3 Key Technique: Trapdoor Locked Encryption Technique
Tải bản đầy đủ - 0trang
Probabilistic Generation of Trapdoors
353
where m and n are the numbers of keywords and documents which are stored in
the server, respectively.
Through the above discussion, in the case that trapdoors match any entry of
the encrypted index, search patterns are leaked even if trapdoors are generated
probabilistically. Additionally, the same search pattern is leaked regardless of the
probabilistic or deterministic generation of trapdoors when the user searches for
a keyword which is matched once, because the server can compute and ﬁnd same
val by using deterministic/probabilistic trapdoors where (val, id) is an entry of
encrypted index. Thus, we have a possibility of speed-up of re-searching process
by using deterministic trapdoors instead of probabilistic trapdoors in the case
that the user searches the same keyword which matches encrypted index. From
the above observation, we will set up a goal of Re-Search case as follows: we aim
the speed up of re-search by using deterministic trapdoors when re-searching
process is executed.
In order to achieve this purpose, we construct another encrypted index I
to further speed up search process. In re-search phase, the server searches documents by using this encrypted index I . In this paper, our re-search performance aims at O(log n ) equal to the structured encryption scheme of Chase
and Kamara [7] where n is the number of indexes in I . In order to search in
O(log n ), I should contain deterministic information for searched keywords.
Hence, we adopt the following goals.
(1) In the ﬁrst search phase, a trapdoor should be generated probabilistically for
search pattern hiding. Additionally, the user should not give any information
of keywords to the server if the trapdoor does not match any document.
(2) At the same time, to construct another encrypted index I , the server has
to obtain deterministic information for the keyword if the trapdoor matches
with some entry of the encrypted index I in the keyword searching process.
(3) In re-search phase, the server executes searching process by using encrypted
index I which consists of deterministic information for searched keywords.
The user can choose executing of searching process or re-searching process when
the user generates trapdoors. In Tentative scheme, the server cannot generate
deterministic encrypted index I . On the other hand, the search patterns are
leaked to the server if the user generates deterministic trapdoor. In order to
overcome this seemingly contradictory situation, we introduce a new technique
trapdoor locked encryption technique.
Trapdoor Locked Encryption Technique. For the above purposes, the user
should send deterministic information of keywords to the server and trapdoors
Table 1. SSE-2 v.s. Tentative scheme
SSE-2 [9]
Tentative scheme
Entry of encrypted index: (κj = F (K, w, j), idj ) ⇒
(κj = F (K, w, j), idj )
t = F (K, w , j)
⇒ (t = F (F (K, w , j), u), u)
Trapdoor:
Search:
?
t = κj
⇒
?
t = F (κj , u)
354
K. Hayasaka et al.
Table 2. SSE-2 v.s. Proposed scheme
SSE-2 [9]
Entry of I:
Trapdoor:
Search:
Proposed scheme
(κj = F (K, w, j), idj ) ⇒
(κj = F (K, w, j), idj )
(t = F (K, w , j))
⇒ (t = SKE.Enc(F (K, w , j), F (K , w )||r), r)
?
t = κj
⇒
X||r = SKE.Dec(κj , t)
⇒
r=r
X = F (K , w )
?
Entry of I :
not available
?
not available
⇒
F (K , w ) = X
Re-Search:
(Note that w, w and w are keywords which are used in the document storing process,
the searching process, and the re-searching process, respectively.)
should be probabilistic value to the third parties and the server when the keyword
is searched for the ﬁrst time. Then, we consider that trapdoors are generated
probabilistically by encrypting deterministic information of the keyword using
a symmetric key encryption (e.g., AES-CBC or AES-CTR). However, search
patterns are leaked to the server if the sever can always decrypt trapdoors. We
need to develop the method that the server can decrypt only when the trapdoor
matches with some entry of the encrypted index I by using one component of
a part of the entry of encrypted index I as the secret key of a symmetric key
encryption.
