Public Key Encryption with Conjunctive Field Keyword Search

Transcription

1 Public Key Encryption with Conjunctive Field Keyword Search Dong Jin PARK Kihyun KIM Pil Joong LEE IS Lab, POSTECH, Korea August 23, 2004

2 Contents 1 Preliminary 2 Security Model 3 Proposed Scheme 1 4 Proposed Scheme 2 5 Comparision 6 Conclusion

3 Public Key Encryption with Keyword Search Encrypted message [E Apub [M], PEKS(A pub, (W 1 )),..., PEKS(A pub, (W m ))] PEKS (Public key Encryption with Keyword Search) Should not reveal any information about M. Enable searching for a specific keyword. D. Boneh, G. Di Crescenzo, R. Ostrovsky and G. Persiano, Public key encryption with keyword search, EUROCRYPT 2004, LNCS 3027, pp , Springer-Verlag, 2004.

4 Public Key Encryption with Keyword Search - Examples gateway Environment: Bob sends encrypted to Alice using Alice s public key. Both the contents and the keywords are encrypted. Alice can make the gateway route with the keyword urgent to her pager (or PDA) without information leakage. server Environment: An server stores many s. Each contains a small number of keywords. All s are encrypted using Alice s public key. Alice can enable the server to retrieve s containing a keyword finance by giving a corresponding trapdoor without information leakage.

5 Conjunctive Keyword Search Ex.) Searching an urgent from Bob about finance. Two trivial solutions for conjunctive keyword search Set intersection Information leakage: Server can learn which document matches individual keyword. Meta keyword Huge storage requirement: A document that contains m keywords requires an additional 2 m meta keywords to allow for all possible conjunctive queries. First solution is proposed by Golle et al. (Too heavy) secret key system P. Golle, J. Staddon and B. Waters, Secure conjunctive keyword search over encrypted data, ACNS 2004, LNCS 3089, pp , Springer-Verlag, 2004.

6 Bilinear Map G 1 and G 2 : two groups of order q for some large prime q G 1 : an additive group. G 2 : a multiplicative group. A bilinear map ê : G 1 G 1 G 2 Bilinear: ê(au, bv ) = ê(u, V ) ab for all U, V G 1 and all a, b Z Non-degenerate: If P is a generator of G 1, then ê(p, P ) is a generator of G 2. Computable: There is an efficient algorithm to compute this map Implementation of bilinear map Weil pairing, Tate pairing

7 Model Encrypted message: [E Apub [M], PECK(A pub, (W 1, W 2,..., W m ))]. Assumptions: 1 All document has m keyword fields. 2 The same keyword never appears in two different keyword fields of the same document. Prepending the name of keyword field. Ex.) From:Bob, To:Alice, Subject:WISA Every keyword field is defined for every document. Assigning NULL value in an empty field. Ex.) Subject:NULL.

8 Model - Notations i-th document, D i = (W i,1, W i,2,..., W i,m ) m: the number of keyword fields. W i,j : the keyword in j-th field of the i-th document. A format of query for the conjunctive search, Q = (I 1, I 2,..., I t, Ω 1, Ω 2,..., Ω t ) t: the number of keywords in Q. I i [1, m]: position of a keyword in the keyword fields. Ω i : keywords to search. Trapdoor for Q, T Q = (T, I 1, I 2,..., I t )

9 Model - PECKS A Public Key Encryption with Conjunctive Keyword Search consists of 1 KeyGen(1 k ): Takes a security parameter, 1 k, and generates a public/private key pair A pub, A priv. 2 PECK(A pub, D): For a public key A pub and a document D, produces a conjunctive searchable encryption of D. 3 Trapdoor(A priv, Q): Given a private key A priv and a query Q, produces a trapdoor T Q. 4 Test(A pub, S, T Q ): Given a public key A pub, a conjunctive searchable encryption S = PECK(A pub, D), and a trapdoor T Q = Trapdoor(A priv, Q), outputs yes if {(W I1 = Ω 1 ), (W I2 = Ω 2 ),..., and (W It = Ω t )} and no otherwise.

