cryptography for cloud storage service
DESCRIPTION
Cryptography for Cloud Storage Service. Kaoru Kurosawa Ibaraki University, Japan. CRYPTOLOGY 2012, 4-6 June, Langkawi , Malaysia . Cloud Storage Service. ( or online storage service) is now available on the commercial basis . Big Internet enterprises such as Google , Amazon, Yahoo - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/1.jpg)
Cryptography for Cloud Storage Service
Kaoru Kurosawa Ibaraki University, Japan
CRYPTOLOGY 2012, 4-6 June, Langkawi, Malaysia
![Page 2: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/2.jpg)
Cloud Storage Service
• (or online storage service) • is now available on the commercial basis.
• Big Internet enterprises such as • Google, Amazon, Yahoo • are providing these services.
2
![Page 3: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/3.jpg)
The Advantages are
• Companies need only pay for the storage they actually use• Companies do not need to install physical
storage devices in their own data center• Storage maintenance tasks, such as backup,
are offloaded to the responsibility of a service provider
3
![Page 4: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/4.jpg)
In Japan
• After the big earthquake last year, many local governments are considering using cloud storage service to store their important data which includes the original copy of family registers.
4
![Page 5: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/5.jpg)
But Potential Threats
• The number of people with access to the data who could be compromised
(bribed, or coerced) increases dramatically.• It is possible for other customers to access your data. Sometimes because of human error, faulty equipment, a bug or criminal intent.
5
![Page 6: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/6.jpg)
In such systems
• The role of cryptography is crucial.
6
![Page 7: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/7.jpg)
A Searchable Symmetric Encryption(SSE) scheme
• Consists of a store phase and a search phase
7
![Page 8: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/8.jpg)
In the store phase,
• A client stores encrypted files (or documents) on a server
Client Server
E(D1), , E(D⋯ N)
8
![Page 9: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/9.jpg)
In the search phase,
• The client sends an encrypted keyword to the server
Client Server
E(keyword)
9
![Page 10: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/10.jpg)
The server somehow returns
• The encrypted files E(D3), E(D6), E(D10) which contains the keyword
Client Server
E(keyword)
E(D3), E(D6), E(D10)
10
![Page 11: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/11.jpg)
So the client can
• retrieve some of the encrypted files• which contains a specific keyword,• keeping the keyword secret
Client Server
E(keyword)
E(D3), E(D6), E(D10)
11
![Page 12: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/12.jpg)
By Passive Attack
• A malicious server breaks the privacy• She tries to find • the keyword and the documents
Client Server
E(keyword)
E(D3), E(D6), E(D10)
Malicious
12
![Page 13: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/13.jpg)
By Active Attack• A malicious server breaks the reliability• She tries to forge/delete some files.• or replace E(D3) with another E(D100).
Client Server
E(keyword)
E(D3), E(D6), E(D10)E(D100)
Malicious
13
![Page 14: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/14.jpg)
The security against passive attacks
has been studied by several researchers.
• Song, Wagner, Perrig• Goh• Bellovin and Cheswick• Chang and Mitzenmacher
14
![Page 15: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/15.jpg)
Finally
• Curtmola, Garay, Kamara and Ostrovsky• showed a rigorous definition of security against passive attacks.• They also gave a scheme which satisfies their definition.
15
![Page 16: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/16.jpg)
However
• The security against active attacks has not been considered so far.
16
![Page 17: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/17.jpg)
In this talk
(1) Extend the model of SSE to verifiable SSE(2) Define the security against active attacks.(3) Next formulate the UC-security(4) Then prove the equivalence between (2) and (3)(5) Finally show a UC-secure scheme
17
![Page 18: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/18.jpg)
In this talk
(1) Extend the model of SSE to verifiable SSE(2) Define the security against active attacks.(3) Next formulate the UC-security(4) Then prove the equivalence between (2) and (3)(5) Finally show a UC-secure scheme
18
![Page 19: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/19.jpg)
In this talk
(1) Extend the model of SSE to verifiable SSE(2) Define the security against active attacks.(3) Next formulate the UC-security(4) Then prove the equivalence between (2) and (3)(5) Finally show a UC-secure scheme
19
![Page 20: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/20.jpg)
In this talk
(1) Extend the model of SSE to verifiable SSE(2) Define the security against active attacks.(3) Next formulate the UC-security(4) Then prove the equivalence between (2) and (3)(5) Finally show a UC-secure scheme
20
![Page 21: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/21.jpg)
In this talk
(1) Extend the model of SSE to verifiable SSE(2) Define the security against active attacks.(3) Next formulate the UC-security(4) Then prove the equivalence between (2) and (3)(5) Finally show a UC-secure scheme
21
![Page 22: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/22.jpg)
Overview
Privacy Curtmola et al.Reliability Our paperUC security Our paper
22
![Page 23: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/23.jpg)
Outline of this talk
(1) Curtmola et al. ‘s scheme(2) Our UC-secure scheme(3) Our theoretical results
23
![Page 24: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/24.jpg)
Curtmola et al.
