UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan


I will talk about

(1) UC-Secure Searchable Symmetric Encryption
    A preliminary version = FC 2012
    Final version = ePrint 2015/251

(2) Garbled Searchable Symmetric Encryption
    FC 2014

Curtmola, Garay, Kamara and Ostrovsky (2006)

• defined privacy of SSE schemes as follows.

In the store phase, the server receives

E(D1), ⋯, E(DN), E(Index)

and learns |D1|, …, |DN| and |{keywords}|.

In the search phase, the client sends E(keyword) and the server returns

C(keyword) = ( E(D3), E(D6), E(D10) )

This means that the server knows the corresponding indexes {3, 6, 10}.

We call this information

• |D1|, …, |DN| and |{keywords}|
• the corresponding indexes {3, 6, 10}

the minimum leakage.

The Privacy definition

• requires that the server should not be able to learn any more information


In the Real Game

[Diagram: the Distinguisher gives D = {D1, …, DN}, W = {set of keywords} and Index to the Challenger, and the Challenger returns E(D1), ⋯, E(DN), E(Index).]

In the Simulation Game

[Diagram: the Distinguisher gives D = {D1, …, DN}, W = {set of keywords} and Index to the Challenger. The Challenger gives the Simulator the minimum leakage |D1|, …, |DN| and |{keywords}|, and the Simulator somehow returns E(D1), ⋯, E(DN), E(Index).]

In the search phase of the real game

[Diagram: the Distinguisher gives keyword to the Challenger, and the Challenger returns E(keyword).]

In the simulation game,

[Diagram: the Distinguisher gives keyword to the Challenger. The Challenger gives the Simulator the minimum leakage {3, 6, 10}, and the Simulator somehow returns E(keyword).]

Def. of Curtmola et al.

• Privacy is satisfied if there exists a simulator such that

  the real game ≈ the simulation game

We now define

• reliability and strong reliability
• UC security
• Prove a weak equivalence
  (1) UC-secure → privacy + reliability
  (2) privacy + strong reliability → UC-secure
• Show an efficient UC-secure SSE scheme

A malicious server
• tries to forge some files, delete some files,
• or replace E(D3) with E(D100).

[Diagram: the Client sends E(keyword) to the malicious Server, which returns E(D3), E(D6), E(D10) with E(D3) replaced by E(D100).]

Consider an adversary (A1, A2) s.t.

• A1 gives the inputs to the client
• A2 runs the protocol with the client

[Diagram: the Adversary consists of A1 and A2; A2 takes the place of the server.]

If A2 is honest,

[Diagram: A1 gives keyword w to the Client, the Client sends E(w) to A2, A2 returns [C(w), Tag], and the Client outputs D(w) = {files which contain w}.]

Reliability is satisfied if

the client outputs D(w)’ ≠ D(w) with negligible probability for any (A1, A2)

[Diagram: A1 gives keyword w to the Client and the Client sends E(w) to A2.]

Strong reliability is satisfied if

the client accepts [C(w)’, Tag’] ≠ [C(w), Tag] with negligible probability for any (A1, A2)

[Diagram: A1 gives keyword w to the Client and the Client sends E(w) to A2.]

We then define

• Reliability, strong reliability
• UC security
• Prove a weak equivalence
  (1) UC-secure → privacy + reliability
  (2) privacy + strong reliability → UC-secure
• Finally an efficient UC-secure SSE scheme

In the ideal world,

[Diagram: the Environment Z gives D = {D1, …, DN}, W = {set of keywords} and Index to the dummy Client, which passes them on to the Ideal Functionality FSSE.]

FSSE sends the minimum leakage

[Diagram: Z gives D = {D1, …, DN}, W = {set of keywords} and Index to the dummy Client and FSSE; FSSE sends |D1|, …, |DN| and |{keywords}| to the UC adversary S.]

In the search phase

[Diagram: the Environment Z gives keyword to the dummy Client, which passes it on to the Ideal Functionality FSSE; the UC adversary S is also shown.]

FSSE sends the minimum leakage

[Diagram: Z gives keyword to the dummy Client and FSSE; FSSE, which holds D = {D1, …, DN}, W = {set of keywords} and Index, sends {3,6,10} to the UC adversary S.]

S returns

[Diagram: FSSE, which holds D = {D1, …, DN}, W = {set of keywords} and Index, sends {3,6,10} to the UC adversary S, and S returns Accept or Reject to FSSE.]

If S returns Reject, then FSSE sends Reject

[Diagram: FSSE sends {3,6,10} to S and S returns Reject; FSSE sends Reject to the dummy Client, which outputs Reject to Z.]

If S returns Accept, FSSE sends D(w) = {D3, D6, D10}

[Diagram: FSSE sends {3,6,10} to S and S returns Accept; FSSE sends D(w) = {D3, D6, D10} to the dummy Client, which outputs D(w) = {D3, D6, D10} to Z.]

Also S and Z can interact freely

[Diagram: Environment Z, dummy Client, Ideal Functionality FSSE and UC adversary S, with S and Z connected.]

This is an ideal world because

• (Correctness.) The dummy client outputs reject or D(w) correctly.
• (Security.) The UC adversary S learns only the minimum leakage.

In the real world

• Z gives the inputs to the client
• the client and the server run the real protocol

[Diagram: Environment Z, Client and Server.]

A can corrupt the server and communicate with Z freely

[Diagram: Environment Z, Client, Server and Adversary A; A corrupts the Server.]

We say that

• An SSE scheme is UC-secure if for any adversary A, there exists a UC-adversary S such that

   Pr[Z ⇒ 1 in the real] ≈ Pr[Z ⇒ 1 in the ideal]

We define

• reliability (unforgeability)
  strong reliability (strong unforgeability)
  UC security
• Prove a weak equivalence
  (1) UC-secure → privacy + reliability
  (2) privacy + strong reliability → UC-secure
• Finally an efficient UC-secure SSE scheme

Suppose that

• There exists an SSE scheme which is UC-secure

In the real world,

Consider A who relays everything to Z

[Diagram: Z gives keyword to the Client, the Client sends E(keyword) to the Server, and the Adversary A relays E(keyword) to Z.]

The real world = the real game of privacy

[Diagram: the same picture with the labels distinguisher and challenger added; the messages are keyword and E(keyword).]

In the ideal world,

There exists S which simulates A from the minimum leakage

[Diagram: Environment Z, dummy client, FSSE and UC adversary S; the messages are keyword, Minimum leakage and E(keyword).]

The ideal world = the ideal game of privacy

[Diagram: the same picture with the labels distinguisher, challenger and simulator added; the messages are keyword, Minimum leakage and E(keyword).]

Therefore

• if the SSE scheme is UC secure, then privacy is satisfied.

Next, for a reliability adversary (A1, A2),

[Diagram: the Adversary (A1, A2) and the Client.]

Consider (Z, A) s.t.

Z = A1
A = A2

[Diagram: Client, Server, Z = A1 and Adversary A = A2.]

In the corresponding ideal world,

The dummy client never outputs D(w)’ ≠ D(w) from the definition of FSSE

[Diagram: Z gives w to the dummy Client; FSSE returns D(w) or reject, which the dummy Client outputs to Z; the UC Adversary S is also shown.]

Hence

• In the real world, the client outputs D(w)’ ≠ D(w) with negligible probability.
• Therefore reliability is satisfied

We define

• reliability (unforgeability)
  strong reliability (strong unforgeability)
  UC security
• Prove a weak equivalence
  (1) UC-secure → privacy + reliability
  (2) privacy + strong reliability → UC-secure
• Finally an efficient UC-secure SSE scheme

Suppose that

• There exists an SSE scheme which satisfies privacy and strong reliability

Game 0 = Real world

[Diagram: Z gives keyword w to the Client, the Client sends E(w) to the Server, the Server (with the Adversary A) returns C(w), Tag, and the Client outputs D(w) or reject to Z.]

In Game 1,

If A instructs the server to return an invalid message

[C(w)’, Tag’] ≠ [C(w), Tag]

Then the server returns reject to the client, and the client sends reject to Z

Otherwise the server returns accept to the client and the client outputs D(w) = {files which contain the keyword w}

[Diagrams: Z gives w to the Client and the Client sends E(w) to the Server, as in Game 0.]

• Game 1 and Game 0 are indistinguishable because the SSE scheme satisfies strong reliability.

In Game 2,

[Diagram: Z, A, the server, Client 1 and Client 2; the messages are w, E(w), accept or reject, and D(w) or reject.]

• From the viewpoint of Z, Game 2 and Game 1 are the same

In Game 3,

[Diagram: Z, A, the server, Client 1, Client 2 and the Simulator of privacy; the messages are Minimum leakage, E(w), and accept or reject.]

Game 3 = simulation game of privacy

[Diagram: the Game 3 picture with the labels distinguisher and challenger added; the messages are keyword, Minimum leakage, E(w), and accept or reject.]

Game 2 = real game of privacy

[Diagram: the Game 2 picture with the labels distinguisher and challenger added; the messages are keyword, E(w), and accept or reject.]

Therefore

• Game 3 and Game 2 are indistinguishable because the SSE scheme satisfies privacy

Finally Game 3 = the ideal world

[Diagram: Z, A, the server, Client 1, Client 2, the simulator S0, the UC adversary S and FSSE; the messages are Minimum leakage and accept or reject.]

Namely

• Game 0 = the real world
• Game 3 = the ideal world
• and Z cannot distinguish them
• Therefore the SSE scheme is UC-secure.

We define

• reliability (unforgeability)
  strong reliability (strong unforgeability)
  UC security
• Prove a weak equivalence
  (1) UC-secure → privacy + reliability
  (2) privacy + strong reliability → UC-secure
• show an efficient UC-secure SSE scheme

Consider this example

             D1  D2  D3  D4  D5
Austin        1   0   1   0   1
Boston        0   1   0   1   0

The client computes

               E(D1) E(D2) E(D3) E(D4) E(D5)
PRP(Austin)  (   1     0     1     0     1   )
PRP(Boston)  (   0     1     0     1     0   )

where PRP means pseudorandom permutation

and adds

               E(D1) E(D2) E(D3) E(D4) E(D5)
PRP(Austin)  (   1     0     1     0     1   ) + PRF(Austin)
PRP(Boston)  (   0     1     0     1     0   ) + PRF(Boston)

where PRF means pseudorandom function.

The client stores this table

               E(D1) E(D2) E(D3) E(D4) E(D5)
PRP(Austin)  (   1     0     1     0     1   ) + PRF(Austin)
PRP(Boston)  (   0     1     0     1     0   ) + PRF(Boston)

        +

TagA = MAC( PRP(Austin), E(D1), E(D3), E(D5) )
TagB = MAC( PRP(Boston), E(D2), E(D4) )

In the search phase,

For a keyword Austin, the client sends

E(Austin) = { PRP(Austin), PRF(Austin) }

The server decrypts (10101)

               E(D1) E(D2) E(D3) E(D4) E(D5)
PRP(Austin)  (   1     0     1     0     1   ) + PRF(Austin)
PRP(Boston)  (   0     1     0     1     0   ) + PRF(Boston)

And returns

E(D1), E(D3), E(D5), TagA

The client accepts if

TagA = MAC( PRP(Austin), E(D1), E(D3), E(D5) )

Theorem

• The above SSE scheme satisfies privacy and strong reliability if E is CPA-secure

Corollary

• The above SSE scheme is UC-secure
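The store, search and verify steps of the scheme above, worked through in Python on the Austin/Boston table. This is an added example, not code from the talk or the paper: HMAC-SHA256 stands in for the PRP, the PRF and the MAC, a toy HMAC-based stream cipher stands in for the CPA-secure E, and all function and class names are assumptions.

```python
import hashlib, hmac, os

def prf(key, *parts):
    """HMAC-SHA256 over length-prefixed parts (stand-in for PRP, PRF and MAC)."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

def _stream_xor(key, nonce, data):
    ks = b"".join(prf(key, nonce, i.to_bytes(4, "big"))
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def enc(key, doc):
    """Randomised toy cipher standing in for the CPA-secure E."""
    nonce = os.urandom(16)
    return nonce + _stream_xor(key, nonce, doc)

def dec(key, ct):
    return _stream_xor(key, ct[:16], ct[16:])

class Client:
    def __init__(self):
        self.k_enc, self.k_prp, self.k_prf, self.k_mac = (
            os.urandom(32) for _ in range(4))

    def trapdoor(self, w, n):
        """E(w) = (PRP(w), PRF(w)); the mask covers n <= 256 files."""
        pad = prf(self.k_prf, w.encode())
        mask = [(pad[i // 8] >> (i % 8)) & 1 for i in range(n)]
        return prf(self.k_prp, w.encode())[:16], mask

    def store(self, docs, index):
        """Build what the server keeps: ciphertexts, masked rows and tags."""
        cts = [enc(self.k_enc, d) for d in docs]
        table = {}
        for w, bits in index.items():
            row, mask = self.trapdoor(w, len(docs))
            hits = [c for c, b in zip(cts, bits) if b]
            tag = prf(self.k_mac, row, *hits)  # Tag = MAC(PRP(w), E(Di), ...)
            table[row] = ([b ^ m for b, m in zip(bits, mask)], tag)
        return cts, table

    def verify(self, w, n, reply):
        """Return the plaintexts if the tag checks out, else None (reject)."""
        hits, tag = reply
        row, _ = self.trapdoor(w, n)
        if not hmac.compare_digest(tag, prf(self.k_mac, row, *hits)):
            return None
        return [dec(self.k_enc, c) for c in hits]

def server_search(cts, table, trapdoor):
    """Honest server: unmask the row for PRP(w), return matches and the tag."""
    row, mask = trapdoor
    masked, tag = table[row]
    bits = [b ^ m for b, m in zip(masked, mask)]
    return [c for c, b in zip(cts, bits) if b], tag

def demo():
    # Constructed sample data matching the page's table.
    docs = [b"D1", b"D2", b"D3", b"D4", b"D5"]
    index = {"Austin": [1, 0, 1, 0, 1], "Boston": [0, 1, 0, 1, 0]}
    client = Client()
    cts, table = client.store(docs, index)
    hits, tag = server_search(cts, table, client.trapdoor("Austin", 5))
    honest = client.verify("Austin", 5, (hits, tag))
    # Replies a malicious server could send instead of the honest one:
    swapped = client.verify("Austin", 5, ([cts[1], hits[1], hits[2]], tag))
    dropped = client.verify("Austin", 5, (hits[:2], tag))
    other_row = client.verify(
        "Austin", 5, server_search(cts, table, client.trapdoor("Boston", 5)))
    return honest, swapped, dropped, other_row

if __name__ == "__main__":
    print(demo())
```

The honest reply decrypts to D1, D3, D5; a replaced file, a deleted file and the Boston row returned for an Austin query are all rejected by the tag check.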


So far,

• single keyword search SSE schemes.

Next

• multiple keyword search SSE schemes.

Wang et al. (2008)

• Showed a multiple keyword SSE scheme for AND search.

At CRYPTO 2013,

• Cash, Jarecki, Jutla, Krawczyk, Rosu, and Steiner showed an SSE scheme which can support any search formula f (in the random oracle model).

• The communication overhead is sublinear in N, where N = the number of files.

However,

• the search formula f is revealed to the server and
• the search phase requires 2 rounds.

              Search phase   Search formula
Cash et al.   2 rounds       revealed

In their scheme,

If 「Japan AND Crypto」 is searched, the following information is leaked to the server

  the search formula = AND
  the search result of Japan or that of Crypto
  and some more information (see Sec. 5.3 of their paper)

Kurosawa (FC 2014)

• even the search formula f is kept secret.
• the search phase requires only 1 round.

              Search phase   Search formula
Cash et al.   2 rounds       revealed
Proposed      1 round        secret

In my scheme

only the following information is leaked (other than the minimum leakage)

• The topological circuit f-
• (π(j1), …, π(jc)),

  where π is a random permutation and {wj1, …, wjc} are the queried keywords

If this is the search formula f,

[Diagram: a circuit with inputs 1, 2, 3, 4 and gates XOR, AND and OR.]

This is the topological circuit f-

[Diagram: the same circuit with inputs 1, 2, 3, 4, without the gate labels XOR, AND and OR.]

On the other hand,

• The communication overhead is O(N),
• while it is sublinear in N in Cash et al.’s scheme,
• where N = the number of files.

The proposed SSE scheme

• is based on Yao’s garbled circuit.


A garbled circuit of f

• is an encoding garble(f) such that
• one can compute f(X) from garble(f) and label(X) without learning anything on f and X.

garble(f), label(X) → f(X)

Consider f(x1,x2) = (x1 and x2)

x1  x2  x3
 0   0   0
 0   1   0
 1   0   1
 1   1   1

[Diagram: a gate with inputs x1 = 0, x2 = 1 and output x3 = 0.]

garble(f) is an encoded truth table by random strings

x1   x2   x3
A0   B0   H(A0,B0) + 0
A0   B1   H(A0,B1) + 0
A1   B0   H(A1,B0) + 0
A1   B1   H(A1,B1) + 1

[Diagram: the gate with input labels A0 and B1 and output x3 = 0.]

label(X) is these random strings (A0 and B1 in the diagram)

In this example, x3 = 0 is obtained by computing H(A0,B1)

garble(f), label(X) → x3 = 0

High level overview of the proposed scheme

Consider this example.

               keywords
             w1  w2  w3
files  D1     1   1   1
       D2     1   0   0

Let

      w1 w2 w3
D1  ( 1  1  1 ) = X1
D2  ( 1  0  0 ) = X2

The client computes

      w1 w2 w3
D1    label(X1)
D2    label(X2)

The client also computes

         PRP(w1) PRP(w2) PRP(w3)
E(D1)          label(X1)
E(D2)          label(X2)

and sends this table to the Server

In the search phase,

• Suppose that the client wants to search on f(w1,w2,w3) = w1 ⋀ w2 ⋀ w3

• He computes the garbled circuits of f: Γ1 for D1 and Γ2 for D2.

The client sends

PRP(w1), …, PRP(w3), Γ1, Γ2

The server has this table

         PRP(w1) PRP(w2) PRP(w3)
E(D1)          label(X1)
E(D2)          label(X2)

The server computes f(X1) from

Γ1, label(X1) → f(X1) = 1    (garbled circuit)

Similarly she computes f(X2)

Γ2, label(X2) → f(X2) = 0    (garbled circuit)

If f(X1)=1 and f(X2)=0,

The server returns E(D1)

However, if

• label(X) is reused, then some information on (f, X) is leaked.

garble(f), label(X) → f(X)

We use counter as an additional input to H

x1   x2   x3
A0   B0   H(counter, A0,B0) + 0
A0   B1   H(counter, A0,B1) + 0
A1   B0   H(counter, A1,B0) + 0
A1   B1   H(counter, A1,B1) + 1

[Diagram: the gate with input labels A0 and B1 and output x3 = 0.]
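Why a reused label(X) leaks and what the counter changes, shown on a single gate. This is an added sketch, not the construction from the talk or the FC 2014 paper: SHA-256 stands in for H, the row-locator layout and the function names are assumptions, and the second circuit (OR) is chosen here for illustration.

```python
import hashlib, os

AND = ((0, 0), (0, 1))   # truth[x1][x2]
OR = ((0, 1), (1, 1))

def H(counter, a, b):
    """SHA-256 as the hash H; counter=None gives the counter-free H(A, B)."""
    prefix = b"" if counter is None else counter.to_bytes(8, "big")
    return hashlib.sha256(prefix + a + b).digest()

def new_labels():
    """Two random 128-bit strings for one input wire: (label for 0, label for 1)."""
    return os.urandom(16), os.urandom(16)

def garble_gate(truth, A, B, counter):
    """Encode the truth table as H(counter, A_i, B_j) + truth[i][j].

    Assumption of this sketch: the first 16 bytes of H locate the row and one
    further bit of H masks the output bit ('+' is XOR). Rows are sorted by
    locator so their order says nothing about (i, j).
    """
    rows = {}
    for i in (0, 1):
        for j in (0, 1):
            h = H(counter, A[i], B[j])
            rows[h[:16]] = (h[16] & 1) ^ truth[i][j]
    return dict(sorted(rows.items()))

def evaluate(table, a, b, counter):
    """Server side: from label(X) = (a, b) and garble(f), recover f(X)."""
    h = H(counter, a, b)
    return table[h[:16]] ^ (h[16] & 1)

def cross_table_view(t1, t2):
    """What anyone holding two garbled tables can compute with no labels:
    for every row locator common to both, the XOR of the two masked bits."""
    return sorted(t1[k] ^ t2[k] for k in t1.keys() & t2.keys())

def demo():
    A, B = new_labels(), new_labels()   # the same labels are reused throughout
    label_X = (A[0], B[1])              # the page's input: x1 = 0, x2 = 1
    # Without the counter the masks are identical in both tables, so they
    # cancel: the XOR per row is AND xor OR, revealing that f1 and f2 differ
    # on exactly two of the four input combinations.
    leak_plain = cross_table_view(garble_gate(AND, A, B, None),
                                  garble_gate(OR, A, B, None))
    # With a fresh counter per garbled circuit no rows line up any more.
    g_and, g_or = garble_gate(AND, A, B, 1), garble_gate(OR, A, B, 2)
    leak_ctr = cross_table_view(g_and, g_or)
    return (evaluate(g_and, *label_X, 1), evaluate(g_or, *label_X, 2),
            leak_plain, leak_ctr)

if __name__ == "__main__":
    print(demo())
```

Evaluation with the reused labels still works under each counter (AND gives 0, OR gives 1), while the cross-table comparison that exposed the relation between the two circuits returns nothing.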


Formally

Bellare et al. (2012) defined      Kurosawa (2014) extended them to
garbling schemes                   extended garbling schemes
Input-circuit privacy              label reusable privacy

Label reusable privacy

• Even if label(X) is reused for multiple garbled circuits Γ1, Γ2, …,

• no information on X and (f1, f2, …) is leaked, where Γi is a garbled circuit of fi

Theorem 1

• Our construction satisfies label reusable privacy in the random oracle model


Theorem 2

If the underlying extended garbling scheme satisfies label reusable privacy,

only the following information is leaked (other than the minimum leakage)

• The topological circuit f-
• (π(j1), …, π(jc)),

  where π is a random permutation and {wj1, …, wjc} are the queried keywords

Communication overhead of the proposed scheme

• Let
  m = # of files
  c = # of search keywords
  s = # of gates of f
• In the search phase, the com. overhead is

  |counter| + (c + 4m(s-1))×128 + 4m bits

If # of search keywords is 2

• The communication overhead is |counter| + 256 + 4 × (# of files) bits

Computer simulation

• We used a computer as follows.
  2.4GHz CPU and 32G byte RAM
  OS = CentOS 6.5
  C++ and NTL library

• The total # of keywords is 20.

[Figure: The running time of the client in the search phase]

[Figure: The running time of the server in the search phase]

Summary

(1) UC-Secure Searchable Symmetric Encryption
    A preliminary version = FC 2012
    Final version = ePrint 2015/251

(2) Garbled Searchable Symmetric Encryption
    FC 2014

Open problem (1)

• Construct a multiple keyword SSE scheme such that

• The communication overhead is sublinear in N
• And the leakage is as small as possible
• In the standard model

Open problem (2)

• In all the known single keyword SSE schemes, E(keyword) is deterministic

• Hence if the client sends E(keyword) twice, this search pattern is leaked.
• So construct a UC-secure scheme such that even the search pattern is kept secret

Open problem (3)

• Prove the tight equivalence between UC security and some stand alone security

Thank you !
