how to keyword-search securely in cloud storage service kaoru kurosawa ibaraki university, japan...
TRANSCRIPT
![Page 1: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/1.jpg)
How to Keyword-Search Securely in Cloud Storage Service
Kaoru Kurosawa Ibaraki University, Japan
ICISC 2014, Dec. 3-5, Chung-Ang University, Korea
![Page 2: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/2.jpg)
Cloud Storage Serviceis now available
Service Provider
Amazon S3/Cloud Drive Amazon
Google Drive Google
OneDrive Microsoft
iCloud Apple
Dropbox Dropbox
and many more
![Page 3: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/3.jpg)
We know that
• we should store encrypted documents.• Then, we cannot even do keyword search.
3
![Page 4: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/4.jpg)
A Searchable Symmetric Encryption(SSE) scheme
• solves this problem.• It consists of a store phase and a search phase.
4
![Page 5: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/5.jpg)
In the store phase,
• A client stores the encrypted files (or documents) and the encrypted Index on the server
Client Server
E(D1), , E(D⋯ N) E(Index)
5
![Page 6: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/6.jpg)
In the search phase,
• The client sends an encrypted keyword to the server
Client Server
E(keyword)
6
![Page 7: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/7.jpg)
The server somehow returns
• The encrypted files E(D3), E(D6), E(D10)
which contain the keyword
Client Server
E(keyword)
E(D3), E(D6), E(D10)
7
![Page 8: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/8.jpg)
So the client can
• retrieve some of the encrypted files• which contain a specific keyword,• keeping the keyword secret
Client Server
E(keyword)
E(D3), E(D6), E(D10)
8
![Page 9: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/9.jpg)
SSE has been studied by
• D.Song, D.Wagner, A.Perrig (2000)• Eu-Jin Goh (2003)• Golle, Staddon, Waters (2004)• Y.Chang and M.Mitzenmacher (2005)• Curtmola, Garay, Kamara and Ostrovsky (2006)• Peishun Wang, Huaxiong Wang, Josef Pieprzyk (2008)• Kamara, Papamanthou an Roeder (2012)• Cash, Jarecki, Jutla, Krawczyk, Rosu, Steiner (2013)• Cash and Tessaro (2014)
9
![Page 10: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/10.jpg)
In this talk,
• UC-Secure Searchable Symmetric Encryption
• How to Update Documents Verifiably in Searchable Symmetric Encryption
• Garbled Searchable Symmetric Encryption
10
![Page 11: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/11.jpg)
First
• UC-Secure Searchable Symmetric Encryption, Kaoru Kurosawa and Yasuhiro Ohtaki (FC 2012)
11
![Page 12: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/12.jpg)
By Passive Attack
• A server tries to break the privacy:• she tries to find • the keyword and the documents
Client Server
E(keyword)
E(D3), E(D6), E(D10)
Malicious
12
![Page 13: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/13.jpg)
By Active Attack• A server tries to break the reliability:• she tries to forge and delete some files,• or replace E(D3) with another E(D100).
Client Server
E(keyword)
E(D3), E(D6), E(D10)E(D100)
Malicious
13
![Page 14: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/14.jpg)
Curtmola, Garay, Kamara and Ostrovsky (2006)
• showed a rigorous definition of security against passive attacks (privacy.)• They also presented a scheme which satisfies their definition.
14
![Page 15: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/15.jpg)
At FC 2012
Privacy Curtmola et al.Reliability Our paperUC security Our paper
15
We studied
and proved that Privacy + Reliability = UC security
![Page 16: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/16.jpg)
Curtmola et al.
keyword DocumentsAustin D3, D6, D10
Boston D8, D10
Washington D1, D4, D8
Showed an SSE scheme such as follows.
Consider the following “Index”
Index16
![Page 17: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/17.jpg)
The client first constructs E(Index) • as follows.• He chooses a pseudorandom permutation π.
= E(Index)
17
π(1)π(2)π(3)
…
![Page 18: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/18.jpg)
He next computes • π(Austin, 1), π(Austin, 2) and π(Austin, 3),• Writes the indexes (3, 6, 10) in these addresses
3
6
10
Address
π(Austin, 1)
π(Austin, 2)
π(Austin, 3) E(Index)
18
![Page 19: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/19.jpg)
Do the same for each keyword
3
6
10
8
10
Address
π(Austin, 1)
π(Austin, 2)
π(Austin, 3)
π(Boston, 1)
π(Boston, 2)
E(Index)
19
![Page 20: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/20.jpg)
In the store phase,
• The client stores this E(Index) and the ciphertext of each file to the server
Client Server
E(Index) E(D1), , E(D⋯ N)
20
![Page 21: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/21.jpg)
In the search phase,
• The client sends a trapdoor information
Client Server
t(Austin)=( π(Austin, 1), π(Austin, 2), π(Austin, 3) )
3
6
10
8
10
E(Index)
21
![Page 22: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/22.jpg)
The server findsthe corresponding indexes
Client Server
π(Austin, 1), π(Austin, 2), π(Austin, 3)
3
6
10
8
10
E(Index)22
![Page 23: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/23.jpg)
and returns
Client Server
π(Austin, 1), π(Austin, 2), π(Austin, 3)
E(D3), E(D6), E(D10)
3
6
10
8
10
E(Index)23
![Page 24: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/24.jpg)
This scheme
• Is secure against passive attacks.• But it is not secure against active attacks.
24
![Page 25: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/25.jpg)
This scheme
• Is secure against passive attacks.• But it is not secure against active attacks.
• We will show how to make this scheme verifiable.