keyword DocumentsAustin D3, D6, D10
Boston D8, D10
Washington D1, D4, D8
Showed a scheme such as follows.(It is secure against passive attacks.)
Consider the following “Index”
Index24
![Page 25: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/25.jpg)
The client first constructs E(Index) • as follows.• He first chooses a pseudorandom permutation π.
E(Index) =
25
![Page 26: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/26.jpg)
He next computes • π(Austin, 1), π(Austin, 2) and π(Austin, 3),• Writes the indexes (3, 6, 10) in these addresses
3
6
10
Address
π(Austin, 1)
π(Austin, 2)
π(Austin, 3) E(Index)
26
![Page 27: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/27.jpg)
Do the same for each keyword
3
6
10
8
10
Address
π(Austin, 1)
π(Austin, 2)
π(Austin, 3)
π(Boston, 1)
π(Boston, 2)
E(Index)
27
![Page 28: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/28.jpg)
In the store phase,
• The client stores
Client Server
E(D1), , E(D⋯ N), and E(Index)
28
![Page 29: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/29.jpg)
In the search phase,
• The client sends
Client Server
t(Austin)=( π(Austin, 1), π(Austin, 2), π(Austin, 3) )
3
6
10
8
10
E(Index)
29
![Page 30: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/30.jpg)
The server sees that the corresponding indexes are
Client Server
π(Austin, 1), π(Austin, 2), π(Austin, 3)
3
6
10
8
10
E(Index)30
![Page 31: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/31.jpg)
Hence the server can return
Client Server
π(Austin, 1), π(Austin, 2), π(Austin, 3)
E(D3), E(D6), E(D10)
3
6
10
8
10
E(Index)31
![Page 32: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/32.jpg)
This scheme
• Is secure against passive attacks.• But it is not secure against active attacks.
32
![Page 33: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/33.jpg)
A naive approach is to add MAC to each E(Di)
Client Server
π(Austin, 1), π(Austin, 2), π(Austin, 3)
E(D3), MAC(E(D3)),E(D6), MAC(E(D6)),E(D10), MAC(E(D10))
The server returnsthese files together with their MACs 33
![Page 34: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/34.jpg)
But a malicious server will
Client
π(Austin, 1), π(Austin, 2), π(Austin, 3)
E(D3), MAC(E(D3)),E(D6), MAC(E(D6)),E(D10), MAC(E(D10))
Malicious
Replace some pair with another pair
E(D100), MAC(E(D100))
34
![Page 35: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/35.jpg)
The client cannot detect this cheating
Client
π(Austin, 1), π(Austin, 2), π(Austin, 3)
E(D3), MAC(E(D3)),E(D6), MAC(E(D6)),E(D10), MAC(E(D10))
Malicious
Because this is a valid pairof MAC
E(D100), MAC(E(D100))
35
![Page 36: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/36.jpg)
The proposed scheme
Client
π(Austin, 1)
E(D3), Tag3=MAC(π(Austin, 1), E(D3))
We include π(Austin, 1) in the input of MAC
So the server returns
36
![Page 37: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/37.jpg)
This method works
Client
π(Austin, 1)
E(D3), Tag3=MAC(π(Austin, 1), E(D3))
Because the MAC binds the query and the answer pair
37
![Page 38: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/38.jpg)
More precisely,• The client writes such MAC values in E(Index), and stores it on the server
3, tag3=MAC( π(Austin, 1), E(D3) )
6, tag6=MAC( π(Austin, 2) , E(D6) )
10, tag10=MAC( π(Austin, 3) , E(D10) )
π(Austin, 1)
π(Austin, 2)
π(Austin, 3)
E(Index)
38
![Page 39: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/39.jpg)
For a query π(Austin, 1)E(Index)
π(Austin, 1)
π(Austin, 1)
The server returns E(D3) andtag3=MAC( π(Austin, 1), E(D3) )
3, tag3=MAC( π(Austin, 1), E(D3) )
6, tag6=MAC( π(Austin, 2) , E(D6) )
10, tag10=MAC( π(Austin, 3) , E(D10) )
39
![Page 40: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/40.jpg)
The client checks the validity of
π(Austin, 1)
tag3=MAC( π(Austin, 1), E(D3) )
E(D3)
The details are written in the paper.
