Tải bản đầy đủ - 0 (trang)
3 Key Technique: Trapdoor Locked Encryption Technique

3 Key Technique: Trapdoor Locked Encryption Technique

Tải bản đầy đủ - 0trang

Probabilistic Generation of Trapdoors



353



where m and n are the numbers of keywords and documents which are stored in

the server, respectively.

Through the above discussion, in the case that trapdoors match any entry of

the encrypted index, search patterns are leaked even if trapdoors are generated

probabilistically. Additionally, the same search pattern is leaked regardless of the

probabilistic or deterministic generation of trapdoors when the user searches for

a keyword which is matched once, because the server can compute and find same

val by using deterministic/probabilistic trapdoors where (val, id) is an entry of

encrypted index. Thus, we have a possibility of speed-up of re-searching process

by using deterministic trapdoors instead of probabilistic trapdoors in the case

that the user searches the same keyword which matches encrypted index. From

the above observation, we will set up a goal of Re-Search case as follows: we aim

the speed up of re-search by using deterministic trapdoors when re-searching

process is executed.

In order to achieve this purpose, we construct another encrypted index I

to further speed up search process. In re-search phase, the server searches documents by using this encrypted index I . In this paper, our re-search performance aims at O(log n ) equal to the structured encryption scheme of Chase

and Kamara [7] where n is the number of indexes in I . In order to search in

O(log n ), I should contain deterministic information for searched keywords.

Hence, we adopt the following goals.

(1) In the first search phase, a trapdoor should be generated probabilistically for

search pattern hiding. Additionally, the user should not give any information

of keywords to the server if the trapdoor does not match any document.

(2) At the same time, to construct another encrypted index I , the server has

to obtain deterministic information for the keyword if the trapdoor matches

with some entry of the encrypted index I in the keyword searching process.

(3) In re-search phase, the server executes searching process by using encrypted

index I which consists of deterministic information for searched keywords.

The user can choose executing of searching process or re-searching process when

the user generates trapdoors. In Tentative scheme, the server cannot generate

deterministic encrypted index I . On the other hand, the search patterns are

leaked to the server if the user generates deterministic trapdoor. In order to

overcome this seemingly contradictory situation, we introduce a new technique

trapdoor locked encryption technique.

Trapdoor Locked Encryption Technique. For the above purposes, the user

should send deterministic information of keywords to the server and trapdoors

Table 1. SSE-2 v.s. Tentative scheme

SSE-2 [9]



Tentative scheme



Entry of encrypted index: (κj = F (K, w, j), idj ) ⇒

(κj = F (K, w, j), idj )

t = F (K, w , j)

⇒ (t = F (F (K, w , j), u), u)

Trapdoor:

Search:



?



t = κj







?



t = F (κj , u)



354



K. Hayasaka et al.

Table 2. SSE-2 v.s. Proposed scheme

SSE-2 [9]



Entry of I:

Trapdoor:

Search:



Proposed scheme



(κj = F (K, w, j), idj ) ⇒

(κj = F (K, w, j), idj )

(t = F (K, w , j))

⇒ (t = SKE.Enc(F (K, w , j), F (K , w )||r), r)

?



t = κj







X||r = SKE.Dec(κj , t)







r=r

X = F (K , w )



?



Entry of I :



not available



?



not available



F (K , w ) = X

Re-Search:

(Note that w, w and w are keywords which are used in the document storing process,

the searching process, and the re-searching process, respectively.)



should be probabilistic value to the third parties and the server when the keyword

is searched for the first time. Then, we consider that trapdoors are generated

probabilistically by encrypting deterministic information of the keyword using

a symmetric key encryption (e.g., AES-CBC or AES-CTR). However, search

patterns are leaked to the server if the sever can always decrypt trapdoors. We

need to develop the method that the server can decrypt only when the trapdoor

matches with some entry of the encrypted index I by using one component of

a part of the entry of encrypted index I as the secret key of a symmetric key

encryption.

