7/27/2019 Sedg Hi Sedan 2009

http://slidepdf.com/reader/full/sedg-hi-sedan-2009 1/16

Public Key Encryption with

Prefix Keyword Search

Saeed SedghiSEDAN Workshop

October 7 2009

7/27/2019 Sedg Hi Sedan 2009

http://slidepdf.com/reader/full/sedg-hi-sedan-2009 2/16

Outline

• Public key encryption with keyword search

• Prefix search

• Scheme

• Conclusion

7/27/2019 Sedg Hi Sedan 2009

http://slidepdf.com/reader/full/sedg-hi-sedan-2009 3/16

Public key encryption with keyword

search

Dan Boneh, Giovanni Di Crescenzo, Rafail Ostrovsky, Giuseppe Persiano

Server 

W W’ 

Test( , ) =1W  W’ 

7/27/2019 Sedg Hi Sedan 2009

http://slidepdf.com/reader/full/sedg-hi-sedan-2009 4/16

PEKS algorithms

•

Keygen( s): Given a security parameter  s: –  Master secret key: msk 

 –  Public parameters: param

• SearchableRepresentation(W , param) : S W 

• Trapdoor(W’ , msk ): T W’ 

• Test(T W’ , S W ) = 1 if W = W’ 

7/27/2019 Sedg Hi Sedan 2009

http://slidepdf.com/reader/full/sedg-hi-sedan-2009 5/16

 Anonymous identity based encryption

• Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions

Abdallah et al

• Any anonymous identity based encryption (IBE) scheme can

 be used as a PEKS scheme.

• Anonymous identity based encryption: an IBE scheme which

hides the identity of the receiver.• Message to be encrypted is 1 and identity is replaced by

keyword

• There are quite many PEKS schemes

7/27/2019 Sedg Hi Sedan 2009

http://slidepdf.com/reader/full/sedg-hi-sedan-2009 6/16

PEKS with Prefix Test

• In many practical cases client wants to perform a prefixkeyword test

 – Example: retrieve encrypted documents that contain “take”, “takes” and

“taken” via a trapdoor built by “take”.

• Existing PEKS schemes (Anonymous IBE) are capable of 

equality search.

– Keygen( s): Given a security parameter  s:

• Master secret key: msk 

• Public parameters: param

– Searchable-Encryption(“Takes” , param) : S Takes

– Trapdoor(“Take” , msk ): T Take

– Test(T Take , S Takes) ≠ 1

7/27/2019 Sedg Hi Sedan 2009

http://slidepdf.com/reader/full/sedg-hi-sedan-2009 7/16

Why PEKS is suitable equality search only

G: a multiplicative group of order q g : group generator of group G

e: G G GT

e( g  x

 , g  y

) = e( g,g ) xy

 , ( g  x

 , g  y

) Є G2

 H 1: {0,1}* G , H 2: GT  {0,1} p

• Boneh et al PEKS:

Keygen( s): msk : a Є Z q , param: (q, G , GT  , g a) , H 1 , H 2 , e(.,.) )

Searchable-representation(w, g a):

S W = [ g r  , H 2(e( g , H 1(W ))ar )]

Trapdoor(W , a): T W’ = H 1(W’ )a

Test(T W’ 

, S W 

): output 1 if [ g r , H (e(T W’ 

, g r )] = S W 

7/27/2019 Sedg Hi Sedan 2009

http://slidepdf.com/reader/full/sedg-hi-sedan-2009 8/16

Solution Directions• Trivial solutions:

 –  Client sends trapdoor of all the possible keywords

 –  Extend PEKS to a character based searchable encryption

• Using range queries on encrypted data techniques( Hidden vector encryption)

 –  Trapdoor is built for keyword W *

• Problem:

 –  Not efficient: Decryption cost depends on #characters in

trapdoor 

 –  Revealing #characters in trapdoor is revealed

7/27/2019 Sedg Hi Sedan 2009

http://slidepdf.com/reader/full/sedg-hi-sedan-2009 9/16

Prefix Keyword Search Scheme

7/27/2019 Sedg Hi Sedan 2009

http://slidepdf.com/reader/full/sedg-hi-sedan-2009 10/16

Preliminaries

G: a multiplicative group of order nn = pq for two large primes p and q

 g : group generator of group G

e: G G GT

• Decision Linear Diffie-Hellman problem: Given a

tuple ( g z1 , g z2 , g z1z3 , g z4 , Z ) for random exponents

( z 1 , z 2 , z 3 , z 4) Є Z p it is hard to distinguish between

 Z = g  z 2( z 4 - z3) and a random Z є G.

7/27/2019 Sedg Hi Sedan 2009

http://slidepdf.com/reader/full/sedg-hi-sedan-2009 11/16

Prefix search without random oracle• keygen( s): msk = (α , p, q)  p is order of group G

• Pick (u , u1 ,.., u L) Є Z n. Pick  α Є Z n

 Pk =

• Searchable-Representation(W , pk ): W = (w1,…,wl )

• Pick (r 1 , r 2) Є Z n

S W =

•

Trapdoor(W’ , α): W’ = (w’ 1 ,…,w’ m), Pick  s Є Z n

T W =

• Test(T W’ , S W ): Let S W = (C1 , C2 , C3). Let T W’ = (T 1 , T 2 , T 3).

check if: e(C 1 , T 1)e(C 2 , T 2) = e(C 3 , T 3)

7/27/2019 Sedg Hi Sedan 2009

http://slidepdf.com/reader/full/sedg-hi-sedan-2009 12/16

Correctness

Since e( g,g ) pqx = e( g,g )nx = 1 for any integer  x:

7/27/2019 Sedg Hi Sedan 2009

http://slidepdf.com/reader/full/sedg-hi-sedan-2009 13/16

IND-CPA Security

Challenger Attacker  

Public parameters

W i

T W’ 

(W 0 , W 1)

S Wb

Guess b

If Pr[b=b’] = ½ + ε, scheme is IND-CPA secure

Setup

Query

Challenge

Guess

7/27/2019 Sedg Hi Sedan 2009

http://slidepdf.com/reader/full/sedg-hi-sedan-2009 14/16

Security analysis

• The searchable representation

is indistinguishable from ( g αr 1 , g r 2 , Z ) , Z is random from G

• Decision Linear Diffie-Hellman problem: Given atuple ( g z1 , g z2 , g z1z3 , g z4 , Z ) for random exponents

( z 1 , z 2 , z 3 , z 4) Є Z p it is hard to distinguish between

 Z = g  z 

2( z 

4

- z3

)

and a random Z є G.

7/27/2019 Sedg Hi Sedan 2009

http://slidepdf.com/reader/full/sedg-hi-sedan-2009 15/16

ConclusionCipher-text

cost

Trapdoor 

Cost

Search

cost

Revealing #

letters intrapdoor 

Trivially extended

Anonymous IBE

and PEKS

O(l ) O(m) O(m) Yes

Waters range queryO(l ) O(m) O(m) Yes

Dimensional range

query O(l ) O(m) O(m) Yes

Our scheme O(l ) O(m) O(1) No

Capability

Prefix Search

Subset, range,

comparison query

Subset, rangecomparison query

Prefix Search

7/27/2019 Sedg Hi Sedan 2009

http://slidepdf.com/reader/full/sedg-hi-sedan-2009 16/16

Questions?