Thesis Presentation for the Degree of Doctor
Efficient Conjunctive Keyword Search on Encrypted Data Storage System
Authors: Jin Wook Byun, Dong Hoon Lee, Jongin Lim
Center for Information Security Technologies (CIST), Graduate School of Information Security (GSIS), Korea University, Korea
June 20, 2006, PM 12:00 – 12:30
EuroPKI 2006, Turin, Italy, 20, June

Organization
- Introduction
- Security Model
- The proposed scheme: ECKS-PS
- Security Result
- Conclusion

Background and Motivation
Sensitive data
- The amount of sensitive data stored in databases is increasing rapidly!
  - How can it be protected from outsider and insider attackers?
[Figure: TV, PC, Phones, Kiosks, …; Information Highway; Merchant, Health Care, Application Server, Financial Institute, Public Service; Server platform]

Background and Motivation
Simple solution?
- Encryption of sensitive data
  - Management of encryption/decryption keys
  - But encryption makes the data random and unreadable to anyone other than the users holding the encryption keys.
Q: How can the original documents that contain the user-specified keywords be searched efficiently over the encrypted documents?
[Figure: conjunctive keyword search for "Love, Bob, Alice" returning encrypted results]

Related Works
Web-based personal storage systems
- Two entities are involved
  - The data supplier uploads encrypted data, then searches for data containing keywords
- Song et al. [13]
  - In 2000, they first suggested an efficient and provably secure keyword search scheme using a block cipher
- Goh [8]
  - Goh suggested a secure search scheme using a Bloom filter
- Chang and Mitzenmacher [6]
  - They suggested a keyword search protocol that is practical in terms of communication and storage overheads.
- These schemes are not appropriate for fully conjunctive keyword search, as the authors mention in their papers!

Related Works
Conjunctive keyword search
- Golle et al.'s work [7]
  - They suggested two conjunctive keyword search protocols that enable users to search conjunctively.
    - Golle I
      - Communication and storage costs
      - It requires O(n)
    - Golle II
      - Unverifiable computational assumption
      - Is it really secure?
- Our main contribution is to improve on these two points while keeping provable security in the random oracle model!

Our Contributions
Constant communication and storage overheads
- Constant
  - Storage cost of a user
  - Communication costs between a user and a server are constant
    - Although the value of n may grow to GBytes or TBytes, our scheme requires at most 2,052 bits.
    - The storage cost is only 2048 bits.
- Formal security proof
  - Multi decisional bilinear Diffie-Hellman (MDBDH) = DBDH
  - Reducing the security to the MDBDH assumption

Our Contributions
Comparison Table
- Efficiency + Provable Security
  - ECKS-PS: Efficient Conjunctive Keyword Search in the Personal Storage Systems

Conjunctive Keyword Search and Its Security Definitions
Database
- n rows and m columns
  - For each row $R_i$ we define the i-th document by $D_i = \{W_{i,1}, \ldots, W_{i,m}\}$
    - where $W_{i,j}$ is the j-th keyword of document $D_i$.
  - Each $R_i$ consists of encrypted data and conjunctive searchable information.
    - $CSI = \{I_i, CSI(W_{i,1}), \ldots, CSI(W_{i,m})\}$
[Figure: Personal Database; each row holds the encrypted data, $I_i$ and $CSI(W_{i,j})$]
- Assumption: the same keyword never appears in two different keyword fields, and every keyword field is defined for every document.

Conjunctive Keyword Search and Its Security Definitions
Conjunctive Keyword Search Personal Storage System
- Key generation algorithm $KeyGen(1^k)$
  - Output: a private/public key pair $(prk, pk)$
- Conjunctive searchable information algorithm $CSI(prk, pk, D_i)$
  - Output: $CSI_i = \{I_i, CSI_{i,1}(W_{i,1}), \ldots, CSI_{i,m}(W_{i,m})\}$
- Trapdoor generation algorithm $TCK(prk, pk, p_1, \ldots, p_l, Q_l)$
  - Output: $T_l$ for $Q_l = \{W_{p_1}, \ldots, W_{p_l}\}$
- Test algorithm $Test(CSI_i, T_l)$
  - If the following condition holds, Yes. Otherwise No.
    $(W_{i,p_1} = W_{p_1}) \wedge \ldots \wedge (W_{i,p_l} = W_{p_l})$

Conjunctive Keyword Search and Its Security Definitions
SS-CTA security in the PS setting
- CTA: chosen trapdoor attack
  - Indistinguishability between two CSI values
[Figure: game between A and the CSI oracles]
- Asks queries (asking trapdoor)
- Select $D_0 = \{W_{0,1}, \ldots, W_{0,m}\}$ and $D_1 = \{W_{1,1}, \ldots, W_{1,m}\}$
- Coin toss b: if b = 1, CSI1 → CSI; else, CSI2 → CSI
  - $CSI_b = \{I_b(prk, pk), CSI_{b,1}(W_{b,1}, pk), \ldots, CSI_{b,m}(W_{b,m}, pk)\}$
- Asks queries
- Guess b'. If b = d, then return 1; otherwise, return 0.
$Adv^{cta}_{A}(k, q_T, q_C) = |\Pr[Exp^{cta}_{A}(k) = 1 \mid b = 1] - \Pr[Exp^{cta}_{A}(k) = 1 \mid b = 0]|$

Computational Assumptions
Decisional Bilinear Diffie-Hellman (DBDH) Assumption
- DBDH parameter generator $Ig_{dbdh}(k)$
  - Two groups $G_1$ and $G_2$ and bilinear map e : G
- DBDH problem
- DBDH assumption
  - If no polynomial algorithm has non-negligible advantage ε in solving the DBDH problem

Computational Assumptions
Multi Decisional Bilinear Diffie-Hellman (MDBDH) Assumption
- DBDH parameter generator $Ig_{dbdh}(k)$
  - Two groups $G_1$ and $G_2$ and bilinear map e : G
- DBDH problem
  $Adv^{dbdh}_{A_D}(T_D, k) = |\Pr[Exp^{real}_{A_D}(k) = 1 \mid b = 1] - \Pr[Exp^{real}_{A_D}(k) = 1 \mid b = 0]|$
- DBDH assumption
  - If no polynomial algorithm has non-negligible advantage ε in solving the DBDH problem

Computational Assumptions
Multi-Decisional Bilinear Diffie-Hellman (MDBDH) Assumption
- MDBDH parameter generator
- Advantage of solving the MDBDH problem
  $Adv^{mdbdh}_{A_{D^M}}(T_{D^M}, k) = |\Pr[Exp^{real}_{A_{D^M}}(k) = 1 \mid b = 1] - \Pr[Exp^{real}_{A_{D^M}}(k) = 1 \mid b = 0]|$
- MDBDH assumption
  - If no polynomial algorithm has non-negligible advantage ε in solving the DBDH problem

Computational Assumptions
Standard Assumption
- The MDBDH assumption is equivalent to the DBDH assumption.
  - Lemma 2.1 For any integer m and common parameters $(G_1, G_2, e, q, g)$:
    (1) $Adv^{mdbdh}_{A_{D^M}}(T_{D^M}, k) \le (m - 1)\, Adv^{dbdh}_{A_D}(T_{D^M} + 2mT_{G_1}, k)$
    (2) $Adv^{dbdh}_{A_D}(T_D, k) \le Adv^{mdbdh}_{A_{D^M}}(T_D + 2mT_{G_1}, k)$
    where $T_{G_1}$ is the computational time for an exponentiation in $G_1$.

ECKS-PS Protocol Design
An SS-CTA Secure ECKS-PS Based on Random Oracle Assumption
- We use an ideal hash function $H : \{0,1\}^* \to \{0,1\}^l$
- $(g, y = g^{\alpha})$, $(\alpha, \theta)$
- Personal Database: $E(m_i) \,\|\, g^{a_i\theta},\ g^{a_i},\ e(y, H(W_{i,1})^{a_i}), \ldots, e(y, H(W_{i,m})^{a_i})$
- $A = (H(W_{i,p_1}) \times \ldots \times H(W_{i,p_l}))^{\alpha}$, $B = g^{r}$, $p_1, \ldots, p_l$
- Corresponding encrypted results
e( g ai , A) aiθ = e (( g , B) ai ai e( y, H (Wi , p1 )) × ... × e( y, H (Wi , p1 ))
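
The pairing algebra that relates the slide's value A to the stored values $e(y, H(W_{i,j})^{a_i})$ can be checked in a toy model. This is an added example, not the authors' code: it stores each group element as its exponent modulo a constructed prime Q (so it offers no security), leaves out θ and $B = g^r$, and assumes the server compares $e(g^{a_i}, A)$ with the product of the stored values at positions $p_1, \ldots, p_l$; all function names are hypothetical.

```python
# Added example: toy model of the pairing algebra on the ECKS-PS slide.
# NOT secure: a group element g^x is stored as its exponent x mod Q, so all
# discrete logs are visible. It only shows that the equations balance.
import hashlib
import secrets

Q = 2**127 - 1  # prime group order (constructed toy parameter)

def H(word):
    """Hash a keyword to a group element g^h, stored as the exponent h."""
    return int.from_bytes(hashlib.sha256(word.encode()).digest(), "big") % Q

def pair(u, v):
    """e(g^u, g^v) = e(g, g)^(u*v), stored as the exponent u*v mod Q."""
    return (u * v) % Q

def keygen():
    alpha = secrets.randbelow(Q - 1) + 1
    return alpha, alpha  # (alpha, y = g^alpha); identical only in this toy model

def csi(y, keywords):
    """Row data: g^{a_i} and e(y, H(W_{i,j})^{a_i}) for every field j."""
    a = secrets.randbelow(Q - 1) + 1
    return a, [pair(y, H(w) * a % Q) for w in keywords]

def trapdoor(alpha, query):
    """A = (H(W_p1) x ... x H(W_pl))^alpha plus positions; query = {field: word}."""
    positions = sorted(query)
    A = sum(H(query[p]) for p in positions) * alpha % Q  # group product = exponent sum
    return A, positions

def check(row, td):
    """Assumed check: e(g^{a_i}, A) == product of stored values at p_1..p_l."""
    g_a, tags = row
    A, positions = td
    return pair(g_a, A) == sum(tags[p] for p in positions) % Q

# Constructed sample documents with fields (0: sender, 1: receiver, 2: subject).
DOCS = [["Alice", "Bob", "Love"], ["Alice", "Carol", "Invoice"], ["Dave", "Bob", "Love"]]

def search(query):
    alpha, y = keygen()
    rows = [csi(y, d) for d in DOCS]
    td = trapdoor(alpha, query)  # one group element however many keywords
    return [check(r, td) for r in rows]

if __name__ == "__main__":
    print(search({0: "Alice", 2: "Love"}))
```

The value A stays a single group element however many keywords the query names, which matches the constant communication cost stated on the contributions slide.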

Security Results
Standard Assumption
Security theorem
- # of send, hash, trapdoor, CSI queries: $q_s$, $q_T$, $q_C$
- $T_{D^M} \ge T + (q_h + q_T + q_C)\, m\, T_{G_1}$, where $T_{G_1}$ is the computational time for an exponentiation in $G_1$
M Adv Acta ( k , T , qT , q C , q h ) ≤ 2 e m ( qT + 1) 2 qC +1 Adv ∆mdbdh k T ( , D )+ mdbdh
2 qm

Concluding Remarks
Conclusion
- Improvement of Golle et al.'s scheme
  - Communication and storage costs
[Figure labels: qs, qh, qε, qmac; ECKS-PS]
Future works
- SS-CTA secure scheme in the standard assumption
  - It is never an easy problem to design an SS-CTA secure CKS scheme in the standard model while still keeping constant communication and storage costs!
- Design of a CKS scheme without using pairing operations
  - Is it possible to design one while keeping constant communication cost?

Thank you very much !! Q&A E-mail address :
[email protected]