25
![Page 26: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/26.jpg)
A naive approach is to add MAC to each E(Di)
Client Server
π(Austin, 1), π(Austin, 2), π(Austin, 3)
E(D3), MAC(E(D3)),E(D6), MAC(E(D6)),E(D10), MAC(E(D10))
The server returnsthese files together with their MACs 26
![Page 27: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/27.jpg)
But a malicious server will
Client
π(Austin, 1), π(Austin, 2), π(Austin, 3)
E(D3), MAC(E(D3)),E(D6), MAC(E(D6)),E(D10), MAC(E(D10))
Malicious
Replace some pair with another pairof (file, MAC)
E(D100), MAC(E(D100))
27
![Page 28: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/28.jpg)
The client cannot detect this cheating
Client
π(Austin, 1), π(Austin, 2), π(Austin, 3)
E(D3), MAC(E(D3)),E(D6), MAC(E(D6)),E(D10), MAC(E(D10))
Malicious
Because this is a valid pairof MAC
E(D100), MAC(E(D100))
28
![Page 29: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/29.jpg)
In our verifiable scheme
π(Austin, 1)
So the server returns E(D3), Tag3=MAC(π(Austin, 1), E(D3))
We include π(Austin, 1) in the input of MAC
29
![Page 30: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/30.jpg)
This method works
π(Austin, 1)
E(D3),
Tag3=MAC(π(Austin, 1), E(D3))
Because the MAC authenticates the whole communication
30
![Page 31: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/31.jpg)
At the store phase,• The client writes such MAC values in E(Index)
3, tag3=MAC( π(Austin, 1), E(D3) )
6, tag6=MAC( π(Austin, 2) , E(D6) )
10, tag10=MAC( π(Austin, 3) , E(D10) )
π(Austin, 1)
π(Austin, 2)
π(Austin, 3)
E(Index)
31
![Page 32: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/32.jpg)
For a query π(Austin, 1)E(Index)
π(Austin, 1)
π(Austin, 1)
The server returns E(D3) and Tag3
3, tag3=MAC( π(Austin, 1), E(D3) )
6, tag6=MAC( π(Austin, 2) , E(D6) )
10, tag10=MAC( π(Austin, 3) , E(D10) )
32
![Page 33: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/33.jpg)
The client checks the validity of
π(Austin, 1)
tag3=MAC( π(Austin, 1), E(D3) )
E(D3)
33
![Page 34: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/34.jpg)
We next consider
• the definition of security.• The security against active attacks consists of privacy and reliability• We define privacy similarly to Curtmola et al. as follows.
34
![Page 35: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/35.jpg)
Minimum Leakage
In the store phase,
E(D1), , E(D⋯ N), E(Index)
the server learns |D1|, …, |DN| and |{keywords}|
35
![Page 36: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/36.jpg)
In the search phase,
This means that the server knows the corresponding indexes {3, 6, 10}
For t(keyword),the server returns
t(keyword)
C(keyword)=( E(D3), E(D6), E(D10) )Tag
36
![Page 37: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/37.jpg)
We call
these information• |D1|, …, |DN| and |{keywords}|• corresponding indexes {3, 6, 10}
The minimum leakage
37
![Page 38: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/38.jpg)
The Privacy definition
• requires that the server should not be able to learn any more information
38
![Page 39: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/39.jpg)
The Privacy definition
• requires that the server should not be able to learn any more information• To formulate this, we consider a real game and a simulation game
39
![Page 40: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/40.jpg)
In the Real Game
D = {D1, …, DN}W={set of keywords}Index
Distinguisher
C= { E(D1), , E(D⋯ N) } I= E{ Index }
Challenger
40
![Page 41: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/41.jpg)
In the search phase
keyword
Distinguisher
t(keyword)
Challenger
41
![Page 42: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/42.jpg)
Repeat
keyword
Distinguisher
t(keyword)
Challenger
42
![Page 43: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/43.jpg)
Finally
keyword
Distinguisher
t(keyword)
Challenger
b=0 or 1
43
![Page 44: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/44.jpg)
In the Simulation Game
D = {D1, …, DN}W={set of keywords}Index
Distinguisher
Somehow computes the ciphertexts C= { E(D1), , E(D⋯ N) } I= E{ Index }
ChallengerSimulator
the minimum leakage|D1|, …, |DN| and |{keywords}|
44
![Page 45: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/45.jpg)
In the search phase,
keyword
Distinguisher
Somehow computes t(keyword)
ChallengerSimulator
the minimum leakage {3, 6, 10}
45
![Page 46: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/46.jpg)
Repeat
keyword
Distinguiher
Somehow computes t(keyword)
ChallengerSimulator
{3, 6, 10}
46
![Page 47: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/47.jpg)
Finally
keyword
Distinguisher
t(keyword)
ChallengerSimulator
{3, 6, 10}
b=0 or 1
47
![Page 48: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/48.jpg)
We say that
• Privacy is satisfied if• there exists a simulator such that
the real game ≈ the simulation game
48
![Page 49: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/49.jpg)
This Def. of privacy
• Was given by Curtmola et al.
• But it looks artificial.• Who is the distinguisher ?
49
![Page 50: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/50.jpg)
Server ? No. Client ? No.
D = {D1, …, DN}W={set of keywords}Index
Distinguisher
C= { E(D1), , E(D⋯ N) } I= E{ Index }
Challenger
50
![Page 51: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/51.jpg)
This question will be resolved
• When we consider UC security.
• From a view point of UC security, this is a very natural Def. of privacy.• We will come back to this point later.
51
![Page 52: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/52.jpg)
The client sends
t(keyword)
The honest server returns C(keyword)={E(D3), E(D6), E(D10)} Tag
Next Reliability
52
![Page 53: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/53.jpg)
We say that
Reliability is satisfied if no server can forge (C(keyword)*, Tag*)such that C(keyword)* ≠ C(keyword)
53
![Page 54: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/54.jpg)
By the way,
Even if a protocol Σ is secure in stand-alone,it may not be secure • if Σ is executed concurrently,
• Or if Σ is a part of a large protocol
Client 1
Client 2
Server
54
Σ
Σ
![Page 55: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/55.jpg)
Universal Composability (UC)
Is a framework which guarantees that • A protocol Σ is secure• Even if it is executed concurrently, and• Even if it is a part of a large protocol
55
![Page 56: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/56.jpg)
The notion of UC
• was introduced by Canetti.• He proved that UC-security is maintained under a general protocol composition.
56
![Page 57: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/57.jpg)
We formulated the UC security
• of verifiable SSE scheme.• To do so, we defined the ideal functionality FvSSE
as follows.
