Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography for Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan CRYPTOLOGY 2012, 4-6 June, Langkawi, Malaysia.

Published byBethanie Richards Modified over 9 years ago

Similar presentations

Presentation on theme: "Cryptography for Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan CRYPTOLOGY 2012, 4-6 June, Langkawi, Malaysia."— Presentation transcript:

1 Cryptography for Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan CRYPTOLOGY 2012, 4-6 June, Langkawi, Malaysia

2 Cloud Storage Service (or online storage service) is now available on the commercial basis. Big Internet enterprises such as Google, Amazon, Yahoo are providing these services. 2

3 The Advantages are Companies need only pay for the storage they actually use Companies do not need to install physical storage devices in their own data center Storage maintenance tasks, such as backup, are offloaded to the responsibility of a service provider 3

4 In Japan After the big earthquake last year, many local governments are considering using cloud storage service to store their important data which includes the original copy of family registers. 4

5 But Potential Threats The number of people with access to the data who could be compromised (bribed, or coerced) increases dramatically. It is possible for other customers to access your data. Sometimes because of human error, faulty equipment, a bug or criminal intent. 5

6 In such systems The role of cryptography is crucial. 6

7 A Searchable Symmetric Encryption (SSE) scheme Consists of a store phase and a search phase 7

8 In the store phase, A client stores encrypted files (or documents) on a server Client Server E(D 1 ), ⋯, E(D N ) 8

9 In the search phase, The client sends an encrypted keyword to the server Client Server E(keyword) 9

10 The server somehow returns The encrypted files E(D 3 ), E(D 6 ), E(D 10 ) which contains the keyword Client Server E(keyword) E(D 3 ), E(D 6 ), E(D 10 ) 10

11 So the client can retrieve some of the encrypted files which contains a specific keyword, keeping the keyword secret Client Server E(keyword) E(D 3 ), E(D 6 ), E(D 10 ) 11

12 By Passive Attack A malicious server breaks the privacy She tries to find the keyword and the documents Client Server E(keyword) E(D 3 ), E(D 6 ), E(D 10 ) Malicious 12

13 By Active Attack A malicious server breaks the reliability She tries to forge/delete some files. or replace E(D 3 ) with another E(D 100 ). Client Server E(keyword) E(D 3 ), E(D 6 ), E(D 10 ) E(D 100 ) Malicious 13

14 The security against passive attacks has been studied by several researchers. Song, Wagner, Perrig Goh Bellovin and Cheswick Chang and Mitzenmacher 14

15 Finally Curtmola, Garay, Kamara and Ostrovsky showed a rigorous definition of security against passive attacks. They also gave a scheme which satisfies their definition. 15

16 However The security against active attacks has not been considered so far. 16

17 In this talk (1)Extend the model of SSE to verifiable SSE (2)Define the security against active attacks. (3)Next formulate the UC-security (4)Then prove the equivalence between (2) and (3) (5) Finally show a UC-secure scheme 17

18 In this talk (1)Extend the model of SSE to verifiable SSE (2)Define the security against active attacks. (3)Next formulate the UC-security (4)Then prove the equivalence between (2) and (3) (5) Finally show a UC-secure scheme 18

19 In this talk (1)Extend the model of SSE to verifiable SSE (2)Define the security against active attacks. (3)Next formulate the UC-security (4)Then prove the equivalence between (2) and (3) (5) Finally show a UC-secure scheme 19

20 In this talk (1)Extend the model of SSE to verifiable SSE (2)Define the security against active attacks. (3)Next formulate the UC-security (4)Then prove the equivalence between (2) and (3) (5) Finally show a UC-secure scheme 20

21 In this talk (1)Extend the model of SSE to verifiable SSE (2)Define the security against active attacks. (3)Next formulate the UC-security (4)Then prove the equivalence between (2) and (3) (5) Finally show a UC-secure scheme 21

22 Overview PrivacyCurtmola et al. ReliabilityOur paper UC securityOur paper 22

23 Outline of this talk (1) Curtmola et al. ‘s scheme (2) Our UC-secure scheme (3) Our theoretical results 23

24 Curtmola et al. keywordDocuments AustinD 3, D 6, D 10 BostonD 8, D 10 WashingtonD 1, D 4, D 8 Showed a scheme such as follows. (It is secure against passive attacks.) Consider the following “Index” Index 24

