1 / 31

Secure Conjunctive Keyword Search Over Encrypted Data

Secure Conjunctive Keyword Search Over Encrypted Data. Author: Philippe Golle and Jessica Staddon and Brent Waters Presenter: 陳昱圻. Outline. Motivating Scenario Model and definitions Security Game & Hardness Assumption Basic protocol Amortized Protocol Constant-size Protocol.

zulema
Download Presentation

Secure Conjunctive Keyword Search Over Encrypted Data

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Conjunctive Keyword Search Over Encrypted Data Author: Philippe Golle and Jessica Staddon and Brent Waters Presenter: 陳昱圻

  2. Outline • Motivating Scenario • Model and definitions • Security Game & Hardness Assumption • Basic protocol • Amortized Protocol • Constant-size Protocol

  3. Motivating Scenario • Alice has a large amount of data • Which is private • Which she wants to access any time and from anywhere • Example: her emails • Alice stores her data on a remote server • Good connectivity • Low administration overhead • Cheaper cost of storage • But untrusted

  4. Motivating Scenario • Alice may not trust the server • Data must be stored encrypted • Alice wants ability to search her data • Keyword search: “All emails from Bob” • Alice wants powerful, efficient search • She wants to ask conjunctive queries • E.g. ask for “All emails from Bob AND received last Sunday”

  5. Encryption E(D1), E(D2), …, E(Dn) Later, Alice wants all Di which contain a keyword W She generates a capability for W Cap = GenCap(W) E(Di) such that Verify(Cap,E(Di)) = T Search on Encrypted Data Alice Storage Server D1, D2, …, Dn Verify(Cap, E(Di)) = True if Di contains W Verify(Cap, E(Di)) = False otherwise Alice decrypts E(Di)

  6. Single Keyword Search • Solution of Song, Wagner & Perrig • [2000 IEEE Security and Privacy] • Define a security model for single keyword search • Propose provably secure protocols • Limitations • Limited to queries for a single keyword • Can’t do boolean combinations of queries • Example: “emails from Bob AND (received last week OR urgent)” • We focus on conjunctive queries • Documents Di which contains keywords W1 and W2 … and Wn • More restrictive than full boolean combinations • But powerful enough! (see search engines)

  7. Possible Approaches to Conjunctive Queries • Alice wants all documents with keywords W1 and W2 … and Wn • Computing set intersections • She generates capabilities Cap1 , Cap2 … Capn for W1 ,W2 … Wn • Storage server finds sets of documents S1 ,S2 … Sn that match the capabilities Cap1 , Cap2 … Capn and returns the intersection ∩Si • Problem • Server learns a lot of extra information on top of result of conjunctive query • E.g. “Emails from Bob & Secret” “Emails from President & Secret” “Emails from President & Non-secret”

  8. Possible Approaches to Conjunctive Queries • Defining Meta-Keywords • Define a meta-keyword for every possible conjunction of keywords • E.g. “Email from Bob & Secret”  meta-keyword “From Bob || Secret” • Meta-keywords are associated with documents like regular keywords • Problem: with m keywords, we must define 2m meta-keywords to allow for all possible conjunctive queries. • Ex: Now we have 5 keywords: • If we use zero keyword to search, we have meta-keyword. • If we use 1 keyword to search, we have meta-keywords. • Total we have

  9. m fields From To Date Status D1 D2 n docs Dn Model of Documents • We assume structured documents where keywords are organized by fields The documents are the rows of the matrix Di = (Wi, 1, …, Wi, m)

  10. Conjunctive Search on Encrypted Data Scheme • Encryption: same as before • Generating a Capability • Before: Cap = GenCap(W) • Now: Cap = Gencap(j1, …,jt, Wj1, …, Wjt) where • j1, …,jt are t field indices • Wj1, …, Wjt are t keywords • Example: GenCap(“From, Date”, “Bob, 06/04/2004”) • Verifying a capability • Let Cap = Gencap(j1, …,jt, Wj1, …, Wjt) • Verify (Cap, D) returns True if • D has keyword Wj1 in field j1 • … • D has keyword Wjt in field jt

  11. Security definitions • A capability Cap enables the server to divide documents into two groups: those that satisfy the capability, and those that do not. • A conjunctive keyword search scheme is secure if the server learns no other information from a set of encrypted documents and capabilities.

  12. Security definitions(cont.) • To facilitate the security definitions we define a randomized document Rand(D, T), for any set of indices and document D = (W1,…,Wm). • Rand(D,T) is formed from D by replacing the keywords of D that are indexed by T (i.e., the set ) by random values.

