Download PK b

Public Key Encryption with
keyword search
Author:
Dan Boneh, Giovanni Di Crescenzo,
Rafail Ostrovsky, Giuseppe Persiano.
Presenter: 紀銘偉
1
Problem
User1(Alice)
User2(Bob)
No interactive
send
receive
Untrusted mail server
2
outline




Public key encryption keyword search(PEKS)
PEKS Security game
PEKS implies Identity Based Encryption
Construction
1.
2.

Construction using bilinear maps
Construction using any trapdoor permutation
(two method)
Source-indistinguishability security game
3
Public key encryption with search:
definitions (1/4)


Bob wants to send mail to Alice, then he
sends the following message:
 EPK A ( M ) || PEKS ( PK A ,W1 ) || ... || PEKS ( PK A ,Wk ) 
Our goal is to enable Alice to send Tw to mail
server that will enable the server to all mails
containing the keyword W. And server simply
sends the relevant email back to Alice.
4
Public key encryption with search:
definitions (2/4)
User1(Alice)
User2(Bob)
retrieve
Send
 EPK ( M ), PEKS ( PK ,W1 ),..., PEKS ( PK ,Wk )
Search mails with word W
Tw
Untrusted mail server
5
Public key encryption with search:
definitions (3/4)

Definition 2.1.: A non-interactive public key
encryption with keyword search scheme
consists of the following polynomial time
randomized algorithms:
1.KeyGen( s )
2.PEKS ( PK ,W )
3.Trapdoor ( SK ,W )
4.Test ( PK , S , Tw )
6
Public key encryption with search:
definitions (4/4)
1. KeyGen(s):Take a security parameter, s,and generates a pub/priv key
pair PK , SK .
2. PEKS(PK ,W ): for a public key PK and a word W , produces a searchable
encryption of W .
3. Trapdoor(SK ,W ):given A's private key and a word W
produces a trapdoor TW .
4. Test(PK ,S ,TW ):given A's public key, a searchable encryption
S  PEKS(PK ,W ' ), and a trapdoor TW  Trapdoor( SK ,W ),
outputs "yes" if W  W ' and "no" otherwise.
7
PEKS Security game
1.
2.
3.
The challenger C runs the KeyGen(s) algorithm to
generate PK and SK. It gives PK to the attacker A.
A can adaptively ask C for the trapdoor Tw for any
keyword W  {0, 1}* of his choice.
A sends W0, W1 on which it wants to challenge. 唯一的
限制是step2時不能得到TW 或 TW . C gives A
ciphertext=PEKS(PK, Wb), where b {0, 1}.
A can continue to ask for trapdoors for any keyword as
long as W ≠ W0, W1.
Then, A outputs b’ {0, 1} and wins the game if b=b’.
0
4.
5.
1
AdvA(s)=|Pr[b=b’ ]-1/2|
8
PEKS security


PEKS is semantically secure against an
adaptive chosen keyword attack if AdvA(s) is
negligible.
PEKS is not chosen ciphertext secure.
9
PEKS implies Identity Based
Encryption(1/4)


Constructing a secure PEKS is at least a
harder problem than constructing an IBE.
Lemma 2.3 A non-interactive searchable
encryption scheme (PEKS) that is
semantically secure against an adaptive
chosen keyword attack gives rise to a chosen
ciphertext secure IBE system (IND-ID-CCA).
10
PEKS implies Identity Based
Encryption(2/4)



Proof sketch: Given a PEKS (KeyGen,
PEKS, Trapdoor, Test) the IBE system is as
follow:
1. Setup: Run the PEKS KeyGen algorithm
to generate PK/SK. The IBE system
parameter are PK. The master-key is SK.
2.KeyGen: the IBE private key associated
*
X

{
0
,
1
}
with a public key
is
d X  Trapdoor( SK , X || 0), Trapdoor( SK , X ||1)
11
PEKS implies Identity Based
Encryption(3/4)


3.Encrypt: Encrypt a bit b  0,1 using a public
key X  0,1* as: CT  PEKS ( PK , X || b)
4.Decrypt: To decrypt CT  PEKS ( PK , X || b)
using the private d X  d0 , d1  . Output ‘0’ if
Test ( PK , CT , d 0 )  ' yes ' and output ‘1’ if
Test ( PK , CT , d1 )  ' yes '
12
PEKS implies Identity Based
Encryption(4/4)


The resulting system is IND-ID-CCA
assuming the PEKS is semantically secure
against an adaptive chosen message
attack.(once can send a bit?)
Building non-interactive public-key
searchable encryption is at least as hard as
building an IBE system.
13
Constructions



