Presentation transcript:

SSE-2
Step 1: Keygen(1^k): s ←R {0,1}^k, output K = s.
Step 2: BuildIndex(K, D): build a table T, where p = (bits of a word) + (bits of max). Suppose w_1 appears in D_1 and D_3:
T[π_s(w_1||1)] = D_1
T[π_s(w_1||2)] = D_3
…
T[π_s(w_1||max)] = random value
max: the size of the largest plaintext document in D.
(Figure: table T with 2^p addresses; the entries T[π_s(w_1||1)] → D_1 and T[π_s(w_1||2)] → D_3 are shown, the remaining entries hold random values.)

m = max · n, where n is the number of documents in D.
m' = Σ_{w_i ∈ △'} |D(w_i)|; if m' < m, fill the remaining (m − m') entries with random values.
Output I = T.
Step 3: Trapdoor(w): output T_w = (T_{w,1}, …, T_{w,max}) = (π_s(w||1), …, π_s(w||max)).
Step 4: Search(I, T_w): for 1 ≤ i ≤ max, retrieve id = T[T_{w,i}] and output id.
Size of T: {0,1}^p × {0,1}^{log_2 n} × m (the authors' accounting). (π: {0,1}^k × {0,1}^p → {0,1}^p.)
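The four steps above, implemented in Python as an added example (this is not code from the slides or from the Curtmola et al. paper). It assumes π_s is instantiated with HMAC-SHA256 truncated to p = 64 bits (a PRF standing in for the PRP), that a document's size is its number of distinct words, and it uses a small constructed document collection; the table T is a dict from p-bit label to identifier, padded with random entries up to m = max · n.

```python
"""SSE-2 index construction, trapdoor and search (added example, not the paper's code)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Set, Tuple

P_BYTES = 8  # p = 64-bit labels (assumption; the slides keep p symbolic)

# Constructed sample collection D = (D_1, D_2, D_3): identifier -> set of distinct words.
DOCS: Dict[int, Set[str]] = {
    1: {"alpha", "beta", "gamma"},
    2: {"alpha", "delta"},
    3: {"beta", "gamma", "delta"},
}


def keygen(k_bytes: int = 32) -> bytes:
    """Step 1: s <-R {0,1}^k, output K = s."""
    return secrets.token_bytes(k_bytes)


def prp(s: bytes, x: bytes) -> bytes:
    """Stand-in for pi_s: {0,1}^k x {0,1}^p -> {0,1}^p.

    Assumption of this example: HMAC-SHA256 truncated to p bits (a PRF) replaces the PRP.
    """
    return hmac.new(s, x, hashlib.sha256).digest()[:P_BYTES]


def label(w: str, j: int) -> bytes:
    """Encode the label w||j with a fixed-width counter so the encoding is injective."""
    return w.encode("utf-8") + b"\x00" + j.to_bytes(4, "big")


def build_index(K: bytes, docs: Dict[int, Set[str]]) -> Tuple[Dict[bytes, int], int]:
    """Step 2: BuildIndex(K, D). Returns (I = T, max)."""
    n = len(docs)
    max_size = max(len(words) for words in docs.values())  # size of the largest document
    m = max_size * n
    T: Dict[bytes, int] = {}
    for w in sorted(set().union(*docs.values())):
        d_w = sorted(doc_id for doc_id, words in docs.items() if w in words)  # D(w)
        if len(d_w) > max_size:
            # Search looks up only max labels, so postings beyond max would be unreachable.
            raise ValueError(f"|D({w})| exceeds max")
        for j, doc_id in enumerate(d_w, start=1):
            T[prp(K, label(w, j))] = doc_id  # T[pi_s(w||j)] = j-th identifier in D(w)
    # m' = sum_w |D(w)| real entries so far; pad the remaining m - m' with random values.
    while len(T) < m:
        lbl = secrets.token_bytes(P_BYTES)
        if lbl not in T:
            T[lbl] = secrets.randbelow(n) + 1
    return T, max_size


def trapdoor(K: bytes, w: str, max_size: int) -> List[bytes]:
    """Step 3: T_w = (pi_s(w||1), ..., pi_s(w||max)); deterministic, hence the search pattern leak."""
    return [prp(K, label(w, j)) for j in range(1, max_size + 1)]


def search(T: Dict[bytes, int], T_w: List[bytes]) -> Set[int]:
    """Step 4: look up every label of the trapdoor and output the identifiers found."""
    return {T[lbl] for lbl in T_w if lbl in T}


if __name__ == "__main__":
    K = keygen()
    T, max_size = build_index(K, DOCS)
    print("max =", max_size, "entries in T =", len(T))
    for w in ("alpha", "delta", "omega"):
        print(w, "->", sorted(search(T, trapdoor(K, w, max_size))))
```

The server sees only T and the trapdoors: T is m label/identifier pairs of which m − m' are random padding, and a repeated query produces the identical trapdoor, which is exactly the search pattern ∏_q that the trace in Definition 3 declares as leaked.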

SSE model
History: documents and keywords.
View: encrypted documents, index, trapdoors.
Trace: length of documents, search outcomes, search pattern.

Some notation. Let △ = {w_1, ..., w_d} be a dictionary of d words, and 2^△ be the set of all possible documents. Let D ⊆ 2^△ be a collection of n documents D = (D_1, ..., D_n), and 2^{2^△} be the set of all possible document collections. Let id(D) be the identifier of document D. We refer to D(w) (the set of identifiers of documents containing w) as the outcome of a search for w, and to the sequence (D(w_1), ..., D(w_n)) as the access pattern of a client.

SSE-2 proof. Definition 1 (History): Let △ be a dictionary. A history H_q ∈ 2^{2^△} × △^q is an interaction between a client and a server over q queries. The partial history H_q^t ∈ 2^{2^△} × △^t of a given history H_q = (D, w_1, ..., w_q) is the sequence H_q^t = (D, w_1, ..., w_t), where t ≤ q.

Definition 2 (View): Let D be a collection of n documents and H_q = (D, w_1, ..., w_q) be a history over q queries. An adversary's view of H_q under secret key K is defined as V_K(H_q) = (id(D_1), ..., id(D_n), ε(D_1), ..., ε(D_n), I_D, T_1, ..., T_q). The partial view V_K^t(H_q) of a history H_q under secret key K is the sequence V_K^t(H_q) = (id(D_1), ..., id(D_n), ε(D_1), ..., ε(D_n), I_D, T_1, ..., T_t), where t ≤ q.

Definition 3 (Trace): Let D be a collection of n documents and H_q = (D, w_1, ..., w_q) be a history over q queries. The trace of H_q is the sequence Tr(H_q) = (id(D_1), ..., id(D_n), |D_1|, ..., |D_n|, D(w_1), ..., D(w_q), ∏_q). Note: ∏_q can be a symmetric binary matrix where ∏_q[i,j] = 1 if w_i = w_j and ∏_q[i,j] = 0 otherwise, for 1 ≤ i, j ≤ q.

Definition 3.9 (Adaptive Semantic Security for SSE). An SSE scheme is adaptively semantically secure if for all q ∈ N and for all (non-uniform) probabilistic polynomial-time adversaries A, there exists a (non-uniform) probabilistic polynomial-time algorithm (the simulator) S such that for all traces Tr_q of length q, all polynomially samplable distributions 𝓗_q over {H_q ∈ 2^{2^△} × △^q : Tr(H_q) = Tr_q} (i.e., the set of histories with trace Tr_q), all functions f : {0,1}^m → {0,1}^{l(m)} (where m = |H_q| and l(m) = poly(m)), all 0 ≤ t ≤ q and all polynomials p and sufficiently large k:

where H_q is sampled from 𝓗_q, K ← Keygen(1^k), and the probabilities are taken over H_q and the internal coins of Keygen, A, S and the underlying BuildIndex algorithm.
Theorem. SSE-2 is an adaptively secure SSE scheme.
Proof: The idea behind the proof is to describe a simulator that can simulate the partial view of an adversary given only the trace of a partial history.

Following the simulation-based approach of Definition 3.9, we describe a probabilistic polynomial-time simulator S such that for all q ∈ N, all probabilistic polynomial-time adversaries A, all polynomially bounded functions f, and all distributions 𝓗_q, given Tr(H_q^t), S can simulate A(V_K^t(H_q)) for all 0 ≤ t ≤ q with probability negligibly close to 1, where H_q is sampled from 𝓗_q and K ← Keygen(1^k). More precisely, we show that, for all 0 ≤ t ≤ q, S(Tr(H_q^t)) can generate a view (V_q^t)* that is indistinguishable from V_K^t(H_q).

In the SSE-2 construction, for each word, the labels in the word's family (e.g. F_w = {w||j : 1 ≤ j ≤ |D(w)|}) are inserted into the index, and each label appears in only one document. Searching for a word consists of searching for max labels in its family. Before proceeding further, we recall that the parameters of the pseudo-random permutation used to instantiate the scheme are known to S. Also, recall the notions of a view and of a trace in the context of the SSE-2 construction:

For a given q, the simulator must commit to an index before any queries are made, i.e. at time t = 0 the simulator generates an index I* that will be included in all partial views (V_q^t)* used to simulate A, for all 0 ≤ t ≤ q. Note that although at time t = 0 the simulator has no knowledge about future queries, the index I* must be indistinguishable from a real index I_D in V_K^t(H_q), for all 0 ≤ t ≤ q.

Also, for all 0 ≤ t ≤ q, the simulator includes in the partial view (V_q^t)* the document identifiers (which it knows from the trace of the partial history Tr(H_q^0)) and ciphertexts obtained by generating random values (of sizes known from Tr(H_q^0)). It follows trivially that the identifiers and ciphertexts in (V_q^t)* are indistinguishable from those in V_K^t(H_q), for all 0 ≤ t ≤ q. It then remains to show how S constructs the other elements in the view, namely the index and the trapdoors.

For t = 0, the simulator's trace of the partial history Tr(H_q^0) contains, among other things, the identifiers of each document in the collection. S constructs (and includes in (V_q^0)*) the index I* as a ({0,1}^p × {0,1}^{log_2 n} × m) look-up table T*, where m = max · n and T* contains max copies of each document's identifier inserted at random locations. S keeps a copy of I* in order to be able to simulate future partial views for 1 ≤ t ≤ q. Given the algorithm used to construct a real index I included in the partial view V_K^0(H_q), it is clear that I* is indistinguishable from I; otherwise one could distinguish between the output of π_s and a random string of size p. Thus, (V_q^0)* is indistinguishable from V_K^0(H_q).

For 1 ≤ t ≤ q, the simulator includes in the partial view (V_q^t)* the index I* which was computed for t = 0 and which was established above to be indistinguishable from a real index I in a partial view V_K^t(H_q). Recall that I* consists of a look-up table T* and that Tr(H_q^t) contains the search pattern matrix ∏ for the t queries in Tr(H_q^t).

We describe how S constructs the trapdoors (T_1*, ..., T_t*) included in (V_q^t)*. S reuses the trapdoors (T_1*, ..., T_{t−1}*) that were included in (V_q^{t−1})*. (We assume that S remembers (V_q^{t−1})* and can reuse the trapdoors in it; alternatively, S can reconstruct these trapdoors from Tr(H_q^{t−1}), one by one, in the same manner we show below for constructing T_t* from D(w_t) and ∏.) To construct T_t*, S first checks whether H_q^{t−1} contains w_t (by checking whether ∏_{tj} = 1 for any 1 ≤ j ≤ t − 1). If not, then for each label w_t||i, with 1 ≤ i ≤ max, S randomly picks an address addr_i from T* such that T*[addr_i] = D(w_t||i), and constructs the trapdoor T_t* = (addr_1, ..., addr_max). S also remembers the association between T_t* and w_t. Otherwise, if H_q^{t−1} contains w_t, then S retrieves the trapdoor associated with w_t and assigns it to T_t*.

This ensures that if H_q^t contains repeated words, the corresponding trapdoors included in (V_q^t)* are identical. It is easy to see that the trapdoors (T_1*, ..., T_t*) in (V_q^t)* are indistinguishable from the trapdoors (T_1, ..., T_t) in V_K^t(H_q); otherwise one could distinguish between the output of π_s and a random string of size p. Thus, (V_q^t)* is indistinguishable from V_K^t(H_q), for all 0 ≤ t ≤ q.
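An added Python example (not from the slides or the paper) that covers both Definition 3 and the simulator S of the proof above: trace() computes Tr(H_q) from a constructed history, including the search pattern matrix ∏_q, and simulate_view() plays S, building I* with max copies of each identifier at random addresses and producing trapdoors that reuse the earlier trapdoor whenever ∏ says the word repeats. Assumptions of this example: addresses are 8 random bytes, |D_i| is the number of distinct words in D_i, and the padding labels of a trapdoor (positions i > |D(w_t)|) are simulated as random addresses that are absent from T*.

```python
"""Trace of an SSE history and the proof's simulator S (added example, not the paper's code)."""
import secrets
from typing import Dict, FrozenSet, List, Tuple

# Constructed history H_q = (D, w_1, w_2, w_3); w_3 repeats w_1 so that Pi_q[1,3] = 1.
DOCS: Dict[int, FrozenSet[str]] = {
    1: frozenset({"alpha", "beta", "gamma"}),
    2: frozenset({"alpha", "delta"}),
    3: frozenset({"beta", "gamma", "delta"}),
}
QUERIES: List[str] = ["alpha", "delta", "alpha"]

Trace = Tuple[List[int], List[int], List[FrozenSet[int]], List[List[int]]]


def access_pattern(docs: Dict[int, FrozenSet[str]], w: str) -> FrozenSet[int]:
    """D(w): identifiers of the documents containing w."""
    return frozenset(i for i, words in docs.items() if w in words)


def trace(docs: Dict[int, FrozenSet[str]], queries: List[str]) -> Trace:
    """Tr(H_q) = (id(D_1..n), |D_1..n|, D(w_1..q), Pi_q) as in Definition 3.

    |D_i| is taken as the number of distinct words in D_i (assumption of this example).
    """
    ids = sorted(docs)
    lengths = [len(docs[i]) for i in ids]
    outcomes = [access_pattern(docs, w) for w in queries]
    q = len(queries)
    pi = [[1 if queries[i] == queries[j] else 0 for j in range(q)] for i in range(q)]
    return ids, lengths, outcomes, pi


def simulate_view(tr: Trace, max_labels: int, p_bytes: int = 8):
    """Simulator S: build I* = T* and the trapdoors (T_1*, ..., T_q*) from the trace alone."""
    ids, _lengths, outcomes, pi = tr
    rng = secrets.SystemRandom()
    m = max_labels * len(ids)
    # t = 0: T* holds max copies of every identifier at random, distinct addresses.
    addrs: List[bytes] = []
    while len(addrs) < m:
        a = secrets.token_bytes(p_bytes)
        if a not in addrs:
            addrs.append(a)
    rng.shuffle(addrs)
    table: Dict[bytes, int] = {addrs[k]: ids[k // max_labels] for k in range(m)}
    # Copies of each identifier not yet handed out in a trapdoor (max per id suffice,
    # since a document contributes at most |D_i| <= max distinct words).
    unused: Dict[int, List[bytes]] = {i: [a for a, v in table.items() if v == i] for i in ids}
    trapdoors: List[List[bytes]] = []
    for t, d_wt in enumerate(outcomes):
        # Does H_q^{t-1} already contain w_t?  Check Pi[t][j] for some j < t.
        prev = next((j for j in range(t) if pi[t][j] == 1), None)
        if prev is not None:
            trapdoors.append(trapdoors[prev])  # repeated word: reuse its trapdoor
            continue
        if len(d_wt) > max_labels:
            raise ValueError("more postings than max labels")
        # addr_i with T*[addr_i] in D(w_t): one distinct copy per identifier in D(w_t).
        t_star = [unused[i].pop() for i in sorted(d_wt)]
        # Padding labels beyond |D(w_t)|: fresh addresses outside T* (assumption).
        while len(t_star) < max_labels:
            a = secrets.token_bytes(p_bytes)
            if a not in table:
                t_star.append(a)
        trapdoors.append(t_star)
    return table, trapdoors


if __name__ == "__main__":
    tr = trace(DOCS, QUERIES)
    table, tds = simulate_view(tr, max_labels=3)
    print("Pi_q =", tr[3])
    for t, td in enumerate(tds):
        found = sorted({table[a] for a in td if a in table})
        print(f"T_{t + 1}* resolves in T* to", found, "expected", sorted(tr[2][t]))
```

Running the simulated trapdoors against T* returns exactly D(w_t) for every query, and T_1* and T_3* are the same object, so the simulated view reproduces both the access pattern and the search pattern that the trace discloses, which is the whole point of the proof: nothing beyond the trace is needed to produce it.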