  13. Definition 1. • A capability Cap is distinguishing for documents Di and Dj if • Give a set of indices, ,a capability Cap distinguishes a document D from Rand(D,T) if

  14. Security Model • Informally • “capabilities reveal no more information than they should” • In particular, capabilities can’t be combined to create new ones • GenCap (j1, j2, W1, W2) & GenCap(j1, W1)  GenCap(j2, W2) • Except for “trivial” set-theoretic combinations • GenCap (j1, j2, W1, W2) & GenCap(j1, W1)  GenCap(j1, j2, W1, ┐W2) • Formally: we define the following game(ICC) with an adversary A • A calls Encrypt and GenCap • A chooses two documents D0 and D1 and receives E(Db) • A again calls Encrypt and GenCap • A guesses the bit b

  15. Security Model • A wins if • A guesses b correctly • And none of the capabilities given in Steps 1 and 3 distinguish D0 from D1 • We say that the scheme is secure if A can’t distinguish D0 and D1 with non-negligibly advantage without the help of distinguish capability for D0 and D1 .

  16. Security Game • ICC(indistinguishability of ciphertext from ciphertext) with D0 & D1 • ICR(indistinguishability of ciphertext from random) D0 & Rand(D,T) • ICLR(indistinguishability of ciphertext from limited random) Rand(D,T) & Rand(D,T-{t})

  17. Hardness Assumptions • Decisional Diffie-Hellman (DDH) • Bilinear Decisional Diffie-Hellman (BDDH) • 假設DDH與BDDH不好解得

  18. Basic Protocol • Parameters • A group G of order q in which DDH is hard and a generator g of G • A keyed hash function fk (Alice has the secret key k) • A hash function h • Encrypting Di = (Wi,1, …, Wi,m) • Let Vi, j = fk(Wi, j) • Let ai be a random value • Intuition • Alice commits to the encrypted keywords • The ai’s ensure that commitments are different for each document • Same keyword looks different in different documents • The commitments are malleable within the same document • Product of commitments = commitment to sum • Commitments are NOT malleable across different documents

  19. Generating a capability Gencap(j1, …,jt, Wj1, …, Wjt) • Verifying a capability Basic Protocol (Continued) • Intuition • The commitments are malleable • The capability that allows the verification of commitments is not malleable

  20. X Example From To Status • Capability for emails from Alice to Bob is • Let s = fk (alice) + fk (Bob) Problem: the size of capabilities is linear in n

  21. Amortized Protocol • Parameters: unchanged • Encrypting a document Di = (Wi,1, …, Wi,m) • Let Vi, j = fk ( Wi, j ) • Let ai be a random value

  22. Verification: compute • return True if and False otherwise Amortized Protocol (Continued) • Generating a capability Gencap(j1, …,jt, Wj1, …, Wjt) • Pick a random value s • A proto-capability • The query part • Intuition • In the basic protocol, we had • Now, the proto-capability is independent of the query • It can be transmitted “offline” before the query • The random value s ties the proto-capability to the query

  23. Constant Protocol • Parameters • Two group G1 and G2 of order q • An admissible bilinear map e : G1 X G1 G2 • A generator g of G1 • A keyed hash function fk • Encrypting a document D = (W1, …, Wm) • Let Vi = fk(Wi) • Let Ri,j be values chosen uniformly independently at random • Let

  24. Constant Protocol (Continued) • Generating a capability Gencap(j1, …,jt, Wj1, …, Wjt) • Verification

  25. Conclusion and Future Work • Our contributions: Define security model for conjunctive keyword search on encrypted data and propose 3 protocols • Linear communication cost • Amortized linear communication cost • Standard hardness assumption • Constant cost • Uses new hardness assumption • Future work • Extend to full boolean queries • The OR operator appears tricky… • Indistinguishability of capabilities • Hide the fields that are being searched on(欄位的隱藏)

  26. Definition 2. • We say a conjunctive search scheme is secure according to the game ICC if any polynomial time adversary A, is a negligible function of the security parameter k.

  27. Security Game ICC • The adversary, A, adaptively requests the encryption, , of documents, D, and search capabilities, Cap. • A picks two documents, D0,D1 such that none of the capabilities Cap given in step 1 is distinguishing for D0 and D1. The challenger then chooses b randomly from {0,1} and gives A an encryption of Db.

  28. Security Game ICC • A may again ask for encrypted documents and capabilities, with the restriction that A may not ask for a capability that is distinguishing for D0 and D1. The total number of all ciphertext and capability requests is polynomial in k. • A outputs and is successful if We define the adversary's advantage as: and the adversary is said to have an ε-advantage if

  29. Security Game ICR • 類似於ICC • 唯有D1=Rand(D0,T) • A目標也是分辨D0&D1 • Proposition 1.If there is an adversary A that wins Game ICC with advantage ε, then there exists an adversary A’ that wins Game ICR with advantage ε/2.

  30. Security Game ICLR • 類似於ICR • 唯有D0=Rand(D,T) D1=Rand(D,T-{t}) • A目標也是分辨D0&D1 • Proposition 2.If there is an adversary A that wins Game ICR with advantage ε, then there exists an adversary A’ that wins Game ICLR with advantage .

More Related