in Searchable Symmetric Encryption Kaoru Kurosawa and Yasuhiro - PowerPoint PPT Presentation

How to Update Documents Verifiably in Searchable Symmetric Encryption Kaoru Kurosawa and Yasuhiro Ohtaki Ibaraki University, Japan

Outline (1) Introduction (2) Our (previous) verifiable SSE scheme (3) Extend it to a dynamic SSE scheme (but not yet fully verifiable) (4) Verifiable dynamic SSE scheme (5) Summary

A Searchable Symmetric Encryption (SSE) scheme • Consists of a store phase and a search phase • Suppose that we have 5 documents and 3 keywords. keyword Documents Austin D 1 , D 3 , D 5 Boston D 2 , D 4 Washington D 1 , D 2 , D 4

In the store phase, • A client stores encrypted files (or documents) and an index I (in a encrypted form) on a server. E(D 1 ), ⋯ , E(D 5 ), I Client Server

In the search phase, • the client sends an encrypted keyword to the server. E(Austin) Client Server

The server somehow returns • the encrypted files E(D 1 ), E(D 3 ), E(D 5 ) which contain the keyword. Client E(D 1 ), E(D 3 ), E(D 5 ) Server

So the client can • retrieve the encrypted files which contain a specific keyword, keeping the keyword and document secret to the server. E(D 1 ), ⋯ , E(D 5 ), I E(Austin) Client E(D 1 ), E(D 3 ), E(D 5 ) Server

By Passive Attack • A malicious server breaks the privacy. • She tries to find the keyword and the documents. Malicious E(Austin) E(D 1 ), E(D 3 ), E(D 5 ) Client Server

The security against passive attacks • has been studied by several researchers. • Curtmola, Garay, Kamara and Ostrovsky showed a rigorous definition of security against passive attacks. • They also gave a scheme which satisfies their definition.

By Active Attack • A malicious server breaks the reliability. • She tries to forge/delete some files or replace E(D 1 ) with another (valid) E(D 2 ). Malicious E(Austin) E(D 1 ), E(D 3 ), E(D 5 ) E(D 2 ) Client Server

The security against active attacks • has been studied by Kurosawa et al. (2011) • They showed a definition of security against active attacks. • They proposed a verifiable SSE scheme – the client can detect any cheating behavior of malicious server. – UC-secure

Dynamic SSE scheme • Kamara et al. showed a dynamic SSE scheme. – the client can add and delete documents. – secure against adaptive chosen keyword attacks. • Subsequently, they showed a parallel and dynamic SSE scheme. • However, these dynamic schemes are not verifiable.

Our contribution Comparison with Previous Works Verifiability Dynamism Curtmola et al. X X Kurosawa et al. O X Kamara et al. X O This paper O O

Outline (1) Introduction (2) Our (previous) verifiable SSE (3) Extend it to a dynamic SSE scheme (but not yet fully verifiable) (4) Verifiable dynamic SSE scheme (5) Summary

Contents of the encrypted index keyword Documents Austin D 1 , D 3 , D 5 Boston D 2 , D 4 Washington D 1 , D 2 , D 4 label document ID Authenticator t(Austin) (1, 3, 5) tag Austin =MAC( t(Austin), (C 1 , C 3 , C 5 ) ) t(Boston) (2, 4) tag Boston =MAC( t(Boston), (C 2 , C 4 ) ) t(Washington) (1, 2, 4) tag Washington =MAC( t(Washington), (C 1 , C 2 , C 4 ) ) t() : some trapdoor function MAC() : some Message Authentication Code

In the search phase, • The server receives t(keyword) and output C= { C 1 , ⋯ , C N }, I t(Austin) C(keyword) tag keyword Search and send them to the client. C(Austin) = { C 1 , C 3 , C 5 } tag Austin

Verify algorithm t(Austin) C 1 , C 3 , C 5 , tag* C 1 , C 3 , C 5 t(Austin) tag* • Accept iff K Verify MAC(t(Austin), C 1 , C 3 , C 5 ) = tag* Accept / Reject

Outline (1) Introduction (2) Our (previous) verifiable SSE (3) Extend it to a dynamic SSE scheme (but not yet fully verifiable) (4) Verifiable dynamic SSE scheme (5) Summary

Extending the previous scheme • When we consider extending our previous scheme to a dynamic scheme, we noticed that the scheme cannot modify documents efficiently.

Suppose the client wants to modify C 1 to C′ 1 • The client must store C′ 1 and two updated authenticators to the server. label document ID Authenticator t(Austin) (1, 3, 5) tag Austin =MAC( t(Austin), (C 1 , C 3 , C 5 ) ) t(Boston) (2, 4) tag Boston =MAC( t(Boston), (C 2 , C 4 ) ) t(Washington) (1, 2, 4) tag Washington =MAC( t(Washington), (C 1 , C 2 , C 4 ) ) • If C 1 includes more keywords, then the client must update more authenticators.

