
Multi-user Searchable Data Encryption

3 Review of Searchable Encryptions

3.3 Multi-user Searchable Data Encryption

A Multi-user Searchable Data Encryption scheme (DGD) proposed by Dong et al. [9] is a cryptosystem that supports sharing encrypted data on an untrusted server among a group of authorized users, performing keyword search on encrypted data without the decryption key, and adding or revoking users without restarting the service. Users rely on the data storage server to honestly perform the search computation for them but do not trust the server with data content; the server is considered to be “honest but curious.” Three parties are involved in the DGD system:

1. Users: The authorized users are able to read, write, and search over encrypted data on the untrusted server. The authorized users are fully trusted. After revocation, a revoked user is no longer able to access the data.

2. Server: The server is responsible for processing the received encrypted data, storing the encrypted data, searching on receiving a user’s query, and returning the encrypted data that contains the query keyword.

3. Key management server (KMS): The fully trusted KMS is responsible for generating and revoking user keys. Compared to the untrusted data server, securing the KMS requires less effort. Also, the KMS can be kept offline most of the time.

Before introducing the multi-user searchable data encryption, we first introduce two definitions: negligible function and pseudorandom function.

Definition 3.2 (Negligible Function)

A function ( ) is negligible if for every positive polynomial ( ) there exists an integer such that for all ( )

( ) .

Definition 3.3 (Pseudorandom Function)

A function { { { is a pseudorandom function if for all probabilistic polynomial time algorithm , there exists a negligible function such that

| [ ( ) ] [ ( ) ]| ( )

where random key ← { and function { { .

Now let’s see the definition of the DGD scheme.

Definition 3.4 (Multi-user Searchable Data Encryption)

A searchable encryption scheme that consists of the following probabilistic polynomial time randomized algorithms:

1. ( ): The KMS takes the security parameter and outputs public key and a master key set .

2. ( ): The KMS takes the master key set and a user’s identity , generates the secret key set . User side key is then securely sent to the user , and server side key is sent to the server.

3. ( ( )): The user uses his user side key to encrypt a document with a set of associated keywords ( ). The output is user-side ciphertext ( ( )).

4. ( ( ( ))) : On receiving the ciphertext ( ( )) from user , the server fetches the server side key , and outputs re-encrypted ciphertext ( ( )).

5. ( ): The user uses his user side key to generate a trapdoor ( ) related to a keyword

6. ( ( ) ( ) ): The server takes as input the trapdoor ( ) and user’s identity , then tests for each ( ( )) ( ) if keyword ( ). If ‘yes’, the server invokes the pre-decrypt algorithm to obtain ( ) and sends ( ) to the user .

7. ( ( )): The user takes his user key , and decrypts ( ) to obtain data .

8. ( ): Given , the data server updates the user-key mapping set ( ).

The DGD scheme is based on proxy cryptography. In the following sections, we will first review ElGamal encryption scheme , then describe the proxy encryption scheme using the algorithm in ElGamal encryption scheme . Next, the keyword encryption scheme is defined. Finally, with and schemes, the Multi-user Searchable Data Encryption is presented.

3.3.1 ElGamal Proxy Encryption

Before defining the ElGamal proxy encryption scheme, the ElGamal encryption scheme is defined as follows:

( )

Choose prime numbers such that | , a cyclic group with generator such that is the unique order subgroup of . Choose ← and compute . Outputs the public key ( ) and private key .

( )

Choose ← and output ciphertext ( ) ( ).

( )

Decrypt ciphertext as ( ) .

The proxy encryption scheme consists of 6 algorithms:

( )

KMS runs ( ) to obtain ( ), then it outputs public parameters ( ), and master key .

( )

For each user chooses ← and computes . Then the KMS securely transmits to the user and ( ) to the proxy server.

( )

The user chooses ← and outputs ciphertext ( ) ( ). Then the user sends the ciphertext to the proxy server.

( ( ))

In this proxy re-encryption algorithm, the proxy server finds ( ) where is the user’s server side key, and computes ( ) . The stored ciphertext becomes ( ) ( ).

( ( ))

In this proxy side decryption algorithm, the proxy server finds ’s server side key and computes ( ) . The ciphertext is partially decrypted as ( ) ( ) and is sent to user .

( ( ))

User fully decrypts the ciphertext as ( ) .
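The key split, re-encryption, pre-decryption and revocation steps above can be traced in a short script. This is an added example, not code from Dong et al. or from this text; because the formulas are not legible on this page, it assumes the additive split x = x_user + x_server (mod q) of the master key, and the class and function names and the toy group (p = 2039, q = 1019, g = 4) are constructed for illustration.

```python
import secrets

# Toy group (constructed, far too small for real use): p = 2q + 1 and
# g generates the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4

class KMS:
    """Trusted key management server holding the master key x."""
    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1
        self.h = pow(G, self.x, P)                 # public key h = g^x

    def keygen(self):
        # Assumed additive split: x = x_user + x_server (mod q)
        x_user = secrets.randbelow(Q)
        return x_user, (self.x - x_user) % Q

class ProxyServer:
    """Honest-but-curious server holding only server-side key shares."""
    def __init__(self):
        self.keys = {}                             # user id -> x_server

    def re_encrypt(self, uid, ct):
        c1, c2 = ct
        # g^(r*x_user)*m times c1^x_server gives g^(r*x)*m (master-key form)
        return c1, c2 * pow(c1, self.keys[uid], P) % P

    def pre_decrypt(self, uid, ct):
        c1, c2 = ct
        # Remove this reader's server share, leaving g^(r*x_user)*m
        return c1, c2 * pow(c1, -self.keys[uid], P) % P

    def revoke(self, uid):
        self.keys.pop(uid, None)                   # no share, no pre-decryption

def user_encrypt(x_user, m):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, r * x_user, P) * m % P

def user_decrypt(x_user, ct):
    c1, c2 = ct
    return c2 * pow(c1, -x_user, P) % P

def demo(m=1234):
    kms, srv = KMS(), ProxyServer()
    alice, srv.keys["alice"] = kms.keygen()
    bob, srv.keys["bob"] = kms.keygen()
    stored = srv.re_encrypt("alice", user_encrypt(alice, m))
    via_master = user_decrypt(kms.x, stored)       # stored form is user-independent
    via_bob = user_decrypt(bob, srv.pre_decrypt("bob", stored))
    srv.revoke("bob")
    return via_master, via_bob, srv, stored
```

Revocation here is only the server deleting its share; the revoked user's own share is unchanged, which is why the scheme depends on the server following the protocol.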

3.3.2 Keyword Encryption

Derived from the proxy encryption scheme, the keyword encryption scheme is capable of securely encrypting keywords, allowing users to search over the encrypted data by generating trapdoors. The keyword encryption scheme is defined as follows:

( )

The KMS runs ( ) to obtain ( ) . Compute and choose hash function , a pseudorandom function and a random key for . Then the KMS outputs public parameters ( ), and master key ( ).

( )

For each user , the KMS runs ( ) to obtain . Then the KMS securely transmits ( ) to the user and ( ) to the proxy server.

( )

The user chooses ← . The user side trapdoor for keyword is encrypted as ( ) ( ̂ ̂ ̂ ) ( ( ̂ ) ( )) where ( ). Then the user sends the ciphertext ( ) to the proxy server.

( ( ))

The proxy server computes trapdoor ( ) ( ) such that ( ̂ ) ̂ ̂ ( ) and ( ).

Because the keyword encryption scheme is used to generate searchable encryption, which does not need to be decrypted, there is no decrypting algorithm.

3.3.3 Multi-user Searchable Data Encryption

Combining the previous and algorithms, the Multi-user Searchable Data Encryption is described as the following 8 algorithms.

( )

The KMS runs ( ) to obtain public parameters ( ), and master key ( ).

( )

For each user , the KMS runs ( ) to obtain . Then the KMS securely transmits to the user and ( ) to the proxy server. The server side user-key mapping set is updated as ( ).

( ( ))

The user calls ( ) ( ) to encrypt data , and compute ( ) ( ( )) for each for keyword ( ). The user side ciphertext is

( ( )) ( ( ) ( ) ( )) where | ( )|

( ( ( )))

The proxy server finds ( ), the server side key of user . Then the server invokes ( ) ( ( )) , and the server calls ( ) ( ( )) for each ( ) . The re-encrypted data ( ( )) ( ( ) ( ) ( )) is then inserted into the data storage ( ) ( ) ( ( )).

( )

The user chooses random number ← and uses his user side key ( ) to compute a trapdoor ( ) ( ) for a keyword , where , , and ( ).

( ( ) ( ) )

The server performs the search on receiving trapdoor ( ) ( ) from the user with . The server first computes . Then, for each keyword cipher ( ) ( ) ( ( )) in every ciphertext ( ( )) ( ), it tests if ( ); ‘true’ implies that, with great probability, a match is found. The server then partially decrypts all matched encrypted data ( ) by invoking ( ) ( ( )). Note that ( ) does not need to be decrypted.

( ( ))

The server runs ( ) ( ( )) to partially decrypt the encrypted ciphertext and sends ( ) to user .

( ( ))

User fully decrypts the pre-decrypted ciphertext ( ) by calling ( ( )).

( )

To revoke user , the data server simply updates the user-key mapping set ( ).

The correctness of the searching algorithm depends on the collision resistance of hash function . Hence, there exists a negligible function such that

[ ] ( )
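The keyword encryption, trapdoor and search test of Sections 3.3.2 and 3.3.3 can be followed end to end in the script below. It is an added example, not code from Dong et al. or from this text: the exponent formulas are assumptions, since they are not legible on this page, HMAC-SHA256 and SHA-256 stand in for the pseudorandom function and the hash, and the toy group and all function names are constructed.

```python
import hashlib, hmac, secrets

# Toy group (constructed, insecure size): p = 2q + 1, g of prime order q.
P, Q, G = 2039, 1019, 4

def H(elem):
    return hashlib.sha256(str(elem).encode()).digest()

def prf(s, w):
    # sigma = f_s(w); HMAC-SHA256 reduced mod q is an assumed instantiation
    mac = hmac.new(s, w.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % Q

def init():
    x = secrets.randbelow(Q - 1) + 1            # master key x, h = g^x
    return x, pow(G, x, P), secrets.token_bytes(16)

def keygen(x):
    x1 = secrets.randbelow(Q)                   # user share; server gets x - x1
    return x1, (x - x1) % Q

def kw_encrypt(x1, s, h, w):                    # user side
    r = secrets.randbelow(Q)
    c1 = pow(G, r + prf(s, w), P)
    return c1, pow(c1, x1, P), H(pow(h, r, P))

def kw_reencrypt(x2, ct):                       # server side
    c1, c2, c3 = ct
    return pow(c1, x2, P) * c2 % P, c3          # (h^(r+sigma), H(h^r))

def trapdoor(x1, s, h, w):                      # user side, fresh r per query
    r, sigma = secrets.randbelow(Q), prf(s, w)
    t1 = pow(G, sigma - r, P)
    t2 = pow(h, r, P) * pow(G, x1 * (sigma - r), P) % P
    return t1, t2

def search(x2, td, store):                      # server side
    t1, t2 = td
    t_inv = pow(pow(t1, x2, P) * t2 % P, -1, P) # inverse of h^sigma
    return sorted(doc for doc, kws in store.items()
                  if any(H(c1 * t_inv % P) == c2 for c1, c2 in kws))

def demo(query):
    x, h, s = init()
    (a1, a2), (b1, b2) = keygen(x), keygen(x)   # writer Alice, searcher Bob
    docs = {"doc1": ["invoice", "q3"], "doc2": ["payroll"]}  # constructed
    store = {d: [kw_reencrypt(a2, kw_encrypt(a1, s, h, w)) for w in ws]
             for d, ws in docs.items()}
    return search(b2, trapdoor(b1, s, h, query), store)
```

With q = 1019 the value sigma has only 1019 possible values, so unrelated keywords occasionally collide in this toy group; at real parameter sizes that false-match probability is the negligible term in the bound above.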
