Public Key Encryption with Conjunctive Keyword Search and Its Extension to a Multi-user System Source: Pairing 2007, LNCS 4575, pp.2-22, 2007 Author: Yong Ho Hwang and Pil Joong Lee Presenter: Li-Tzu Chang

Outline Introduction Preliminaries Proposed PECK Scheme Multi-user PECK System Conclusion

Introduction B A [E A pub [M], PECK (A pub, (W 1, W 2, …, W m ))] 傳回 Alice 的文件 搜尋包含關鍵字 的文件， 產生一個暗門 T w TwTw 傳送文件 S A2A2 A3A3 AnAn B B BnBn

Outline Introduction Preliminaries  Generic Model for PECK  Adversarial Models for PECK Proposed PECK Scheme Multi-user PECK System Conclusion

Generic Model for PECK KeyGen ( security parameter ) : pk, sk  Takes as input a security parameter and returns params (system parameters) and the public/private key pair (pk, sk). PECK(pk,W ) : S  Executed by the sender to encrypt a keyword set W = {w 1,..., w}.It produces a searchable keyword encryption S of W with the public key pk. Trapdoor (sk,Q i ):T Qi  Takes as input the secret key sk and the keyword query Q ={I 1,..., I m, w I1,..., w Im } for m ≤ where I i is an index to denote a location of w Ii, and returns a trapdoor T Q for the conjunctive search of a given keyword query. Test (pk,S) : 0,1  Executed by the server to search the documents with the keywords of a trapdoor T Q. It takes as input the public key pk, the searchable keyword encryption S, Then output ‘1’ if S includes Q and ‘0’ otherwise.

Outline Introduction Preliminaries  Generic Model for PECK  Adversarial Models for PECK IND-CC-KA IND-CR-KA Proposed PECK Scheme Multi-user PECK System Construction

Adversarial Models for PECK C C A Setup Keygen(1 k ):pk,sk ( 保有 ) pk,params Phase 1 queries a number of keyword sets Q 1,…Q d Trapdoor (sk,Q i ) T Qi Trapdoor Queries (Qi) Trapdoor Oracles IND-CC-KA game

Adversarial Models for PECK Challenger C C A select w 0,w 1 w 0, w 1 ( 無法區別來自哪個 trapdoor) pick β ∈ R {0,1} S β =PECK(pk,W β ) SβSβ Phase 2 queries keyword sets Q d+1,…Q r Trapdoor (sk,Q i ): T Qi if T Qi 無法區別 w 0,w 1 T Qi Guess output β’ ∈ R {0,1} if β =β’ win the game Trapdoor Oracles Trapdoor Queries (Q i ≠w 0,w 1 )

Outline Introduction Preliminaries  Generic Model for PECK  Adversarial Models for PECK IND-CC-KA IND-CR-KA Proposed PECK Scheme Multi-user PECK System Construction

Adversarial Models for PECK C C A Setup Keygen(1 k ):pk,sk ( 保有 ) pk,params Phase 1 queries a number of keyword sets Q 1,…Q d Trapdoor (sk,Q i ) T Qi Trapdoor Queries (Qi) Trapdoor Oracles IND-CR-KA game

Adversarial Models for PECK Challenger C C A select W* W* select random keyword set R (W* 無法區別來自哪個 trapdoor) pick β ∈ R {0,1} S β =PECK(pk,w β ), where w 0 =W*,w 1 =R SβSβ Phase 2 queries keyword sets Q d+1,…Q r Trapdoor (sk,Q i ): T Qi if T Qi 無法區別 w 0,w 1 T Qi Guess output β’ ∈ R {0,1} if β =β’ win the game Trapdoor Oracles Trapdoor Queries (Q i ≠w 0,w 1 )

Adversarial Models for PECK Adversary of adversary A  IC-CC-CKA  IC-CR-CKA In the IND-CC-CKA game the adversary A selects two target keyword sets, w 0 and w 1, and gives them to the challenger C. In the IND-CR-CKA game A selects a target keyword set w 0 and gives it to C.

