UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.
UC/Garbled Searchable Symmetric Encryption
Kaoru Kurosawa Ibaraki University, Japan

I will talk about
(1) UC-Secure Searchable Symmetric Encryption
    A preliminary version = FC 2012
    Final version = ePrint 2015/251
(2) Garbled Searchable Symmetric Encryption
    FC 2014

Curtmola, Garay, Kamara and Ostrovsky (2006)
• defined privacy of SSE schemes as follows.

In the store phase,
[Diagram: the client sends E(D1), …, E(DN), E(Index) to the server]
the server learns |D1|, …, |DN| and |{keywords}|

In the search phase,
[Diagram: the client sends E(keyword); the server returns C(keyword) = (E(D3), E(D6), E(D10))]
This means that the server knows the corresponding indexes {3, 6, 10}

We call this information
• |D1|, …, |DN| and |{keywords}|
• the corresponding indexes {3, 6, 10}
the minimum leakage.

The privacy definition
• requires that the server should not be able to learn any more information

In the Real Game
[Diagram: the Distinguisher gives D = {D1, …, DN}, W = {set of keywords} and Index to the Challenger; the Challenger returns E(D1), …, E(DN), E(Index)]

In the Simulation Game
[Diagram: the Distinguisher gives D = {D1, …, DN}, W = {set of keywords} and Index to the Challenger; the Challenger gives the Simulator the minimum leakage |D1|, …, |DN| and |{keywords}|; the Simulator somehow returns E(D1), …, E(DN), E(Index)]

In the search phase of the real game
[Diagram: the Distinguisher gives a keyword to the Challenger; the Challenger returns E(keyword)]

In the simulation game,
[Diagram: the Distinguisher gives a keyword to the Challenger; the Challenger gives the Simulator the minimum leakage {3, 6, 10}; the Simulator somehow returns E(keyword)]

Def. of Curtmola et al.
• Privacy is satisfied if there exists a simulator such that
  the real game ≈ the simulation game

We now define
• reliability and strong reliability
• UC security
• Prove a weak equivalence
  (1) UC-secure → privacy + reliability
  (2) privacy + strong reliability → UC-secure
• Show an efficient UC-secure SSE scheme

A malicious server
• tries to forge some files, delete some files,
• or replace E(D3) with E(D100).
[Diagram: the Client sends E(keyword); the malicious Server returns E(D100), E(D6), E(D10) in place of E(D3), E(D6), E(D10)]

Consider an adversary (A1, A2) s.t.
• A1 gives the inputs to the client
• A2 runs the protocol with the client
[Diagram: the adversary (A1, A2) around the Client, with A2 in the server's place]

If A2 is honest,
[Diagram: A1 gives keyword w to the Client; the Client sends E(w) to A2; A2 returns [C(w), Tag]; the Client outputs D(w) = {files which contain w}]

Reliability is satisfied if
the client outputs D(w)′ ≠ D(w) with negligible probability for any (A1, A2)
[Diagram: A1 gives keyword w to the Client; the Client sends E(w) to A2]

Strong reliability is satisfied if
the client accepts [C(w)′, Tag′] ≠ [C(w), Tag] with negligible probability for any (A1, A2)
[Diagram: A1 gives keyword w to the Client; the Client sends E(w) to A2]

We then define
• Reliability, strong reliability
• UC security
• Prove a weak equivalence
  (1) UC-secure → privacy + reliability
  (2) privacy + strong reliability → UC-secure
• Finally, an efficient UC-secure SSE scheme

In the ideal world,
[Diagram: the Environment Z gives D = {D1, …, DN}, W = {set of keywords} and Index to the dummy Client, which passes them to the Ideal Functionality FSSE]

FSSE sends the minimum leakage
[Diagram: FSSE sends |D1|, …, |DN| and |{keywords}| to the UC adversary S]

In the search phase
[Diagram: Z gives a keyword to the dummy Client, which passes it to FSSE]

FSSE sends the minimum leakage
[Diagram: FSSE sends {3, 6, 10} to S]

S returns
[Diagram: S returns Accept or Reject to FSSE]

If S returns Reject, then FSSE sends Reject
[Diagram: FSSE sends Reject to the dummy Client, which passes Reject to Z]

If S returns Accept, FSSE sends D(w) = {D3, D6, D10}
[Diagram: FSSE sends D(w) = {D3, D6, D10} to the dummy Client, which passes it to Z]

Also S and Z can interact freely

This is an ideal world
Because
(Correctness.) The dummy client outputs reject or D(w) correctly
(Security.) The UC adversary S learns only the minimum leakage.

In the real world
Z gives the inputs to the client
the client and the server run the real protocol
[Diagram: Environment Z, Client, Server]

A can corrupt the server and communicate with Z freely
[Diagram: Environment Z, Client, Server, and an Adversary A that corrupts the Server]

We say that
• An SSE scheme is UC-secure if for any adversary A, there exists a UC-adversary S such that
  Pr[Z ⇒ 1 in the real] ≈ Pr[Z ⇒ 1 in the ideal]

We define
• reliability (unforgeability)
  strong reliability (strong unforgeability)
  UC security
• Prove a weak equivalence
  (1) UC-secure → privacy + reliability
  (2) privacy + strong reliability → UC-secure
• Finally, an efficient UC-secure SSE scheme

Suppose that
• There exists an SSE scheme which is UC-secure

In the real world,
Consider A who relays everything to Z
[Diagram: Z gives a keyword to the Client; the Client sends E(keyword) to the Server; A relays E(keyword) to Z]

The real world = the real game of privacy
[Diagram: the same picture, with Z and A as the distinguisher and the Client as the challenger]

In the ideal world,
There exists S which simulates A from the minimum leakage
[Diagram: Z gives a keyword to the dummy client, which passes it to FSSE; FSSE gives S the minimum leakage; S sends E(keyword) to Z]

The ideal world = the ideal game of privacy
[Diagram: the same picture, with Z as the distinguisher, the dummy client and FSSE as the challenger, and S as the simulator]

Therefore
• if the SSE scheme is UC-secure, then privacy is satisfied.

Next, for a reliability adversary (A1, A2),
[Diagram: A1, Client, A2; A1 and A2 form the Adversary]

Consider (Z, A) s.t.
Z = A1
A = A2
[Diagram: Client and Server, with Z = A1 and the Adversary A = A2]

In the corresponding ideal world,
The dummy client never outputs D(w)′ ≠ D(w), from the definition of FSSE
[Diagram: Z gives w to the dummy Client, which passes it to FSSE; FSSE returns D(w) or reject, which the dummy Client passes to Z]

Hence
• In the real world, the client outputs D(w)′ ≠ D(w) with negligible probability.
• Therefore reliability is satisfied

We define
• reliability (unforgeability)
  strong reliability (strong unforgeability)
  UC security
• Prove a weak equivalence
  (1) UC-secure → privacy + reliability
  (2) privacy + strong reliability → UC-secure
• Finally, an efficient UC-secure SSE scheme

Suppose that
• There exists an SSE scheme which satisfies privacy and strong reliability

Game 0 = Real world
[Diagram: Z gives keyword w to the Client; the Client sends E(w) to the Server; the Server returns C(w), Tag; the Client outputs D(w) or reject to Z; the Adversary A stands beside the Server]

In Game 1,
• If A instructs the server to return an invalid message [C(w)′, Tag′] ≠ [C(w), Tag],
  then the server returns reject to the client, and the client sends reject to Z
• Otherwise the server returns accept to the client, and the client outputs D(w) = {files which contain the keyword w}

• Game 1 and Game 0 are indistinguishable
• because the SSE scheme satisfies strong reliability.

In Game 2,
[Diagram: the client is split into Client 1 and Client 2, alongside Z, A and the server; labels: w, E(w), accept or reject, D(w) or reject]

• From the viewpoint of Z, Game 2 and Game 1 are the same

In Game 3,
[Diagram: Game 2 with a simulator of privacy added; labels: minimum leakage, E(w), accept / reject]

Game 3 = simulation game of privacy
[Diagram: Game 3 relabeled with a distinguisher and a challenger; labels: keyword, E(w), minimum leakage, accept / reject]

Game 2 = real game of privacy
[Diagram: Game 2 relabeled with a distinguisher and a challenger; labels: keyword, E(w), accept / reject]

Therefore
• Game 3 and Game 2 are indistinguishable
• because the SSE scheme satisfies privacy

Finally Game 3 = the ideal world
[Diagram: Game 3 with FSSE and the UC adversary S marked; labels: simulator S0, minimum leakage, accept / reject]

Namely
• Game 0 = the real world
• Game 3 = the ideal world
• and Z cannot distinguish them
• Therefore the SSE scheme is UC-secure.

We define
• reliability (unforgeability)
  strong reliability (strong unforgeability)
  UC security
• Prove a weak equivalence
  (1) UC-secure → privacy + reliability
  (2) privacy + strong reliability → UC-secure
• Show an efficient UC-secure SSE scheme

Consider this example

            D1   D2   D3   D4   D5
    Austin   1    0    1    0    1
    Boston   0    1    0    1    0

The client computes

                  E(D1) E(D2) E(D3) E(D4) E(D5)
    PRP(Austin)   (  1     0     1     0     1  )
    PRP(Boston)   (  0     1     0     1     0  )

where PRP means pseudorandom permutation

and adds

                  E(D1) E(D2) E(D3) E(D4) E(D5)
    PRP(Austin)   (  1     0     1     0     1  ) + PRF(Austin)
    PRP(Boston)   (  0     1     0     1     0  ) + PRF(Boston)

where PRF means pseudorandom function.

The client stores this table

                  E(D1) E(D2) E(D3) E(D4) E(D5)
    PRP(Austin)   (  1     0     1     0     1  ) + PRF(Austin)
    PRP(Boston)   (  0     1     0     1     0  ) + PRF(Boston)

+
TagA = MAC(PRP(Austin), E(D1), E(D3), E(D5))
TagB = MAC(PRP(Boston), E(D2), E(D4))

In the search phase,
For a keyword Austin, the client sends
E(Austin)

The server decrypts (10101)

And returns
E(D1), E(D3), E(D5), TagA
[Diagram: the client's message is E(Austin) = {PRP(Austin), PRF(Austin)}]

The client accepts if
TagA = MAC(PRP(Austin), E(D1), E(D3), E(D5))
[Diagram: the client sends PRP(Austin) and PRF(Austin); the server returns E(D1), E(D3), E(D5), TagA]
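
The store, search and verify steps above, as an added Python example (not code from the talk or the paper). It assumes HMAC-SHA256 under separate keys as a stand-in for the PRP, the PRF and the MAC, and an HMAC-based stream cipher as a stand-in for E; the function names and file contents are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Stand-ins (assumptions of this example, not the talk's instantiation):
# HMAC-SHA256 under separate keys plays PRP, PRF and MAC; E is an
# HMAC-based stream cipher with a fresh random nonce per file.

def prf(key, data, n=32):
    """n pseudorandom bytes from HMAC-SHA256 in counter mode."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big") + data, hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc(key, pt):
    nonce = secrets.token_bytes(16)
    return nonce + xor(pt, prf(key, nonce, len(pt)))

def dec(key, ct):
    return xor(ct[16:], prf(key, ct[:16], len(ct) - 16))

def mac_tag(key, parts):
    """MAC over a length-prefixed list, so component boundaries are bound too."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(4, "big") + p)
    return m.digest()

def store(keys, docs, index):
    """Client side. index maps keyword -> set of 1-based file numbers."""
    n = len(docs)
    cts = [enc(keys["enc"], d) for d in docs]
    table = {}
    for w, ids in index.items():
        bits = bytes(1 if i + 1 in ids else 0 for i in range(n))   # e.g. (1 0 1 0 1)
        addr = prf(keys["prp"], w.encode())                        # PRP(w): row address
        masked = xor(bits, prf(keys["prf"], w.encode(), n))        # row + PRF(w)
        tag = mac_tag(keys["mac"], [addr] + [cts[i - 1] for i in sorted(ids)])
        table[addr] = (masked, tag)
    return cts, table

def trapdoor(keys, w, n):
    """E(w) = {PRP(w), PRF(w)}."""
    return prf(keys["prp"], w.encode()), prf(keys["prf"], w.encode(), n)

def server_search(cts, table, addr, mask):
    """Honest server: unmask the row, return the matching ciphertexts and the tag."""
    masked, tag = table[addr]
    bits = xor(masked, mask)
    return [cts[i] for i, b in enumerate(bits) if b], tag

def client_verify(keys, w, result, tag):
    """Recompute the MAC over (PRP(w), returned ciphertexts); None means reject."""
    addr = prf(keys["prp"], w.encode())
    if not hmac.compare_digest(mac_tag(keys["mac"], [addr] + list(result)), tag):
        return None
    return [dec(keys["enc"], c) for c in result]

def demo():
    keys = {k: secrets.token_bytes(32) for k in ("enc", "prp", "prf", "mac")}
    docs = [f"file D{i}".encode() for i in range(1, 6)]            # constructed files
    index = {"Austin": {1, 3, 5}, "Boston": {2, 4}}
    cts, table = store(keys, docs, index)
    addr, mask = trapdoor(keys, "Austin", len(docs))
    result, tag = server_search(cts, table, addr, mask)
    honest = client_verify(keys, "Austin", result, tag)
    # Malicious server: E(D3) replaced by another stored ciphertext, or a file dropped.
    swapped = client_verify(keys, "Austin", [result[0], cts[1], result[2]], tag)
    dropped = client_verify(keys, "Austin", result[:2], tag)
    return honest, swapped, dropped

if __name__ == "__main__":
    print(demo())
```

Because the tag binds PRP(Austin) to the exact ciphertext list, both the substituted and the truncated answers are rejected even though every ciphertext in them was honestly produced by the client.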

Theorem
• The above SSE scheme satisfies privacy and strong reliability if E is CPA-secure
Corollary
• The above SSE scheme is UC-secure

So far,
• single keyword search SSE schemes.
Next
• multiple keyword search SSE schemes.

Wang et al. (2008)
• Showed a multiple keyword SSE scheme for AND search.

At CRYPTO 2013,
• Cash, Jarecki, Jutla, Krawczyk, Rosu, and Steiner showed an SSE scheme
• which can support any search formula f (in the random oracle model).
• The communication overhead is sublinear in N,
• where N = the number of files.

However,
• the search formula f is revealed to the server and
• the search phase requires 2 rounds.

                  Search phase   Search formula
    Cash et al.   2 rounds       revealed

In their scheme,
If "Japan AND Crypto" is searched, the following information is leaked to the server
• the search formula = AND
• the search result of Japan or that of Crypto
• and some more information (see Sec. 5.3 of their paper)

Kurosawa (FC 2014)
• even the search formula f is kept secret.
• the search phase requires only 1 round.

                  Search phase   Search formula
    Cash et al.   2 rounds       revealed
    Proposed      1 round        secret

In my scheme
only the following information is leaked (other than the minimum leakage)
• The topological circuit f⁻
• (π(j1), …, π(jc)),
where π is a random permutation and {wj1, …, wjc} are the queried keywords

If this is the search formula f,
[Diagram: a circuit over input wires 1, 2, 3, 4 with gates XOR, AND and OR]

This is the topological circuit f⁻
[Diagram: the same wires 1, 2, 3, 4 with no gate names]

On the other hand,
• The communication overhead is O(N),
• while it is sublinear in N in Cash et al.'s scheme,
• where N = the number of files.

The proposed SSE scheme
• is based on Yao's garbled circuit.

A garbled circuit of f
• is an encoding garble(f) such that
• one can compute f(X) from garble(f) and label(X)
  without learning anything on f and X.
[Diagram: garble(f), label(X) → f(X)]

Consider f(x1, x2) = (x1 and x2)

    x1   x2   x3
     0    0    0
     0    1    0
     1    0    1
     1    1    1

[Diagram: a gate with inputs x1 = 0, x2 = 1 and output x3 = 0]

garble(f) is a truth table encoded by random strings

    x1   x2   x3
    A0   B0   H(A0,B0) + 0
    A0   B1   H(A0,B1) + 0
    A1   B0   H(A1,B0) + 0
    A1   B1   H(A1,B1) + 1

[Diagram: a gate with inputs A0, B1 and output x3 = 0]

label(X) is these random strings
[Diagram: the same table and gate; the gate inputs A0, B1 are label(X)]

In this example, x3 = 0 is obtained by computing H(A0,B1)
[Diagram: the same table, marked garble(f), and the gate inputs A0, B1, marked label(X)]
![Page 85: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/85.jpg)
High level overview of the proposed scheme
w1 w2 w3
D1 1 1 1D2 1 0 0
keywords
files
Consider this example.
85
![Page 86: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/86.jpg)
Let
w1 w2 w3
D1 (1 1 1)=X1
D2 (1 0 0)=X2
86
![Page 87: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/87.jpg)
The client computes
w1 w2 w3
D1 label(X1)D2 label(X2)
87
![Page 88: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/88.jpg)
The client also computes
PRP(w1) PRP(w2) PRP(w3)E(D1) label(X1)E(D2) label(X2)
88
![Page 89: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/89.jpg)
and sends
PRP(w1) PRP(w2) PRP(w3)E(D1) label(X1)E(D2) label(X2)
Server89
![Page 90: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/90.jpg)
In the search phase,
• Suppose that the client wants to search on f(w1,w2,w3)=w1 w⋀ 2 w⋀ 3
• He computes the garbled circuits of f: Γ1 for D1 and
Γ2 for D2.
90
![Page 91: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/91.jpg)
PRP(w1), …, PRP(w3) Γ1
Γ2
The client sends
91
![Page 92: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/92.jpg)
PRP(w1), …, PRP(w3) Γ1
Γ2
The server has this tablePRP(w1) PRP(w2) PRP(w3)
E(D1) label(X1)E(D2) label(X2)
92
![Page 93: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/93.jpg)
PRP(w1), …, PRP(w3) Γ1
Γ2
The server computes f(X1) fromPRP(w1) PRP(w2) PRP(w3)
E(D1) label(X1)E(D2) label(X2)
label(X1) Γ1 f(X1)=1
garbled circuit93
![Page 94: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/94.jpg)
PRP(w1), …, PRP(w3), Γ1, Γ2
Similarly she computes f(X2)
PRP(w1) PRP(w2) PRP(w3)
E(D1) label(X1)
E(D2) label(X2)
garbled circuit: Γ2, label(X2) → f(X2)=0
![Page 95: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/95.jpg)
If f(X1)=1 and f(X2)=0,
the server returns E(D1).
![Page 96: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/96.jpg)
However, if label(X) is reused, then some information on (f, X) is leaked.
garble(f), label(X) → f(X)
![Page 97: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/97.jpg)
We use counter as an additional input to H
x1  x2  x3
A0  B0  H(counter, A0, B0) + 0
A0  B1  H(counter, A0, B1) + 0
A1  B0  H(counter, A1, B0) + 0
A1  B1  H(counter, A1, B1) + 1
A0, B1 → x3 = 0
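Added example (not part of the talk or of the paper's code): a Python sketch of the search phase above for f = w1 ⋀ w2 ⋀ w3, with every row masked by H(counter, A, B), plus a check of what the rows reveal when the same label(X) is garbled twice under one counter. SHA-256 as H, the gate id passed to H, the select-bit row ordering and all function names are assumptions of this sketch.

```python
# Added sketch; SHA-256 as H, gate id in H and select-bit row order are assumptions.
import hashlib, secrets
from operator import and_ as AND, or_ as OR

def H(counter, gate, a, b):
    return hashlib.sha256(counter.to_bytes(8, "big") + bytes([gate]) + a + b).digest()[:16]

def xor(x, y):  # zip truncates: a 1-byte row uses only the first mask byte
    return bytes(p ^ q for p, q in zip(x, y))

def new_wire():
    """128-bit labels for bit 0 and bit 1; low bit of the last byte is a select bit."""
    s = secrets.randbits(1)
    return tuple(secrets.token_bytes(15) + bytes([secrets.randbits(7) << 1 | (s ^ v)])
                 for v in (0, 1))

def garble_gate(counter, gate, op, wa, wb, out=None):
    """Rows H(counter, A, B) + value; value is the output bit when out is None."""
    rows = [None] * 4
    for i in (0, 1):
        for j in (0, 1):
            a, b, v = wa[i], wb[j], op(i, j)
            plain = out[v] if out else bytes([v])
            rows[(a[-1] & 1) * 2 + (b[-1] & 1)] = xor(H(counter, gate, a, b), plain)
    return rows

def eval_gate(counter, gate, rows, a, b):
    """Server side: unmask the one row selected by the two labels it holds."""
    return xor(rows[(a[-1] & 1) * 2 + (b[-1] & 1)], H(counter, gate, a, b))

def garble_f(counter, wires):
    """Gamma for f(w1, w2, w3) = w1 AND w2 AND w3 over one document's input wires."""
    mid = new_wire()  # fresh internal wire for every garbling
    return [garble_gate(counter, 0, AND, wires[0], wires[1], mid),
            garble_gate(counter, 1, AND, mid, wires[2])]

def search(counter, gamma, labels):
    """Evaluate Gamma on the stored label(X); returns the bit f(X)."""
    mid = eval_gate(counter, 0, gamma[0], labels[0], labels[1])
    return eval_gate(counter, 1, gamma[1], mid, labels[2])[0]

def reuse_leak(wires, counter_and, counter_or):
    """XOR, row by row, a final AND gate and a final OR gate on the same input wires."""
    g_and = garble_gate(counter_and, 0, AND, wires[0], wires[1])
    g_or = garble_gate(counter_or, 0, OR, wires[0], wires[1])
    return sorted(xor(r, s)[0] for r, s in zip(g_and, g_or))

if __name__ == "__main__":
    w = [new_wire() for _ in range(3)]  # constructed document with X = (1, 0, 1)
    print(search(7, garble_f(7, w), [w[0][1], w[1][0], w[2][1]]), reuse_leak(w, 1, 1))
```

With equal counters the masks cancel and reuse_leak returns the XOR of the AND and OR truth tables, which is information on f; with distinct counters the same row-wise XOR is masked by two unrelated hash outputs.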
![Page 98: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/98.jpg)
Formally
Bellare et al. (2012) defined garbling schemes: Input-circuit privacy
Kurosawa (2014) extended them to extended garbling schemes: label reusable privacy
![Page 99: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/99.jpg)
Label reusable privacy
• Even if label(X) is reused for multiple garbled circuits Γ1, Γ2, …,
• no information on X and (f1, f2, …) is leaked, where Γi is a garbled circuit of fi
![Page 100: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/100.jpg)
Theorem 1
• Our construction satisfies label reusable privacy in the random oracle model
![Page 101: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/101.jpg)
Theorem 2
If the underlying extended garbling scheme satisfies label reusable privacy,
only the following information is leaked (other than the minimum leakage):
![Page 102: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/102.jpg)
• The topological circuit f⁻
• (π(j1), …, π(jc)), where π is a random permutation and {wj1, …, wjc} are the queried keywords
![Page 103: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/103.jpg)
Communication overhead of the proposed scheme
• Let
  m = # of files
  c = # of search keywords
  s = # of gates of f
• In the search phase, the communication overhead is |counter| + (c + 4m(s-1)) × 128 + 4m bits
![Page 104: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/104.jpg)
If # of search keywords is 2
• The communication overhead is |counter| + 256 + 4 × (# of files) bits
![Page 105: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/105.jpg)
Computer simulation
• We used the following computer:
  2.4 GHz CPU and 32 GB RAM
  OS = CentOS 6.5
  C++ and NTL library
• The total # of keywords is 20.
![Page 106: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/106.jpg)
The running time of the client in the search phase
![Page 107: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/107.jpg)
The running time of the server in the search phase
![Page 108: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/108.jpg)
Summary
(1) UC-Secure Searchable Symmetric Encryption
    A preliminary version = FC 2012
    Final version = ePrint 2015/251
(2) Garbled Searchable Symmetric Encryption
    FC 2014
![Page 109: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/109.jpg)
Open problem (1)
• Construct a multiple keyword SSE scheme such that
• The communication overhead is sublinear in N
• And the leakage is as small as possible
• In the standard model
![Page 110: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/110.jpg)
Open problem (2)
• In all the known single keyword SSE schemes, E(keyword) is deterministic
• Hence if the client sends E(keyword) twice, this search pattern is leaked.
• So construct a UC-secure scheme such that even the search pattern is kept secret
![Page 111: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/111.jpg)
Open problem (3)
• Prove the tight equivalence between UC security and some stand-alone security
![Page 112: UC/Garbled Searchable Symmetric Encryption Kaoru Kurosawa Ibaraki University, Japan.](https://reader036.fdocuments.in/reader036/viewer/2022062519/5697bfd11a28abf838cab3fe/html5/thumbnails/112.jpg)
Thank you!