1 efficient conjunctive keyword-searchable encryption,2007 author: eun-kyung ryu and tsuyoshi takagi...

Click here to load reader

Post on 19-Dec-2015

220 views

Category:

Documents

0 download

Embed Size (px)

TRANSCRIPT

  • Slide 1
  • 1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter:
  • Slide 2
  • 2 Outline Motivating Scenario and model of document Conjunctive Keyword Searchable Encryption (CKSE) Definition Assumption Construction Security Notion Secutity Analysis
  • Slide 3
  • 3 Motivating Scenario Alice has a large amount of data Which is private Which she wants to access any time and from anywhere Example: emails Alice stores her data on a remote server Good connectivity Low administration overhead Cheaper cost of storage But untrusted
  • Slide 4
  • 4 Alice may not trust the server Data must be stored encrypted Alice wants ability to search her data Keyword search: All emails from Bob Alice wants powerful, efficient search She wants to ask conjunctive queries E.g. ask for All emails from Bob AND received last Sunday
  • Slide 5
  • 5 Single keyword search Limited to queries for a single keyword Cant do boolean combinations of queries Example: emails from Bob AND (received last week OR urgent) We focus on conjunctive queries Documents D i which contains keywords W 1 and W 2 and W m More restrictive than full boolean combinations
  • Slide 6
  • 6 Model of Documents We assume structured documents where keywords are organized by fields AliceBob06/01/2004Urgent AliceCharlie05/28/2004Secret DaveAlice06/04/2004Non-urgent From To Date Status m fields n docs D1D1 D2D2 DnDn The documents are the rows of the matrix D i = (W i, 1, , W i, m ) J i
  • Slide 7
  • 7 Outline Motivating Scenario and model of document Conjunctive Keyword Searchable Encryption (CKSE) Definition Assumption Construction Security Notion Secutity Analysis
  • Slide 8
  • 8 Definition1 we say that a scheme of conjunctive keyword searchable encryption is semantically secure against adaptive chosen-keyword attacks if is a negligible function in for any polynomial attacker A.
  • Slide 9
  • 9 Definition2 Bilinear Map: a map is a bilinear map if the following conditions hold : 1. and are cyclic groups of the same prime order p and Is efficiently computable; 2. For all and then 3. is non-degenerate. That is, if generates and generates, the generates
  • Slide 10
  • 10 Definition3 XDH Assumption: Let and be two disjoint cyclic sub groups of a prime order of elliptic curves and let be a bilinear map The XDH states that the decision Diffie-Hellman problem in This implies that there does not exist an efficiently computable isomorphism
  • Slide 11
  • 11 Definition4 coXDH Assumption: Let and be the XDH group and let be a bilinear map Let the mixed decisional Diffie-Hellman problem to distinguish between the tuples of the form and where are random elements of The coXDH assumption means that the mixed DDH problem is intractable in the XDH setting.
  • Slide 12
  • 12 Search on Encrypted Data Alice Storage Server D 1, D 2, , D n C 1,C 2,C i Encryption(K,D i ={W i,1 W i,m }) Later, Alice wants to retrieve only some of documents containing some specific keywords. Trapdoor(K,{ j 1,..},{W 1,}) Test(T, C i ) = True if Ci contains W Test(T,C i ) = False otherwise Alice decrypts C i
  • Slide 13
  • 13 CKSE algorithm: keyGen : run by the user to setup the scheme take a security parameter,it determines XDH group and of a prime order p, where is kept in private. return a secret key
  • Slide 14
  • 14 Enc : run by the user to generate searchable ciphertexts take a secret key and a document. Let for Let be a value chosen uniformly at random from, return a ciphertext as follow:
  • Slide 15
  • 15 Trapdoor : run by the user to generate a trapdoor take a secret key,keyword field Indices and keywords as inputs.Let be a value chosen uniformly at random from return a trapdoor vale
  • Slide 16
  • 16 Test : run by the server in order to search for the documents containing some specific keywords take a trapdoor and a ciphertext Let and For all,the algorithm checks if the following equality holds: If so, it return true. Otherwise, it return false