In SSE-2, an entry of encrypted index is formed as (F (K, w, j), idj ). Then, in

our scheme, the user generates a ciphertext by using κj = F (K, w, j) as the key

of symmetric key encryption. If the trapdoor matches, the server can decrypt

the trapdoor (ciphertext) correctly since the server has κj = F (K, w, j). On the

other hand, if the trapdoor does not match, the server cannot decrypt it and

cannot obtain the deterministic information since the server does not have the

key κj = F (K, w, j).

The overview of proposed method is as follows. The user generates t =

SKE.Enc(F (K, w , j), F (K , w )||r) as the trapdoor where SKE.Enc is a symmetric key encryption algorithm and K is a PRF key which is different from K,

F (K , w ) is deterministic information for re-search and r is a l-bit randomness.

This trapdoor matches if the low order l bits of the decryption result is equivalent to r. We call this technique “trapdoor locked encryption technique”. The

construction overview is described in Table 2.

1.4



Our Contributions



– This paper presents a reasonable and useful definition which covers reducing

search pattern leakage and fast re-search. First, we define the syntax of our

SSE scheme (see Sect. 3). In our concept, the server can obtain deterministic information from trapdoors and update the encrypted index I from the

information in order to re-search quickly. After that, the user can generate a

deterministic trapdoor of keywords which have been already searched, and the



Probabilistic Generation of Trapdoors



355



server can quickly re-search by using it. We define DetTrpdr and QuickSearch

as a deterministic trapdoor generation algorithm and a search algorithm by

using deterministic trapdoors, respectively. Additionally, we propose a security definition, adaptive semantic security, which takes into account search

pattern hiding (see Sect. 3.2).

– This paper proposes the first adaptive secure and search pattern hiding SSE

scheme based on SSE-2 [9] (see Sect. 4.1). Security of our scheme is proved

under the existence of PRFs in the standard model (see Sect. 4.2).

1.5



Related Works



There are SSE schemes closely related to our work [15,24]. Moataz and Shikfa

proposed the SSE scheme which can generate trapdoors probabilistically [24].

Their trapdoor is expressed as a vector form, and all trapdoors obtained from

the same keyword can be represented as scalar multiplications of some vector.

Therefore, anyone can easily check whether given trapdoors contain the same

keyword. That is, their scheme cannot reduce search pattern leakage. The SSE

scheme providing a quick re-searching algorithm was also proposed by Hahn

and Kerschbaum [15]. Their strategy for quick re-searching is similar to ours.

However, the trapdoors of their scheme are generated deterministically (i.e. their

search pattern of the scheme is leaked more than that of our proposed scheme),

and no trapdoor locked encryption technique is used.



2



Preliminaries



Notations. We denote the set of positive real numbers by R+ . We say that a

function negl : N → R+ is negligible if for any (positive) polynomial p, there

exists n0 ∈ N such that for all n ≥ n0 , it holds that negl(n) < 1/p(n). We

denote by poly(n) unspecified polynomial in n. If A is a probabilistic algorithm,

y ← A(x) denotes running A on input x with a uniformly-chosen random tape

and assigning the output to y. AO denotes an algorithm with oracle access to O.

We denote the empty set by ∅. For an associative array I , its value for a key s

is denoted by I [s], and I [s] ← x represents assignment of x to I [s]. We denote

by |S| the cardinality for a finite set S, and the bit length for a bit string S. If

u

S is a finite set, s ←

− S denotes that s is uniformly chosen from S. We denote a

security parameter by λ throughout this paper.

Cryptographic Primitives. We recall the definition of pseudo-random functions (PRF). A function f : {0, 1}λ × {0, 1}m → {0, 1}n is pseudo-random if f

is polynomial-time computable in λ, and for any probabilistic polynomial-time

(PPT) algorithm A, it holds that

u



u



− {0, 1}λ ] − Pr[1 ← Ag(·) (1λ ) | g ←

− Fm,n ]| ≤ negl(λ),

|Pr[1 ← Af (K,·) (1λ ) | K ←

where Fm,n is the set of functions mapping {0, 1}m to {0, 1}n .



