New Efficient Searchable Encryption Schemes from Bilinear Pairings Author:Chunxiang Gu and Yuefei Zhu International Journal of Network Security, 2007 Presenter: 李宗諺
Outline Introduction Preliminaries PEKS IND-CKA A New PEKS Scheme from Pairing Conclusion
Introduction
Outline Introduction Preliminaries PEKS IND-CKA A New PEKS Scheme from Pairing Conclusion
Preliminaries (1/4) In 2004, Boneh et.al Public Key Encryption with Keyword Search four polynomial-time algorithms: KeyGen Trapdoor PEKS Test
Preliminaries (2/4) KeyGen : Take as input a security parameter λ, generate a public/private key pair (pk,sk). (pk,sk)=KeyGen(λ) Trapdoor : Take as input the receiver ’ s private key sk and a word W, produce a trapdoor Tw. Tw=Trapdoor(sk,W)
Preliminaries (3/4) PEKS: Take as input the receiver ’ s public key pk and a word W, produce a searchable encryption of W. C = PEKS( pk, W) Test: Take as input the receiver ’ s public key pk, a searchable encryption C = PEKS(pk,W ’ ), and a trapdoor Tw = Trapdoor(sk,W), output 1 ( “ yes ” ) if W = W ’ and 0 ( “ no ” ) otherwise. Test( pk,PEKS(pk,W),Tw )=1
Preliminaries (4/4) Sever Tw 加密過的訊息 傳回使用者 所需的文件 Alice Bob 1.λ KeyGan (pk,sk)2.C=PEKS( A pk,W ) 3.Tw= Trapdoor(A sk , W) 4. Test(Apk , C , Tw) ?= 1
Outline Introduction Preliminaries PEKS IND-CKA A New PEKS Scheme from Pairing Conclusion
Preliminaries Indistinguishability of PEKS against chosen keyword attack (IND-CKA) KeyGen Phase 1 Challenge Phase 2 Guess
IND-CKA (1/6) KeyGen The challenger runs the KeyGen(λ) algorithm to generate(pk,sk). It gives pk to the attacker. challengerattacker λ KeyGen (pk,sk) pk
IND-CKA (2/6) Phase 1 The attacker ask the challengger for the trapdoor Tw for any keyword W ∈ {0,1}* Challenge The attacker A sends the challenger two words W 0,W 1. The challenger picks a random b ∈ {0,1} and gives the attacker C = PEKS( pk, W)
IND-CKA (3/6) challengerattacker λ KeyGen (pk,sk) pk W 0,W 1 b ∈ {0,1} C = PEKS( pk, W b )
IND-CKA (4/6) Phase 2 The attacker can continue to ask for trapdoors Tw for any keyword W of his choice as long as W≠W 0,W 1 Guess The attacker A outputs b ’ ∈ {0,1} and wins the game if b = b ’
IND-CKA (5/6) challengerattacker λ KeyGen (pk,sk) pk W 0,W 1 b ∈ {0,1} C = PEKS( pk, W b ) b ‘ ∈ {0,1} b?=b ’ b’b’
Preliminaries ( G 1, + ) and ( G 2, ‧ ) be two cyclic groups of prime order q e : G 1 × G 1 → G 2 be a map which satisfies the following properties Bilinear Pairings Bilinear: Non-degenerate: If P is a generator of G 1,then e(P,P) is a generator of G 2 Computable: There is an efficient algorithm to compute e(P,Q) for any P,Q ∈ G 1
Preliminaries BDH problem: P,aP,bP,cP ∈ G 1 P,aP,bP,cP = e(P,P) abc k – BDHI problem:
Outline Introduction Preliminaries PEKS IND-CKA A New PEKS Scheme from Pairing Conclusion
A New PEKS Scheme from Pairings (1/5) The Scheme ( G 1, + ) and ( G 2, ‧ ) be two cyclic groups of prime order q e : G 1 × G 1 → G 2 be an admissible bilinear pairing H 1 :{0,1}* → Z q * and H 2 : G 2 →{0,1} log q P is a generator of G 1 μ = e ( p, p )
A New PEKS Scheme from Pairings (2/5) KeyGen : Pick a random x ∈ Z q * compute X = xP Output pk =X and sk = x.
A New PEKS Scheme from Pairings (3/5) Trapdoor: Take as input secret key x and keyword W Output Tw = (H 1 (W)+x) -1 P PEKS : Take as input public key X and a keyword W Select randomly r ∈ Z q * compute U = rH 1 (W)P+rX, c = H 2 (μ r ) Output (U,c)
A New PEKS Scheme from Pairings (4/5) Test Input public key X, searchable encryption cipher- text(U,c) and trapdoor Tw Test if H 2 (e(Tw,U)) = c If so,output 1 Otherwise,out put 0.
A New PEKS Scheme from Pairings (5/5) Consistency H 2 (e(Tw,U)) = H 2 (e((H 1 (W)+x) -1 P, rH 1 (W)P+rX)) = H 2 (e((H 1 (W)+x) -1 P, r(H 1 (W)+x)P) = H 2 (e((P,P) r ) = c Tw = (H 1 (W)+x) -1 P U = rH 1 (W)P+rX X = xP μ = e ( p, p ) c = H 2 (μ r )
Outline Introduction Preliminaries PEKS IND-CKA A New PEKS Scheme from Pairing Conclusion
Conclusion In this paper, we propose a new PEKS scheme based on bilinear pairings. There is no pairing operation involved in the encryption, so new PEKS scheme is more efficient than the scheme of Boneh et.al.