
Post on 18-Jan-2016


UC/Garbled Searchable Symmetric Encryption

Kaoru Kurosawa Ibaraki University, Japan

I will talk about

(1) UC-Secure Searchable Symmetric Encryption (preliminary version: FC 2012; final version: ePrint 2015/251)

(2) Garbled Searchable Symmetric Encryption    FC 2014

2

Curtmola, Garay, Kamara and Ostrovsky (2006)

• defined the privacy of SSE schemes as follows.

3

In the store phase, the server receives

E(D1), ⋯, E(DN), E(Index)

and learns |D1|, …, |DN| and |{keywords}|

4

In the search phase, the client sends E(keyword) and the server returns

C(keyword) = ( E(D3), E(D6), E(D10) )

This means that the server knows the corresponding indexes {3, 6, 10}

5

We call this information

• |D1|, …, |DN| and |{keywords}|
• the corresponding indexes {3, 6, 10}

the minimum leakage.

6

The Privacy definition

• requires that the server should not be able to learn any more information

7

In the Real Game, the distinguisher sends D = {D1, …, DN}, W = {set of keywords} and Index to the challenger, who returns E(D1), ⋯, E(DN), E(Index).

8

In the Simulation Game, the distinguisher sends D = {D1, …, DN}, W = {set of keywords} and Index to the challenger. The challenger passes only the minimum leakage |D1|, …, |DN| and |{keywords}| to the simulator, which somehow returns E(D1), ⋯, E(DN), E(Index).

9

In the search phase of the real game, the distinguisher sends a keyword to the challenger, who returns E(keyword).

10

In the simulation game, the distinguisher sends a keyword to the challenger. The challenger passes only the minimum leakage {3, 6, 10} to the simulator, which somehow returns E(keyword).

11

Def. of Curtmola et al.

• Privacy is satisfied if there exists a simulator such that

the real game ≈ the simulation game

12

We now define

• reliability and strong reliability
• UC security

and then

• prove a weak equivalence:
  (1) UC-secure → privacy + reliability
  (2) privacy + strong reliability → UC-secure
• show an efficient UC-secure SSE scheme


14

A malicious server

• tries to forge some files, delete some files,
• or replace E(D3) with E(D100).

The client sends E(keyword); the malicious server returns E(D100), E(D6), E(D10) in place of E(D3), E(D6), E(D10).

15

Consider an adversary (A1,A2) s.t.

16

• A1 gives the inputs to the client
• A2 runs the protocol with the client, playing the server

If A2 is honest,

17

the client sends E(w) for a keyword w, A2 returns [C(w), Tag], and the client outputs D(w) = {files which contain w}.

Reliability is satisfied if, for any (A1, A2), the client outputs D(w)' ≠ D(w) with negligible probability.

Strong reliability is satisfied if, for any (A1, A2), the client accepts [C(w)', Tag'] ≠ [C(w), Tag] with negligible probability.

We then define

• reliability, strong reliability
• UC security
• prove a weak equivalence:
  (1) UC-secure → privacy + reliability
  (2) privacy + strong reliability → UC-secure
• finally, an efficient UC-secure SSE scheme

20

In the ideal world, there are a dummy client, the ideal functionality FSSE and the environment Z. Z gives D = {D1, …, DN}, W = {set of keywords} and Index to the dummy client, which forwards them to FSSE.

21

FSSE sends the minimum leakage |D1|, …, |DN| and |{keywords}| to the UC adversary S.

22

In the search phase, Z gives a keyword to the dummy client, which forwards it to FSSE.

23

FSSE sends the minimum leakage {3, 6, 10} to the UC adversary S.

24

S returns Accept or Reject to FSSE.

25

If S returns Reject, then FSSE sends Reject to the dummy client, which outputs Reject to Z.

26

If S returns Accept, FSSE sends D(w) = {D3, D6, D10} to the dummy client, which outputs it to Z.

27

Also, S and Z can interact freely.

28

This is an ideal world because

(Correctness) The dummy client outputs reject or D(w) correctly.
(Security) The UC adversary S learns only the minimum leakage.

29

In the real world

• the environment Z gives the inputs to the client
• the client and the server run the real protocol
• the adversary A can corrupt the server and communicate with Z freely

31

We say that

• An SSE scheme is UC-secure if for any adversary A, there exists a UC adversary S such that
  Pr[Z ⇒ 1 in the real world] ≈ Pr[Z ⇒ 1 in the ideal world]

32

We define

• reliability (unforgeability), strong reliability (strong unforgeability), UC security
• prove a weak equivalence:
  (1) UC-secure → privacy + reliability
  (2) privacy + strong reliability → UC-secure
• finally, an efficient UC-secure SSE scheme

33

Suppose that there exists an SSE scheme which is UC-secure.

34

In the real world, consider A who relays everything to Z: Z sends a keyword to the client, the client sends E(keyword) to the server, and A relays E(keyword) to Z.

The real world = the real game of privacy

36

(Z plays the distinguisher and the client plays the challenger: the distinguisher sends a keyword and receives E(keyword).)

In the ideal world, there exists S which simulates A from the minimum leakage: FSSE gives S only the minimum leakage, and S returns E(keyword) to Z.

The ideal world = the ideal game of privacy

38

(Z plays the distinguisher, FSSE plays the challenger and S plays the simulator: the challenger passes the minimum leakage to the simulator, which returns E(keyword).)

Therefore, if the SSE scheme is UC-secure, then privacy is satisfied.

39

Next, for a reliability adversary (A1, A2), consider (Z, A) such that Z = A1 and A = A2.

In the corresponding ideal world, the dummy client outputs D(w) or reject, and never outputs D(w)' ≠ D(w), from the definition of FSSE.

Hence

• in the real world, the client outputs D(w)' ≠ D(w) with negligible probability.
• Therefore reliability is satisfied.

43

We define

• reliability (unforgeability), strong reliability (strong unforgeability), UC security
• prove a weak equivalence:
  (1) UC-secure → privacy + reliability
  (2) privacy + strong reliability → UC-secure
• finally, an efficient UC-secure SSE scheme

44

Suppose that there exists an SSE scheme which satisfies privacy and strong reliability.

45

Game 0 = Real world: Z sends a keyword w to the client, the client sends E(w) to the server (controlled by A), the server returns C(w), Tag, and the client outputs D(w) or reject to Z.

In Game 1, if A instructs the server to return an invalid message [C(w)', Tag'] ≠ [C(w), Tag], then the server returns reject to the client, and the client sends reject to Z. Otherwise the server returns accept to the client and the client outputs D(w) = {files which contain the keyword w}.

49

• Game 1 and Game 0 are indistinguishable because the SSE scheme satisfies strong reliability.

50

In Game 2, the client is split into Client 1 and Client 2: Client 1 receives w and sends E(w) to the server (via A), the server returns accept or reject to Client 2, and Client 2 outputs D(w) or reject to Z.

51

• From the viewpoint of Z, Game 2 and Game 1 are the same.

52

In Game 3, Client 1 is replaced by the simulator of privacy, which receives only the minimum leakage and produces E(w).

53

Game 3 = the simulation game of privacy (Z and A play the distinguisher; the simulator, fed the minimum leakage, plays the challenger's side and outputs E(w)).

54

Game 2 = the real game of privacy (Z and A play the distinguisher; Client 1 plays the challenger, turning the keyword into E(w)).

55

Therefore, Game 3 and Game 2 are indistinguishable because the SSE scheme satisfies privacy.

56

Finally Game 3 = the ideal world: the UC adversary S consists of the simulator S0 (which receives the minimum leakage), A and the server, and Client 2 plays the role of FSSE and the dummy client, receiving accept or reject from S.

57

Namely

• Game 0 = the real world
• Game 3 = the ideal world
• and Z cannot distinguish them
• Therefore the SSE scheme is UC-secure.

58

We define

• reliability (unforgeability), strong reliability (strong unforgeability), UC security
• prove a weak equivalence:
  (1) UC-secure → privacy + reliability
  (2) privacy + strong reliability → UC-secure
• show an efficient UC-secure SSE scheme

59

Consider this example

         D1  D2  D3  D4  D5
Austin    1   0   1   0   1
Boston    0   1   0   1   0

60

The client computes

              E(D1) E(D2) E(D3) E(D4) E(D5)
PRP(Austin)  (  1     0     1     0     1  )
PRP(Boston)  (  0     1     0     1     0  )

where PRP means pseudorandom permutation

61

and adds PRF(Austin) to the PRP(Austin) row and PRF(Boston) to the PRP(Boston) row,

              E(D1) E(D2) E(D3) E(D4) E(D5)
PRP(Austin)  (  1     0     1     0     1  ) + PRF(Austin)
PRP(Boston)  (  0     1     0     1     0  ) + PRF(Boston)

where PRF means pseudorandom function.

62

The client stores this masked table together with

TagA = MAC( PRP(Austin), E(D1), E(D3), E(D5) )
TagB = MAC( PRP(Boston), E(D2), E(D4) )

63

In the search phase, for a keyword Austin, the client sends

E(Austin) = {PRP(Austin), PRF(Austin)}

64

The server locates the PRP(Austin) row, removes PRF(Austin) to decrypt (10101), and returns

E(D1), E(D3), E(D5), TagA

66

The client accepts E(D1), E(D3), E(D5) if

TagA = MAC( PRP(Austin), E(D1), E(D3), E(D5) )

which the client can recompute from PRP(Austin).
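As an added worked example (not the slides' or the paper's code), the store and search phases of this single-keyword scheme in Python: HMAC stands in for PRP, PRF and MAC, and the keys and the already-encrypted files E(D1)..E(D5) are constructed placeholders. The client-side tag check is what rejects a forged, deleted or swapped file.

```python
import hashlib
import hmac

# Constructed placeholders: a real client draws three independent random keys.
K_PRP, K_PRF, K_MAC = b"k-prp", b"k-prf", b"k-mac"
# The already-encrypted files E(D1)..E(D5), stood in by constructed byte strings.
FILES = {i: b"E(D%d)" % i for i in range(1, 6)}
INDEX = {"Austin": [1, 0, 1, 0, 1], "Boston": [0, 1, 0, 1, 0]}

def prp(w):  # PRP(w): the row label (HMAC stands in for the permutation)
    return hmac.new(K_PRP, w.encode(), hashlib.sha256).digest()

def prf(w):  # PRF(w): the mask that is "added" to the row bits
    return hmac.new(K_PRF, w.encode(), hashlib.sha256).digest()

def mask_bit(mask, i):
    return (mask[i >> 3] >> (i & 7)) & 1

def mac(row_label, ciphertexts):  # Tag_w = MAC(PRP(w), E(D_i1), E(D_i2), ...)
    body = b"".join(len(c).to_bytes(4, "big") + c for c in ciphertexts)  # length-prefixed
    return hmac.new(K_MAC, row_label + body, hashlib.sha256).digest()

def build_table():
    """Store phase: row PRP(w) holds the bit vector XORed with PRF(w), plus Tag_w."""
    table = {}
    for w, bits in INDEX.items():
        masked = [b ^ mask_bit(prf(w), i) for i, b in enumerate(bits)]
        hits = [FILES[i + 1] for i, b in enumerate(bits) if b]
        table[prp(w)] = (masked, mac(prp(w), hits))
    return table

def trapdoor(w):
    """E(w) = {PRP(w), PRF(w)}, sent by the client in the search phase."""
    return prp(w), prf(w)

def server_search(table, trap):
    """Server: find the row by PRP(w), unmask it with PRF(w), return hits and the tag."""
    row_label, mask = trap
    masked, tag = table[row_label]
    bits = [m ^ mask_bit(mask, i) for i, m in enumerate(masked)]  # (1 0 1 0 1) for Austin
    return [FILES[i + 1] for i, b in enumerate(bits) if b], tag

def client_verify(w, result, tag):
    """Client accepts only if the tag matches the returned ciphertexts (strong reliability)."""
    return hmac.compare_digest(mac(prp(w), result), tag)
```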

67

Theorem

• The above SSE scheme satisfies privacy and strong reliability if E is CPA-secure.

Corollary

• The above SSE scheme is UC-secure.

68

So far,

• single keyword search SSE schemes.

Next

• multiple keyword search SSE schemes.

69

Wang et al. (2008)

• showed a multiple keyword SSE scheme for AND search.

At CRYPTO 2013,

• Cash, Jarecki, Jutla, Krawczyk, Rosu, and Steiner showed an SSE scheme which can support any search formula f (in the random oracle model).
• The communication overhead is sublinear in N, where N = the number of files.

71

However,

• the search formula f is revealed to the server and
• the search phase requires 2 rounds.

              Search phase   Search formula
Cash et al.   2 rounds       revealed

72

In their scheme, if "Japan AND Crypto" is searched, the following information is leaked to the server:

• the search formula = AND
• the search result of Japan or that of Crypto
• and some more information (see Sec. 5.3 of their paper)

73

Kurosawa (FC 2014)

• even the search formula f is kept secret.
• the search phase requires only 1 round.

              Search phase   Search formula
Cash et al.   2 rounds       revealed
Proposed      1 round        secret

74

In my scheme, only the following information is leaked (other than the minimum leakage):

• the topological circuit f̄
• (π(j1), …, π(jc)), where π is a random permutation and {wj1, …, wjc} are the queried keywords

75

Figure: the search formula f drawn as a circuit of XOR, AND and OR gates over the inputs 1, 2, 3, 4.

If this is the search formula f,

76

Figure: the same wiring over the inputs 1, 2, 3, 4 with the gate types removed.

This is the topological circuit f̄.

77

On the other hand,

• the communication overhead is O(N), while it is sublinear in N in Cash et al.'s scheme, where N = the number of files.

78

The proposed SSE scheme

• is based on Yao’s garbled circuit.

79

A garbled circuit of f

• is an encoding garble(f) such that one can compute f(X) from garble(f) and label(X) without learning anything on f and X.

garble(f), label(X) → f(X)

80

Consider f(x1, x2) = (x1 and x2) with x1 = 0 and x2 = 1, so the output is x3 = 0:

x1  x2  x3
 0   0   0
 0   1   0
 1   0   0
 1   1   1

81

garble(f) is the truth table encoded by random strings (A0, A1 for x1 and B0, B1 for x2):

x1   x2   x3
A0   B0   H(A0,B0) + 0
A0   B1   H(A0,B1) + 0
A1   B0   H(A1,B0) + 0
A1   B1   H(A1,B1) + 1

For x1 = 0, x2 = 1 the labels are A0, B1 and the output is x3 = 0.

82

label(X) is these random strings: for X = (x1, x2) = (0, 1), label(X) = (A0, B1).

83

In this example, x3 = 0 is obtained by computing H(A0, B1) from label(X) = (A0, B1) and removing it from the A0, B1 row of garble(f).

84

High level overview of the proposed scheme

Consider this example (rows are files, columns are keywords):

       w1  w2  w3
D1      1   1   1
D2      1   0   0

85

Let X1 = (1 1 1) be the row of D1 and X2 = (1 0 0) the row of D2.

86

The client computes label(X1) for D1 and label(X2) for D2.

87

The client also computes the table

        PRP(w1)  PRP(w2)  PRP(w3)
E(D1)   label(X1)
E(D2)   label(X2)

and sends it to the server.

89

In the search phase,

• Suppose that the client wants to search on f(w1, w2, w3) = w1 ⋀ w2 ⋀ w3.
• He computes the garbled circuits of f: Γ1 for D1 and Γ2 for D2.

90

The client sends PRP(w1), …, PRP(w3), Γ1 and Γ2.

91

The server has the stored table: columns PRP(w1), PRP(w2), PRP(w3), with label(X1) in the row of E(D1) and label(X2) in the row of E(D2).

92

The server computes f(X1) = 1 from label(X1) and the garbled circuit Γ1.

93

Similarly she computes f(X2) = 0 from label(X2) and the garbled circuit Γ2.

94

If f(X1) = 1 and f(X2) = 0, the server returns E(D1).

95

However, if label(X) is reused, then some information on (f, X) is leaked.

96

We use a counter as an additional input to H:

x1   x2   x3
A0   B0   H(counter, A0,B0) + 0
A0   B1   H(counter, A0,B1) + 0
A1   B0   H(counter, A1,B0) + 0
A1   B1   H(counter, A1,B1) + 1

For label(X) = (A0, B1) the output is again x3 = 0.
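As an added example (not the slides' or the paper's code), a garbled 2-input gate with the counter as an extra input to H, evaluated from stored labels and then used for the per-file search of the overview above, with the same labels reused under fresh counters. SHA-256 as H, the zero-byte marker that lets the evaluator recognise its row, and the labels and files are all assumptions or constructed values.

```python
import hashlib
import secrets

LABEL_LEN, PAD_LEN = 16, 8  # bytes per wire label; zero bytes that mark the right row

def h(counter, a, b):
    """H(counter, A, B): the slides' hash with the counter as extra input (SHA-256 assumed)."""
    data = counter.to_bytes(8, "big") + a + b
    return hashlib.sha256(data).digest()[:1 + PAD_LEN]

def gen_labels():
    """Label material: random strings (A0, A1) for x1 and (B0, B1) for x2."""
    return ([secrets.token_bytes(LABEL_LEN) for _ in (0, 1)],
            [secrets.token_bytes(LABEL_LEN) for _ in (0, 1)])

def garble_gate(counter, a_labels, b_labels, gate):
    """garble(f) for a 2-input gate f: row (i, j) is H(counter, A_i, B_j) XORed onto f(i, j)
    followed by zero bytes (assumed marker; the slides write H(A, B) + bit). Rows are shuffled."""
    rows = []
    for i in (0, 1):
        for j in (0, 1):
            plain = bytes([gate(i, j)]) + bytes(PAD_LEN)
            mask = h(counter, a_labels[i], b_labels[j])
            rows.append(bytes(p ^ m for p, m in zip(plain, mask)))
    secrets.SystemRandom().shuffle(rows)
    return rows

def evaluate_gate(counter, garbled, a, b):
    """Server side: from label(X) = (a, b) and garble(f), recover f(X) without learning X."""
    mask = h(counter, a, b)
    for row in garbled:
        plain = bytes(r ^ m for r, m in zip(row, mask))
        if plain[1:] == bytes(PAD_LEN):
            return plain[0]
    raise ValueError("labels do not belong to this garbled circuit")

def garbled_search(counter, client_pairs, server_labels, gate):
    """One search round: client_pairs[name] = ((A0, A1), (B0, B1)) is kept by the client,
    server_labels[name] = label(X_name) = (A_x1, B_x2) is stored on the server. The client
    garbles f once per file (Gamma_name) under a fresh counter; the server evaluates each on
    the stored label and returns the files with f(X) = 1. The labels themselves are reused."""
    gammas = {n: garble_gate(counter, *pairs, gate) for n, pairs in client_pairs.items()}
    return [n for n, (a, b) in server_labels.items()
            if evaluate_gate(counter, gammas[n], a, b) == 1]
```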

97

Formally

Bellare et al. (2012) defined     Kurosawa (2014) extended them to
garbling schemes                  extended garbling schemes
input-circuit privacy             label reusable privacy

98

Label reusable privacy

• Even if label(X) is reused for multiple garbled circuits Γ1, Γ2, …, no information on X and (f1, f2, …) is leaked, where Γi is a garbled circuit of fi.

Theorem 1

• Our construction satisfies label reusable privacy in the random oracle model

100

Theorem 2

If the underlying extended garbling scheme satisfies label reusable privacy, only the following information is leaked (other than the minimum leakage):

• the topological circuit f̄
• (π(j1), …, π(jc)), where π is a random permutation and {wj1, …, wjc} are the queried keywords

102

Communication overhead of the proposed scheme

• Let m = # of files, c = # of search keywords, s = # of gates of f.
• In the search phase, the communication overhead is |counter| + (c + 4m(s-1)) × 128 + 4m bits.

103

If # of search keywords is 2

• the communication overhead is |counter| + 256 + 4 × (# of files) bits.

104

Computer simulation

• We used a computer as follows: 2.4GHz CPU and 32G byte RAM, OS = CentOS 6.5, C++ and the NTL library.
• The total # of keywords is 20.

105

Figure: the running time of the client in the search phase.

106

Figure: the running time of the server in the search phase.

107

Summary

(1) UC-Secure Searchable Symmetric Encryption (preliminary version: FC 2012; final version: ePrint 2015/251)

(2) Garbled Searchable Symmetric Encryption    FC 2014

108

Open problem (1)

• Construct a multiple keyword SSE scheme such that
  • the communication overhead is sublinear in N,
  • the leakage is as small as possible,
  • in the standard model.

109

Open problem (2)

• In all the known single keyword SSE schemes, E(keyword) is deterministic.
• Hence if the client sends E(keyword) twice, this search pattern is leaked.
• So: construct a UC-secure scheme such that even the search pattern is kept secret.

110

Open problem (3)

• Prove the tight equivalence between UC security and some stand-alone security.

111

Thank you !

112