In SSE-2, an entry of encrypted index is formed as (F (K, w, j), idj ). Then, in
our scheme, the user generates a ciphertext by using κj = F (K, w, j) as the key
of symmetric key encryption. If the trapdoor matches, the server can decrypt
the trapdoor (ciphertext) correctly since the server has κj = F (K, w, j). On the
other hand, if the trapdoor does not match, the server cannot decrypt it and
cannot obtain the deterministic information since the server does not have the
key κj = F (K, w, j).
The overview of proposed method is as follows. The user generates t =
SKE.Enc(F (K, w , j), F (K , w )||r) as the trapdoor where SKE.Enc is a symmetric key encryption algorithm and K is a PRF key which is diﬀerent from K,
F (K , w ) is deterministic information for re-search and r is a l-bit randomness.
This trapdoor matches if the low order l bits of the decryption result is equivalent to r. We call this technique “trapdoor locked encryption technique”. The
construction overview is described in Table 2.
1.4
Our Contributions
– This paper presents a reasonable and useful deﬁnition which covers reducing
search pattern leakage and fast re-search. First, we deﬁne the syntax of our
SSE scheme (see Sect. 3). In our concept, the server can obtain deterministic information from trapdoors and update the encrypted index I from the
information in order to re-search quickly. After that, the user can generate a
deterministic trapdoor of keywords which have been already searched, and the
Probabilistic Generation of Trapdoors
355
server can quickly re-search by using it. We deﬁne DetTrpdr and QuickSearch
as a deterministic trapdoor generation algorithm and a search algorithm by
using deterministic trapdoors, respectively. Additionally, we propose a security deﬁnition, adaptive semantic security, which takes into account search
pattern hiding (see Sect. 3.2).
– This paper proposes the ﬁrst adaptive secure and search pattern hiding SSE
scheme based on SSE-2 [9] (see Sect. 4.1). Security of our scheme is proved
under the existence of PRFs in the standard model (see Sect. 4.2).
1.5
Related Works
There are SSE schemes closely related to our work [15,24]. Moataz and Shikfa
proposed the SSE scheme which can generate trapdoors probabilistically [24].
Their trapdoor is expressed as a vector form, and all trapdoors obtained from
the same keyword can be represented as scalar multiplications of some vector.
Therefore, anyone can easily check whether given trapdoors contain the same
keyword. That is, their scheme cannot reduce search pattern leakage. The SSE
scheme providing a quick re-searching algorithm was also proposed by Hahn
and Kerschbaum [15]. Their strategy for quick re-searching is similar to ours.
However, the trapdoors of their scheme are generated deterministically (i.e. their
search pattern of the scheme is leaked more than that of our proposed scheme),
and no trapdoor locked encryption technique is used.
2
Preliminaries
Notations. We denote the set of positive real numbers by R+ . We say that a
function negl : N → R+ is negligible if for any (positive) polynomial p, there
exists n0 ∈ N such that for all n ≥ n0 , it holds that negl(n) < 1/p(n). We
denote by poly(n) unspeciﬁed polynomial in n. If A is a probabilistic algorithm,
y ← A(x) denotes running A on input x with a uniformly-chosen random tape
and assigning the output to y. AO denotes an algorithm with oracle access to O.
We denote the empty set by ∅. For an associative array I , its value for a key s
is denoted by I [s], and I [s] ← x represents assignment of x to I [s]. We denote
by |S| the cardinality for a ﬁnite set S, and the bit length for a bit string S. If
u
S is a ﬁnite set, s ←
− S denotes that s is uniformly chosen from S. We denote a
security parameter by λ throughout this paper.
Cryptographic Primitives. We recall the deﬁnition of pseudo-random functions (PRF). A function f : {0, 1}λ × {0, 1}m → {0, 1}n is pseudo-random if f
is polynomial-time computable in λ, and for any probabilistic polynomial-time
(PPT) algorithm A, it holds that
u
u
− {0, 1}λ ] − Pr[1 ← Ag(·) (1λ ) | g ←
− Fm,n ]| ≤ negl(λ),
|Pr[1 ← Af (K,·) (1λ ) | K ←
where Fm,n is the set of functions mapping {0, 1}m to {0, 1}n .