57
![Page 58: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/58.jpg)
In the ideal world,
dummyClient
Ideal Functionality
FvSSE
Environment
Z
D={D1, …, DN} W={set of keywords}Index
58
![Page 59: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/59.jpg)
The dummy client relays them to FvSSE
dummyClient
Ideal Functionality
FvSSE
Environment
Z
D={D1, …, DN} W={set of keywords}Index
D={D1, …, DN} W={set of keywords}Index 59
![Page 60: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/60.jpg)
FvSSE keeps them
dummyClient
Ideal Functionality
FvSSE
Environment
Z
D={D1, …, DN} W={set of keywords}Index
UC adversary
S
60
![Page 61: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/61.jpg)
and sends the minimum leakage
dummyClient
Ideal Functionality
FvSSE
Environment
Z
D={D1, …, DN} W={set of keywords}Index
UC adversary
S
|D1|, …, |DN||{keywords}|
61
![Page 62: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/62.jpg)
In the search phase
dummyClient
Ideal Functionality
FvSSE
Environment
Z
keyword
UC adversary
S
62
![Page 63: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/63.jpg)
The dummy client relays it to FvSSE
dummyClient
Ideal Functionality
FvSSE
Environment
Z
keyword
keyword
UC adversary
S
63
![Page 64: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/64.jpg)
FvSSE sends the minimum leakage
dummyClient
Ideal Functionality
FvSSE
Environment
Z
keyword
keyword
UC adversary
S
{3,6,10}
64
D={D1, …, DN} W={set of keywords}Index
![Page 65: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/65.jpg)
The UC adversary S returns
dummyClient
Ideal Functionality
FvSSE
Environment
Z
keyword
keyword
UC adversary
S
{3,6,10} Accept or Reject
65
D={D1, …, DN} W={set of keywords}Index
![Page 66: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/66.jpg)
If S returns Reject,
dummyClient
Ideal Functionality
FvSSE
Environment
Z
keyword
keyword
UC adversary
S
{3,6,10} Reject
66
![Page 67: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/67.jpg)
FvSSE sends Reject to the dummy client
dummyClient
Ideal Functionality
FvSSE
Environment
Z
keyword
keyword
UC adversary
S
{3,6,10} Reject
Reject
67
![Page 68: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/68.jpg)
The dummy client relays it to Z
dummyClient
Ideal Functionality
FvSSE
Environment
Z
keyword
keyword
UC adversary
S
{3,6,10} Reject
Reject
Reject
68
![Page 69: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/69.jpg)
If S returns Accept,
dummyClient
Ideal Functionality
FvSSE
Environment
Z
keyword
keyword
UC adversary
S
{3,6,10} Accept
69
D={D1, …, DN} W={set of keywords}Index
![Page 70: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/70.jpg)
FvSSE sends {D3,D6,D10}
dummyClient
Ideal Functionality
FvSSE
Environment
Z
keyword
keyword
UC adversary
S
{3,6,10} Accept
{D3,D6,D10}
70
D={D1, …, DN} W={set of keywords}Index
![Page 71: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/71.jpg)
The dummy client relays them to Z
dummyClient
Ideal Functionality
FvSSE
Environment
Z
keyword
keyword
UC adversary
S
{3,6,10} Accept
{D3,D6,D10}
{D3,D6,D10}
71
![Page 72: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/72.jpg)
This is an ideal world
Because(Correctness.) The dummy client receives {D3,D6,D10} correctly,
or outputs Reject.(Security.) The UC adversary S learns only the minimum leakage.
72
![Page 73: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/73.jpg)
Further S can corrupt
dummyClient
Ideal Functionality
FvSSE
Environment
ZUC adversary
S
dummyServer
73
corruptcorrupt
![Page 74: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/74.jpg)
Also Z can interact with S freely
dummyClient
Ideal Functionality
FvSSE
Environment
ZUC adversary
S
dummyServer
74
corruptcorrupt
![Page 75: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/75.jpg)
Z finally outputs 0 or 1
dummyClient
Ideal Functionality
FvSSE
Environment
ZUC adversary
S
dummyServer
75
corruptcorrupt
![Page 76: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/76.jpg)
In the real world
Client Server
Environment
Z
D={set of documents} W={set of keywords}Index
76
![Page 77: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/77.jpg)
Client Server
Environment
Z
D, W, Index
Then the client and the server runthe store phase.
77
![Page 78: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/78.jpg)
In the search phase
Client Server
Environment
Z
keyword
78
![Page 79: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/79.jpg)
Client Server
Environment
Z
keyword The client and the server run the search phase
79
![Page 80: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/80.jpg)
Then the client sends D3, D6, D10 to Z
Client Server
Environment
Z
keywordD3, D6, D10
80
![Page 81: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/81.jpg)
An adversary A can corrupt
Client Server
Environment
ZAdversary
A
81
corruptcorrupt
![Page 82: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/82.jpg)
Further Z can interact with A freely
Client Server
Environment
ZAdversary
A
82
corruptcorrupt
![Page 83: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/83.jpg)
Z finally outputs 0 or 1
Client Server
Environment
ZAdversary
A
83
corruptcorrupt
![Page 84: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/84.jpg)
We say that
• A verifiable SSE scheme is UC-secure if for any adversary A, there exists a UC-adversary S such that the real world ≈ the ideal world.
84
![Page 85: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/85.jpg)
Equivalence
(Our Theorem) A verifiable SSE scheme is UC-secure if and only if it satisfies privacy and reliability
Herewe consider non-adaptive adversaries.
