Searchable Symmetric Encryption :Improved Definitions and Efficient Constructions Reza Curtmola Juan Garay Seny Kamara Rafail Ostrovsky

OUTLINE Searchable Symmetric Encryption Revisiting SSE security definitions SEE-1(non-adaptive) SEE-2(adaptive) Multi-user Searchable Encryption 證明

Revisiting SSE security definitions “ A secure SSE scheme should not leak anything beyond the outcome of a search ” – “ search outcome ” : memory addresses of documents that contain a hidden keyword – Important to note: different keyword requests may lead to the same search outcome – “ search pattern ” : whether two queries were for the same keyword or not A (slightly) better intuition – “ A secure SSE scheme should not leak anything beyond the outcome and the pattern of a search ”

SSE Algorithms Keygen(1 k ): outputs symmetric key K (by user) BuildIndex(K, {D 1,..., D n }): outputs secure index I (by user) Trapdoor(K, w): outputs a trapdoor T w (by user) Search(I, T w ): outputs identifiers of documents containing w (id 1,..., id m ) (by server)

SSE client can upload additional “ encrypted ” data structures to help search Index Keyword server

Our model History: documents and keywords View: encrypted documents, index, trapdoors Trace: length of documents, search outcomes, search pattern

Our intuition Previous intuition – “A secure SSE scheme should not leak anything beyond the outcome and the pattern of a search” A more “formal intuition” – “any function about the documents and the keywords that can be computed from the encrypted documents, the index and the trapdoors can be computed from the length of the documents, the search outcomes and the search pattern

What is adaptiveness? Non-adaptive :adversaries make search queries without seeing the outcome of previous searches Adaptive :adversaries can make search queries as a function of the outcome of previous searches (Note)The user may or may not generate its word queries depending on the outcome of previous searches We call queries that do depend on previous search outcomes adaptive

Non-Adaptive Adaptive (new) [SWP00,Goh03,CM05,...] SI w1w1 w2w2 w3w3 w4w4 w2w2 w1w1 w3w3

Non-adaptive SSE construction Server Index KeywordTrapdoor D id

Index 是由 2 種 data structure 製作 -Array A and look-up table T D id L i T |△||△| |D(w)|

一些符號定義 Let △ = {w 1,...,w d } be a dictionary of d words, and 2 △ be the set of all possible documents. let D ⊆ 2 △ be a collection of n documents D = (D 1,...,D n ) and 2 2 △ be the set of all possible document collections. Let id(D) be the identifier of document D D(w) (the set of identifiers of documents containing w) as the outcome of a search for w and to the sequence (D(w 1 ),...,D(w n )) as the access pattern of a client

Example D={D 1,D 2,D 3 },w={w 1,w 2, …,w 5 } 假設 D(w 1 )={D 1,D 3 },D(w 2 )={D 1,D 2 }, D(w 3 )={D 2,D 3 },D(w 4 )={D 1 },D(w 5 )={D 2 } 建立 index A: T: W 5 W 2 W 4 W 3 W D 3 ||null D 2 ||4 D 2 ||null D 2 ||null D 1 ||null D 1 ||2 D3||null D 1 ||7

Seaching: P: Pseudo Random Permutation F: Pseudo Random Function addr = P(w3) key = F(w3) Trapdoor = (addr, key)=(4,5) => D 2,D 3

Adaptive SSE construction

比較

Secure updates 新舊 document collection combine 後重新 建立 index, 因此得到新的 document collection and 新的 index

Multi-user Searchable Encryption 由 6 個 polynomial-time algorithms 組成 MKeygen(1 k ) is a probabilistic key generation algorithm that is run by the owner O to setup the scheme.It takes a security parameter k, and returns an owner secret key, K O. MBuildIndex(K O,D) is run by O to construct indexes. It takes the owner ’ s secret key K O and a document collection D as inputs, and returns an index I.

N:a set of users G  N:the set of users allowed to search AddUser(K O,U) is run by O whenever it wishes to add a user to the group G. It takes the owner ’ s secret key K O and a user U as inputs, and returns U ’ s secret key, K U RevokeUser(K O,U) is run by O whenever it wishes to revoke a user from G. It takes the owner ’ s secret key K O and a user U as inputs, and revokes the user ’ s searching privileges

MTrapdoor(K U,w) is run by a user (including O) in order to generate a trapdoor for a given word. It takes a user U ’ s secret key K U and a word w as inputs, and returns a trapdoor T U, w MSearch(ID, T U, w ) is run by the server S in order to search for the documents in D that contain word w. It takes the index ID for collection D and the trapdoor T U, w for word w as inputs, and returns D(w) if user U  G and  if user U  G

證明

proof: 由紀銘偉大大白板講解