
To achieve search security and privacy, the search keywords must be encrypted; however, a fixed keyword ciphertext is open to a statistical analysis attack, through which an attacker can extract the user's private information. To resolve this problem, we use the techniques of expansion and substitution to convert a fixed keyword ciphertext into a random, non-fixed keyword ciphertext, which we call an unlinkable search pattern. In this mechanism, each unlinkable search pattern is random and unique, so an attacker cannot obtain relevant information through statistical analysis. The following description of the Lin et al. mechanism [37] is divided into two phases: the encryption and storage phase, and the search and decryption phase.

3.1 Encryption and Storage Phase

In this phase, the user determines how their data should be encrypted and stored.

Using segmentation, data and keyword ciphertexts are divided into a number of blocks and stored in the cloud space. The size of the blocks is closely related to the search collisions. Table 1 lists the symbols used in this stage, and Figure 2 shows the overall process.

Table 1. Symbols used in encryption and storage phase

(1) The user encrypts plaintext P into ciphertext C using a symmetric key system (i.e., Bk(P) = C), and then decides the keywords kt, 1 ≤ t ≤ n, corresponding to P. Finally, the user computes the hash value of each kt with a one-way hash function (i.e., h(kt) = mt, 1 ≤ t ≤ n), where each mt is 512 bits.

(2) Each mt is divided into 32 blocks (i.e., mt = m(t1) || m(t2) || … || m(t32)), where each m(tj), 1 ≤ j ≤ 32, is 16 bits in size. Ciphertext C is also divided into 32 blocks (i.e., C = C1 || C2 || … || C32), giving Ci, 1 ≤ i ≤ 32. In addition, each Ci is given the same ciphertext identifier, Cid. The user then sends (ID, Cid, Ci, m(tj), 1 ≤ i, j ≤ 32, 1 ≤ t ≤ n) to the cloud server through a secure (authenticated) channel.

(3) When the cloud server receives the data from the user, the data (Cid, Ci, m(tj), 1 ≤ i, j ≤ 32, 1 ≤ t ≤ n) are stored based on the user's ID.

Figure 2. Encryption process and storage phase


3.2 Search and Decryption Phase

For this phase, we describe how to use an extension and a permutation to construct an unlinkable search pattern, and show how the user can search the server and obtain the ciphertext for decryption. Table 2 lists the symbols used during this stage, and Figure 3 shows the process of this phase.

Table 2. Symbols used in search and decryption phase

(1) When a user with identity ID wants to search for a ciphertext stored in the database, the user first chooses some keywords. For ease of understanding, assume a single keyword kt is chosen. The user hashes kt to obtain mt (i.e., h(kt) = mt), and then generates a random number R of the same size as mt (i.e., |R| = 512 bits). Both mt and R are divided into 32 blocks, m(tj) and Rj, 1 ≤ j ≤ 32, where each block is 16 bits. The user applies a random permutation (RP) to these 64 blocks to form a new search pattern G (i.e., G = G1 || G2 || … || G64, |Gi| = 16 bits, 1 ≤ i ≤ 64; for details, see Figure 3). The user then submits (ID, G) to the server to launch a keyword search.

(2) Upon receiving ID and G, the server uses each Gi to search its database for the corresponding ciphertext block Ci. Without loss of generality, assume G = G1 || G2 || … || G64 = m(t1) || m(t2) || … || m(t32) || R1 || R2 || … || R32. For each Gi with 1 ≤ i ≤ 32, the search result is a "hit", since Gi = m(tj); Cj is therefore found whenever m(tj) is found. For Gi with 33 ≤ i ≤ 64, on the other hand, the result may be a hit or a miss, since each such Gi is just a 16-bit random number. When the result is a hit and Gi is a random number, it is a collision.

(3) The reply of the server will depend on the following two cases.

• No collision: The server generates 32 16-bit random blocks, Rc1, …, Rc32, puts them together with the Cj corresponding to the search blocks m(tj), and replies to the user with a total of 64 ciphertext blocks (i.e., C1 || C2 || … || C32 || Rc1 || Rc2 || … || Rc32).

Notice that in this case each Ci has the same Cid.

• Collision: More than 32 Ci are found in this case, but exactly 32 of them have the same Cid. The server picks these 32 Ci and then follows the same procedure as in the previous case.

(4) When the user receives the 64 ciphertext blocks, the corresponding reverse random permutation (RP⁻¹) is first applied to recover the ciphertext blocks in their original order, and the first 32 ciphertext blocks are then decrypted.

Figure 3. Decryption process and search phase
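Steps (1) to (4) of the search phase as a runnable sketch, including the collision case; this is an added example, not code from the Lin et al. mechanism. Assumptions: SHA-512 stands in for h, the ciphertext is a constructed 64-byte string so that each Ci is 16 bits like Rc, the server's reply is slot-aligned with G, each keyword belongs to one document, and the 32 blocks of one keyword hash are distinct; all class and function names are hypothetical.

```python
import hashlib, secrets

N, SIZE = 32, 2                                   # 32 blocks of 16 bits each

def split(data):                                  # 64 bytes -> 32 two-byte blocks
    return [data[i:i + SIZE] for i in range(0, N * SIZE, SIZE)]

def keyword_blocks(keyword):                      # h(kt) = mt; SHA-512 is an assumed h
    return split(hashlib.sha512(keyword.encode()).digest())

class Server:
    def __init__(self):
        self.index = {}                           # (ID, 16-bit block) -> [(Cid, j, Cj)]

    def store(self, uid, cid, c_blocks, m):       # storage phase, step (3)
        for j in range(N):
            self.index.setdefault((uid, m[j]), []).append((cid, j, c_blocks[j]))

    def search(self, uid, G):                     # search phase, steps (2) and (3)
        hits = [self.index.get((uid, g), []) for g in G]
        seen = {}                                 # Cid -> block positions j that were hit
        for slot in hits:
            for cid, j, _ in slot:
                seen.setdefault(cid, set()).add(j)
        full = [cid for cid, js in seen.items() if len(js) == N]
        if not full:
            return None                           # keyword not stored for this user
        reply = []
        for slot in hits:                         # matched slot -> Cj, otherwise random Rc
            cj = [c for cid, _, c in slot if cid == full[0]]
            reply.append(cj[0] if cj else secrets.token_bytes(SIZE))
        return reply

def build_pattern(m, R=None):                     # search phase, step (1)
    pool = m + (R or split(secrets.token_bytes(N * SIZE)))
    perm = list(range(2 * N))
    secrets.SystemRandom().shuffle(perm)          # RP: slot i of G holds pool[perm[i]]
    return [pool[p] for p in perm], perm

def recover(reply, perm):                         # step (4): apply RP^-1, keep first 32
    inverse = sorted(range(2 * N), key=perm.__getitem__)
    return b"".join(reply[i] for i in inverse[:N])

if __name__ == "__main__":
    C = secrets.token_bytes(N * SIZE)             # constructed stand-in for ciphertext C
    srv, m = Server(), keyword_blocks("invoice")
    srv.store("alice", "cid-1", split(C), m)
    (G1, p1), (G2, _) = build_pattern(m), build_pattern(m)
    print(G1 != G2, recover(srv.search("alice", G1), p1) == C)
```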


3.3 Dynamic Maintenance

User data in a cloud may change at any time. Such changes include modification of the data content, and the addition and reduction of keywords. The mechanism we propose handles these changes with operations on the modified data that are carried out only in the encryption and storage phase.

(1) Modify Data Content: The user changes plaintext P and encrypts it with the symmetric key system into ciphertext C'; C' is divided into 32 blocks, and each block, C'i, still accompanied by the original ciphertext identifier, Cid, is sent to the cloud server for updating.

(2) Add Keywords: For each new keyword, Keyword', the user computes m' with the one-way hash function; m' is divided into 32 16-bit blocks, m'(tj), and ID, Cid, and m'(tj) are sent to the cloud server for updating.

(3) Reduce Keywords: For each keyword that is no longer used, Keyword', the user computes m' with the one-way hash function; m' is divided into 32 16-bit blocks, m'(tj), and ID, Cid, and m'(tj) are sent to the cloud server for updating.

3.4 Conjunctive Keyword Search

When the user wants to search with conjunctive keywords, the proposed mechanism only has to generate a conjunctive keyword search pattern during the search and decryption phase. The server still replies according to the corresponding search patterns, and the results do not affect the mechanism itself.

(1) When the user wants to use conjunctive keywords (e.g., Keyword1 AND Keyword2) to search for a ciphertext, the hash values of Keyword1 and Keyword2, m1 and m2, are computed (i.e., h(kt) = mt), and two random numbers, R1 and R2, each the same size as m, are randomly generated. Then m1 and R1 form search pattern G1, and m2 and R2 form search pattern G2. Finally, the user submits G1, G2, and the user ID to the server for the search.

(2) When the server receives G1, G2, and the ID, it uses both m(tj) and R(tj) of G1 and G2 to search for the user's data and find the corresponding ciphertext block, Ci.

3.5 What are Unlinkable Search and Ciphertext Patterns?

3.5.1 Unlinkable Search Pattern

Search pattern G is a random arrangement of the blocks of m and R, 64 blocks in total. Because R is randomly generated each time, search pattern G is different every time, even for the same keyword search.

Figure 4. Unlinkable search pattern


3.5.2 Unlinkable Ciphertext Pattern

Even when the search patterns for the same keyword search are unlinkable, if the reply ciphertext is still the same each time, an attacker can still easily obtain certain information. The ciphertext pattern therefore also includes random blocks Rc, and is thus also unlinkable.

Figure 5. Unlinkable ciphertext pattern
