inverted index based multi-keyword public-key searchable encryption with strong privacy guarantee

Inverted Index BasedMulti-Keyword Public-key

Searchable Encryption withStrong Privacy Guarantee

Bing Wang, Wei Song, Wenjing Lou, Y. Thomas Hou

INFOCOM 2015

SWIM SeminarOctober 21, 2016

Mateus Cruz

Introduction Preliminaries Proposal Experiments Conclusion

OUTLINE

1 Introduction

2 Preliminaries

3 Proposal

4 Experiments

5 Conclusion

Introduction Preliminaries Proposal Experiments Conclusion

OUTLINE

1 Introduction

2 Preliminaries

3 Proposal

4 Experiments

5 Conclusion

Introduction Preliminaries Proposal Experiments Conclusion

OVERVIEW

Search encrypted dataUse of inverted indexPreserve query privacyEfficiency using cheap operations

1 / 21

Introduction Preliminaries Proposal Experiments Conclusion

CONTRIBUTIONS

Use the same index more than onceSupport conjunctive multi-keyword queriesTrapdoor unlinkability

The same query have multiple trapdoorsEfficiency

Only use multiplication and exponentiation No use of pairing

2 / 21

Introduction Preliminaries Proposal Experiments Conclusion

RELATED WORK

Bloom filter index Only supports single keyword search

Self-designed indices Not compatible with each other

One-time-only search limitation Leaks query information from trapdoor

No support for multi-keyword search

3 / 21

Introduction Preliminaries Proposal Experiments Conclusion

OUTLINE

1 Introduction

2 Preliminaries

3 Proposal

4 Experiments

5 Conclusion

Introduction Preliminaries Proposal Experiments Conclusion

INVERTED INDEX

Multiple inverted lists: I = (Iw1, Iw2, . . . , Iwm) The list Iwi has all documents containing wi

Efficient for large datasetsCan be extended

Result ranking Phrase search

4 / 21

Introduction Preliminaries Proposal Experiments Conclusion

PRIVATE SET INTERSECTION

Only reveals the intersection No other information is leaked

FNP protocol1 Uses Paillier cryptosystem

E(a1 +a2) = E(a1)E(a2)

1Freedman, Nissim and Pinkas: Efficient private matching and setintersection (EUROCRYPT 2004)

5 / 21

Introduction Preliminaries Proposal Experiments Conclusion

FNP PROTOCOL

1 Alice represents her set A as a polynomial f (x) =aiA (xai)

2 Alice encrypts the coefficients using Paillier3 Alice sends f (x) = Enc(f (x)) to Bob4 Bob calculates R : {rj = f (bj)+h bj}

bj B5 Bob sends R to Alice6 Alice decrypts R as R

7 Alice obtains A B from calculating A R

6 / 21

Introduction Preliminaries Proposal Experiments Conclusion

OUTLINE

1 Introduction

2 Preliminaries

3 Proposal

4 Experiments

5 Conclusion

Introduction Preliminaries Proposal Experiments Conclusion

SYSTEM ARCHITECTURE

Honest-but-curious cloud serverTrusted users

7 / 21

Introduction Preliminaries Proposal Experiments Conclusion

THREAT MODEL

Confidentiality of documentsIndex privacyTrapdoor privacyAccess pattern privacy

8 / 21

Introduction Preliminaries Proposal Experiments Conclusion

NOTATIONS

Document collection: = (1,2, . . . ,n)Keyword collection: D = (w1,w2, . . . ,wm)Inverted index: I = (Iw1, Iw2, . . . , Iwm)

Iwi contains i = (i1,i2, . . . ,ip) i wi ij,1 j p

Encrypted index I based on IQuery: Q DTrapdoor for query Q: TQ

9 / 21

Introduction Preliminaries Proposal Experiments Conclusion

STEPS OVERVIEW

10 / 21

Introduction Preliminaries Proposal Experiments Conclusion

SYSTEM INITIALIZATION

Done by the data ownerReceives security parameter kGenerate key pair for the Paillier algorithm

Secret key sk Public key pk

Output master key MK = {sk, f ,M} f : Pseudorandom permutation M: Invertible matrix of degree m

11 / 21

Introduction Preliminaries Proposal Experiments Conclusion

ENCRYPTED INDEX GENERATION

Done by the data ownerReceives master key MK and index ITransform inverted lists into polynomialsEncrypt coefficients using pk

I = Enc(I)Construct a dictionary matrix MD

Encrypt MD as M D = M MDSend M D and I to the server

12 / 21

Introduction Preliminaries Proposal Experiments Conclusion

ENCRYPTED INDEX GENERATION

12 / 21

Introduction Preliminaries Proposal Experiments Conclusion

TRAPDOOR GENERATION

Pre-compute a polynomial for all keywords

m1 (xwi)