Two constructions for public-key searchable
encryption:
(1) an efficient system based on a variant of
Decision Diffie-Hellman assumption .
(assuming a random oracle)
(2) a limited system based on general
trapdoor permutations, but less efficient.
(without assuming the random oracle)
14
Diffie-Hellman 鑰匙交換的運作程序



n 與 g 為公開值
雙方各選一個較大的數值 x 與 y
計算出『秘密鑰匙』：gxy mod n
15
Construction using bilinear maps(1/4)
Using two groups G1 ,G2 of prime order p and a
bilinear map e : G1  G1  G2 .
 The map satisfies :
1.Computable: given g , h  G1 there is a
polynomial time algorithms to compute e( g, h)  G2
2.Bilinear: for any integer x, y  [1, p] then

e( g , g )  e( g , g )
x
y
xy
3.Non-degenerate: if g is a generator of G1
then e( g , g ) is a generator of G2
16
Construction using bilinear maps(2/4)


We need two hash functions H1 : {0, 1}*→ G1
log p
and H2 : G2 → {0,1}
.
KeyGen: Picking a random value   *p and
generator g of G1. Output
PK  [ g , h  g  ] and SK  
17
Construction using bilinear maps(3/4)

PEKS ( PK ,W ) : compute
t  e  H1 W  , h  ( g )   G2
for a random r  *p .
r
[
g
, H 2 (t )]
Output PEKS ( PK ,W ) =
r


 r
Trapdoor ( SK ,W ) : output Tw  H1 W   G1
Test  PK , S , Tw  : let S  [ A, B]. Test if
H 2 (e(Tw , A))  B (hence H 2 ( e( H1 (W ) , g r ))  H 2 (t )
)If so, output ‘yes’ ; otherwise, output ‘no’.

18
Construction using bilinear maps(4/4)

S  [ A, B ]  PEKS( PK ,W )  [ g r , H 2 (t )]
Compute H 2 (e(Tw , A))  B , where TW=H1(W)α

r
left  H 2 (e( H1 (W ) , g ))  H 2 ( e( H 1 (W ), g ) )
r
right  H 2 (t )  H 2 (e( H 1 (W '), h ))
r
 r
r
 H 2 ( e( H1 (W '),( g ) ))  H 2 ( e( H1 (W '), g ) )

if Test outputs ‘yes’ means W=W’ then the
mail server sends the Bob’s mail to Alice.
19
Bilinear Diffie-Hellman Problem
(BDH)

Fix a generator g of G1. The BDH problem is
as follows: given g, ga, gb, gc  G1 as input,
compute e(g, g)abc  G2. We say that BDH is
intractable if all polynomial time algorithms
have a negligible advantage in solving BDH.
20
PEKS using bilinear maps security
(Theorem)

Theorem 3.1: The non-interactive searchable
encryption scheme(PEKS) above is
semantically secure against a chosen
keyword attack in the random oracle model
assuming Bilinear Diffie-Hellman(BDH) is
intractable.
21
PEKS using bilinear maps security
(parameter)
Parameters:
 : A's advantage in breaking PEKS
qH 2 : A at most hash function query times

qT : A at most trapdoor query times
g: generator of G1
Goal:We construct B that solves the BDH problem
with probability at least  '   /( eqT qH 2 ),
Where e is the base of the natural logarithm.
22
PEKS using bilinear maps security
(step)
H1, H2-queries.
Trapdoor queries.
Challenge.
More trapdoor queries.
Output.
1.
2.
3.
4.
5.
1.
2.
3.
Claim 1
Claim 2
Claim 3
23
PEKS using bilinear maps security
(H1, H2-queries 1/2)


H1-list: each tuple=<Wj, hj, aj, cj> maintains
by B for initially empty.
A queries H1 with Wi  {0,1}*and B responds
as follows:
If Wi appears on H1-list then B returns H1(Wi)=hi  G1
Otherwise, B generates a random coin ci  {0,1}
so that Pr[ci=0]=1/(qT+1).
B picks a random ai   p
1.
2.
3.


