* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download PK b
Survey
Document related concepts
Birthday problem wikipedia , lookup
Computer security wikipedia , lookup
Digital signature wikipedia , lookup
Commitment scheme wikipedia , lookup
Block cipher wikipedia , lookup
Public-key cryptography wikipedia , lookup
Cryptanalysis wikipedia , lookup
Fisher–Yates shuffle wikipedia , lookup
One-time pad wikipedia , lookup
Quantum key distribution wikipedia , lookup
Secure multi-party computation wikipedia , lookup
Hardware random number generator wikipedia , lookup
Cryptography wikipedia , lookup
History of cryptography wikipedia , lookup
Transcript
Public Key Encryption with keyword search Author: Dan Boneh, Giovanni Di Crescenzo, Rafail Ostrovsky, Giuseppe Persiano. Presenter: 紀銘偉 1 Problem User1(Alice) User2(Bob) No interactive send receive Untrusted mail server 2 outline Public key encryption keyword search(PEKS) PEKS Security game PEKS implies Identity Based Encryption Construction 1. 2. Construction using bilinear maps Construction using any trapdoor permutation (two method) Source-indistinguishability security game 3 Public key encryption with search: definitions (1/4) Bob wants to send mail to Alice, then he sends the following message: EPK A ( M ) || PEKS ( PK A ,W1 ) || ... || PEKS ( PK A ,Wk ) Our goal is to enable Alice to send Tw to mail server that will enable the server to all mails containing the keyword W. And server simply sends the relevant email back to Alice. 4 Public key encryption with search: definitions (2/4) User1(Alice) User2(Bob) retrieve Send EPK ( M ), PEKS ( PK ,W1 ),..., PEKS ( PK ,Wk ) Search mails with word W Tw Untrusted mail server 5 Public key encryption with search: definitions (3/4) Definition 2.1.: A non-interactive public key encryption with keyword search scheme consists of the following polynomial time randomized algorithms: 1.KeyGen( s ) 2.PEKS ( PK ,W ) 3.Trapdoor ( SK ,W ) 4.Test ( PK , S , Tw ) 6 Public key encryption with search: definitions (4/4) 1. KeyGen(s):Take a security parameter, s,and generates a pub/priv key pair PK , SK . 2. PEKS(PK ,W ): for a public key PK and a word W , produces a searchable encryption of W . 3. Trapdoor(SK ,W ):given A's private key and a word W produces a trapdoor TW . 4. Test(PK ,S ,TW ):given A's public key, a searchable encryption S PEKS(PK ,W ' ), and a trapdoor TW Trapdoor( SK ,W ), outputs "yes" if W W ' and "no" otherwise. 7 PEKS Security game 1. 2. 3. The challenger C runs the KeyGen(s) algorithm to generate PK and SK. It gives PK to the attacker A. A can adaptively ask C for the trapdoor Tw for any keyword W {0, 1}* of his choice. A sends W0, W1 on which it wants to challenge. 唯一的 限制是step2時不能得到TW 或 TW . C gives A ciphertext=PEKS(PK, Wb), where b {0, 1}. A can continue to ask for trapdoors for any keyword as long as W ≠ W0, W1. Then, A outputs b’ {0, 1} and wins the game if b=b’. 0 4. 5. 1 AdvA(s)=|Pr[b=b’ ]-1/2| 8 PEKS security PEKS is semantically secure against an adaptive chosen keyword attack if AdvA(s) is negligible. PEKS is not chosen ciphertext secure. 9 PEKS implies Identity Based Encryption(1/4) Constructing a secure PEKS is at least a harder problem than constructing an IBE. Lemma 2.3 A non-interactive searchable encryption scheme (PEKS) that is semantically secure against an adaptive chosen keyword attack gives rise to a chosen ciphertext secure IBE system (IND-ID-CCA). 