COM S
COM S 453X – Spring 2017
Privacy Preserving Algorithms
and Data Security
Lecture 19: PEKS
Prof. EWD Rozier
Less General Homomorphisms
•
Public key encryption with search
• Need KeyGen(s) -> (Apub,Apriv)
• Need PEKS(Apub, W) -> W’
• Need Trapdoor(Apriv,W) -> Tw
• Need Test(Apub, S, Tw) -> Yes|No
2
COM S
PEKS
•
•
•
Alice runs KeyGen.
Alice generates Trapdoors for keywords she
wants to search.
Bob runs searches for Alice by using Trapdoors
for the Test algorithm.
3
COM S
PEKS
•
Semantic security test
• Ensure that PEKS(Apub,W) doesn’t reveal
anything about W unless Tw is available.
• Assume an attacker can obtain trapdoors for
any W of his choice.
• Attacker should not be able to distinguish an
encrypted keyword W0 from W1 for which he
did not obtain the trapdoor.
4
COM S
PEKS Semantic Security Game
•
Security against an active attack uses a similar
game as before.
• Challenger runs KeyGen to create keys.
Gives public key to the attacker.
• Attacker adaptively asks the challenger for
the trapdoor for any keyword of his choice.
• Attacker sends two challenge words, W0 and
W1. Challenger randomly picks b={0,1} and
sends back C = PEKS(Apub, Wb). C is
referred to as the PEKS Challenge.
5
COM S
PEKS Semantic Security Game
The attacker can continue to ask for
trapdoors Tw for any keyword, W of his
choice as long as W != W0, W1.
• Eventually the attacker guesses b.
Attacker wins if he can guess whether he was
given the PEKS for W0 or W1.
•
•
6
COM S
The PEKS Game shows something
important…
PEKS requires identity-based encryption.
(Adi Shamir 1984)
• Identity based encryption requires unique
information about the identity of the user.
• Any party can generate a public key from the
known identity.
• A trusted third party generates the private key
which corresponds. We call this party the
PKG.
•
7
COM S
IBE System (Boneh/Franklin)
•
•
•
•
PKG runs the following algorithm once.
• Begin with a message space (M) and
ciphertext space (C).
• Create a master key Km.
Extract – User requests his private key from
PKG. PKG authenticates, and securely
transfers (How?) the private key d.
Encrypt – Take (M,C), a message m in M,
outputs an encryption c in C.
Decrypt – Accept d, (M,C), and c in C. Returns
m in M.
8
COM S
What is different here?
9
COM S
A new game
•
•
•
•
•
Say we have two public keys: pk0 and pk1
Say we have ciphertext C formed by encrypting
some data under these keys.
Does the adversary have an advantage of
determining which key was used in the creation
of C?
Under what assumptions?
What are the consequences?
10
COM S
Public-Key Privacy
•
PEKS requires both IBE, and Public-Key
Privacy.
• Why?
11
COM S