-Searchable Encryption,2007

Author:Eun-Kyung Ryu and Tsuyoshi Takagi

Presenter: 顏志龍

2

Outline Motivating Scenario and model of document Conjunctive Keyword Searchable Encryption (C

KSE) Definition Assumption Construction

Security Notion Secutity Analysis

3

Motivating Scenario Alice has a large amount of data

Which is private Which she wants to access any time and from anywh

ere Example: emails

Alice stores her data on a remote server Good connectivity Low administration overhead Cheaper cost of storage But untrusted

4

Alice may not trust the server Data must be stored encrypted

Alice wants ability to search her data Keyword search: “All emails from Bob”

Alice wants powerful, efficient search She wants to ask conjunctive queries E.g. ask for “All emails from Bob AND received last

Sunday”

5

Single keyword search Limited to queries for a single keyword Can’t do boolean combinations of queries

Example: “emails from Bob AND (received last week OR urgent)”

We focus on conjunctive queries Documents Di which contains keywords W1

and W2 … and Wm

More restrictive than full boolean combinations

6

Model of Documents We assume structured documents where keywords are

organized by fields

Alice Bob 06/01/2004 Urgent

Alice Charlie 05/28/2004 Secret

… … … …

Dave Alice 06/04/2004 Non-urgent

From To Date Status

m fields

n docs

D1

D2

Dn

The documents are the rows of the matrix Di = (Wi, 1, …, Wi, m)

J i

7




8

Definition1

we say that a scheme of conjunctive keyword searchable encryption is semantically secure against adaptive chosen-keyword attacks if

is a negligible function in for any polynomial attacker A .

)(kAdvCKSEA k

9

Definition2

Bilinear Map:

a map is a bilinear map if the following conditions hold :

1. and are cyclic groups of the same prime order p and Is efficiently computable;

2. For all and

then 3. is non-degenerate. That is, if generates

and generates ,

the generates

TGGGe 21:

21,GG TG),( e

,,, 11 Ggba p ,22 Gg abba ggegge ),(),( 2121

),( e 1g

1G 2g 2G

),( 21 ggeTG

10

Definition3

XDH Assumption:

Let and be two disjoint cyclic sub groups of a prime order of elliptic curves and let be a bilinear map

The XDH states that the decision Diffie-Hellman problem

in This implies that there does not exist an efficiently computable isomorphism

.: 21 TGGGe

1G 2G

p e

.1G.: 21 GG

11

Definition4

coXDH Assumption:

Let and be the XDH group and let

be a bilinear map Let the mixed decisional Diffie-Hellman problem to distinguish

between the tuples of the form

and where are random elements of

The coXDH assumption means that the mixed DDH problem is intractable in the XDH setting.

11 gG 22 gG e

TGGGe 21:

abba gggg 111 ,,,2

,,,, 1211cba gggg cba ,,*p

12

Search on Encrypted Data

Alice Storage Server

D1, D2, …, Dn C1,C2,…Ci

Encryption(K,Di ={Wi,1，…，Wi,m})

Later, Alice wantsto retrieve only some of documents containing some specific keywords.

Trapdoor(K,{ j1,..},{W1,…})

Test(T, Ci) = Trueif Ci contains W

Test(T,Ci) = FalseotherwiseAlice decrypts Ci

傳回滿足條件的資料

13

CKSE algorithm:

keyGen : run by the user to setup the scheme take a security parameter ,it determines XD

H

group and of a prime order p, where is kept in private.

return a secret key

k

)1( k

11 gG 22 gG2g

1G

14

Enc : run by the user to generate searchable ciphert

exts take a secret key and a document. Let for

Let be a value chosen uniformly at random from , return a ciphertext as follow:

}),...,{,( ,1, miii WWD

)( ., jiji WHh .,...,1 mj

ir*Z p iC

))(,...,)(,),,(( ,1,22iiii r

mir

irr

i hhggeC

1, Gh ji

15

Trapdoor : run by the user to generate a trapdoor take a secret key ,keyword field

Indices and keywords as inputs .Let be a value chosen uniformly at random from

return a trapdoor vale

)1(,...,1 mljj l

}),...,{},,...,{,( 1 jmjli WWjj

l

jmj WW ,...,1

s*p

T

),))((( 21

ssl

t jt gWHT

16

Test : run by the server in order to search for the docu

ments containing some specific keywords take a trapdoor and a ciphertext

Let and

For all ,the algorithm checks if the following equality holds:

),( iCT

T iC

),( 21 TTT ),...,,,( ,1,0, miiiii CCCVC ni 1

i

l

t jtii VTCeCTe ),(),(

1 2,0,1

If so, it return true. Otherwise, it return false

17




18

Security Notion

Define the security notion of CKSE in the sense of semantic-security using the following experiment:

1. Challenger chooses a set of secret keys for the user by executing KeyGen algorithm.

2. Attacker A can ask challenger for the trapdoor and encryption of its own choice.

3. A chooses two documents D0 ,D1 ,(none of trapdoor for D0 ,D1 is given in the step 2).

The challenger generates a random coin

and gives A a challenge

The goal of A is to decide such that

}1,0{b

).,( bDKEncC 'b bb '

19

4. A may ask continuously for the trapdoor and the encryption of its choice. (not allowed to ask for the trapdoor and the encryption of D0,D1 , as before )

5. A output

The advantage of A in breaking the CKSE scheme is defined as

in a security parameter

}1,0{'b

|]'Pr[|)( 21 bbkAdvCKSE

A

.k

20




21

Secutity Analysis

Theorem1

The CKSE scheme for conjunctive keyword searchable encryption is semantically secure against adaptive chosen-keyword attacks in the random oracle model under the external co-Diffie-Hellman assumption (coXDH).

22

Secutity Analysis (proof)

Suppose: A breaks the CKSE scheme with advantage by making at most hash queries , trapdoor queries , and encryption queries.

Goal:We then show a construction of an algorithm O that uses A as a subroutine and breaks coXDH assumption with non-negligible advantage

where is the base of natural logarithm.

Let be an instance of coXDH problem. O is to decide whether c= ab

Hq Tq

Eq

,))1((' 1 EqTqe

e

cba gugugug 1322111 ,,,

23

(step)

KeyGen HashQueries TrapdoorQueries EncQueries ChallengeQueries MoreQueries Output

24

KeyGen:

O chooses a random value and sets

as its own secret key.

HashQueries: O maintains a list of tuples called

the H-list. The list is initially empty. When A issues a hash query for a keyword

O responds as follows:

1G

jijijiji dxhW ,,,, ,,,

*}1,0{, jiW

25

If exists on the H-list then O responding with the previous queries

Otherwise ,O generates a random coin

so that ,and then O chooses a random value

1. If O computes

2. If O computes

O adds the tuple to the H-list and answers

with

jiW ,

jiji hWH ,, )(

}1,0{, jid

)1(1]0,Pr[ Tqjdi.*, pji Zx

,1, jid .)( ,

1,jix

ji uh

,0, jid .)( ,

3,jix

ji uh

jiji hWH ,, )(

26

TrapdoorQueries:

A issues a trapdoor query of some keyword

and then O execute the above H algorithm. O responds as follows:

If all on the tuple are not 1,termminate.

Otherwise ,O chooses a random value

and answer with a trapdoor as follow:

),1(,...,1 mlWW jlj

)1(, ltd jti

*pZs

),)(...)(((2,1,ss

jtis

ji gWHWHT

T

27

ChallengeQueries : A submits a pair of challenge documents

and O execute the above random oracle algorithm,

then O produces a challenge as follows: If both and for all are not 0 ,ter

minate. If both and for all are equal to

0 ,O generate a random coin If only one is equal to 0 then no randomness is nee

ded. O responds with the challenge

},...,{ ,01,00 mWWD },...,{ ,11,11 mWWD

C

jc ,0 jc ,1 mj 1

jc ,0 jic , mj 1}1,0{b

).,...,,),,(( ,1,22 mbb hhuueC

28

EncQueries : A issues a document O execute above H algorithm. O responds as f

ollow: If all on the tuples are not 1, the

n terminates. Otherwise, O chooses a random value

and then answers with

},...{ ,1, miii WWD

)1(, mjd ji

*pi Zr

).),...()(,,),(( ,1,22iiii r

mir

irr

i hhggeC

29

MoreQueries:

A performs additional trapdoor queries or Enc queries after the challenge query, O responds to these queries in the same way before.

30

Output: A output a bit of its guess . If , O guesses that is an in

stance of mixed DDH tuple . Otherwise, O guesses it is a random tuple.

}1,0{'b

bb ' 3211 ,,, uuug

31

The probability of O against the mixed DHH challengeLet NF be the event of that O does not fail during t

he above experiment.

NFT, O does not fail during the TrapdoorQueries NFE, O does not fail during the EncQueries NFC, O does not fail during the ChallengeQueries

NF=NFT NFE NFC

32

Pr[NFT] = Pr[NFE] = Pr[NFC] =

for b = 0,1 and both and are independent of A’s view.

Pr[ NF = NFT NFE NEC ] = The advantage of A against our CKSE scheme

is

The success probability of the O is

eq TqT 1))1(11(

EE qT

qT qq ))1(1())1(11(

)1(1]0Pr[ Tbj qd

jd0 jd1

))1((1 1 EqTqe

.

.))1(( 1 EqTqe