356



K. Hayasaka et al.



We recall the definition of pseudo-randomness against the chosen plaintext

attack (PCPA) for a symmetric-key encryption scheme SKE = (Gen, Enc, Dec).

Let PCPAA,SKE (λ) be an experiment for an adversary A and SKE as follows:

A key K is generated by SKE.Gen(1λ ).

A is given oracle access to SKE.Enc(K, ·).

A outputs a message m.

Two ciphertexts c0 and c1 are generated as follows: c0 ← SKE.Enc(K, m) and

u

c1 ←

− C, where C denotes the set of all possible ciphertexts. A random bit

u

− {0, 1} is chosen, and cb is given to A.

b←

5. A is given oracle access to SKE.Enc(K, ·), and outputs a bit b ∈ {0, 1}.

6. The output of the experiment is 1 if b = b, 0 otherwise.



1.

2.

3.

4.



We say that SKE is PCPA-secure if for any PPT adversary A,

Pr[PCPAA,SKE (λ) = 1] −



1

≤ negl(λ),

2



where the probability is taken over the random coins of Gen and Enc.

Document Collections. Let w be a keyword, and Δ ⊆ {0, 1} be a set of d

keywords.

Let D ∈ {0, 1}∗ be a document (or file), and D = (D1 , . . . , Dn ) be a document

collection. Let C = (C1 , . . . , Cn ) be a ciphertext collection of D, where Ci is a

ciphertext of Di for 1 ≤ i ≤ n. We assume that the ciphertext Ci contain a

unique identifier (or file name) idi ∈ {0, 1}ν . For D = (D1 , . . . , Dn ), let D(w) be

a set of identifiers of documents that contain the keyword w. That is, D(w) =

{idi1 , . . . , idin }.



3



Definitions



In this section, we define our new SSE scheme which has two keyword search

algorithms. One is a search algorithm for a trapdoor generated probabilistically.

The other is a search algorithm for a trapdoor generated deterministically.

The former algorithm can reduce the amount of the search pattern leakage. On the other hand, the latter algorithm using deterministically-generated

trapdoors can reduce computational cost of a re-searching case when the user

wants to search using a keyword which has already been searched. Furthermore,

index updating algorithm is also provided in order to achieve the above quick

re-searching.

3.1



Syntax



We now define new SSE scheme over a Δ, SSE = (Gen, Enc, Trpdr, Search,

Dec, Update, DetTrpdr, QuickSearch), which consists of the following algorithms:



Probabilistic Generation of Trapdoors



357



– K ← Gen(1λ ): is a probabilistic algorithm which generates a secret key K,

where λ is a security parameter.

– (I, C, I ) ← Enc(K, D): is a probabilistic algorithm which outputs two

encrypted indexes I and I , and a ciphertext collection C = (C1 , . . . , Cn ).

– t(w) ← Trpdr(K, w): is a probabilistic algorithm which outputs a probabilistic

trapdoor t(w) for a keyword w.

– S(w) ← Search(I, t(w)): is a deterministic algorithm which outputs an identifier set S(w).

– D ← Dec(K, C): is a deterministic algorithm which outputs a plaintext D of

C.

– I ← Update(I , I, t(w)): is a deterministic algorithm which outputs an

updated encrypted index I .

– T (w) ← DetTrpdr(K, w): is a deterministic algorithm which outputs a deterministic trapdoor T (w) for a keyword w.

– S(w) ← QuickSearch(I , T (w)): is a deterministic algorithm which outputs

an identifier set S(w).

Here, the SSE scheme is correct if for all λ ∈ N, all w ∈ Δ, all K

output by Gen(1λ ), all D, and (I, C, I ) output by Enc(K, D), the following conditions hold: (i) Search(I, Trpdr(K, w)) = D(w), and Dec(K, Ci ) =

Di (1 ≤ i ≤ n), (ii) QuickSearch(I , DetTrpdr(K, w)) = D(w) if D(w) is

not empty and Update(I , I, Trpdr(K, w)) has been run at least once so far,

QuickSearch(I , DetTrpdr(K, w)) = ⊥ otherwise.

