Public Key Encryption with Keyword Search
Authors: Dan Boneh, Giovanni Di Crescenzo, Rafail Ostrovsky, Giuseppe Persiano
Presenter: 陳昱圻
Problem (1/2)
[Figure: a user keeps pre-stored data as ciphertext on an untrusted server and sends it search queries]
Problem (2/2)
[Figure: User1 (Alice) and User2 (Bob) exchange email through a mail server; Bob sends, Alice receives]
Properties
Query isolation: the untrusted server cannot learn anything more about the plaintext than the search result.
Controlled searching: the untrusted server cannot search for an arbitrary word without the user's authorization.
Hidden queries: the user may ask the untrusted server to search for a secret word without revealing the word to the server.
Public key encryption with search: definitions (1/4)
Bob wants to mail Alice, so he sends the following message:
E_Apub(msg), PEKS(Apub, W1), ..., PEKS(Apub, Wk)
Our goal is to enable Alice to give the mail server a trapdoor Tw that lets the server identify all messages containing the keyword W, and learn nothing else about them; the server then simply sends the relevant email back to Alice.
We call this "searchable public-key encryption".
Public key encryption with search: definitions (2/4)
[Figure: Bob sends E_Apub(msg), PEKS(Apub, W1), ..., PEKS(Apub, Wk) to the mail server; Alice sends the trapdoor Tw to search Bob's mail and receives the matching messages]
Public key encryption with search: definitions (3/4)
Def. A non-interactive public key encryption
with keyword search scheme consists of the
following polynomial time randomized
algorithms:
1.KeyGen( s )
2.PEKS ( Apub , W )
3.Trapdoor ( Apriv , W )
4.Test ( Apub , S , Tw )
Public key encryption with search: definitions (4/4)
1. KeyGen(s): takes a security parameter s and generates a public/private key pair Apub, Apriv.
2. PEKS(Apub, W): for a public key Apub and a word W, produces a searchable encryption of W.
3. Trapdoor(Apriv, W): given Alice's private key and a word W, produces a trapdoor TW.
4. Test(Apub, S, TW): given Alice's public key, a searchable encryption S = PEKS(Apub, W'), and a trapdoor TW = Trapdoor(Apriv, W), outputs "yes" if W = W' and "no" otherwise.
PEKS implies Identity Based Encryption
Public key encryption with keyword search is
related to Identity Based Encryption (IBE).
Constructing a secure PEKS appears to be a
harder problem than constructing an IBE.
Lemma 2.3 A non-interactive searchable
encryption scheme (PEKS) that is
semantically secure against an adaptive
chosen keyword attack gives rise to a chosen
ciphertext secure IBE system (IND-ID-CCA).
Proof sketch: given a PEKS (KeyGen, PEKS, Trapdoor, Test), the IBE system is as follows:
1. Setup: run the PEKS KeyGen algorithm to generate Apub / Apriv. The IBE system parameters are Apub; the master key is Apriv.
2. KeyGen: the IBE private key associated with a public key (identity) X in {0,1}* is d_X = [Trapdoor(Apriv, X || 0), Trapdoor(Apriv, X || 1)].
3. Encrypt: encrypt a bit b in {0,1} under the public key X in {0,1}* as CT = PEKS(Apub, X || b).
4. Decrypt: to decrypt CT = PEKS(Apub, X || b) using the private key d_X = [d_0, d_1], output '0' if Test(Apub, CT, d_0) = 'yes' and output '1' if Test(Apub, CT, d_1) = 'yes'.
The resulting system is IND-ID-CCA assuming the PEKS is semantically secure against an adaptive chosen keyword attack. Building non-interactive public-key searchable encryption is therefore at least as hard as building an IBE system.
Constructions
Two constructions for public-key searchable encryption:
(1) an efficient system based on a variant of the Decision Diffie-Hellman assumption (in the random oracle model);
(2) a limited system based on general trapdoor permutations, without random oracles, but less efficient.
How the Diffie-Hellman key exchange works
n (a prime) and g are public values.
Each side chooses a large number: x for Alice and y for Bob.
Each computes the "secret key" g^{xy} mod n.
