Public Key Encryption with keyword Search
Author: Dan Boneh
Rafail Ostrovsky
Giovanni Di Crescenzo
Giuseppe Persiano
Presenter: 陳昱圻
Properties
Query isolation: The untrusted server cannot learn anything more about the plaintext than the search result.
Controlled searching: The untrusted server cannot search for an arbitrary word without the user's authorization.
Hidden queries: The user may ask the untrusted server to search for a secret word without revealing the word to the server.
Public key encryption with search: definitions (1/4)
Bob wants to send mail to Alice, so he sends the following message:
$[E_{A_{pub}}(msg), \mathrm{PEKS}(A_{pub}, W_1), \ldots, \mathrm{PEKS}(A_{pub}, W_k)]$
Our goal is to enable Alice to send $T_W$ to the mail server, which will enable the server to locate all messages containing the keyword W. The server then simply sends the relevant email back to Alice.
We call it "searchable public-key encryption".
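Public key encryption with search: definitions (2/4)
[Diagram: User2 (Bob) sends $[E_{A_{pub}}(msg), \mathrm{PEKS}(A_{pub}, W_1), \ldots, \mathrm{PEKS}(A_{pub}, W_k)]$ to the mail server; User1 (Alice) sends $T_W$ to the mail server to search Bob's mail and receives the result.]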
Public key encryption with search: definitions (3/4)
Def. A non-interactive public key encryption with keyword search scheme consists of the following polynomial time randomized algorithms:
1. $\mathrm{KeyGen}(s)$
2. $\mathrm{PEKS}(A_{pub}, W)$
3. $\mathrm{Trapdoor}(A_{priv}, W)$
4. $\mathrm{Test}(A_{pub}, S, T_W)$
Public key encryption with search: definitions (4/4)
1. $\mathrm{KeyGen}(s)$: Takes a security parameter, s, and generates a public/private key pair $A_{pub}, A_{priv}$.
2. $\mathrm{PEKS}(A_{pub}, W)$: for a public key $A_{pub}$ and a word W, produces a searchable encryption of W.
3. $\mathrm{Trapdoor}(A_{priv}, W)$: given A's private key and a word W, produces a trapdoor $T_W$.
4. $\mathrm{Test}(A_{pub}, S, T_W)$: given A's public key, a searchable encryption $S = \mathrm{PEKS}(A_{pub}, W')$, and a trapdoor $T_W = \mathrm{Trapdoor}(A_{priv}, W)$, outputs "yes" if $W = W'$ and "no" otherwise.
PEKS implies Identity Based Encryption
Public key encryption with keyword search is related to Identity Based Encryption (IBE).
Constructing a secure PEKS appears to be a harder problem than constructing an IBE.
Lemma 2.3 A non-interactive searchable encryption scheme (PEKS) that is semantically secure against an adaptive chosen keyword attack gives rise to a chosen ciphertext secure IBE system (IND-ID-CCA).
PEKS implies Identity Based Encryption
Proof sketch: Given a PEKS (KeyGen, PEKS, Trapdoor, Test) the IBE system is as follows:
1. Setup: Run the PEKS KeyGen algorithm to generate $A_{pub}/A_{priv}$. The IBE system parameters are $A_{pub}$. The master-key is $A_{priv}$.
2. KeyGen: the IBE private key associated with a public key $X \in \{0,1\}^*$ is
$d_X = [\mathrm{Trapdoor}(A_{priv}, X \| 0), \mathrm{Trapdoor}(A_{priv}, X \| 1)]$
PEKS implies Identity Based Encryption
3. Encrypt: Encrypt a bit $b \in \{0,1\}$ using a public key $X \in \{0,1\}^*$ as: $CT = \mathrm{PEKS}(A_{pub}, X \| b)$
4. Decrypt: To decrypt $CT = \mathrm{PEKS}(A_{pub}, X \| b)$ using the private key $d_X = (d_0, d_1)$: output '0' if $\mathrm{Test}(A_{pub}, CT, d_0) = \text{'yes'}$ and output '1' if $\mathrm{Test}(A_{pub}, CT, d_1) = \text{'yes'}$.
PEKS implies Identity Based Encryption
The resulting system is IND-ID-CCA assuming the PEKS is semantically secure against an adaptive chosen message attack.
Building non-interactive public-key searchable encryption is at least as hard as building an IBE system.
Constructions
Two constructions for public-key searchable encryption:
(1) an efficient system based on a variant of the Decision Diffie-Hellman assumption (assuming a random oracle).
(2) a limited, less efficient system based on general trapdoor permutations (without assuming the random oracle).
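Verifying the Diffie-Hellman algorithm
Alice chooses: n = 47, g = 3, x = 8, and computes: $g^x \bmod n = 3^8 \bmod 47 = 28 \bmod 47$. Message (1) = {47, 3, 28}
Bob chooses: y = 10, and computes: $g^y \bmod n = 3^{10} \bmod 47 = 17 \bmod 47$. Message (2) = {17}
Alice computes the session key: $(g^x \bmod n)^y = g^{xy} \bmod n = 28^{10} \bmod 47 = 4 \bmod 47$
Bob computes the session key: $(g^y \bmod n)^x = g^{xy} \bmod n = 17^8 \bmod 47 = 4 \bmod 47$
Session key k = 4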
Construction using bilinear maps (1/5)
Our first construction is based on a variant of the Computational Diffie-Hellman problem.
Boneh and Franklin [2] used bilinear maps on elliptic curves to build an efficient IBE system.
Construction using bilinear maps (2/5)
We use two groups $G_1, G_2$ of prime order p and a bilinear map $e: G_1 \times G_1 \to G_2$ between them. The map satisfies:
1. Computable: given $g, h \in G_1$ there is a polynomial time algorithm to compute $e(g, h) \in G_2$.
2. Bilinear: for any integers $x, y \in [1, p]$, $e(g^x, g^y) = e(g, g)^{xy}$.
3. Non-degenerate: if g is a generator of $G_1$ then $e(g, g)$ is a generator of $G_2$.
Construction using bilinear maps (3/5)
We build a non-interactive searchable encryption scheme from such a bilinear map.
Hash functions: $H_1 : \{0,1\}^* \to G_1$ and $H_2 : G_2 \to \{0,1\}^{\log p}$
KeyGen: The input security parameter determines the size, p, of the groups $G_1$ and $G_2$. Pick a random $\alpha \in Z_p^*$ and a generator g of $G_1$. Output $A_{pub} = [g, h = g^{\alpha}]$ and $A_{priv} = \alpha$.
Construction using bilinear maps (4/5)
$\mathrm{PEKS}(A_{pub}, W)$: compute $t = e(H_1(W), h^r) \in G_2$ for a random $r \in Z_p^*$. Output $\mathrm{PEKS}(A_{pub}, W) = [g^r, H_2(t)]$.
$\mathrm{Trapdoor}(A_{priv}, W)$: output $T_W = H_1(W)^{\alpha} \in G_1$.
$\mathrm{Test}(A_{pub}, S, T_W)$: let $S = [A, B]$. Test if $H_2(e(T_W, A)) = B$. If so, output 'yes'; otherwise, output 'no'.
Construction using bilinear maps (5/5)
Compute $H_2(e(T_W, A)) = B$:
left $= H_2(e(H_1(W)^{\alpha}, A)) = H_2(e(H_1(W)^{\alpha}, g^r))$
right $= H_2(t) = H_2(e(H_1(W), h^r)) = H_2(e(H_1(W), g^{\alpha r}))$
Since $e(g^x, g^y) = e(g, g)^{xy}$, right = left.
If Test outputs 'yes' then the mail server sends Bob's mail to Alice.
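An added example, not code from the slides or from the paper's authors: the KeyGen, PEKS, Trapdoor and Test algorithms above, plus the one-bit IBE from the proof sketch of Lemma 2.3, run over a toy bilinear group. Assumptions: every group element is stored as its discrete log modulo P = 2^127 - 1, so the map is bilinear but gives no security; SHA-256 stands in for H1 and H2; all function names are illustrative.

```python
import hashlib
import secrets

# Toy bilinear group (constructed, NOT secure): elements of G1 and G2 are
# stored as discrete logs mod the prime order P, so g^x is just x and
# e(g^a, g^b) = e(g,g)^(ab) becomes a*b mod P. It shows correctness only.
P = 2**127 - 1
G = 1                                     # generator g of G1

def exp(elem, k):                         # elem^k in either group
    return elem * k % P

def e(a, b):                              # pairing e: G1 x G1 -> G2
    return a * b % P

def H1(word):                             # H1: {0,1}* -> G1, never the identity
    d = hashlib.sha256(b"H1" + word.encode()).digest()
    return int.from_bytes(d, "big") % (P - 1) + 1

def H2(t):                                # H2: G2 -> fixed-length bit string
    return hashlib.sha256(b"H2" + t.to_bytes(16, "big")).digest()[:16]

def rand_zp_star():
    return secrets.randbelow(P - 1) + 1

def keygen():
    alpha = rand_zp_star()
    return (G, exp(G, alpha)), alpha      # A_pub = [g, h = g^alpha], A_priv = alpha

def peks(a_pub, word):
    g, h = a_pub
    r = rand_zp_star()
    t = e(H1(word), exp(h, r))            # t = e(H1(W), h^r)
    return exp(g, r), H2(t)               # S = [g^r, H2(t)]

def trapdoor(a_priv, word):
    return exp(H1(word), a_priv)          # T_W = H1(W)^alpha

def peks_test(a_pub, s, t_w):
    a, b = s
    return H2(e(t_w, a)) == b             # H2(e(T_W, A)) == B ?

# IBE from PEKS (proof sketch of Lemma 2.3): one bit per ciphertext.
def ibe_keygen(master, identity):         # d_X = [Trapdoor(X||0), Trapdoor(X||1)]
    return trapdoor(master, identity + "0"), trapdoor(master, identity + "1")

def ibe_encrypt(params, identity, bit):   # CT = PEKS(A_pub, X||b)
    return peks(params, identity + str(bit))

def ibe_decrypt(params, d_x, ct):
    for bit in (0, 1):
        if peks_test(params, ct, d_x[bit]):
            return bit
    return None                           # ciphertext was for another identity
```
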
Conclusion
Constructing a PEKS is related to Identity Based Encryption (IBE), though PEKS seems to be harder to construct.
Our constructions for PEKS are based on recent IBE constructions. We are able to prove security by exploiting extra properties of these schemes.
How to use the following idea?
Construction
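The intermediate steps use the method described in "Practical Techniques for Searches on Encrypted Data"; this can be modified later if anything is added.
Text processing: each word is converted to ASCII code, and all words have the same length after encryption (http://home.educities.edu.tw/wanker742126/asm/ap04.html)
The server only stores data, and the user must know the keyword in order to submit it to the server for searching.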