3.2



Security



We define Adaptive Semantic Security under the Chosen Keyword Attack as

follows, based on [7]. In our SSE, since there are two trapdoor generation algorithms, Trpdr or DetTrpdr, we denote a query by (w, β) where β ∈ {0, 1} is used

to switch these trapdoor generation algorithms. Namely, a probabilistic trapdoor

t(w) is generated for a query (w, 0) by Trpdr and is to be input to Search. In contrast, a deterministic trapdoor T (w) is generated for a query (w, 1) by DetTrpdr

and is to be input to QuickSearch. We denote a query sequence whose length

is q by wq = ((w1 , β1 ), . . . , (wq , βq )), and a set of trapdoors by T .

Definition 1. Let SSE be an SSE scheme, λ be a security parameter, and L1 , L2

be leakage functions. For PPT algorithms A = (A0 , A1 , . . . , Aq+1 ) with its state

stA and S = (S0 , S1 , . . . , Sq ) with its state stS such that q = poly(λ), define the

adpt

following games Realadpt

SSE,A (λ) and SimSSE,A,S (λ).

Realadpt

SSE,A (λ):

K ← Gen(1λ )

(D, stA ) ← A0 (1λ )

(I, C, I ) ← Enc(K, D)

T ←∅

for 1 ≤ i ≤ q,



358



K. Hayasaka et al.



(wi , βi , stA ) ← Ai (stA , I, C, I , T )

if βi = 0 then

t(wi ) ← Trpdr(K, wi ) and T ← T ∪ {t(wi )}

else

T (wi ) ← DetTrpdr(K, wi ) and T ← T ∪ {T (wi )}

b ← Aq+1 (stA , I, C, I , T ), output b

Simadpt

SSE,A,S (λ):

(D, stA ) ← A0 (1λ )

(I, C, I , stS ) ← S0 (L1 (D))

T ←∅

for 1 ≤ i ≤ q,

(wi , βi , stA ) ← Ai (stA , I, C, I , T )

if βi = 0 then

(t(wi ), stS ) ← Si (stS , L2 (D, wi )) and T ← T ∪ {t(wi )}

else

(T (wi ), stS ) ← Si (stS , L2 (D, wi )) and T ← T ∪ {T (wi )}

b ← Aq+1 (stA , I, C, I , T ), output b

SSE is secure in the sense of adaptive semantic security under the chosen keyword

attacks if for any PPT adversary A, there exists a PPT simulator S such that

adpt

|Pr[Realadpt

SSE,A (λ) = 1] − Pr[SimSSE,A,S (λ) = 1]| ≤ negl(λ).



4



Specific Construction



In this section, we firstly give a construction of our scheme based on SSE-2

proposed by Curtmola et al. [9]. Secondly, we define three acceptable information

leakage functions H, α and σ in our construction. Finally, we prove that our

construction is adaptive semantic secure for these leakage functions.

4.1



A Construction of Our Scheme



Here, we give our construction of SSE. In this construction, F is a pseudo-random

function such that F : {0, 1}λ × {0, 1}∗ → {0, 1}μ , SKE = (Gen, Enc, Dec) is a

PCPA-secure symmetric key encryption scheme, I is a associative array and

n = |D|. We denote by idj the j-th identifier in D.

u



– Gen(1λ ): Sample K1 , K2 ←

− {0, 1}λ , generate K3 ← SKE.Gen(1λ ), and output

K = (K1 , K2 , K3 ).

