This document summarizes a research paper that proposes an encrypted search scheme using an inverted index to allow for multi-keyword queries on encrypted data. The key contributions are: (1) supporting the reuse of the same encrypted index for multiple queries while preserving query privacy, (2) enabling conjunctive multi-keyword searches, and (3) providing efficiency by only using multiplication and exponentiation operations. The proposed scheme uses an encrypted inverted index along with trapdoor generation and private set intersection techniques to enable accurate yet private searches on outsourced encrypted data.
Inverted Index Based Multi-Keyword Public-key Searchable Encryption with Strong Privacy Guarantee
1. Inverted Index Based
Multi-Keyword Public-key
Searchable Encryption with
Strong Privacy Guarantee
Bing Wang, Wei Song, Wenjing Lou, Y. Thomas Hou
INFOCOM 2015
SWIM Seminar
October 21, 2016
Mateus Cruz
4. Introduction Preliminaries Proposal Experiments Conclusion
OVERVIEW
Search encrypted data
Use of inverted index
Preserve query privacy
Efficiency using cheap operations
1 / 21
5. Introduction Preliminaries Proposal Experiments Conclusion
CONTRIBUTIONS
Use the same index more than once
Support conjunctive multi-keyword queries
Trapdoor unlinkability
The same query have multiple trapdoors
Efficiency
Only use multiplication and exponentiation
No use of pairing
2 / 21
6. Introduction Preliminaries Proposal Experiments Conclusion
RELATED WORK
Bloom filter index
Only supports single keyword search
Self-designed indices
Not compatible with each other
One-time-only search limitation
Leaks query information from trapdoor
No support for multi-keyword search
3 / 21
8. Introduction Preliminaries Proposal Experiments Conclusion
INVERTED INDEX
Multiple inverted lists: I = (Iw1,Iw2,...,Iwm)
The list Iwi
has all documents containing wi
Efficient for large datasets
Can be extended
Result ranking
Phrase search
4 / 21
9. Introduction Preliminaries Proposal Experiments Conclusion
PRIVATE SET INTERSECTION
Only reveals the intersection
No other information is leaked
FNP protocol1
Uses Paillier cryptosystem
– E(a1 +a2) = E(a1)E(a2)
1Freedman, Nissim and Pinkas: “Efficient private matching and set
intersection” (EUROCRYPT 2004)
5 / 21
10. Introduction Preliminaries Proposal Experiments Conclusion
FNP PROTOCOL
1 Alice represents her set A as a polynomial
f (x) = ai∈A (x−ai)
2 Alice encrypts the coefficients using Paillier
3 Alice sends f (x) = Enc(f (x)) to Bob
4 Bob calculates R : {rj = f (bj)+h bj}
bj ∈ B
5 Bob sends R to Alice
6 Alice decrypts R as R
7 Alice obtains A ∩B from calculating A ∩R
6 / 21
16. Introduction Preliminaries Proposal Experiments Conclusion
SYSTEM INITIALIZATION
Done by the data owner
Receives security parameter k
Generate key pair for the Paillier algorithm
Secret key sk
Public key pk
Output master key MK = {sk,f ,M}
f : Pseudorandom permutation
M: Invertible matrix of degree m
11 / 21
17. Introduction Preliminaries Proposal Experiments Conclusion
ENCRYPTED INDEX GENERATION
Done by the data owner
Receives master key MK and index I
Transform inverted lists into polynomials
Encrypt coefficients using pk