85
![Page 86: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/86.jpg)
Proof
86
Client Server
Environment
ZAdversary
Akeyword Documents
Austin D3, D6, D10
Boston D8, D10
Washington D1, D4, D8
D, W,
In the real world,
![Page 87: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/87.jpg)
The client sends
Client Server
Environment
ZAdversary
A
87
keyword Documents
Austin D3, D6, D10
Boston D8, D10
Washington D1, D4, D8
These ciphertexts E(D1), …, E(D10), E(Index)
D, W,
![Page 88: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/88.jpg)
Suppose that the adversary A
Client Server
Environment
ZAdversary
A
88
keyword Documents
Austin D3, D6, D10
Boston D8, D10
Washington D1, D4, D8
E(D1), …, E(D10), E(Index)
corruptsD, W,
![Page 89: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/89.jpg)
And sends these ciphertexts to Z
Client Server
Environment
ZAdversary
A
89
keyword Documents
Austin D3, D6, D10
Boston D8, D10
Washington D1, D4, D8
E(D1), …, E(D10), E(Index)
corrupts
E(D1), …, E(D10), E(Index)
D, W,
![Page 90: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/90.jpg)
In the Real Game of Privacy
D, W, Index
Distinguisher
C= { E(D1), , E(D⋯ N) } I= E{ Index }
Challenger
90
![Page 91: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/91.jpg)
In the UC framework, let
Client Server
Environment ZAdversary
A
91
E(D1), …, E(D10), E(Index)
corrupts
E(D1), …, E(D10), E(Index)
challenger
D, W, Index
distinguisher
![Page 92: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/92.jpg)
Equivalent to the real game of privacy
Client Server
Environment ZAdversary
A
92
E(D1), …, E(D10), E(Index)
corrupts
E(D1), …, E(D10), E(Index)
challenger
D, W, Index
distinguisher
![Page 93: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/93.jpg)
In the ideal world
dummyClient
Ideal Functionality
FvSSE
Environment
ZUC adversary
S
|D1|, …, |DN||{keywords}|
93
relay
D, W, Index
![Page 94: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/94.jpg)
S must be able to send
dummyClient
Ideal Functionality
FvSSE
Environment
ZUC adversary
S
|D1|, …, |DN||{keywords}|
94
relay
E(D1), …, E(D10), E(Index)
D, W, Index
![Page 95: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/95.jpg)
In the Simulation Game of Privacy
D = {D1, …, DN}W={set of keywords}Index
Distinguisher
Somehow computes C= { E(D1), , E(D⋯ N) } I= E{ Index }
ChallengerSimulator
the minimum leakage|D1|, …, |DN| and |{keywords}|
95
![Page 96: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/96.jpg)
In the UC framework, let
dummyClient
Ideal Functionality
FvSSE
Environment Z UC adversary S
|D1|, …, |DN||{keywords}|
96
relay
E(D1), …, E(D10), E(Index)
challenger
D, W, Index
distinguisher simulator
![Page 97: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/97.jpg)
Equivalent to the Sim. game of privacy
dummyClient
Ideal Functionality
FvSSE
Environment Z UC adversary S
|D1|, …, |DN||{keywords}|
97
relay
E(D1), …, E(D10), E(Index)
challenger
D, W, Index
distinguisher simulator
![Page 98: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/98.jpg)
The proof of the equivalence
• proceeds in this way.
98
![Page 99: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/99.jpg)
The proof of the equivalence
• proceeds in this way.
• At the first glance, the Def. of privacy looked artificial.• But as we have seen now, it is very natural from a view point of UC
99
![Page 100: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/100.jpg)
Lesson
• SSE is a good example to understand the notion of UC security.
100
![Page 101: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/101.jpg)
Theorem
• Our scheme satisfies privacy and reliability• if E is CPA secure and MAC is unforgeable
101
![Page 102: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/102.jpg)
Corollary
• Our scheme is UC-secure.
102
![Page 103: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/103.jpg)
Next
• How to Update Documents Verifiably in Searchable Symmetric Encryption,
Kaoru Kurosawa and Yasuhiro Ohtaki (CANS 2013)
103
![Page 104: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/104.jpg)
Kamara, Papamanthou and Roeder (2012)
• showed a dynamic SSE scheme such that
the client can add, delete and modify the documents.
• However, their scheme is not verifiable.
![Page 105: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/105.jpg)
Our contribution
Verifiabile DynamicCurtmola et al. X XOur FC 2012 scheme O XKamara et al. X OOur scheme of CANS 2013
O O
![Page 106: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/106.jpg)
First we show
• A more efficient SSE cheme than Curtmola et al. and• A more efficient verifiable SSE scheme than our FC 2012 scheme
![Page 107: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/107.jpg)
Consider this example
D1 D2 D3 D4 D5Austin 1 0 1 0 1Boston 0 1 0 1 0Washington
1 1 1 0 0
![Page 108: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/108.jpg)
In our SSE scheme
E(D1) E(D2) E(D3) E(D4) E(D5)PRF(Austin) ( 1 0 1 0 1)PRF(Boston) ( 0 1 0 1 0)PRF(Washington)
( 1 1 1 0 0)
The client computes
where PRF means pseudorandom function.