10 PEKS implies Identity Based Encryption(2/4) Proof sketch: Given a PEKS (KeyGen, PEKS, Trapdoor, Test) the IBE system is as follow: 1. Setup: Run the PEKS KeyGen algorithm to generate PK/SK. The IBE system parameter are PK. The master-key is SK. 2.KeyGen: the IBE private key associated * X { 0 , 1 } with a public key is d X Trapdoor( SK , X || 0), Trapdoor( SK , X ||1) 11 PEKS implies Identity Based Encryption(3/4) 3.Encrypt: Encrypt a bit b 0,1 using a public key X 0,1* as: CT PEKS ( PK , X || b) 4.Decrypt: To decrypt CT PEKS ( PK , X || b) using the private d X d0 , d1 . Output ‘0’ if Test ( PK , CT , d 0 ) ' yes ' and output ‘1’ if Test ( PK , CT , d1 ) ' yes ' 12 PEKS implies Identity Based Encryption(4/4) The resulting system is IND-ID-CCA assuming the PEKS is semantically secure against an adaptive chosen message attack.(once can send a bit?) Building non-interactive public-key searchable encryption is at least as hard as building an IBE system. 13 Constructions Two constructions for public-key searchable encryption: (1) an efficient system based on a variant of Decision Diffie-Hellman assumption . (assuming a random oracle) (2) a limited system based on general trapdoor permutations, but less efficient. (without assuming the random oracle) 14 Diffie-Hellman 鑰匙交換的運作程序 n 與 g 為公開值 雙方各選一個較大的數值 x 與 y 計算出『秘密鑰匙』:gxy mod n 15 Construction using bilinear maps(1/4) Using two groups G1 ,G2 of prime order p and a bilinear map e : G1 G1 G2 . The map satisfies : 1.Computable: given g , h G1 there is a polynomial time algorithms to compute e( g, h) G2 2.Bilinear: for any integer x, y [1, p] then e( g , g ) e( g , g ) x y xy 3.Non-degenerate: if g is a generator of G1 then e( g , g ) is a generator of G2 16 Construction using bilinear maps(2/4) We need two hash functions H1 : {0, 1}*→ G1 log p and H2 : G2 → {0,1} . KeyGen: Picking a random value *p and generator g of G1. Output PK [ g , h g ] and SK 17 Construction using bilinear maps(3/4) PEKS ( PK ,W ) : compute t e H1 W , h ( g ) G2 for a random r *p . r [ g , H 2 (t )] Output PEKS ( PK ,W ) = r r Trapdoor ( SK ,W ) : output Tw H1 W G1 Test PK , S , Tw : let S [ A, B]. Test if H 2 (e(Tw , A)) B (hence H 2 ( e( H1 (W ) , g r )) H 2 (t ) )If so, output ‘yes’ ; otherwise, output ‘no’. 18 Construction using bilinear maps(4/4) S [ A, B ] PEKS( PK ,W ) [ g r , H 2 (t )] Compute H 2 (e(Tw , A)) B , where TW=H1(W)α r left H 2 (e( H1 (W ) , g )) H 2 ( e( H 1 (W ), g ) ) r right H 2 (t ) H 2 (e( H 1 (W '), h )) r r r H 2 ( e( H1 (W '),( g ) )) H 2 ( e( H1 (W '), g ) ) if Test outputs ‘yes’ means W=W’ then the mail server sends the Bob’s mail to Alice. 19 Bilinear Diffie-Hellman Problem (BDH) Fix a generator g of G1. The BDH problem is as follows: given g, ga, gb, gc G1 as input, compute e(g, g)abc G2. We say that BDH is intractable if all polynomial time algorithms have a negligible advantage in solving BDH. 20 PEKS using bilinear maps security (Theorem) Theorem 3.1: The non-interactive searchable encryption scheme(PEKS) above is semantically secure against a chosen keyword attack in the random oracle model assuming Bilinear Diffie-Hellman(BDH) is intractable. 21 PEKS using bilinear maps security (parameter) Parameters: : A's advantage in breaking PEKS qH 2 : A at most hash function query times qT : A at most trapdoor query times g: generator of G1 Goal:We construct B that solves the BDH problem with probability at least ' /( eqT qH 2 ), Where e is the base of the natural logarithm. 22 PEKS using bilinear maps security (step) H1, H2-queries. Trapdoor queries. Challenge. More trapdoor queries. Output. 1. 2. 3. 4. 5. 1. 2. 3. Claim 1 Claim 2 Claim 3 23 PEKS using bilinear maps security (H1, H2-queries 1/2) H1-list: each tuple=<Wj, hj, aj, cj> maintains by B for initially empty. A queries H1 with Wi {0,1}*and B responds as follows: If Wi appears on H1-list then B returns H1(Wi)=hi G1 Otherwise, B generates a random coin ci {0,1} so that Pr[ci=0]=1/(qT+1). B picks a random ai p 1. 