1 Secure Indexes Author : Eu-Jin Goh Presented by Yi Cheng Lin.

  • date post

    21-Dec-2015

1

Secure Indexes

Author: Eu-Jin Goh

Presented by Yi Cheng Lin

2

Outline

Introduction
Contribution
Index Scheme
Background
Construction
Choosing Suitable Bloom Filter Parameter

3

Outline

Pseudo-Random Functions
IND-CKA
Z-IDX is an IND-CKA index
Conclusion
Comment

4

Introduction

Keyword indexes let us search in constant time for documents containing specified keywords

Unfortunately, standard index constructions such as those using hash tables are unsuitable for indexing encrypted documents

5

Introduction

In this paper, they formally define a secure index that allows a querier with a “trapdoor” for a word x to test in O(1) time only if the index contains x

The index reveals no information about its contents without valid trapdoors

6

Contribution

The first contribution of this paper is in defining a secure index and formulating a security model for indexes known as semantic security against adaptive chosen keyword attack (IND-CKA)

[Figure: adversary A and the index of document D. D has n words; A knows m words and can’t get any of the n−m unknown words.]

7

Contribution

The second contribution is an efficient IND-CKA secure index construction called Z-IDX, which is built using pseudo-random functions and Bloom filters

Z-IDX scheme is efficient

8

Contribution

Test collection: 2654 plaintext files, Debian Linux, 27.4 megabytes

An index for the average document is roughly 121.4 kilobytes in size

The largest document in this collection is 876.6 kilobytes long and its index is 774.3 kilobytes large

The smallest document is 9 bytes long and its index is 115 bytes large

15151 indexes can be searched in one second on a 866 MHz Pentium 3 machine

9

Index Scheme

Keygen (s): Given a security parameter s, outputs the master private key Kpriv

Trapdoor (Kpriv, w): Given the master key Kpriv and word w, outputs the trapdoor Tw for w

10

Index Scheme

BuildIndex (D, Kpriv): Given a document D and the master key Kpriv, outputs the index ID

SearchIndex(Tw, ID): Given the trapdoor Tw for word w and the index ID for document D, outputs 1 if $w \in D$ and 0 otherwise

11

Index Scheme

[Figure: storing a document]

Alice: Keygen(s): Kpriv; BuildIndex(D1, Kpriv): ID1

Alice → Server: ID1, E(D1) (Store)

Server storage:

Index    Encrypted data
ID1      E(D1)
ID2      E(D2)
…        …

12

Index Scheme

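[Figure: searching]

Alice: Keygen(s): Kpriv; Trapdoor(Kpriv, w): Tw

Alice → Server: Tw

Server: runs SearchIndex(Tw, ID1) against the stored indexes (ID1 with E(D1), ID2 with E(D2), …); the output is 1 or 0

Server → Alice: E(D1), …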

13

Background

Pseudo-random function: is computationally indistinguishable from a random function

Given pairs $(x_1, f(x_1, k)), \ldots, (x_m, f(x_m, k))$, an adversary cannot predict $f(x_{m+1}, k)$ for any $x_{m+1}$

14

Background

Bloom filter: represents a set $S = \{s_1, \ldots, s_n\}$ of $n$ elements by an array of $m$ bits.

All array bits are initially set to 0. The filter uses $r$ independent hash functions $h_1, \ldots, h_r$, where $h_i : \{0,1\}^* \to [1, m]$ for $i \in [1, r]$.

15

[Figure: element $a$ is hashed to the array positions $h_1(a), h_2(a), \ldots, h_r(a)$.]

To determine if an element $a$ belongs to the set $S$: if all bits are 1’s, then $a \in S$; else $a \notin S$

16

Construction

Keygen(s): Given a security parameter s, choose a pseudo-random function $f : \{0,1\}^n \times \{0,1\}^s \to \{0,1\}^s$ and the master key $K_{priv} = (k_1, \ldots, k_r) \xleftarrow{R} \{0,1\}^{sr}$

Trapdoor(Kpriv, w): Given the master key $K_{priv} = (k_1, \ldots, k_r) \in \{0,1\}^{sr}$ and word w, output the trapdoor for word w as $T_w = (f(w, k_1), \ldots, f(w, k_r)) \in \{0,1\}^{sr}$

17

Construction

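BuildIndex(D, Kpriv):

Input: Document D with $D_{id} \in \{0,1\}^n$, a list of words $(w_0, \ldots, w_t) \in \{0,1\}^{nt}$, and $K_{priv} = (k_1, \ldots, k_r) \in \{0,1\}^{sr}$

For each word $w_i$:

trapdoor: $x_1 = f(w_i, k_1), \ldots, x_r = f(w_i, k_r)$

codeword: $y_1 = f(D_{id}, x_1), \ldots, y_r = f(D_{id}, x_r)$

codeword $(y_1, \ldots, y_r)$ → BF for $D_{id}$

Output: $I_{D_{id}} = (D_{id}, BF)$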

18

Construction

SearchIndex(Tw, IDid):

Input: trapdoor $T_w = (x_1, \ldots, x_r) \in \{0,1\}^{sr}$ and index $I_{D_{id}} = (D_{id}, BF)$ for document $D_{id}$

$y_1 = f(D_{id}, x_1), \ldots, y_r = f(D_{id}, x_r)$

Test if BF contains 1’s in all r locations denoted by $y_1, \ldots, y_r$

If so, output 1; otherwise, output 0
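The four algorithms on slides 16 to 18, as an added example that is not code from the paper or the presentation. It assumes f is instantiated with HMAC-SHA256 and that a PRF output is mapped to a Bloom filter position by reduction mod M; the filter size, document identifiers and word sets are constructed values.

```python
import hashlib
import hmac
import os

R = 7      # PRF keys per master key = Bloom filter positions per word
M = 1024   # Bloom filter size in bits (constructed value for this demo)

def prf(key: bytes, msg: bytes) -> bytes:
    # Assumption: f is HMAC-SHA256 (the slides leave f abstract).
    return hmac.new(key, msg, hashlib.sha256).digest()

def keygen(s: int = 32) -> list:
    # Kpriv = (k1, ..., kr), each ki drawn at random, s bytes long.
    return [os.urandom(s) for _ in range(R)]

def trapdoor(kpriv: list, word: str) -> list:
    # Tw = (f(w, k1), ..., f(w, kr))
    return [prf(k, word.encode()) for k in kpriv]

def codeword(doc_id: bytes, tw: list) -> list:
    # yi = f(Did, xi), mapped to a bit position in [0, M).
    return [int.from_bytes(prf(x, doc_id), "big") % M for x in tw]

def build_index(doc_id: bytes, words: set, kpriv: list) -> tuple:
    # IDid = (Did, BF): set the r codeword bits of every word in the document.
    bf = bytearray(M // 8)
    for w in words:
        for y in codeword(doc_id, trapdoor(kpriv, w)):
            bf[y // 8] |= 1 << (y % 8)
    return doc_id, bytes(bf)

def search_index(tw: list, index: tuple) -> int:
    # Server side: uses only Tw and the index, never Kpriv or the word itself.
    doc_id, bf = index
    return int(all((bf[y // 8] >> (y % 8)) & 1 for y in codeword(doc_id, tw)))

if __name__ == "__main__":
    kpriv = keygen()
    # Constructed sample documents: identifier and word set.
    i1 = build_index(b"doc-1", {"bloom", "filter", "index"}, kpriv)
    i2 = build_index(b"doc-2", {"bloom", "trapdoor"}, kpriv)
    t = trapdoor(kpriv, "bloom")
    print(search_index(t, i1), search_index(t, i2))    # "bloom" is in both documents
    print(search_index(trapdoor(kpriv, "filter"), i2)) # "filter" is not in doc-2
    # Same word, different Did: the codewords (bit positions) differ per document.
    print(codeword(b"doc-1", t) != codeword(b"doc-2", t))
```

Because the codeword depends on Did, the same word sets different bits in each document's filter, so two indexes cannot be compared bit by bit to find shared words.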

19

Choosing Suitable Bloom Filter Parameter

Hash functions $h_1, \ldots, h_r$

Insert n distinct elements into an array of size m

The probability that bit i in the array is 0 is $(1 - 1/m)^{rn} \approx e^{-rn/m}$

The probability of a false positive is $(1 - (1 - 1/m)^{rn})^r \approx (1 - e^{-rn/m})^r$

20

Choosing Suitable Bloom Filter Parameter

False positive rate:

$$
\begin{aligned}
fp = (1/2)^r &= (1 - e^{-rn/m})^r \\
1/2 &= 1 - e^{-rn/m} \\
1/2 &= e^{-rn/m} \\
\ln(1/2) &= -rn/m \\
\ln 2 &= r(n/m) \\
m &= rn/\ln 2
\end{aligned}
$$

21

Choosing Suitable Bloom Filter Parameter

Choose suitable m:

              fp = 0.01, r = 7    fp = 0.001, r = 10
n = 1000      10102               14431
n = 10000     101011              144301

22

Pseudo-Random Functions

$f : \{0,1\}^n \times \{0,1\}^s \to \{0,1\}^m$ is a (t, ɛ, q)-pseudo-random function if for any t time oracle algorithm A that makes at most q adaptive queries

23

IND-CKA

Setup: Challenger C creates a set S of q words and gives S to adversary A. A chooses a number of subsets from S. This collection of subsets is called S*. A gives S* to C. C builds an index for each subset in S* and gives the indexes to A.

Queries: A queries C on a word x and receives the trapdoor Tx for x.

24

IND-CKA

Challenge: A picks a non-empty subset $V_0 \in S^*$ and generates another non-empty subset $V_1$ from S such that $|V_0 - V_1| \neq 0$, $|V_1 - V_0| \neq 0$, and the total length of words in $V_0$ is equal to that in $V_1$

Next, A gives $V_0$ and $V_1$ to C, who chooses $b \in \{0,1\}$, invokes BuildIndex($V_b$, Kpriv) to obtain the index $I_{V_b}$ for $V_b$, and returns $I_{V_b}$ to A

25

IND-CKA

Response: A eventually outputs a bit b’, representing its guess for b

The advantage of A in winning this game is defined as $\mathrm{Adv}_A = |\Pr[b = b'] - 1/2|$

We say that an adversary A (t, ɛ, q)-breaks an index if $\mathrm{Adv}_A$ is at least ɛ after A takes at most t time and makes q trapdoor queries to the challenger. We say that I is a (t, ɛ, q)-IND-CKA secure index if no adversary can (t, ɛ, q)-break it

$\mathrm{Adv}_A = |\Pr[b = b'] - 1/2| < \epsilon$

26

Z-IDX is an IND-CKA index

Theorem 3.2. If f is a (t, ɛ, q)-pseudo-random function, then Z-IDX is a (t, ɛ, q/2)-IND-CKA index

We prove the contrapositive, ¬q → ¬p

27

Z-IDX is an IND-CKA index

Proof: Suppose Z-IDX is not a (t, ɛ, q/2)-IND-CKA index, so that an algorithm A (t, ɛ, q/2)-breaks Z-IDX

We build an algorithm B that uses A to determine if f is a pseudo-random function or a random function. Here f is the unknown function that takes as input $x \in \{0,1\}^n$ and returns $f(x) \in \{0,1\}^s$.

28

Z-IDX is an IND-CKA index

Setup: Algorithm B creates a set S of q/2 words and gives S to algorithm A. A chooses a number of subsets from S. This collection of subsets is called S*. A gives S* to B. B builds an index for each subset in S* and gives the indexes to A.

Queries: A queries B on a word x and receives the trapdoor Tx for x.

29

Z-IDX is an IND-CKA index

Response: A eventually outputs a bit b’, representing its guess for b. If b’ = b, then B outputs 0, indicating that it guesses that f is a pseudo-random function. Otherwise, B outputs 1

B takes at most t time because A takes at most t time. Furthermore, B makes at most q queries to f because there are only q/2 strings in S and A makes at most q/2 queries

30

Z-IDX is an IND-CKA index

Claim 1: When f is a pseudo-random function, then

Claim 2: When f is a random function, then

31

Z-IDX is an IND-CKA index

By Claim 1 and Claim 2

But, if f is a (t, ɛ, q)-pseudo-random function

Theorem 3.2. If f is a (t, ɛ, q)-pseudo-random function, then Z-IDX is a (t, ɛ, q/2)-IND-CKA index

32

Conclusion

Z-IDX is efficient for search indexes

Index and document’s size are independent

Property : ”hidden queries”, “controlled searching”, and “query isolation”

33

Comment

Bloom Filter is a probabilistic data structure

Need more space (index’s size ≈ document’s size)