![Page 109: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/109.jpg)
and adds
E(D1) E(D2) E(D3) E(D4) E(D5)PRF(Austin) ( 1 0 1 0 1)PRF(Boston) ( 0 1 0 1 0)PRF(Washington)
( 1 1 1 0 0)
+PRF’(Austin)+PRF’(Boston)
+PRF’(Washington)
![Page 110: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/110.jpg)
The client stores this table
E(D1) E(D2) E(D3) E(D4) E(D5)PRF(Austin) ( 1 0 1 0 1)PRF(Boston) ( 0 1 0 1 0)PRF(Washington)
( 1 1 1 0 0)
+PRF’(Austin)+PRF’(Boston)
+PRF’(Washington)
The server
![Page 111: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/111.jpg)
In the search pahse,
E(D1) E(D2) E(D3) E(D4) E(D5)PRF(Austin) ( 1 0 1 0 1)PRF(Boston) ( 0 1 0 1 0)PRF(Washington)
( 1 1 1 0 0)
+PRF’(Austin)+PRF’(Boston)
+PRF’(Boston)
The client sends
![Page 112: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/112.jpg)
The server decrypts (10101)
E(D1) E(D2) E(D3) E(D4) E(D5)PRF(Austin) ( 1 0 1 0 1)PRF(Boston) ( 0 1 0 1 0)PRF(Washington)
( 1 1 1 0 0)
+PRF’(Austin)+PRF’(Boston)
+PRF’(Boston)
![Page 113: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/113.jpg)
and returns E(D1), E(D3) and E(D5)
E(D1) E(D2) E(D3) E(D4) E(D5)PRF(Austin) ( 1 0 1 0 1)PRF(Boston) ( 0 1 0 1 0)PRF(Washington)
( 1 1 1 0 0)
+PRF’(Austin)+PRF’(Boston)
+PRF’(Boston)
![Page 114: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/114.jpg)
In our verifiable SSE scheme,
E(D1) E(D2) E(D3) E(D4) E(D5)PRF(Austin) ( 1 0 1 0 1)PRF(Boston) ( 0 1 0 1 0)PRF(Washington)
( 1 1 1 0 0)
+PRF’(Austin)+PRF’(Boston)
+PRF’(Boston)
the client stores this table
together with TagA=MAC( PRF(Austin), E(D1), E(D3), E(D5) ) TagB=MAC(PRF(Boston), E(D2), E(D4)) TagW=MAC(PRF(Washington), E(D1), E(D2), E(D3))
![Page 115: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/115.jpg)
In our verifiable SSE scheme,
E(D1) E(D2) E(D3) E(D4) E(D5)PRF(Austin) ( 1 0 1 0 1)PRF(Boston) ( 0 1 0 1 0)PRF(Washington)
( 1 1 1 0 0)
+PRF’(Austin)+PRF’(Boston)
+PRF’(Boston)
the client stores this table
where TagA=MAC( PRF(Austin), E(D1), E(D3), E(D5) )
and so on
![Page 116: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/116.jpg)
In the search phase,
E(D1), E(D3), E(D5 ), TagA
PRF(Austin) and PRF’(Austin)
![Page 117: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/117.jpg)
The client accepts if
E(D1), E(D3), E(D5 ),
TagA=MAC(PRF(Austin), E(D1), E(D3), E(D5 ))
PRF(Austin) and PRF’(Austin)
![Page 118: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/118.jpg)
Theorem
• The above verifiable SSE scheme satisfies privacy and reliability if E is CPA-secure, PRF and PRF’ are psuedorandom functions and MAC is unforgeable.
![Page 119: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/119.jpg)
Now suppose that
E(D1) E(D2) E(D3) E(D4) E(D5)PRF(Austin) ( 1 0 1 0 1)PRF(Boston) ( 0 1 0 1 0)PRF(Washington)
( 1 1 1 0 0)
+PRF’(Austin)+PRF’(Boston)
+PRF’(Boston)
The client wants to modify D1 to D′1
D1 contains Austin and Washington
![Page 120: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/120.jpg)
Therefore in the update phase
E(D1) E(D2) E(D3) E(D4) E(D5)PRF(Austin) ( 1 0 1 0 1)PRF(Boston) ( 0 1 0 1 0)PRF(Washington)
( 1 1 1 0 0)
+PRF’(Austin)+PRF’(Boston)
+PRF’(Boston)
the client must update E(D1) TagA
TagW
![Page 121: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/121.jpg)
We want to do this more efficiently
• In the proposed scheme,• we break this part (PRF(Austin), E(D1), E(D3), E(D5))
down to (PRF(Austin), 1,3,5) (1, E(D1)) … (5, E(D5))
![Page 122: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/122.jpg)
The client authenticates
• each piece separately
(PRF(Austin), 1,3,5) (1, E(D1)) … separately (5, E(D5))
![Page 123: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/123.jpg)
The last problem is
• How to timestamp on these (1, E(D1))
… (5, E(D5))
Remember that the client wants to update files.
![Page 124: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/124.jpg)
We can solve this problem by
• using any authentication scheme which has the timestamp functionality
such as– Merkle hash tree– Authenticated skip list– RSA accumulator (in this talk)
![Page 125: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/125.jpg)
Letx1 = H(1, E(D1)) x2 = H(2, E(D2)) x3 = H(3, E(D3)) x4 = H(4, E(D4)) x5 = H(5, E(D5))
A = g mod N(=pq)x1 x2 x3 x4 x5
For simplicity, suppose that x1 ~ x5 are primes.Then the client computes
and keeps A.
![Page 126: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/126.jpg)
In the search phase
Tag1 =MAC(PRF(Austin), 1,3,5)
y= gx2 ・ x4 mod N
(1,E(D1)), (3,E(D3)), (5,E(D5)),
PRF(Austin) and PRF’(Austin)
![Page 127: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/127.jpg)
In the search phase
Tag1 =MAC(PRF(Austin), 1,3,5)
y= gx2 ・ x4 mod N
(1,E(D1)), (3,E(D3)), (5,E(D5)),
PRF(Austin) and PRF’(Austin)
The client verifies that Tag1 =MAC(PRF(Austin), 1,3,5) A= yx1 ・ x3 ・ x5 mod N
![Page 128: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/128.jpg)
In the search phase
Tag1 =MAC(PRF(Austin), 1,3,5)
y= gx2 ・ x4 mod N
(1,E(D1)), (3,E(D3)), (5,E(D5)),
PRF(Austin) and PRF’(Austin)
The client verifies that Tag1 =MAC(PRF(Austin), 1,3,5) A= yx1 ・ x3 ・ x5 mod N ( = g x1 … x5 mod N )
![Page 129: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/129.jpg)
In the update phase,
• To modify D1 to D1’
• the client sends only (1, E(D1’))
to the server.
![Page 130: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/130.jpg)
He then updates A to
• where x1’= H(1, E(D1’))
A’= g mod N(=pq)x1’x2 x3 x4 x5
![Page 131: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/131.jpg)
To delete D1
• Modify D1 to D1’=delete.
![Page 132: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/132.jpg)
How to add files
• Please see the paper.
![Page 133: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/133.jpg)
We defined the UC security
• of verifiable dynamic SSE schemes
![Page 134: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/134.jpg)
We then proved that
• The proposed scheme is UC-secure against non-adaptive adversaries
• under the strong RSA assumption if
– E is CPA-secure– PRF and PRF’ are pseudorandom functions– H is a collision-resistant hash function
![Page 135: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/135.jpg)
Finally
• Garbled Searchable Symmetric Encryption Kaoru Kurosawa (FC 2014)
135
![Page 136: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/136.jpg)
So far,
• I have talked about single keyword search SSE schemes.