If ci = 0, B computes hi  g   g ai  G1
a
If ci = 1, B computes hi  g i  G1
24
PEKS using bilinear maps security
(H1, H2-queries 2/2)
B adds <Wi, hi, ai, ci> to the H1-list and responds
to A by setting H1(Wi)=hi.
Note that hi is uniform in G1 and is independent
of A’s current view as required.
Similarly, A queries to H2. B responds to H2(t) by
picking a new random V {0,1}log p for each new t and
setting H2(t)=V. Then, B adds (t, V) to H2-list for initially
empty.
4.
25
PEKS using bilinear maps security
(Trapdoor queries)

When A queries a trapdoor corresponding to
the word Wi then B responds as follows:
1.
2.
B runs H1-queries to obtain an hiG1 such that
H1(Wi)=hi. If ci=0 then B reports failure.
Otherwise, we know ci  1 and hence hi  g  G1.
ai
Define Ti  ( g  ) ai . Observe that Ti  H1 (Wi ) and
therefore Ti is the correct trapdoor for the keyword
Wi under the public key PK  [ g , g  ]. B gives Ti to A.
26
PEKS using bilinear maps security
(Challenge 1/2)

A wants to challenge W0 and W1. B
generates the challenge PEKS as follows:
1.
2.
3.
B runs H1-queries twice to obtain h0, h1 G1
such that H1(W0)=h0 and H1(W1)=h1. If both c0=1
and c1=1 then B reports failure.
We know that at least one of c0, c1 is equal to 0.
B randomly picks b {0,1} such that cb=0.
B responds with the challenge PEKS C  [ g  , J ]
for a random J {0,1}log p.
27
PEKS using bilinear maps security
(Challenge 2/2)

Note that this challenge implicitly defines
H 2 (e( H1 (Wb ),( g  ) ))  J . In other words,
 


J  H 2 (e( H1 (Wb ),( g ) ))  H 2 (e( g  g , g ))
 (   ab )
 H 2 ( e( g , g )

ab
)
With this definition, C is a valid PEKS for Wb
as required.
28
PEKS using bilinear maps security
(More trapdoor queries)

A can continue to issue trapdoor queries for
keywords Wi where the only restriction is that
Wi ≠W0, W1. B responds to these queries as
before.
29
PEKS using bilinear maps security
(output)

A outputs its guess b’ {0,1} for whether C is
the result of PEKS(PK,W0) or PEKS(PK,W1).
B picks a random pair (t,V) from H2-list and

 ab

outputs t / e( g , g ) as its guess for e( g , g )
, where ab is the value used in the Challenge
step.
30
PEKS using bilinear maps security
(define events)



E1: B does not abort as a result of any of A’s
trapdoor queries.
E2: B does not abort during the challenge
phase.
E3: In the real attack A does not issue a
query for either one of
H 2 (e( H1 (W0 ),( g  ) )) and H 2 ( e( H1 (W1 ),( g  ) )).
31
PEKS using bilinear maps security
(claim 1)
The probability that B does not abort as a
result of A’s trapdoor queries is at least 1/e.
Hence, Pr[E1] ≧ 1/e.
Pf: B will abort only when ci=0 and
Pr[ci=0]=1/(qT+1), and the other parameters
are independent with ci. Since A makes at
most qT trapdoor queries, B does not abort as
a result of all trapdoor queries is at least
(1  1/( qT  1)) qT  1/ e.

32
PEKS using bilinear maps security
(claim 2)
The probability that B does not abort during
the challenge phase is at least 1/qT. Hence,
Pr[E2] ≧1/qT.
Pf: B will abort only when c0=c1=1 and the other
parameters are independent with c0, c1.
Since Pr[ci=0]=1/(qT+1) for all i, and ci is
independent with cj for all i≠j. We have that B
does not abort during the challenge phase is

Pr[c0  c1  1]  (1  1/( qT  1))  1  1/ qT .
2
33
PEKS using bilinear maps security
(claim 3 1/4)

Suppose that in a real attack game A is given

[
g
,
g
] and A asks to be
the public key
challenged on words W0 and W1. In
response, A is given a challenge C  [ g  , J ]
Then, in the real attack game A issues an H2
query for either
H 2 (e( H1 (W0 ),( g  ) )) or H 2 (e( H1 (W1 ),( g  ) ))
with probability at least 2 .
34
PEKS using bilinear maps security
(claim 3 2/4)
Pf: When E3 occurs, we know that A’s output b’
will satisfy b=b’ with probability at most ½. By
definition of A, we know that in the real attack
|Pr[b=b’]-1/2|≧ε.
Pr[b  b '] 
Pr[b  b ' | E3 ]* Pr[ E3 ]  Pr[b  b '] | E3 ]* Pr[E3 ]
 Pr[b  b ' | E3 ]* Pr[ E3 ]  Pr[E3 ]
1
1 1
 Pr[ E3 ]  Pr[E3 ]   Pr[E3 ]
2
2 2
35
PEKS using bilinear maps security
(claim 3 3/4)
Pr[b  b '] 
Pr[b  b ' | E3 ]* Pr[ E3 ]  Pr[b  b '] | E3 ]* Pr[E3 ]
1
1 1
 Pr[b  b ' | E3 ]* Pr[ E3 ]  Pr[ E3 ]   Pr[E3 ]
2
2 2
1 1
It follows that  | Pr[b  b ']  | Pr[E3 ].
2 2
Therefore, in the real attack,
Pr[E3 ]  2 as required.
36
PEKS using bilinear maps security
(claim 3 4/4)