– Enc(K, D): I ← ∅

for 1 ≤ i ≤ |Δ| do

for 1 ≤ j ≤ n do

if idj ∈ D(wi ) then

I ← I ∪ {(F (K2 , wi , j), idj )}



Probabilistic Generation of Trapdoors























359



else

I ← I ∪ {(F (K2 , wi , n + j), idj )}

C←∅

for 1 ≤ i ≤ n do

C ← C ∪ {SKE.Enc(K3 , Di )}

Set I to empty associative array

return (I, C, I )

Trpdr(K, w):

u

r←

− {0, 1}λ

for 1 ≤ j ≤ n do

tj (w) ← SKE.Enc(F (K2 , w, j), F (K1 , w) || r)

return t(w) = (t1 (w), t2 (w), . . . , tn (w), r)

Search(I, t(w)):

S(w) ← ∅

for 1 ≤ i ≤ n do

for ∀(κj , idij ) ∈ I do

a ← SKE.Dec(κj , ti (w)), and parse a as s || r

if r = r then

S(w) ← S(w) ∪ {idij }

return S(w)

Dec(K, C): return D ← SKE.Dec(K3 , C)

Update(I , I, t(w)):

if Search(I, t(w)) = ∅ then

retrieve s such that r = r from t(w) in the same manner as Search

I [s] ← Search(I, t(w))

return I

DetTrpdr(K, w): return T (w) ← F (K1 , w)

QuickSearch(I , T (w)): return I [T (w)]



4.2



Security



In this section, let us discuss acceptable information leakage L1 and L2 of our

SSE, in order to formalize security of our SSE. First, we define the leakage

functions H, α and σ that the server can obtain from (I, C, I , T ) in our SSE.

H, α and σ represent history, access pattern and search pattern, respectively

as the security definition of Curtmola et al. [9]. The most important difference

between our SSE and ordinary SSE is the probabilistic generation of trapdoors.

By using probabilistic trapdoors, we can reduce the leakage of the search pattern

σ in the case where D(w) = ∅ in contrast to a ordinary SSE which always leaks

the search pattern.

– If a ciphertext Ci of a document Di is stored in the server, then the server can

easily infer the bit length |Di |, and thereby |D1 |, . . . , |Dn | are always leaked

in SSE. Let H(D) = (|D1 |, . . . , |Dn |).

– For a probabilistic trapdoor t(w), the server can easily obtain the search result

of t(w), i.e. the set of identifiers D(w). On the other hand, for a deterministic



360



K. Hayasaka et al.



trapdoor T (w), the search result will be D(w) or ⊥. If D(w) = ∅ and a

probabilistic trapdoor t(w) has been used at least once before searching with

T (w), I is updated by running Update. The search result with T (w) will be

D(w) then. Otherwise, the search result of T (w) is ⊥ since updating I has

never occurred. Then, let α(D, wk ) be a function as follows:

α(D, wk ) =



D(wk )





if (βk = 0) ∨ ((D(wk ) = ∅) ∧ ((wk , 0) ∈ wk )),

otherwise.



– As ordinary SSE whose trapdoors are generated deterministically, the server

immediately infer whether the i-th query (wi , 1) and the j-th query (wj , 1)

are the same or not by checking T (wi ) = T (wj ). On the other hand, for

probabilistic trapdoors t(wi ) and t(wj ), it is hard for the server to decide

whether wi = wj from t(wi ) = t(wj ). However, the server can decide it when

D(wi ) = ∅ and D(wj ) = ∅ in our SSE, since a combination of entries that a

query w matches in an encrypted index I is unique to w unless D(w) = ∅.

Furthermore, for queries (wi , βi ), (wj , βj ) such that (βi = 0 or βj = 0) and

D(wi ) = D(wj ) = ∅, it is hard for the server to decide wi = wj because no

information which is effective to infer whether wi = wj is disclosed. Therefore,

for k queries (w1 , β1 ), . . . , (wk , βk ), the following binary matrix Hk is always

leaked in our SSE. For 1 ≤ i < j ≤ k, the element in the i-th row and the j-th

column, Hk [i, j], is defined as below:





⎨1 if ((βi = βj = 1) ∨ (D(wi ) = ∅ ∨ D(wj ) = ∅)) ∧ (wi = wj ),

Hk [i, j] = 0 if ((βi = βj = 1) ∨ (D(wi ) = ∅ ∨ D(wj ) = ∅)) ∧ (wi = wj ),





⊥ if (βi = 0 ∨ βj = 0) ∧ (D(wi ) = D(wj ) = ∅),

Let σ(D, wk ) = (Hk , β1 , . . . , βk ), where wk = ((w1 , β1 ), . . . , (wk , βk )).

