Cryptography for Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan CRYPTOLOGY 2012, 4-6 June, Langkawi, Malaysia.


Cloud storage service (or online storage service) is now available on a commercial basis. Big Internet enterprises such as Google, Amazon and Yahoo provide such services.

The advantages are:
- Companies pay only for the storage they actually use.
- Companies do not need to install physical storage devices in their own data center.
- Storage maintenance tasks, such as backup, are offloaded to the service provider.

In Japan, after the big earthquake last year, many local governments are considering using cloud storage service to store their important data, which includes the original copy of family registers.

But there are potential threats:
- The number of people with access to the data who could be compromised (bribed or coerced) increases dramatically.
- It is possible for other customers to access your data, sometimes because of human error, faulty equipment, a bug or criminal intent.

In such systems, the role of cryptography is crucial.

A Searchable Symmetric Encryption (SSE) scheme consists of a store phase and a search phase.

In the store phase, a client stores encrypted files (or documents) on a server:
  Client -> Server: E(D_1), ..., E(D_N)

In the search phase, the client sends an encrypted keyword to the server:
  Client -> Server: E(keyword)

The server somehow returns the encrypted files E(D_3), E(D_6), E(D_10) which contain the keyword:
  Server -> Client: E(D_3), E(D_6), E(D_10)

So the client can retrieve the encrypted files which contain a specific keyword while keeping the keyword secret.

Passive attack: a malicious server breaks the privacy. She tries to find the keyword and the documents.

Active attack: a malicious server breaks the reliability. She tries to forge or delete some files, or to replace E(D_3) with another E(D_100).

The security against passive attacks has been studied by several researchers:
- Song, Wagner and Perrig
- Goh
- Bellovin and Cheswick
- Chang and Mitzenmacher

Finally, Curtmola, Garay, Kamara and Ostrovsky gave a rigorous definition of security against passive attacks. They also gave a scheme which satisfies their definition.

However, the security against active attacks has not been considered so far.

In this talk we
(1) extend the model of SSE to verifiable SSE,
(2) define the security against active attacks,
(3) formulate the UC-security,
(4) prove the equivalence between (2) and (3), and
(5) finally show a UC-secure scheme.

Overview:
  Privacy       Curtmola et al.
  Reliability   Our paper
  UC security   Our paper

Outline of this talk:
(1) Curtmola et al.'s scheme
(2) Our UC-secure scheme
(3) Our theoretical results

Curtmola et al. showed a scheme such as follows. (It is secure against passive attacks.) Consider the following Index:

  keyword       documents
  Austin        D_3, D_6, D_10
  Boston        D_8, D_10
  Washington    D_1, D_4, D_8

The client first constructs E(Index) as follows. He first chooses a pseudorandom permutation π.

He next computes π(Austin, 1), π(Austin, 2) and π(Austin, 3), and writes the indexes (3, 6, 10) at these addresses of E(Index):

  address         content
  π(Austin, 1)    3
  π(Austin, 2)    6
  π(Austin, 3)    10

He does the same for each keyword (π(Boston, 1), π(Boston, 2), and so on).

In the store phase, the client stores E(D_1), ..., E(D_N) and E(Index) on the server.

In the search phase, the client sends the trapdoor
  t(Austin) = (π(Austin, 1), π(Austin, 2), π(Austin, 3)).

The server looks up these addresses in E(Index) and sees that the corresponding indexes are 3, 6, 10. Hence the server can return E(D_3), E(D_6), E(D_10).

This scheme is secure against passive attacks, but it is not secure against active attacks.

A naive approach is to add a MAC to each E(D_i). The server returns these files together with their MACs:
  E(D_3), MAC(E(D_3)), E(D_6), MAC(E(D_6)), E(D_10), MAC(E(D_10))

But a malicious server will replace some pair with another pair E(D_100), MAC(E(D_100)). The client cannot detect this cheating, because this is a valid (ciphertext, MAC) pair.

The proposed scheme: we include π(Austin, 1) in the input of the MAC. So the server returns
  E(D_3), Tag_3 = MAC(π(Austin, 1), E(D_3))

This method works because the MAC binds the query and the answer pair.

More precisely, the client writes such MAC values in E(Index) and stores it on the server:

  address         content
  π(Austin, 1)    3,  tag_3  = MAC(π(Austin, 1), E(D_3))
  π(Austin, 2)    6,  tag_6  = MAC(π(Austin, 2), E(D_6))
  π(Austin, 3)    10, tag_10 = MAC(π(Austin, 3), E(D_10))

For a query π(Austin, 1), the server returns E(D_3) and tag_3 = MAC(π(Austin, 1), E(D_3)). The client checks the validity of tag_3 against π(Austin, 1) and E(D_3). The details are written in the paper.

Another subtle point: if 3 appears many times in E(Index), the adversary sees that D_3 includes more keywords than the other documents.

Hence the index i of each D_i should appear the same number of times. Curtmola et al. did not show such a method.

We solve this problem as follows. Suppose that there are 5 documents and the Index is

  keyword       documents
  Austin        D_1, D_2
  Boston        D_3, D_4
  Washington    D_5

Since Austin appears in {D_1, D_2}, we consider the list (1, 2, dummy, dummy, dummy) for Austin.

We consider another list (dummy, dummy, 3, 4, 5) which includes the remaining indexes (3, 4, 5).

E(Index) is constructed by permuting these entries randomly using a PRP π as follows:

  address            content
  π(0, Austin, 1)    1
  π(0, Austin, 2)    2
  π(0, Austin, 3)    dummy
  π(0, Austin, 4)    dummy
  π(0, Austin, 5)    dummy
  π(1, Austin, 1)    dummy
  π(1, Austin, 2)    dummy
  π(1, Austin, 3)    3
  π(1, Austin, 4)    4
  π(1, Austin, 5)    5

In the search phase, the client sends π(0, Austin, *) to the server, and the server returns the corresponding contents.

Now each i ∈ {1, 2, 3, 4, 5} appears once for each keyword in E(Index).

Later we will prove that our scheme is UC-secure. Hence it is secure against active attacks.

Our theoretical results:
(1) Extend the model of SSE to verifiable SSE.
(2) Define the security against active attacks.
(3) Formulate the UC-security.
(4) Prove the equivalence between (2) and (3).
(5) Finally, show a UC-secure scheme.

A verifiable SSE consists of 6 algorithms: KeyGen, Enc, Trapdoor, Search, Verify, Dec.

In the store phase, the client first generates a key K ← KeyGen(1^k) and keeps it secret.

The client next chooses
  D = {set of documents} = {D_1, ..., D_N}
  W = {set of keywords}
and computes, by using Enc_K,
  C = {E(D_1), ..., E(D_N)}
  I = E(Index).
Then the client sends C and I to the server.

In the search phase, the client chooses a keyword and computes, by using the Trapdoor algorithm with K,
  t(keyword) = [π(0, keyword, 1), ..., π(0, keyword, N)]
(for example t(Austin) = [π(0, Austin, 1), ..., π(0, Austin, N)]). Then the client sends t(keyword) to the server.

The server receives t(keyword) and, by using the Search algorithm on C and I, computes
  C(keyword) = {E(D_3), E(D_6), E(D_10)} and Tag
(in this example the keyword is included in D_3, D_6 and D_10). Then the server returns C(keyword) and Tag to the client.

Then the client runs the Verify algorithm on input K, t(keyword), C(keyword) and Tag, and obtains Accept or Reject.

If Accept, the client decrypts C(keyword) with Dec_K and obtains the documents D_3, D_6, D_10 which contain the keyword.
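The store and search phases described above, as an added worked example in Python (this is not code from the talk or the paper). It models the six algorithms with standard-library primitives only, so several choices are assumptions made here for illustration: the addresses π(b, keyword, i) are HMAC-SHA256 labels (a PRF used in place of the PRP), the MAC is HMAC-SHA256 over (address, ciphertext), E is counter mode with HMAC-SHA256 as the PRF (any CPA-secure encryption would do), dummy slots carry an empty payload and are tagged like real ones, and the five-document corpus is constructed sample data. demo() also replays the two earlier points of the talk: the naive tag MAC(E(D_i)) accepts a swapped-in E(D_5), the tag bound to the queried address rejects it (and rejects a deleted entry), and every document number appears exactly once per keyword in E(Index).

```python
import hmac
import hashlib
import os

DUMMY = b""  # dummy slots carry an empty payload; a real ciphertext is never shorter than its 16-byte nonce


def prf(key, *parts):
    """HMAC-SHA256 over length-prefixed parts; used for addresses, tags and the keystream."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        p = p if isinstance(p, bytes) else str(p).encode()
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def KeyGen():
    """Independent keys for the address PRF pi, the MAC and the encryption E."""
    return {"pi": os.urandom(32), "mac": os.urandom(32), "enc": os.urandom(32)}


def E(key, msg):
    """CPA-secure stand-in for E (assumption): counter mode with HMAC-SHA256 as the PRF."""
    nonce = os.urandom(16)
    stream = b"".join(prf(key, nonce, i) for i in range((len(msg) + 31) // 32))
    return nonce + bytes(a ^ b for a, b in zip(msg, stream))


def Dec(key, ct):
    nonce, body = ct[:16], ct[16:]
    stream = b"".join(prf(key, nonce, i) for i in range((len(body) + 31) // 32))
    return bytes(a ^ b for a, b in zip(body, stream))


def Enc(K, docs, index):
    """Store phase. docs = [D_1, ..., D_N]; index = {keyword: set of document numbers}.
    Returns C = [E(D_1), ..., E(D_N)] and E(Index) = {address: (ciphertext or DUMMY, tag)}.
    For each keyword, list 0 holds the hits and list 1 their complement, both padded with
    dummies to length N, so every document number appears exactly once per keyword."""
    N = len(docs)
    C = [E(K["enc"], d) for d in docs]
    enc_index = {}
    for kw, hits in index.items():
        for b in (0, 1):
            for i in range(1, N + 1):
                ct = C[i - 1] if (i in hits) == (b == 0) else DUMMY
                addr = prf(K["pi"], b, kw, i)
                enc_index[addr] = (ct, prf(K["mac"], addr, ct))  # tag binds the address to its answer
    return C, enc_index


def Trapdoor(K, kw, N):
    return [prf(K["pi"], 0, kw, i) for i in range(1, N + 1)]


def Search(enc_index, t):
    """Honest server: the stored (ciphertext, tag) pair for every queried address."""
    return [enc_index[a] for a in t]


def Verify(K, t, answer):
    """Client: exactly one answer per address, each tag recomputed over that address and ciphertext."""
    return len(answer) == len(t) and all(
        hmac.compare_digest(tag, prf(K["mac"], a, ct)) for a, (ct, tag) in zip(t, answer))


def Retrieve(K, t, answer):
    """Verify, then decrypt the non-dummy ciphertexts; None if the server cheated."""
    if not Verify(K, t, answer):
        return None
    return [Dec(K["enc"], ct) for ct, _ in answer if ct != DUMMY]


def naive_verify(K, answer):
    """The naive fix from the talk: tags over E(D_i) alone, not bound to the query."""
    return all(hmac.compare_digest(tag, prf(K["mac"], ct)) for ct, tag in answer)


def demo():
    """Constructed 5-document, 3-keyword corpus (sample data, not from the talk)."""
    K = KeyGen()
    docs = [b"one Austin", b"two Austin", b"three Boston", b"four Boston", b"five Washington"]
    index = {"Austin": {1, 2}, "Boston": {3, 4}, "Washington": {5}}
    C, I = Enc(K, docs, index)
    t = Trapdoor(K, "Austin", len(docs))
    honest = Search(I, t)
    # Malicious server swaps the first Austin hit for D_5:
    # in the naive scheme together with the naive tag MAC(E(D_5)), which it also holds, ...
    naive_swapped = [(C[4], prf(K["mac"], C[4]))] + [(ct, prf(K["mac"], ct)) for ct, _ in honest[1:]]
    # ... in the proposed scheme with the genuine tag stored for E(D_5) under some other address.
    bound_swapped = [next(v for v in I.values() if v[0] == C[4])] + honest[1:]
    return {
        "honest": Retrieve(K, t, honest) == [docs[0], docs[1]],
        "naive_accepts_swap": naive_verify(K, naive_swapped),
        "bound_accepts_swap": Verify(K, t, bound_swapped),
        "deletion_accepted": Verify(K, t, honest[:-1]),
        "per_keyword_occurrences": sorted(sum(1 for ct, _ in I.values() if ct == c) for c in C),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the dictionary: the honest run retrieves D_1 and D_2, the naive check accepts the substituted pair, the address-bound check rejects both the substitution and the truncated answer, and every ciphertext occurs three times in E(Index) (once per keyword), which is the padding property the talk asks for.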

The security against active attacks consists of privacy and reliability. We define privacy similarly to Curtmola et al. That is:

In the store phase, the client sends E(D_1), ..., E(D_N) and E(Index). The server will learn |D_1|, ..., |D_N| and |{keywords}| from what she received.

In the search phase, for t(keyword) the server returns C(keyword) = (E(D_3), E(D_6), E(D_10)) and Tag. This means that the server knows the corresponding indexes {3, 6, 10}.

To summarize, the server learns
- |D_1|, ..., |D_N| and |{keywords}|, and
- the indexes {3, 6, 10} which correspond to a queried keyword.

The privacy definition requires that the server should not be able to learn any more information. To formulate this, we consider a real game and a simulation game.

In the real game, the distinguisher sends D = {D_1, ..., D_N} and W = {set of keywords} to the client and receives C = {E(D_1), ..., E(D_N)} and I = E(Index). Next, the distinguisher sends a keyword to the client and receives t(keyword); this is repeated. Finally, the distinguisher outputs b = 0 or 1.

In the simulation game, the distinguisher sends D and W to the client, but the simulator receives only |D_1|, ..., |D_N| and |{keywords}| and somehow computes C and I. Next, for each keyword the distinguisher sends, the simulator receives only the corresponding indexes {3, 6, 10} and somehow computes t(keyword); this is repeated. Finally, the distinguisher outputs b = 0 or 1.

Definition of privacy: we say that a verifiable SSE satisfies privacy if there exists a simulator such that
  |Pr(b = 1 in Real) - Pr(b = 1 in Simulation)|
is negligible for any distinguisher.

The definition of Curtmola et al. requires that for any distinguisher, there exists a simulator such that |Pr(b = 1 in Real) - Pr(b = 1 in Simulation)| is negligible. In this definition, the simulator depends on the distinguisher.

Our definition is slightly stronger than that of Curtmola et al. because in our definition the simulator is independent of the distinguisher. This small change is important when we prove the equivalence with the UC-security.

Next, reliability. The client sends t(keyword), and the honest server returns C(keyword) = {E(D_3), E(D_6), E(D_10)} and Tag.

We say that C(keyword)* is invalid for t(keyword) if C(keyword)* ≠ C(keyword).

We say that Server* wins if she can return (C(keyword)*, Tag*) for some t(keyword) such that
(1) C(keyword)* is invalid, and
(2) the client accepts (C(keyword)*, Tag*).

Definition of reliability: we say that a verifiable SSE satisfies reliability if Pr(Server* wins) is negligible for any Server*, any D = {set of documents}, any W = {set of keywords} and any queried keyword.

In general, even if a protocol π is secure, it may not be secure if π is executed concurrently, or if π is a part of a larger protocol (for example, Client 1 and Client 2 both talking to the same Server).

Universal Composability (UC) is a framework which guarantees that a protocol π is secure even if π is executed concurrently, and even if π is a part of a larger protocol.

The notion of UC was introduced by Canetti. He proved that UC-security is maintained under a general protocol composition.

In the UC framework we consider a real world and an ideal world:
  real world:    a protocol π
  ideal world:   an ideal functionality F_π
In the ideal world, there exists an ideal functionality. A protocol π is UC-secure if the real world is indistinguishable from the ideal world.

We define an ideal functionality F_vSSE of verifiable SSE as follows.

In our case, the ideal world consists of the environment Z, a dummy client, a dummy server, the ideal functionality F_vSSE and the UC adversary S.

First, in the store phase, Z sends D = {D_1, ..., D_N} and W = {set of keywords} to the dummy client. The dummy client relays them to F_vSSE. Our F_vSSE sends |D_1|, ..., |D_N| and |{keywords}| to the UC adversary S.

Next, in the search phase, Z sends a keyword to the dummy client. The dummy client relays it to F_vSSE. Our F_vSSE sends the corresponding indexes {3, 6, 10} to S.

The UC adversary S returns Accept or Reject.

If S returns Reject, our F_vSSE sends Reject to the dummy client, and the dummy client relays it to Z.

If S returns Accept, our F_vSSE sends {D_3, D_6, D_10} to the dummy client, and the dummy client relays them to Z.

So Z receives {D_3, D_6, D_10} correctly, or Reject.

This is an ideal world because
(1) the dummy client receives {D_3, D_6, D_10}, which contain the keyword, correctly, or receives Reject, and
(2) the UC adversary S learns only |D_1|, ..., |D_N|, |{keywords}| and the indexes {3, 6, 10} for a queried keyword.

Further, S can corrupt the dummy server. Also, Z can interact with S freely. Z finally outputs 0 or 1.

In the real world, Z sends D = {set of documents} and W = {set of keywords} to the client. Then the client and the server run the store phase of a verifiable SSE protocol.

In the search phase, Z sends a keyword to the client. The client and the server run the search phase of the verifiable SSE protocol. The client sends his output (D_3, D_6, D_10, or Reject) to Z.

An adversary A can corrupt the server. Further, Z can interact with A freely. Z finally outputs 0 or 1.

We say that a verifiable SSE protocol is UC-secure if for any adversary A, there exists a UC-adversary S such that no environment Z can distinguish the real world from the ideal world.

Equivalence (Theorem): a verifiable SSE protocol is UC-secure if and only if it satisfies our definition of privacy and reliability. Here we consider static adversaries.

This means that the security of a verifiable SSE protocol is maintained under a general protocol composition if it satisfies our privacy and reliability (for example, with Client 1 and Client 2 sharing the same Server).

Finally, we prove that our scheme is UC-secure. We assume that
- the encryption algorithm E is CPA secure, and
- the MAC is unforgeable against chosen message attack.

Theorem: our scheme satisfies privacy and reliability of our definition.

Proof of privacy: suppose that there are 5 documents and 3 keywords. We must show a simulator Sim such that the simulation game is indistinguishable from the real game.

In the store phase, Sim receives |D_1|, ..., |D_5| and |{keywords}| = 3. Then it must compute C = {E(D_1), ..., E(D_5)} and E(Index).

Our Sim computes C as C = {E(random), ..., E(random)}. If E is secure,
  {E(D_1), ..., E(D_5)} ≈ {E(random), ..., E(random)}.

Next, Sim constructs E(Index) as a random permutation of this table (10 entries per keyword, 30 in total):

  address  content | address  content | address  content
  π(1)     1       | π(11)    1       | π(21)    1
  π(2)     2       | π(12)    2       | π(22)    2
  π(3)     3       | π(13)    3       | π(23)    3
  π(4)     4       | π(14)    4       | π(24)    4
  π(5)     5       | π(15)    5       | π(25)    5
  π(6)     dummy   | π(16)    dummy   | π(26)    dummy
  π(7)     dummy   | π(17)    dummy   | π(27)    dummy
  π(8)     dummy   | π(18)    dummy   | π(28)    dummy
  π(9)     dummy   | π(19)    dummy   | π(29)    dummy
  π(10)    dummy   | π(20)    dummy   | π(30)    dummy

Since π is a PRP, this Index ≈ the real Index.

In the search phase, suppose that Sim receives the indexes {1, 3, 5} for the first queried keyword. In the 1st column, Sim finds {1, 3, 5, dummy, dummy} and returns their addresses. That is,
  t(keyword) = [π(1), π(3), π(5), π(6), π(7)].

Next, suppose that Sim receives {2, 4} for the second queried keyword. In the 2nd column, Sim finds {2, 4, dummy, dummy, dummy} and returns their addresses. That is,
  t(keyword) = [π(12), π(14), π(16), π(17), π(18)].

This is indistinguishable from the real game. Hence our scheme satisfies privacy.

Proof of reliability: suppose that there exists a Server* who can forge, i.e. who returns some (C(keyword)*, Tag*) with C(keyword)* invalid that the client accepts. We show a forger A who can break the MAC by a chosen message attack.

A runs Server* by playing the role of the client. A uses his MAC oracle to compute the tags X that the client would compute with the MAC key.

We can show that A never queried C(keyword)* to the MAC oracle, so (C(keyword)*, Tag*) is a fresh valid pair. This means that A succeeds in breaking the MAC.

Hence our scheme satisfies reliability.

Corollary: our scheme is UC-secure.

Summary:
  Privacy       Curtmola et al.
  Reliability   Our paper
  UC security   Our paper

A preliminary version was presented at Financial Cryptography 2012. The paper is available from the homepage of FC.

Thank you!!