searchable symmetric encryption :improved definitions and efficient constructions reza curtmola juan...

Searchable Symmetric Encryption :Improved Definitions

and Efficient ConstructionsReza Curtmola Juan Garay

Seny Kamara Rafail Ostrovsky

OUTLINE

• Searchable Symmetric Encryption

• Revisiting SSE security definitions

• SEE-1(non-adaptive)

• SEE-2(adaptive)

• Multi-user Searchable Encryption

• 證明

Revisiting SSE security definitions

• “A secure SSE scheme should not leak anything beyond the outcome of a search”– “search outcome”: memory addresses of documents

that contain a hidden keyword– Important to note: different keyword requests may lead

to the same search outcome– “search pattern”: whether two queries were for the

same keyword or not

• A (slightly) better intuition– “A secure SSE scheme should not leak anything

beyond the outcome and the pattern of a search”

SSE Algorithms

• Keygen(1k): outputs symmetric key K (by user)• BuildIndex(K, {D1, ..., Dn}): outputs secure index

I (by user)• Trapdoor(K, w): outputs a trapdoor Tw (by user)• Search(I, Tw): outputs identifiers of documents

containing w (id1, ..., idm) (by server)

SSE

• client can upload additional “encrypted” data structures to help search

Index

Keyword server

Our model

• History: documents and keywords

• View: encrypted documents, index, trapdoors

• Trace: length of documents, search outcomes, search pattern

Our intuition• Previous intuition

– “A secure SSE scheme should not leak anything beyond the outcome and the pattern of a search”

• A more “formal intuition”– “any function about the documents and the

keywords that can be computed from the encrypted documents, the index and the trapdoors can be computed from the length of the documents, the search outcomes and the search pattern

What is adaptiveness?• Non-adaptive :adversaries make search

queries without seeing the outcome of previous searches

• Adaptive :adversaries can make search queries as a function of the outcome of previous searches

• (Note)The user may or may not generate its word queries depending on the outcome of previous searches

• We call queries that do depend on previous search outcomes adaptive

Non-Adaptive Adaptive (new)

[SWP00,Goh03,CM05,...]

SI

w1 w2 w3 w4

SI

w2

w1

w3

Non-adaptive SSE construction

Server

Index

Keyword Trapdoor

DidDid

• Index是由 2 種 data structure製作 -Array A and look-up table T

Did• Li

• T

<address,value>

|△|

|D(w)|

一些符號定義• Let △= {w1, . . . ,wd} be a dictionary of d

words, and 2△ be the set of all possible documents.

• let ⊆2 △be a collection of n documents = (D1, . . . ,Dn) and 2 2△

be the set of all possible document collections. Let id(D) be the identifier of document D

• D(w) (the set of identifiers of documents containing w) as the outcome of a search for w and to the sequence (D(w1), . . . ,D(wn)) as the access pattern of a client

Example• D={D1,D2,D3},w={w1,w2,…,w5}

• 假設 D(w1)={D1,D3},D(w2)={D1,D2},

D(w3)={D2,D3},D(w4)={D1},D(w5)={D2}

• 建立 index

• A: T:

W5 <1,6>

W2 <2,3>

W4 <3,0>

W3 <4,5>

W1 <5,1>

0 1 2 3

4 5 6 7

D3||null D2||4 D2||null D2||null

D1||null D1||2 D3||null D1||7

• Seaching:

• P: Pseudo Random Permutation

• F: Pseudo Random Function

addr = P(w3)

key = F(w3)

Trapdoor = (addr, key)=(4,5) => D2,D3

Adaptive SSE construction

比較

Secure updates

• 新舊 document collection combine後重新建立 index,因此得到新的 document collection and 新的 index

Multi-user Searchable Encryption• 由 6 個 polynomial-time algorithms組成• MKeygen(1k) is a probabilistic key generation

algorithm that is run by the owner O to setup the scheme.It takes a security parameter k, and returns an owner secret key, KO.

• MBuildIndex(KO,D) is run by O to construct indexes. It takes the owner’s secret key KO and a document collection D as inputs, and returns an index I.

• N:a set of users GN:the set of users allowed to search

• AddUser(KO,U) is run by O whenever it wishes to add a user to the group G. It takes the owner’s secret key KO and a user U as inputs, and returns U’s secret key, KU

• RevokeUser(KO,U) is run by O whenever it wishes to revoke a user from G. It takes the owner’s secret key KO and a user U as inputs, and revokes the user’s searching privileges

• MTrapdoor(KU,w) is run by a user (including O) in order to generate a trapdoor for a given word. It takes a user U’s secret key KU and a word w as inputs, and returns a trapdoor TU,w

• MSearch(ID, TU,w) is run by the server S in order to search for the documents in D that contain word w. It takes the index ID for collection D and the trapdoor TU,w for word w as inputs, and returns D(w) if user U G and if user U G

證明

• proof:由紀銘偉大大白板講解