Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.

Similar presentations


Presentation on theme: "1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍."— Presentation transcript:

1 1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍

2 2 Outline Motivating Scenario and model of document Conjunctive Keyword Searchable Encryption (CKSE)  Definition  Assumption  Construction Security Notion Secutity Analysis

3 3 Motivating Scenario Alice has a large amount of data  Which is private  Which she wants to access any time and from anywhere  Example: emails Alice stores her data on a remote server  Good connectivity  Low administration overhead  Cheaper cost of storage  But untrusted

4 4 Alice may not trust the server  Data must be stored encrypted Alice wants ability to search her data  Keyword search: “All emails from Bob” Alice wants powerful, efficient search  She wants to ask conjunctive queries  E.g. ask for “All emails from Bob AND received last Sunday”

5 5 Single keyword search  Limited to queries for a single keyword  Can’t do boolean combinations of queries Example: “emails from Bob AND (received last week OR urgent)” We focus on conjunctive queries  Documents D i which contains keywords W 1 and W 2 … and W m  More restrictive than full boolean combinations

6 6 Model of Documents We assume structured documents where keywords are organized by fields AliceBob06/01/2004Urgent AliceCharlie05/28/2004Secret ………… DaveAlice06/04/2004Non-urgent From To Date Status m fields n docs D1D1 D2D2 DnDn The documents are the rows of the matrix D i = (W i, 1, …, W i, m ) J i

7 7 Outline Motivating Scenario and model of document Conjunctive Keyword Searchable Encryption (CKSE)  Definition  Assumption  Construction Security Notion Secutity Analysis

8 8 Definition1 we say that a scheme of conjunctive keyword searchable encryption is semantically secure against adaptive chosen-keyword attacks if is a negligible function in for any polynomial attacker A.

9 9 Definition2 Bilinear Map: a map is a bilinear map if the following conditions hold : 1. and are cyclic groups of the same prime order p and Is efficiently computable; 2. For all and then 3. is non-degenerate. That is, if generates and generates, the generates

10 10 Definition3 XDH Assumption: Let and be two disjoint cyclic sub groups of a prime order of elliptic curves and let be a bilinear map The XDH states that the decision Diffie-Hellman problem in This implies that there does not exist an efficiently computable isomorphism

11 11 Definition4 coXDH Assumption: Let and be the XDH group and let be a bilinear map Let the mixed decisional Diffie-Hellman problem to distinguish between the tuples of the form and where are random elements of The coXDH assumption means that the mixed DDH problem is intractable in the XDH setting.

12 12 Search on Encrypted Data Alice Storage Server D 1, D 2, …, D n C 1,C 2,…C i Encryption(K,D i ={W i,1 , … , W i,m }) Later, Alice wants to retrieve only some of documents containing some specific keywords. Trapdoor(K,{ j 1,..},{W 1,…}) Test(T, C i ) = True if Ci contains W Test(T,C i ) = False otherwise Alice decrypts C i 傳回滿足條件的資料

13 13 CKSE algorithm: keyGen : run by the user to setup the scheme take a security parameter,it determines XDH group and of a prime order p, where is kept in private. return a secret key

14 14 Enc : run by the user to generate searchable ciphertexts take a secret key and a document. Let for Let be a value chosen uniformly at random from, return a ciphertext as follow:

15 15 Trapdoor : run by the user to generate a trapdoor take a secret key,keyword field Indices and keywords as inputs.Let be a value chosen uniformly at random from return a trapdoor vale

16 16 Test : run by the server in order to search for the documents containing some specific keywords take a trapdoor and a ciphertext Let and For all,the algorithm checks if the following equality holds: If so, it return true. Otherwise, it return false

17 17 Outline Motivating Scenario and model of document Conjunctive Keyword Searchable Encryption (CKSE)  Definition  Assumption  Construction Security Notion Secutity Analysis

18 18 Security Notion Define the security notion of CKSE in the sense of semantic-security using the following experiment : 1. Challenger chooses a set of secret keys for the user by executing KeyGen algorithm. 2. Attacker A can ask challenger for the trapdoor and encryption of its own choice. 3. A chooses two documents D 0,D 1, (none of trapdoor for D 0,D 1 is given in the step 2). The challenger generates a random coin and gives A a challenge The goal of A is to decide such that

19 19 4. A may ask continuously for the trapdoor and the encryption of its choice. (not allowed to ask for the trapdoor and the encryption of D 0,D 1, as before ) 5. A output The advantage of A in breaking the CKSE scheme is defined as in a security parameter

20 20 Outline Motivating Scenario and model of document Conjunctive Keyword Searchable Encryption (CKSE)  Definition  Assumption  Construction Security Notion Secutity Analysis

21 21 Secutity Analysis Theorem1 The CKSE scheme for conjunctive keyword searchable encryption is semantically secure against adaptive chosen-keyword attacks in the random oracle model under the external co- Diffie-Hellman assumption (coXDH).

22 22 Secutity Analysis (proof) Suppose: A breaks the CKSE scheme with advantage by making at most hash queries, trapdoor queries, and encryption queries. Goal: We then show a construction of an algorithm O that uses A as a subroutine and breaks coXDH assumption with non-negligible advantage where is the base of natural logarithm. Let be an instance of coXDH problem. O is to decide whether c= ab

23 23 (step) KeyGen HashQueries TrapdoorQueries EncQueries ChallengeQueries MoreQueries Output

24 24 KeyGen: O chooses a random value and sets as its own secret key. HashQueries: O maintains a list of tuples called the H-list. The list is initially empty. When A issues a hash query for a keyword O responds as follows:

25 25 If exists on the H-list then O responding with the previous queries Otherwise,O generates a random coin so that,and then O chooses a random value 1. If O computes 2. If O computes O adds the tuple to the H-list and answers with

26 26 TrapdoorQueries: A issues a trapdoor query of some keyword and then O execute the above H algorithm. O responds as follows: If all on the tuple are not 1,termminate. Otherwise,O chooses a random value and answer with a trapdoor as follow:

27 27 ChallengeQueries : A submits a pair of challenge documents and O execute the above random oracle algorithm, then O produces a challenge as follows: If both and for all are not 0,terminate. If both and for all are equal to 0,O generate a random coin If only one is equal to 0 then no randomness is needed. O responds with the challenge

28 28 EncQueries : A issues a document O execute above H algorithm. O responds as follow: If all on the tuples are not 1, then terminates. Otherwise, O chooses a random value and then answers with

29 29 MoreQueries: A performs additional trapdoor queries or Enc queries after the challenge query, O responds to these queries in the same way before.

30 30 Output: A output a bit of its guess. If, O guesses that is an instance of mixed DDH tuple. Otherwise, O guesses it is a random tuple.

31 31 The probability of O against the mixed DHH challenge Let NF be the event of that O does not fail during the above experiment. NFT, O does not fail during the TrapdoorQueries NFE, O does not fail during the EncQueries NFC, O does not fail during the ChallengeQueries NF=NFT NFE NFC

32 32 Pr[NFT] = Pr[NFE] = Pr[NFC] = for b = 0,1 and both and are independent of A’s view. Pr[ NF = NFT NFE NEC ] = The advantage of A against our CKSE scheme is The success probability of the O is

33 33


Download ppt "1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍."

Similar presentations


Ads by Google