Now, assuming B does not abort. A will query
 
 
H
(
e
(
H
(
W
),(
g
)
))
H
(
e
(
H
(
W
),(
g
) ))
for either 2
or 2
1
0
1
1
with probability at least 2ε. The value
e( H1 (Wb ),( g  ) )  e( g  ab , g ) Will appear in
the H2-list. B will choose correctly at least
and therefore, B will produce correct answer
with probability at least 1/ qH 2 . Since B does
not abort with probability at least 1/(eqT ) , we
see that B’s success probability is at least
 /( eqT qH )
2
37
Construction using any trapdoor
permutation(1/5)

KeyGen: W  run G ( s ) to generate a new pair
PKW / SKW . The PEKS public key is
PK  {PKW | W }. The
private key is SK  {SKW | W }.
38
Construction using any trapdoor
permutation(2/5)



PEKS(PK, W): Pick a random M {0,1}s and
output PEKS(PK, W)=(M, EPKw(M)).
Trapdoor(SK, W): The trapdoor for W is
Tw=SKw.
Test(PK, S, Tw): Test if D[Tw, S]=0s, output
“yes” if so and “no” otherwise.
S=[A,B]=[M,EPKw(M)],
D[Tw,S]=D(B)⊕A.
39
Source-indistinguishability security
game
1.
2.
3.
The challenger C runs algorithm G(s) two
times to generate two public/private key
pairs (PK0, SK0) and (PK1, SK1).
C picks a random M {0,1}s and a random
b  {0,1} and compute Cipher=PKb(M). Then
C gives (M, Cipher) to the attacker A.
A outputs b’ and wins the game if b=b’.
AdvSIA(s)=|Pr[b=b’ ]-1/2|
40
Cover-free families

Definition 3.5.:
Let d , t , k be positive integers, let G be a ground
set of size d , and let F  {S1 ,..., Sk } be a family of
subsets of G. We say that subset Si  S j if S j
cover Si . We say that family F is t -cover free over
G if each subset in F is not covered by the union
of t subsets in F . Moreover, we say that a family
of subsets is q-uniform if all subsets in the family
have size q.
41
Lemma

There exists a deterministic algorithm that, for
any fixed t, k, constructs a q-uniform t-cover
free family F over a ground set of size d, for
2
q  d / 4t  and d  16t (1  log(k / 2) / log3).
42
Construction using any trapdoor
permutation(reducing the public key)(3/5)

KeyGen:
Run G ( s ) to generate PKi / SKi for i=1,...,d.
The PEKS key is PK  {PK1,..., PK d },
SK  {SK1 ,..., SK d }.
We'll use a q-uniform t -cover free family of subsets
F  {S1 ,..., Sk } of {PK1,..., PK d }. Hence, each Si is
a subset of public keys. And | Si | q, for all i.
43
Construction using any trapdoor
permutation(reducing the public key)(4/5)

PEKS(PK,Wi):
Let Si  F be the subset associated with Wi  .
Let Si  {PK ,..., PK }. Pick random messages
(1)
(q)
M 1 ,..., M q  {0,1}s and let M  M 1  ...  M q .
output:
PEKS( PK ,Wi )  ( M , EPK (1) ( M 1 ),..., EPK ( q ) ( M q ))
44
Construction using any trapdoor
permutation(reducing the public key)(5/5)


Trapdoor(SK,Wi): Let Si F be the subset
associated with Wi Σ. The trapdoor for Wi is
the set of SKi corresponding to PKi in the set
Si.
Test(PK,R,TW):
Let TW  {SK (1) ,..., SK ( q ) } and let R  ( M , C1 ,..., Cq )
be a PEKS. Decrypt each C using corresponding
SK . Output "yes" if M  M 1  ...  M q , and output
"no" otherwise.
45