Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Secure Indexes

advertisement 
Secure Indexes
Author:Eu-Jin Goh
Presented by Yi Cheng Lin
1
Outline






Introduction
Contribution
Index Scheme
Background
Construction
Choosing Suitable Bloom Filter
Parameter
2
Outline





Pseudo-Random Functions
IND-CKA
Z-IDX is a IND-CKA index
Conclusion
Comment
3
Introduction


Keyword indexes let us search in
constant time for documents containing
specified keywords
Unfortunately, standard index
constructions such as those using hash
table are unsuitable for indexing
encrypted documents
4
Introduction


In this paper, they formally define a
secure index that allows a querier with
a “trapdoor” for a word x to test in O (1)
time only if the index contains x
The index reveals no information about
its constants without valid trapdoors
5
Contribution

Knows m
words
The first contribution of this paper is in
defining a secure index and formulating
a security model for indexes known as
semantic security against adaptive
chosen keyword attack (IND-CKA) n words
n-m
unknown
wotrds
adversary A
Can’t get
any word
index
document D
6
Contribution


The second contribution is an efficient
IND-CKA secure index construction
called Z-IDX, which is built using
pseudo-random functions and Bloom
filters
Z-IDX scheme is efficient
7
Contribution
27.4 megabytes
2654
plaintext
files
an index for the average document is
roughly 121.4 kilobytes in size
The largest document in this
collection is 876.6 kilobytes long and
its index is 774.3 kilobytes large
The smallest document is 9 bytes
long and its index is 115 bytes large
Debian Linux
15151 indexes can searched in one second
on a 866 MHz Pentium 3 machine
8
Index Scheme


Keygen (s): Given a security parameter
s, outputs the master private key Kpriv
Trapdoor (Kpriv, w): Given the master
key Kpriv and word w, outputs the
trapdoor Tw for w
9
Index Scheme


BuildIndex (D, Kpriv): Given a document
D and the master key Kpriv, outputs the
index ID
SearchIndex(Tw, ID): Given the trapdoor
Tw for word w and the index ID for
document D, outputs 1 if w D and 0
otherwise
10
Index Scheme
Store
ID1, E(D1)
Alice
Keygen (s): Kpriv
BuildIndex (D1, Kpriv): ID1
Server
Index
ID 1
ID 2
…
Encrypted data
E(D1)
E(D2)
…
11
Index Scheme
Tw
E(D1), …
Alice
Keygen (s): Kpriv
Trapdoor (Kpriv, w): Tw
Server
SearchIndex(Tw, ID1)
ID 1
E(D1)
1
ID 2
E(D2)
…
0
…
…12
Background


pseudo-random functions :is
computationally indistinguishable from a
random function
given pairs (x1, f(x1, k)), . . . , (xm, f(xm,
k)), an adversary cannot predict f(xm+1,
k) for any xm+1
13
Background


Bloom Filter: a set of S = {s1, . . . , sn}
of n elements and is represented by an
array of m bits.
All array bits are initially set to 0. The
filter uses r independent hash functions
h1, . . . , hr, where hi : {0, 1}* ->[1,m]
for i [1, r].
14
To determine if an element
a belongs to the set S
a
h 1 ( a)
h 2 ( a)
.
.
.
hr(a)
S
If all bit are 1’s,then a
Else a
S
15
Construction


Keygen(s): Given a security parameter s,
choose a pseudo-random function f : {0,
1}n×{0, 1}s {0, 1}s and the master key
Kpriv = (k1, . . . , kr) R {0, 1}sr
Trapdoor(Kpriv,w): Given the master key
Kpriv = (k1, . . . , kr){0, 1}sr and word w,
output the trapdoor for word w as Tw =
(f(w, k1) , . . . , f(w, kr)) {0, 1}sr
16

Construction

Input
BuildIndex(D,Kpriv):
Document D : Did
{0, 1}n
A list of words (w0, . . . ,wt)
Kpriv = (k1, . . . , kr)
trapdoor
Wi
 {0, 1}
nt
 {0, 1}
sr
Output IDid = (Did, BF)
x1 = f (wi , k1)
...
xr = f (wi , kr)
codeword
y1 = f (Did , x1)
...
BF for
Did
yr = f (Did , xr)
17
Construction

SearchIndex(Tw, IDid):
Input trapdoor Tw = (x1,…, xr)
index
y1 = f
...
 {0, 1}
IDid = (Did , BF) for document Did
Test if BF contains 1’s in all
(Did , x1) r locations denoted by
y1, . . . , yr
yr = f (Did , xr)
sr
If so, output 1;
Otherwise, output 0
18
Choosing Suitable Bloom Filter
Parameter