356
K. Hayasaka et al.
We recall the deﬁnition of pseudo-randomness against the chosen plaintext
attack (PCPA) for a symmetric-key encryption scheme SKE = (Gen, Enc, Dec).
Let PCPAA,SKE (λ) be an experiment for an adversary A and SKE as follows:
A key K is generated by SKE.Gen(1λ ).
A is given oracle access to SKE.Enc(K, ·).
A outputs a message m.
Two ciphertexts c0 and c1 are generated as follows: c0 ← SKE.Enc(K, m) and
u
c1 ←
− C, where C denotes the set of all possible ciphertexts. A random bit
u
− {0, 1} is chosen, and cb is given to A.
b←
5. A is given oracle access to SKE.Enc(K, ·), and outputs a bit b ∈ {0, 1}.
6. The output of the experiment is 1 if b = b, 0 otherwise.
1.
2.
3.
4.
We say that SKE is PCPA-secure if for any PPT adversary A,
Pr[PCPAA,SKE (λ) = 1] −
1
≤ negl(λ),
2
where the probability is taken over the random coins of Gen and Enc.
Document Collections. Let w be a keyword, and Δ ⊆ {0, 1} be a set of d
keywords.
Let D ∈ {0, 1}∗ be a document (or ﬁle), and D = (D1 , . . . , Dn ) be a document
collection. Let C = (C1 , . . . , Cn ) be a ciphertext collection of D, where Ci is a
ciphertext of Di for 1 ≤ i ≤ n. We assume that the ciphertext Ci contain a
unique identiﬁer (or ﬁle name) idi ∈ {0, 1}ν . For D = (D1 , . . . , Dn ), let D(w) be
a set of identiﬁers of documents that contain the keyword w. That is, D(w) =
{idi1 , . . . , idin }.
3
Definitions
In this section, we deﬁne our new SSE scheme which has two keyword search
algorithms. One is a search algorithm for a trapdoor generated probabilistically.
The other is a search algorithm for a trapdoor generated deterministically.
The former algorithm can reduce the amount of the search pattern leakage. On the other hand, the latter algorithm using deterministically-generated
trapdoors can reduce computational cost of a re-searching case when the user
wants to search using a keyword which has already been searched. Furthermore,
index updating algorithm is also provided in order to achieve the above quick
re-searching.
3.1
Syntax
We now deﬁne new SSE scheme over a Δ, SSE = (Gen, Enc, Trpdr, Search,
Dec, Update, DetTrpdr, QuickSearch), which consists of the following algorithms:
Probabilistic Generation of Trapdoors
357
– K ← Gen(1λ ): is a probabilistic algorithm which generates a secret key K,
where λ is a security parameter.
– (I, C, I ) ← Enc(K, D): is a probabilistic algorithm which outputs two
encrypted indexes I and I , and a ciphertext collection C = (C1 , . . . , Cn ).
– t(w) ← Trpdr(K, w): is a probabilistic algorithm which outputs a probabilistic
trapdoor t(w) for a keyword w.
– S(w) ← Search(I, t(w)): is a deterministic algorithm which outputs an identiﬁer set S(w).
– D ← Dec(K, C): is a deterministic algorithm which outputs a plaintext D of
C.
– I ← Update(I , I, t(w)): is a deterministic algorithm which outputs an
updated encrypted index I .
– T (w) ← DetTrpdr(K, w): is a deterministic algorithm which outputs a deterministic trapdoor T (w) for a keyword w.
– S(w) ← QuickSearch(I , T (w)): is a deterministic algorithm which outputs
an identiﬁer set S(w).
