1. Public Key Encryption with keyword Search Author: Dan Boneh Rafail Ostroversity Giovanni Di Crescenzo Giuseppe Persiano Presenter: 陳昱圻

2. Problem(1/2) Pre-stored data Search Ciphertext user untrusted server

3. Problem(2/2) User1(Alice) User2(Bob) receive send mail server

4. Properties Query isolation: The un-trusted server can not learn anything more about the plaintext than the search result. Controlled searching: The un-trusted server can not search for an arbitrary word without the user’s authorization. Hidden queries: The user may ask the un- trusted server to search for a secret word without revealing the word to the server.

5. Public key encryption with search: definitions (1/4) Bob wants to mail to Alice, then he sends the following message: Our goal is to enable Alice to send Tw to mail server that will enable the server to all messages containing the keyword W. And server simply sends the relevant email back to Alice. We call it “search public-key encryption”.

6. Public key encryption with search: definitions (2/4) User1(Alice) User2(Bob) receive Send mail server Search Bob’s

7. Public key encryption with search: definitions (3/4) Def. A non-interactive public key encryption with keyword search scheme consists of the following polynomial time randomized algorithms:

8. Public key encryption with search: definitions (4/4)

9. PEKS implies Identity Based Encryption Public key encryption with keyword search is related to Identity Based Encryption (IBE). Constructing a secure PEKS appears to be a harder problem than constructing an IBE. Lemma 2.3 A non-interactive searchable encryption scheme (PEKS) that is semantically secure against an adaptive chosen keyword attack gives rise to a chosen ciphertext secure IBE system (IND-ID-CCA).

10. PEKS implies Identity Based Encryption Proof sketch: Given a PEKS (KeyGen, PEKS, Trapdoor, Test) the IBE system is as follow: 1. Setup: Run the PEKS KeyGen algorithm to generate. The IBE system parameter are. The master-key is. 2.KeyGen: the IBE private key associated with a public key is

11. PEKS implies Identity Based Encryption 3.Encrypt: Encrypt a bit using a public key as: 4.Decrypt: To decrypt using the private. Output ‘0’ if and output ‘1’ if

12. PEKS implies Identity Based Encryption The resulting system is IND-ID-CCA assuming the PEKS is semantically secure against an adaptive chosen message attack. Building non-interactive public-key searchable encryption is at least as hard as building an IBE system.

13. Constructions Two constructions for public-key searchable encryption: (1) an efficient system based on a variant of Decision Diffie-Hellman assumption. (assuming a random oracle) (2) a limited system based on general trapdoor permutations, but less efficient. (without assuming the random oracle)

14. Diffie-Hellman 鑰匙交換的運作程序 n 與 g 為公開值 雙方各選一個較大的數值 x 與 y 計算出『秘密鑰匙』： g xy mod n

15. 驗證 Diffie-Hellman 演算法 Alice 選定： n = 47, g =3, x=8, 計算出：  g x mod n = 3 8 mod 47 = 28 mod 47  訊息 (1) = {47, 3, 28} Bob 選定： y =10, 計算出：  g y mod n = 3 10 mod 47 = 17 mod 47  訊息 (2) = {17} Alice 計算會議鑰匙：  (g x mod n) y = g xy mod n = 28 10 mod 47 = 4 mod 47 Bob 計算會議鑰匙：  (g y mod n) x = g xy mod n = 17 8 mod 47 = 4 mod 47 會議鑰匙 k= 4

16. Construction using bilinear maps(1/5) Our first construction is based on a variant of the Computational Diffie-Hellman problem. Boneh and Franklin [2] used bilinear maps on elliptic curves to build an efficient IBE system.

17. Construction using bilinear maps(2/5) Using two groups of prime order p and a bilinear map between them. The map satisfies : 1.Computable: given there is a polynomial time algorithms to compute 2.Bilinear: for any integer then 3.Non-degenerate: if g is a generator of then is a generator of

18. Construction using bilinear maps(3/5) We build a non-interactive searchable encryption scheme from such a bilinear map. hash functions H1 : {0, 1} *→ G1 and H2 : G2 → KeyGen:Input security parameter determines the size, p, of the groups G1 and G2. Picking a random and generator g of G1. Output

19. Construction using bilinear maps(4/5) PEKS : compute for a random. Output PEKS = Trapdoor Test Test if If so, output ‘yes’ ; otherwise, output ‘no’.

20. Construction using bilinear maps(5/5) Compute Since, right=left. if Test outputs ‘yes’ then the mail server sends the Bob’s mail to Alice.

21. Conclusion Constructing a PEKS is related to Identity Based Encryption (IBE), though PEKS seems to be harder to construct. Our constructions for PEKS are based on recent IBE constructions. We are able to prove security by exploiting extra properties of these schemes. How to use to the following idea?

22. idea User1(Alice) User2(Bob) Store Search Ciphertext Untrusted server

23. 加密搜尋系統 user 2008.2.26 陳昱圻

24. Introduction 單一 user 資料只有自己可以取得 Server 只負責比對 視窗介面 ( 預計先設計單機 )

25. Outline 身份認證 ( 確定為有權限 user) 讀取明文 顯示文字 執行加密 輸出密文 並得到 trapdoor 搜尋時讓 server 去做比對 進而到多機版本

26. Construction 中間過程方法採用 Practical Techniques for Searches on Encrypted Data 這篇所提到的方 法, 而後如果有增加可在做修改 文字處理 : 每個 word 皆轉成 ASCII code 並在 加密後長度一樣 (http://home.educities.edu.tw/wanker742126/ asm/ap04.html)http://home.educities.edu.tw/wanker742126/ asm/ap04.html Server 只存資料 而 user 要知道 keyword 才能丟 給伺服器做搜尋動作

27. Construction(cont.) Pre-stored data, with E(W) Search, with Trapdoor Ciphertext user untrusted server User(Document, Word, Trapdoor) Server(E(W), Trapdoor)