25 The client first constructs E(Index) as follows. He first chooses a pseudorandom permutation π. E(Index) = 25

26 He next computes π(Austin, 1), π(Austin, 2) and π(Austin, 3), Writes the indexes (3, 6, 10) in these addresses 3 6 10 Address π(Austin, 1) π(Austin, 2) π(Austin, 3) E(Index) 26

27 Do the same for each keyword 3 6 10 8 Address π(Austin, 1) π(Austin, 2) π(Austin, 3) π(Boston, 1) π(Boston, 2) E(Index) 27

28 In the store phase, The client stores Client Server E(D 1 ), ⋯, E(D N ), and E(Index) 28

29 In the search phase, The client sends Client Server t(Austin)= ( π(Austin, 1), π(Austin, 2), π(Austin, 3) ) 3 6 10 8 E(Index) 29

30 The server sees that the corresponding indexes are Client Server π(Austin, 1), π(Austin, 2), π(Austin, 3) 3 6 10 8 E(Index) 30

31 Hence the server can return Client Server π(Austin, 1), π(Austin, 2), π(Austin, 3) E(D 3 ), E(D 6 ), E(D 10 ) 3 6 10 8 E(Index) 31

32 This scheme Is secure against passive attacks. But it is not secure against active attacks. 32

33 A naive approach is to add MAC to each E(D i ) ClientServer π(Austin, 1), π(Austin, 2), π(Austin, 3) E(D 3 ), MAC(E(D 3 )), E(D 6 ), MAC(E(D 6 )), E(D 10 ), MAC(E(D 10 )) The server returns these files together with their MACs 33

34 But a malicious server will Client π(Austin, 1), π(Austin, 2), π(Austin, 3) E(D 3 ), MAC(E(D 3 )), E(D 6 ), MAC(E(D 6 )), E(D 10 ), MAC(E(D 10 )) Malicious Replace some pair with another pair E(D 100 ), MAC(E(D 100 )) 34

35 The client cannot detect this cheating Client π(Austin, 1), π(Austin, 2), π(Austin, 3) E(D 3 ), MAC(E(D 3 )), E(D 6 ), MAC(E(D 6 )), E(D 10 ), MAC(E(D 10 )) Malicious Because this is a valid pair of MAC E(D 100 ), MAC(E(D 100 )) 35

36 The proposed scheme Client π(Austin, 1) E(D 3 ), Tag 3 =MAC(π(Austin, 1), E(D 3 )) We include π(Austin, 1) in the input of MAC So the server returns 36

37 This method works Client π(Austin, 1) E(D 3 ), Tag 3 =MAC(π(Austin, 1), E(D 3 )) Because the MAC binds the query and the answer pair 37

38 More precisely, The client writes such MAC values in E(Index), and stores it on the server 3, tag3=MAC( π(Austin, 1), E(D 3 ) ) 6, tag6=MAC( π(Austin, 2), E(D 6 ) ) 10, tag10=MAC( π(Austin, 3), E(D 10 ) ) π(Austin, 1) π(Austin, 2) π(Austin, 3) E(Index) 38

39 For a query π(Austin, 1) E(Index) π(Austin, 1) The server returns E(D 3 ) and tag3=MAC( π(Austin, 1), E(D 3 ) ) 3, tag3=MAC( π(Austin, 1), E(D 3 ) ) 6, tag6=MAC( π(Austin, 2), E(D 6 ) ) 10, tag10=MAC( π(Austin, 3), E(D 10 ) ) 39

40 The client checks the validity of π(Austin, 1) tag3=MAC( π(Austin, 1), E(D 3 ) ) E(D 3 ) The details are written in the paper. 40

41 Another Subtle Point If 3 appears many times in E(Index), the adversary sees that D 3 includes more keywords than the other documents. 3 3, tag3=MAC( π(Austin, 1), E(D 3 ) ) 3 6, tag6=MAC( π(Austin, 2), E(D 6 ) ) 3 10, tag10=MAC( π(Austin, 3), E(D 10 ) ) E(Index) = 41

