inverted index based multi-keyword public-key searchable encryption with strong privacy guarantee
TRANSCRIPT
Inverted Index BasedMulti-Keyword Public-key
Searchable Encryption withStrong Privacy Guarantee
Bing Wang, Wei Song, Wenjing Lou, Y. Thomas Hou
INFOCOM 2015
SWIM SeminarOctober 21, 2016
Mateus Cruz
Introduction Preliminaries Proposal Experiments Conclusion
OUTLINE
1 Introduction
2 Preliminaries
3 Proposal
4 Experiments
5 Conclusion
Introduction Preliminaries Proposal Experiments Conclusion
OUTLINE
1 Introduction
2 Preliminaries
3 Proposal
4 Experiments
5 Conclusion
Introduction Preliminaries Proposal Experiments Conclusion
OVERVIEW
Search encrypted dataUse of inverted indexPreserve query privacyEfficiency using cheap operations
1 / 21
Introduction Preliminaries Proposal Experiments Conclusion
CONTRIBUTIONS
Use the same index more than onceSupport conjunctive multi-keyword queriesTrapdoor unlinkability
Ï The same query have multiple trapdoorsEfficiency
Ï Only use multiplication and exponentiationÏ No use of pairing
2 / 21
Introduction Preliminaries Proposal Experiments Conclusion
RELATED WORK
Bloom filter indexÏ Only supports single keyword search
Self-designed indicesÏ Not compatible with each other
One-time-only search limitationÏ Leaks query information from trapdoor
No support for multi-keyword search
3 / 21
Introduction Preliminaries Proposal Experiments Conclusion
OUTLINE
1 Introduction
2 Preliminaries
3 Proposal
4 Experiments
5 Conclusion
Introduction Preliminaries Proposal Experiments Conclusion
INVERTED INDEX
Multiple inverted lists: I = (Iw1, Iw2, . . . , Iwm)Ï The list Iwi has all documents containing wi
Efficient for large datasetsCan be extended
Ï Result rankingÏ Phrase search
4 / 21
Introduction Preliminaries Proposal Experiments Conclusion
PRIVATE SET INTERSECTION
Only reveals the intersectionÏ No other information is leaked
FNP protocol1Ï Uses Paillier cryptosystem
– E(a1 +a2) = E(a1)E(a2)
1Freedman, Nissim and Pinkas: “Efficient private matching and setintersection” (EUROCRYPT 2004)
5 / 21
Introduction Preliminaries Proposal Experiments Conclusion
FNP PROTOCOL
1 Alice represents her set A as a polynomialÏ f (x) =∏
ai∈A (x−ai)
2 Alice encrypts the coefficients using Paillier3 Alice sends f ′(x) = Enc(f (x)) to Bob4 Bob calculates R : {rj = f ′(bj)+h bj}
Ï bj ∈B
5 Bob sends R to Alice6 Alice decrypts R as R ′
7 Alice obtains A ∩B from calculating A ∩R ′
6 / 21
Introduction Preliminaries Proposal Experiments Conclusion
OUTLINE
1 Introduction
2 Preliminaries
3 Proposal
4 Experiments
5 Conclusion
Introduction Preliminaries Proposal Experiments Conclusion
SYSTEM ARCHITECTURE
Honest-but-curious cloud serverTrusted users
7 / 21
Introduction Preliminaries Proposal Experiments Conclusion
THREAT MODEL
Confidentiality of documentsIndex privacyTrapdoor privacyAccess pattern privacy
8 / 21
Introduction Preliminaries Proposal Experiments Conclusion
NOTATIONS
Document collection: Σ= (σ1,σ2, . . . ,σn)
Keyword collection: D = (w1,w2, . . . ,wm)Inverted index: I = (Iw1, Iw2, . . . , Iwm)
Ï Iwi contains Σi = (σi1,σi2, . . . ,σip)– Σi ⊂Σ– wi ∈σij,1 ≤ j ≤ p
Encrypted index I based on I
Query: Q ⊂ D
Trapdoor for query Q: TQ
9 / 21
Introduction Preliminaries Proposal Experiments Conclusion
STEPS OVERVIEW
10 / 21
Introduction Preliminaries Proposal Experiments Conclusion
SYSTEM INITIALIZATION
Done by the data ownerReceives security parameter kGenerate key pair for the Paillier algorithm
Ï Secret key skÏ Public key pk
Output master key MK = {sk, f ,M}Ï f : Pseudorandom permutationÏ M: Invertible matrix of degree m
11 / 21
Introduction Preliminaries Proposal Experiments Conclusion
ENCRYPTED INDEX GENERATION
Done by the data ownerReceives master key MK and index I
Transform inverted lists into polynomialsEncrypt coefficients using pk
Ï I = Enc(I)
Construct a dictionary matrix MDÏ Encrypt MD as M ′
