Public Key Encryption with Keyword Search

Presentation transcript:

Public Key Encryption with Keyword Search
Authors: D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano
Presented by Brijesh

Mobile People Architecture (Stanford)
MPA focuses on people (and not devices) as endpoints of communication. A personal proxy maintains a list of devices a person is currently reachable on and routes messages based on urgency, keywords, etc.

MPA (simple example)
[Diagram labels: Mail server; Proxy manager; Devices (A is currently reachable on): pager, Email (desktop); messages: To A, M, "urgent" and To A, M, "lunch".]
The server gets to read all messages and the keywords! How to secure email without violating user privacy?

Basic Problem
[Diagram labels: B sends email encrypted under $A_{pub}$; Mail server / Gateway (stores only encrypted emails); A supplies $T_w$ (trapdoor for keyword w); the server's answer is yes/no.]
Now the server can't read the messages. Problem: how does the server check for keywords in the encrypted mail?

Basics
B sends to the mail server:
$[E_{A_{pub}}[msg],\ PEKS(A_{pub}, W_1),\ PEKS(A_{pub}, W_2),\ \ldots,\ PEKS(A_{pub}, W_k)]$
The first component is the encrypted mail for A; it is followed by a PEKS for each keyword.

Goals
Given a searchable encryption of the keyword w’ by B and a trapdoor for w by A, the server should be able to find all messages having keyword w’ (if w’ = w) and learn nothing more about the keywords. Also, the server shouldn’t learn anything about the encrypted email itself.

PEKS Definitions
Polynomial-time randomised algorithms:
KeyGen(s) → $A_{pub}$, $A_{priv}$
PEKS($A_{pub}$, W) → searchable encryption of W
Trapdoor($A_{priv}$, W) → trapdoor $T_W$
Test($A_{pub}$, S, $T_W$) → Yes if W = W’, No otherwise (where S = PEKS($A_{pub}$, W’))

Sample Application
The mail server stores all incoming mails M1, M2, ..., Mn.
[Diagram labels: the encrypted query [Search mail with keyword “urgent”]enc goes to the server; the result is M2, M5, M13.]
The server doesn’t learn anything about the messages!

Construction using Bilinear Maps
$e(g^x, g^y) = e(g,g)^{xy}$
If $g$ is a generator of $G_1$, then $e(g,g)$ is a generator of $G_2$.
$e$ is a polynomial-time algorithm.

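Construction using Bilinear Maps
KeyGen: pick a random $\alpha$; $A_{pub} = [g, h = g^{\alpha}]$, $A_{priv} = \alpha$.
PEKS($A_{pub}$, w): the sender picks a random $r$ and computes $t = e(H_1(w), h^r)$, where $H_1: \{0,1\}^* \to G_1$.
Output $S = [A, B] = [g^r, H_2(t)]$.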

Construction using Bilinear Maps
Trapdoor($A_{priv}$, w): output $T_w = H_1(w)^{\alpha} \in G_1$.
Test: check whether $H_2(e(T_w, A)) = B$,
or $H_2(e(T_w, A)) = H_2(t)$,
or $e(T_w, A) = t$,
or $e(T_w, g^r) = t$ (left-hand side: receiver; right-hand side: sender).

Construction using Bilinear Maps - Testing
$H_1: \{0,1\}^* \to G_1$, so we can write $H_1(w)$ as $g^m$.
$e(T_w, g^r) = e(H_1(w)^{\alpha}, g^r) = e(g^{m_1 \alpha}, g^r) = e(g,g)^{m_1 \alpha r}$
$t = e(H_1(w), h^r) = e(g^{m_2}, g^{\alpha r}) = e(g,g)^{m_2 \alpha r}$
If the $T_w$ and the PEKS correspond to the same w, there is a match (as $m_1 = m_2$).
We have managed to check for keywords in encrypted messages without allowing the server to learn anything about the messages or the keywords.

Construction using Bilinear Maps
We need $H_1$ as it maps keywords onto $G_1$.
The sender chooses a random $r$ each time for each keyword. The choice of $r$ is independent of the receiver.
Does $H_2$ provide any benefit? It wasn’t included in the original construction.
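The KeyGen / PEKS / Trapdoor / Test flow from the bilinear-map slides, as an added example that is not part of the original presentation. It assumes a stand-in "pairing": each $G_1$ element $g^a$ is stored as its exponent $a$ modulo a prime Q, so the public key trivially reveals $\alpha$ and the code has no security; it only shows the algebra and the server-side filtering. The names `power`, `pair`, `matches` and `server_search` are hypothetical.

```python
# Added illustration of the PEKS algebra; NOT a secure implementation.
# Assumption: a G1 element g^a is stored as its exponent a mod the prime Q and
# the "pairing" multiplies exponents. Real PEKS needs a pairing-friendly curve.
import hashlib
import secrets

Q = 2**127 - 1                      # prime group order
G = 1                               # g = g^1 in exponent form

def power(u, x):                    # u^x in G1
    return (u * x) % Q

def pair(u, v):                     # e(g^a, g^b) = e(g,g)^(ab)
    return (u * v) % Q

def H1(word):                       # H1: {0,1}* -> G1, never the identity
    d = hashlib.sha256(b"H1" + word.encode()).digest()
    return int.from_bytes(d, "big") % (Q - 1) + 1

def H2(t):                          # H2: G2 -> fixed-length string
    return hashlib.sha256(b"H2" + t.to_bytes(16, "big")).hexdigest()

def keygen():
    alpha = secrets.randbelow(Q - 1) + 1
    return (G, power(G, alpha)), alpha      # A_pub = [g, h = g^alpha], A_priv

def peks(a_pub, word):
    g, h = a_pub
    r = secrets.randbelow(Q - 1) + 1        # fresh random r per keyword
    t = pair(H1(word), power(h, r))         # t = e(H1(w), h^r)
    return power(g, r), H2(t)               # S = [A, B] = [g^r, H2(t)]

def trapdoor(a_priv, word):
    return power(H1(word), a_priv)          # T_w = H1(w)^alpha

def matches(s, t_w):                        # Test: H2(e(T_w, A)) == B
    a, b = s
    return H2(pair(t_w, a)) == b

def server_search(mailbox, t_w):
    """Ids of mails carrying a PEKS value that matches the trapdoor."""
    return [mid for mid, tags in mailbox.items()
            if any(matches(s, t_w) for s in tags)]

# Constructed sample: B tags three mails for A; message bodies are omitted.
A_PUB, A_PRIV = keygen()
MAILBOX = {"M2": [peks(A_PUB, "urgent"), peks(A_PUB, "budget")],
           "M3": [peks(A_PUB, "lunch")],
           "M5": [peks(A_PUB, "urgent")]}
```

Because $r$ is fresh for every call, two PEKS values for the same keyword differ, so the server cannot group mails by keyword until A hands it a trapdoor.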

Construction using any trapdoor permutation
Assumptions:
The number of keywords is bounded by some polynomial function in the security parameter.
We need a public key system that is source indistinguishable: it should be computationally hard to say which public key a ciphertext is associated with.

Construction using any trapdoor permutation
For each keyword w, generate $PK_w$ and $Priv_w$.
PEKS: output $(M, E[PK_w, M])$, where M is random for keyword w.
Trapdoor: for keyword w, $T_w = Priv_w$.
Test: if decryption gives M again, output Yes, else No.
Hence, the number of keywords has to be limited.
It relies on source indistinguishability of the encryptions.
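The per-keyword key-pair construction above, as an added example that is not part of the original presentation. It assumes textbook ElGamal in $Z_P^*$ with toy parameters as a stand-in for the source-indistinguishable public-key system; the function names and the dictionary are hypothetical.

```python
# Added illustration of the per-keyword key-pair construction; toy parameters.
# Assumption: textbook ElGamal in Z_P^* stands in for the
# source-indistinguishable public-key system the slide asks for.
import secrets

P = 2**127 - 1   # Mersenne prime modulus (toy size)
G = 3

def elgamal_keygen():
    x = secrets.randbelow(P - 2) + 1
    return pow(G, x, P), x

def elgamal_enc(pk, m):
    k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), (m * pow(pk, k, P)) % P

def elgamal_dec(sk, c):
    c1, c2 = c
    return (c2 * pow(c1, P - 1 - sk, P)) % P   # c2 / c1^sk

def keygen(dictionary):
    """One key pair per keyword: A_pub and A_priv grow with the dictionary."""
    pairs = {w: elgamal_keygen() for w in dictionary}
    a_pub = {w: pk for w, (pk, _) in pairs.items()}
    a_priv = {w: sk for w, (_, sk) in pairs.items()}
    return a_pub, a_priv

def peks(a_pub, word):
    if word not in a_pub:                      # the bounded-keyword limitation
        raise KeyError(f"{word!r} is outside the fixed keyword dictionary")
    m = secrets.randbelow(P - 1) + 1           # random M
    return m, elgamal_enc(a_pub[word], m)      # (M, E[PK_w, M])

def trapdoor(a_priv, word):
    return a_priv[word]                        # T_w = Priv_w

def matches(s, t_w):                           # Test from the slide
    m, c = s
    return elgamal_dec(t_w, c) == m            # Yes iff decryption returns M

# Constructed sample dictionary.
A_PUB, A_PRIV = keygen(["urgent", "lunch"])
```

The public key holds one entry per dictionary word, which is why the keyword set must be fixed and polynomially bounded at KeyGen time.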

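PEKS Security Game
Semantically secure against adaptive chosen keyword attack.
The attacker submits two keywords $W_0$, $W_1$.
The attacker receives PEKS($A_{pub}$, $W_b$) for a random $b \in \{0,1\}$.
The attacker outputs a guess $b'$. If $b' = b$, the attacker wins.
Can have many rounds.
$Adv_A(s) = |\Pr[b' = b] - 1/2|$ is very small.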

Issues
The sender of the mail needs to explicitly mention what the keywords are. Also, keywords may not be relevant to the message at all. Ideally, we need a system in which we can query the encrypted mail itself for keywords, i.e. without having to append a PEKS for each keyword along with the mail. Can we do away with PEKS values?

Issues
The same trapdoor can be used many times in the future as well by the mail server? Can an attacker reuse the trapdoor to get some information about the message or the keyword?

Open problem
I'm not sure if this has been done before or if it is possible. We want to be able to search the encrypted message itself for any word, given some trapdoor information.

Questions