1. Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉

2. Outline (1/1) What is the problem? What do we want to achieve? Definition. One solution. Conclusion.

3. Problem (1/1) Alice Bob( untrusted server) Search Ciphertext Pre-stored data Where the pre-stored data is some set of documents encrypted from Alice (or others).

4. Properties Query isolation: The un-trusted server can not learn anything more about the plaintext than the search result. Controlled searching: The un-trusted server can not search for an arbitrary word without the user’s authorization. Hidden queries: The user may ask the un- trusted server to search for a secret word without revealing the word to the server.

5. Background and Definitions (1/4) Def : Let A : {0, 1} n  {0, 1} be an arbitrary algorithm and let X and Y be random variables distributed on {0, 1} n. The distinguishing probability of A --- sometimes called the advantage of A --- for X and Y is Adv A = | Pr[ A(X) = 1] - Pr[ A(Y) = 1] |.

6. Background and Definitions (2/4) Def : A pseudorandom generator G, i.e., a stream cipher. We say that G: κ G  S is a (t, e)- secure pseudorandom generator if every algorithm A with running time at most t has advantage Adv A < e. The advantage of an adversary A is defined as Adv A = | Pr[ A(U κ G ) = 1] - Pr[ A(U s ) = 1] |, where U κ G,, U s are random variables distributed uniformly on κ G, S.

7. Background and Definitions (3/4) Def : A pseudorandom function F. We say that F: κ F × X  Y is a (t, q, e)- secure pseudorandom function if every oracle algorithm A making at most q oracle queries and with running time at most t has advantage Adv A < e. The advantage is defined as Adv A = | Pr[ A F k = 1] - Pr[ A R = 1] |, where R represents a random function selected uniformly from the set of all maps from X to Y, and where the probabilities are taken over the choice of k and R.

8. Background and Definitions (4/4) Def : A pseudorandom permutation E, i.e., a block cipher. We say that E: κ E × Z  Z is a (t, q, e)- secure pseudorandom permutation if every oracle algorithm A making at most q oracle queries and with running time at most t has advantage Adv A < e. The advantage is defined as Adv A = | Pr[ A E k, E k -1 = 1] - Pr[ A π, π -1 = 1] |, where π represents a random permutation selected uniformly from the set of all bijections on Z, and where the probabilities are taken over the choice of k and π. Notice that the adversary is given an oracle for encryption as well as for decryption; this corresponds to the adaptive chosen-plaintext/ ciphertext attack model.

9. Our solution with sequential scan Where S i are pseudorandom values generated by pseudorandom generator, F is a pseudorandom function. Scheme I: The basic scheme A ⊕ B=C, B ⊕ C=A, C ⊕ A=B. n bits n-m bitsm bits Alice produces S i and k i. When decryption, Alice gets W i = C i ⊕

10. Our solution with sequential scan Scheme II: Controlled searching Let k i = f k’ (W i ), where k’ be chosen uniformly randomly by Alice and never be revealed. If Alice wish to allow Bob to search for the word W, she reveals f k’ (W), and W to him. Alice produces S i and k’.

11. Our solution with sequential scan Scheme III: Support for hidden searches Alice produces S i, k’ and k’’. We let X i = E k’’ (W i ) Let k i = f k’ (X i ), where k’ be chosen uniformly randomly by Alice and never be revealed. If Alice wish to allow Bob to search for the word W, she reveals f k’ (E k’’ ( W)), and E k’’ (W) to him.

12. Our solution with sequential scan Scheme IV: The final scheme Alice produces S i, k’ and k’’. We let X i = E k’’ (W i ) Let k i = f k’ (L i ), where k’ be chosen uniformly randomly by Alice and never be revealed. If Alice wish to allow Bob to search for the word W, she reveals f k’ (E k’’ ( W)), and E k’’ (W) to him.

13. Conclusion How to know that which S i we should use? If we know W, why do we search? An solution: public key encryption? (naïve thought). Issue: 1) The scheme is too slow in searching for a large number of documents. 2) If we search too often, Bob may be able to learning some information. 3) We must trust Bob return all the match results.