Verifying the Diffie-Hellman algorithm with numbers
Alice chooses n = 47, g = 3, x = 8 and computes:
g^x mod n = 3^8 mod 47 = 28
Message (1) = {47, 3, 28}
Bob chooses y = 10 and computes:
g^y mod n = 3^10 mod 47 = 17
Message (2) = {17}
Alice computes the session key from Bob's value and her own x:
(g^y mod n)^x = g^{xy} mod n = 17^8 mod 47 = 4
Bob computes the session key from Alice's value and his own y:
(g^x mod n)^y = g^{xy} mod n = 28^10 mod 47 = 4
Session key k = 4
Caveat: with these toy values g = 3 has order 23 modulo 47 (3^23 ≡ 1 mod 47), so only 23 distinct session keys are possible; in practice g must generate a large prime-order subgroup modulo a large prime, or the exchange is done on an elliptic curve.
Construction using bilinear maps (1/5)
Our first construction is based on a variant of
the Computational Diffie-Hellman problem.
Boneh and Franklin [2] used bilinear maps on
elliptic curves to build an efficient IBE system.
Construction using bilinear maps (2/5)
Use two groups G1, G2 of prime order p and a bilinear map e: G1 × G1 → G2 between them. The map satisfies:
1. Computable: given g, h in G1, there is a polynomial time algorithm to compute e(g, h) in G2.
2. Bilinear: for any integers x, y in [1, p], e(g^x, g^y) = e(g, g)^{xy}.
3. Non-degenerate: if g is a generator of G1 then e(g, g) is a generator of G2.
Construction using bilinear maps (3/5)
We build a non-interactive searchable encryption scheme from such a bilinear map, using hash functions H1: {0,1}* → G1 and H2: G2 → {0,1}^{log p}.
KeyGen: the input security parameter determines the size, p, of the groups G1 and G2. Pick a random α in Z_p^* and a generator g of G1. Output Apub = [g, h = g^α] and Apriv = α.
Construction using bilinear maps (4/5)
PEKS(Apub, W): pick a random r in Z_p^*, compute t = e(H1(W), h^r) in G2, and output PEKS(Apub, W) = [g^r, H2(t)].
Trapdoor(Apriv, W): output Tw = H1(W)^α in G1.
Test(Apub, S, Tw): let S = [A, B]. Test whether H2(e(Tw, A)) = B. If so, output 'yes'; otherwise, output 'no'.
Construction using bilinear maps (5/5)
Why Test works: compare H2(e(Tw, A)) with B for S = PEKS(Apub, W) = [g^r, H2(t)].
Left: H2(e(Tw, A)) = H2(e(H1(W)^α, g^r))
Right: B = H2(t) = H2(e(H1(W), h^r)) = H2(e(H1(W), (g^α)^r))
Since e(g^x, g^y) = e(g, g)^{xy}, both sides equal H2(e(H1(W), g)^{αr}), so right = left whenever the trapdoor and the ciphertext were made for the same keyword.
If Test outputs 'yes', the mail server sends Bob's mail to Alice.
Conclusion
Constructing a PEKS is related to Identity
Based Encryption (IBE), though PEKS seems
to be harder to construct.
Our constructions for PEKS are based on
recent IBE constructions. We are able to
prove security by exploiting extra properties
of these schemes.
How can the following idea be used?
[Figure: User1 (Alice) and User2 (Bob) with an untrusted server holding ciphertext; one user stores, the other searches]
Encrypted search system
2008.2.26
陳昱圻
Introduction
Single user
Only the user can obtain the data
The server is only responsible for matching
Windowed interface (a single-machine version is planned first)
Outline
Authentication (confirm the user is authorized)
Read plaintext and display the text
Run encryption, output the ciphertext, and obtain the trapdoor
At search time, let the server do the matching
Then move on to a multi-machine version
Construction
The intermediate processing uses the method described in the paper "Practical Techniques for Searches on Encrypted Data"; it can be modified later if more is added.
Text processing: every word is converted to ASCII code, and all words have the same length after encryption
(http://home.educities.edu.tw/wanker742126/asm/ap04.html)
The server only stores data; the user must know the keyword in order to hand it to the server for the search operation.
Construction (cont.)
[Figure: the user keeps pre-stored data, with E(W), on the untrusted server and searches the ciphertext with a trapdoor; the user holds (Document, Word, Trapdoor), the server holds (E(W), Trapdoor)]