40
![Page 41: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/41.jpg)
Another Subtle Point
• If 3 appears many times in E(Index), • the adversary sees that• D3 includes more keywords than the other documents.
3
3, tag3=MAC( π(Austin, 1), E(D3) )
3
6, tag6=MAC( π(Austin, 2) , E(D6) )
3
10, tag10=MAC( π(Austin, 3) , E(D10) )
E(Index) =
41
![Page 42: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/42.jpg)
Hence• the index i of each Di should appear the same number of times.• Curtmola et al. didn’t show such a method.
3, tag3=MAC( π(Austin, 1), E(D3) )
6, tag6=MAC( π(Austin, 2) , E(D6) )
10, tag10=MAC( π(Austin, 3) , E(D10) )
E(Index) =
42
![Page 43: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/43.jpg)
We solve this problem as follows
keyword DocumentsAustin D1, D2
Boston D3, D4
Washington D5
Suppose that there are 5 documentsand
Index
43
![Page 44: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/44.jpg)
1,
2,
dummy,
dummy,
dummy,
Since Austin ∈{D1, D2}. we consider a list such that
44
![Page 45: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/45.jpg)
1,
2,
dummy,
dummy,
dummy,
We consider another listwhich includes (3,4,5)
dummy,
dummy,
3
4
5
45
![Page 46: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/46.jpg)
π(0, Austin, 1) 1
π(0, Austin, 2) 2
π(0, Austin, 3) dummy
π(0, Austin, 4) dummy
π(0, Austin, 5) dummy
π(1, Austin, 1) dummy
π(1, Austin, 2) dummy
π(1, Austin, 3) 3
π(1, Austin, 4) 4
π(1, Austin, 5) 5
address address
E(Index) is constructed by permuting them randomly by using a PRP π as follows.
46
![Page 47: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/47.jpg)
π(0, Austin, 1) 1
π(0, Austin, 2) 2
π(0, Austin, 3) dummy
π(0, Austin, 4) dummy
π(0, Austin, 5) dummy
π(1, Austin, 1) dummy
π(1, Austin, 2) dummy
π(1, Austin, 3) 3
π(1, Austin, 4) 4
π(1, Austin, 5) 5
address address
In the search phase,the client sends π(0, Austin, *) to the server
47
![Page 48: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/48.jpg)
π(0, Austin, 1) 1
π(0, Austin, 2) 2
π(0, Austin, 3) dummy
π(0, Austin, 4) dummy
π(0, Austin, 5) dummy
π(1, Austin, 1) dummy
π(1, Austin, 2) dummy
π(1, Austin, 3) 3
π(1, Austin, 4) 4
π(1, Austin, 5) 5
address address
The server returns the corresponding contents
48
![Page 49: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/49.jpg)
π(0, Austin, 1) 1
π(0, Austin, 2) 2
π(0, Austin, 3) dummy
π(0, Austin, 4) dummy
π(0, Austin, 5) dummy
π(1, Austin, 1) dummy
π(1, Austin, 2) dummy
π(1, Austin, 3) 3
π(1, Austin, 4) 4
π(1, Austin, 5) 5
address address
Noweach i {1,2,3,4,5} appears once for each keyword∈
E(Index) 49
![Page 50: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/50.jpg)
Later
• We will prove that our scheme is UC-secure• Hence it is secure against active attacks.