We now have the following theorem for the leakage L1 (D) = H(D) and

L2 (D, w) = (α(D, w), σ(D, w)).

Theorem 1. If F : {0, 1}λ ×{0, 1}∗ → {0, 1}μ is a pseudo-random function and

SKE is PCPA-secure symmetric key encryption scheme, our scheme is adaptive

semantic secure for the above leakage (L1 , L2 ).

Proof. We construct a PPT simulator S = (S0 , S1 , . . . , Sq ) such that for

any PPT-adversary A = (A0 , A1 , . . . , Aq+1 ), the outputs of Realadpt

SSE,A (λ) and

adpt

SimSSE,A,S (λ) are computationally indistinguishable.

Firstly, we construct S = {S0 , S1 , . . . , Sq } as follows.

– S0 (L1 (D)): Generate I ∗ , C∗ = {C1∗ , C2∗ , . . . , Cn∗ } and I

as follows:

• Set I ∗ ← ∅.

For 1 ≤ i ≤ |Δ|, 1 ≤ j ≤ n:

u

∗ Generate κ∗i,j ←

− {0, 1}μ







from L1 (D) = H(D)



Probabilistic Generation of Trapdoors



361



∗ Set I ∗ ← I ∗ ∪ {(κ∗i,j , idj )}.

u

− {0, 1}|Di | (1 ≤ i ≤ n), and set C∗ = (C1∗ , . . . , Cn∗ ).

• Generate Ci∗ ←



• Set I ← ∅ and stS ← I ∗ .

• Output (I ∗ , C∗ , I ∗ , stS ).

– Si (stS , L2 (D, wi )): Generate t∗ (wi ) = (t∗1 (wi ), . . . , t∗n (wi ), ri ) or T ∗ (w) from

L2 (D, wi ) = (α(D, wi ), σ(D, wi )) as follows:

1. Firstly, Si checks if wj such that wj = wi (j < i) exists using σ(D, wi ).

Namely, Si tries to find wj such that Hi [j, i] = 1 (Si ignores a case that

Hi [j, i] = ⊥).

2. If such wj does not exist:

u

− {0, 1}μ .

(a) Pick δi ←

(b) If βi = 0, Si chooses ni = |α(D, wi )| entries {(κ∗i,k , idik )}k=1,...,ni ⊆

I ∗ for all elements idik ∈ α(D, wi ), where κ∗i,k have never chou

− {0, 1}λ and sets t∗k (wi ) ←

sen by Si (i < i). Si picks ri ←

u

− {0, 1}μ+λ for

SKE.Enc(κ∗i,k , δi ||ri ). Additionally, Si sets t∗k (wi ) ←

ni + 1 ≤ k ≤ n. Finally, Si outputs t∗ (wi ) and stS ← stS ∪

(i, δi , κ∗i,1 , . . . , κ∗i,ni ).

(c) If βi = 1, Si outputs T ∗ (wi ) ← δi and stS ← stS ∪ (i, δi ).

3. Otherwise:

(a) In the case of βi = 0, if (wi , βi ) is the first query such that βi = 0,

κ∗j,k has not created in stS yet. In such case, Si chooses them from

I ∗ in the same manner as the case 2-(b) above, and complements the

entry by the κ∗j,k . Si now has the retrieved δj and κ∗j,k in stS , then Si

u

picks ri ←

− {0, 1}λ and computes t∗k (wi ) for 1 ≤ k ≤ n as mentioned

in the case 2-(b). Finally, Si outputs t∗ (wi ) and stS .