42 Hence the index i of each D i should appear the same number of times. Curtmola et al. didn’t show such a method. 3, tag3=MAC( π(Austin, 1), E(D 3 ) ) 6, tag6=MAC( π(Austin, 2), E(D 6 ) ) 10, tag10=MAC( π(Austin, 3), E(D 10 ) ) E(Index) = 42

43 We solve this problem as follows keywordDocuments AustinD 1, D 2 BostonD 3, D 4 WashingtonD5D5 Suppose that there are 5 documents and Index 43

44 1,1, 2,2, dummy, Since Austin ∈ {D 1, D 2 }. we consider a list such that 44

45 1,1, 2,2, dummy, We consider another list which includes (3,4,5) dummy, 3 4 5 45

46 π(0, Austin, 1)1 π(0, Austin, 2)2 π(0, Austin, 3)dummy π(0, Austin, 4)dummy π(0, Austin, 5)dummy π(1, Austin, 1)dummy π(1, Austin, 2)dummy π(1, Austin, 3)3 π(1, Austin, 4)4 π(1, Austin, 5)5 address E(Index) is constructed by permuting them randomly by using a PRP π as follows. 46

47 π(0, Austin, 1)1 π(0, Austin, 2)2 π(0, Austin, 3)dummy π(0, Austin, 4)dummy π(0, Austin, 5)dummy π(1, Austin, 1)dummy π(1, Austin, 2)dummy π(1, Austin, 3)3 π(1, Austin, 4)4 π(1, Austin, 5)5 address In the search phase, the client sends π(0, Austin, *) to the server 47

48 π(0, Austin, 1)1 π(0, Austin, 2)2 π(0, Austin, 3)dummy π(0, Austin, 4)dummy π(0, Austin, 5)dummy π(1, Austin, 1)dummy π(1, Austin, 2)dummy π(1, Austin, 3)3 π(1, Austin, 4)4 π(1, Austin, 5)5 address The server returns the corresponding contents 48

49 π(0, Austin, 1)1 π(0, Austin, 2)2 π(0, Austin, 3)dummy π(0, Austin, 4)dummy π(0, Austin, 5)dummy π(1, Austin, 1)dummy π(1, Austin, 2)dummy π(1, Austin, 3)3 π(1, Austin, 4)4 π(1, Austin, 5)5 address Now each i ∈ {1,2,3,4,5} appears once for each keyword E(Index) 49

50 Later We will prove that our scheme is UC-secure Hence it is secure against active attacks. 50

51 Our theoretical results (1)Extend the model of SSE to verifiable SSE (2)Define the security against active attacks. (3)Next formulate the UC-security (4)Then prove the equivalence between (1) and (2) (4) Finally show a UC-secure scheme 51

52 A verifiable SSE consists of 6 algorithms: KeyGen Enc Trapdoor Search Verify Dec 52

53 In the store phase, The client first generates a key K ← KeyGen(1 k ) and keeps it secret. 53

54 The client next chooses D={set of documents} = {D 1, …, D N } W={set of keywords} Enc K And computes C= { E(D 1 ), ⋯, E(D N ) } I= E{ Index } 54

55 D={set of documents} = {D 1, …, D N } W={set of keywords} Enc K Then the client sends C= { E(D 1 ), ⋯, E(D N ) } I= E{ Index } 55

56 In the search phase, keyword Trapdoor K and computes t(keyword) =[π(0,Austin,1), …, π(0,Austin,1)] By using Trapdoor algorithm The client chooses 56

57 keyword Trapdoor K Then the client sends t(keyword) 57

58 and computes C(keyword)= { E(D 3 ), E(D 6 ), E(D 10 ) } Tag Search The server receives t(keyword) C= { E(D 1 ), ⋯, E(D N ) } I= E{ Index } Ex. the keyword is included in D 3, D 6 and D 10. 58

59 Search t(keyword) Then the server returns C(keyword)={ E(D 3 ), E(D 6 ), E(D 10 ) } Tag C= { E(D 1 ), ⋯, E(D N ) } I= E{ Index } 59

