1 / 33

Efficient Conjunctive Keyword-Searchable Encryption,2007

Efficient Conjunctive Keyword-Searchable Encryption,2007. Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍 . Outline. Motivating Scenario and model of document Conjunctive Keyword Searchable Encryption (CKSE) Definition Assumption Construction Security Notion

alima
Télécharger la présentation

Efficient Conjunctive Keyword-Searchable Encryption,2007

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍

  2. Outline • Motivating Scenario and model of document • Conjunctive Keyword Searchable Encryption (CKSE) • Definition • Assumption • Construction • Security Notion • Secutity Analysis

  3. Motivating Scenario • Alice has a large amount of data • Which is private • Which she wants to access any time and from anywhere • Example: emails • Alice stores her data on a remote server • Good connectivity • Low administration overhead • Cheaper cost of storage • But untrusted

  4. Alice may not trust the server • Data must be stored encrypted • Alice wants ability to search her data • Keyword search: “All emails from Bob” • Alice wants powerful, efficient search • She wants to ask conjunctive queries • E.g. ask for “All emails from Bob AND received last Sunday”

  5. Single keyword search • Limited to queries for a single keyword • Can’t do boolean combinations of queries • Example: “emails from Bob AND (received last week OR urgent)” • We focus on conjunctive queries • Documents Di which contains keywords W1 and W2 … and Wm • More restrictive than full boolean combinations

  6. m fields From To Date Status D1 D2 n docs Dn Model of Documents • We assume structured documents where keywords are organized by fields J i The documents are the rows of the matrix Di = (Wi, 1, …, Wi, m)

  7. Outline • Motivating Scenario and model of document • Conjunctive Keyword Searchable Encryption (CKSE) • Definition • Assumption • Construction • Security Notion • Secutity Analysis

  8. Definition1 we saythat a scheme of conjunctive keyword searchable encryption is semantically secure against adaptive chosen-keyword attacks if is a negligible function in for any polynomial attacker A .

  9. Definition2 Bilinear Map: a map is a bilinear map if the following conditions hold : • and are cyclic groups of the same prime order p and Is efficiently computable; • For all and then • is non-degenerate. That is, if generates and generates , the generates

  10. Definition3 XDH Assumption: Let and be two disjoint cyclic sub groups of a prime order of elliptic curves and let be a bilinear map The XDH states that the decision Diffie-Hellman problem in This implies that there does not exist an efficiently computable isomorphism

  11. Definition4 coXDH Assumption: Let and be the XDH group and let be a bilinear map Let the mixed decisional Diffie-Hellman problem to distinguish between the tuples of the form and where are random elements of The coXDH assumption means that the mixed DDH problem is intractable in the XDH setting.

  12. Encryption(K,Di ={Wi,1,…,Wi,m}) C1,C2,…Ci Later, Alice wants to retrieve only some of documents containing some specific keywords. Trapdoor(K,{ j1,..},{W1,…}) Search on Encrypted Data Storage Server Alice D1, D2, …, Dn Test(T, Ci) = True if Ci contains W Test(T,Ci) = False otherwise 傳回滿足條件的資料 Alice decrypts Ci

  13. CKSE algorithm: keyGen : • run by the user to setup the scheme • take a security parameter ,it determines XDH group and of a prime order p, where is kept in private. • return a secret key

  14. Enc: • run by the user to generate searchable ciphertexts • take a secret key and a document. • Let for Let be a value chosen uniformly at random from , return a ciphertextas follow:

  15. Trapdoor: • run by the user to generate a trapdoor • take a secret key ,keyword field Indices and keywords as inputs .Let be a value chosen uniformly at random from • return a trapdoor vale

  16. Test : • run by the server in order to search for the documents containing some specific keywords • take a trapdoor and a ciphertext Let and For all ,the algorithm checks if the following equality holds: If so, it return true. Otherwise, it return false

  17. Outline • Motivating Scenario and model of document • Conjunctive Keyword Searchable Encryption (CKSE) • Definition • Assumption • Construction • Security Notion • Secutity Analysis

  18. Security Notion Define the security notion of CKSE in the sense of semantic-security using the following experiment: • Challenger chooses a set of secret keys for the user by executing KeyGen algorithm. • Attacker A can ask challenger for the trapdoor and encryption of its own choice. • A chooses two documents D0 ,D1 ,(none of trapdoor for D0 ,D1 is given in the step 2). The challenger generates a random coin and gives A a challenge The goal of A is to decide such that

  19. A may ask continuously for the trapdoor and the encryption of its choice. (not allowed to ask for the trapdoor and the encryption of D0,D1 , as before ) • A output The advantage of A in breaking the CKSE scheme is defined as in a security parameter

  20. Outline • Motivating Scenario and model of document • Conjunctive Keyword Searchable Encryption (CKSE) • Definition • Assumption • Construction • Security Notion • Secutity Analysis

  21. Secutity Analysis Theorem1 The CKSE scheme for conjunctive keyword searchable encryption is semantically secure against adaptive chosen-keyword attacks in the random oracle model under the external co-Diffie-Hellman assumption (coXDH).

  22. Secutity Analysis (proof) Suppose: A breaks the CKSE scheme with advantage by making at most hash queries , trapdoor queries , and encryption queries. Goal: We then show a construction of an algorithm O that uses A as a subroutine and breaks coXDH assumption with non-negligible advantage where is the base of natural logarithm. Let be an instance of coXDH problem. O is to decide whether c= ab

  23. (step) • KeyGen • HashQueries • TrapdoorQueries • EncQueries • ChallengeQueries • MoreQueries • Output

  24. KeyGen: O chooses a random value and sets as its own secret key. HashQueries: • O maintains a list of tuples called the H-list. The list is initially empty. • When A issues a hash query for a keyword O responds as follows:

  25. If exists on the H-list then O responding with the previous queries • Otherwise ,O generates a random coin so that ,and then O chooses a random value • If O computes • If O computes O adds the tuple to the H-list and answers with

  26. TrapdoorQueries: A issues a trapdoor query of some keyword and then O execute the above H algorithm. O responds as follows: • If all on the tuple are not 1,termminate. • Otherwise ,O chooses a random value and answer with a trapdoor as follow:

  27. ChallengeQueries : • A submits a pair of challenge documents and • O execute the above random oracle algorithm, then O produces a challenge as follows: • If both and for all are not 0 ,terminate. • If both and for all are equal to 0 ,O generate a random coin • If only one is equal to 0 then no randomness is needed. O responds with the challenge

  28. EncQueries : • A issues a document • O execute above H algorithm. O responds as follow: • If all on the tuples are not 1, then terminates. • Otherwise, O chooses a random value and then answers with

  29. MoreQueries: Aperforms additional trapdoor queries or Enc queries after the challengequery, O responds to these queries in the same way before.

  30. Output: • A output a bit of its guess . • If , O guesses that is an instance of mixed DDH tuple . • Otherwise, O guesses it is a random tuple.

  31. The probability of O against the mixed DHH challenge Let NF be the event of that O does not fail during the above experiment. • NFT, O does not fail during the TrapdoorQueries • NFE, O does not fail during the EncQueries • NFC, O does not fail during the ChallengeQueries NF=NFT NFE NFC

  32. Pr[NFT] = • Pr[NFE] = • Pr[NFC] = for b = 0,1 and both and are independent of A’sview. Pr[ NF = NFT NFE NEC ] = • The advantage of A against our CKSE scheme is The success probability of the O is

More Related