![Page 137: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/137.jpg)
Next
• I will talk about multiple keyword search SSE schemes.
![Page 138: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/138.jpg)
Golle, Staddon and Waters (2004)• showed a multiple keyword SSE scheme which has keyword fields.
From To SubjectD1 Keyword 1 Keyword 2 Keyword 4D2 Keyword 2 Keyword 1 Keyword 5D3 Keyword 3 Keyword 2 Keyword 6
![Page 139: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/139.jpg)
Golle, Staddon and Waters (2004)• A client can specify at most one keyword in each keyword field.
From To SubjectD1 Keyword 1 Keyword 2 Keyword 4D2 Keyword 2 Keyword 1 Keyword 5D3 Keyword 3 Keyword 2 Keyword 6
![Page 140: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/140.jpg)
In such a scheme, however,
• It’s hard to retrieve files which contain both Alice and Bob somewhere in the keyword fields
From To SubjectD1 Alice Bob Keyword 4D2 Bob Keyword 5 AliceD3 Keyword 3 Keyword 2 Keyword 6
![Page 141: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/141.jpg)
Wang et al. (2008)
• Showed a keyword field free SSE scheme• But it works only for AND search.
![Page 142: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/142.jpg)
Cash et al. (CRYPTO 2013)
• showed a keyword field free SSE scheme• which can support any search formula (in the random oracle model).
![Page 143: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/143.jpg)
However,
• the search formula is revealed to the server and• the search phase requires 2 rounds.
Search formula
Search phase Search formula secrecy
Wang et al. only AND 1 round No
Cash et al. Any 2 rounds No
![Page 144: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/144.jpg)
At FC 2014,
• I showed an SSE scheme such that even the search formula is kept secret.
Search formula
Search phase
Search formula secrecy
Wang et al. only AND 1 round NoCash et al. Any 2 rounds No Proposed Any 1 round Yes
![Page 145: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/145.jpg)
Also,
• it can support any search formula and• the search phase requires only 1 round.
Search formula
Search phase
Search formula secrecy
Wang et al. only AND 1 round NoCash et al. Any 2 rounds No Proposed Any 1 round Yes
![Page 146: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/146.jpg)
The proposed SSE scheme
• is based on Yao’s garbled circuit.
![Page 147: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/147.jpg)
Yao (1982) constructed
• A secure two-party protocol by using• a garbled circuit and an oblivious transfer.
Alice Bob
GC + OT
x y
f(x,y)
![Page 148: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/148.jpg)
Since then,
garbled circuits have found many applications: • multi-party secure protocols, • one-time programs,• KDM-security, • verifiable computation, • homomorphic computations• and others.
![Page 149: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/149.jpg)
The proposed scheme
• is the first application of garbled circuits to SSE
![Page 150: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/150.jpg)
A garbled circuit of f
• is an encoding garble(f) such that• one can compute f(X) • from garble(f) and label(X) without learning anything on f and X.
garble(f)label(X) f(X)
![Page 151: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/151.jpg)
However, if
• garble(f) or label(X) is reused, then some information on (f, X) is leaked.
garble(f)label(X) f(X)
![Page 152: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/152.jpg)
Recently
• Goldwasser et al. constructed a scheme such that garble(f) can be reused• I constructed a scheme such that label(X) can be reused and applied it to multiple keyword SSE
![Page 153: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/153.jpg)
High level overview of the proposed scheme
w1 w2 w3
D1 1 1 1D2 1 0 0
keywords
files
Consider this example.
![Page 154: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/154.jpg)
Let
w1 w2 w3
D1 (1 1 1)=X1
D2 (1 0 0)=X2
![Page 155: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/155.jpg)
The client computes
w1 w2 w3
D1 label(X1)D2 label(X2)
![Page 156: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/156.jpg)
The client also computes
PRF(w1) PRF(w2) PRF(w3)E(D1) label(X1)E(D2) label(X2)
![Page 157: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/157.jpg)
and sends
PRF(w1) PRF(w2) PRF(w3)E(D1) label(X1)E(D2) label(X2)
Server
![Page 158: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/158.jpg)
In the 1st search phase,
• Suppose that the client wants to search on f(w1,w2,w3)=w1 w⋀ 2 w⋀ 3
• He computes the garbled circuits of f: Γ1 for D1 and
Γ2 for D2.
![Page 159: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/159.jpg)
PRF(w1), …, PRF(w3) Γ1
Γ2
counter=1
The client sends
![Page 160: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/160.jpg)
PRF(w1), …, PRF(w3) Γ1
Γ2
counter=1
The server has this tablePRF(w1) PRF(w2) PRF(w3)
E(D1) label(X1)E(D2) label(X2)
![Page 161: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/161.jpg)
PRF(w1), …, PRF(w3) Γ1
Γ2
counter=1
The server computes f(X1) fromPRF(w1) PRF(w2) PRF(w3)
E(D1) label(X1)E(D2) label(X2)
counter=1, label(X1) Γ1 f(X1)=1
garbled circuit
![Page 162: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/162.jpg)
PRF(w1), …, PRF(w3) Γ1
Γ2
counter=1
Similarly she computes f(X2)PRF(w1) PRF(w2) PRF(w3)
E(D1) label(X1)E(D2) label(X2)
Γ2
counter=1 label(X2)
f(X2)=0
garbled circuit
![Page 163: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/163.jpg)
The server returns E(D1)
Since f(X1)=1 and f(X2)=0,
![Page 164: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/164.jpg)
In the 2nd search phase,
• Suppose that the client wants to search on g(w1,w2,w3)=w1 w⋁ 2 w⋁ 3
• He computes the garbled circuits of g: Δ1 for D1 and
Δ2 for D2.