Hash functions h1,…., hr
Insert n distinct element in to an array
of size m
The probability that bit i in the array is
0 is (1 – (1/m))rn ≈ e-rn/m
the probability of a false positive is (1 −
(1 − (1/m))rn)r ≈ (1 − e−rn/m)r
19
Choosing Suitable Bloom Filter
Parameter
False positive rate
fp = (1/2)r = (1 − e−rn/m)r
½ = 1 − e−rn/m
−rn/m
 ½ = e
 ln(1/2) = -rn/m
 ln 2 = r (n/m)
 m = rn/ ln 2

20
Choosing Suitable Bloom Filter
Parameter
Choose suitable m
fp = 0.01
r=7
fp = 0.001
r = 10
n = 1000
10102
14431
n = 10000
101011
144301
21
Pseudo-Random Functions

f : {0, 1}n × {0, 1}s ->{0, 1}m is a (t, ɛ,
q)-pseudo-random function if for any t
time oracle algorithm A that makes at
most q adaptive queries
22
IND-CKA

Setup :
Challenger C
creates a set S of q
words
C build index
for each subset
in S*

Queries :
S
S*
Index
Adversary A
Chooses a number
of subsets from S
This collection of
subset is called S*
Query C on a word x
Trapdoor Tx for x
23
IND-CKA

Challenge :
A picks a non-empty subset V0 S*, and generating another
non-empty subset V1 from S such that |V0 −
V1| 0, |V1 − V0| 0, and the total length of words in V0 is
equal to that in V1
Next, A gives V0 and V1 to C who chooses b {0,1}, invokes
BuildIndex(Vb , Kpriv) to obtain the index IVb for Vb , and return
IVb to A
24
IND-CKA

Response :A eventually output a bit b’,
representing its guess for b
The advantage of A in winning this game is
defined as AdvA = | Pr[b = b’] − 1/2|
We say that an adversary A (t, ɛ, q)-breaks
an index if AdvA is at least ɛ after A takes at
most t time and makes q trapdoor queries to
the challenger. We say that I is an (t, ɛ, q)IND-CKA secure index if no adversary can (t,
ɛ, q)-break it

AdvA = | Pr[b = b’] − 1/2|< ɛ


25
Z-IDX is a IND-CKA index


Theorem 3.2.
If f is a (t, ɛ, q)-pseudo-random
function, then Z-IDX is a (t, ɛ, q/2)IND-CKA index
We use ¬q -> ¬p to prove
26
Z-IDX is a IND-CKA index

Prove :Suppose Z-IDX is not a (t, ɛ,
q/2)- IND-CKA index
algorithm A
(t, ɛ, q/2)-breaks Z-IDX
We build an algorithm B that
uses A to determine if f is a pseudo-random function
or a random function.
the unknown function f that takes as input x {0, 1}n
and returns f (x){0, 1}s.
27
Z-IDX is a IND-CKA index

Setup :
algorithm B
creates a set S of q/2
words
B build index
for each subset
in S*

Queries :
S
S*
Index
algorithm A
Chooses a number
of subsets from S
This collection of
subset is called S*
Query B on a word x
Trapdoor Tx for x
28
Z-IDX is a IND-CKA index


Response : A eventually outputs a bit b’,
representing its guess for b. If b’ = b, then B
outputs 0, indicating that it guesses that f is a
pseudo-random function. Otherwise, B
outputs 1
B takes at most t time because A takes at
most t time. Furthermore, B makes at most q
queries to f because there are only q/2
strings in S and A makes at most q/2 queries
29
Z-IDX is a IND-CKA index


Claim 1: When f is a pseudo-random
function, then
Claim 2: When f is a random function,
then
30
Z-IDX is a IND-CKA index
By claim1 and claim 2
But, if f is a (t, ɛ, q)-pseudo-random function
Theorem 3.2.
If f is a (t, ɛ, q)-pseudo-random function,
then Z-IDX is a (t, ɛ, q/2)- IND-CKA index
31
Conclusion



Z-IDX is efficient for search indexes
Index and document’s size are
independent
Property : ”hidden queries”, “controlled
searching”, and “query isolation”
32
Comment
Bloom Filter is a probabilistic data
structure
 Need more space
(index’s size ≈ document’s size)

33
Related documents
Citation: Ellen E. Sward, Values, Ideology, and the Evolution of the
Citation: Ellen E. Sward, Values, Ideology, and the Evolution of the
Performance Task List for Book Report
Performance Task List for Book Report
QUY CAÙCH VIEÁT BAØI
QUY CAÙCH VIEÁT BAØI
Bloom`s Taxonomy of the Cognitive Domain
Bloom`s Taxonomy of the Cognitive Domain
2011 Engagement of Students
2011 Engagement of Students
4 LP Aug 25 BED 4416..
4 LP Aug 25 BED 4416..
Download
advertisement