Here, the SSE scheme is correct if for all λ ∈ N, all w ∈ Δ, all K
output by Gen(1λ ), all D, and (I, C, I ) output by Enc(K, D), the following conditions hold: (i) Search(I, Trpdr(K, w)) = D(w), and Dec(K, Ci ) =
Di (1 ≤ i ≤ n), (ii) QuickSearch(I , DetTrpdr(K, w)) = D(w) if D(w) is
not empty and Update(I , I, Trpdr(K, w)) has been run at least once so far,
QuickSearch(I , DetTrpdr(K, w)) = ⊥ otherwise.
3.2
Security
We deﬁne Adaptive Semantic Security under the Chosen Keyword Attack as
follows, based on [7]. In our SSE, since there are two trapdoor generation algorithms, Trpdr or DetTrpdr, we denote a query by (w, β) where β ∈ {0, 1} is used
to switch these trapdoor generation algorithms. Namely, a probabilistic trapdoor
t(w) is generated for a query (w, 0) by Trpdr and is to be input to Search. In contrast, a deterministic trapdoor T (w) is generated for a query (w, 1) by DetTrpdr
and is to be input to QuickSearch. We denote a query sequence whose length
is q by wq = ((w1 , β1 ), . . . , (wq , βq )), and a set of trapdoors by T .
Deﬁnition 1. Let SSE be an SSE scheme, λ be a security parameter, and L1 , L2
be leakage functions. For PPT algorithms A = (A0 , A1 , . . . , Aq+1 ) with its state
stA and S = (S0 , S1 , . . . , Sq ) with its state stS such that q = poly(λ), define the
adpt
following games Realadpt
SSE,A (λ) and SimSSE,A,S (λ).
Realadpt
SSE,A (λ):
K ← Gen(1λ )
(D, stA ) ← A0 (1λ )
(I, C, I ) ← Enc(K, D)
T ←∅
for 1 ≤ i ≤ q,
358
K. Hayasaka et al.
(wi , βi , stA ) ← Ai (stA , I, C, I , T )
if βi = 0 then
t(wi ) ← Trpdr(K, wi ) and T ← T ∪ {t(wi )}
else
T (wi ) ← DetTrpdr(K, wi ) and T ← T ∪ {T (wi )}
b ← Aq+1 (stA , I, C, I , T ), output b
Simadpt
SSE,A,S (λ):
(D, stA ) ← A0 (1λ )
(I, C, I , stS ) ← S0 (L1 (D))
T ←∅
for 1 ≤ i ≤ q,
(wi , βi , stA ) ← Ai (stA , I, C, I , T )
if βi = 0 then
(t(wi ), stS ) ← Si (stS , L2 (D, wi )) and T ← T ∪ {t(wi )}
else
(T (wi ), stS ) ← Si (stS , L2 (D, wi )) and T ← T ∪ {T (wi )}
b ← Aq+1 (stA , I, C, I , T ), output b
SSE is secure in the sense of adaptive semantic security under the chosen keyword
attacks if for any PPT adversary A, there exists a PPT simulator S such that
adpt
|Pr[Realadpt
SSE,A (λ) = 1] − Pr[SimSSE,A,S (λ) = 1]| ≤ negl(λ).
4
Specific Construction
In this section, we ﬁrstly give a construction of our scheme based on SSE-2
proposed by Curtmola et al. [9]. Secondly, we deﬁne three acceptable information
leakage functions H, α and σ in our construction. Finally, we prove that our
construction is adaptive semantic secure for these leakage functions.
4.1
A Construction of Our Scheme
Here, we give our construction of SSE. In this construction, F is a pseudo-random
function such that F : {0, 1}λ × {0, 1}∗ → {0, 1}μ , SKE = (Gen, Enc, Dec) is a
PCPA-secure symmetric key encryption scheme, I is a associative array and
n = |D|. We denote by idj the j-th identiﬁer in D.
u
– Gen(1λ ): Sample K1 , K2 ←
− {0, 1}λ , generate K3 ← SKE.Gen(1λ ), and output
K = (K1 , K2 , K3 ).
