Inverted Index Based Multi-Keyword Public-key Searchable Encryption with Strong Privacy Guarantee

Inverted Index Based
Multi-Keyword Public-key
Searchable Encryption with
Strong Privacy Guarantee
Bing Wang, Wei Song, Wenjing Lou, Y. Thomas Hou
INFOCOM 2015
SWIM Seminar
October 21, 2016
Mateus Cruz

Introduction Preliminaries Proposal Experiments Conclusion
OUTLINE
1 Introduction
2 Preliminaries
3 Proposal
4 Experiments
5 Conclusion

OVERVIEW
Search encrypted data
Use of inverted index
Preserve query privacy
Efﬁciency using cheap operations
1 / 21

CONTRIBUTIONS
Use the same index more than once
Support conjunctive multi-keyword queries
Trapdoor unlinkability
The same query have multiple trapdoors
Efﬁciency
Only use multiplication and exponentiation
No use of pairing
2 / 21

RELATED WORK
Bloom ﬁlter index
Only supports single keyword search
Self-designed indices
Not compatible with each other
One-time-only search limitation
Leaks query information from trapdoor
No support for multi-keyword search
3 / 21

INVERTED INDEX
Multiple inverted lists: I = (Iw1,Iw2,...,Iwm)
The list Iwi
has all documents containing wi
Efﬁcient for large datasets
Can be extended
Result ranking
Phrase search
4 / 21

PRIVATE SET INTERSECTION
Only reveals the intersection
No other information is leaked
FNP protocol1
Uses Paillier cryptosystem
– E(a1 +a2) = E(a1)E(a2)
1Freedman, Nissim and Pinkas: “Efﬁcient private matching and set
intersection” (EUROCRYPT 2004)
5 / 21

FNP PROTOCOL
1 Alice represents her set A as a polynomial
f (x) = ai∈A (x−ai)
2 Alice encrypts the coefﬁcients using Paillier
3 Alice sends f (x) = Enc(f (x)) to Bob
4 Bob calculates R : {rj = f (bj)+h bj}
bj ∈ B
5 Bob sends R to Alice
6 Alice decrypts R as R
7 Alice obtains A ∩B from calculating A ∩R
6 / 21

SYSTEM ARCHITECTURE
Honest-but-curious cloud server
Trusted users
7 / 21

THREAT MODEL
Conﬁdentiality of documents
Index privacy
Trapdoor privacy
Access pattern privacy
8 / 21

NOTATIONS
Document collection: Σ = (σ1,σ2,...,σn)
Keyword collection: D = (w1,w2,...,wm)
Inverted index: I = (Iw1,Iw2,...,Iwm)
Iwi
contains Σi = (σi1,σi2,...,σip)
– Σi ⊂ Σ
– wi ∈ σij,1 ≤ j ≤ p
Encrypted index I based on I
Query: Q ⊂ D
Trapdoor for query Q: TQ
9 / 21

STEPS OVERVIEW
10 / 21

SYSTEM INITIALIZATION
Done by the data owner
Receives security parameter k
Generate key pair for the Paillier algorithm
Secret key sk
Public key pk
Output master key MK = {sk,f ,M}
f : Pseudorandom permutation
M: Invertible matrix of degree m
11 / 21

ENCRYPTED INDEX GENERATION
Done by the data owner
Receives master key MK and index I
Transform inverted lists into polynomials
Encrypt coefﬁcients using pk
I = Enc(I)
Construct a dictionary matrix MD
Encrypt MD as MD = M ·MD
Send MD and I to the server
12 / 21

12 / 21

TRAPDOOR GENERATION
Pre-compute a polynomial for all keywords
m
1 (x−wi)
Generate a polynomial for user query Q
PQ(x) = PD/ wi∈Q(x−wi)
Apply padding to hide the query length
Send trapdoor TQ to the server
TQ = {(am,am−1,...,a1)·M−1
,Enc(a0)}
13 / 21