60 Client Server t(keyword) C(keyword)={E(D 3 ), E(D 6 ), E(D 10 )} Tag 60

61 Then the client computes Verify algorithm on input t(keyword) C(keyword)={E(D 3 ), E(D 6 ), E(D 10 )} Tag Verify Accept / Reject K 61

62 If Accept, the clients decrypts C(keyword)={E(D 3 ), E(D 6 ), E(D 10 )} Dec K and obtains the documents D 3, D 6, D 10 which contain the keyword 62

63 Our theoretical results (1)Extend the model of SSE to verifiable SSE (2)Define the security against active attacks. (3)Next formulate the UC-security (4)Then prove the equivalence between (1) and (2) (4) Finally show a UC-secure scheme 63

64 The security against active attacks Consists of privacy and reliability We define privacy similarly to Curtmola et al. That is, 64

65 In the store phase, Client Server E(D 1 ), ⋯, E(D N ), E(Index) The server will learn |D 1 |, …, |D N | and |{keywords}| from what she received 65

66 In the search phase, This means that the server knows the corresponding indexes {3, 6, 10} For t(keyword) the server returns C(keyword). t(keyword) C(keyword)=( E(D 3 ), E(D 6 ), E(D 10 ) ) Tag 66

67 To summarize The server learns |D 1 |, …, |D N | and |{keywords}| the indexes {3, 6, 10} which corresponds to a queried keyword 67

68 The Privacy definition requires that the server should not be able to learn any more information 68

69 The Privacy definition requires that the server should not be able to learn any more information To formulate this, we consider a real game and a simulation game 69

70 In the Real Game D = {D 1, …, D N } W={set of keywords} Distinguisher C= { E(D 1 ), ⋯, E(D N ) } I= E{ Index } Client 70

71 Next keyword Distinguisher t(keyword) Client 71

72 Next keyword Distinguisher t(keyword) Client 72

73 Finally keyword Distinguisher t(keyword) Client b=0 or 1 73

74 In the Simulation Game D = {D 1, …, D N } W={set of keywords} Distinguisher Somehow computes C= { E(D 1 ), ⋯, E(D N ) } I= E{ Index } ClientSimulator |D 1 |, …, |D N | and |{keywords}| 74

75 Next keyword Distinguisher Somehow computes t(keyword) ClientSimulator The corresponding indexes {3, 6, 10} 75

76 Next keyword Distinguiher Somehow computes t(keyword) ClientSimulator The corresponding indexes {3, 6, 10} 76

77 Finally keyword Distinguisher t(keyword) ClientSimulator {3, 6, 10} b=0 or 1 77

78 Definition of Privacy We say that a verifiable SSE satisfies privacy if there exists a simulator such that |Pr( b=1 in Real)- Pr( b=1 in Simulation)| is negligible for any distinguisher. 78

79 The Def. of Curtmola et al. Requires that for any distinguisher, there exists a simulator such that |Pr( b=1 in Real)- Pr( b=1 in Simulation)| is negligible. In this definition, the simulator depends on the distinguisher. 79

80 Our definition is slightly stronger than that of Curtmola et al. because in our definition, the simulator is independent of the distinguisher. 80

81 Our definition is slightly stronger than that of Curtmola et al. because in our definition, the simulator is independent of the distinguisher. This small change is important when we prove the equivalence with the UC-security. 81

82 The client sends The honest server returns t(keyword) C(keyword)={E(D 3 ), E(D 6 ), E(D 10 )} Tag Next Reliability 82

83 The honest server returns Client sends t(keyword) C(keyword)={E(D 3 ), E(D 6 ), E(D 10 )} Tag We say that C(keyword)* is invalid for t(keyword) if C(keyword)* ≠ C(keyword) 83

84 We say that Server* wins If she can return (C(keyword)*, Tag*) for some t(keyword) such that (1) C(keyword)* is invalid and (2) The client accepts (C(keyword)*, Tag*) 84