50
![Page 51: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/51.jpg)
Our theoretical results
(1) Extend the model of SSE to verifiable SSE(2) Define the security against active attacks.(3) Next formulate the UC-security(4) Then prove the equivalence between (1) and (2)(4) Finally show a UC-secure scheme
51
![Page 52: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/52.jpg)
A verifiable SSE
consists of 6 algorithms:
• KeyGen• Enc• Trapdoor• Search• Verify • Dec
52
![Page 53: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/53.jpg)
In the store phase,
The client first generates a key K ← KeyGen(1k) and keeps it secret.
53
![Page 54: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/54.jpg)
The client next chooses
D={set of documents} = {D1, …, DN}W={set of keywords}
Enc K
And computes C= { E(D1), , E(D⋯ N) } I= E{ Index }
54
![Page 55: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/55.jpg)
D={set of documents} = {D1, …, DN}W={set of keywords}
Enc K
Then the client sends C= { E(D1), , E(D⋯ N) } I= E{ Index }
55
![Page 56: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/56.jpg)
In the search phase,
keyword
Trapdoor K
and computes t(keyword) =[π(0,Austin,1), …, π(0,Austin,1)]By using Trapdoor algorithm
The client chooses
56
![Page 57: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/57.jpg)
keyword
Trapdoor K
Then the client sends t(keyword)
57
![Page 58: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/58.jpg)
and computes C(keyword)= { E(D3), E(D6), E(D10) } Tag
Search
The server receives t(keyword)
C= { E(D1), , E(D⋯ N) } I= E{ Index }
Ex. the keyword is included in D3, D6 and D10.58
![Page 59: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/59.jpg)
Search t(keyword)
Then the server returns C(keyword)={ E(D3), E(D6), E(D10) } Tag
C= { E(D1), , E(D⋯ N) } I= E{ Index }
59
![Page 60: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/60.jpg)
ClientServer
t(keyword)
C(keyword)={E(D3), E(D6), E(D10)}Tag
60
![Page 61: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/61.jpg)
Then the client computes Verify algorithmon input
t(keyword)
C(keyword)={E(D3), E(D6), E(D10)}Tag
Verify
Accept / Reject
K
61
![Page 62: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/62.jpg)
If Accept, the clients decrypts
C(keyword)={E(D3), E(D6), E(D10)}
DecK
and obtains the documents D3, D6, D10 which contain the keyword
62
![Page 63: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/63.jpg)
Our theoretical results
(1) Extend the model of SSE to verifiable SSE(2) Define the security against active attacks.(3) Next formulate the UC-security(4) Then prove the equivalence between (1) and (2)(4) Finally show a UC-secure scheme
63
![Page 64: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/64.jpg)
The security against active attacks
• Consists of privacy and reliability• We define privacy similarly to Curtmola et al.• That is,
64
![Page 65: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/65.jpg)
In the store phase,
Client Server
E(D1), , E(D⋯ N), E(Index)
The server will learn |D1|, …, |DN| and |{keywords}|from what she received
65
![Page 66: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/66.jpg)
In the search phase,
This means that the server knows the corresponding indexes {3, 6, 10}
For t(keyword)the server returns C(keyword).
t(keyword)
C(keyword)=( E(D3), E(D6), E(D10) )Tag
66
![Page 67: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/67.jpg)
To summarize
The server learns• |D1|, …, |DN| and |{keywords}|• the indexes {3, 6, 10} which corresponds to a queried keyword
67
![Page 68: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/68.jpg)
The Privacy definition
• requires that the server should not be able to learn any more information
68
![Page 69: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/69.jpg)
The Privacy definition
• requires that the server should not be able to learn any more information• To formulate this, we consider a real game and a simulation game
69
![Page 70: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/70.jpg)
In the Real Game
D = {D1, …, DN}W={set of keywords}
Distinguisher
C= { E(D1), , E(D⋯ N) } I= E{ Index }
Client
70
![Page 71: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/71.jpg)
Next
keyword
Distinguisher
t(keyword)
Client
71
![Page 72: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/72.jpg)
Next
keyword
Distinguisher
t(keyword)
Client
72
![Page 73: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/73.jpg)
Finally
keyword
Distinguisher
t(keyword)
Client
b=0 or 1
73
![Page 74: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/74.jpg)
In the Simulation Game
D = {D1, …, DN}W={set of keywords}
Distinguisher
Somehow computes C= { E(D1), , E(D⋯ N) } I= E{ Index }
ClientSimulator
|D1|, …, |DN| and |{keywords}|
74
![Page 75: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/75.jpg)
Next
keyword
Distinguisher
Somehow computes t(keyword)
ClientSimulator
The corresponding indexes {3, 6, 10}
75
![Page 76: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/76.jpg)
Next
keyword
Distinguiher
Somehow computes t(keyword)
ClientSimulator
The corresponding indexes {3, 6, 10}
76
![Page 77: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/77.jpg)
Finally
keyword
Distinguisher
t(keyword)
ClientSimulator
{3, 6, 10}
b=0 or 1
77
![Page 78: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/78.jpg)
Definition of Privacy
• We say that a verifiable SSE satisfies privacy if• there exists a simulator such that• |Pr( b=1 in Real)- Pr( b=1 in Simulation)|• is negligible for any distinguisher.