TRAPDOOR GENERATION
13 / 21

QUERYING
Calculate V = TQ[1]·MD = (v1,v2,··· ,vm)
For each vi, calculate vi = Enc(vi)+h TQ[2]
V = (v1,v2,...,vm)
Calculate result polynomial PR(x) = V ·IT
Return PR(x) to the user
14 / 21

QUERYING
14 / 21

RESULT DECRYPTION
Requires assistance of data owner
Find the roots of PR(x)
The roots are the IDs of the result documents
15 / 21

SETUP
Environment
Intel Core i3 3.3GHz 4GB RAM
Windows 8.1
Python
Dataset
Enron emails
16 / 21

SYSTEM INITIALIZATION
Generation of public and private keys
512-bit: 0.40s
1024-bit: 3.03s
17 / 21

One-time process
1 Calculate polynomials for keyword lists
2 Encrypt polynomials
Cost increases with dictionary size
18 / 21

TRAPDOOR GENERATION
Matrix multiplication is the most expensive
Can be optimized
19 / 21

QUERYING
Multiply trapdoor with the dictionary matrix
Encryption is expensive
Can be parallelized
20 / 21

SUMMARY
Searchable encryption scheme
Public key
Based on inverted index
Multi-keyword queries
Prevents trapdoor linking
Hides the number of keywords in query
Efﬁciency
Uses only multiplication and exponentiation
21 / 21

PAILLIER CRYPTOSYSTEM
Key generation
pk = (n,g)
– n = pq,GCD(pq,(p−1)(q−1)) = 1
– g ∈ Z∗
n2
sk = (λ,µ)
– λ = LMC(p−1,q−1)
– µ = (
gλ mod n2−1
n )−1
mod n
Encrypt message m into ciphertext c
c = gm
·rn
mod n2
,r ∈ Zn
Decrypt ciphertext c into message m
m = cλ
mod n2
−1
n ·µ mod n

ENCRYPTED INDEX GENERATION [1/2]
For each keyword wi and its list Iwi
Generate tags for keywords: twi
= f (wi)
Generate tags for documents: tσi
= f (σi)
Generate random numbers Ri = {rj} for Iwi
rj ∈ Z∗
n,rj ∉ f (D)
Generate polynomial Pwi
(x) for Iwi
Pwi
(x) =
σj∈Iwi
(x−tσj
)
rj∈Ri
(x−rj)
Calculate a polynomial vector
I = (Pw1 ,Pw2 ,...,Pwm )T

ENCRYPTED INDEX GENERATION [2/2]
Encrypt coefﬁcients of each Pwi
I = Enc(n,g)(I)
Construct dictionary matrix MD
MD =





tm
w1
tm
w2
··· tm
wm
tm−1
w1
tm−1
w2
··· tm−1
wm
...
... ... ...
tw1 tw2 ··· twm





Encrypt M as MD = M ·MD
Outsource MD and I to the cloud

TRAPDOOR GENERATION
Encrypt all keywords as PD(x) =
wi∈D
(x−twi
)
Receive a query request Q
Construct PQ(x) = PD/ wi∈Q(x−wi)
Generate PQ(x) by padding random terms
PQ
(x) = PQ(x)
m
q+1
(x−rj),q = |Q|,rj ∉ f (D)
Send trapdoor to user
TQ = {(am,am−q,...,a1)∗M−1
,Enc(n,g)(a0)}
– (am,am−q,...,a1) are the coefﬁcients of PQ
(x)

COMPARISON WITH OTHER WORKS
P: Map-to-point hash
M: Multiplication
E: Exponentiation
e: Pairing

Inverted Index Based Multi-Keyword Public-key Searchable Encryption with Strong Privacy Guarantee

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Viewers also liked

Viewers also liked (15)

Similar to Inverted Index Based Multi-Keyword Public-key Searchable Encryption with Strong Privacy Guarantee

Similar to Inverted Index Based Multi-Keyword Public-key Searchable Encryption with Strong Privacy Guarantee (20)

Recently uploaded

Recently uploaded (20)

Inverted Index Based Multi-Keyword Public-key Searchable Encryption with Strong Privacy Guarantee