Inverted Index Based Multi-Keyword Public-key Searchable Encryption with Strong Privacy Guarantee

Post on 15-Apr-2017

  • Inverted Index Based Multi-Keyword Public-key Searchable Encryption with Strong Privacy Guarantee

    Bing Wang, Wei Song, Wenjing Lou, Y. Thomas Hou

    INFOCOM 2015

    SWIM Seminar, October 21, 2016

    Mateus Cruz

  • Introduction Preliminaries Proposal Experiments Conclusion

    OUTLINE

    1 Introduction

    2 Preliminaries

    3 Proposal

    4 Experiments

    5 Conclusion

  • OVERVIEW

    Search encrypted data
    Use of inverted index
    Preserve query privacy
    Efficiency using cheap operations

  • CONTRIBUTIONS

    Use the same index more than once
    Support conjunctive multi-keyword queries
    Trapdoor unlinkability: the same query has multiple trapdoors
    Efficiency: only uses multiplication and exponentiation, no use of pairing

  • RELATED WORK

    Bloom filter index: only supports single keyword search
    Self-designed indices: not compatible with each other
    One-time-only search limitation
    Leaks query information from trapdoor
    No support for multi-keyword search

  • INVERTED INDEX

    Multiple inverted lists: $I = (I_{w_1}, I_{w_2}, \ldots, I_{w_m})$
    The list $I_{w_i}$ has all documents containing $w_i$
    Efficient for large datasets
    Can be extended: result ranking, phrase search

  • PRIVATE SET INTERSECTION

    Only reveals the intersection: no other information is leaked
    FNP protocol¹: uses the Paillier cryptosystem
    $E(a_1 + a_2) = E(a_1)E(a_2)$

    ¹ Freedman, Nissim and Pinkas: Efficient private matching and set intersection (EUROCRYPT 2004)

  • FNP PROTOCOL

    1 Alice represents her set A as a polynomial $f(x) = \prod_{a_i \in A} (x - a_i)$
    2 Alice encrypts the coefficients using Paillier
    3 Alice sends f (x) = Enc(f (x)) to Bob
    4 Bob calculates R : {rj = f (bj)+h bj} bj B
    5 Bob sends R to Alice
    6 Alice decrypts R as R
    7 Alice obtains A B from calculating A R

  • SYSTEM ARCHITECTURE

    Honest-but-curious cloud server
    Trusted users

  • THREAT MODEL

    Confidentiality of documents
    Index privacy
    Trapdoor privacy
    Access pattern privacy

  • NOTATIONS

    Document collection: = (1,2, . . . ,n)
    Keyword collection: $D = (w_1, w_2, \ldots, w_m)$
    Inverted index: $I = (I_{w_1}, I_{w_2}, \ldots, I_{w_m})$
    Iwi contains i = (i1,i2, . . . ,ip) i wi ij,1 j p
    Encrypted index I based on I
    Query: Q D
    Trapdoor for query Q: $T_Q$

  • STEPS OVERVIEW

  • SYSTEM INITIALIZATION

    Done by the data owner
    Receives security parameter k
    Generate key pair for the Paillier algorithm: secret key sk, public key pk
    Output master key $MK = \{sk, f, M\}$
    f: pseudorandom permutation
    M: invertible matrix of degree m

  • ENCRYPTED INDEX GENERATION

    Done by the data owner
    Receives master key MK and index I
    Transform inverted lists into polynomials
    Encrypt coefficients using pk
    I = Enc(I)
    Construct a dictionary matrix MD
    Encrypt MD as M D = M MD
    Send M D and I to the server

  • TRAPDOOR GENERATION

    Pre-compute a polynomial for all keywords
    m1 (xwi)
    Generate a polynomial for user query Q: PQ(x) = PD/wiQ(xwi)
    Apply padding to hide the query length
    Send trapdoor $T_Q$ to the server
    $T_Q = \{(a_m, a_{m-1}, \ldots, a_1) \cdot M^{-1}, \mathrm{Enc}(a_0)\}$

  • QUERYING

    Calculate V = TQ[1] M D = (v1,v2, ,vm)
    For each vi, calculate v i = Enc(vi)+h TQ[2]
    V = (v 1,v 2, . . . ,v m)
    Calculate result polynomial PR(x) = V IT
    Return PR(x) to the user

  • RESULT DECRYPTION

    Requires assistance of data owner
    Find the roots of PR(x): the roots are the IDs of the result documents

  • SETUP

    Environment: Intel Core i3 3.3GHz, 4GB RAM, Windows 8.1, Python
    Dataset: Enron emails

  • SYSTEM INITIALIZATION

    Generation of public and private keys
    512-bit: 0.40s
    1024-bit: 3.03s

  • ENCRYPTED INDEX GENERATION

    One-time process
    1 Calculate polynomials for keyword lists
    2 Encrypt polynomials
    Cost increases with dictionary size

  • TRAPDOOR GENERATION

    Matrix multiplication is the most expensive: can be optimized

  • QUERYING

    Multiply trapdoor with the dictionary matrix
    Encryption is expensive: can be parallelized

  • SUMMARY

    Searchable encryption scheme: public key, based on inverted index, multi-keyword queries
    Prevents trapdoor linking
    Hides the number of keywords in query
    Efficiency: uses only multiplication and exponentiation

  • EXTRA SLIDES

  • PAILLIER CRYPTOSYSTEM

    Key generation
    pk = (n, g)
    $n = pq$, $\gcd(pq, (p-1)(q-1)) = 1$, $g \in \mathbb{Z}^*_{n^2}$
    sk = (,) = LMC(p1,q1) = ( g mod n21n )1 mod n
    Encrypt message m into ciphertext c: $c = g^m r^n \bmod n^2$, $r \in \mathbb{Z}^*_n$
    Decrypt ciphertext c into message m: m = c mod n21n mod n

  • ENCRYPTED INDEX GENERATION [1/2]

    For each keyword wi and its list Iwi
    Generate tags for keywords: $t_{w_i} = f(w_i)$
    Generate tags for documents: ti = f (i)
    Generate random numbers Ri = {rj} for Iwi: rj Zn, rj f (D)
    Generate polynomial Pwi(x) for Iwi: Pwi (x) = jIwi (x tj ) rjRi(x rj)
    Calculate a polynomial vector $I = (P_{w_1}, P_{w_2}, \ldots, P_{w_m})^T$

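  • ENCRYPTED INDEX GENERATION [2/2]

    Encrypt coefficients of each Pwi: I = Enc(n,g)(I)
    Construct dictionary matrix MD

    $$M_D = \begin{pmatrix} t_{w_1}^{m} & t_{w_2}^{m} & \cdots & t_{w_m}^{m} \\ t_{w_1}^{m-1} & t_{w_2}^{m-1} & \cdots & t_{w_m}^{m-1} \\ \vdots & \vdots & \ddots & \vdots \\ t_{w_1} & t_{w_2} & \cdots & t_{w_m} \end{pmatrix}$$

    Encrypt M as M D = M MD
    Outsource M D and I to the cloud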

  • TRAPDOOR GENERATION

    Encrypt all keywords as PD(x) = wiD(x twi)
    Receive a query request Q
    Construct PQ(x) = PD/wiQ(xwi)
    Generate P Q(x) by padding random terms
    P Q(x) = PQ(x)m q+1(x rj),q = |Q|,rj f (D)
    Send trapdoor to user TQ = {(am,amq, . . . ,a1)M1,Enc(n,g)(a0)}
    (am,amq, . . . ,a1) are the coefficients of P Q(x)

  • COMPARISON WITH OTHER WORKS

    P: Map-to-point hash
    M: Multiplication
    E: Exponentiation
    e: Pairing
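
The FNP PROTOCOL steps and the PAILLIER CRYPTOSYSTEM slide, worked through end to end as an added Python example (not code from the paper or from the presentation). It assumes the common choice g = n + 1, two small constructed primes, and the random blinding factor of the standard FNP protocol; all function names are hypothetical.

```python
import math, secrets

def keygen(p=2**31 - 1, q=2**61 - 1):        # constructed toy primes, far too small for real use
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    return (n, n + 1), (lam, pow(lam, -1, n))           # with g = n+1, mu = lam^-1 mod n

def enc(pk, m):
    n, g = pk
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:               # r must be a unit modulo n
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m % n, n * n) * pow(r, n, n * n) % (n * n)

def dec(pk, sk, c):
    n, (lam, mu) = pk[0], sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def poly_from_roots(roots, n):
    """Coefficients (lowest degree first) of the product of (x - a) mod n."""
    coeffs = [1]
    for a in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] - a * c) % n
            nxt[i + 1] = (nxt[i + 1] + c) % n
        coeffs = nxt
    return coeffs

def bob_respond(pk, enc_coeffs, b_set):
    """Steps 4-5: evaluate the encrypted polynomial at each b without the secret key."""
    n2 = pk[0] ** 2
    replies = []
    for b in b_set:
        acc = enc(pk, 0)
        for c in reversed(enc_coeffs):        # Horner's rule: Enc(acc*b + coeff)
            acc = pow(acc, b, n2) * c % n2
        s = secrets.randbelow(pk[0] - 1) + 1  # random blinding factor (standard FNP)
        replies.append(pow(acc, s, n2) * enc(pk, b) % n2)   # Enc(s*f(b) + b)
    return replies

def fnp_intersection(a_set, b_set):
    pk, sk = keygen()
    enc_coeffs = [enc(pk, c) for c in poly_from_roots(a_set, pk[0])]   # steps 1-3
    replies = bob_respond(pk, enc_coeffs, b_set)
    return set(a_set) & {dec(pk, sk, r) for r in replies}              # steps 6-7

if __name__ == "__main__":
    print(fnp_intersection([3, 17, 42, 99], [5, 17, 99, 1000]))       # constructed document IDs
```

For elements of B outside A, the blinded value s·f(b) + b decrypts to a value that is uniformly distributed modulo n, so Alice learns nothing about them beyond a negligible collision chance.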