85 Definition of Reliability We say that a verifiable SSE satisfies reliability if Pr(Server* wins) is negligible for any Server*, any D={set of documents}, any W={set of keywords} and any queried keyword. 85

86 Our theoretical results (1)Extend the model of SSE to verifiable SSE (2)Define the security against active attacks. (3)Next formulate the UC-security (4)Then prove the equivalence between (1) and (2) (4) Finally show a UC-secure scheme 86

87 In General Even if a protocol π is secure, it may not be secure if π is executed concurrently, Or if π is a part of a larger protocol Client 1 Client 2 Server 87

88 Universal Composability (UC) Is a framework which guarantees that A protocol π is secure Even if π is executed concurrently, and Even if π is a part of a larger protocol 88

89 The notion of UC was introduced by Canetti. He proved that UC-security is maintained under a general protocol composition. 89

90 In the UC framework A Real worldAn Ideal world A protocol πAn Ideal Functionality F π We consider a real world and an ideal world. In the ideal world, there exists an ideal functionality A protocol π is UC-secure if the real world is indistinguishable from the ideal world. 90

91 We define An ideal functionality F vSSE of verifiable SSE as follows. 91

92 In our case, the ideal world looks like this dummy Client Ideal Functionality F vSSE Environment Z UC adversary S dummy Server 92

93 First in the store phase dummy Client Ideal Functionality F vSSE Environment Z D={D 1, …, D N } W={set of keywords} 93

94 The dummy client relays them to F vSSE dummy Client Ideal Functionality F vSSE Environment Z D={D 1, …, D N } W={set of keywords} D={D 1, …, D N } W={set of keywords} 94

95 Our F vSSE sends dummy Client Ideal Functionality F vSSE Environment Z D={D 1, …, D N } W={set of keywords} D={D 1, …, D N } W={set of keywords} UC adversary S |D 1 |, …, |D N | |{keywords}| 95

96 Next in the search phase dummy Client Ideal Functionality F vSSE Environment Z keyword UC adversary S 96

97 The dummy client relays it to F vSSE dummy Client Ideal Functionality F vSSE Environment Z keyword UC adversary S 97

98 Our F vSSE sends dummy Client Ideal Functionality F vSSE Environment Z keyword UC adversary S The corresponding indexes {3,6,10} 98

99 The UC adversary S returns dummy Client Ideal Functionality F vSSE Environment Z keyword UC adversary S {3,6,10} Accept or Reject 99

100 If S returns Reject, dummy Client Ideal Functionality F vSSE Environment Z keyword UC adversary S {3,6,10} Reject 100

101 Our F vSSE sends Reject to the dummy client dummy Client Ideal Functionality F vSSE Environment Z keyword UC adversary S {3,6,10} Reject 101

102 The dummy client relays it to Z dummy Client Ideal Functionality F vSSE Environment Z keyword UC adversary S {3,6,10} Reject 102

103 If S returns Accept, dummy Client Ideal Functionality F vSSE Environment Z keyword UC adversary S {3,6,10}Accept 103

104 Our F vSSE sends {D 3,D 6,D 10 } dummy Client Ideal Functionality F vSSE Environment Z keyword UC adversary S {3,6,10}Accept {D 3,D 6,D 10 } 104

105 The dummy client relays them to Z dummy Client Ideal Functionality F vSSE Environment Z keyword UC adversary S {3,6,10}Accept {D 3,D 6,D 10 } 105

106 So Z receives {D 3,D 6,D 10 } correctly or Reject dummy Client Ideal Functionality F vSSE Environment Z keyword UC adversary S {3,6,10}Accept /Reject {D 3,D 6,D 10 }/Reject {D 3,D 6,D 10 } /Reject 106

107 This is an ideal world Because (1)The dummy client receives {D 3,D 6,D 10 } which contains the keyword correctly, or receives Reject (2) UC adversary S learns only |D 1 |, …, |D N |, |{keywords}| and the indexes {3,6,10} for a queried keyword 107

108 Further S can corrupt dummy Client Ideal Functionality F vSSE Environment Z UC adversary S dummy Server 108

109 Also Z can interact with S freely dummy Client Ideal Functionality F vSSE Environment Z UC adversary S dummy Server 109

