
Public Key Encryption with keyword search

Authors: Dan Boneh, Giovanni Di Crescenzo, Rafail Ostrovsky, Giuseppe Persiano. Presenter: 紀銘偉.


Presentation Transcript


  1. Public Key Encryption with keyword search • Authors: Dan Boneh, Giovanni Di Crescenzo, Rafail Ostrovsky, Giuseppe Persiano • Presenter: 紀銘偉

  2. Problem • [Diagram: User2 (Bob) sends mail through an untrusted mail server; User1 (Alice) receives it; non-interactive]

  3. Outline • Public key encryption with keyword search (PEKS) • PEKS security game • PEKS implies Identity Based Encryption • Construction • Construction using bilinear maps • Construction using any trapdoor permutation (two methods) • Source-indistinguishability security game

  4. Public key encryption with search: definitions (1/4) • Bob wants to send mail to Alice, so he sends the following message: • Our goal is to enable Alice to send $T_W$ to the mail server, which will enable the server to locate all mails containing the keyword W. The server then simply sends the relevant mails back to Alice.

  5. Public key encryption with search: definitions (2/4) • [Diagram: User2 (Bob) sends mail to the untrusted mail server; User1 (Alice) asks the server to search for mails with word W and retrieves them]

  6. Public key encryption with search: definitions (3/4) • Definition 2.1.: A non-interactive public key encryption with keyword search scheme consists of the following polynomial time randomized algorithms:

  7. Public key encryption with search: definitions (4/4)

  8. PEKS Security game • The challenger C runs the KeyGen(s) algorithm to generate PK and SK. It gives PK to the attacker A. • A can adaptively ask C for the trapdoor $T_W$ for any keyword $W \in \{0,1\}^*$ of his choice. • A sends $W_0, W_1$ on which it wants to be challenged. The only restriction is that in step 2 A must not have obtained  or . C gives A the ciphertext PEKS(PK, $W_b$), where $b \in \{0,1\}$. • A can continue to ask for trapdoors for any keyword W as long as $W \neq W_0, W_1$. • Then, A outputs $b' \in \{0,1\}$ and wins the game if $b = b'$. $\mathrm{Adv}_A(s) = |\Pr[b = b'] - 1/2|$

  9. PEKS security • PEKS is semantically secure against an adaptive chosen keyword attack if $\mathrm{Adv}_A(s)$ is negligible. • PEKS is not chosen ciphertext secure.

  10. PEKS implies Identity Based Encryption (1/4) • Constructing a secure PEKS is at least as hard a problem as constructing an IBE. • Lemma 2.3: A non-interactive searchable encryption scheme (PEKS) that is semantically secure against an adaptive chosen keyword attack gives rise to a chosen ciphertext secure IBE system (IND-ID-CCA).

  11. PEKS implies Identity Based Encryption (2/4) • Proof sketch: Given a PEKS (KeyGen, PEKS, Trapdoor, Test), the IBE system is as follows: • 1. Setup: Run the PEKS KeyGen algorithm to generate PK/SK. The IBE system parameters are PK. The master-key is SK. • 2. KeyGen: the IBE private key associated with a public key is

  12. PEKS implies Identity Based Encryption (3/4) • 3. Encrypt: Encrypt a bit using a public key as: • 4. Decrypt: To decrypt using the private . Output ‘0’ if and output ‘1’ if

  13. PEKS implies Identity Based Encryption (4/4) • The resulting system is IND-ID-CCA assuming the PEKS is semantically secure against an adaptive chosen message attack. (once can send a bit?) • Building non-interactive public-key searchable encryption is at least as hard as building an IBE system.

  14. Constructions • Two constructions for public-key searchable encryption: • (1) an efficient system based on a variant of the Decision Diffie-Hellman assumption (assuming a random oracle) • (2) a limited, less efficient system based on general trapdoor permutations (without assuming the random oracle)

  15. Diffie-Hellman key exchange procedure • n and g are public values • Each party picks a large value: x and y • Compute the "secret key": $g^{xy} \bmod n$

  16. Construction using bilinear maps (1/4) • Using two groups of prime order p and a bilinear map . • The map satisfies: 1. Computable: given there is a polynomial time algorithm to compute 2. Bilinear: for any integer then 3. Non-degenerate: if g is a generator of then is a generator of

  17. Construction using bilinear maps (2/4) • We need two hash functions $H_1 : \{0,1\}^* \to G_1$ and $H_2 : G_2 \to$ . • KeyGen: Pick a random value and a generator g of $G_1$. Output

  18. Construction using bilinear maps (3/4) • PEKS: compute for a random . Output PEKS = • Trapdoor • Test: Test if (hence ). If so, output ‘yes’; otherwise, output ‘no’.