To update efficiently Authenticator • Authenticate for Document 1 MAC(1, C 1 ) (t(Austin), (1, 3, 5)) 2 MAC(2, C 2 ) and 3 MAC(3, C 3 ) each (i, C i ) 4 MAC(4, C 4 ) separately. … … label doc ID Authenticator for index t(Austin) (1, 3, 5) tag Austin =MAC( t(Austin), (1, 3, 5) ) t(Boston) (2, 4) tag Boston =MAC( t(Boston), (2, 4) ) t(Washington) (1, 2, 4) tag Washington =MAC( t(Washington), (1, 2, 4) )

To update C 1 to C′ 1 Authenticator • the client has only to store for Document 1 MAC(1, C' 1 ) just one authenticator on (1, C′ 1 ) 2 MAC(2, C 2 ) no matter how many keywords 3 MAC(3, C 3 ) are included in C 1 . 4 MAC(4, C 4 ) … … label doc ID Authenticator for index t(Austin) (1, 3, 5) tag Austin =MAC( t(Austin), (1, 3, 5) ) t(Boston) (2, 4) tag Boston =MAC( t(Boston), (2, 4) ) t(Washington) (1, 2, 4) tag Washington =MAC( t(Washington), (1, 2, 4) )

Deletion and Addition • To delete a document C 2 the client runs update with a special symbol C′ 2 = delete . • To add a new document D 6 which includes Austin, the client updates the authenticator tag Austin = MAC( t(Austin), (1, 3, 5) ) to tag' Austin = MAC( t(Austin), (1, 3, 5, 6) ).

However, • This scheme is vulnerable against replay attack. • A malicious server may return old (1, C 1 , MAC(1,C 1 ) ) instead of the latest Malicious ( 1, C’ 1 , MAC(1,C ’ 1 ) ). tag Austin , (1, C' 1 , x' 1 ), (3, C 3 , x 3 ), (5, C 5 , x 5 ) Client Server (1, C 1 , x 1 )

So the problem is • How to timestamp on the current/updated (i, C i ) • How to timestamp on the current/updated ( label Austin , (1, 3, 5))

We solved this problem by • using an authentication scheme which posses the timestamp functionality. – Merkle hash tree – Authenticated skip list – RSA accumulator

These schemes • Allows one to hash a set of inputs E= { x 1 ,x 2 ,..., x n } into one short accumulation value Acc(E). • Infeasible to find a set E' such that Acc(E) = Acc (E') , E≠E ' . • Able to construct a "witness" ฀ j that a given input x j was incorporated into Acc(E).

RSA accumulator • Let f be a function randomly chosen from a two-universal function family F = { f a : {0,1} 3l {0,1} l } . • For any y ∈ {0,1} l , we can compute a prime x ∈ {0,1} 3l such that f(x)=y by sampling O( l 2 ) times with overwhelming probability.

RSA accumulator • Let p=2p'+1 and q=2q'+1 be two large primes such that p' and q' are also primes and | pq |>3λ. • Let N=pq. • Let QR N ={ a | x 2 mod N for some x ∈ Z * N }. Then QR N is a cyclic group of size (p-1)(q-1)/4. • Let g be a generator of QR N.

RSA accumulator • For a set E={y 1 , y 2 , ..., y n } with y i ∈ {0,1} l , RSA accumulator works as follows: – For each y i , Alice chooses a prime x i ∈ {0,1} 3l randomly. Let prime (y i ) denote such a prime x i . x i = prime (y i ) – Alice computes accumulated value of set E as x 1 x 2 … x n Acc(E) = g mod N and sends Acc(E) to Bob.

RSA accumulator • Later, Alice proves that y j ∈ E to Bob as follows ： – She computes x 1 x 2 … x j-1 x j+1 … x n π j = g mod N x j = prime (y i ) and sends π j and x j to Bob – Bob verifies that x j Acc(E) = π j mod N

To time stamp in our scheme • We apply the RSA accumulator to the sets E c = { (i, C i ) | i =1, …, n } E I = { (label i , j, [index i ] j ) | i=1 ,…,m , j=1,…,n } and compute their accumulated values A C = Acc(E C ) A I = Acc(E I ) [x] j : j-th bit of x

Update and Verification • The client updates A C each time when he modifies or deletes a document. • He also updates A I each time when he adds a document. • In the search phase, the client checks whether the server returned the valid latest ciphertexts, based on A C and A I .

Outline (1) Introduction (2) Our (previous) verifiable SSE (3) Extend it to a dynamic SSE scheme (but not yet fully verifiable) (4) Verifiable dynamic SSE scheme (5) Summary

Key generation The client first generates set of keys KeyGen K e key of SKE K 0, K 1 keys of PRF K and keeps them secret.

Store phase: File encryption The client first encrypts each document. D 1 D 2 D 3 D 4 D 5 K e E E E E E C 1 C 2 C 3 C 4 C 5

Store phase: Index encryption The plain index is an 5 x 3 binary matrix where e i,j =1 if keyword i is contained in D j, 0 otherwise D 1 D 2 D 3 D 4 D 5 1 2 3 4 5 1 1 0 1 0 1 Austin 2 0 1 0 1 0 Baltimore 3 1 1 0 1 0 Washington

Store phase: Index encryption 1 2 3 4 5 1 1 0 1 0 1 Austin Baltimore 2 0 1 0 1 0 Washington 3 1 1 0 1 0 K 0 1 0 1 0 1 PRF K 1 PRF first 5 bits first 128 bits pad Austin label Austin index Austin

Store phase: Index encryption 1 2 3 4 5 1 1 0 1 0 1 Austin Baltimore 2 0 1 0 1 0 Washington 3 1 1 0 1 0 K 0 K 1 index Austin label Austin label Baltimore index Baltimore label Washington index Washington