- 65 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' Secure Indexes' - amethyst-randall

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Outline

- Introduction
- Contribution
- Index Scheme
- Background
- Construction
- Choosing Suitable Bloom Filter Parameter

Outline

- Pseudo-Random Functions
- IND-CKA
- Z-IDX is a IND-CKA index
- Conclusion
- Comment

Introduction

- Keyword indexes let us search in constant time for documents containing specified keywords
- Unfortunately, standard index constructions such as those using hash table are unsuitable for indexing encrypted documents

Introduction

- In this paper, they formally define a secure index that allows a querier with a “trapdoor” for a word x to test in O (1) time only if the index contains x
- The index reveals no information about its constants without valid trapdoors

Contribution

- The first contribution of this paper is in defining a secure index and formulating a security model for indexes known as semantic security against adaptive chosen keyword attack (IND-CKA)

n words

Knows m words

n-m unknown wotrds

index

Can’t get any word

adversary A

document D

Contribution

- The second contribution is an efficient IND-CKA secure index construction called Z-IDX, which is built using pseudo-random functions and Bloom filters
- Z-IDX scheme is efficient

Contribution

27.4 megabytes

2654 plaintext files

an index for the average document is roughly 121.4 kilobytes in size

The largest document in this collection is 876.6 kilobytes long and its index is 774.3 kilobytes large

The smallest document is 9 bytes long and its index is 115 bytes large

Debian Linux

15151 indexes can searched in one second

on a 866 MHz Pentium 3 machine

Index Scheme

- Keygen (s): Given a security parameter s, outputs the master private key Kpriv
- Trapdoor (Kpriv, w): Given the master key Kpriv and word w, outputs the trapdoor Tw for w

Index Scheme

- BuildIndex (D, Kpriv): Given a document D and the master key Kpriv, outputs the index ID
- SearchIndex(Tw, ID): Given the trapdoor Tw for word w and the index ID for document D, outputs 1 if w D and 0 otherwise

Index Scheme

Store

ID1, E(D1)

Server

Alice

Index

Encrypted data

Keygen (s): Kpriv

BuildIndex (D1, Kpriv): ID1

Index Scheme

Tw

E(D1), …

Alice

Server

SearchIndex(Tw, ID1)

Keygen (s): Kpriv

1

Trapdoor (Kpriv, w): Tw

0

…

Background

- pseudo-random functions :is computationally indistinguishable from a random function
- given pairs (x1, f(x1, k)), . . . , (xm, f(xm, k)), an adversary cannot predict f(xm+1, k) for any xm+1

Background

- Bloom Filter: a set of S = {s1, . . . , sn} of n elements and is represented by an array of m bits.
- All array bits are initially set to 0. The filter uses r independent hash functions h1, . . . , hr, where hi : {0, 1}* ->[1,m] for i [1, r].

To determine if an element a belongs to the set S

a

h1(a)

h2(a)

.

.

.

hr(a)

If all bit are 1’s,then a S

Else a S

Construction

- Keygen(s): Given a security parameter s, choose a pseudo-random function f : {0, 1}n×{0, 1}s {0, 1}s and the master key Kpriv = (k1, . . . , kr) {0, 1}sr
- Trapdoor(Kpriv,w): Given the master key Kpriv = (k1, . . . , kr) {0, 1}sr and word w, output the trapdoor for word w as Tw = (f(w, k1) , . . . , f(w, kr)) {0, 1}sr

R

Construction

- BuildIndex(D,Kpriv):

Document D : Did {0, 1}n

Input

A list of words (w0, . . . ,wt) {0, 1}nt

Kpriv = (k1, . . . , kr) {0, 1}sr

Output IDid = (Did, BF)

trapdoor

codeword

x1 = f (wi , k1)

. . .

xr= f (wi , kr)

y1 = f (Did , x1)

. . .

yr = f (Did , xr)

Wi

BF for Did

Construction

- SearchIndex(Tw, IDid):

Input trapdoor Tw = (x1,…, xr) {0, 1}sr

index IDid= (Did , BF) for document Did

Test if BF contains 1’s in all r locations denoted by y1, . . . , yr

y1 = f (Did , x1)

. . .