D = M ·MD
Send M ′D and I to the server
12 / 21
Introduction Preliminaries Proposal Experiments Conclusion
ENCRYPTED INDEX GENERATION
12 / 21
Introduction Preliminaries Proposal Experiments Conclusion
TRAPDOOR GENERATION
Pre-compute a polynomial for all keywordsÏ
∏m1 (x−wi)
Generate a polynomial for user query QÏ PQ(x) = PD/
∏wi∈Q(x−wi)
Apply padding to hide the query lengthSend trapdoor TQ to the server
Ï TQ = {(am,am−1, . . . ,a1) ·M−1,Enc(a0)}
13 / 21
Introduction Preliminaries Proposal Experiments Conclusion
TRAPDOOR GENERATION
13 / 21
Introduction Preliminaries Proposal Experiments Conclusion
QUERYING
Calculate V = TQ[1] ·M ′D = (v1,v2, · · · ,vm)
For each vi, calculate v ′i = Enc(vi)+h TQ[2]
Ï V ′ = (v ′1,v ′
2, . . . ,v ′m)
Calculate result polynomial PR(x) = V ′ · IT
Return PR(x) to the user
14 / 21
Introduction Preliminaries Proposal Experiments Conclusion
QUERYING
14 / 21
Introduction Preliminaries Proposal Experiments Conclusion
RESULT DECRYPTION
Requires assistance of data ownerFind the roots of PR(x)
Ï The roots are the IDs of the result documents
15 / 21
Introduction Preliminaries Proposal Experiments Conclusion
OUTLINE
1 Introduction
2 Preliminaries
3 Proposal
4 Experiments
5 Conclusion
Introduction Preliminaries Proposal Experiments Conclusion
SETUP
EnvironmentÏ Intel Core i3 3.3GHz 4GB RAMÏ Windows 8.1Ï Python
DatasetÏ Enron emails
16 / 21
Introduction Preliminaries Proposal Experiments Conclusion
SYSTEM INITIALIZATION
Generation of public and private keysÏ 512-bit: 0.40sÏ 1024-bit: 3.03s
17 / 21
Introduction Preliminaries Proposal Experiments Conclusion
ENCRYPTED INDEX GENERATION
One-time process1 Calculate polynomials for keyword lists2 Encrypt polynomials
Cost increases with dictionary size
18 / 21
Introduction Preliminaries Proposal Experiments Conclusion
TRAPDOOR GENERATION
Matrix multiplication is the most expensiveÏ Can be optimized
19 / 21
Introduction Preliminaries Proposal Experiments Conclusion
QUERYING
Multiply trapdoor with the dictionary matrixEncryption is expensive
Ï Can be parallelized
20 / 21
Introduction Preliminaries Proposal Experiments Conclusion
OUTLINE
1 Introduction
2 Preliminaries
3 Proposal
4 Experiments
5 Conclusion
Introduction Preliminaries Proposal Experiments Conclusion
SUMMARY
Searchable encryption schemeÏ Public keyÏ Based on inverted indexÏ Multi-keyword queries
Prevents trapdoor linkingÏ Hides the number of keywords in query
EfficiencyÏ Uses only multiplication and exponentiation
21 / 21
EXTRA SLIDES
PAILLIER CRYPTOSYSTEM
Key generationÏ pk = (n,g)
– n = pq,GCD(pq, (p−1)(q−1)) = 1– g ∈Z∗
n2
Ï sk = (λ,µ)– λ= LMC(p−1,q−1)
– µ= ( gλ mod n2−1n )−1 mod n
Encrypt message m into ciphertext cÏ c = gm · rn mod n2,r ∈Zn
Decrypt ciphertext c into message mÏ m = cλ mod n2−1
n ·µ mod n
ENCRYPTED INDEX GENERATION [1/2]
For each keyword wi and its list Iwi
Ï Generate tags for keywords: twi = f (wi)Ï Generate tags for documents: tσi = f (σi)
Generate random numbers Ri = {rj} for Iwi
Ï rj ∈Z∗n,rj ∉ f (D)
Generate polynomial Pwi(x) for Iwi
Ï Pwi (x) = ∏σj∈Iwi
(x− tσj )∏
rj∈Ri
(x− rj)
Calculate a polynomial vectorÏ I = (Pw1 ,Pw2 , . . . ,Pwm )T
ENCRYPTED INDEX GENERATION [2/2]
Encrypt coefficients of each Pwi
Ï I = Enc(n,g)(I)
Construct dictionary matrix MD
MD =
tm
w1tm
w2· · · tm
wm
tm−1w1
tm−1w2
· · · tm−1wm... ... . . . ...
tw1 tw2 · · · twm
Encrypt M as M ′
D = M ·MD
Outsource M ′D and I to the cloud
TRAPDOOR GENERATION
Encrypt all keywords as PD(x) = ∏wi∈D
(x− twi)
Receive a query request Q
Construct PQ(x) = PD/∏
wi∈Q(x−wi)
Generate P ′Q(x) by padding random terms
Ï P ′Q(x) = PQ(x)
m∏q+1
(x− rj),q = |Q|,rj ∉ f (D)
Send trapdoor to userÏ TQ = {(am,am−q, . . . ,a1)∗M−1,Enc(n,g)(a0)}
– (am,am−q, . . . ,a1) are the coefficients of P ′Q(x)
COMPARISON WITH OTHER WORKS
P: Map-to-point hashM: MultiplicationE: Exponentiatione: Pairing