– Enc(K, D): I ← ∅
for 1 ≤ i ≤ |Δ| do
for 1 ≤ j ≤ n do
if idj ∈ D(wi ) then
I ← I ∪ {(F (K2 , wi , j), idj )}
Probabilistic Generation of Trapdoors
–
–
–
–
–
–
359
else
I ← I ∪ {(F (K2 , wi , n + j), idj )}
C←∅
for 1 ≤ i ≤ n do
C ← C ∪ {SKE.Enc(K3 , Di )}
Set I to empty associative array
return (I, C, I )
Trpdr(K, w):
u
r←
− {0, 1}λ
for 1 ≤ j ≤ n do
tj (w) ← SKE.Enc(F (K2 , w, j), F (K1 , w) || r)
return t(w) = (t1 (w), t2 (w), . . . , tn (w), r)
Search(I, t(w)):
S(w) ← ∅
for 1 ≤ i ≤ n do
for ∀(κj , idij ) ∈ I do
a ← SKE.Dec(κj , ti (w)), and parse a as s || r
if r = r then
S(w) ← S(w) ∪ {idij }
return S(w)
Dec(K, C): return D ← SKE.Dec(K3 , C)
Update(I , I, t(w)):
if Search(I, t(w)) = ∅ then
retrieve s such that r = r from t(w) in the same manner as Search
I [s] ← Search(I, t(w))
return I
DetTrpdr(K, w): return T (w) ← F (K1 , w)
QuickSearch(I , T (w)): return I [T (w)]
4.2
Security
In this section, let us discuss acceptable information leakage L1 and L2 of our
SSE, in order to formalize security of our SSE. First, we deﬁne the leakage
functions H, α and σ that the server can obtain from (I, C, I , T ) in our SSE.
H, α and σ represent history, access pattern and search pattern, respectively
as the security deﬁnition of Curtmola et al. [9]. The most important diﬀerence
between our SSE and ordinary SSE is the probabilistic generation of trapdoors.
By using probabilistic trapdoors, we can reduce the leakage of the search pattern
σ in the case where D(w) = ∅ in contrast to a ordinary SSE which always leaks
the search pattern.
– If a ciphertext Ci of a document Di is stored in the server, then the server can
easily infer the bit length |Di |, and thereby |D1 |, . . . , |Dn | are always leaked
in SSE. Let H(D) = (|D1 |, . . . , |Dn |).
– For a probabilistic trapdoor t(w), the server can easily obtain the search result
of t(w), i.e. the set of identiﬁers D(w). On the other hand, for a deterministic
360
K. Hayasaka et al.
trapdoor T (w), the search result will be D(w) or ⊥. If D(w) = ∅ and a
probabilistic trapdoor t(w) has been used at least once before searching with
T (w), I is updated by running Update. The search result with T (w) will be
D(w) then. Otherwise, the search result of T (w) is ⊥ since updating I has
never occurred. Then, let α(D, wk ) be a function as follows:
α(D, wk ) =
D(wk )
⊥
if (βk = 0) ∨ ((D(wk ) = ∅) ∧ ((wk , 0) ∈ wk )),
otherwise.
– As ordinary SSE whose trapdoors are generated deterministically, the server
immediately infer whether the i-th query (wi , 1) and the j-th query (wj , 1)
are the same or not by checking T (wi ) = T (wj ). On the other hand, for
probabilistic trapdoors t(wi ) and t(wj ), it is hard for the server to decide
whether wi = wj from t(wi ) = t(wj ). However, the server can decide it when
D(wi ) = ∅ and D(wj ) = ∅ in our SSE, since a combination of entries that a
query w matches in an encrypted index I is unique to w unless D(w) = ∅.