110 Z finally outputs 0 or 1 dummy Client Ideal Functionality F vSSE Environment Z UC adversary S dummy Server 110

111 In the real world Client Server Environment Z D={set of documents} W={set of keywords} 111

112 Client Server Environment Z D={set of documents} W={set of keywords} Then the client and the server runs the store phase of a verifiable SSE protocol 112

113 In the search phase Client Server Environment Z keyword 113

114 Client Server Environment Z keyword The client and the server runs the search phase of the verifiable SSE protocol 114

115 The client sends his output to Z Client Server Environment Z keyword D 3, D 6, D 10 115

116 An adversary A can corrupt Client Server Environment Z Adversary A 116

117 Further Z can interact with A freely Client Server Environment Z Adversary A 117

118 Z finally outputs 0 or 1 Client Server Environment Z Adversary A 118

119 We say that A verifiable SSE protocol is UC-secure if for any adversary A, there exists a UC-adversary S such that no environment Z can distinguish the real world from the ideal world. 119

120 Our theoretical results (1)Extend the model of SSE to verifiable SSE (2)Define the security against active attacks. (3)Next formulate the UC-security (4)Then prove the equivalence between (2) and (3) (4) Finally show a UC-secure scheme 120

121 Equivalence (Theorem) A verifiable SSE protocol is UC-secure if and only if it satisfies our definition of privacy and reliability Here we consider static adversaries. 121

122 This means that The security of a verifiable SSE protocol is maintained under a general protocol composition if it satisfies our privacy and reliability Client 1 Client 2 Server 122

123 Our theoretical results (1)Extend the model of SSE to verifiable SSE (2)Define the security against active attacks. (3)Next formulate the UC-security (4)Then prove the equivalence between (2) and (3) (5) Finally prove our scheme is UC-secure 123

124 We assume that The encryption algorithm E is CPA secure MAC is unforgeable against chosen message attack. 124

125 Theorem Our scheme satisfies privacy and reliability of our definition. 125

126 Proof of privacy Suppose that there are 5 documents, and 3 keywords. We must show a simulator such that 126

127 ClientSimulator |D 1 |, …, |D 5 | and |{keywords}|=3 In the store phase, Sim receives |D 1 |, …, |D 5 | and |{keywords}|=3 127

128 Then it must compute C= { E(D 1 ), ⋯, E(D 5 ) } E(Index) ClientSimulator |D 1 |, …, |D 5 | and |{keywords}|=3 128

129 Our Sim computes C as C= { E(random), ⋯, E(random) } E(Index) ClientSimulator |D 1 |, …, |D 5 | and |{keywords}|=3 129

130 If E is secure, { E(D 1 ), ⋯, E(D 5 ) } ≈ { E(random), ⋯, E(random) } 130

131 Next Sim constructs E(Index) as a random permutation of this table π(1)1π(11)1π(21)1 π(2)2π(12)2π(22)2 π(3)3π(13)3π(23)3 π(4)4π(14)4π(24)4 π(5)5π(15)5π(25)5 π(6)dummyπ(16)dummyπ(26)dummy π(7)dummyπ(17)dummyπ(27)dummy π(8)dummyπ(18)dummyπ(28)dummy π(9)dummyπ(19)dummyπ(29)dummy π(10)dummyπ(20)dummyπ(30)dummy address 131

132 Since π is a PRP, This Index ≈ the real Index 132

133 In the search phase, suppose that t(keyword) ClientSimulator {1,3,5} 133

134 In the 1 st column, Sim finds {1,3,5,dummy,dummy} π(1)1π(11)1π(21)1 π(2)2π(12)2π(22)2 π(3)3π(13)3π(23)3 π(4)4π(14)4π(24)4 π(5)5π(15)5π(25)5 π(6)dummyπ(16)dummyπ(26)dummy π(7)dummyπ(17)dummyπ(27)dummy π(8)dummyπ(18)dummyπ(28)dummy π(9)dummyπ(19)dummyπ(29)dummy π(10)dummyπ(20)dummyπ(30)dummy address 134

