Secure Conjunctive Keyword Search Over Encrypted Data
Philippe Golle, Jessica Staddon (Palo Alto Research Center); Brent Waters (Princeton University)


1 Secure Conjunctive Keyword Search Over Encrypted Data
Philippe Golle, Jessica Staddon (Palo Alto Research Center); Brent Waters (Princeton University)

2 Motivating Scenario
Alice has a large amount of data
– Which is private
– Which she wants to access any time and from anywhere
– Example: her emails
Alice stores her data on a remote server
– Good connectivity
– Low administration overhead
– Cheaper cost of storage
– But untrusted
1. Alice may not trust the server
   Data must be stored encrypted
2. Alice wants ability to search her data
   Keyword search: “All emails from Bob”
3. Alice wants powerful, efficient search
   She wants to ask conjunctive queries
   E.g. ask for “All emails from Bob AND received last Sunday”

3 Search on Encrypted Data
Alice: D_1, D_2, …, D_n → Encryption → Storage Server: E(D_1), E(D_2), …, E(D_n)
Later, Alice wants all D_i which contain a keyword W
She generates a capability for W: Cap = GenCap(W)
Verify(Cap, E(D_i)) = True if D_i contains W
Verify(Cap, E(D_i)) = False otherwise
Storage Server → Alice: E(D_i) such that Verify(Cap, E(D_i)) = T
Alice decrypts E(D_i)

4 Single Keyword Search
Solution of Song, Wagner & Perrig
– [2000 IEEE Security and Privacy]
– Define a security model for single keyword search
– Propose provably secure protocols
Limitations
– Limited to queries for a single keyword
– Can’t do boolean combinations of queries
  Example: “emails from Bob AND (received last week OR urgent)”
We focus on conjunctive queries
– Documents D_i which contain keywords W_1 and W_2 … and W_n
– More restrictive than full boolean combinations
– But powerful enough! (see search engines)

5 Possible Approaches to Conjunctive Queries
Alice wants all documents with keywords W_1 and W_2 … and W_n
Computing set intersections
– She generates capabilities Cap_1, Cap_2 … Cap_n for W_1, W_2 … W_n
– Storage server finds sets of documents S_1, S_2 … S_n that match the capabilities Cap_1, Cap_2 … Cap_n and returns the intersection ∩S_i
– Problem: Server learns a lot of extra information on top of result of conjunctive query
  E.g. “Emails from Bob & Secret”
Defining Meta-Keywords
– Define a meta-keyword for every possible conjunction of keywords
– E.g. “Email from Bob & Secret” → meta-keyword “From Bob || Secret”
– Meta-keywords are associated with documents like regular keywords
– Problem: with m keywords, we must define 2^m meta-keywords to allow for all possible conjunctive queries.
[Figure labels: “Emails from President & Non-secret”, “Emails from President & Secret”]

6 Outline
Model and definitions
– Model of documents
– Define conjunctive keyword search
– Security model for conjunctive queries
Basic protocol
– Size of capabilities is linear in the number of documents (n)
Amortized Protocol
– Size of capabilities is linear in n but linear cost is incurred offline before the query is asked
– Standard security assumptions
Constant-size Protocol
– Size of capabilities is constant in n
– But relies on new hardness assumption

7 Model of Documents
We assume structured documents where keywords are organized by fields

       From    To        Date         Status
D_1    Alice   Bob       06/01/2004   Urgent
D_2    Alice   Charlie   05/28/2004   Secret
…      …       …         …            …
D_n    Dave    Alice     06/04/2004   Non-urgent

(m fields, n docs)
The documents are the rows of the matrix
D_i = (W_{i,1}, …, W_{i,m})

8 Conjunctive Search on Encrypted Data
Encryption: same as before
Generating a Capability
– Before: Cap = GenCap(W)
– Now: Cap = GenCap(j_1, …, j_t, W_{j_1}, …, W_{j_t}) where
  j_1, …, j_t are t field indices
  W_{j_1}, …, W_{j_t} are t keywords
– Example: GenCap(“From, Date”, “Bob, 06/04/2004”)
Verifying a capability
– Let Cap = GenCap(j_1, …, j_t, W_{j_1}, …, W_{j_t})
– Verify(Cap, D) returns True if
  D has keyword W_{j_1} in field j_1
  …
  D has keyword W_{j_t} in field j_t

9 Security Model
Informally
– “capabilities reveal no more information than they should”
– In particular, capabilities can’t be combined to create new ones
  GenCap(j_1, j_2, W_1, W_2) & GenCap(j_1, W_1) → GenCap(j_2, W_2)
– Except for “trivial” set-theoretic combinations
  GenCap(j_1, j_2, W_1, W_2) & GenCap(j_1, W_1) → GenCap(j_1, j_2, W_1, ¬W_2)
Formally: we define the following game with an adversary A
1. A calls Encrypt and GenCap
2. A chooses two documents D_0 and D_1 and receives E(D_b)
3. A again calls Encrypt and GenCap
4. A guesses the bit b
A wins if
– A guesses b correctly
– None of the capabilities given in Steps 1 and 3 distinguish D_0 from D_1
A protocol is secure if A wins with prob non-negligibly > 1/2

10 Outline
Model and definitions
– Model of documents
– Define conjunctive keyword search
– Security model for conjunctive queries
Basic protocol
– Size of capabilities is linear in the number of documents (n)
Amortized Protocol
– Size of capabilities is linear in n but linear cost is incurred offline before the query is asked
– Standard security assumptions
Constant-size Protocol
– Size of capabilities is constant in n
– But relies on new hardness assumption

11 Basic Protocol
Parameters
– A group G of order q in which DDH is hard and a generator g of G
– A keyed hash function f_k (Alice has the secret key k)
– A hash function h
Encrypting D_i = (W_{i,1}, …, W_{i,m})
– Let V_{i,j} = f_k(W_{i,j})
– Let a_i be a random value
Intuition
– Alice commits to the encrypted keywords
– The a_i’s ensure that commitments are different for each document
  Same keyword looks different in different documents
– The commitments are malleable within the same document
  Product of commitments = commitment to sum
– Commitments are NOT malleable across different documents

12 Basic Protocol (Continued)
Generating a capability GenCap(j_1, …, j_t, W_{j_1}, …, W_{j_t})
Verifying a capability
Intuition
– The commitments are malleable
– The capability that allows the verification of commitments is not malleable

13 Basic Protocol: Example
Capability for emails from Alice to Bob is
Let s = f_k(Alice) + f_k(Bob)
[Figure: From, To, Status fields, marked √ and X]
Problem: the size of capabilities is linear in n
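
The basic protocol as a runnable sketch, added here and not taken from the presentation. The slide formulas did not survive, so the layout used (one commitment g^(a_i·V_{i,j}) per field, one capability entry h(g^(a_i·s)) per document) is an assumption consistent with the intuition above; the toy group, HMAC-SHA256 as f_k, SHA-256 as h, and hashing the field index together with the keyword are also assumptions.

```python
import hashlib, hmac, secrets

# Toy stand-in (assumption) for the slides' DDH-hard group G of order q:
# Z_p^* with p = 2^127 - 1 and g = 3. Far too small for real use.
P, G = 2**127 - 1, 3

def f(k, j, w):
    """Keyed hash f_k. Binding the field index j into the input is an assumption
    of this sketch, so 'Bob' in From and 'Bob' in To map to different values."""
    mac = hmac.new(k, f"{j}:{w}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:16], "big")

def h(x):
    """Public hash h of a group element."""
    return hashlib.sha256(x.to_bytes(16, "big")).digest()

def encrypt(k, doc):
    """Return (a_i, [g^(a_i * V_ij) for each field j]); Alice keeps a_i."""
    a = secrets.randbits(128) | 1
    return a, [pow(G, a * f(k, j, w), P) for j, w in enumerate(doc)]

def gen_cap(k, blinders, query):
    """query maps field index -> keyword. One hash per stored document,
    which is why the capability size is linear in n."""
    s = sum(f(k, j, w) for j, w in query.items())
    return sorted(query), [h(pow(G, a * s, P)) for a in blinders]

def verify(cap, i, commitments):
    """Server: the product of the queried commitments commits to the sum."""
    fields, q = cap
    prod = 1
    for j in fields:
        prod = prod * commitments[j] % P
    return hmac.compare_digest(h(prod), q[i])

def search(cap, store):
    """Indices of the stored documents that the capability verifies against."""
    return [i for i, c in enumerate(store) if verify(cap, i, c)]

# Rows 0-1 follow the slides' (From, To, Date, Status) table; rows 2-3 are constructed.
DOCS = [("Alice", "Bob", "06/01/2004", "Urgent"),
        ("Alice", "Charlie", "05/28/2004", "Secret"),
        ("Bob", "Alice", "06/02/2004", "Urgent"),
        ("Alice", "Bob", "06/03/2004", "Secret")]
KEY = secrets.token_bytes(32)
BLINDERS, STORE = zip(*(encrypt(KEY, d) for d in DOCS))

if __name__ == "__main__":
    print(search(gen_cap(KEY, BLINDERS, {0: "Alice", 1: "Bob"}), STORE))
```

Row 2 (Bob to Alice) is rejected only because the field index is hashed with the keyword; a sum of field-independent hashes would accept the swapped pair.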

14 Amortized Protocol
Parameters: unchanged
Encrypting a document D_i = (W_{i,1}, …, W_{i,m})
– Let V_{i,j} = f_k(W_{i,j})
– Let a_i be a random value

15 Amortized Protocol (Continued)
Generating a capability GenCap(j_1, …, j_t, W_{j_1}, …, W_{j_t})
– Pick a random value s
– A proto-capability
– The query part
Intuition
– In the basic protocol, we had
– Now, the proto-capability is independent of the query
  It can be transmitted “offline” before the query
– The random value s ties the proto-capability to the query
Verification: compute return True if and False otherwise

16 Constant Protocol
Parameters
– Two groups G_1 and G_2 of order q
– An admissible bilinear map e : G_1 × G_1 → G_2
– A generator g of G_1
– A keyed hash function f_k
Encrypting a document D = (W_1, …, W_m)
– Let V_i = f_k(W_i)
– Let R_{i,j} be values chosen uniformly independently at random
– Let

17 Constant Protocol (Continued)
Generating a capability GenCap(j_1, …, j_t, W_{j_1}, …, W_{j_t})
Verification

18 Conclusion and Future Work
Our contributions: Define security model for conjunctive keyword search on encrypted data and propose 3 protocols
1. Linear communication cost
2. Amortized linear communication cost
   Standard hardness assumption
3. Constant cost
   Uses new hardness assumption
Future work
– Extend to full boolean queries
  The OR operator appears tricky…
– Indistinguishability of capabilities
  Hide the fields that are being searched on

