Multimedia Network Security Laboratory

Protecting the Privacy of Users in Retrieving Valuable Information by a PIR Scheme with Mutual Authentication by RSA Signature Algorithm

Date: 2010.10.1
Reporter: Chien-Wen Huang
Source: Innovative Computing, Information and Control, 2007. ICICIC '07. Second International Conference

Outline
1 Introduction
2 Related work
3 The proposed PIR scheme
4 Security analysis of the proposed scheme and comparisons with others
5 Conclusions and future work

Introduction
Motivation: a user queries a patent database, but the server must not learn which patent the user queried.
Private Information Retrieval (PIR): the initial research on PIR was done by Chor et al. (1995); Beimel proposed several robust PIR schemes (2004).
Results: a new one-server PIR scheme with mutual authentication between the user and the server.

Related work
Computational Private Information Retrieval
Chor et al. introduced the CPIR scheme (moving from information-theoretic security to computational security).
Kushilevitz et al. proposed a CPIR scheme based on the quadratic residuosity assumption.
Cachin et al. proposed a CPIR scheme based on the Φ-Hiding assumption.

Private Information Retrieval Using a Secure Coprocessor (SC)
An SC is a tamper-proof device with a small memory; it is designed to prevent anybody from accessing that memory.
It overcomes the limitation of CPIR, which can only deal with one bit per query, and brings the communication complexity down to O(1); the server's computation complexity is still O(n).
To keep the server from learning the access pattern, in the k-th query the SC must read all previously accessed records and one unread record.

The proposed PIR scheme

1. Registering phase:
1) User U calculates $e_u$ and $d_u$ with $e_u d_u \equiv 1 \pmod{\phi(n)}$.
2) User U computes $C_1 = E_{PK_{SC}}(ID_U, e_u, n)$ and sends it to the SC.
3) On receiving $C_1$, the SC decrypts it with its private key $SK_{SC}$ and stores $(ID_U, e_u, n)$ in the ID file in server S.

2. Preprocessing phase:
The preprocessing phase produces a shuffled copy of DB in server S and a shuffled index in the SC.

3. Online-query phase:
1) U selects $r_u$ (one part of the session key) and sends $C_2 = E_{PK_{SC}}(ID_U, E_{PK_{SC}}(r_u))$ to the SC.
2) The SC decrypts $C_2$ with its private key $SK_{SC}$ to get $ID_U$ and $r_u$.
3) The SC selects a random number $r_s$ (the other part of the session key), calculates the session key $K = K_{su} = r_s \oplus r_u$, and sends $C_3 = (r_s, E_K(r_u))$ to the user.
4) User U calculates the session key $K' = K_{us} = r_u \oplus r_s$ and decrypts $E_K(r_u)$ with $K'$. If the result equals $r_u$, user U sends $E_K(Query)$ to the SC; otherwise it stops.
5) User U calculates $C_4 = M^{d_u} \bmod n$, where $M = h(ID_U, r_s, r_u)$, and sends it to the SC.
6) The SC checks whether $C_4^{e_u} \bmod n = h(ID_U, r_s, r_u) \bmod n = M$. If so, it proceeds to the next step; otherwise it stops the online query.
7) The SC reads $R_i$ from the shuffled database according to the shuffled index and sends $E_K(R_i)$.
8) User U decrypts $E_K(R_i)$ with $K'$.

Security analysis of the proposed scheme and comparisons with others

The proposed scheme is a mutual authentication scheme
Lemma 1. The proposed scheme correctly authenticates a legal user U.
Proof: Suppose an impersonator E can generate $C_4' = M^{d_E}$ in step 5 such that $(M^{d_E})^{e_u} \equiv M \pmod n$, so that E is authenticated successfully in step 6. Then $d_E e_u = d_u e_u + k'\phi(n)$, i.e. $d_E e_u \equiv d_u e_u \pmod{\phi(n)}$, and hence $d_E \equiv d_u \pmod{\phi(n)}$: E must hold U's private exponent.

Lemma 2. The proposed scheme correctly authenticates server S (with the SC in it).
Proof: 1. If the SC knows the secret key $SK_{SC}$, it can decrypt $C_2$ to obtain $r_u$ and calculate the session key $K_{su} = r_s \oplus r_u$. 2. User U calculates the session key $K_{us} = r_u \oplus r_s$. Thus the session keys $K_{su}$ and $K_{us}$ are the same value.
Theorem 3. The proposed scheme is a mutual authentication scheme (Lemmas 1 and 2).

The proposed scheme is a secure scheme
The key exchange scheme is secure if the following requirements are satisfied:
1. If both participants honestly execute the scheme, then the session key is $K = K_{su} = K_{us}$.
2. No one can calculate the session key except the participants (U and the SC in server S).
3. The session key is indistinguishable from a truly random number.

Lemma 4. The proposed scheme satisfies the first requirement.
Proof: $K_{su} = r_s \oplus r_u = r_u \oplus r_s = K_{us}$.
Lemma 5. The proposed scheme satisfies the second requirement.
Proof: $K_{su} = r_s \oplus r_u = r_u \oplus r_s = K_{us}$, where the random number $r_u$ is selected by the user and encrypted with $E_{PK_{SC}}()$, so only the SC can recover it.
Lemma 6. The proposed scheme satisfies the third requirement.
Proof: $r_u$ and $r_s$ are two random numbers selected by user U and the SC, so the session key K is also a random number.

Comparisons with other schemes
The proposed scheme, which uses only one server, is more practical in feasibility. It has mutual authentication and a key agreement process, which makes it more robust in security than past schemes.

Conclusions and future work
The proposed scheme is more practical than previous k-server PIR schemes, and it has mutual authentication and a key agreement process. It can be applied not only in the environment mentioned above but also in other applications that need user privacy on the Internet (e.g. e-voting).
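The registering, preprocessing and online-query phases described above, run end to end in an added example that is not the authors' code. Textbook RSA with tiny constructed primes stands in for both E_PK_SC() and the user's key pair, a SHA-256 keystream XOR stands in for E_K(), XOR is assumed as the operator combining r_s and r_u, ID_U is passed in the clear rather than inside C2, and the ID file, database and shuffle permutation are constructed.

```python
import hashlib
import secrets

def rsa_keygen(p, q, e=17):
    """Textbook RSA with tiny constructed primes (toy, not secure)."""
    return e, pow(e, -1, (p - 1) * (q - 1)), p * q      # (e, d, n)

def h(n, *fields):
    """M = h(ID_U, r_s, r_u): SHA-256 of the fields, reduced mod n so M < n."""
    digest = hashlib.sha256("|".join(map(str, fields)).encode()).digest()
    return int.from_bytes(digest, "big") % n

def e_k(k, data):
    """E_K(): XOR with a SHA-256 keystream (toy stand-in for a real cipher)."""
    stream = hashlib.sha256(k.to_bytes(8, "big")).digest()
    return bytes(b ^ s for b, s in zip(data, stream))

# Registering phase: SC key pair, user key pair, (ID_U, e_u, n) in S's ID file.
SC_E, SC_D, SC_N = rsa_keygen(65521, 65537)               # PK_SC = (SC_E, SC_N)
ID_U, (E_U, D_U, N_U) = "user-42", rsa_keygen(32749, 16381)
ID_FILE = {ID_U: (E_U, N_U)}
# Preprocessing phase: shuffled DB copy in server S, shuffled index in the SC.
DB = [b"record-A", b"record-B", b"record-C", b"record-D"]  # constructed
PERM = [2, 0, 3, 1]                                        # constructed shuffle
SHUFFLED_DB = [DB[j] for j in PERM]                        # held by S
SHUFFLED_INDEX = {j: pos for pos, j in enumerate(PERM)}    # held in the SC

def online_query(id_u, d_u, i):
    """Steps 1-8 of the online-query phase for record i; None if a check fails."""
    e_u, n = ID_FILE[id_u]
    r_u = secrets.randbelow(1 << 30) + 1                   # 1) U picks r_u,
    c2 = pow(r_u, SC_E, SC_N)                              #    C2 ~ E_PK_SC(r_u)
    r_u_sc = pow(c2, SC_D, SC_N)                           # 2) SC decrypts with SK_SC
    r_s = secrets.randbelow(1 << 30) + 1                   # 3) SC picks r_s,
    k_su = r_s ^ r_u_sc                                    #    K_su = r_s XOR r_u,
    c3 = (r_s, e_k(k_su, r_u_sc.to_bytes(4, "big")))       #    C3 = (r_s, E_K(r_u))
    k_us = r_u ^ c3[0]                                     # 4) K'_us = r_u XOR r_s
    if e_k(k_us, c3[1]) != r_u.to_bytes(4, "big"):
        return None                                        #    SC not authenticated
    m = h(n, id_u, r_s, r_u)                               # 5) M = h(ID_U, r_s, r_u)
    c4 = pow(m, d_u, n)                                    #    C4 = M^d_u mod n
    if pow(c4, e_u, n) != h(n, id_u, r_s, r_u_sc):         # 6) C4^e_u mod n == M ?
        return None                                        #    U not authenticated
    cipher = e_k(k_su, SHUFFLED_DB[SHUFFLED_INDEX[i]])     # 7) SC sends E_K(R_i)
    return e_k(k_us, cipher)                               # 8) U decrypts with K'
```

Passing a wrong private exponent in place of D_U makes step 6 fail and the SC withholds the record, which is the behaviour Lemma 1 relies on.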