2. 3. If ci = 0, B computes hi g g ai G1 a If ci = 1, B computes hi g i G1 24 PEKS using bilinear maps security (H1, H2-queries 2/2) B adds <Wi, hi, ai, ci> to the H1-list and responds to A by setting H1(Wi)=hi. Note that hi is uniform in G1 and is independent of A’s current view as required. Similarly, A queries to H2. B responds to H2(t) by picking a new random V {0,1}log p for each new t and setting H2(t)=V. Then, B adds (t, V) to H2-list for initially empty. 4. 25 PEKS using bilinear maps security (Trapdoor queries) When A queries a trapdoor corresponding to the word Wi then B responds as follows: 1. 2. B runs H1-queries to obtain an hiG1 such that H1(Wi)=hi. If ci=0 then B reports failure. Otherwise, we know ci 1 and hence hi g G1. ai Define Ti ( g ) ai . Observe that Ti H1 (Wi ) and therefore Ti is the correct trapdoor for the keyword Wi under the public key PK [ g , g ]. B gives Ti to A. 26 PEKS using bilinear maps security (Challenge 1/2) A wants to challenge W0 and W1. B generates the challenge PEKS as follows: 1. 2. 3. B runs H1-queries twice to obtain h0, h1 G1 such that H1(W0)=h0 and H1(W1)=h1. If both c0=1 and c1=1 then B reports failure. We know that at least one of c0, c1 is equal to 0. B randomly picks b {0,1} such that cb=0. B responds with the challenge PEKS C [ g , J ] for a random J {0,1}log p. 27 PEKS using bilinear maps security (Challenge 2/2) Note that this challenge implicitly defines H 2 (e( H1 (Wb ),( g ) )) J . In other words, J H 2 (e( H1 (Wb ),( g ) )) H 2 (e( g g , g )) ( ab ) H 2 ( e( g , g ) ab ) With this definition, C is a valid PEKS for Wb as required. 28 PEKS using bilinear maps security (More trapdoor queries) A can continue to issue trapdoor queries for keywords Wi where the only restriction is that Wi ≠W0, W1. B responds to these queries as before. 29 PEKS using bilinear maps security (output) A outputs its guess b’ {0,1} for whether C is the result of PEKS(PK,W0) or PEKS(PK,W1). B picks a random pair (t,V) from H2-list and ab outputs t / e( g , g ) as its guess for e( g , g ) , where ab is the value used in the Challenge step. 30 PEKS using bilinear maps security (define events) E1: B does not abort as a result of any of A’s trapdoor queries. E2: B does not abort during the challenge phase. E3: In the real attack A does not issue a query for either one of H 2 (e( H1 (W0 ),( g ) )) and H 2 ( e( H1 (W1 ),( g ) )). 31 PEKS using bilinear maps security (claim 1) The probability that B does not abort as a result of A’s trapdoor queries is at least 1/e. Hence, Pr[E1] ≧ 1/e. Pf: B will abort only when ci=0 and Pr[ci=0]=1/(qT+1), and the other parameters are independent with ci. Since A makes at most qT trapdoor queries, B does not abort as a result of all trapdoor queries is at least (1 1/( qT 1)) qT 1/ e. 32 PEKS using bilinear maps security (claim 2) The probability that B does not abort during the challenge phase is at least 1/qT. Hence, Pr[E2] ≧1/qT. Pf: B will abort only when c0=c1=1 and the other parameters are independent with c0, c1. Since Pr[ci=0]=1/(qT+1) for all i, and ci is independent with cj for all i≠j. We have that B does not abort during the challenge phase is Pr[c0 c1 1] (1 1/( qT 1)) 1 1/ qT . 2 33 PEKS using bilinear maps security (claim 3 1/4) Suppose that in a real attack game A is given [ g , g ] and A asks to be the public key challenged on words W0 and W1. In response, A is given a challenge C [ g , J ] Then, in the real attack game A issues an H2 query for either H 2 (e( H1 (W0 ),( g ) )) or H 2 (e( H1 (W1 ),( g ) )) with probability at least 2 . 