Date post: | 14-Apr-2018 |
Category: |
Documents |
Upload: | bodhayan-prasad |
7/27/2019 Sedg Hi Sedan 2009
http://slidepdf.com/reader/full/sedg-hi-sedan-2009 1/16
Public Key Encryption with Prefix Keyword Search
Saeed Sedghi
SEDAN Workshop
October 7 2009
Outline
• Public key encryption with keyword search
• Prefix search
• Scheme
• Conclusion
Public key encryption with keyword search
Dan Boneh, Giovanni Di Crescenzo, Rafail Ostrovsky, Giuseppe Persiano
[Diagram: Server; labels W and W'; Test( , ) = 1]
PEKS algorithms
• Keygen($s$): Given a security parameter $s$:
– Master secret key: $msk$
– Public parameters: $param$
• SearchableRepresentation($W$, $param$): $S_W$
• Trapdoor($W'$, $msk$): $T_{W'}$
• Test($T_{W'}$, $S_W$) = 1 if $W = W'$
Anonymous identity based encryption
• Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions (Abdalla et al.)
• Any anonymous identity based encryption (IBE) scheme can be used as a PEKS scheme.
• Anonymous identity based encryption: an IBE scheme which hides the identity of the receiver.
• The message to be encrypted is 1 and the identity is replaced by the keyword.
• There are quite a few PEKS schemes.
PEKS with Prefix Test
• In many practical cases the client wants to perform a prefix keyword test
– Example: retrieve encrypted documents that contain “take”, “takes” and “taken” via a trapdoor built from “take”.
• Existing PEKS schemes (Anonymous IBE) are capable of equality search.
– Keygen($s$): Given a security parameter $s$:
• Master secret key: $msk$
• Public parameters: $param$
– Searchable-Encryption(“Takes”, $param$): $S_{\text{Takes}}$
– Trapdoor(“Take”, $msk$): $T_{\text{Take}}$
– Test($T_{\text{Take}}$, $S_{\text{Takes}}$) ≠ 1
Why PEKS is suitable for equality search only
$G$: a multiplicative group of order $q$
$g$: generator of group $G$
$e: G \times G \to G_T$
$e(g^x, g^y) = e(g,g)^{xy}$, $(g^x, g^y) \in G^2$
$H_1: \{0,1\}^* \to G$, $H_2: G_T \to \{0,1\}^p$
• Boneh et al PEKS:
Keygen($s$): $msk$: $a \in Z_q$, $param$: $(q, G, G_T, g^a, H_1, H_2, e(\cdot,\cdot))$
Searchable-representation($W$, $g^a$): $S_W = [g^r, H_2(e(g, H_1(W))^{ar})]$
Trapdoor($W'$, $a$): $T_{W'} = H_1(W')^a$
Test($T_{W'}$, $S_W$): output 1 if $[g^r, H_2(e(T_{W'}, g^r))] = S_W$
Solution Directions
• Trivial solutions:
– Client sends trapdoor of all the possible keywords
– Extend PEKS to a character based searchable encryption
• Using range queries on encrypted data techniques (Hidden vector encryption)
– Trapdoor is built for keyword W*
• Problem:
– Not efficient: decryption cost depends on the number of characters in the trapdoor
– The number of characters in the trapdoor is revealed
Prefix Keyword Search Scheme
Preliminaries
$G$: a multiplicative group of order $n$, $n = pq$ for two large primes $p$ and $q$
$g$: generator of group $G$
$e: G \times G \to G_T$
• Decision Linear Diffie-Hellman problem: Given a tuple $(g^{z_1}, g^{z_2}, g^{z_1 z_3}, g^{z_4}, Z)$ for random exponents $(z_1, z_2, z_3, z_4) \in Z_p$ it is hard to distinguish between $Z = g^{z_2(z_4 - z_3)}$ and a random $Z \in G$.
Prefix search without random oracle
• keygen($s$): $msk = (\alpha, p, q)$, $p$ is order of group $G$
• Pick $(u, u_1, \ldots, u_L) \in Z_n$. Pick $\alpha \in Z_n$
Pk =
• Searchable-Representation($W$, $pk$): $W = (w_1, \ldots, w_l)$
• Pick $(r_1, r_2) \in Z_n$
S W =
• Trapdoor($W'$, $\alpha$): $W' = (w'_1, \ldots, w'_m)$, Pick $s \in Z_n$
T W =
• Test($T_{W'}$, $S_W$): Let $S_W = (C_1, C_2, C_3)$. Let $T_{W'} = (T_1, T_2, T_3)$.
check if: $e(C_1, T_1)\,e(C_2, T_2) = e(C_3, T_3)$
Correctness
Since $e(g,g)^{pqx} = e(g,g)^{nx} = 1$ for any integer $x$:
IND-CPA Security
Game between Challenger and Attacker:
• Setup: Public parameters
• Query: $W_i$, $T_{W'}$
• Challenge: $(W_0, W_1)$, $S_{W_b}$
• Guess: Guess b
If Pr[b=b’] = ½ + ε, scheme is IND-CPA secure
Security analysis
• The searchable representation
is indistinguishable from $(g^{\alpha r_1}, g^{r_2}, Z)$, $Z$ is random from $G$
• Decision Linear Diffie-Hellman problem: Given a tuple $(g^{z_1}, g^{z_2}, g^{z_1 z_3}, g^{z_4}, Z)$ for random exponents $(z_1, z_2, z_3, z_4) \in Z_p$ it is hard to distinguish between $Z = g^{z_2(z_4 - z_3)}$ and a random $Z \in G$.
Conclusion

| Scheme | Cipher-text cost | Trapdoor cost | Search cost | Revealing # letters in trapdoor | Capability |
| Trivially extended Anonymous IBE and PEKS | O(l) | O(m) | O(m) | Yes | Prefix Search |
| Waters range query | O(l) | O(m) | O(m) | Yes | Subset, range, comparison query |
| Dimensional range query | O(l) | O(m) | O(m) | Yes | Subset, range, comparison query |
| Our scheme | O(l) | O(m) | O(1) | No | Prefix Search |