  19. Construction using bilinear maps (4/4) • Compute , where $T_W = H_1(W)^{\alpha}$ • If Test outputs ‘yes’, meaning W = W’, the mail server sends Bob’s mail to Alice.

  20. Bilinear Diffie-Hellman Problem (BDH) • Fix a generator g of $G_1$. The BDH problem is as follows: given $g, g^a, g^b, g^c \in G_1$ as input, compute $e(g, g)^{abc} \in G_2$. We say that BDH is intractable if all polynomial time algorithms have a negligible advantage in solving BDH.

  21. PEKS using bilinear maps security (Theorem) • Theorem 3.1: The non-interactive searchable encryption scheme (PEKS) above is semantically secure against a chosen keyword attack in the random oracle model assuming Bilinear Diffie-Hellman (BDH) is intractable.

  22. PEKS using bilinear maps security (parameter) • Parameters:

  23. PEKS using bilinear maps security (step) • H1, H2-queries. • Trapdoor queries. • Challenge. • More trapdoor queries. • Output. • Claim 1 • Claim 2 • Claim 3

  24. PEKS using bilinear maps security (H1, H2-queries 1/2) • H1-list: B maintains a list of tuples $\langle W_j, h_j, a_j, c_j \rangle$, initially empty. • A queries $H_1$ with $W_i \in \{0,1\}^*$ and B responds as follows: • If $W_i$ appears on the H1-list then B returns $H_1(W_i) = h_i$ • Otherwise, B generates a random coin $c_i \in \{0,1\}$ so that $\Pr[c_i = 0] = 1/(q_T+1)$. • B picks a random $a_i$ • If $c_i = 0$, B computes • If $c_i = 1$, B computes

  25. PEKS using bilinear maps security (H1, H2-queries 2/2) • B adds $\langle W_i, h_i, a_i, c_i \rangle$ to the H1-list and responds to A by setting $H_1(W_i) = h_i$. Note that $h_i$ is uniform in $G_1$ and is independent of A’s current view, as required. Similarly, A issues queries to $H_2$. B responds to $H_2(t)$ by picking a new random $V \in \{0,1\}^{\log p}$ for each new t and setting $H_2(t) = V$. B then adds (t, V) to the H2-list, which is initially empty.

  26. PEKS using bilinear maps security (Trapdoor queries) • When A queries a trapdoor corresponding to the word $W_i$, B responds as follows: • B runs H1-queries to obtain an $h_i \in G_1$ such that $H_1(W_i) = h_i$. If $c_i = 0$ then B reports failure.

  27. PEKS using bilinear maps security (Challenge 1/2) • A wants to be challenged on $W_0$ and $W_1$. B generates the challenge PEKS as follows: • B runs H1-queries twice to obtain $h_0, h_1 \in G_1$ such that $H_1(W_0) = h_0$ and $H_1(W_1) = h_1$. If both $c_0 = 1$ and $c_1 = 1$ then B reports failure. • We know that at least one of $c_0, c_1$ is equal to 0. B randomly picks $b \in \{0,1\}$ such that $c_b = 0$. • B responds with the challenge PEKS for a random $J \in \{0,1\}^{\log p}$.

  28. PEKS using bilinear maps security (Challenge 2/2) • Note that this challenge implicitly defines • With this definition, C is a valid PEKS for Wb as required.

  29. PEKS using bilinear maps security (More trapdoor queries) • A can continue to issue trapdoor queries for keywords $W_i$ where the only restriction is that $W_i \neq W_0, W_1$. B responds to these queries as before.

