
UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.

Presentation transcript:

1 UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan

2 I will talk about: (1) UC-Secure Searchable Symmetric Encryption (preliminary version: FC 2012; final version: ePrint 2015/251); (2) Garbled Searchable Symmetric Encryption (FC 2014).

3 Curtmola, Garay, Kamara and Ostrovsky (2006) defined the privacy of SSE schemes as follows.

4 In the store phase, the client sends E(D_1), ⋯, E(D_N) and E(Index); the server learns |D_1|, …, |D_N| and |{keywords}|.

5 In the search phase, the client sends E(keyword) and the server returns C(keyword) = (E(D_3), E(D_6), E(D_10)). This means that the server learns the corresponding indexes {3, 6, 10}.

6 We call this information, namely |D_1|, …, |D_N|, |{keywords}| and the corresponding indexes {3, 6, 10}, the minimum leakage.

7 The privacy definition requires that the server should not be able to learn any more information.

8 In the real game, the distinguisher sends D = {D_1, …, D_N}, W = {set of keywords} and Index to the challenger, who returns E(D_1), ⋯, E(D_N) and E(Index).

9 In the simulation game, the distinguisher sends D, W and Index to the challenger; the simulator is given only the minimum leakage |D_1|, …, |D_N| and |{keywords}| and somehow returns E(D_1), ⋯, E(D_N) and E(Index).

10 In the search phase of the real game, the distinguisher sends a keyword and the challenger returns E(keyword).

11 In the simulation game, the distinguisher sends a keyword; the simulator is given only the minimum leakage {3, 6, 10} and somehow returns E(keyword).

12 Definition of Curtmola et al.: privacy is satisfied if there exists a simulator such that the real game ≈ the simulation game.

13 Outline: we now define reliability, strong reliability and UC security; prove a weak equivalence, (1) UC-secure → privacy + reliability and (2) privacy + strong reliability → UC-secure; and show an efficient UC-secure SSE scheme.

14 Outline: we now define reliability, strong reliability and UC security; prove a weak equivalence, (1) UC-secure → privacy + reliability and (2) privacy + strong reliability → UC-secure; and finally give an efficient UC-secure SSE scheme.

15 A malicious server may try to forge some files, delete some files, or replace E(D_3) with E(D_100). (Figure: the client sends E(keyword); instead of E(D_3), E(D_6), E(D_10), the malicious server returns E(D_100), E(D_6), E(D_10).)

16 Consider an adversary (A_1, A_2) such that A_1 gives the inputs to the client and A_2, playing the server, runs the protocol with the client.

17 If A_2 is honest: A_1 gives a keyword w to the client, the client sends E(w) to A_2, A_2 returns [C(w), Tag], and the client outputs D(w) = {files which contain w}.

18 Reliability is satisfied if, for any (A_1, A_2), the client outputs D(w)' ≠ D(w) with negligible probability.

19 Strong reliability is satisfied if, for any (A_1, A_2), the client accepts [C(w)', Tag'] ≠ [C(w), Tag] with negligible probability.

20 Outline: we then define reliability, strong reliability and UC security; prove a weak equivalence, (1) UC-secure → privacy + reliability and (2) privacy + strong reliability → UC-secure; and finally give an efficient UC-secure SSE scheme.

21 In the ideal world, the environment Z gives D = {D_1, …, D_N}, W = {set of keywords} and Index to the dummy client, which forwards them to the ideal functionality F_SSE.

22 F_SSE sends the minimum leakage |D_1|, …, |D_N| and |{keywords}| to the UC adversary S.

23 In the search phase, Z gives a keyword to the dummy client, which forwards it to F_SSE.

24 F_SSE sends the minimum leakage {3, 6, 10} to the UC adversary S.

25 S returns Accept or Reject to F_SSE.

26 If S returns Reject, then F_SSE sends Reject to the dummy client, which outputs it to Z.

27 If S returns Accept, F_SSE sends D(w) = {D_3, D_6, D_10} to the dummy client, which outputs D(w) = {D_3, D_6, D_10} to Z.

28 Also, S and Z can interact freely.

29 This is an ideal world because: (Correctness) the dummy client outputs Reject or D(w) correctly; (Security) the UC adversary S learns only the minimum leakage.

30 In the real world, the client and the server run the real protocol, and Z gives the inputs to the client.

31 The adversary A can corrupt the server and communicate with Z freely.

32 We say that an SSE scheme is UC-secure if for any adversary A there exists a UC adversary S such that Pr[Z ⇒ 1 in the real world] ≈ Pr[Z ⇒ 1 in the ideal world].

33 Outline: we define reliability (unforgeability), strong reliability (strong unforgeability) and UC security; prove a weak equivalence, (1) UC-secure → privacy + reliability and (2) privacy + strong reliability → UC-secure; and finally give an efficient UC-secure SSE scheme.

34 Suppose that there exists an SSE scheme which is UC-secure.

35 In the real world, consider an adversary A who relays everything to Z: the keyword from Z to the client and E(keyword) from the client back to Z.

36 The real world = the real game of privacy, with Z as the distinguisher and the client as the challenger.

37 In the ideal world, there exists a UC adversary S which simulates A from the minimum leakage: S receives the minimum leakage from F_SSE and returns E(keyword) to Z.

38 The ideal world = the simulation game of privacy, with Z as the distinguisher, F_SSE as the challenger and S as the simulator.

39 Therefore, if the SSE scheme is UC-secure, then privacy is satisfied.

40 Next, consider a reliability adversary (A_1, A_2), where A_1 gives the inputs to the client and A_2 plays the server.

41 Consider (Z, A) such that Z = A_1 and A = A_2.

42 In the corresponding ideal world, the dummy client never outputs D(w)' ≠ D(w): from the definition of F_SSE, it outputs either D(w) or Reject.

43 Hence, in the real world, the client outputs D(w)' ≠ D(w) with negligible probability. Therefore reliability is satisfied.

44 Outline: we define reliability (unforgeability), strong reliability (strong unforgeability) and UC security; prove a weak equivalence, (1) UC-secure → privacy + reliability and (2) privacy + strong reliability → UC-secure; and finally give an efficient UC-secure SSE scheme.

45 Suppose that there exists an SSE scheme which satisfies privacy and strong reliability.

46 Game 0 = the real world: Z gives the keyword w to the client, the client sends E(w) to the server (controlled by A), the server returns [C(w), Tag], and the client outputs D(w) or Reject to Z.

47 In Game 1, if A instructs the server to return an invalid message [C(w)', Tag'] ≠ [C(w), Tag] for E(w), …

48 Game 1: … then the server returns Reject to the client, and the client sends Reject to Z.

49 Game 1: otherwise the server returns Accept to the client, and the client outputs D(w) = {files which contain the keyword w}.

50 Game 1 and Game 0 are indistinguishable because the SSE scheme satisfies strong reliability.

51 In Game 2, the client is split into Client 1 and Client 2: Z gives w to Client 2, Client 1 sends E(w) to the server (controlled by A), the server returns Accept or Reject to Client 1, and Client 2 outputs D(w) or Reject to Z.

52 From the viewpoint of Z, Game 2 and Game 1 are the same.

53 In Game 3, Client 1 is replaced by the simulator of privacy, which produces E(w) from the minimum leakage only and passes Accept or Reject on to Client 2.

54 Game 3 = the simulation game of privacy, with Z and A as the distinguisher and the simulator of privacy as the challenger.

55 Game 2 = the real game of privacy, with Z and A as the distinguisher and Client 1 as the challenger.

56 Therefore Game 3 and Game 2 are indistinguishable because the SSE scheme satisfies privacy.

57 Finally, Game 3 = the ideal world: the simulator S_0 of privacy together with A forms the UC adversary S, and Client 1 and Client 2 play the roles of F_SSE and the dummy client.

58 Namely Game 0 = the real world, Game 3 = the ideal world, and Z cannot distinguish them. Therefore the SSE scheme is UC-secure.

59 Outline: we define reliability (unforgeability), strong reliability (strong unforgeability) and UC security; prove a weak equivalence, (1) UC-secure → privacy + reliability and (2) privacy + strong reliability → UC-secure; and show an efficient UC-secure SSE scheme.

60 Consider this example (row = keyword, column = file, 1 = the file contains the keyword):
         D_1 D_2 D_3 D_4 D_5
  Austin  1   0   1   0   1
  Boston  0   1   0   1   0

61 The client computes E(D_1), E(D_2), E(D_3), E(D_4), E(D_5) and relabels the rows as PRP(Austin): (1 0 1 0 1) and PRP(Boston): (0 1 0 1 0), where PRP means pseudorandom permutation.

62 and adds PRF(Austin) to the row (1 0 1 0 1) and PRF(Boston) to the row (0 1 0 1 0), where PRF means pseudorandom function.

63 The client stores this table (the E(D_i), the masked rows PRP(Austin): (1 0 1 0 1) + PRF(Austin) and PRP(Boston): (0 1 0 1 0) + PRF(Boston)) together with Tag_A = MAC(PRP(Austin), E(D_1), E(D_3), E(D_5)) and Tag_B = MAC(PRP(Boston), E(D_2), E(D_4)).

64 In the search phase, for the keyword Austin, the client sends E(Austin).

65 The server decrypts the row PRP(Austin) and obtains (1 0 1 0 1).

66 and returns E(D_1), E(D_3), E(D_5), Tag_A, where E(Austin) = {PRP(Austin), PRF(Austin)}.

67 On receiving E(D_1), E(D_3), E(D_5), Tag_A, the client accepts if Tag_A = MAC(PRP(Austin), E(D_1), E(D_3), E(D_5)).

68 Theorem: the above SSE scheme satisfies privacy and strong reliability if E is CPA-secure. Corollary: the above SSE scheme is UC-secure.
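The single-keyword scheme of slides 60-67 in runnable form, as an added example that is not the speaker's code: HMAC-SHA256 stands in for the PRP, the PRF and the MAC, a nonce-based keystream stands in for the CPA-secure E, and the function names (store, trapdoor, server_search, client_accept) are this example's own. It also shows the strong-reliability check rejecting a server that swaps in a different ciphertext, as on slide 15.

```python
import hmac, hashlib, os

# Constructed example (not the paper's code) of the single-keyword scheme on
# slides 60-67: each index row is labelled by PRP(keyword), masked by
# PRF(keyword), and authenticated by Tag = MAC(PRP(keyword), matching E(D_i)).
K_PRP, K_PRF, K_MAC, K_ENC = (os.urandom(32) for _ in range(4))

def _h(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def prp(w):                    # assumption: HMAC stands in for the PRP on keywords
    return _h(K_PRP, w.encode())

def prf_bits(w, n):            # PRF(keyword) expanded to an n-bit row mask
    d = _h(K_PRF, w.encode())
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(n)]

def enc(d):                    # stand-in for a CPA-secure E: nonce + keystream
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(d, _h(K_ENC, nonce)))

def tag(w, cts):               # Tag_w = MAC(PRP(w), E(D_i) for every i in the row)
    return _h(K_MAC, prp(w) + b"".join(cts))

def store(files, index):       # store phase: client builds what the server holds
    cts = [enc(d) for d in files]
    table = {}
    for w, row in index.items():
        masked = [b ^ m for b, m in zip(row, prf_bits(w, len(row)))]
        table[prp(w)] = (masked, tag(w, [cts[i] for i, b in enumerate(row) if b]))
    return cts, table

def trapdoor(w, n):            # E(keyword) = (PRP(keyword), PRF(keyword))
    return prp(w), prf_bits(w, n)

def server_search(cts, table, td, swap=None):
    p, mask = td
    masked, t = table[p]
    row = [b ^ m for b, m in zip(masked, mask)]   # server learns only the indexes
    res = [cts[i] for i, b in enumerate(row) if b]
    if swap is not None:       # malicious server: replace the first hit (slide 15)
        res[0] = cts[swap]
    return res, t

def client_accept(w, res, t):  # accept only if the tag re-verifies (slide 67)
    return hmac.compare_digest(t, tag(w, res))
```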

69 So far, single keyword search SSE schemes. Next, multiple keyword search SSE schemes.

70 Wang et al. (2008) showed a multiple keyword SSE scheme for AND search.

71 At CRYPTO 2013, Cash, Jarecki, Jutla, Krawczyk, Rosu and Steiner showed an SSE scheme which can support any search formula f (in the random oracle model). The communication overhead is sublinear in N, where N = the number of files.

72 However, the search formula f is revealed to the server and the search phase requires 2 rounds. (Cash et al.: search phase = 2 rounds, search formula = revealed.)

73 In their scheme, if "Japan AND Crypto" is searched, the following information is leaked to the server: the search formula (= AND), the search result of Japan or that of Crypto, and some more information (see Sec. 5.3 of their paper).

74 Kurosawa (FC 2014): even the search formula f is kept secret, and the search phase requires only 1 round. (Cash et al.: 2 rounds, formula revealed; proposed: 1 round, formula secret.)

75 In my scheme only the following information is leaked (other than the minimum leakage): the topological circuit f⁻ of f, and (π(j_1), …, π(j_c)), where π is a random permutation and {w_{j_1}, …, w_{j_c}} are the queried keywords.

76 (Figure: a search formula f built from XOR, AND and OR gates over the inputs 1, 2, 3, 4.)

77 (Figure: the topological circuit f⁻ of that f, the same wiring over the inputs 1, 2, 3, 4 with the gate types removed.)

78 On the other hand, the communication overhead is O(N), while it is sublinear in N in Cash et al.'s scheme, where N = the number of files.

79 The proposed SSE scheme is based on Yao's garbled circuit.

80 A garbled circuit of f is an encoding garble(f) such that one can compute f(X) from garble(f) and label(X) without learning anything about f and X.

81 Consider f(x_1, x_2) = (x_1 AND x_2), with truth table (x_1, x_2, x_3): (0,0,0), (0,1,0), (1,0,0), (1,1,1). For x_1 = 0 and x_2 = 1 the output is x_3 = 0.

82 garble(f) is the truth table encoded by random strings A_0, A_1 (for x_1) and B_0, B_1 (for x_2): (A_0, B_0) → H(A_0, B_0) + 0; (A_0, B_1) → H(A_0, B_1) + 0; (A_1, B_0) → H(A_1, B_0) + 0; (A_1, B_1) → H(A_1, B_1) + 1.

83 label(X) is these random strings: for X = (x_1, x_2) = (0, 1), label(X) = (A_0, B_1).

84 In this example, x_3 = 0 is obtained by computing H(A_0, B_1) from label(X) and adding it to the entry H(A_0, B_1) + 0 of garble(f).

85 High level overview of the proposed scheme. Consider this example with keywords w_1, w_2, w_3 and files D_1, D_2: D_1 contains (1 1 1) and D_2 contains (1 0 0).

86 Let X_1 = (111) for D_1 and X_2 = (100) for D_2.

87 The client computes label(X_1) for D_1 and label(X_2) for D_2.

88 The client also computes PRP(w_1), PRP(w_2), PRP(w_3) and forms the table with columns PRP(w_1), PRP(w_2), PRP(w_3) and rows E(D_1): label(X_1) and E(D_2): label(X_2).

89 and sends this table to the server.

90 In the search phase, suppose that the client wants to search on f(w_1, w_2, w_3) = w_1 ⋀ w_2 ⋀ w_3. He computes the garbled circuits of f: Γ_1 for D_1 and Γ_2 for D_2.

91 The client sends PRP(w_1), …, PRP(w_3), Γ_1 and Γ_2.

92 The server has the table with columns PRP(w_1), PRP(w_2), PRP(w_3) and rows E(D_1): label(X_1), E(D_2): label(X_2).

93 The server computes f(X_1) = 1 from the garbled circuit Γ_1 and label(X_1).

94 Similarly, she computes f(X_2) = 0 from Γ_2 and label(X_2).

95 If f(X_1) = 1 and f(X_2) = 0, the server returns E(D_1).

96 However, if label(X) is reused, then some information on (f, X) is leaked.

97 We use a counter as an additional input to H: (A_0, B_0) → H(counter, A_0, B_0) + 0; (A_0, B_1) → H(counter, A_0, B_1) + 0; (A_1, B_0) → H(counter, A_1, B_0) + 0; (A_1, B_1) → H(counter, A_1, B_1) + 1. With label(X) = (A_0, B_1), x_3 = 0 is still recovered.
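The garbled-circuit machinery of slides 81-84, the per-file search of slides 85-95 and the counter of slide 97, as one added example that is not the speaker's or the paper's code: point-and-permute select bits replace the slide's ordered table so the evaluator knows which row to open, HMAC-SHA256 stands in for the PRF that derives labels and SHA-256 for H, and file encryption and the PRP(w_j) column lookup are left out. The labels label(X_i) stored for each file stay fixed on the server, and every query garbles a fresh Γ_i under a new counter.

```python
import hashlib, hmac, os

# Constructed example (not the paper's code) of slides 81-97: Yao-style garbled
# circuits evaluated from per-file labels that are reused across queries.
K = os.urandom(32)                           # client's secret key (assumption)

def H(*parts):                               # SHA-256 stands in for the hash H
    return hashlib.sha256(b"|".join(parts)).digest()[:16]
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wire_labels(seed):                       # (label_0, label_1), distinct select bits
    d = hmac.new(K, seed, hashlib.sha256).digest()
    p = d[0] & 1
    return tuple(d[1 + 16 * b:16 + 16 * b] + bytes([b ^ p]) for b in (0, 1))

def garble(gates, n_in, in_labels, ctr):     # client builds Γ_i for file i
    lab = {w: in_labels[w] for w in range(n_in)}
    tables = []
    for g, (op, a, b, out) in enumerate(gates):
        lab[out] = wire_labels(os.urandom(16))
        rows = [None] * 4                    # row chosen by the two select bits
        for x in (0, 1):
            for y in (0, 1):
                A, B = lab[a][x], lab[b][y]
                key = H(ctr, bytes([g]), A, B)   # counter keeps H fresh per query
                rows[2 * (A[-1] & 1) + (B[-1] & 1)] = xor(key, lab[out][op(x, y)])
        tables.append(rows)
    out = gates[-1][3]
    return tables, {lab[out][0]: 0, lab[out][1]: 1}

def evaluate(tables, decode, gates, n_in, labels, ctr):   # server: uses wiring only
    lab = {w: labels[w] for w in range(n_in)}
    for g, (_, a, b, out) in enumerate(gates):
        A, B = lab[a], lab[b]
        lab[out] = xor(tables[g][2 * (A[-1] & 1) + (B[-1] & 1)], H(ctr, bytes([g]), A, B))
    return decode[lab[gates[-1][3]]]

def store(index):                            # server keeps label(X_i) per file
    return [[wire_labels(b"in|%d|%d" % (i, j))[bit] for j, bit in enumerate(row)]
            for i, row in enumerate(index)]
def search(index, stored, gates, ctr):       # one round: client sends Γ_1, Γ_2, ...
    hits = []
    for i, row in enumerate(index):
        both = [wire_labels(b"in|%d|%d" % (i, j)) for j in range(len(row))]
        tables, decode = garble(gates, len(row), both, ctr)              # client
        hits.append(evaluate(tables, decode, gates, len(row), stored[i], ctr))  # server
    return hits

AND3 = [(lambda x, y: x & y, 0, 1, 3), (lambda x, y: x & y, 3, 2, 4)]  # f = w1∧w2∧w3
```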

98 Formally, Bellare et al. (2012) defined garbling schemes and input-circuit privacy; Kurosawa (2014) extended them to extended garbling schemes and label reusable privacy.

99 Label reusable privacy: even if label(X) is reused for multiple garbled circuits Γ_1, Γ_2, …, no information on X and (f_1, f_2, …) is leaked, where Γ_i is a garbled circuit of f_i.

100 Theorem 1: our construction satisfies label reusable privacy in the random oracle model.

101 Theorem 2: if the underlying extended garbling scheme satisfies label reusable privacy, only the following information is leaked (other than the minimum leakage):

102 the topological circuit f⁻ and (π(j_1), …, π(j_c)), where π is a random permutation and {w_{j_1}, …, w_{j_c}} are the queried keywords.

103 Communication overhead of the proposed scheme. Let m = # of files, c = # of search keywords and s = # of gates of f. In the search phase, the communication overhead is |counter| + (c + 4m(s − 1)) × 128 + 4m bits.

104 If the # of search keywords is 2 (so f is a single gate and s = 1), the communication overhead is |counter| + 256 + 4 × (# of files) bits.

105 Computer simulation. We used the following computer: 2.4 GHz CPU and 32 GB RAM, OS = CentOS 6.5, C++ with the NTL library. The total # of keywords is 20.

106 The running time of the client in the search phase (graph).

107 The running time of the server in the search phase (graph).

108 Summary: (1) UC-Secure Searchable Symmetric Encryption (preliminary version: FC 2012; final version: ePrint 2015/251); (2) Garbled Searchable Symmetric Encryption (FC 2014).

109 Open problem (1): construct a multiple keyword SSE scheme such that the communication overhead is sublinear in N and the leakage is as small as possible, in the standard model.

110 Open problem (2): in all the known single keyword SSE schemes, E(keyword) is deterministic. Hence, if the client sends E(keyword) twice, this search pattern is leaked. So construct a UC-secure scheme such that even the search pattern is kept secret.

111 Open problem (3): prove the tight equivalence between UC security and some stand-alone security.

112 Thank you!