Generate a polynomial for user query Q PQ(x) = PD/wiQ(xwi)

Apply padding to hide the query lengthSend trapdoor TQ to the server

TQ = {(am,am1, . . . ,a1) M1,Enc(a0)}

13 / 21

Introduction Preliminaries Proposal Experiments Conclusion

TRAPDOOR GENERATION

13 / 21

Introduction Preliminaries Proposal Experiments Conclusion

QUERYING

Calculate V = TQ[1] M D = (v1,v2, ,vm)For each vi, calculate v i = Enc(vi)+h TQ[2]

V = (v 1,v 2, . . . ,v m)Calculate result polynomial PR(x) = V ITReturn PR(x) to the user

14 / 21

Introduction Preliminaries Proposal Experiments Conclusion

QUERYING

14 / 21

Introduction Preliminaries Proposal Experiments Conclusion

RESULT DECRYPTION

Requires assistance of data ownerFind the roots of PR(x)

The roots are the IDs of the result documents

15 / 21

Introduction Preliminaries Proposal Experiments Conclusion

OUTLINE

1 Introduction

2 Preliminaries

3 Proposal

4 Experiments

5 Conclusion

Introduction Preliminaries Proposal Experiments Conclusion

SETUP

Environment Intel Core i3 3.3GHz 4GB RAM Windows 8.1 Python

Dataset Enron emails

16 / 21

Introduction Preliminaries Proposal Experiments Conclusion

SYSTEM INITIALIZATION

Generation of public and private keys 512-bit: 0.40s 1024-bit: 3.03s

17 / 21

Introduction Preliminaries Proposal Experiments Conclusion

ENCRYPTED INDEX GENERATIONOne-time process

1 Calculate polynomials for keyword lists2 Encrypt polynomials

Cost increases with dictionary size

18 / 21

Introduction Preliminaries Proposal Experiments Conclusion

TRAPDOOR GENERATION

Matrix multiplication is the most expensive Can be optimized

19 / 21

Introduction Preliminaries Proposal Experiments Conclusion

QUERYING

Multiply trapdoor with the dictionary matrixEncryption is expensive

Can be parallelized

20 / 21

Introduction Preliminaries Proposal Experiments Conclusion

OUTLINE

1 Introduction

2 Preliminaries

3 Proposal

4 Experiments

5 Conclusion

Introduction Preliminaries Proposal Experiments Conclusion

SUMMARY

Searchable encryption scheme Public key Based on inverted index Multi-keyword queries

Prevents trapdoor linking Hides the number of keywords in query

Efficiency Uses only multiplication and exponentiation

21 / 21

EXTRA SLIDES

PAILLIER CRYPTOSYSTEM

Key generation pk = (n,g)

n = pq,GCD(pq, (p1)(q1)) = 1 g Z

n2

sk = (,) = LMC(p1,q1) = ( g mod n21n )1 mod n

Encrypt message m into ciphertext c c = gm rn mod n2,r Zn

Decrypt ciphertext c into message m m = c mod n21n mod n

ENCRYPTED INDEX GENERATION [1/2]

For each keyword wi and its list Iwi Generate tags for keywords: twi = f (wi) Generate tags for documents: ti = f (i)

Generate random numbers Ri = {rj} for Iwi rj Zn,rj f (D)

Generate polynomial Pwi(x) for Iwi Pwi (x) =

jIwi

(x tj )

rjRi(x rj)

Calculate a polynomial vector I = (Pw1 ,Pw2 , . . . ,Pwm )T

ENCRYPTED INDEX GENERATION [2/2]

Encrypt coefficients of each Pwi I = Enc(n,g)(I)

Construct dictionary matrix MD

MD =

tmw1 t

mw2 tmwm

tm1w1 tm1w2 tm1wm... ... . . . ...

tw1 tw2 twm

Encrypt M as M D = M MDOutsource M D and I to the cloud

TRAPDOOR GENERATION

Encrypt all keywords as PD(x) =

wiD(x twi)

Receive a query request QConstruct PQ(x) = PD/wiQ(xwi)Generate P Q(x) by padding random terms

P Q(x) = PQ(x)m

q+1(x rj),q = |Q|,rj f (D)

Send trapdoor to user TQ = {(am,amq, . . . ,a1)M1,Enc(n,g)(a0)}

(am,amq, . . . ,a1) are the coefficients of P Q(x)

COMPARISON WITH OTHER WORKS

P: Map-to-point hashM: MultiplicationE: Exponentiatione: Pairing

IntroductionPreliminariesProposalExperimentsConclusion