  30. PEKS using bilinear maps security (output) • A outputs its guess $b' \in \{0,1\}$ for whether C is the result of PEKS(PK, $W_0$) or PEKS(PK, $W_1$). B picks a random pair (t, V) from the H2-list and outputs as its guess for , where $a_b$ is the value used in the Challenge step.

  31. PEKS using bilinear maps security (define events) • E1: B does not abort as a result of any of A’s trapdoor queries. • E2: B does not abort during the challenge phase. • E3: In the real attack A does not issue a query for either one of

  32. PEKS using bilinear maps security (claim 1) • The probability that B does not abort as a result of A’s trapdoor queries is at least 1/e. Hence, $\Pr[E_1] \geq 1/e$. Pf: B will abort only when $c_i = 0$, where $\Pr[c_i = 0] = 1/(q_T+1)$, and the other parameters are independent of $c_i$. Since A makes at most $q_T$ trapdoor queries, the probability that B does not abort as a result of all trapdoor queries is at least

  33. PEKS using bilinear maps security (claim 2) • The probability that B does not abort during the challenge phase is at least $1/q_T$. Hence, $\Pr[E_2] \geq 1/q_T$. Pf: B will abort only when $c_0 = c_1 = 1$, and the other parameters are independent of $c_0, c_1$. Since $\Pr[c_i = 0] = 1/(q_T+1)$ for all i, and $c_i$ is independent of $c_j$ for all $i \neq j$, the probability that B does not abort during the challenge phase is

  34. PEKS using bilinear maps security (claim 3 1/4) • Suppose that in a real attack game A is given the public key and A asks to be challenged on words $W_0$ and $W_1$. In response, A is given a challenge . Then, in the real attack game A issues an $H_2$ query for either

  35. PEKS using bilinear maps security (claim 3 2/4) Pf: When $E_3$ occurs, we know that A’s output b’ will satisfy b = b’ with probability at most ½. By definition of A, we know that in the real attack $|\Pr[b = b'] - 1/2| \geq \varepsilon$.

  36. PEKS using bilinear maps security (claim 3 3/4) It follows that Therefore, in the real attack, as required.

  37. PEKS using bilinear maps security (claim 3 4/4) • Now, assuming B does not abort, A will query for either or with probability at least 2ε. The value will appear in the H2-list. B will choose correctly at least and therefore, B will produce the correct answer with probability at least . Since B does not abort with probability at least , we see that B’s success probability is at least

  38. Construction using any trapdoor permutation(1/5) • KeyGen:

  39. Construction using any trapdoor permutation (2/5) • PEKS(PK, W): Pick a random $M \in \{0,1\}^s$ and output PEKS(PK, W) $= (M, E_{PK_W}(M))$. • Trapdoor(SK, W): The trapdoor for W is $T_W = SK_W$. • Test(PK, S, $T_W$): Test if $D[T_W, S] = 0^s$; output “yes” if so and “no” otherwise. Here $S = [A, B] = [M, E_{PK_W}(M)]$ and $D[T_W, S] = D(B) \oplus A$.

  40. Source-indistinguishability security game • The challenger C runs algorithm G(s) twice to generate two public/private key pairs $(PK_0, SK_0)$ and $(PK_1, SK_1)$. • C picks a random $M \in \{0,1\}^s$ and a random $b \in \{0,1\}$ and computes Cipher $= PK_b(M)$. Then C gives (M, Cipher) to the attacker A. • A outputs $b'$ and wins the game if $b = b'$. $\mathrm{AdvSI}_A(s) = |\Pr[b = b'] - 1/2|$

  41. Cover-free families • Definition 3.5.:

  42. Lemma • There exists a deterministic algorithm that, for any fixed t, k, constructs a q-uniform t-cover free family F over a ground set of size d, for

  43. Construction using any trapdoor permutation(reducing the public key)(3/5) • KeyGen:

  44. Construction using any trapdoor permutation(reducing the public key)(4/5) • PEKS(PK,Wi):

  45. Construction using any trapdoor permutation (reducing the public key) (5/5) • Trapdoor(SK, $W_i$): Let $S_i \in F$ be the subset associated with $W_i \in \Sigma$. The trapdoor for $W_i$ is the set of $SK_i$ corresponding to $PK_i$ in the set $S_i$. • Test(PK, R, $T_W$):