![Page 165: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/165.jpg)
PRF(w1), …, PRF(w3)Δ1
Δ2
counter=2
The client sends
![Page 166: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/166.jpg)
and returns E(D1), E(D2)
The server computes g(X1)=g(X2)=1,
![Page 167: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/167.jpg)
Note that
• label(X1) is reused for Γ1 and Δ1
label(X1)Γ1
Δ1
f(X1)=1
g(X1)=1
![Page 168: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/168.jpg)
and
• label(X2) is reused for Γ2 and Δ2
label(X2)Γ2
Δ2
f(X2)=0
g(X2)=1
![Page 169: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/169.jpg)
More details
Bellare et al. (2012)defined Kurosawa( 2014)
extended them togarbling schemes extended garbling
schemesInput-circuit privacy label reusable privacy
![Page 170: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/170.jpg)
The difference is that
• counter is included • in the extended GC generation algorithm
(eGC.gen) and• in the extended GC evaluation algorithm
(eGC.eval)
![Page 171: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/171.jpg)
XOR
AND
1
OR
4
2
3
This is a Boolean circuit f
![Page 172: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/172.jpg)
1
4
2
3
This is the topological circuit f-
![Page 173: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/173.jpg)
Label.gen algorithm chooses
• 2 random strings (vi0, vi
1) for each wire i• such that the lsbs are different: • lsb(vi
0) ≠ lsb(vi1)
XOR
AND v1
0, v11
OR
v20, v2
1
v30, v3
1
v40, v4
1
![Page 174: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/174.jpg)
label(0000) is
XOR
AND v1
0, v11
OR
v20, v2
1
v30, v3
1
v40, v4
1
this vector.
![Page 175: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/175.jpg)
label(1111) is
XOR
AND v1
0, v11
OR
v20, v2
1
v30, v3
1
v40, v4
1
this vector.
![Page 176: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/176.jpg)
eGC.gen algorithm takes
XOR
AND v1
0, v11
OR
v20, v2
1
v30, v3
1
v40, v4
1
eGC.gen
counter
a boolean circuit fAll the strings
![Page 177: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/177.jpg)
and outputs a garbled circuit Γ
XOR
AND v1
0, v11
OR
v20, v2
1
v30, v3
1
v40, v4
1
eGC.gen
counter
Γa boolean circuit fAll the strings
![Page 178: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/178.jpg)
eGC.eval algorithm takes
v1
0
v20
v31
v41
eGC.eval
counter
the topological circuit f-label(0011),for example
GC Γ
![Page 179: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/179.jpg)
and outputs f(0,0,1,1)
v1
0
v20
v31
v41
eGC.eval
counter
the topological circuit f-label(0011),for example
GC Γ
f(0,0,1,1)
![Page 180: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/180.jpg)
Label reusable privacy (informal)
• Even if label(x1, …, xn) = (v1
x1, …, vnxn)
is reused for multiple garbled circuits Γ1, Γ2, …. ,
• no information on (x1, …, xn) and (f1,f2, … )
are leaked, where Γi is a garbled circuit of fi
![Page 181: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/181.jpg)
Our construction
• of the extended garbling scheme which satisfies label reusable privacy is the same as the usual construction of the garbling scheme except for that counter is included in the hash function H.
![Page 182: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/182.jpg)
For simplicity, consider f(x1,x2)
f(x1,x2)
v10, v1
1
v20, v2
1
Each input wire has two labels
![Page 183: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/183.jpg)
eGC.gen algorithm
computes• y00=H(counter, v1
0, v20) f(⊕ 0,0)
• y01=H(counter, v10, v2
1) f(⊕ 0,1)
• y10=H(counter, v11, v2
0) f(⊕ 1,0)
• y11=H(counter, v11, v2
1) f(⊕ 1,1)
![Page 184: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/184.jpg)
Note that
this part works as one-time pad
• y00=H(counter, v10, v2
0) f(⊕ 0,0)
• y01=H(counter, v10, v2
1) f(⊕ 0,1)
• y10=H(counter, v11, v2
0) f(⊕ 1,0)
• y11=H(counter, v11, v2
1) f(⊕ 1,1)
![Page 185: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/185.jpg)
Roughly speaking,
• the garbled circuit Γ is a random permutation of (y00, …, y11).
y00=H(counter, v10, v2
0) f(0,0)⊕
y01=H(counter, v10, v2
1) f(0,1)⊕
y10=H(counter, v11, v2
0) f(1,0)⊕
y11=H(counter, v11, v2
1) f(1,1)⊕
![Page 186: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/186.jpg)
More precisely
lsb(v10) lsb(v2
0) y00
lsb(v10) lsb(v2
1) y01
lsb(v11) lsb(v2
0) y10
lsb(v11) lsb(v2
1) y11
Construct this table
![Page 187: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/187.jpg)
If lsb(v10)=0,
0 lsb(v20) y00
0 lsb(v21) y01
1 lsb(v20) y10
1 lsb(v21) y11
then the 1st column is
![Page 188: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/188.jpg)
If lsb(v20)=1
0 1 y00
0 0 y01
1 1 y10
1 0 y11
then the 2nd column is
![Page 189: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/189.jpg)
Then permute the rows in such a way that (00) ~ (11) appear here
![Page 190: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/190.jpg)
0 0 y01
0 1 y00
1 0 y11
1 1 y10
The garbled circuit Γ is these 4 bits
![Page 191: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/191.jpg)
eGC.eval algorithm takes
counter
eGC.eval
label(11)= (v11, v2
1)
y01 =H(counter,v10, v2
1) f(01)⊕
y00 =H(counter, v10, v2
0) f(00)⊕
y11 =H(counter, v11, v2
1) f(11)⊕
y10 =H(counter, v11, v2
0) f(10)⊕
T he garbled circuit Γ
![Page 192: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/192.jpg)
Since lsb(v11)= 1 , lsb(v2
1)=0
counter
eGC.eval
y01 =H(counter,v10,v2
1) 0⊕
y00 =H(counter, v10, v2
0) 0⊕
y11 =H(counter, v11, v2
1) f(11)⊕
y10 =H(counter, v11, v2
0) 0⊕
00
01
10
11
look at the 3rd row of Γ(v1
1, v21)
![Page 193: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/193.jpg)
Then we can compute f(1,1)from the given inputs
counter
eGC.eval
y01 =H(counter,v10,v2
1) 0⊕
y00 =H(counter, v10, v2
0) 0⊕
y11 =H(counter, v11, v2
1) f(⊕ 11)
y10 =H(counter, v11, v2
0) 0⊕
garbled circuit Γ
00
01
10
11f(1,1)
label(11)= (v11, v2
1)
![Page 194: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/194.jpg)
Theorem
• The above construction satisfies label reusable privacy in the random oracle model
![Page 195: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/195.jpg)
How to Apply Extended Garbling Scheme to Multiple Keyword SSE
w1 w2 w3
D1 e11=1 e12=1 e13=1D2 e21=1 e22=0 e23=0
Consider this example
![Page 196: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/196.jpg)
The client computes
v110=AESk(1,1,0)
v111=AESk(1,1,1)
w1 w2 w3
D1 e11=1 e12=1 e13=1D2 e21=1 e22=0 e23=0
![Page 197: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/197.jpg)
Since e11=1, let
v110=AESk(1,1,0)
v11= v111=AESk(1,1,1)
w1 w2 w3
D1 e11=1 e12=1 e13=1D2 e21=1 e22=0 e23=0
![Page 198: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/198.jpg)
In this way,
w1 w2 w3
D1 v11=v111 v12=v12
1 v13=v131
D2 v21=v211 v22=v22
0 v23=v230
the client computes each entry of this table.