Outline Introduction Preliminaries Proposed PECK Scheme Multi-user PECK System Conclusion

Proposed PECK Scheme KeyGen(1 k ): params=(G 1,G 2,ê,H 1 (·),H 2 (·),g),(pk,sk)  H 1 (·):{0,1} logw →G 1 ， H 2 (·):{0,1} logw →G 1 ， g is a generator of G 1  select x ∈ R Z p * ， compute y=g x ， (pk,sk)=(y,x) PECK(pk,W): S=(A,B,C 1,…,C l )  Sender select W={w 1,…,w 2 } ， s,r ∈ R Z p *  compute A=g r, B=y s, C i =h i r f i s, 1 ≦ i ≦ l,h i =H 1 (w i ), f i =H 2 (w i )

Proposed PECK Scheme Trapdoor (sk,Q): T Q =(T Q,1,T Q,2,T Q,3,I 1,…,I m )  select t ∈ R Z p *  compute T Q,1 =g t,T Q,2 =(h I1,…h Im ), T Q,3 =(f I1,…f Im ), where Q={I 1,…,I m } Test(pk,S,T Q ):  check

Outline Introduction Preliminaries  Generic Model for PECK  Adversarial Models for PECK Proposed PECK Scheme Multi-user PECK System Conclusion

mPECK scheme KeyGen(1 k ): params=(G 1,G 2,ê,H 1 (·),H 2 (·),g), (pk 1,sk 1 ),…,(pk n,sk n )  H 1 (·):{0,1} logw →G 1 ， H 2 (·):{0,1} logw →G 1 ， g is a generator of G 1  select x 1,…,x n ∈ R Z p * ， compute y i =g xi ， (pk i,sk i )=(y i,x i ) mPECK(pk 1,…,pk n,W): S=(A,B 1,…,B n,C 1,…,C l )  Sender select W={w 1,…,w 2 } ， s,r ∈ R Z p *  compute A=g r, B j =y j s, C i =h i r f i s, 1 ≦ i ≦ l, h i =H 1 (w i ), f i =H 2 (w i )

mPECK scheme Trapdoor (sk j,Q): T j,Q =(T j,Q,1,T j,Q,2,T j,Q,3,I 1,…,I m )  select t ∈ R Z p *  compute T j,Q,1 =g t,T j,Q,2 =(h I1,…h Im ) t, T j,Q,3 =(f I1,…f Im ) t/xj, where Q={I 1,…,I m } Test(pk j,S,T j,Q ):  check

Security game for mPECK C C A Setup Keygen(k):pk 1,,…,pk n sk 1,…, sk n ( 保有 ) pk 1,…,pk n, params Phase 1 queries a number of keyword sets Q 1,…Q d Trapdoor (sk j,Q i ) T j,Qi Trapdoor Queries (j,Q i ) Trapdoor Oracles

Adversarial Models for PECK Challenger C C A Select W* W* select random keyword set R (W* 無法區別來自哪個 trapdoor) pick β ∈ R {0,1} S β =PECK(pk 1,…,pk n,W β ), w 0 =W*,w 1 =R S β,w 0,w 1 Phase 2 queries keyword sets Q d+1,…Q r Trapdoor (sk j,Q i ): T j,Qi if T j,Qi 無法區別 w 0,w 1 T j,Qi Guess output β’ ∈ R {0,1} if β =β’ win the game Trapdoor Oracles Trapdoor Queries (j,Q i ≠w 0,w 1 )

Outline Introduction Preliminaries  Generic Model for PECK  Adversarial Models for PECK Proposed PECK Scheme Multi-user PECK System Conclusion

To send an encrypted message with conjunctive keyword search to n users, the sender has only to add B i from the recipient’s public keys. The server should separately store ciphertexts for each user. Introduce a new concept called a multi-user PECK scheme, which can achieve an efficient computation and communication overhead and effectively manage the storage in a server for a number of users.