Public Key Encryption with Keyword Search
Authors: D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano
Presented by Brijesh

Mobile People Architecture (Stanford)

MPA focuses on people (and not devices) as endpoints of communication.
A personal proxy maintains a list of the devices a person is currently reachable on and routes messages based on urgency, keywords, etc.

MPA (simple example)

[Diagram labels: Mail server; Proxy manager; Devices (A is currently reachable on): pager, Email (desktop); incoming messages: To A, M, "urgent" and To A, M, "lunch"]

Server gets to read all messages and the keywords!
How to secure email without violating user privacy?

Basic Problem

[Diagram: B sends email encrypted under Apub to the mail server / gateway (stores only encrypted emails); A gives the server Tw (trapdoor for keyword w); the server's check returns yes/no]

Now the server can't read the messages.
Problem: how does the server check for keywords in the encrypted mail?

Basics

B sends to the mail server:
[E_Apub[msg], PEKS(Apub,W1), PEKS(Apub,W2), ..., PEKS(Apub,Wk)]
E_Apub[msg]: encrypted mail for A
PEKS(Apub,Wi): PEKS for each keyword

Goals


Given a searchable encryption of the keyword
w’ by B and a trapdoor for w by A, the server
should be able to find out all messages
having keyword w’ (if w’ = w) and learn
nothing more about the keywords.
Also, the server shouldn’t learn anything
about the encrypted email itself.
PEKS Definitions

Polynomial time randomised algorithms

KeyGen(s) → Apub, Apriv
PEKS(Apub, W) → searchable encryption of W
Trapdoor(Apriv, W) → trapdoor Tw
Test(Apub, S, Tw) → Yes if W = W’, No otherwise (S = PEKS(Apub, W’))

Sample Application

Mail server – stores all incoming mails
[Search mail with keyword “urgent”]enc
M2, M5, M13
Server doesn’t learn anything about the messages!
Construction using Bilinear Maps

Bilinear maps

e(g^x, g^y) = e(g,g)^(xy)
If g is a generator of G1, e(g,g) is a generator of G2
e is computable in polynomial time.

Construction using Bilinear Maps

KeyGen: random α
Apub = [g, h = g^α]
Apriv = α

PEKS(Apub, w):
Sender picks a random r
t = e(H1(w), h^r), where H1: {0,1}* → G1
Output S = [A, B] = [g^r, H2(t)]

Construction using Bilinear Maps

Trapdoor(Apriv, w) (receiver):
Output Tw = H1(w)^α ∈ G1

Test (on the sender's S = [A, B]):
Test if H2(e(Tw,A)) = B
Or H2(e(Tw,A)) = H2(t)
Or e(Tw,A) = t
Or e(Tw,g^r) = t

Construction using Bilinear Maps - Testing

H1: {0,1}* → G1, so we can write H1(w) as g^m

e(Tw, g^r) = e(H1(w)^α, g^r)
           = e(g^(m1·α), g^r)
           = e(g,g)^(m1·α·r)

t = e(H1(w), h^r)
  = e(g^m2, g^(α·r))
  = e(g,g)^(m2·α·r)

If the Tw and PEKS correspond to the same w, there is a match (as m1 = m2)

We have managed to check for keywords in encrypted messages without allowing the server to learn anything about the messages or the keywords

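The KeyGen / PEKS / Trapdoor / Test steps from the slides above, as an added example that is not code from the presentation or the paper. It assumes a toy "exponent model" of the pairing (each group element is stored as its discrete log), which gives no security and only lets the algebra be checked; Q, peks_test, matching and the sample mailbox are names and values constructed for this example.

```python
import hashlib
import secrets

# Toy pairing model (assumption of this example, NOT secure): a G1 element g^a
# is stored as its exponent a mod Q and a G2 element e(g,g)^c as c mod Q, so
# x^k becomes x*k mod Q and e(g^a, g^b) = e(g,g)^(ab) becomes a*b mod Q.
Q = 2**127 - 1   # prime group order (constructed parameter)
G = 1            # the generator g = g^1

def e(a, b):
    """Bilinear map G1 x G1 -> G2 in the exponent model."""
    return a * b % Q

def H1(w):
    """Hash a keyword into G1, i.e. H1(w) = g^m for some m."""
    return int.from_bytes(hashlib.sha256(b"H1" + w.encode()).digest(), "big") % Q

def H2(t):
    """Hash a G2 element to a fixed-length string."""
    return hashlib.sha256(b"H2" + t.to_bytes(16, "big")).hexdigest()

def keygen():
    alpha = secrets.randbelow(Q - 1) + 1
    return (G, G * alpha % Q), alpha          # Apub = [g, h = g^alpha], Apriv = alpha

def peks(apub, w):
    g, h = apub
    r = secrets.randbelow(Q - 1) + 1          # fresh random r for every keyword
    t = e(H1(w), h * r % Q)                   # t = e(H1(w), h^r)
    return g * r % Q, H2(t)                   # S = [A, B] = [g^r, H2(t)]

def trapdoor(apriv, w):
    return H1(w) * apriv % Q                  # Tw = H1(w)^alpha

def peks_test(apub, s, tw):
    a, b = s
    return H2(e(tw, a)) == b                  # Test: H2(e(Tw, A)) = B ?

def matching(apub, mailbox, tw):
    """Server side: indices of mails carrying a PEKS value that matches Tw."""
    return [i for i, tags in enumerate(mailbox)
            if any(peks_test(apub, s, tw) for s in tags)]

if __name__ == "__main__":
    apub, apriv = keygen()
    # Constructed mailbox: keyword tags B attached to three encrypted mails
    mailbox = [[peks(apub, k) for k in ks]
               for ks in (["lunch"], ["urgent", "board"], ["urgent"])]
    print(matching(apub, mailbox, trapdoor(apriv, "urgent")))
```

Because r is fresh for every call, two PEKS values for the same keyword differ, yet both match the single trapdoor for that keyword.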
Construction using Bilinear
Maps



We need H1 as it maps keywords onto G1
Sender chooses a random r each time for
each keyword. Choice of r is independent of
receiver.
Does H2 provide any benefit? It wasn’t
included in the original construction.
Construction using any
trapdoor permutation

Assumptions


Number of keywords is bounded by some
polynomial function in the security
parameter
We need a public key system that is source
indistinguishable.

It should be computationally hard to say which
public key a ciphertext is associated with.
Construction using any trapdoor permutation

For each keyword w:
Generate PKw and Privw (hence, the number of keywords has to be limited)
PEKS: output (M, E[PKw, M]), where M is random for keyword w.
Trapdoor: for keyword w, Tw = Privw
Test: if decryption gives M again, output Yes, else No
It relies on source indistinguishability of the encryptions

PEKS security Game

Semantically secure against adaptive chosen keyword attack.

Attacker picks W0, W1
Random b ∈ {0,1}
Attacker receives PEKS(Apub, Wb)
(Can have many rounds)
Attacker guesses b’
If b’ = b, attacker wins
Adv_A(s) = |Pr[b’ = b] - 1/2| is very small

Issues

The sender of the mail needs to explicitly mention what the keywords are.
Also, keywords may not be relevant to the message at all.
Ideally, we need a system in which we can query the encrypted mail itself for keywords, i.e., without having to append PEKS for each keyword along with the mail. Can we do away with PEKS values?

Issues

The same trapdoor can be used many times in the future as well by the mail server?
Can an attacker reuse the trapdoor to get some information about the message or the keyword?

Open problem

I'm not sure if this has been done before or if it is possible.
We want to be able to search the encrypted message itself for any word, given some trapdoor information.

Questions