34 PEKS using bilinear maps security (claim 3 2/4) Pf: When E3 occurs, we know that A’s output b’ will satisfy b=b’ with probability at most ½. By definition of A, we know that in the real attack |Pr[b=b’]-1/2|≧ε. Pr[b b '] Pr[b b ' | E3 ]* Pr[ E3 ] Pr[b b '] | E3 ]* Pr[E3 ] Pr[b b ' | E3 ]* Pr[ E3 ] Pr[E3 ] 1 1 1 Pr[ E3 ] Pr[E3 ] Pr[E3 ] 2 2 2 35 PEKS using bilinear maps security (claim 3 3/4) Pr[b b '] Pr[b b ' | E3 ]* Pr[ E3 ] Pr[b b '] | E3 ]* Pr[E3 ] 1 1 1 Pr[b b ' | E3 ]* Pr[ E3 ] Pr[ E3 ] Pr[E3 ] 2 2 2 1 1 It follows that | Pr[b b '] | Pr[E3 ]. 2 2 Therefore, in the real attack, Pr[E3 ] 2 as required. 36 PEKS using bilinear maps security (claim 3 4/4) Now, assuming B does not abort. A will query H ( e ( H ( W ),( g ) )) H ( e ( H ( W ),( g ) )) for either 2 or 2 1 0 1 1 with probability at least 2ε. The value e( H1 (Wb ),( g ) ) e( g ab , g ) Will appear in the H2-list. B will choose correctly at least and therefore, B will produce correct answer with probability at least 1/ qH 2 . Since B does not abort with probability at least 1/(eqT ) , we see that B’s success probability is at least /( eqT qH ) 2 37 Construction using any trapdoor permutation(1/5) KeyGen: W run G ( s ) to generate a new pair PKW / SKW . The PEKS public key is PK {PKW | W }. The private key is SK {SKW | W }. 38 Construction using any trapdoor permutation(2/5) PEKS(PK, W): Pick a random M {0,1}s and output PEKS(PK, W)=(M, EPKw(M)). Trapdoor(SK, W): The trapdoor for W is Tw=SKw. Test(PK, S, Tw): Test if D[Tw, S]=0s, output “yes” if so and “no” otherwise. S=[A,B]=[M,EPKw(M)], D[Tw,S]=D(B)⊕A. 39 Source-indistinguishability security game 1. 2. 3. The challenger C runs algorithm G(s) two times to generate two public/private key pairs (PK0, SK0) and (PK1, SK1). C picks a random M {0,1}s and a random b {0,1} and compute Cipher=PKb(M). Then C gives (M, Cipher) to the attacker A. A outputs b’ and wins the game if b=b’. AdvSIA(s)=|Pr[b=b’ ]-1/2| 40 Cover-free families Definition 3.5.: Let d , t , k be positive integers, let G be a ground set of size d , and let F {S1 ,..., Sk } be a family of subsets of G. We say that subset Si S j if S j cover Si . We say that family F is t -cover free over G if each subset in F is not covered by the union of t subsets in F . Moreover, we say that a family of subsets is q-uniform if all subsets in the family have size q. 41 Lemma There exists a deterministic algorithm that, for any fixed t, k, constructs a q-uniform t-cover free family F over a ground set of size d, for 2 q d / 4t and d 16t (1 log(k / 2) / log3). 42 Construction using any trapdoor permutation(reducing the public key)(3/5) KeyGen: Run G ( s ) to generate PKi / SKi for i=1,...,d. The PEKS key is PK {PK1,..., PK d }, SK {SK1 ,..., SK d }. We'll use a q-uniform t -cover free family of subsets F {S1 ,..., Sk } of {PK1,..., PK d }. Hence, each Si is a subset of public keys. And | Si | q, for all i. 43 Construction using any trapdoor permutation(reducing the public key)(4/5) PEKS(PK,Wi): Let Si F be the subset associated with Wi . Let Si {PK ,..., PK }. Pick random messages (1) (q) M 1 ,..., M q {0,1}s and let M M 1 ... M q . output: PEKS( PK ,Wi ) ( M , EPK (1) ( M 1 ),..., EPK ( q ) ( M q )) 44 Construction using any trapdoor permutation(reducing the public key)(5/5) Trapdoor(SK,Wi): Let Si F be the subset associated with Wi Σ. The trapdoor for Wi is the set of SKi corresponding to PKi in the set Si. Test(PK,R,TW): Let TW {SK (1) ,..., SK ( q ) } and let R ( M , C1 ,..., Cq ) be a PEKS. Decrypt each C using corresponding SK . Output "yes" if M M 1 ... M q , and output "no" otherwise. 45