Practical Techniques for Searches on Encrypted Data
Authors: Dawn Xiaodong Song, David Wagner, Adrian Perrig
Presenter: 紀汶承
Outline
• Problem
• Properties
• Background and Definitions
• Solution
Problem
[Figure: Alice; search; Bob (untrusted server); pre-stored data; cipher text]
• The pre-stored data is a set of encrypted documents from Alice.
Properties
• Controlled searching: the untrusted server cannot search for an arbitrary word without the user's authorization.
• Hidden searches: the user may ask the untrusted server to search for a secret word without revealing the word to the server.
• Query isolation: the untrusted server cannot learn anything more about the plaintext than the search result.
Background and Definitions
• Pseudorandom generator
• Pseudorandom function
• Pseudorandom permutation
• Let $A : \{0,1\}^n \to \{0,1\}$ be an arbitrary algorithm and let $X$ and $Y$ be random variables distributed on $\{0,1\}^n$. The distinguishing probability of $A$ (sometimes called the advantage of $A$) for $X$ and $Y$ is
$\mathrm{Adv}\,A = |\Pr[A(X) = 1] - \Pr[A(Y) = 1]|$.
Pseudorandom generator
A pseudorandom generator $G$, i.e., a stream cipher. We say that $G : \kappa_G \to S$ is a $(t, e)$-secure pseudorandom generator if every algorithm $A$ with running time at most $t$ has advantage $\mathrm{Adv}\,A < e$. The advantage of an adversary $A$ is defined as $\mathrm{Adv}\,A = |\Pr[A(G(U_{\kappa_G})) = 1] - \Pr[A(U_S) = 1]|$, where $U_{\kappa_G}$, $U_S$ are random variables distributed uniformly on $\kappa_G$, $S$.
Pseudorandom function
A pseudorandom function $F$. We say that $F : \kappa_F \times X \to Y$ is a $(t, q, e)$-secure pseudorandom function if every oracle algorithm $A$ making at most $q$ oracle queries and with running time at most $t$ has advantage $\mathrm{Adv}\,A < e$. The advantage is defined as $\mathrm{Adv}\,A = |\Pr[A^{F_k} = 1] - \Pr[A^{R} = 1]|$, where $R$ represents a random function selected uniformly from the set of all maps from $X$ to $Y$, and where the probabilities are taken over the choice of $k$ and $R$.
Pseudorandom permutation
A pseudorandom permutation $E$, i.e., a block cipher. We say that $E : \kappa_E \times Z \to Z$ is a $(t, q, e)$-secure pseudorandom permutation if every oracle algorithm $A$ making at most $q$ oracle queries and with running time at most $t$ has advantage $\mathrm{Adv}\,A < e$. The advantage is defined as $\mathrm{Adv}\,A = |\Pr[A^{E_k, E_k^{-1}} = 1] - \Pr[A^{\pi, \pi^{-1}} = 1]|$, where $\pi$ represents a random permutation selected uniformly from the set of all bijections on $Z$, and where the probabilities are taken over the choice of $k$ and $\pi$.
Notice that the adversary is given an oracle for encryption as well as for decryption; this corresponds to the adaptive chosen-plaintext/ciphertext attack model.
Our solution with sequential scan
Scheme 1: The basic scheme
[Figure: word block of n bits, split into n-m bits and m bits]
Alice produces $S_i$ and $k_i$, where the $S_i$ are pseudorandom values generated by the pseudorandom generator and $F$ is a pseudorandom function.
Scheme 2: The controlled search
Alice produces $S_i$ and $k'$.
Let $k_i = f_{k'}(W_i)$, where $k'$ is chosen uniformly at random by Alice and never revealed. If Alice wishes to allow Bob to search for the word $W$, she reveals $f_{k'}(W)$ and $W$ to him.
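The controlled search of Scheme 2, as an added example that is not code from the slides or the paper's authors: Alice encrypts word by word, hands Bob a trapdoor for one word, and Bob finds matches by sequential scan. The block layout C_i = W_i xor <S_i, F_{k_i}(S_i)> follows the construction in the Song, Wagner and Perrig paper; HMAC-SHA256 standing in for f, F and the generator, the 16-byte block, the 4-byte check part and all function names are assumptions of this example.

```python
import hashlib
import hmac

N, M = 16, 4  # block size n and check size m, in bytes (constructed parameters)

def prf(key: bytes, msg: bytes, length: int) -> bytes:
    """HMAC-SHA256 standing in for the pseudorandom functions f and F (assumption)."""
    return hmac.new(key, msg, hashlib.sha256).digest()[:length]

def pad(word: str) -> bytes:
    raw = word.encode()
    if len(raw) > N:
        raise ValueError("word longer than one block")
    return raw.ljust(N, b"\0")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(words, seed: bytes, k_prime: bytes):
    """Alice: C_i = W_i xor <S_i, F_{k_i}(S_i)> with k_i = f_{k'}(W_i)."""
    out = []
    for i, word in enumerate(words):
        w = pad(word)
        s_i = prf(seed, b"S" + i.to_bytes(8, "big"), N - M)  # generator output S_i (n-m part)
        k_i = prf(k_prime, w, 32)                            # word-specific key, k' stays secret
        out.append(xor(w, s_i + prf(k_i, s_i, M)))
    return out

def trapdoor(word: str, k_prime: bytes):
    """Alice authorises a search for one word: she reveals W and f_{k'}(W)."""
    w = pad(word)
    return w, prf(k_prime, w, 32)

def search(ciphertext, w: bytes, k: bytes):
    """Bob: sequential scan; block i matches if C_i xor W has the form <s, F_k(s)>."""
    hits = []
    for i, c in enumerate(ciphertext):
        t = xor(c, w)
        if hmac.compare_digest(prf(k, t[:N - M], M), t[N - M:]):
            hits.append(i)
    return hits

if __name__ == "__main__":
    seed, k_prime = b"constructed-seed", b"constructed-k-prime"  # constructed sample keys
    ct = encrypt(["alice", "pays", "bob", "alice"], seed, k_prime)
    print(search(ct, *trapdoor("alice", k_prime)))
```

Without the trapdoor key for a word, Bob cannot test for it, and a false match at any position occurs with probability about 2^-32 for this 4-byte check part.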
Scheme 3: Support for hidden searches
Alice produces $S_i$, $k'$ and $k''$. We let $X_i = E_{k''}(W_i)$.
Let $k_i = f_{k'}(X_i)$, where $k'$ is chosen uniformly at random by Alice and never revealed. If Alice wishes to allow Bob to search for the word $W$, she reveals $f_{k'}(E_{k''}(W))$ and $E_{k''}(W)$ to him.
Scheme 4: The final scheme
Alice produces $S_i$, $k'$ and $k''$. We let $X_i = E_{k''}(W_i)$.
Let $k_i = f_{k'}(L_i)$, where $k'$ is chosen uniformly at random by Alice and never revealed. If Alice wishes to allow Bob to search for the word $W$, she reveals $f_{k'}(E_{k''}(W))$ and $E_{k''}(W)$ to him.