10 Security Game ICC Indistinguishability of ciphertext from ciphertext (ICC): 1 The challenger runs the KeyGen(1 k ) algorithm to generate A pub and A priv. It gives A pub to the attacker. 2 The attacker can adaptively ask the challenger for the trapdoor T Q for any query Q of his choice. 3 At some point, the attacker A sends the challenger two documents D 0, D 1. The only restriction is that none of trapdoors asked previously in step 2 is distinguishing D 0 for D 1. The challenger picks a random b {0, 1} and gives the attacker PECK(A pub, D b ). 4 The attacker can continue to ask for trapdoor T Q for any query Q of his choice unless T Q can distinguish D 0 for D 1. 5 Eventually, the attacker A outputs b {0, 1} and wins the game if b = b.

11 Security Game ICC The attacker wins the game if he can correctly guess whether he was given the PECK for D 0 or D 1. We defined an attacker A s advantage as Adv A (1 k ) = P r[b = b ] 1 2. Definition A PECKS is semantically secure against an adaptive chosen keyword attack if for any polynomial time attacker its advantage is a negligible function.

12 Security Game ILCR - a Variant of ICC Indistinguishability of limited ciphertext from random (ILCR) Step 3 of ICC Attacker Challenger: D 0, D 1 Challenger Attacker: P ECK(A pub, D b ) Theorem Step 3 of ILCR Attacker Challenger: W, z W : A keyword z: The position of the keyword Challenger Attacker: P ECK(A pub, D b ), D 0, D 1 D 0: A random document with restriction that z-th word is W D 1: A random document If a scheme is secure according to the ILCR, then the scheme is secure according to the ICC.

13 Construction KeyGen(1 k ): (A pub, A priv ) H : {0, 1} G 1. A pub = [P, Y 1 = s 1 P, Y 2 = s 2 P ] and A priv = [s 1, s 2 ]. PECK(A pub, D): S = [A 1,..., A m, B, C] Select a random r Z p. S = [ ê(rh(w 1 ), Y 1 ),..., ê(rh(w m ), Y 1 ), ry 2, rp ]. Trapdoor(A priv, Q): T Q = [T 1, T 2, I 1,..., I t ] Select ( a random T 2 ) ( Z p. ) T 1 = mod p H(Ω 1 ) + + H(Ω t ). s 1 s 2+T 2 Test(A pub, S, T Q ): yes or no Check the equality, A I1 A It = ê(t 1, B + T 2 C). If so, output yes ; if not, output no.

14 Construction Parameters: H : {0, 1} G 1. A pub = [P, Y 1 = s 1 P, Y 2 = s 2 P ]. [A 1,..., A m, B, C] = [ê(rh(w1 ), Y 1 ),..., ê(rh(w m ), Y 1 ), ry 2, rp ]. T 1 = ( s1 s 2+T 2 ) ( ) mod p H(Ω 1 ) + + H(Ω t ). The equality of Test holds if W Ii = Ω i for 1 i t. A I1 A I2 A It = ê(r(h(w I1 ) + H(W I2 ) H(W It )), Y 1 ). = ê(s 1 (H(Ω 1 ) + H(Ω 2 ) H(Ω t )), rp ). = ê(t 1, B + T 2 C).

15 Security Proof Decision Bilinear Diffie-Hellman (DBDH) Problem To distinguish from (P, αp, βp, γp, ê(p, P ) αβγ ) (P, αp, βp, γp, R) where P, αp, βp, γp G 1 and α, β, γ Z p. Theorem The proposed scheme 1 is secure according to the game ILCR assuming DBDH is intractable.

16 Efficient Implementation - Pseudo-Compressed Pairing A pairing operation consists of Miller s algorithm Final exponentiation ê(u, V ) = (x + iy) (q2 1)/p = ((x + iy) (q 1) ) (q+1)/p (x + iy) is the output of the Miller s algorithm Define ˆε(U, V ) as (x + iy) (q 1) ê(u, V ) = ˆε(U, V ) (q+1)/p a + bi = ˆε(U, V ) b = ±((a 2 1) 1/2 )/i Pseudo-compressed pairing a s(a, b) s(a, b): a single bit that determines the sign of b

17 Efficient Implementation - Efficient Construction PECK(A pub, D): Select a random r Z p. Obtain hash values. Compute a i + b i i from ˆε(rH(W i ), Y 1 ). The PECK(A pub, D) is [ a1 s(a 1, b 1 ), a 2 s(a 2, b 2 ),..., a m s(a m, b m ), ry 2, rp ], Test(A pub, S, T Q ): Recompute a i + b i i s from A i s, Compute a T + b T i = ˆε(T 1, B + T 2 C). Check the equality, ( ) (q+1)/p (ai1 + b I1 i) (a I2 + b I2 i) (a It + b It i) = 1. (a T + b T i)