Furthermore, for queries (wi , βi ), (wj , βj ) such that (βi = 0 or βj = 0) and
D(wi ) = D(wj ) = ∅, it is hard for the server to decide wi = wj because no
information which is eﬀective to infer whether wi = wj is disclosed. Therefore,
for k queries (w1 , β1 ), . . . , (wk , βk ), the following binary matrix Hk is always
leaked in our SSE. For 1 ≤ i < j ≤ k, the element in the i-th row and the j-th
column, Hk [i, j], is deﬁned as below:
⎧
⎪
⎨1 if ((βi = βj = 1) ∨ (D(wi ) = ∅ ∨ D(wj ) = ∅)) ∧ (wi = wj ),
Hk [i, j] = 0 if ((βi = βj = 1) ∨ (D(wi ) = ∅ ∨ D(wj ) = ∅)) ∧ (wi = wj ),
⎪
⎩
⊥ if (βi = 0 ∨ βj = 0) ∧ (D(wi ) = D(wj ) = ∅),
Let σ(D, wk ) = (Hk , β1 , . . . , βk ), where wk = ((w1 , β1 ), . . . , (wk , βk )).
We now have the following theorem for the leakage L1 (D) = H(D) and
L2 (D, w) = (α(D, w), σ(D, w)).
Theorem 1. If F : {0, 1}λ ×{0, 1}∗ → {0, 1}μ is a pseudo-random function and
SKE is PCPA-secure symmetric key encryption scheme, our scheme is adaptive
semantic secure for the above leakage (L1 , L2 ).
Proof. We construct a PPT simulator S = (S0 , S1 , . . . , Sq ) such that for
any PPT-adversary A = (A0 , A1 , . . . , Aq+1 ), the outputs of Realadpt
SSE,A (λ) and
adpt
SimSSE,A,S (λ) are computationally indistinguishable.
Firstly, we construct S = {S0 , S1 , . . . , Sq } as follows.
– S0 (L1 (D)): Generate I ∗ , C∗ = {C1∗ , C2∗ , . . . , Cn∗ } and I
as follows:
• Set I ∗ ← ∅.
For 1 ≤ i ≤ |Δ|, 1 ≤ j ≤ n:
u
∗ Generate κ∗i,j ←
− {0, 1}μ
∗
from L1 (D) = H(D)
Probabilistic Generation of Trapdoors
361
∗ Set I ∗ ← I ∗ ∪ {(κ∗i,j , idj )}.
u
− {0, 1}|Di | (1 ≤ i ≤ n), and set C∗ = (C1∗ , . . . , Cn∗ ).
• Generate Ci∗ ←
∗
• Set I ← ∅ and stS ← I ∗ .
• Output (I ∗ , C∗ , I ∗ , stS ).
– Si (stS , L2 (D, wi )): Generate t∗ (wi ) = (t∗1 (wi ), . . . , t∗n (wi ), ri ) or T ∗ (w) from
L2 (D, wi ) = (α(D, wi ), σ(D, wi )) as follows:
1. Firstly, Si checks if wj such that wj = wi (j < i) exists using σ(D, wi ).
Namely, Si tries to ﬁnd wj such that Hi [j, i] = 1 (Si ignores a case that
Hi [j, i] = ⊥).
2. If such wj does not exist:
u
− {0, 1}μ .
(a) Pick δi ←
(b) If βi = 0, Si chooses ni = |α(D, wi )| entries {(κ∗i,k , idik )}k=1,...,ni ⊆
I ∗ for all elements idik ∈ α(D, wi ), where κ∗i,k have never chou
− {0, 1}λ and sets t∗k (wi ) ←
sen by Si (i < i). Si picks ri ←
u
− {0, 1}μ+λ for
SKE.Enc(κ∗i,k , δi ||ri ). Additionally, Si sets t∗k (wi ) ←
ni + 1 ≤ k ≤ n. Finally, Si outputs t∗ (wi ) and stS ← stS ∪
(i, δi , κ∗i,1 , . . . , κ∗i,ni ).
(c) If βi = 1, Si outputs T ∗ (wi ) ← δi and stS ← stS ∪ (i, δi ).