78
![Page 79: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/79.jpg)
The Def. of Curtmola et al.
• Requires that • for any distinguisher,• there exists a simulator such that• |Pr( b=1 in Real)- Pr( b=1 in Simulation)|• is negligible.
In this definition,the simulator depends on the distinguisher.
79
![Page 80: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/80.jpg)
Our definition
• is slightly stronger than that of Curtmola et al. because in our definition, the simulator is independent of the distinguisher.
80
![Page 81: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/81.jpg)
Our definition
• is slightly stronger than that of Curtmola et al. because in our definition, the simulator is independent of the distinguisher.• This small change is important when we prove the equivalence with the UC-security.
81
![Page 82: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/82.jpg)
The client sends
The honest server returns
t(keyword)
C(keyword)={E(D3), E(D6), E(D10)}Tag
Next Reliability
82
![Page 83: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/83.jpg)
The honest server returns
Client sends
t(keyword)
C(keyword)={E(D3), E(D6), E(D10)}Tag
We say that C(keyword)* is invalid for t(keyword) if C(keyword)* ≠ C(keyword)
83
![Page 84: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/84.jpg)
We say that Server* wins
If she can return (C(keyword)*, Tag*) for some t(keyword) such that(1) C(keyword)* is invalid and (2) The client accepts (C(keyword)*, Tag*)
84
![Page 85: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/85.jpg)
Definition of Reliability
We say that a verifiable SSE satisfies reliability if Pr(Server* wins) is negligiblefor any Server*, any D={set of documents},any W={set of keywords}and any queried keyword.
85
![Page 86: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/86.jpg)
Our theoretical results
(1) Extend the model of SSE to verifiable SSE(2) Define the security against active attacks.(3) Next formulate the UC-security(4) Then prove the equivalence between (1) and (2)(4) Finally show a UC-secure scheme
86
![Page 87: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/87.jpg)
In General
Even if a protocol π is secure,it may not be secure • if π is executed concurrently,
• Or if π is a part of a larger protocol
Client 1
Client 2
Server
87
![Page 88: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/88.jpg)
Universal Composability (UC)
Is a framework which guarantees that • A protocol π is secure• Even if π is executed concurrently, and• Even if π is a part of a larger protocol
88
![Page 89: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/89.jpg)
The notion of UC
• was introduced by Canetti.• He proved that UC-security is maintained under a general protocol composition.
89
![Page 90: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/90.jpg)
In the UC framework
A Real world An Ideal worldA protocol π An Ideal Functionality Fπ
We consider a real world and an ideal world.In the ideal world, there exists an ideal functionality
A protocol π is UC-secure if the real world is indistinguishable from the ideal world.
90
![Page 91: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/91.jpg)
We define
• An ideal functionality FvSSE of verifiable SSE as follows.