18 Admissible Encoding Function: MapToPoint Implementation of H : {0, 1} G 1. MapToPoint requires log 2 (q/p)-bit scalar multiplication in E(F q ). F q is the field on which G 1 is based. p is the size of group G 1 and G 2. Cost Embedding degree of pairing is 6 log 2 p log 2 q log 2 (q/p) A. Lenstra and E. R. Verheul, Selecting cryptographic key sizes, Journal of Cryptology, Vol. 14, No. 4, pp , Springer-Verlag, is the largest known embedding degree.

19 Construction KeyGen(1 k ): (A pub, A priv ) H 1 : {0, 1} {0, 1} log 2 p and H 2 : {0, 1} {0, 1} log 2 p. A pub = [P, Y 1 = s 1 P,..., Y m+2 = s m+2 P, g = ê(p, P )], A priv = [s 1,..., s m+2 ]. PECK(A pub, D): S = [A 1,..., A m, B 1,..., B m, C, D] Select random r 0, r 1,..., r m Z p. S = [ r 0 (Y 1 +H 1 (W 1 )P )+r 1 P,..., r 0 (Y m +H 1 (W m )P )+r m P, r 1 Y m+1,..., r m Y m+1, r 0 Y m+2, H 2 (g r0 ) ]. Trapdoor(A priv, Q): T Q = [T 1, T 2, T 3, I 1,..., I t ] Select a random T 3 Z p. T 1 = 1 s I1 + +s It +H 1(Ω 1)+ +H 1(Ω t)+s m+2t 3 P, T 2 = 1 s m+1 T 1, Test(A pub, S, T Q ): yes or no ( ) ê(ai1 + +A Check the equality, H It +T 3C,T 1) 2 ê(b I1 + +B It,T 2) = D. If so, output yes ; if not, output no.

20 Construction Parameters: A pub = [P, Y 1 = s 1 P,..., Y m+2 = s m+2 P, g = ê(p, P )]. A i = r 0 (Y i + H 1 (W i )P ) + r i P. B i = r i Y m+1, C = r 0 Y m+2, D = H 2 (g r0 ). 1 T 1 = s I1 + +s It +H 1(Ω 1)+ +H 1(Ω t)+s m+2t 3 P, T 2 = 1 s m+1 T 1. The equality of Test holds if W Ii = Ω i for 1 i t. ê(a I1 + + A It + T 3 C, T 1 ) ê(b I1 + + B It, T 2 ) = ê(a I A It + T 3 C, T 1 ) ê(r I1 P + + r It P, T 1 ) = ê(r 0 (Y I1 + H 1 (W I1 )P ) + + r 0 (Y It + H 1 (W It )P ) + T 3 C, T 1 ) = ê(r 0 P, P ) = ê(p, P ) r 0 H 2 (ê(p, P ) r 0 ) = D

21 Security Proof Decision Bilinear Diffie-Hellman Inversion (DBDHI) Problem To distinguish from where P G 1 and x Z p. (P, xp,..., x q P, ê(p, P ) 1/x ) (P, xp,..., x q P, R) Theorem The proposed scheme 2 is secure according to the game ILCR assuming DBDHI is intractable.

22 Comparison PECK Trapdoor Test Scheme 1 mp + (m + 2)M + ma 1M + ta 1P + 1M Scheme 2 (3m + 2)M 2M 2P + 1M BCOP1 mp + 2mM + ma 1M + 1A 1P GSW2 (2m + 1)M 3M 3P Schemes BCOP1: the first scheme (in Section 3) of Boneh et al. 1 keyword search m keywords in a document GSW2: the second scheme (in Section 4) of Golle et al. Secret key scheme Abbreviation P : Pairing operation M: Scalar multiplication (or modular exponentiation) A: Admissible encoding function

23 Conclusion We defined the security model for PECKS. We provided two efficient schemes Scheme 1 Quick search Techniques to reduce a burden of pairings Decision bilinear Diffie-Hellman problem Scheme 2 No MapToPoint No pairing operation in PECK Decision bilinear Diffie-Hellman inversion problem