(b) If βi = 1, Si outputs T ∗ (wi ) ← δj and stS since Si can retrieve it

from stS .

Let us analyze each output of Si for 0 ≤ i ≤ q. We denote the set of the

trapdoor which is output of Si by T ∗ . Firstly, we show that Search, Update and

QuickSearch on (I ∗ , C∗ , I , T ∗ ) behave in the same way as these on (I, C, I , T )

do. After that, we show that each component of (I ∗ , C∗ , T ∗ ) is computationally

indistinguishable from the corresponding component of (I, C, T ).

We consider queries (wi , βi ) and (wj , βj ) such that j < i. In the case of wj

such that Hi [j, i] = 1, namely ((βj = 0 ∨ βi = 0) ∧ D(wj ) = D(wi ) = ∅) ∨ (wj =

wi ) for ∀j < i, we have the following facts:

u



− {0, 1}μ+λ , all t∗k (wi ) will not

– If βi = 0 and D(wi ) = ∅: Since Si sets t∗k (wi ) ←



match any entry in I with all but negligible probability. Therefore, Search

just outputs S(wi ) = ∅, and Update does nothing.

– If βi = 0 and D(wi ) = ∅: Since Si sets t∗k (wi ) ← SKE.Enc(κ∗i,k , δi ||ri ) to match

the entries associated with idik ∈ D(wi ) by choosing κ∗i,k and generating

δi that have never appeared previously, t∗ (wi ) matches the entries that are

distinct from the entries any past trapdoor has matched with all but negligible

probability. Therefore, Search outputs S(wi ) = D(wi ) and Update sets the

entry I [δi ] ← D(wi ).



362



K. Hayasaka et al.

u



– If βi = 1: Since Si generates δi ←

− {0, 1}μ and sets T ∗ (wi ) ← δi , QuickSearch

outputs ⊥ with all but negligible probability. Note that QuickSearch outputs

⊥ even if D(wi ) = ∅ in real side since we have wj = wi for ∀j < i in this case,

namely Update for wi has never run so far.

Subsequently, we consider the other case, ∃wj such that Hi [j, i] = 1, namely

((βj = βi = 1) ∨ (D(wj ) = ∅ ∨ D(wi ) = ∅)) ∧ (wj = wi ) for ∃j < i:

– If βi = 0 and D(wi ) = ∅: As is the previous case βi = 0 and D(wi ) = ∅,

Search just outputs S(wi ) = ∅, and Update does nothing.

– If βi = 0 and D(wi ) = ∅: Since Si can retrieve κ∗j,k and δj which are previously

used from stS , Search and Update run in the same way as these for t∗ (wj ).

– If βi = 1: Since Si can retrieve δj from stS and set T ∗ (wi ) ← δj , QuickSearch

run in the same way as it for T ∗ (wj ).

We now show that (I, C, T ) and (I ∗ , C∗ , T ∗ ) are computationally indistinguishable for any PPT adversary A.

– I and I ∗ : Since all the elements κi,k in I are outputs of PRF F and A does

not have K2 with all but negligible probability, any A cannot distinguish κ

and a random string whose length is μ. Therefore, I ∗ is indistinguishable from

I.

– C and C∗ : Since all the elements Ci ∈ C are ciphertexts of the PCPA-secure

scheme SKE and A does not have K3 with all but negligible probability, any

A cannot distinguish Ci and a random string whose length is |Di |. Therefore,

C∗ is indistinguishable from C.

– T and T ∗ :

• t(wi ) and t∗ (wi ): Since all the elements tk (wi ) such that ni + 1 ≤ k ≤ n

are ciphertexts of the PCPA-secure scheme SKE and A does not have κi,k

with all but negligible probability, any A cannot distinguish tk (wi ) and a

random string whose length is μ + λ. For all the elements tk (wi ) such that

1 ≤ k ≤ ni , A can obtain the δi and a random string ri as its decryption

result with key κi,k ∈ I. Since δi are outputs of F and A does not have K1

with all but negligible probability, any A cannot distinguish δi ||ri and a

random string whose length is μ + λ. Therefore, t∗ (wi ) is indistinguishable

from t(wi ).