yr = f (Did , xr)

If so, output 1; Otherwise, output 0

Choosing Suitable Bloom Filter Parameter

- Hash functions h1,…., hr
- Insert n distinct element in to an array of size m
- The probability that bit i in the array is 0 is (1 – (1/m))rn ≈ e-rn/m
- the probability of a false positive is (1 − (1 − (1/m))rn)r ≈ (1 − e−rn/m)r

Choosing Suitable Bloom Filter Parameter

- False positive rate
fp = (1/2)r =(1 − e−rn/m)r

½ = 1 − e−rn/m

- ½ = e−rn/m
- ln(1/2) = -rn/m
- ln 2 = r (n/m)
- m = rn/ ln 2

Choosing Suitable Bloom Filter Parameter

Choose suitable m

Pseudo-Random Functions

- f : {0, 1}n × {0, 1}s ->{0, 1}m is a (t, ɛ, q)-pseudo-random function if for any t time oracle algorithm A that makes at most q adaptive queries

IND-CKA

- Setup :
- Queries :

Adversary A

Chooses a number of subsets from S

This collection of subset is called S*

Challenger C

creates a set S of q words

S

S*

C build index for each subset in S*

Index

Query C on a word x

Trapdoor Tx for x

IND-CKA

- Challenge :

A picks a non-empty subset V0S*, and generating another non-empty subset V1 from S such that |V0 −

V1| 0, |V1 − V0| 0, and the total length of words in V0 is equal to that in V1

Next, A gives V0 and V1 to C who chooses b {0,1}, invokes BuildIndex(Vb , Kpriv) to obtain the index IVb for Vb , and return IVb to A

IND-CKA

- Response :A eventually output a bit b’, representing its guess for b
- The advantage of A in winning this game is defined as AdvA = | Pr[b = b’] − 1/2|
- We say that an adversary A (t, ɛ, q)-breaks an index if AdvA is at least ɛ after A takes at most t time and makes q trapdoor queries to the challenger. We say that I is an (t, ɛ, q)-IND-CKA secure index if no adversary can (t, ɛ, q)-break it

- AdvA = | Pr[b = b’] − 1/2|< ɛ

Z-IDX is a IND-CKA index

- Theorem 3.2.
If f is a (t, ɛ, q)-pseudo-random function, then Z-IDX is a (t, ɛ, q/2)- IND-CKA index

- We use ¬q -> ¬p to prove

Z-IDX is a IND-CKA index

- Prove :Suppose Z-IDX is not a (t, ɛ, q/2)- IND-CKA index

algorithm A

(t, ɛ, q/2)-breaks Z-IDX

We build an algorithm B that

uses A to determine if f is a pseudo-random function or a random function.

the unknown function f that takes as input x {0, 1}n and returns f (x) {0, 1}s.

Z-IDX is a IND-CKA index

- Setup :
- Queries :

algorithm A

Chooses a number of subsets from S

This collection of subset is called S*

algorithm B

creates a set S of q/2 words

S

S*

B build index for each subset in S*

Index

Query B on a word x

Trapdoor Tx for x

Z-IDX is a IND-CKA index

- Response : A eventually outputs a bit b’, representing its guess for b. If b’ = b, then B outputs 0, indicating that it guesses that f is a pseudo-random function. Otherwise, B outputs 1
- B takes at most t time because A takes at most t time. Furthermore, B makes at most q queries to f because there are only q/2 strings in S and A makes at most q/2 queries

Z-IDX is a IND-CKA index

- Claim 1: When f is a pseudo-random function, then
- Claim 2: When f is a random function, then

Z-IDX is a IND-CKA index

By claim1 and claim 2

But, if f is a (t, ɛ, q)-pseudo-random function

Theorem 3.2.

If f is a (t, ɛ, q)-pseudo-random function, then Z-IDX is a (t, ɛ, q/2)- IND-CKA index

Conclusion

- Z-IDX is efficient for search indexes
- Index and document’s size are independent
- Property : ”hidden queries”, “controlled searching”, and “query isolation”

Comment

- Bloom Filter is a probabilistic data structure
- Need more space
(index’s size ≈ document’s size)

Download Presentation

Connecting to Server..