  • Slide 17
  • 17 Outline Motivating Scenario and model of document Conjunctive Keyword Searchable Encryption (CKSE) Definition Assumption Construction Security Notion Secutity Analysis
  • Slide 18
  • 18 Security Notion Define the security notion of CKSE in the sense of semantic-security using the following experiment : 1. Challenger chooses a set of secret keys for the user by executing KeyGen algorithm. 2. Attacker A can ask challenger for the trapdoor and encryption of its own choice. 3. A chooses two documents D 0,D 1, (none of trapdoor for D 0,D 1 is given in the step 2). The challenger generates a random coin and gives A a challenge The goal of A is to decide such that
  • Slide 19
  • 19 4. A may ask continuously for the trapdoor and the encryption of its choice. (not allowed to ask for the trapdoor and the encryption of D 0,D 1, as before ) 5. A output The advantage of A in breaking the CKSE scheme is defined as in a security parameter
  • Slide 20
  • 20 Outline Motivating Scenario and model of document Conjunctive Keyword Searchable Encryption (CKSE) Definition Assumption Construction Security Notion Secutity Analysis
  • Slide 21
  • 21 Secutity Analysis Theorem1 The CKSE scheme for conjunctive keyword searchable encryption is semantically secure against adaptive chosen-keyword attacks in the random oracle model under the external co- Diffie-Hellman assumption (coXDH).
  • Slide 22
  • 22 Secutity Analysis (proof) Suppose: A breaks the CKSE scheme with advantage by making at most hash queries, trapdoor queries, and encryption queries. Goal: We then show a construction of an algorithm O that uses A as a subroutine and breaks coXDH assumption with non-negligible advantage where is the base of natural logarithm. Let be an instance of coXDH problem. O is to decide whether c= ab
  • Slide 23
  • 23 (step) KeyGen HashQueries TrapdoorQueries EncQueries ChallengeQueries MoreQueries Output
  • Slide 24
  • 24 KeyGen: O chooses a random value and sets as its own secret key. HashQueries: O maintains a list of tuples called the H-list. The list is initially empty. When A issues a hash query for a keyword O responds as follows:
  • Slide 25
  • 25 If exists on the H-list then O responding with the previous queries Otherwise,O generates a random coin so that,and then O chooses a random value 1. If O computes 2. If O computes O adds the tuple to the H-list and answers with
  • Slide 26
  • 26 TrapdoorQueries: A issues a trapdoor query of some keyword and then O execute the above H algorithm. O responds as follows: If all on the tuple are not 1,termminate. Otherwise,O chooses a random value and answer with a trapdoor as follow:
  • Slide 27
  • 27 ChallengeQueries : A submits a pair of challenge documents and O execute the above random oracle algorithm, then O produces a challenge as follows: If both and for all are not 0,terminate. If both and for all are equal to 0,O generate a random coin If only one is equal to 0 then no randomness is needed. O responds with the challenge
  • Slide 28
  • 28 EncQueries : A issues a document O execute above H algorithm. O responds as follow: If all on the tuples are not 1, then terminates. Otherwise, O chooses a random value and then answers with
  • Slide 29
  • 29 MoreQueries: A performs additional trapdoor queries or Enc queries after the challenge query, O responds to these queries in the same way before.
  • Slide 30
  • 30 Output: A output a bit of its guess. If, O guesses that is an instance of mixed DDH tuple. Otherwise, O guesses it is a random tuple.
  • Slide 31
  • 31 The probability of O against the mixed DHH challenge Let NF be the event of that O does not fail during the above experiment. NFT, O does not fail during the TrapdoorQueries NFE, O does not fail during the EncQueries NFC, O does not fail during the ChallengeQueries NF=NFT NFE NFC
  • Slide 32
  • 32 Pr[NFT] = Pr[NFE] = Pr[NFC] = for b = 0,1 and both and are independent of As view. Pr[ NF = NFT NFE NEC ] = The advantage of A against our CKSE scheme is The success probability of the O is
  • Slide 33
  • 33