• T (wi ) and T ∗ (wi ): For all the elements T (wi ) are outputs of F and A

does not have K1 with all but negligible probability, any A cannot distinguish T (wi ) and a random string whose length is μ. Therefore, T ∗ (wi ) is

indistinguishable from T (wi ).



5



Conclusion



In this paper, we focused on the information, search pattern, leaked from trapdoors in ordinary SSE, and pointed out that the amount of the search pattern

can be reduced if a trapdoor is not matched any entry of an encrypted index.



Probabilistic Generation of Trapdoors



363



We formalized the security definition of SSE which can generate trapdoors probabilistically. Then, we proposed the SSE scheme which can reduce computational

cost in the re-searching case where the same keyword is searched again, and

showed that our scheme is secure in the sense of the security definition in the

standard model.



References

1. Asharov, G., Naor, M., Segev, G., Shahaf, I.: Searchable symmetric encryption:

Optimal locality in linear space via two-dimensional balanced allocations. STOC

2016, 1101–1114 (2016)

2. Boldyreva, A., Chenette, N.: Efficient fuzzy search on encrypted data. In: Cid,

C., Rechberger, C. (eds.) FSE 2014. LNCS, vol. 8540, pp. 613–633. Springer,

Heidelberg (2015)

3. Cash, D., Jaeger, J., Jarecki, S., Jutla, C., Krawczyk, H., Ro¸su, M., Steiner, M.:

Dynamic searchable encryption in very-large databases: data structures and implementation. In: NDSS 2014 (2014)

4. Cash, D., Jarecki, S., Jutla, C., Krawczyk, H., Ro¸su, M.-C., Steiner, M.: Highlyscalable searchable symmetric encryption with support for Boolean queries. In:

Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 353–

373. Springer, Heidelberg (2013)

5. Cash, D., Tessaro, S.: The locality of searchable symmetric encryption. In: Nguyen,

P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 351–368.

Springer, Heidelberg (2014)

6. Chang, Y.-C., Mitzenmacher, M.: Privacy preserving keyword searches on remote

encrypted data. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005.

LNCS, vol. 3531, pp. 442–455. Springer, Heidelberg (2005)

7. Chase, M., Kamara, S.: Structured encryption and controlled disclosure. In: Abe,

M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 577–594. Springer, Heidelberg

(2010)

8. Chase, M., Shen, E.: Substring-searchable symmetric encryption. In: PETS 2015,

vol. 2015(2), pp. 263–281 (2015)

9. Curtmola, R., Garay, J., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved definitions and efficient constructions. ACM CCS 2006, 79–88

(2006)

10. Curtmola, R., Garay, J., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved definitions and efficient constructions. J. Comput. Secur. 19(5),

895–934 (2011)

11. Dong, C., Russello, G., Dulay, N.: Shared and searchable encrypted data for

untrusted servers. J. Comput. Secur. 19(3), 367–397 (2011)

12. Faber, S., Jarecki, S., Krawczyk, H., Nguyen, Q., Rosu, M., Steiner, M.: Rich

queries on encrypted data: beyond exact matches. In: Pernul, G., Ryan, P.Y.A.,

Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 123–145. Springer,

Heidelberg (2015). doi:10.1007/978-3-319-24177-7 7

13. Goh, E.J.: Secure indexes. Cryptology ePrint Archive, Report 2003/216 (2003).

http://eprint.iacr.org/2003/216

14. Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious

RAMs. J. ACM 43(3), 431–473 (1996)



Tài liệu bạn tìm kiếm đã sẵn sàng tải về

3 Key Technique: Trapdoor Locked Encryption Technique

Tải bản đầy đủ ngay(0 tr)

×