135 Sim returns their addresses π(1)1π(11)1π(21)1 π(2)2π(12)2π(22)2 π(3)3π(13)3π(23)3 π(4)4π(14)4π(24)4 π(5)5π(15)5π(25)5 π(6)dummyπ(16)dummyπ(26)dummy π(7)dummyπ(17)dummyπ(27)dummy π(8)dummyπ(18)dummyπ(28)dummy π(9)dummyπ(19)dummyπ(29)dummy π(10)dummyπ(20)dummyπ(30)dummy address 135

136 That is, t(keyword)= [π(1),π(3),π(5),π(6),π(7)] ClientSimulator {1,3,5} 136

137 Next suppose that t(keyword) ClientSimulator {2,4} 137

138 In the 2nd column, Sim finds {2,4,dummy,dummy,dummy} π(1)1π(11)1π(21)1 π(2)2π(12)2π(22)2 π(3)3π(13)3π(23)3 π(4)4π(14)4π(24)4 π(5)5π(15)5π(25)5 π(6)dummyπ(16)dummyπ(26)dummy π(7)dummyπ(17)dummyπ(27)dummy π(8)dummyπ(18)dummyπ(28)dummy π(9)dummyπ(19)dummyπ(29)dummy π(10)dummyπ(20)dummyπ(30)dummy address 138

139 Sim returns their addresses π(1)1π(11)1π(21)1 π(2)2π(12)2π(22)2 π(3)3π(13)3π(23)3 π(4)4π(14)4π(24)4 π(5)5π(15)5π(25)5 π(6)dummyπ(16)dummyπ(26)dummy π(7)dummyπ(17)dummyπ(27)dummy π(8)dummyπ(18)dummyπ(28)dummy π(9)dummyπ(19)dummyπ(29)dummy π(10)dummyπ(20)dummyπ(30)dummy address 139

140 That is, t(keyword)= [π(12), π(14), π(16),π(17), π(18)] ClientSimulator {2,4} 140

141 This is indistinguishable from the real game t(keyword)= [π(12), π(14), π(16),π(17), π(18)] ClientSimulator {2,4} 141

142 Hence Our scheme satisfies privacy. 142

143 Proof of reliability Suppose that there exists a server* who can forge ClientServer* C(keyword)* Tag* 143

144 Proof of reliability We show a forger A who can break MAC by chosen message attack ClientServer* C(keyword)* Tag* 144

145 A runs Server* by playing the role of the client A uses his MAC oracle to compute X ClientServer* C(keyword)* Tag* MAC oracle A X 145

146 We can show that A never queried C(keyword)* to the MAC oracle. ClientServer* C(keyword)* Tag* MAC oracle A 146

147 This means that A succeeds in breaking MAC ClientServer* C(keyword)* Tag* MAC oracle A 147

148 Hence Our scheme satisfies reliability. 148

149 Corollary Our scheme is UC-secure. 149

150 Summary PrivacyCurtmola et al. ReliabilityOur paper UC securityOur paper 150

151 Preliminary version was presented at Financial Cryptography 2012 The paper is available from the homepage of FC 2012 151

152 Thank you !! 152

Download ppt "Cryptography for Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan CRYPTOLOGY 2012, 4-6 June, Langkawi, Malaysia."

Similar presentations

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa.

Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
Introduction to Practical Cryptography Lecture 9 Searchable Encryption.

Introduction to Practical Cryptography Lecture 9 Searchable Encryption.
How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea.

How to Keyword-Search Securely in Cloud Storage Service Kaoru Kurosawa Ibaraki University, Japan ICISC 2014, Dec. 3-5, Chung-Ang University, Korea.
1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.

1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.
1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.

1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.
Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.

Proactive Secure Mobile Digital Signatures Work in progress. Ivan Damgård and Gert Læssøe Mikkelsen University of Aarhus.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.

Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.

1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.
Overview of Cryptography Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Overview of Cryptography Anupam Datta CMU Fall A: Foundations of Security and Privacy.
Practical Techniques for Searches on Encrypted Data Author:Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀汶承.

Practical Techniques for Searches on Encrypted Data Author:Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀汶承.

Similar presentations

Ads by Google