91
![Page 92: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/92.jpg)
In our case,the ideal world looks like this
dummyClient
Ideal FunctionalityFvSSE
EnvironmentZ
UC adversaryS
dummyServer
92
![Page 93: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/93.jpg)
First in the store phase
dummyClient
Ideal FunctionalityFvSSE
EnvironmentZ
D={D1, …, DN} W={set of keywords}
93
![Page 94: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/94.jpg)
The dummy client relays them to FvSSE
dummyClient
Ideal FunctionalityFvSSE
EnvironmentZ
D={D1, …, DN} W={set of keywords}
D={D1, …, DN} W={set of keywords}
94
![Page 95: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/95.jpg)
Our FvSSE sends
dummyClient
Ideal FunctionalityFvSSE
EnvironmentZ
D={D1, …, DN} W={set of keywords}
D={D1, …, DN} W={set of keywords}
UC adversaryS
|D1|, …, |DN||{keywords}|
95
![Page 96: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/96.jpg)
Next in the search phase
dummyClient
Ideal FunctionalityFvSSE
EnvironmentZ
keyword
UC adversaryS
96
![Page 97: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/97.jpg)
The dummy client relays it to FvSSE
dummyClient
Ideal FunctionalityFvSSE
EnvironmentZ
keyword
keyword
UC adversaryS
97
![Page 98: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/98.jpg)
Our FvSSE sends
dummyClient
Ideal FunctionalityFvSSE
EnvironmentZ
keyword
keyword
UC adversaryS
The corresponding indexes {3,6,10}
98
![Page 99: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/99.jpg)
The UC adversary S returns
dummyClient
Ideal FunctionalityFvSSE
EnvironmentZ
keyword
keyword
UC adversaryS
{3,6,10} Accept or Reject
99
![Page 100: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/100.jpg)
If S returns Reject,
dummyClient
Ideal FunctionalityFvSSE
EnvironmentZ
keyword
keyword
UC adversaryS
{3,6,10} Reject
100
![Page 101: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/101.jpg)
Our FvSSE sends Reject to the dummy client
dummyClient
Ideal FunctionalityFvSSE
EnvironmentZ
keyword
keyword
UC adversaryS
{3,6,10} Reject
Reject
101
![Page 102: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/102.jpg)
The dummy client relays it to Z
dummyClient
Ideal FunctionalityFvSSE
EnvironmentZ
keyword
keyword
UC adversaryS
{3,6,10} Reject
Reject
Reject
102
![Page 103: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/103.jpg)
If S returns Accept,
dummyClient
Ideal FunctionalityFvSSE
EnvironmentZ
keyword
keyword
UC adversaryS
{3,6,10} Accept
103
![Page 104: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/104.jpg)
Our FvSSE sends {D3,D6,D10}
dummyClient
Ideal FunctionalityFvSSE
EnvironmentZ
keyword
keyword
UC adversaryS
{3,6,10} Accept
{D3,D6,D10}
104
![Page 105: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/105.jpg)
The dummy client relays them to Z
dummyClient
Ideal FunctionalityFvSSE
EnvironmentZ
keyword
keyword
UC adversaryS
{3,6,10} Accept
{D3,D6,D10}
{D3,D6,D10}
105
![Page 106: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/106.jpg)
So Z receives {D3,D6,D10} correctlyor Reject
dummyClient
Ideal FunctionalityFvSSE
EnvironmentZ
keyword
keyword
UC adversaryS
{3,6,10} Accept/Reject
{D3,D6,D10}/Reject
{D3,D6,D10}/Reject
106
![Page 107: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/107.jpg)
This is an ideal world
Because(1) The dummy client receives {D3,D6,D10} which contains the keyword correctly, or receives Reject(2) UC adversary S learns only |D1|, …, |DN|, |{keywords}| and the indexes {3,6,10} for a queried keyword
107
![Page 108: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/108.jpg)
Further S can corrupt
dummyClient
Ideal FunctionalityFvSSE
EnvironmentZ
UC adversaryS
dummyServer
108
![Page 109: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/109.jpg)
Also Z can interact with S freely
dummyClient
Ideal FunctionalityFvSSE
EnvironmentZ
UC adversaryS
dummyServer
109
![Page 110: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/110.jpg)
Z finally outputs 0 or 1
dummyClient
Ideal FunctionalityFvSSE
EnvironmentZ
UC adversaryS
dummyServer
110
![Page 111: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/111.jpg)
In the real world
Client Server
EnvironmentZ
D={set of documents} W={set of keywords}
111
![Page 112: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/112.jpg)
Client Server
EnvironmentZ
D={set of documents} W={set of keywords}
Then the client and the server runs the store phaseof a verifiable SSE protocol 112
![Page 113: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/113.jpg)
In the search phase
Client Server
EnvironmentZ
keyword
113
![Page 114: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/114.jpg)
Client Server
EnvironmentZ
keyword
The client and the server runs the search phaseof the verifiable SSE protocol 114
![Page 115: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/115.jpg)
The client sends his output to Z
Client Server
EnvironmentZ
keywordD3, D6, D10
115
![Page 116: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/116.jpg)
An adversary A can corrupt
Client Server
EnvironmentZ
AdversaryA
116
![Page 117: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/117.jpg)
Further Z can interact with A freely
Client Server
EnvironmentZ
AdversaryA
117
![Page 118: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/118.jpg)
Z finally outputs 0 or 1
Client Server
EnvironmentZ
AdversaryA
118
![Page 119: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/119.jpg)
We say that
• A verifiable SSE protocol is UC-secure if for any adversary A, there exists a UC-adversary S such that• no environment Z can distinguish the real world from the ideal world.