![Page 199: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/199.jpg)
Let
w1 w2 w3
D1 (v11 v12 v13)=label(X1)D2 (v21 v22 v23)=label(X2)
![Page 200: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/200.jpg)
Namely for D1,
The client generates these strings by using AES (v11
0, v111), (v12
0, v121), (v13
0, v131)
![Page 201: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/201.jpg)
and
chooses each element of label(X1) from (111)
(v110, v11
1), (v120, v12
1), (v130, v13
1)
label(X1)=(v11, v22 , v33)
w1 w2 w3
D1 1 1 1D2 1 0 0
![Page 202: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/202.jpg)
Similarly for D2,
The client generates these strings by using AES (v21
0, v211), (v22
0, v221), (v23
0, v231)
![Page 203: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/203.jpg)
and
chooses each element of label(X2) from (100)
(v210, v21
1), (v220, v22
1), (v230, v23
1)
label(X2)=(v11, v22 , v33)
w1 w2 w3
D1 1 1 1D2 1 0 0
![Page 204: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/204.jpg)
The client further computes
PRF(w1) PRF(w2) PRF(w3)E(D1) label(X1)E(D2) label(X2)
![Page 205: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/205.jpg)
and sends
PRF(w1) PRF(w2) PRF(w3)E(D1) label(X1)E(D2) label(X2)
The server
![Page 206: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/206.jpg)
After the store phase,
• The clients keeps only the secret keys of AES, E, PRF and PRF’.
• He remembers nothing other than these.
![Page 207: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/207.jpg)
In the search phase,
• Suppose that the client searches on f(w1,w2,w3)=w1 w⋀ 2 w⋀ 3
![Page 208: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/208.jpg)
For D1,
• the client re-generates these strings (v11
0, v111), …, (v13
0, v131)
by using AES in the same way as in the store phase.
![Page 209: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/209.jpg)
f(w1,w2,w3)=w1 w⋀ 2 w⋀ 3
counter eGC.gen
and computes the garbled circuit Γ1
(v110, v11
1), …, (v130, v13
1)
Then the client runs eGC.gen on input
![Page 210: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/210.jpg)
For D2,
• The client computes the garbled circuit Γ2
similarly
![Page 211: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/211.jpg)
PRF(w1), …, PRF(w3) Γ1
Γ2
The topological circuit f- and counter
The client sends
![Page 212: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/212.jpg)
The server has this table
PRF(w1) PRF(w2) PRF(w3)E(D1) label(X1)E(D2) label(X2)
![Page 213: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/213.jpg)
The server runs eGC.eval on input
eGC.eval
and computes z1=f(X1)
label(X1)
the garbled circuit Γ1
the topological circuit f -counter
![Page 214: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/214.jpg)
E(D1) if z1=1
The server returns
The same for D2
![Page 215: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/215.jpg)
Theorem
In the proposed scheme,if the underlying extended garbling scheme satisfies label reusable privacy
Then only the following information is leaked to the server(other than the minimum leakage)
![Page 216: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/216.jpg)
• The topological circuit f- • (π(j1), …, π(jc)),
where π is a random permutation and {wj1, …, wjc} are the queried keywords
![Page 217: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/217.jpg)
In the scheme of Cash et al. (2013)
If 「 Japan AND Crypto 」 is searched,the following information is leaked to the server
the search formula = AND the search result of Japan or that of Crypto and some more information ( see Sec.5.3 of their paper )
![Page 218: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/218.jpg)
Communication overheadof the proposed scheme
• Let m = # of files c = # of search keywords s = # of gates of f• In the search phase, the com. overhead is |counter|+(c+4m(s-1))×128+4m bits
![Page 219: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/219.jpg)
If # of search keywords is 2
• The communication overhead is |counter|+256+ 4× ( # of files ) bits
![Page 220: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/220.jpg)
Computer simulation
• We used a computer such as follows. 2.4GHz CPU and 32G byte RAM OS = CentOS 6.5 C++ and NTL library
• The total # of keywords is 20.• We generated Index randomly
![Page 221: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/221.jpg)
The running time of the clientin the search phase
![Page 222: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/222.jpg)
The running time of the serverin the search phase
![Page 223: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/223.jpg)
In the proposed SSE scheme,Search
formulaSearch phase
Search formulasecrecy
Wang et al.(2008)
Only AND
1 round ---
Cash at al.(CRYPTO 2013)
Any 2 rounds leaked
Kurosawa(FC 2014)
Any 1 round secret
![Page 224: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/224.jpg)
Summary
• UC-Secure Searchable Symmetric Encryption
• How to Update Documents Verifiably in Searchable Symmetric Encryption
• Garbled Searchable Symmetric Encryption
224
![Page 225: How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea](https://reader031.vdocuments.net/reader031/viewer/2022032201/56649d0c5503460f949e0a54/html5/thumbnails/225.jpg)
Thank you !