I = Enc(I)
Construct a dictionary matrix MD
Encrypt MD as MD = M ·MD
Send MD and I to the server
12 / 21
19. Introduction Preliminaries Proposal Experiments Conclusion
TRAPDOOR GENERATION
Pre-compute a polynomial for all keywords
m
1 (x−wi)
Generate a polynomial for user query Q
PQ(x) = PD/ wi∈Q(x−wi)
Apply padding to hide the query length
Send trapdoor TQ to the server
TQ = {(am,am−1,...,a1)·M−1
,Enc(a0)}
13 / 21
21. Introduction Preliminaries Proposal Experiments Conclusion
QUERYING
Calculate V = TQ[1]·MD = (v1,v2,··· ,vm)
For each vi, calculate vi = Enc(vi)+h TQ[2]
V = (v1,v2,...,vm)
Calculate result polynomial PR(x) = V ·IT
Return PR(x) to the user
14 / 21
23. Introduction Preliminaries Proposal Experiments Conclusion
RESULT DECRYPTION
Requires assistance of data owner
Find the roots of PR(x)
The roots are the IDs of the result documents
15 / 21
26. Introduction Preliminaries Proposal Experiments Conclusion
SYSTEM INITIALIZATION
Generation of public and private keys
512-bit: 0.40s
1024-bit: 3.03s
17 / 21
27. Introduction Preliminaries Proposal Experiments Conclusion
ENCRYPTED INDEX GENERATION
One-time process
1 Calculate polynomials for keyword lists
2 Encrypt polynomials
Cost increases with dictionary size
18 / 21
28. Introduction Preliminaries Proposal Experiments Conclusion
TRAPDOOR GENERATION
Matrix multiplication is the most expensive
Can be optimized
19 / 21
29. Introduction Preliminaries Proposal Experiments Conclusion
QUERYING
Multiply trapdoor with the dictionary matrix
Encryption is expensive
Can be parallelized
20 / 21
31. Introduction Preliminaries Proposal Experiments Conclusion
SUMMARY
Searchable encryption scheme
Public key
Based on inverted index
Multi-keyword queries
Prevents trapdoor linking
Hides the number of keywords in query
Efficiency
Uses only multiplication and exponentiation
21 / 21
33. PAILLIER CRYPTOSYSTEM
Key generation
pk = (n,g)
– n = pq,GCD(pq,(p−1)(q−1)) = 1
– g ∈ Z∗
n2
sk = (λ,µ)
– λ = LMC(p−1,q−1)
– µ = (
gλ mod n2−1
n )−1
mod n
Encrypt message m into ciphertext c
c = gm
·rn
mod n2
,r ∈ Zn
Decrypt ciphertext c into message m
m = cλ
mod n2
−1
n ·µ mod n
34. ENCRYPTED INDEX GENERATION [1/2]
For each keyword wi and its list Iwi
Generate tags for keywords: twi
= f (wi)
Generate tags for documents: tσi
= f (σi)
Generate random numbers Ri = {rj} for Iwi
rj ∈ Z∗
n,rj ∉ f (D)
Generate polynomial Pwi
(x) for Iwi
Pwi
(x) =
σj∈Iwi
(x−tσj
)
rj∈Ri
(x−rj)
Calculate a polynomial vector
I = (Pw1 ,Pw2 ,...,Pwm )T
35. ENCRYPTED INDEX GENERATION [2/2]
Encrypt coefficients of each Pwi
I = Enc(n,g)(I)
Construct dictionary matrix MD
MD =
tm
w1
tm
w2
··· tm
wm
tm−1
w1
tm−1
w2
··· tm−1
wm
...
... ... ...
tw1 tw2 ··· twm
Encrypt M as MD = M ·MD
Outsource MD and I to the cloud
36. TRAPDOOR GENERATION
Encrypt all keywords as PD(x) =
wi∈D
(x−twi
)
Receive a query request Q
Construct PQ(x) = PD/ wi∈Q(x−wi)
Generate PQ(x) by padding random terms
PQ
(x) = PQ(x)
m
q+1
(x−rj),q = |Q|,rj ∉ f (D)
Send trapdoor to user
TQ = {(am,am−q,...,a1)∗M−1
,Enc(n,g)(a0)}
– (am,am−q,...,a1) are the coefficients of PQ
(x)
37. COMPARISON WITH OTHER WORKS
P: Map-to-point hash
M: Multiplication
E: Exponentiation
e: Pairing