119
![Page 120: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/120.jpg)
Our theoretical results
(1) Extend the model of SSE to verifiable SSE(2) Define the security against active attacks.(3) Next formulate the UC-security(4) Then prove the equivalence between (2) and (3)(4) Finally show a UC-secure scheme
120
![Page 121: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/121.jpg)
Equivalence
(Theorem) A verifiable SSE protocol is UC-secure if and only if it satisfies our definition of privacy and reliability
Herewe consider static adversaries.
121
![Page 122: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/122.jpg)
This means that
The security of a verifiable SSE protocolis maintained under a general protocol composition
if it satisfies our privacy and reliability
Client 1
Client 2Server
122
![Page 123: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/123.jpg)
Our theoretical results
(1) Extend the model of SSE to verifiable SSE(2) Define the security against active attacks.(3) Next formulate the UC-security(4) Then prove the equivalence between (2) and (3)(5) Finally prove our scheme is UC-secure
123
![Page 124: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/124.jpg)
We assume that
• The encryption algorithm E is CPA secure• MAC is unforgeable against chosen message
attack.
124
![Page 125: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/125.jpg)
Theorem
• Our scheme satisfies privacy and reliability of our definition.
125
![Page 126: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/126.jpg)
Proof of privacy
• Suppose that there are 5 documents, and 3 keywords.• We must show a simulator such that
126
![Page 127: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/127.jpg)
ClientSimulator
|D1|, …, |D5| and |{keywords}|=3
In the store phase, Sim receives |D1|, …, |D5| and |{keywords}|=3
127
![Page 128: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/128.jpg)
Then it must compute C= { E(D1), , E(D⋯ 5) } E(Index)
ClientSimulator
|D1|, …, |D5| and |{keywords}|=3
128
![Page 129: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/129.jpg)
Our Sim computes C as C= { E(random), , E(random)⋯ } E(Index)
ClientSimulator
|D1|, …, |D5| and |{keywords}|=3
129
![Page 130: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/130.jpg)
If E is secure,
• { E(D1), , E(D⋯ 5) } ≈ { E(random), , E(random) }⋯
130
![Page 131: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/131.jpg)
Next Sim constructs E(Index) as a random permutation of this table
π(1) 1 π(11) 1 π(21) 1π(2) 2 π(12) 2 π(22) 2π(3) 3 π(13) 3 π(23) 3π(4) 4 π(14) 4 π(24) 4π(5) 5 π(15) 5 π(25) 5π(6) dummy π(16) dummy π(26) dummyπ(7) dummy π(17) dummy π(27) dummyπ(8) dummy π(18) dummy π(28) dummyπ(9) dummy π(19) dummy π(29) dummyπ(10) dummy π(20) dummy π(30) dummy
address address address
131
![Page 132: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/132.jpg)
Since π is a PRP,
• This Index ≈ the real Index
132
![Page 133: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/133.jpg)
In the search phase, suppose that
t(keyword)
ClientSimulator
{1,3,5}
133
![Page 134: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/134.jpg)
In the 1st column,Sim finds {1,3,5,dummy,dummy}
π(1) 1 π(11) 1 π(21) 1π(2) 2 π(12) 2 π(22) 2π(3) 3 π(13) 3 π(23) 3π(4) 4 π(14) 4 π(24) 4π(5) 5 π(15) 5 π(25) 5π(6) dummy π(16) dummy π(26) dummyπ(7) dummy π(17) dummy π(27) dummyπ(8) dummy π(18) dummy π(28) dummyπ(9) dummy π(19) dummy π(29) dummyπ(10) dummy π(20) dummy π(30) dummy
address address address
134
![Page 135: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/135.jpg)
Sim returns their addresses