3. Otherwise:
(a) In the case of βi = 0, if (wi , βi ) is the ﬁrst query such that βi = 0,
κ∗j,k has not created in stS yet. In such case, Si chooses them from
I ∗ in the same manner as the case 2-(b) above, and complements the
entry by the κ∗j,k . Si now has the retrieved δj and κ∗j,k in stS , then Si
u
picks ri ←
− {0, 1}λ and computes t∗k (wi ) for 1 ≤ k ≤ n as mentioned
in the case 2-(b). Finally, Si outputs t∗ (wi ) and stS .
(b) If βi = 1, Si outputs T ∗ (wi ) ← δj and stS since Si can retrieve it
from stS .
Let us analyze each output of Si for 0 ≤ i ≤ q. We denote the set of the
trapdoor which is output of Si by T ∗ . Firstly, we show that Search, Update and
QuickSearch on (I ∗ , C∗ , I , T ∗ ) behave in the same way as these on (I, C, I , T )
do. After that, we show that each component of (I ∗ , C∗ , T ∗ ) is computationally
indistinguishable from the corresponding component of (I, C, T ).
We consider queries (wi , βi ) and (wj , βj ) such that j < i. In the case of wj
such that Hi [j, i] = 1, namely ((βj = 0 ∨ βi = 0) ∧ D(wj ) = D(wi ) = ∅) ∨ (wj =
wi ) for ∀j < i, we have the following facts:
u
− {0, 1}μ+λ , all t∗k (wi ) will not
– If βi = 0 and D(wi ) = ∅: Since Si sets t∗k (wi ) ←
∗
match any entry in I with all but negligible probability. Therefore, Search
just outputs S(wi ) = ∅, and Update does nothing.
– If βi = 0 and D(wi ) = ∅: Since Si sets t∗k (wi ) ← SKE.Enc(κ∗i,k , δi ||ri ) to match
the entries associated with idik ∈ D(wi ) by choosing κ∗i,k and generating
δi that have never appeared previously, t∗ (wi ) matches the entries that are
distinct from the entries any past trapdoor has matched with all but negligible
probability. Therefore, Search outputs S(wi ) = D(wi ) and Update sets the
entry I [δi ] ← D(wi ).
362
K. Hayasaka et al.
u
– If βi = 1: Since Si generates δi ←
− {0, 1}μ and sets T ∗ (wi ) ← δi , QuickSearch
outputs ⊥ with all but negligible probability. Note that QuickSearch outputs
⊥ even if D(wi ) = ∅ in real side since we have wj = wi for ∀j < i in this case,
namely Update for wi has never run so far.
Subsequently, we consider the other case, ∃wj such that Hi [j, i] = 1, namely
((βj = βi = 1) ∨ (D(wj ) = ∅ ∨ D(wi ) = ∅)) ∧ (wj = wi ) for ∃j < i:
– If βi = 0 and D(wi ) = ∅: As is the previous case βi = 0 and D(wi ) = ∅,
Search just outputs S(wi ) = ∅, and Update does nothing.
– If βi = 0 and D(wi ) = ∅: Since Si can retrieve κ∗j,k and δj which are previously
used from stS , Search and Update run in the same way as these for t∗ (wj ).
– If βi = 1: Since Si can retrieve δj from stS and set T ∗ (wi ) ← δj , QuickSearch
run in the same way as it for T ∗ (wj ).
We now show that (I, C, T ) and (I ∗ , C∗ , T ∗ ) are computationally indistinguishable for any PPT adversary A.
– I and I ∗ : Since all the elements κi,k in I are outputs of PRF F and A does
not have K2 with all but negligible probability, any A cannot distinguish κ
and a random string whose length is μ. Therefore, I ∗ is indistinguishable from
I.
– C and C∗ : Since all the elements Ci ∈ C are ciphertexts of the PCPA-secure
scheme SKE and A does not have K3 with all but negligible probability, any
A cannot distinguish Ci and a random string whose length is |Di |. Therefore,
C∗ is indistinguishable from C.
