UC/Garbled Searchable Symmetric Encryption
Kaoru Kurosawa, Ibaraki University, Japan



I will talk about:
(1) UC-Secure Searchable Symmetric Encryption. Preliminary version: FC 2012. Final version: ePrint 2015/251.
(2) Garbled Searchable Symmetric Encryption: FC 2014.

Curtmola, Garay, Kamara and Ostrovsky (2006) defined the privacy of SSE schemes as follows.

In the store phase, the client sends E(D_1), ..., E(D_N) and E(Index). The server learns |D_1|, ..., |D_N| and |{keywords}|.

In the search phase, the client sends E(keyword) and the server returns C(keyword) = (E(D_3), E(D_6), E(D_10)). This means that the server learns the corresponding indexes {3, 6, 10}.

We call this information, namely |D_1|, ..., |D_N|, |{keywords}| and the corresponding indexes {3, 6, 10}, the minimum leakage.

The privacy definition requires that the server should not be able to learn any more information than this.

In the real game, the distinguisher chooses D = {D_1, ..., D_N}, W = {set of keywords} and Index, and the challenger returns E(D_1), ..., E(D_N) and E(Index).

In the simulation game, the distinguisher sends the same D, W and Index to the challenger, but the challenger passes only the minimum leakage |D_1|, ..., |D_N| and |{keywords}| to a simulator, which somehow returns E(D_1), ..., E(D_N) and E(Index).

In the search phase of the real game, the distinguisher chooses a keyword and the challenger returns E(keyword).

In the simulation game, the challenger passes only the minimum leakage {3, 6, 10} to the simulator, which somehow returns E(keyword).

Definition of Curtmola et al.: privacy is satisfied if there exists a simulator such that the real game ≈ the simulation game.

We now define reliability, strong reliability and UC security; prove a weak equivalence: (1) UC-secure → privacy + reliability, (2) privacy + strong reliability → UC-secure; and finally show an efficient UC-secure SSE scheme.


A malicious server may try to forge some files, delete some files, or replace E(D_3) with E(D_100): the client sends E(keyword), and instead of E(D_3), E(D_6), E(D_10) the malicious server returns E(D_100), E(D_6), E(D_10).

Consider an adversary (A_1, A_2) such that A_1 gives the inputs to the client and A_2, playing the server, runs the protocol with the client.

If A_2 is honest, then for a keyword w the client sends E(w), A_2 returns [C(w), Tag], and the client outputs D(w) = {files which contain w}.

Reliability is satisfied if, for any (A_1, A_2), the client outputs D(w)' ≠ D(w) with negligible probability.

Strong reliability is satisfied if, for any (A_1, A_2), the client accepts a reply [C(w)', Tag'] ≠ [C(w), Tag] with negligible probability.

We next define UC security.

In the ideal world, the environment Z gives D = {D_1, ..., D_N}, W = {set of keywords} and Index to the dummy client, which forwards them to the ideal functionality F_SSE.

F_SSE sends the minimum leakage |D_1|, ..., |D_N| and |{keywords}| to the UC adversary S.

In the search phase, Z gives a keyword to the dummy client, which forwards it to F_SSE.

F_SSE sends the minimum leakage {3, 6, 10} to S.

S returns Accept or Reject to F_SSE.

If S returns Reject, then F_SSE sends Reject to the dummy client, which outputs Reject to Z.

If S returns Accept, F_SSE sends D(w) = {D_3, D_6, D_10} to the dummy client, which outputs D(w) = {D_3, D_6, D_10} to Z.

Also, S and Z can interact freely.

This is an ideal world because (Correctness) the dummy client outputs Reject or the correct D(w), and (Security) the UC adversary S learns only the minimum leakage.

In the real world, the client and the server run the real protocol, and Z gives the inputs to the client.

The adversary A can corrupt the server and communicate with Z freely.

We say that an SSE scheme is UC-secure if for any adversary A there exists a UC adversary S such that Pr[Z ⇒ 1 in the real world] ≈ Pr[Z ⇒ 1 in the ideal world].

We first prove (1): UC-secure → privacy + reliability (unforgeability).

Suppose that there exists an SSE scheme which is UC-secure.

In the real world, consider an adversary A who relays everything to Z: Z chooses the keyword given to the client, and A forwards the E(keyword) it sees as the server to Z.

Then the real world = the real game of privacy, with Z as the distinguisher and the client as the challenger.

In the ideal world, there exists a UC adversary S which simulates A from the minimum leakage: S receives only the minimum leakage from F_SSE and returns E(keyword) to Z.

Then the ideal world = the simulation game of privacy, with Z as the distinguisher, F_SSE as the challenger and S as the simulator.

Therefore, if the SSE scheme is UC-secure, then privacy is satisfied.

Next, for a reliability adversary (A_1, A_2),

consider (Z, A) such that Z = A_1 and A = A_2.

In the corresponding ideal world, the dummy client never outputs D(w)' ≠ D(w), by the definition of F_SSE: on keyword w it outputs either D(w) or Reject.

Hence, in the real world, the client outputs D(w)' ≠ D(w) with negligible probability. Therefore reliability is satisfied.

We next prove (2): privacy + strong reliability (strong unforgeability) → UC-secure.

Suppose that there exists an SSE scheme which satisfies privacy and strong reliability.

Game 0 = the real world: Z gives a keyword w to the client, the client sends E(w) to the server, the adversary A (controlling the server) returns [C(w), Tag], and the client outputs D(w) or Reject to Z.

In Game 1, if A instructs the server to return an invalid message [C(w)', Tag'] ≠ [C(w), Tag], then the server returns Reject to the client, and the client sends Reject to Z.

Otherwise, in Game 1, the server returns Accept to the client and the client outputs D(w) = {files which contain the keyword w}.

Game 1 and Game 0 are indistinguishable because the SSE scheme satisfies strong reliability.

In Game 2, the client is split into two parts: Client 1 runs the protocol with the server (it sends E(w) and receives Accept or Reject), and Client 2 receives w from Z and outputs D(w) or Reject to Z.

From the viewpoint of Z, Game 2 and Game 1 are the same.

In Game 3, Client 1 is replaced by the simulator of privacy, which receives only the minimum leakage and sends E(w) to the server; the server still returns Accept or Reject.

Game 3 = the simulation game of privacy: the simulator produces E(w) from the minimum leakage, and Z together with A plays the distinguisher against the challenger (Client 2).

Game 2 = the real game of privacy: Client 1 produces E(w) from the real keyword, with the same distinguisher and challenger.

Therefore Game 3 and Game 2 are indistinguishable because the SSE scheme satisfies privacy.

Finally, Game 3 = the ideal world: Client 2 plays the role of F_SSE, and the simulator of privacy S_0 together with A (and the server) forms the UC adversary S, which receives the minimum leakage and returns Accept or Reject.

Namely, Game 0 = the real world and Game 3 = the ideal world, and Z cannot distinguish them. Therefore the SSE scheme is UC-secure.

Finally, we show an efficient UC-secure SSE scheme.

Consider this example with five files. Austin appears in D1, D3, D5 and Boston in D2, D4:

           D1  D2  D3  D4  D5
  Austin    1   0   1   0   1
  Boston    0   1   0   1   0

The client computes E(D1), ..., E(D5) and replaces each keyword by PRP(keyword), where PRP means pseudorandom permutation:

  PRP(Austin):  (10101)
  PRP(Boston):  (01010)

and adds PRF(Austin) to (10101) and PRF(Boston) to (01010), where PRF means pseudorandom function, so that each bit vector is masked:

  PRP(Austin):  (10101) + PRF(Austin)
  PRP(Boston):  (01010) + PRF(Boston)

The client stores at the server E(D1), ..., E(D5), the masked table

  PRP(Austin):  (10101) + PRF(Austin)
  PRP(Boston):  (01010) + PRF(Boston)

and the tags Tag_A = MAC(PRP(Austin), E(D_1), E(D_3), E(D_5)) and Tag_B = MAC(PRP(Boston), E(D_2), E(D_4)).

In the search phase, for the keyword Austin the client sends E(Austin) = (PRP(Austin), PRF(Austin)).

The server finds the row PRP(Austin), removes PRF(Austin) and obtains (10101),

and returns E(D_1), E(D_3), E(D_5) and Tag_A.

The client, who knows PRP(Austin) and PRF(Austin), accepts the received E(D_1), E(D_3), E(D_5) if Tag_A = MAC(PRP(Austin), E(D_1), E(D_3), E(D_5)).

Theorem. The above SSE scheme satisfies privacy and strong reliability if E is CPA-secure.
Corollary. The above SSE scheme is UC-secure.
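As an added worked example (not from the slides), here is a toy Python instance of the scheme above on the Austin/Boston data. HMAC-SHA256 under independent keys stands in for PRP, PRF and MAC (a PRF suffices where the slides write PRP, since the value only serves as a row label), a random-nonce HMAC keystream stands in for the CPA-secure E because the standard library has no AES, and the bit vectors are capped at 256 files by the PRF output length. The files and keywords are constructed. The demo also exercises the strong-reliability check: a server that swaps in another stored ciphertext (the E(D_100) attack above) or drops one file is rejected.

```python
import hashlib
import hmac
import os

# Toy instance of the single-keyword scheme above (added example, not the slides' code).
# HMAC-SHA256 under independent keys plays PRP, PRF and MAC; E is a random-nonce
# HMAC keystream standing in for a CPA-secure cipher.  Assumes at most 256 files.


def _h(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts (unambiguous for variable-length inputs)."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()


def keygen() -> dict:
    """Independent keys for the four primitives the scheme uses."""
    return {name: os.urandom(32) for name in ("prp", "prf", "mac", "enc")}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(_h(key, nonce, i.to_bytes(4, "big")) for i in range(blocks))[:length]


def encrypt(key: bytes, pt: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))


def decrypt(key: bytes, ct: bytes) -> bytes:
    nonce, body = ct[:16], ct[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def build_index(K: dict, docs: list, keywords: list):
    """Store phase.  Row label PRP(w); the bit vector of files containing w is
    masked with PRF(w); Tag_w = MAC(PRP(w), E(D_i) for each matching i)."""
    n = len(docs)
    enc_docs = [encrypt(K["enc"], d) for d in docs]
    table = {}
    for w in keywords:
        bits = sum(1 << i for i, d in enumerate(docs) if w in d.split())
        mask = int.from_bytes(_h(K["prf"], w), "big") & ((1 << n) - 1)
        row = _h(K["prp"], w)
        matching = [enc_docs[i] for i in range(n) if bits >> i & 1]
        table[row] = (bits ^ mask, _h(K["mac"], row, *matching))
    return enc_docs, table


def trapdoor(K: dict, w: bytes):
    """E(w) = (PRP(w), PRF(w)), all the client sends in the search phase."""
    return _h(K["prp"], w), _h(K["prf"], w)


def server_search(enc_docs: list, table: dict, trap):
    """Honest server: unmask the row and return C(w) with Tag_w.  The indexes it
    computes on the way are exactly the minimum leakage of the slides."""
    row, prf_w = trap
    n = len(enc_docs)
    masked, tag = table[row]
    bits = masked ^ (int.from_bytes(prf_w, "big") & ((1 << n) - 1))
    idx = [i for i in range(n) if bits >> i & 1]
    return idx, [enc_docs[i] for i in idx], tag


def client_verify(K: dict, w: bytes, cts: list, tag: bytes):
    """Accept iff Tag_w = MAC(PRP(w), C(w)) over what was actually received;
    on accept decrypt D(w), otherwise reject (None)."""
    if not hmac.compare_digest(tag, _h(K["mac"], _h(K["prp"], w), *cts)):
        return None
    return [decrypt(K["enc"], c) for c in cts]


def demo():
    """Constructed data matching the slides: Austin in D1, D3, D5; Boston in D2, D4."""
    docs = [b"D1 Austin", b"D2 Boston", b"D3 Austin", b"D4 Boston", b"D5 Austin"]
    K = keygen()
    enc_docs, table = build_index(K, docs, [b"Austin", b"Boston"])
    idx, cts, tag = server_search(enc_docs, table, trapdoor(K, b"Austin"))
    honest = client_verify(K, b"Austin", cts, tag)
    # Malicious server: replace E(D3) by another stored ciphertext, or drop E(D5).
    swapped = client_verify(K, b"Austin", [cts[0], enc_docs[1], cts[2]], tag)
    dropped = client_verify(K, b"Austin", cts[:2], tag)
    return idx, honest, swapped, dropped


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the indexes the server learned (0, 2, 4, i.e. D1, D3, D5), the decrypted D(w) for the honest run, and `None` for both tampered replies: the tag binds the exact list of ciphertexts, so neither substitution nor deletion is accepted. Note that the trapdoor is deterministic, which is the search-pattern leakage listed among the open problems at the end of the talk.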

So far, single keyword search SSE schemes. Next, multiple keyword search SSE schemes.

Wang et al. (2008) showed a multiple keyword SSE scheme for AND search.

At CRYPTO 2013, Cash, Jarecki, Jutla, Krawczyk, Rosu and Steiner showed an SSE scheme which can support any search formula f (in the random oracle model). The communication overhead is sublinear in N, where N = the number of files.

However, the search formula f is revealed to the server and the search phase requires 2 rounds.

                Search phase   Search formula
  Cash et al.   2 rounds       revealed

In their scheme, if "Japan AND Crypto" is searched, the following information is leaked to the server: the search formula (= AND), the search result of Japan or that of Crypto, and some more information (see Sec. 5.3 of their paper).

Kurosawa (FC 2014): even the search formula f is kept secret, and the search phase requires only 1 round.

                Search phase   Search formula
  Cash et al.   2 rounds       revealed
  Proposed      1 round        secret

In my scheme only the following information is leaked (other than the minimum leakage): the topological circuit f^- and (π(j_1), ..., π(j_c)), where π is a random permutation and {w_{j_1}, ..., w_{j_c}} are the queried keywords.

If this is the search formula f (figure: a circuit of XOR, AND and OR gates),

this is the topological circuit f^- (figure: the same wiring with the gate types removed).

On the other hand, the communication overhead is O(N), while it is sublinear in N in Cash et al.'s scheme, where N = the number of files.

The proposed SSE scheme is based on Yao's garbled circuit.

A garbled circuit of f is an encoding garble(f) such that one can compute f(X) from garble(f) and label(X) without learning anything about f and X.

Consider f(x_1, x_2) = x_1 AND x_2 with inputs x_1 = 0 and x_2 = 1, so the output is x_3 = 0.

garble(f) is the truth table encoded by random strings A_0, A_1 (for x_1 = 0, 1) and B_0, B_1 (for x_2 = 0, 1):

  x_1  x_2  x_3
  A_0  B_0  H(A_0, B_0) + 0
  A_0  B_1  H(A_0, B_1) + 0
  A_1  B_0  H(A_1, B_0) + 0
  A_1  B_1  H(A_1, B_1) + 1

label(X) consists of the random strings of the actual inputs: A_0 (for x_1 = 0) and B_1 (for x_2 = 1).

In this example, x_3 = 0 is obtained from the row (A_0, B_1) of garble(f) by computing H(A_0, B_1) and removing it.

High level overview of the proposed scheme. Consider this example with keywords w_1, w_2, w_3 and files D_1, D_2:

        w_1  w_2  w_3
  D_1    1    1    1
  D_2    1    0    0

Let X_1 = (111) be the row of D_1 and X_2 = (100) the row of D_2.

The client computes label(X_1) for D_1 and label(X_2) for D_2.

The client also computes E(D_1), E(D_2) and the column labels PRP(w_1), PRP(w_2), PRP(w_3):

          PRP(w_1)  PRP(w_2)  PRP(w_3)
  E(D_1)        label(X_1)
  E(D_2)        label(X_2)

and sends this table to the server.

In the search phase, suppose that the client wants to search on f(w_1, w_2, w_3) = w_1 ∧ w_2 ∧ w_3. He computes the garbled circuits of f: Γ_1 for D_1 and Γ_2 for D_2.

The client sends PRP(w_1), ..., PRP(w_3), Γ_1, Γ_2.

The server has the stored table with columns PRP(w_1), PRP(w_2), PRP(w_3) and rows E(D_1): label(X_1), E(D_2): label(X_2).

The server computes f(X_1) = 1 from label(X_1) and the garbled circuit Γ_1.

Similarly she computes f(X_2) = 0 from label(X_2) and the garbled circuit Γ_2.

Since f(X_1) = 1 and f(X_2) = 0, the server returns E(D_1).

However, if label(X) is reused across several garbled circuits, then some information on (f, X) is leaked.

We therefore use a counter as an additional input to H:

  x_1  x_2  x_3
  A_0  B_0  H(counter, A_0, B_0) + 0
  A_0  B_1  H(counter, A_0, B_1) + 0
  A_1  B_0  H(counter, A_1, B_0) + 0
  A_1  B_1  H(counter, A_1, B_1) + 1
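The garbled truth table, the per-file evaluation of Γ_i on label(X_i), and the effect of the counter, as an added Python example that is not the slides' code. SHA-256 stands in for the random oracle H; labels are 128 bits; table rows are shuffled and carry a zero prefix so the evaluator can find the one row it can open (a simplification of Bellare et al.'s point-and-permute, assumed here); multi-gate circuits are supported with inner gates outputting fresh wire labels and only the last gate outputting the bit, as in the slide's table. E(D_i) and the PRP(w_j) column keys are omitted, and the two files and three keywords are constructed to give X_1 = (111), X_2 = (100). The `reuse_leak` function shows what goes wrong without a fresh counter: two garbled single-gate circuits built on the same label(X) under the same counter let the server recover f_1(x) ⊕ f_2(x) for all four inputs x.

```python
import hashlib
import hmac
import secrets

# Added example (not the slides' code): hash-based garbling with a counter input to H,
# as in the table above, plus the per-file label(X_i) / Γ_i search of the garbled SSE
# scheme.  SHA-256 stands in for the random oracle H; labels are 128 bits.
LABEL = 16
OPS = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b, "XOR": lambda a, b: a ^ b}


def H(counter: int, gate: int, a: bytes, b: bytes) -> bytes:
    """H(counter, A, B); the gate index is also absorbed so rows of different gates differ."""
    return hashlib.sha256(counter.to_bytes(8, "big") + gate.to_bytes(4, "big") + a + b).digest()


def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))


def garble(circuit, in_labels, counter):
    """circuit = [(op, wire_a, wire_b), ...] in topological order; gate g writes wire c+g and
    the last gate is the output.  in_labels = {input wire: (label0, label1)}.
    Row = H(counter, g, A, B) XOR (0^16 || payload): payload is the output-wire label for
    inner gates and the output bit for the last gate (the slides' H(A, B) + bit).
    Rows are shuffled, so a table reveals only the wiring (the topological circuit)."""
    c = len(in_labels)
    labels = dict(in_labels)
    tables = []
    for g, (op, wa, wb) in enumerate(circuit):
        last = g == len(circuit) - 1
        if not last:
            labels[c + g] = (secrets.token_bytes(LABEL), secrets.token_bytes(LABEL))
        rows = []
        for xa in (0, 1):
            for xb in (0, 1):
                bit = OPS[op](xa, xb)
                payload = bit.to_bytes(LABEL, "big") if last else labels[c + g][bit]
                rows.append(xor(H(counter, g, labels[wa][xa], labels[wb][xb]), bytes(LABEL) + payload))
        secrets.SystemRandom().shuffle(rows)
        tables.append(rows)
    return tables


def evaluate(circuit, tables, active, counter):
    """Server side: active = {input wire: the single label it holds}.  The zero prefix
    identifies the one row it can open; it learns f(X) and nothing about the other rows."""
    c = len(active)
    active = dict(active)
    for g, (op, wa, wb) in enumerate(circuit):
        key = H(counter, g, active[wa], active[wb])
        hits = [xor(r, key)[LABEL:] for r in tables[g] if xor(r, key)[:LABEL] == bytes(LABEL)]
        if len(hits) != 1:
            raise ValueError("no unique row: wrong labels or counter")
        active[c + g] = hits[0]
    return int.from_bytes(active[c + len(circuit) - 1], "big")


def store(key, docs, keywords):
    """Store phase.  The client derives both labels per (file i, keyword j) from a PRF and
    keeps them; the server receives label(X_i): one label per keyword, selected by
    x_ij = [w_j in D_i].  (E(D_i) and the PRP(w_j) column keys are omitted here.)"""
    def lab(i, j, bit):
        return hmac.new(key, bytes([i, j, bit]), hashlib.sha256).digest()[:LABEL]
    m, c = len(docs), len(keywords)
    both = {i: {j: (lab(i, j, 0), lab(i, j, 1)) for j in range(c)} for i in range(m)}
    held = {i: {j: both[i][j][int(keywords[j] in docs[i].split())] for j in range(c)} for i in range(m)}
    return both, held


def search(both, held, circuit, counter):
    """One round: the client garbles f once per file (Γ_i) under a fresh counter; the server
    evaluates each Γ_i on its label(X_i) and returns the indexes with f(X_i) = 1."""
    return [i for i in held if evaluate(circuit, garble(circuit, both[i], counter), held[i], counter) == 1]


def reuse_leak(both_i, f1, f2, ctr1, ctr2):
    """What a server learns when label(X) is reused for two single-gate circuits.  With the
    same counter (no freshness) the rows built under the same (A, B) XOR to 0^16 || f1(x)+f2(x),
    so the server recovers the multiset {f1(x) XOR f2(x)} over all four inputs x, i.e.
    information on (f1, f2).  With fresh counters no pair of rows has the zero prefix."""
    g1, g2 = garble(f1, both_i, ctr1)[0], garble(f2, both_i, ctr2)[0]
    pairs = [xor(r1, r2) for r1 in g1 for r2 in g2 if xor(r1, r2)[:LABEL] == bytes(LABEL)]
    return sorted(int.from_bytes(p[LABEL:], "big") for p in pairs)


def demo():
    """Constructed data from the slides: X_1 = (1,1,1), X_2 = (1,0,0) over w1, w2, w3."""
    both, held = store(secrets.token_bytes(32), [b"w1 w2 w3", b"w1"], [b"w1", b"w2", b"w3"])
    and3 = [("AND", 0, 1), ("AND", 3, 2)]  # w1 AND w2 AND w3; wire 3 is gate 0's output
    return (search(both, held, and3, 1),
            search(both, held, [("XOR", 0, 1)], 2),
            reuse_leak(both[0], [("AND", 0, 1)], [("OR", 0, 1)], 3, 3),
            reuse_leak(both[0], [("AND", 0, 1)], [("OR", 0, 1)], 4, 5))
```

`demo()` returns `[0]` for w_1 ∧ w_2 ∧ w_3 (only D_1 matches, as in the slides), `[1]` for w_1 ⊕ w_2, then `[0, 0, 1, 1]` for the two circuits garbled under the same counter (the truth table of AND ⊕ OR, which the server should never see) and `[]` once the counters differ. Note what the server does see even with the counter: the number of gates and their wiring, which is the topological circuit f^- the talk lists as leakage.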

Formally, Bellare et al. (2012) defined garbling schemes and input-circuit privacy; Kurosawa (2014) extended them to extended garbling schemes and label reusable privacy.

Label reusable privacy: even if label(X) is reused for multiple garbled circuits Γ_1, Γ_2, ..., no information on X and (f_1, f_2, ...) is leaked, where Γ_i is a garbled circuit of f_i.

Theorem 1. Our construction satisfies label reusable privacy in the random oracle model.

Theorem 2. If the underlying extended garbling scheme satisfies label reusable privacy, only the following information is leaked (other than the minimum leakage): the topological circuit f^- and (π(j_1), ..., π(j_c)), where π is a random permutation and {w_{j_1}, ..., w_{j_c}} are the queried keywords.

Communication overhead of the proposed scheme. Let m = # of files, c = # of search keywords, s = # of gates of f. In the search phase, the communication overhead is |counter| + (c + 4m(s-1)) × 128 + 4m bits.
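As an added reading of the terms of this count (not spelled out on the slides; it follows the garbled table above with 128-bit labels, four rows per gate, and one-bit payloads on each output gate):

$$
\underbrace{|\mathrm{counter}|}_{\text{one fresh counter}}
\;+\;
\underbrace{c \cdot 128}_{\mathrm{PRP}(w_{j_1}),\,\dots,\,\mathrm{PRP}(w_{j_c})}
\;+\;
\underbrace{m \cdot (s-1) \cdot 4 \cdot 128}_{\text{inner-gate rows of }\Gamma_1,\dots,\Gamma_m}
\;+\;
\underbrace{m \cdot 4 \cdot 1}_{\text{output-gate rows } H(\cdot)+\text{bit}}
\;=\;
|\mathrm{counter}| + \bigl(c + 4m(s-1)\bigr)\times 128 + 4m \ \text{bits.}
$$

The m·(s−1)·4·128 term is what makes the overhead linear in the number of files: every file gets its own garbled copy of f.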

If the number of search keywords is 2 and f is a single gate (c = 2, s = 1), the communication overhead is |counter| + 256 + 4 × (# of files) bits.

Computer simulation. We used the following machine: 2.4 GHz CPU and 32 GB RAM, OS = CentOS 6.5, C++ with the NTL library. The total # of keywords is

(Figure: the running time of the client in the search phase.)

(Figure: the running time of the server in the search phase.)

Summary.
(1) UC-Secure Searchable Symmetric Encryption. Preliminary version: FC 2012. Final version: ePrint 2015/251.
(2) Garbled Searchable Symmetric Encryption: FC 2014.

Open problem (1). Construct a multiple keyword SSE scheme such that the communication overhead is sublinear in N, the leakage is as small as possible, and the proof is in the standard model.

Open problem (2). In all the known single keyword SSE schemes, E(keyword) is deterministic. Hence if the client sends E(keyword) twice, this search pattern is leaked. So construct a UC-secure scheme such that even the search pattern is kept secret.

Open problem (3). Prove a tight equivalence between UC security and some stand-alone security notion.

Thank you!