π(1) 1 π(11) 1 π(21) 1π(2) 2 π(12) 2 π(22) 2π(3) 3 π(13) 3 π(23) 3π(4) 4 π(14) 4 π(24) 4π(5) 5 π(15) 5 π(25) 5π(6) dummy π(16) dummy π(26) dummyπ(7) dummy π(17) dummy π(27) dummyπ(8) dummy π(18) dummy π(28) dummyπ(9) dummy π(19) dummy π(29) dummyπ(10) dummy π(20) dummy π(30) dummy
address address address
135
![Page 136: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/136.jpg)
That is,
t(keyword)= [π(1),π(3),π(5),π(6),π(7)]
ClientSimulator
{1,3,5}
136
![Page 137: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/137.jpg)
Next suppose that
t(keyword)
ClientSimulator
{2,4}
137
![Page 138: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/138.jpg)
In the 2nd column,Sim finds {2,4,dummy,dummy,dummy}
π(1) 1 π(11) 1 π(21) 1π(2) 2 π(12) 2 π(22) 2π(3) 3 π(13) 3 π(23) 3π(4) 4 π(14) 4 π(24) 4π(5) 5 π(15) 5 π(25) 5π(6) dummy π(16) dummy π(26) dummyπ(7) dummy π(17) dummy π(27) dummyπ(8) dummy π(18) dummy π(28) dummyπ(9) dummy π(19) dummy π(29) dummyπ(10) dummy π(20) dummy π(30) dummy
address address address
138
![Page 139: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/139.jpg)
Sim returns their addresses
π(1) 1 π(11) 1 π(21) 1π(2) 2 π(12) 2 π(22) 2π(3) 3 π(13) 3 π(23) 3π(4) 4 π(14) 4 π(24) 4π(5) 5 π(15) 5 π(25) 5π(6) dummy π(16) dummy π(26) dummyπ(7) dummy π(17) dummy π(27) dummyπ(8) dummy π(18) dummy π(28) dummyπ(9) dummy π(19) dummy π(29) dummyπ(10) dummy π(20) dummy π(30) dummy
address address address
139
![Page 140: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/140.jpg)
That is,
t(keyword)= [π(12), π(14), π(16),π(17), π(18)]
ClientSimulator
{2,4}
140
![Page 141: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/141.jpg)
This is indistinguishable from the real game
t(keyword)= [π(12), π(14), π(16),π(17), π(18)]
ClientSimulator
{2,4}
141
![Page 142: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/142.jpg)
Hence
• Our scheme satisfies privacy.
142
![Page 143: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/143.jpg)
Proof of reliability
• Suppose that there exists a server* who can forge
Client Server* C(keyword)*Tag*
143
![Page 144: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/144.jpg)
Proof of reliability
• We show a forger A who can break MAC by chosen message attack
Client Server* C(keyword)*Tag*
144
![Page 145: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/145.jpg)
• A runs Server* by playing the role of the client• A uses his MAC oracle to compute X
Client Server* C(keyword)*Tag*
MAC oracle
AX
145
![Page 146: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/146.jpg)
• We can show that A never queried C(keyword)* to the MAC oracle.
Client Server* C(keyword)*Tag*
MAC oracle
A
146
![Page 147: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/147.jpg)
• This means that A succeeds in breaking MAC
Client Server* C(keyword)*Tag*
MAC oracle
A
147
![Page 148: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/148.jpg)
Hence
• Our scheme satisfies reliability.
148
![Page 149: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/149.jpg)
Corollary
• Our scheme is UC-secure.
149
![Page 150: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/150.jpg)
Summary
Privacy Curtmola et al.Reliability Our paperUC security Our paper
150
![Page 151: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/151.jpg)
Preliminary version
• was presented at Financial Cryptography 2012• The paper is available from the homepage of
FC 2012
151
![Page 152: Cryptography for Cloud Storage Service](https://reader035.vdocument.in/reader035/viewer/2022062501/56816245550346895dd2803a/html5/thumbnails/152.jpg)
Thank you !!
152