– T and T ∗ :
• t(wi ) and t∗ (wi ): Since all the elements tk (wi ) such that ni + 1 ≤ k ≤ n
are ciphertexts of the PCPA-secure scheme SKE and A does not have κi,k
with all but negligible probability, any A cannot distinguish tk (wi ) and a
random string whose length is μ + λ. For all the elements tk (wi ) such that
1 ≤ k ≤ ni , A can obtain the δi and a random string ri as its decryption
result with key κi,k ∈ I. Since δi are outputs of F and A does not have K1
with all but negligible probability, any A cannot distinguish δi ||ri and a
random string whose length is μ + λ. Therefore, t∗ (wi ) is indistinguishable
from t(wi ).
• T (wi ) and T ∗ (wi ): For all the elements T (wi ) are outputs of F and A
does not have K1 with all but negligible probability, any A cannot distinguish T (wi ) and a random string whose length is μ. Therefore, T ∗ (wi ) is
indistinguishable from T (wi ).
5
Conclusion
In this paper, we focused on the information, search pattern, leaked from trapdoors in ordinary SSE, and pointed out that the amount of the search pattern
can be reduced if a trapdoor is not matched any entry of an encrypted index.
Probabilistic Generation of Trapdoors
363
We formalized the security deﬁnition of SSE which can generate trapdoors probabilistically. Then, we proposed the SSE scheme which can reduce computational
cost in the re-searching case where the same keyword is searched again, and
showed that our scheme is secure in the sense of the security deﬁnition in the
standard model.
References
1. Asharov, G., Naor, M., Segev, G., Shahaf, I.: Searchable symmetric encryption:
Optimal locality in linear space via two-dimensional balanced allocations. STOC
2016, 1101–1114 (2016)
2. Boldyreva, A., Chenette, N.: Eﬃcient fuzzy search on encrypted data. In: Cid,
C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 613–633. Springer,
Heidelberg (2015)
3. Cash, D., Jaeger, J., Jarecki, S., Jutla, C., Krawczyk, H., Ro¸su, M., Steiner, M.:
Dynamic searchable encryption in very-large databases: data structures and implementation. In: NDSS 2014 (2014)
4. Cash, D., Jarecki, S., Jutla, C., Krawczyk, H., Ro¸su, M.-C., Steiner, M.: Highlyscalable searchable symmetric encryption with support for Boolean queries. In:
Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 353–
373. Springer, Heidelberg (2013)
5. Cash, D., Tessaro, S.: The locality of searchable symmetric encryption. In: Nguyen,
P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 351–368.
Springer, Heidelberg (2014)
6. Chang, Y.-C., Mitzenmacher, M.: Privacy preserving keyword searches on remote
encrypted data. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005.
LNCS, vol. 3531, pp. 442–455. Springer, Heidelberg (2005)
7. Chase, M., Kamara, S.: Structured encryption and controlled disclosure. In: Abe,
M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 577–594. Springer, Heidelberg
(2010)
8. Chase, M., Shen, E.: Substring-searchable symmetric encryption. In: PETS 2015,
vol. 2015(2), pp. 263–281 (2015)
9. Curtmola, R., Garay, J., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved deﬁnitions and eﬃcient constructions. ACM CCS 2006, 79–88
(2006)
10. Curtmola, R., Garay, J., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved deﬁnitions and eﬃcient constructions. J. Comput. Secur. 19(5),
895–934 (2011)
11. Dong, C., Russello, G., Dulay, N.: Shared and searchable encrypted data for
untrusted servers. J. Comput. Secur. 19(3), 367–397 (2011)
12. Faber, S., Jarecki, S., Krawczyk, H., Nguyen, Q., Rosu, M., Steiner, M.: Rich
queries on encrypted data: beyond exact matches. In: Pernul, G., Ryan, P.Y.A.,
Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 123–145. Springer,
Heidelberg (2015). doi:10.1007/978-3-319-24177-7 7
13. Goh, E.J.: Secure indexes. Cryptology ePrint Archive, Report 2003/216 (2003).
http://eprint.iacr.org/2003/216
14. Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious
RAMs. J. ACM 43(3), 431–473 (1996)