Searchable Encryption and Equality Test over Ciphertext (可搜尋式加密和密文相等性驗證) - NCCU Academic Hub

Academic year: 2021


Department of Computer Science, National Chengchi University
Doctoral Dissertation

Searchable Encryption and Equality Test over Ciphertext (可搜尋式加密和密文相等性驗證)

Student: 黃凱彬
Advisor: Dr. 左瑞麟

January 2018

Acknowledgments

First I want to thank my family: my parents' earnest guidance and patient upbringing, my brother's many favours and my girlfriend's thoughtful understanding have been my greatest support. In my studies I have many benefactors to thank. I thank my advisor, Prof. 左瑞麟, who not only led me into the field of modern cryptography but also provided many opportunities and much help along the way so that I could keep improving. I thank Prof. 陳昱圻 of Yuan Ze University for his attentive encouragement, which kept me from giving up halfway. I thank Dr. 鍾楷閔 of Academia Sinica for his guidance, which helped me learn much of the theory of cryptography. I thank Prof. Mark Manulis and Prof. Liqun Chen of the Surrey Centre for Cyber Security, who gave me a great deal of guidance on papers and techniques during my one-year research stay in the UK, where I learned password-based modern cryptographic techniques. I thank my classmate 威廷 for often inviting me to travel around; the rich experiences inspired many research ideas. I thank my senior 致諺 for looking after me all along and for the many ball games we played to relieve stress outside research. I thank my classmate 俊翰 for his long-standing and selfless guidance in programming and computing, from which I benefited greatly and which opened my eyes. I thank my senior 明慶 for looking after me all along and for often driving me and the junior students around to explore good food. I thank my junior 汪禹 for his loyal support in helping me overcome difficulties. I thank my second uncle's family for their warm and generous care during the years I studied alone far from home. I also thank the many junior students in my own and other laboratories; every one of your acts of help is remembered. I thank the Ministry of Science and Technology for the 千里馬計劃 scholarship, which allowed me to go abroad and spend a year of research at the University of Surrey in the UK, from which I benefited enormously. I also thank the friends who took the IELTS and went abroad with me; encouraging one another and pursuing our dreams together was truly inspiring. Finally, I thank the oral examination committee members who attended; your valuable comments greatly improved both me and this dissertation. To all the family, teachers, seniors, classmates, juniors and benefactors along the way: I am indebted to you for your care throughout my doctoral studies.

Abstract (Chinese)

This dissertation examines in depth a number of ciphertext computation schemes based on public key encryption and on passwords. The first topic is public key encryption: starting from its basic framework and security definitions, the properties of public key cryptography are discussed step by step through a survey of the literature, together with two common ciphertext computations in public key encryption, homomorphic encryption and commutative encryption. A homomorphic operation is a computation between different ciphertexts encrypted under the same public key: two ciphertexts encrypted under one public key can be combined without decryption into another valid ciphertext, and the result equals the encryption, under that public key, of the two plaintexts combined. A commutative encryption system is one that permits repeated encryption: a ciphertext already encrypted under party A's public key can be encrypted again under party B's public key, yielding a multi-receiver ciphertext. The first topic discusses the related encryption schemes around these two ciphertext computation techniques. The second research topic is public key encryption with equality test. Equality test is a basic but important ciphertext computation: an authorized tester can verify whether two encrypted messages are equal without decrypting the ciphertexts, and beyond the result "equal" or "not equal" the tester learns nothing else about the ciphertexts. Public key encryption with equality test amounts to public key encryption extended with authorization and equality test functionality, and the scope and design of the authorization directly affect the scheme's practicality and security. This dissertation proposes three authorization topics: single-ciphertext authorization, compatible authorization and semantically secure authorization. The third research topic is searchable encryption, which is commonly applied in the following scenario: a user encrypts a file together with several keywords and stores them on a cloud server. When the user wants to search the encrypted files by keyword, he chooses the keywords to search for and issues a search request to the cloud server. On receiving the request, although the keywords are stored encrypted, the server can use searchable encryption techniques to return the files matching the keyword search to the recipient. Throughout the process both files and keywords are protected by encryption, and the server learns nothing about the stored or searched content. This dissertation proposes two searchable encryption systems: subset multi-keyword searchable encryption and password-based searchable encryption.

Keywords: ciphertext computation, public key encryption, security proof, equality test over ciphertext, searchable encryption, password-based authentication systems

Abstract

This dissertation addresses ciphertext computation techniques over public key encryption and password-authenticated cryptosystems. The first topic concerns public key encryption: the framework and security notions of public key encryption are reviewed, and two common ciphertext-computable public key encryptions, homomorphic encryption and commutative encryption, are then discussed. Homomorphic encryption denotes computations over ciphertexts encrypted using the same public key; the homomorphic operation over two ciphertexts equals the encryption of a new message computed from the two original messages. Commutative encryption stands for a repeated encryption system in which Alice's ciphertext can be encrypted again using Bob's public key, so that a dual-receiver ciphertext results from the commutative encryption. Building on public key encryption, the second topic focuses on public key encryption with equality test schemes, the basic and fundamental ciphertext computation. Briefly, user-authorized testers are able to verify the equivalence between messages hidden in ciphertexts after they acquire trapdoors from the ciphertext receivers, and the ciphertexts are never decrypted during the whole equality testing process. The scope and architecture of the authorization directly influence the applicability and security of equality test schemes. Three authorizations, "cipher-bound authorization", "compatible authorization" and "semantic secure authorization", are proposed. The third topic is keyword search. It works in the following scenario: a user outsources encrypted files and encrypted keywords to a cloud file storage system; then, when needed, the user is able to send the file server a search query corresponding to some encrypted keywords. Although files and keywords are encrypted, the server is still able to verify the match-up and return the related files to the user. Two keyword search schemes are proposed: subset multi-keyword search based on public key encryption, and password-authenticated keyword search.

Keywords: ciphertext computation, public key encryption, security proof, equality test, searchable encryption, password-authenticated systems

Contents

1. Introduction ... 1
1.1 Motivation ... 6
1.2 Contribution and organization ... 8
2. Preliminaries and building blocks ... 11
2.1 Algebra systems ... 12
2.1.1 Cyclic groups with composite modulus ... 12
2.1.2 Cyclic groups with prime modulus ... 12
2.1.3 Bilinear mapping (pairing) ... 14
2.2 Building blocks ... 16
2.2.1 Hash function ... 16
2.2.2 Secret sharing ... 18
2.2.3 Commitment ... 19
2.2.4 Key derivation function ... 21
2.2.5 Pseudo random function ... 21
2.2.6 Message authentication code ... 21
3. Public key encryption ... 23
3.1 Framework ... 23
3.1.1 Syntax ... 24
3.1.2 Security notions ... 25
3.2 Previous works ... 29
3.2.1 RSA ... 29
3.2.2 Paillier encryption ... 31
3.2.3 ElGamal encryption ... 33
3.2.4 Cramer Shoup encryption ... 34
3.3 Homomorphic encryption schemes ... 36
3.3.1 Fully homomorphic encryption ... 36
3.4 Commutative encryption schemes ... 38
3.4.1 A commutative encryption scheme based on ElGamal encryption ... 41
3.4.2 One-time-commutative public key encryption ... 47
4. Public key encryption with equality test ... 51
4.1 Equality test among different users' ciphertexts ... 55
4.2 The cipher-bound trapdoors ... 60
4.3 Equality test scheme with compatible trapdoors ... 67
4.4 Semantic secure equality test ... 77
5. Public key encryption with keyword search ... 85
5.1 Framework and previous works of PEKS ... 86
5.2 Public key encryption with subset keyword search ... 90
5.3 Password-authenticated keyword search ... 96
6. Conclusion ... 121
References ... 123
Appendices ... 131

List of Figures

Figure 1: The cloud computing services ... 1
Figure 2: The Caesar cipher ... 2
Figure 3: The Enigma machine ... 3
Figure 4: The encryption framework ... 4
Figure 5: The recursive requirements of key distributions in pure symmetric key systems ... 5
Figure 6: The complexity analysis of collision finding for existing hash functions ... 17
Figure 7: Shamir secret sharing ... 19
Figure 8: The public key encryption ... 24
Figure 9: The OW and IND experiments for PKE security ... 25
Figure 10: Commutative public key encryption ... 38
Figure 11: The security reduction from AE encryption to ElGamal ... 43
Figure 12: Anonymous consensus system based on commutative encryption ... 45
Figure 13: Voting flowchart of AE based anonymous consensus ... 46
Figure 14: Public key encryption with equality test ... 51
Figure 15: The plaintext distribution of ciphertext comparison ... 54
Figure 16: The simulated OW-CCA2 game of CBA-PKEET ... 64
Figure 17: The simulated IND-CCA2 game for CBA-PKEET ... 65
Figure 18: The simulated OW-CCA2 game of PKE-AET ... 71
Figure 19: The simulated IND-CCA2 game of PKE-AET ... 74
Figure 20: The flowchart of filtered equality test ... 77
Figure 21: The simulated IND-CCA2 game of PKE-FET ... 83
Figure 22: The syntax of searchable encryption ... 86
Figure 23: The simulated PKE-CKA game of PE-MKS ... 94
Figure 24: The dual server setting in PAKS schemes ... 96
Figure 25: The correctness of password authenticated keyword search ... 98
Figure 26: Security notions for password authenticated keyword search schemes ... 99
Figure 27: The outsource protocol of password authenticated keyword search ... 102
Figure 28: The retrieve protocol of password authenticated keyword search ... 103
Figure 29: Citations of publications ... 133

List of Tables

Table 1: Symbol table ... 11
Table 2: Comparison of commutative encryption schemes ... 48
Table 3: The efficiency comparison between CBA-PKEET and previous PKEET schemes ... 63
Table 4: An overall comparison between PKE-AET and previous PKEET schemes ... 70
Table 5: Comparison between PKE-FET and previous PKEET schemes ... 81
Table 6: Comparison between PE-MKS and previous subset keyword search scheme ... 93
Table 7: The comparison between PAKS and other password-based schemes ... 105
Table 8: Journal publications ... 131
Table 9: Conference publications ... 132

List of Theorems

Theorem 1: A commitment cannot be both perfect hiding and perfect binding ... 20
Theorem 2: Homomorphic public key encryption schemes are not IND-CCA2 secure ... 37
Theorem 3: Commutative encryption schemes are not IND-CCA2 secure ... 40
Theorem 4: AE encryption is as secure as the ElGamal encryption ... 42
Theorem 5: OTC encryption is IND-CPA secure based on Ateniese's assumption ... 49
Theorem 6: CBA-PKEET is OW-CCA2 secure against type-I adversaries in the RO model ... 63
Theorem 7: CBA-PKEET is IND-CCA2 secure against type-II adversaries in the RO model ... 65
Theorem 8: PKE-AET is OW-CCA2 secure against type-I adversaries in the RO model ... 71
Theorem 9: PKE-AET is IND-CCA2 secure against type-II adversaries in the RO model ... 72
Theorem 10: PKE-FET is IND-CCA2 secure in the standard model ... 82
Theorem 11: PE-MKS is IND-CKA secure in the standard model ... 93
Theorem 12: PAKS is IND-CKA secure assuming the hardness of the DL and DDH problems and the security of KDF1, KDF2, PRF and MAC ... 108
Theorem 13: PAKS provides authentication based on the hardness of the DL and DDH problems and the security of KDF1, KDF2 and MAC ... 112
Theorem 14: The PAKS construction offers consistency based on the hardness of the DL and DDH problems and the security of KDF1, KDF2 and MAC ... 116

1. Introduction

With the development of cloud computing (illustrated in Figure 1, from literature [1]), a great number of services have been provided by cloud servers, which own significant computational power and considerable storage space. For example, people are willing to share their trips and check-ins via Facebook, post their photos to Instagram, and publish their CVs through LinkedIn. Also, the number of users who enjoy online shopping on Amazon, eBay, Netflix or other online merchants has been increasing significantly for decades. Nowadays, users can enjoy cloud services everywhere with devices of weaker computational power, such as smart phones and smart watches, instead of powerful ones, because most computational and storage requirements have been outsourced to cloud service providers.

Figure 1: The cloud computing services

There are several pros and cons of cloud services. On the one hand, users really enjoy the high convenience of endless mobile applications and web-based services; on the other hand, they are also concerned about the security of outsourced private personal data. In the social media case, if users' information were leaked, the service providers or a third-party advertiser might collect users' footprints and deliver annoying advertisements afterward. Moreover, when talking about online shops like Amazon, banks or financial services such as PayPal or VISA, the credit card numbers and accounts are even more sensitive, and a leak might cause unaffordable financial damage. So cryptosystems which guarantee data privacy have been attracting increasing attention along with the rapid development of cloud services.

A cryptosystem is a generic term that includes all systems that hide information in a ciphertext and extract the information from the ciphertext when needed. The data hiding functionality has been utilized for thousands of years. A famous ancient example is that a slave was assigned to deliver a message to another country. His leader shaved all the slave's hair and wrote down the message on his head. After his hair grew back, he was sent to the country. In this scenario, even if the slave was caught on his way, the message was kept secret as long as the soldiers did not know the hiding place. Another case is the Caesar cipher [2], [3], named after the famous king Julius Caesar. According to the legend, the permutation and substitution based cryptosystem (see Figure 2, from literature [4]) was designed and applied by king Julius Caesar, and it has spread so far as a prototype of some modern symmetric cryptosystems.

Figure 2: The Caesar cipher

After its long history, a relatively recent case might be suitable to tell how cryptosystems influence the whole world. In the Second World War, Germany overwhelmingly occupied many European countries owing to its cutting-edge weapons and technology. The message delivery of the German army was protected by Enigma (shown in Figure 3, from literature [5]), the most complex and intractable machine, which implemented the most secure cryptographic algorithms of that age. Alan Turing, one of the leading cryptographers, and his research team were employed by a section at Bletchley Park (the British World War II codebreaking station) in order to break the encoded German naval messages [6]. Fortunately, they did. One of the most vital factors that terminated the Second World War was that Alan Turing and his team broke the Enigma cryptosystem and acquired the secret military information. That is definitely the most successful case to introduce how cryptosystems influence the world, or at least one of the most successful cases. Due to his great contribution, the top prize of computer science is named after him, the Turing Award, which is regarded as the Nobel Prize of the computer science fields. By the way, computers are also called Turing machines, named after him as well.

Figure 3: The Enigma machine

Let's stop talking about history and come back to modern cryptography. It was said above that users are willing to protect their data privacy when they outsource their personal information to cloud servers. A series of encoding and decoding procedures is required to guarantee the data privacy. This is exactly the purpose for which modern cryptography was designed. In general, the two pillars of modern cryptography are symmetric encryption schemes like pretty good privacy (PGP) [7] and the advanced encryption standard (AES) [8], and asymmetric encryption schemes such as RSA [9], ElGamal [10], Cramer Shoup [11], [12] and Paillier encryption [13], [14]. The former utilizes the same key for encoding and decoding (called encrypting and decrypting in cryptography), while the latter uses a pair of a secret key and a public key for decryption and encryption, respectively. The scenario is illustrated in Figure 4. If key A is equal to key B, it is a symmetric encryption; otherwise, it is an asymmetric encryption, which is also named public key encryption.

Figure 4: The encryption framework

Despite the fact that this work mainly concerns asymmetric encryption, symmetric encryption is introduced first, and asymmetric encryption will be formally introduced in chapter 3. In general, symmetric key encryption schemes provide overwhelming encryption efficiency when they are compared to public key schemes. Hence, most applications prefer to adopt symmetric key encryption for its hundreds of times better efficiency. However, key storage and key agreement for symmetric key encryption schemes are difficult problems. For example, in a community composed of n users, if every two users need to share a key in order to communicate with each other, there will be n(n − 1)/2 keys in total, while in the same scenario there are only n public keys in the asymmetric key encryption setting. Definitely a symmetric key cannot be shared among more than one pair of residents, because that would allow other people to obtain messages they should not read. Key storage is a problem, and key distribution is a bigger problem, because the symmetric keys themselves cannot be publicly transmitted, so secure channels are required to deliver them. In the network environment, it is pretty hard to share a key with each other face to face; maybe the connection is set up across half the earth. Assume the secure channel is set up through the network; then there should be a key to establish the encrypted secure channel. In a pure symmetric key system this is infeasible because of the recursive requirement that key distribution needs a secure channel, and the establishment of a secure channel requires a key (see Figure 5). A common and practical solution that makes it possible and meanwhile improves efficiency is implemented by jointly utilizing public key encryption and symmetric key encryption schemes. The symmetric key is first treated as a message, encrypted using the receiver's public key and delivered to the receiver. After receiving the encrypted symmetric key, the receiver decrypts it to obtain the symmetric key. Finally, other communications, files and data can be protected by the symmetric encryption scheme.

Figure 5: The recursive requirements of key distributions in pure symmetric key systems

Another key distribution issue of symmetric keys is how to carry the keys and log in with different devices. With the spread of mobile devices, users own several devices such as personal computers, laptops, mobile phones, smart watches and so on. How the same cloud services can be accessed through different devices, so-called device-agnostic access, has to be considered nowadays. On the one hand, the transmission of symmetric keys gives rise to security concerns; on the other hand, existing symmetric keys are too long and meaningless to be memorized. Password based encryption schemes [15]–[19], a variant of symmetric key encryption, are a common solution in this scenario, in which the password is a human-memorable short secret usually composed of a combination and permutation of 8 to 12 capital letters, lowercase letters or digits. For most web-based services, users first create accounts, then they outsource personal information, preferences and other settings on the cloud server; later, they can log in to enjoy customized cloud services after being authenticated by their passwords. Definitely, passwords are relatively short secrets compared to symmetric keys or asymmetric secret keys, so there will be other problems that have to be solved. For example, passwords are too short to be secure, so they are vulnerable to dictionary attacks, including online attacks and offline attacks. This vulnerability does not rule out the contribution of password-based schemes, but they should be handled much more carefully. Online dictionary attacks can be prevented through other network mechanisms like a limit on login attempts, so password-based schemes are not required to be free from them; or honestly it could be said that they are not able to be, because of the low min-entropy property of passwords. On the other hand, prevention against offline dictionary attacks is much more difficult for all password-based schemes because computational power is increasing significantly nowadays. The detailed security definitions, attack models, mechanisms and designs of password-based schemes will be formalized in later sections.

1.1 Motivation

After the short review above, cryptography is quite helpful to protect personal data. Data privacy will be guaranteed if users encrypt their personal data before outsourcing it to cloud servers. However, there will be several problems when users outsource encrypted data to cloud servers. One, and the most important, problem is that the encrypted ciphertext is not computable. For example, there are several database routines that are executed regularly to optimize searching efficiency, such as sorting, clustering, indexing, classification and so on. If data is encrypted, how could they be implemented? From the viewpoint of servers, the encrypted data is not even recognizable. This is a hazard that has to be solved by making a choice: computability or privacy. Intuitively, most security systems exhibit a trade-off between availability and security. If everyone unplugs the Ethernet cable and gives up the Internet, the security problems will mostly be solved; but that loses the whole Internet's availability.
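The hybrid key delivery described earlier in this chapter (the symmetric key sent as a message under the receiver's public key, the data then protected under the symmetric key), as an added Go example written for this page rather than code from the dissertation; it assumes RSA-OAEP as the public key scheme and AES-256-GCM as the symmetric scheme, and includes the n(n − 1)/2 pairwise key count from the same discussion.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// HybridCiphertext is what the sender actually transmits: the fresh symmetric
// key wrapped under the receiver's public key, plus the data encrypted (and
// authenticated) under that symmetric key.
type HybridCiphertext struct {
	WrappedKey []byte // RSA-OAEP encryption of the 32-byte AES key
	Nonce      []byte // AES-GCM nonce, unique per key
	Body       []byte // AES-GCM ciphertext followed by its authentication tag
}

// NewReceiverKey generates the receiver's RSA key pair; only the public half
// ever travels over the network, which is what removes the recursive
// secure-channel requirement of Figure 5.
func NewReceiverKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// HybridEncrypt is the sender's side: pick a random symmetric key, treat it as
// a message for the public key scheme, then protect the bulk data with the
// much faster symmetric scheme.
func HybridEncrypt(receiverPub *rsa.PublicKey, plaintext []byte) (*HybridCiphertext, error) {
	key := make([]byte, 32) // AES-256 key, never transmitted in the clear
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, key, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &HybridCiphertext{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Body:       gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// HybridDecrypt is the receiver's side: recover the symmetric key with the
// private key, then decrypt the data. GCM also rejects any tampered body.
func HybridDecrypt(receiverPriv *rsa.PrivateKey, ct *HybridCiphertext) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, ct.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap symmetric key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ct.Nonce, ct.Body, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// PairwiseKeyCount is the number of symmetric keys a community of n users needs
// when every pair must share its own key: n(n-1)/2, against only n public keys.
func PairwiseKeyCount(n int) int {
	return n * (n - 1) / 2
}

func main() {
	priv, err := NewReceiverKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample data standing in for an outsourced file.
	msg := []byte("constructed sample: a file outsourced to the cloud")
	ct, err := HybridEncrypt(&priv.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	got, err := HybridDecrypt(priv, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\n", got)
	fmt.Printf("10 users: %d pairwise symmetric keys vs 10 public keys\n", PairwiseKeyCount(10))
}
```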

(23) In principle, several kinds of ciphertext computations skills are expected to achieve a balance between the computability and the data privacy. Several scenarios are listed below to explain when and why the ciphertext computation is required, and it might be more convincible if it is considered in servers’ viewpoints. 1. The equality tests over ciphertexts which is the basic and fundamental functionality. a. Two millionaires try to authorize a server to compare their money. For this server, it acquires one result from equal or different, while the amount is still unavailable. For all other users or servers, nothing will be revealed while eavesdropping the whole process. This is a basic version of the famous millionaires’ problem [20].. 政 治 大 record is up to date. No personal medical record will be leaked along with this 立 verification, there is only yes or no at the end.. b. The clinic links to a healthcare institute to ensure whether one patient’s medical. ‧ 國. 學. c. A cloud file management system like Dropbox or Google Drive tries to optimize its storage space by merging the files with the same content. Owing to the fact that. ‧. files are encrypted using probabilistic encryption algorithms, even the same file. y. Nat. encrypted with the same public key will be encrypted into different ciphertexts. If. sit. the equality test is available, it will help release the storage space on both user and. er. io. server sides.. al. n. iv n C issue encrypted search requests tohcloud some corresponding keywords. Those i U e nservers g c hwith. 2. The keyword search. Based on the equality test skills, the keyword search allows users to documents which match the queried encrypted keywords will be returned to the user.. a. The most common-seeing example is the SMTP mail system. Let a user’s emails is sealed by a sender in a user-specified envelop (in practical, encrypts them using the user’s cryptographic key). 
In this case, the content of emails will be invisible in the viewpoints of mail servers. Meanwhile, the mails can be searched and returned when the user requests search queries with encrypted keywords like invitation, urgent or notification. How could it be possible to make ciphertext searchable? b. A pattern management server stores users’ pattern documents where the users are the inventors of some highly-valuable commercial pattern expected to be known by. 7.

as few parties as possible. Definitely, the patent documents will be encrypted before being outsourced to the server. Given the privacy guarantee, how to efficiently find and return the desired patent documents to users has become a severe challenge.

Some computational techniques over ciphertexts are urgently required in the modern cloud computing environment. However, in some cases the computable properties unavoidably damage the security notions of the applied encryption schemes. For example, if a ciphertext is equality testable, it can hardly be indistinguishable against chosen plaintext attacks. The security notions of those ciphertext computation skills will be discussed in later sections.

1.2 Contribution and organization

In this dissertation, a series of researches focusing on ciphertext computations will be discussed step by step. In the beginning, some preliminaries like the algebra systems and building blocks will be formalized in chapter 2. Following that, three main categories of ciphertext computation will be discussed in three individual sections.

Public key encryption will be formally introduced in chapter 3, which includes its syntax, security notions and some common previous works. Also, the most popular computable property over ciphertext, called homomorphism, is discussed after the definitions of public key encryption schemes; it denotes the computations over ciphertexts encrypted under the same public key. Two ciphertexts can be computed into a new ciphertext encrypted under the same public key, and the homomorphic ciphertext computation is equal to the encryption of some other computation over the two original plaintexts. Besides the homomorphic encryption, the commutative encryption schemes will be formally discussed; commutativity denotes that an encrypted ciphertext can be regarded as another plaintext to be encrypted again and again with other public keys, and finally a “multi-receiver ciphertext” will be output after the commutative encryptions.

The public key encryption with equality test is the second topic, discussed in chapter 4. It aims at solving the problems in scenario 1 of the motivation section. Roughly speaking, the equality test

is a computation over ciphertext by which an authorized tester can verify the equivalence between two plaintexts hidden in ciphertexts without decryption. Besides the fundamental definitions of syntax and security notions, some related works will be introduced. Following that, how data owners can authorize their privilege to testers to enable equality tests will be formally discussed, which includes how many ciphertexts will be authorized as equality testable, and how to avoid losing secrecy along with the ciphertext computation.

In chapter 5, the keyword search skills will be applied to address the problems in scenario 2 of the motivation section. The keyword search addresses the match-up between outsourced encrypted keywords and the encrypted searching keywords requested afterward. It is also a ciphertext computation over both encrypted keywords. Its preliminaries like syntax, security notions and some famous related works will be described first. Then, from the original single-keyword search to modern multi-keyword search, the evolution of public key encryption based keyword search, symmetric key encryption based keyword search, and even password based keyword search will be covered in this research topic.

Finally, a brief conclusion will be given in chapter 6 to summarize this work. In addition, some unsolved problems are left as open problems, and these open problems might be solvable based on some particular assumptions or cryptographic tools. At the end, some potential solutions will be listed for further research.


2. Preliminaries and building blocks

First of all, some commonly used symbols are defined in Table 1.

Table 1: Symbol table

token            definition
←$               be randomly chosen from
≝                be defined as
κ                a security parameter
{0, 1}*          a string with any length
{0, 1}^n         an n-bit string
𝒜                an adversary
𝒮                a simulator
𝒟                the password dictionary
ℳ                the message space
𝒲                the keyword space
𝒦                the key space
𝒪                an oracle
ξ                a proof in CS encryption
|                divides
||               the concatenation operation
⊥                the null token
f(∙)             the dot ∙ denotes a parameter inputted to the function f
gcd(∙)           the greatest common divisor
φ(∙)             the Euler's function
LSB_n(∙)         the least significant n bits
MSB_n(∙)         the most significant n bits
°                a homomorphic operation
⨀                a homomorphic operation
⨁                logical XOR operation
∧                logical AND operation
∨                logical OR operation
KDF              a key derivation function
PRF              a pseudo random function
MAC              a message authentication code
𝔾                a multiplicative cyclic group
q                the prime order of group 𝔾, q | p − 1
p                a prime modulus of group 𝔾
N                a composite modulus of group 𝔾
g                the generator of group 𝔾
h                another generator of group 𝔾
e                the bilinear mapping operation
r                a random number
C                a ciphertext
T                a trapdoor
D                a document
H                a hash function
π                a password
ℕ                the positive integer group
ℤ*_q             integers in [1, q − 1] which are relatively prime to q
[a, b]           all integers from a to b
⌊n⌋              the floor of number n
𝒂                bold variables mean groups or sets
|𝒂|              the order or size of 𝒂
|𝔾| = q          bit-length of elements in 𝔾 is q
|ℤ*_q| = κ       bit-length of elements in ℤ*_q is κ
Pr[e]            the probability of event e
Adv              the advanced probability (advantage) of an adversary
ε(κ)             a very small (negligible) probability in κ
t_⊕              operating time of XOR
t_exp            operating time of exponentiation
t_pair           operating time of pairing

2.1 Algebra systems

Two main algebra systems adopted in cryptosystems will be introduced in this section: cyclic groups and bilinear mapping. The cyclic group computation is popular in cryptosystems; a cyclic group is composed of a set of elements and a specific operation like addition {𝔾, +} or multiplication {𝔾, ∙}.

2.1.1 Cyclic groups with composite modulus

Let {𝔾, ∙} be a multiplicative cyclic group with a composite modulus N and order φ(N). The group 𝔾 = ℤ*_N is composed of all integers in [1, N − 1] which are relatively prime to N. By Fermat's little theorem [21], all elements g ∈ 𝔾 satisfy the relationship g^{φ(N)} ≡ 1 mod N. For clear expression, the modular operation g^x mod N is simplified as g^x in the rest of this paper. The modulus is omitted throughout this dissertation unless mentioned otherwise. Under this algebra, if the order q is big enough, i.e. q = q(κ) where κ is a security parameter, the hardness assumption below is computationally difficult.

The factoring problem

Given a big composite number N = N(2κ) = pq, it is computationally hard to obtain p or q. Here κ is a security parameter, and p, q are two big prime numbers. The probability of breaking the factoring problem is described as follows.

Adv^{factoring}_𝒜(κ) ≝ Pr[N = pq : (p, q) ← 𝒜(N)]    (1)

2.1.2 Cyclic groups with prime modulus

Let {𝔾, ∙} be a multiplicative cyclic group with a prime modulus p and order q, where q | p − 1. The group 𝔾 is composed of all integers in [1, p − 1]. By Fermat's little theorem [21], all elements g ∈ 𝔾 satisfy the relationship g^q ≡ 1 mod p. For clear expression, the modular operation g^x mod p is simplified as g^x in the rest of this paper. The modulus is omitted throughout this dissertation unless mentioned otherwise. On the other hand, group 𝔾 stands for a

multiplicative cyclic group throughout this dissertation unless it is additionally noted. Under this algebra, if the prime order q is big enough, i.e. q = q(κ) where κ is a security parameter, the several hardness problems below are computationally difficult.

The discrete logarithm problem, DL

Given a generator g and an element g^α ∈ 𝔾, where α ∈ ℤ*_q is unknown, it is computationally difficult to find α. The probability of breaking the DL problem [10], [22], [23] is regulated as follows:

Adv^{DL}_{𝒜,𝔾}(κ) ≝ Pr[α ← 𝒜(g, g^α)]    (2)

The computational Diffie-Hellman problem, CDH

Given a generator g and two elements g^α, g^β ∈ 𝔾, where integers α, β ∈ ℤ*_q are unknown, it is computationally difficult to find the element g^{αβ}. The only known solution to the CDH problem is to solve the DL problem, so that the CDH problem is weaker than the DL problem [24]. The probability of breaking the CDH problem is regulated as follows.

Adv^{CDH}_{𝒜,𝔾}(κ) ≝ Pr[g^{αβ} ← 𝒜(g, g^α, g^β)]    (3)

The decisional Diffie-Hellman problem, DDH

Given a generator g and three elements g^α, g^β, g^γ ∈ 𝔾, where integers α, β, γ ∈ ℤ*_q are unknown, it is computationally difficult to determine whether γ = αβ mod q or not. The only known solution to the DDH problem is to solve the aforementioned CDH problem [24]. The probability of breaking the DDH problem is regulated as follows.

Adv^{DDH}_{𝒜,𝔾}(κ) ≝ |Pr[(γ = αβ) ← 𝒜(g, g^α, g^β, g^γ)] − Pr[(γ ≠ αβ) ← 𝒜(g, g^α, g^β, g^γ)]|    (4)

The CONF problem

Given a generator g and two elements g^α, g^{αβ} ∈ 𝔾, where integers α, β, αβ ∈ ℤ*_q are unknown, it is computationally difficult to acquire g^β. The CONF problem is proved to reduce to the CDH problem [22], and the probability of breaking the CONF problem is regulated as follows.

Adv^{CONF}_{𝒜,𝔾}(κ) ≝ Pr[g^β ← 𝒜(g, g^α, g^{αβ})]    (5)

2.1.3 Bilinear mapping (pairing)

The bilinear mapping is also called the pairing operation [25]–[27], which is generalized as an operation e: 𝔾₁ × 𝔾₂ → 𝔾_T. Here 𝔾₁, 𝔾₂ and 𝔾_T are three cyclic groups with the same order q. Three fundamental properties should be satisfied by all kinds of pairing operations.

1. Bilinear: For all α, β ∈ ℤ*_q, all generators g₁ ∈ 𝔾₁ and g₂ ∈ 𝔾₂, e(g₁^α, g₂^β) = e(g₁, g₂)^{αβ}.
2. Non-degenerate: Let I_T be the identity of 𝔾_T; for all generators g₁ ∈ 𝔾₁ and g₂ ∈ 𝔾₂, e(g₁, g₂) ≠ I_T.
3. Computable: It should be efficiently computable.

The bilinear mapping could be classified into three types depending on the relationship between 𝔾₁ and 𝔾₂. If 𝔾₁ = 𝔾₂, it is a symmetric pairing, also called a type-I pairing; otherwise, it is an asymmetric pairing. In the asymmetric pairing system (𝔾₁ ≠ 𝔾₂), if there exists an isomorphism ψ: 𝔾₁ → 𝔾₂, it is named a type-II pairing; otherwise, it is a type-III pairing.

In bilinear mapping systems, some hardness problems in cyclic groups are no longer difficult. For example, the DDH problem in the type-I pairing is obviously easily distinguishable due to the bilinear property defined above. However, in some particular cases, the DDH problem remains difficult in bilinear mapping systems.

The symmetric external Diffie-Hellman problem, SXDH

Given generators g₁ ∈ 𝔾₁, g₂ ∈ 𝔾₂ and three elements g_i^α, g_j^β, g_k^γ, where the indices i, j, k ∈ {1, 2} and integers α, β, γ ∈ ℤ*_q are unknown, the SXDH problem is to determine whether γ = αβ mod q or not. The difficulty of the SXDH problem depends on the permutation of the indices i, j, k and the three types of pairing computations [28] (it is called the XDDH problem in [28]).

• In type-I pairing, the SXDH problem is not hard.
• In type-II pairing, it is hard only when i = j = k = 1.
• In type-III pairing, it is not hard when j = 2.

Only the last two conditions above are computationally hard, and they are as difficult as the DDH problem in cyclic groups [28]. In particular, the SXDH problem adopted in this work is that i = j = k = 1 in the type-III pairing.

Adv^{SXDH}_{𝒜,𝔾₁,𝔾₂}(κ) ≝ |Pr[(γ = αβ) ← 𝒜(g₁, g₂, g_i^α, g_j^β, g_k^γ)] − Pr[(γ ≠ αβ) ← 𝒜(g₁, g₂, g_i^α, g_j^β, g_k^γ)]|    (6)

Ateniese's assumption

There is another case in which a hard problem in the cyclic group algebra remains hard in the bilinear mapping algebra: Ateniese's assumption [29], which could be realized as a decisional CONF problem in type-I pairing systems. Given a type-I pairing e: 𝔾₁ × 𝔾₁ → 𝔾_T and elements g₁, g₁^α, g₁^γ ∈ 𝔾₁, g_T^{αβ} ← e(g₁, g₁)^{αβ}, g_T ∈ 𝔾_T, output whether β = γ or not, where the variables α, β, γ ∈ ℤ*_q are unknown. Ateniese's assumption is regarded as hard as the DDH assumption in cyclic groups. The probability of breaking Ateniese's assumption is regulated as follows.

Adv^{Ateniese}_{𝒜,𝔾₁,𝔾_T}(κ) ≝ |Pr[(γ = β) ← 𝒜(g₁, g₁^α, g₁^γ, g_T^{αβ})] − Pr[(γ ≠ β) ← 𝒜(g₁, g₁^α, g₁^γ, g_T^{αβ})]|    (7)
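To make the reductions described in this section concrete, the following Python script is an added example (not code from the dissertation). It instantiates the prime-order subgroup of Section 2.1.2 with constructed toy parameters p = 1019, q = 509, g = 4, solves the DL problem by exhaustive search, and then builds a CDH solver and a DDH distinguisher on top of it, which is the chain of reductions the text cites from [24]. It also checks the g^φ(N) ≡ 1 mod N relation of Section 2.1.1 on a toy composite. The tiny parameter sizes are the assumption being illustrated: with q exponential in κ the search loop is infeasible.

```python
# Added example (not from the dissertation): toy instances of the DL, CDH and DDH problems
# of Section 2.1 over the order-q subgroup of Z_p^*. Parameters are constructed and far
# too small to be secure; the brute-force DL solver is exactly what q = q(kappa) forbids.
from math import gcd

P = 1019            # prime modulus p (constructed toy value)
Q = 509             # prime order q, q | p - 1 (1018 = 2 * 509)
G = 4               # generator of the order-q subgroup (a quadratic residue mod 1019)


def subgroup_order(g, p):
    """Smallest k > 0 with g^k = 1 mod p; used to sanity-check the toy parameters."""
    x, k = g, 1
    while x != 1:
        x = (x * g) % p
        k += 1
    return k


def brute_force_dl(g, y, p, q):
    """Solve the DL problem by exhaustive search over alpha in [0, q-1].
    Cost is O(q), which is why q must be exponential in the security parameter."""
    x = 1
    for alpha in range(q):
        if x == y:
            return alpha
        x = (x * g) % p
    raise ValueError("y is not in the subgroup generated by g")


def cdh_from_dl(g, ga, gb, p, q):
    """CDH solver that uses a DL solver as its only tool: recover alpha, then raise g^beta."""
    alpha = brute_force_dl(g, ga, p, q)
    return pow(gb, alpha, p)           # g^(alpha*beta)


def ddh_from_cdh(g, ga, gb, gc, p, q):
    """DDH distinguisher built on the CDH solver: compute g^(alpha*beta) and compare with g^gamma."""
    return cdh_from_dl(g, ga, gb, p, q) == gc


def euler_check(g, n):
    """g^phi(n) = 1 mod n for gcd(g, n) = 1, the relation of Section 2.1.1, on a toy composite n."""
    phi = sum(1 for k in range(1, n) if gcd(k, n) == 1)
    return pow(g, phi, n) == 1


if __name__ == "__main__":
    alpha, beta, gamma = 123, 456, 77                      # constructed secret exponents
    ga, gb = pow(G, alpha, P), pow(G, beta, P)
    real = pow(G, alpha * beta % Q, P)                     # a genuine DDH tuple
    fake = pow(G, gamma, P)                                # a random tuple
    print("order of g:", subgroup_order(G, P))
    print("DL recovered:", brute_force_dl(G, ga, P, Q))
    print("DDH on real tuple:", ddh_from_cdh(G, ga, gb, real, P, Q))
    print("DDH on random tuple:", ddh_from_cdh(G, ga, gb, fake, P, Q))
    print("g^phi(N) = 1 mod N for N = 15:", euler_check(2, 15))
```

The three solvers are nested deliberately: DDH is answered by calling CDH, which is answered by calling DL, mirroring the statement that the only known route to CDH and DDH is through the discrete logarithm.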

2.2 Building blocks

Some technologies are frequently regarded as building blocks to construct encryption schemes. These techniques are often adopted as a black or white box; that is, their functionalities and security notions are commonly utilized while the implementation details are omitted. In this section, several building blocks are defined for further constructions.

2.2.1 Hash function

In modern cryptosystems, hash functions [30] like MD5, SHA-1 and SHA-256 are frequently adopted to efficiently map numbers from a domain to a co-domain space. Some cryptosystems like [12], [31], [32] employ the mapping properties to include different kinds of messages like an ID, a serial number or a timestamp into the cryptosystems. In addition, a secure hash function is able to construct a fixed-length hashed value on input of any arbitrary-length message, and with very high probability no collision will occur among distinct input messages, so that the output hash values can be regarded as message digests which assert the integrity of the transmitted messages. There are several security requirements related to hash functions, such as the avalanche effect, which denotes that two very similar inputs with a tiny difference (perhaps only one bit) will lead to two totally different, unrelated-looking outputs. Rigorously, the security of hash functions is discussed in the following two aspects:

• One-wayness: A hash function H is called one-way if any polynomial-time adversary has only negligible probability to extract the input value x from the output value H(x). In most cases, the domain size is much larger than the co-domain, so that the many-to-one mapping makes it not difficult to be one-way.

Adv^{OW}_{𝒜,H}(κ) ≝ Pr[x ← 𝒜(H(x))]    (8)

• Collision-resistant: A hash function H is said to be collision-resistant if it is computationally difficult to find two different inputs that are hashed to the same output. Actually, most hash functions take arbitrary-length input and output fixed-length message digests. By the pigeonhole principle, no hash function is absolutely collision-resistant since the domain size is far larger than the co-domain size. However, the co-domain size is also big enough that collisions happen with only negligible probability if the computation result is uniformly distributed in the co-domain space.

Adv^{CR}_{𝒜,H}(κ) ≝ Pr[(x ≠ y) ∧ (H(x) = H(y)) : (x, y) ← 𝒜(H)]    (9)

Some properties of hash functions are omitted here, such as the hiding property and the puzzle-friendly property, both of which play vital roles in blockchain and Bitcoin systems [33], [34].

It is worth noting that hash functions are seldom proved collision-resistant. Instead, most of them are believed collision-resistant and generally utilized until some collisions are found. A famous example is that the SHA-1 hash function had been widely used for several years until a collision was found and announced by Google Inc. in February 2017 [35]. In this report, the complexity of breaking MD5 and SHA-1 is estimated as 30 seconds on a smart phone and 1 year on 110 GPU processors, respectively (see Figure 6).

Figure 6: The complexity analysis of collision finding for existing hash functions

Random oracle model

Another spotlight of cryptographic hash functions is the random oracle model [36]–[38]. In a high-level description, no output of a hash function is truly random. The random oracle model is an assumption that the outputs of a hash function are good enough to be replaced by a random oracle. In the security proof procedures (which will be introduced in chapter 3), the adversary in the random oracle model is not allowed to directly access hash functions. The hash values are obtained by requesting hash queries to the hash oracle 𝒪_H controlled by the simulator. Relatively, it is called the standard model if the adversary can compute the hash values itself.
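As an added illustration of definition (9) and the pigeonhole argument (not code from the dissertation), the following Python script truncates SHA-256 to n bits and finds a collision by a birthday search over constructed inputs. The truncation lengths and the input strings are the only assumptions; the point is that the number of hashes needed grows as about 2^{n/2}, so the collision probability is negligible only when the co-domain is large.

```python
# Added example (not from the dissertation): the pigeonhole / birthday argument behind
# definition (9) made concrete. H_n truncates SHA-256 to n bits, so collisions exist for
# every n; the search below finds one after roughly sqrt(pi/2 * 2^n) trials. Inputs are
# constructed counter strings "msg-0", "msg-1", ...
import hashlib
import math


def truncated_hash(data: bytes, bits: int) -> int:
    """H_n(x): the leading `bits` bits of SHA-256(x), interpreted as an integer."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int):
    """Birthday search: hash constructed inputs until two distinct inputs share an
    n-bit digest. Returns (x, y, trials) with x != y and H_n(x) == H_n(y)."""
    seen = {}                      # digest -> first input that produced it
    counter = 0
    while True:
        x = f"msg-{counter}".encode()
        h = truncated_hash(x, bits)
        if h in seen:              # inputs are all distinct, so this is a real collision
            return seen[h], x, counter + 1
        seen[h] = x
        counter += 1


def expected_trials(bits: int) -> float:
    """Birthday bound: about sqrt(pi/2 * 2^n) hashes are needed on average."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def is_valid_collision(x: bytes, y: bytes, bits: int) -> bool:
    """Check the winning event of (9): x != y and H_n(x) = H_n(y)."""
    return x != y and truncated_hash(x, bits) == truncated_hash(y, bits)


if __name__ == "__main__":
    for n in (16, 24, 32):
        x, y, trials = find_collision(n)
        print(f"n={n}: collision after {trials} hashes "
              f"(birthday estimate {expected_trials(n):.0f}), valid={is_valid_collision(x, y, n)}")
```

Doubling n from 16 to 32 roughly squares the work; at the full 256 bits the same loop would need about 2^128 hashes, which is the sense in which the collision-resistance advantage of (9) is negligible.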

Obviously, it is a very strong assumption, so that the security in the standard model is much more reliable than that in the random oracle model. For example, Fujisaki and Okamoto proposed a generic construction [39] that shows all CCA secure PKE schemes could be proved CCA2 secure in the random oracle model through their enhancement¹. Some literature like [37] argues that the assumption is too strong, so that security under the random oracle model implies no security in the real world. Other scholars advocate that the security in the random oracle model remains valuable since some reduction between them might be eligible; however, the reduction itself is at a similar level to the reduction between NP/P problems.

2.2.2 Secret sharing

The secret sharing concept was first proposed by Adi Shamir [40], drawn in Figure 7. It was proposed to satisfy the following scenario: someone owns a secret s and tries to share it with n users. Then, the two properties below are expected after sharing.

• Any t participants are able to reconstruct the secret.
• Any combination of insufficient (at most t − 1) participants acquires no information about the secret s.

The original work proposed a sound t-out-of-n secret sharing solution with perfect security. The secret owner first picks t − 1 random numbers (r₁, r₂, ⋯, r_{t−1}). Second, it samples a polynomial function f(x) with degree t − 1, which is uniquely determined by the t points {(0, s), (1, r₁), (2, r₂), ⋯, (t − 1, r_{t−1})} on the 2-D plane. Then, for all i ∈ [1, n], the secret owner transmits a point (i, f(i)) to participant P_i through a secure channel to complete the secret sharing algorithm. Any t participants can cooperate to rebuild the polynomial function f(x) by gathering their points, and in addition compute s ← f(0). On the other hand, any t − 1

¹ Public key encryption (PKE) and chosen ciphertext attacks (CCA) will be formally introduced in chapter 3.

participants cannot obtain the secret because t points are necessary to recover a (t − 1)-degree polynomial function. That is, it is perfectly secure against any insufficient set of participants. The secret sharing skill is widely adopted in numerous researches such as [41], [42]. In addition, it is also applied to secret key storage applications like Bitcoin [33], [34] and blockchain systems.

Figure 7: Shamir secret sharing

2.2.3 Commitment

A cryptographic commitment [43], [44] acts like an envelope. Someone seals a value inside the envelope and leaves it on a public platform. So far, no one knows the content inside. Later, the committer can open the envelope to publish the value. In this architecture, two properties are expected to hold: the value is kept secret before opening, and the value was not tampered with when opening. The former is called hiding and the latter binding in cryptographic commitments. Let c ← commit(x, r) be a commitment of a value x and a high min-entropy randomness r; the two properties are formally regulated as follows.

• Hiding: Given commit(x, r), it is hard to find x. The probability of breaking the hiding property of a commitment is estimated as:

Adv^{hiding}_{𝒜,commit}(κ) ≝ Pr[x ← 𝒜(commit(x, r))]    (10)

• Binding: It is difficult to find two value-randomness pairs (x, r) that are committed to the same commitment. That is:

Adv^{binding}_{𝒜,commit}(κ) ≝ Pr[commit(x₁, r₁) = commit(x₂, r₂) ∧ (x₁, r₁) ≠ (x₂, r₂) : (x₁, x₂, r₁, r₂) ← 𝒜]    (11)

Theorem 1: A commitment cannot be both perfectly hiding and perfectly binding.

Proof. At least, it is impossible in a two-party setting. The term perfect means that even if the adversary has unbounded computational power, the probability of breaking the hiding/binding property is still 0. The proof is intuitive. First, by the pigeonhole principle, there has to be a one-to-one mapping relationship between the domain and the co-domain if a commitment is perfectly binding. Assume the co-domain size is n; it can then be easily explained why perfect hiding is infeasible. Given a value x and its commitment commit(x, r) for some randomness r, all other values y ≠ x in this setting will not be perfectly hidden, because for all possible randomness r′ the relationship commit(x, r) = commit(y, r′) will definitely fail owing to the one-to-one mapping. In other words, there are at most n − 1 possible values of commit(y, r′), and this damaged probability directly indicates that a commitment with perfect hiding and perfect binding is infeasible in a two-party setting. By the way, in literature [43], an additional third party is employed to construct a commitment with perfect hiding and perfect binding.

Pedersen commitments

Let g, h be two generators in a multiplicative cyclic group 𝔾 with order q, where the discrete logarithm of h with respect to base g is unknown. For a value x ∈ ℤ*_q, the Pedersen commitment [44] is computed as c ← g^x h^r where r ←$ ℤ*_q, and it is opened by providing (x, r). The Pedersen commitment is computationally binding based on the hardness of the DL problem. In other words, the Pedersen commitment is binding if Adv^{DL}_{𝒜,𝔾}(κ) is negligible. On the other hand, it is perfectly hiding because for every commitment c ← g^x h^r, the following relationship holds.

∀x ∈ ℤ*_q, ∃r ∈ ℤ*_q : c = g^x h^r    (12)
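The sharing and reconstruction steps of Section 2.2.2, as an added Python example that is not part of the dissertation: shares are evaluations of a random degree-(t − 1) polynomial over a constructed prime field, reconstruction is Lagrange interpolation at x = 0, and consistent_with shows that t − 1 shares are compatible with every candidate secret, which is the perfect secrecy claim. The field prime and the secret are constructed values.

```python
# Added example (not code from the dissertation): Shamir's t-out-of-n secret sharing
# over the prime field Z_P, with Lagrange interpolation at x = 0 for reconstruction.
# P and the sample secret are constructed toy values.
import secrets

P = 2**127 - 1   # Mersenne prime; shares are full-size field elements


def share(secret: int, t: int, n: int, rng=secrets.randbelow):
    """Pick t-1 random coefficients, fix f(0) = secret and hand (i, f(i)) to participant P_i."""
    if not 1 <= t <= n or not 0 <= secret < P:
        raise ValueError("need 1 <= t <= n and 0 <= secret < P")
    coeffs = [secret] + [rng(P) for _ in range(t - 1)]   # f(x) = s + r1 x + ... + r_{t-1} x^{t-1}

    def f(x):
        acc = 0
        for c in reversed(coeffs):                       # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(i, f(i)) for i in range(1, n + 1)]


def interpolate(points, x: int) -> int:
    """Lagrange interpolation mod P: the value at x of the unique polynomial of degree
    len(points)-1 passing through all the given (x_j, y_j) points."""
    acc = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num = num * (x - xk) % P
                den = den * (xj - xk) % P
        acc = (acc + yj * num * pow(den, -1, P)) % P
    return acc


def reconstruct(shares):
    """Any t distinct shares of a degree-(t-1) polynomial recover s = f(0) exactly."""
    return interpolate(shares, 0)


def consistent_with(shares, candidate: int) -> bool:
    """Perfect secrecy check: t-1 shares plus the guess (0, candidate) always define a
    degree-(t-1) polynomial that reproduces every share, so t-1 participants cannot rule
    out any candidate secret."""
    pts = shares + [(0, candidate)]
    return all(interpolate(pts, x) == y for x, y in shares)


if __name__ == "__main__":
    s = 0xC0FFEE                                    # constructed secret
    shs = share(s, t=3, n=5)
    print(reconstruct(shs[:3]) == s, reconstruct([shs[0], shs[2], shs[4]]) == s)
    print(consistent_with(shs[:2], s), consistent_with(shs[:2], 12345))
```

Reconstructing from fewer than t shares (reconstruct(shs[:2]) above) returns a value unrelated to s, while consistent_with shows why even that value carries no information: every candidate is equally plausible to t − 1 holders.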
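The Pedersen commitment above, as an added Python example (not the dissertation's code) over the constructed toy group p = 1019, q = 509, g = 4: it shows the opening check, relation (12) by finding for any x the r that explains a given c, and the binding reduction, in which two different openings of one commitment yield log_g h. The trapdoor w is returned by setup_h only so that the reduction can be checked; a deployed h must be generated so that nobody knows it.

```python
# Added example (not the dissertation's code): Pedersen commitment c = g^x h^r over the
# order-q subgroup of Z_p^* with constructed toy parameters small enough to brute-force.
# Shows opening, the perfect-hiding relation (12), and that binding reduces to DL.
import secrets

P = 1019     # toy prime modulus
Q = 509      # prime order of the subgroup, Q | P - 1
G = 4        # generator of the order-Q subgroup


def setup_h(trapdoor=None):
    """h = g^w for a w nobody should know. In a deployment h is derived from g by hashing
    so that no party learns w; here w is returned only to demonstrate the binding reduction."""
    w = trapdoor if trapdoor is not None else 1 + secrets.randbelow(Q - 1)
    return pow(G, w, P), w


def commit(x: int, r: int, h: int) -> int:
    """commit(x, r) = g^x h^r mod p."""
    return pow(G, x % Q, P) * pow(h, r % Q, P) % P


def open_commitment(c: int, x: int, r: int, h: int) -> bool:
    """Receiver's check when the pair (x, r) is revealed."""
    return commit(x, r, h) == c


def randomness_for(c: int, x: int, h: int) -> int:
    """Relation (12): for any x there exists r with c = g^x h^r. Found by exhaustive search
    here; the existence of such an r for every x is what makes hiding perfect even against
    an unbounded adversary, since every x is an equally valid explanation of c."""
    for r in range(Q):
        if commit(x, r, h) == c:
            return r
    raise ValueError("c is not in the subgroup")


def extract_dlog(x1: int, r1: int, x2: int, r2: int) -> int:
    """Binding reduction: g^x1 h^r1 = g^x2 h^r2 with (x1, r1) != (x2, r2) gives
    x1 + w r1 = x2 + w r2 mod q, hence w = (x1 - x2) / (r2 - r1) mod q."""
    if (r2 - r1) % Q == 0:
        raise ValueError("openings with equal randomness cannot collide")
    return (x1 - x2) * pow((r2 - r1) % Q, -1, Q) % Q


if __name__ == "__main__":
    h, w = setup_h()
    x, r = 42, 1 + secrets.randbelow(Q - 1)
    c = commit(x, r, h)
    print("opens to (42, r):", open_commitment(c, x, r, h))
    r2 = randomness_for(c, 7, h)           # a second value also explains c ...
    print("also opens to (7, r2):", open_commitment(c, 7, r2, h))
    print("two openings reveal log_g h:", extract_dlog(x, r, 7, r2) == w)   # ... but only with w
```

An adversary who could produce the second opening without knowing w would thereby compute a discrete logarithm, which is the formal content of the sentence that binding holds when Adv^{DL} is negligible.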

2.2.4 Key derivation function

A key derivation function (KDF) [45], [46] is a particular function based on hash functions. With a high min-entropy randomness r, the KDF deterministically outputs a high min-entropy key for other cryptosystems like encryption schemes or pseudo random functions. Let Σ be a source of key material. A key derivation function KDF is called (t, q, ε(κ))-secure with respect to Σ if, for any polynomial-time algorithm 𝒜 running in time t with at most q oracle queries, the probability Adv^{KDF}_𝒜(κ) ≤ ε(κ) of distinguishing the output of KDF(k, c) from uniformly drawn random strings of the same length, assuming that (k, α) ← Σ where k is the secret key material and α is some side information. It is assumed that 𝒜 knows α, has control over the context information c and has oracle access to KDF(k, ·) which cannot be queried on c.

2.2.5 Pseudo random function

A pseudo random function [47], [48] is a key-driven function that takes a high min-entropy key and a seed as input in order to output a number that looks random. Let k be a high min-entropy key; any polynomial-time adversary cannot distinguish the value PRF(k, s) from a random number. The formal security definition of the PRF function is described in the following experiment. PRF is called (t, q, ε(κ))-secure if, for any polynomial-time algorithm 𝒜 running in time t with at most q oracle queries, the probability Adv^{PRF}_𝒜(κ) ≤ ε(κ) of distinguishing the outputs of PRF(k, s) from the outputs of a truly random function f of the same length, assuming that 𝒜 has oracle access to 𝒪_{PRF}(·) which contains either PRF(k, ·) or f(·) and which cannot be queried on s.

2.2.6 Message authentication code

A message authentication code [49] is also a key-driven technology frequently adopted to ensure the integrity of transmitted data. It is comprised of the following algorithms.

• MKGen(1^κ): on input a security parameter κ, it outputs a key mk ← {0, 1}^κ.
• Tag(mk, m): on input a key mk and a message m, it outputs a tag μ ← Tag(mk, m).
• Vrfy(mk, m, μ): on input a key mk, a message m and a tag μ, it outputs 1 if μ is valid or 0 otherwise.

A message authentication code is secure if no polynomial-time adversary can forge a legal message authentication code without knowing the corresponding key. Let mk ← MKGen(1^κ), and let oracle 𝒪_{MAC}(·) return Tag(mk, m); the security is formalized as the following probability estimation. The only limit is that the output message m* has never been queried to oracle 𝒪_{MAC}(·).

Adv^{unforge}_{𝒜,MAC}(κ) ≝ Pr[1 = Vrfy(mk, m*, μ*) : (m*, μ*) ← 𝒜^{𝒪_{MAC}(·)}]    (13)
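The three key-driven primitives of Sections 2.2.4 to 2.2.6, as an added example instantiated with HMAC-SHA256 from the Python standard library (not code from the dissertation): the KDF follows the HKDF extract/expand construction of RFC 5869, with the info string playing the role of the context c in KDF(k, c); the PRF is HMAC keyed with the derived key; and Tag/Vrfy implement the MAC syntax above with a constant-time tag comparison. Key material and messages are constructed sample values.

```python
# Added example (not from the dissertation): KDF, PRF and MAC built on HMAC-SHA256.
# The KDF is HKDF (RFC 5869) extract-then-expand; key material and messages below are
# constructed sample values.
import hmac
import hashlib
import secrets

HASH = hashlib.sha256
HASH_LEN = 32


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """KDF step 1: condense high-entropy but non-uniform key material into a PRK.
    An empty salt is replaced by HASH_LEN zero bytes, as RFC 5869 specifies."""
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """KDF step 2: derive `length` bytes bound to the context `info` (the c in KDF(k, c)).
    T(i) = HMAC(PRK, T(i-1) | info | i); a different context gives an unrelated key."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def prf(key: bytes, seed: bytes) -> bytes:
    """PRF(k, s): HMAC used as a pseudo random function; deterministic in (k, s)."""
    return hmac.new(key, seed, HASH).digest()


def mkgen(kappa_bytes: int = HASH_LEN) -> bytes:
    """MKGen(1^kappa): a uniformly random MAC key."""
    return secrets.token_bytes(kappa_bytes)


def tag(mk: bytes, m: bytes) -> bytes:
    """Tag(mk, m)."""
    return hmac.new(mk, m, HASH).digest()


def vrfy(mk: bytes, m: bytes, mu: bytes) -> int:
    """Vrfy(mk, m, mu): 1 if the tag is valid, 0 otherwise. compare_digest keeps the
    comparison constant-time so a forger cannot learn a valid tag byte by byte."""
    return 1 if hmac.compare_digest(tag(mk, m), mu) else 0


def derive_keys(ikm: bytes):
    """Split one shared secret into independent encryption and MAC keys by context."""
    prk = hkdf_extract(b"constructed-salt", ikm)
    return hkdf_expand(prk, b"enc", HASH_LEN), hkdf_expand(prk, b"mac", HASH_LEN)


if __name__ == "__main__":
    enc_key, mac_key = derive_keys(b"constructed shared secret")
    m = b"transfer 100 to account 42"                       # constructed message
    mu = tag(mac_key, m)
    print(vrfy(mac_key, m, mu))                               # valid tag
    print(vrfy(mac_key, b"transfer 900 to account 42", mu))   # tampered message rejected
    print(vrfy(enc_key, m, mu))                               # wrong key rejected
```

The restriction in the definitions that the oracle cannot be queried on c or s shows up here as the context separation: the "enc" and "mac" keys come from the same PRK but are independent, so a tag computed under one key tells nothing about the other.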

3. Public key encryption

Public key encryption has been proposed for decades. Users in public key cryptosystems have a pair of public / private keys. Among these, the public key is publicly available, and it is designed to encrypt a message or to verify digital signatures. On the other hand, the secret key is utilized to decrypt ciphertexts or to sign a signature over a message. Compared to symmetric encryption schemes, there are pros and cons of public key encryption. The advantage is that no key agreement or key distribution problems need to be solved before message transmissions; the disadvantage is that most public key encryption systems require higher computational costs than symmetric encryption schemes. Another drawback of public key encryption is that a trusted party called a public key infrastructure (PKI) is required to guarantee the relationship between public keys and user identities, but it is omitted throughout this dissertation since it is another issue beside the main encryption / decryption functionalities. In this section, the framework including the syntax and the security notions will be introduced first. Then, several previous public key encryption schemes will be reviewed. Following that, two famous ciphertext computation skills for public key encryption schemes, homomorphic encryption and commutative encryption, will be briefly discussed. Finally, two research papers about commutative encryption are going to be introduced at the end of this section.

3.1 Framework

As shown in Figure 8, the scenario of public key encryption could be realized as follows. A public key encryption scheme is established by setting some public parameters. Then, each user picks a pair of public key and private key. The public key can be published to all users, while the secret key should be kept private. Assume a sender Alice desires to encrypt and deliver some message to a receiver Bob; she utilizes Bob's public key to encrypt it. The encrypted ciphertext will be transmitted over public channels. Finally, Bob decrypts the ciphertext using his private key and gets the hidden message.

Figure 8: The public key encryption

3.1.1 Syntax

Public key encryption (PKE) schemes are composed of four polynomial-time algorithms: Setup, KGen, Enc and Dec, which are defined below.

• Setup(1^κ): On input a security parameter, this algorithm probabilistically generates public parameters pp which are published for further computations.
• KGen(pp): On input pp, a user probabilistically generates a pair of keys: a public key pk and a secret key sk.
• Enc(pk, m): The sender encrypts a message m into a ciphertext C using the receiver's public key pk. In some cases, if the encryption is probabilistic, which means randomness is taken into consideration in the encryption process, an abbreviation Enc(pk, m, r) denotes the encryption of message m using public key pk and randomness r.
• Dec(sk, C): The receiver deterministically decrypts the ciphertext C to obtain the hidden message m using his secret key sk.

Correctness: The PKE scheme works properly if the following relationship holds:

∀κ ∈ ℕ, ∀m ∈ ℳ, pp ← Setup(1^κ), (sk, pk) ← KGen(pp) : Dec(sk, Enc(pk, m)) = m    (14)

Exp^{IND-mode-b}_{𝒜,PKE}(κ):
    pp ← Setup(1^κ); (sk, pk) ← KGen(pp);
    (m₀, m₁) ← 𝒜^{𝒪_D(∙)}(pp, pk);
    C_b ← Enc(pk, m_b);
    b′ ← 𝒜^{𝒪_{D′}(∙)}(pp, pk, C_b);

Exp^{OW-mode}_{𝒜,PKE}(κ):
    pp ← Setup(1^κ); (sk, pk) ← KGen(pp);
    𝒜^{𝒪_D(∙)}(pp, pk);
    m* ←$ ℳ; C* ← Enc(pk, m*);
    m′ ← 𝒜^{𝒪_{D′}(∙)}(pp, pk, C*);

if (mode = CPA) 𝒪_D = 𝒪_{D′} = ⊥;
else if (mode = CCA) 𝒪_D = D₁; 𝒪_{D′} = ⊥;
else if (mode = CCA2) 𝒪_D = D₁; 𝒪_{D′} = D₂;

D₁(C): return Dec(sk, C);
D₂(C): if (C ≠ C_b) return Dec(sk, C); else return ⊥;

Figure 9: The OW and IND experiments for PKE security

3.1.2 Security notions

In terms of security, the most convincing framework is a game-based model [50], [51] between an adversary 𝒜 and a simulator 𝒮. Generally speaking, if there is an adversary who has advanced probability Adv^{game-mode}_{𝒜,PKE}(κ) to win the applied game, then this particular ability will be utilized to break some hardness assumptions.² The internal reductions between the PKE schemes and the

² In fact, there are various security models to define the indistinguishability for PKE schemes. For example, one common model can be described as follows: an adversary 𝒜₁ interacts with the simulator through the decryption oracle 𝒪_D and outputs (m₀, m₁); another adversary 𝒜₂ interacts with the simulator through the decryption oracle 𝒪_{D′} and outputs b′. But the two adversaries are forbidden to communicate with each other. This is a commonly adopted indistinguishability model for ciphertext-computable schemes like equality test and homomorphic encryption. In this work, only the basic indistinguishability models are discussed: IND-CPA, IND-CCA and IND-CCA2. Owing to their simple definitions, they are widely accepted and recognized as security standards.

applied hardness assumptions will be implemented through experiments simulated by the simulator. As shown in Figure 9, to precisely formalize an experiment, games and modes are required to be defined first; the former defines how to win an experiment, and the latter shows how much help the adversary will obtain.

Game models

A game model between an adversary 𝒜 and a simulator 𝒮 defines the goal that the adversary tries to reach. If the adversary has non-negligible probability to achieve this goal, the adversary is said to win this game; otherwise, the PKE scheme is said to be secure in this game model. Two commonly seen game models are introduced as follows:

• One-way (OW): A PKE scheme is called one-way secure if, given a ciphertext C ← Enc(pk, m) and the public key pk which encrypts C, it is hard to find the hidden message m from the ciphertext C. The detailed steps are listed below for clear expression.
  o Phase 1: The simulator produces the public parameters pp and a pair of keys (sk, pk) and sends (pp, pk) to the adversary.
  o Phase 2: The simulator randomly picks m* ←$ ℳ and encrypts it as C* ← Enc(pk, m*). Then, C* is sent to the adversary as a challenge.
  o Phase 3: The adversary outputs m′ at the end. The adversary wins if m* = m′; otherwise it loses.

• Indistinguishable (IND): A PKE scheme is called indistinguishable secure if no adversary can guess, with non-negligible advantage, which one of its two chosen messages was encrypted as the challenge. Step by step, the detail of this game is discussed in three phases.
  o Phase 1: The simulator produces the public parameters pp and a pair of keys (sk, pk) and sends (pp, pk) to the adversary.
  o Phase 2: The adversary outputs two messages (m₀, m₁) of its choice to the simulator. Then, the simulator randomly picks the b-th one and encrypts it as C_b ← Enc(pk, m_b) where b ←$ {0, 1}. Finally, C_b is sent to the adversary as a challenge.

  o Phase 3: The adversary outputs a guess b′ at the end. The adversary wins if b = b′; otherwise it loses.

These are the two widely applied game models. Definitely, the one-way security is much weaker than the indistinguishable security, and the reduction is intuitive: if one can break the one-way security to obtain the message, there is no doubt it can break the indistinguishable security. On the contrary, an adversary who breaks the indistinguishability has no idea how to output a whole message from the challenge ciphertext. In general, most PKE schemes only consider the indistinguishable security unless they are designed for some special purposes like equality test, which will be formally discussed in later sections.

Adversary modes

In principle, the adversary modes are defined to describe how much extra help will be available from the simulator side. In the games defined above, the simulator is responsible for generating the parameters pp, a pair of keys (sk, pk) and the challenge. The primitive games are additionally enhanced with the adversary modes. More information will be provided to the adversary through oracle accesses which are maintained by the simulator. There are three modes, including the chosen plaintext attack (CPA), chosen ciphertext attack (CCA) and adaptive chosen ciphertext attack (CCA2), which differ in the accessibility of oracles 𝒪_D and 𝒪_{D′}.

• In CPA mode, 𝒪_D = 𝒪_{D′} = ⊥.
• In CCA mode, 𝒪_D = D₁ and 𝒪_{D′} = ⊥.
• In CCA2 mode, 𝒪_D = D₁ and 𝒪_{D′} = D₂.

Both oracles can be requested polynomially many but not infinitely many times. Take the IND-CCA2 experiment for example: the adversary can request decryption queries to oracle 𝒪_D polynomially many times in Phase 1. Then, after outputting (m₀, m₁) and receiving C_b ← Enc(pk, m_b), it still can ask decryption queries to oracle 𝒪_{D′} polynomially many times in Phase

(44) 2. The only restriction is the challenge 𝐶Ï cannot be requested to oracle 𝒪Š¡ . The generic definition of the game-mode model is illustrated in Figure 9. Besides, functions 𝐷• and 𝐷— that were applied to implement oracles are also formalized inside Figure 9. Both these two security models can be regulated by mathematical expressions. A public key encryption is called OW“ª°ŽŽÂ— ÎxŠ°ŽŽÂ— CCA2 secure or IND-CCA2 secure if probability 𝐴𝑑𝑣𝒜,»¸Ë or 𝐴𝑑𝑣𝒜,»¸Ë is negligible,. respectively, where two probabilities are defined as follows. 𝑝𝑝 ← 𝑆𝑒𝑡𝑢𝑝 𝜅 ; 𝑠𝑘, 𝑝𝑘 ← 𝐾𝐺𝑒𝑛 𝑝𝑝 ; “ª°ŽŽÂ— 𝐴𝑑𝑣𝒜,»¸Ë 𝜅. 𝒜 𝒪Ð ⋅ 𝑝𝑝, 𝑝𝑘 ; 𝑚∗ ℳ; 𝐶 ∗ ← 𝐸𝑛𝑐 𝑝𝑘, 𝑚∗ ; 𝑚Ó ← 𝒜 𝒪С ⋅ 𝑝𝑝, 𝑝𝑘, 𝐶 ∗ : 𝑚∗ = 𝑚Ó. 政 治 大 立𝑝𝑝 ← 𝑆𝑒𝑡𝑢𝑝 𝜅 ; 𝑠𝑘, 𝑝𝑘 ← 𝐾𝐺𝑒𝑛 𝑝𝑝 ;. $ 𝒪Ð ⋅ 𝑚 , 𝑚 ← 𝒜 𝑝𝑝, 𝑝𝑘 ; 𝑏 0, 1 ; − 1 Í • Pr 2 𝐶Ï ← 𝐸𝑛𝑐 𝑝𝑘, 𝑚Ï ; 𝑏 Ó ← 𝒜 𝒪С ⋅ 𝑝𝑝, 𝑝𝑘, 𝐶Ï : 𝑏 = 𝑏 Ó. (15). (16). ‧. ‧ 國. 𝜅. 123. $. Pr. 學. ÎxŠ°ŽŽÂ— 𝐴𝑑𝑣𝒜,»¸Ë. 123. sit. y. Nat. The most concerned model nowadays might be the IND-CCA2 security which is the strongest one among above discussions, it is also called the semantic security for PKE schemes. In a high-level. io. er. description, when an adversary who is given adaptive oracle accesses still has no idea to distinguish. al. n. iv n C h encryption the ciphertext. By the way, if a public key e n g c can h i beUproved IND-CCA2 secure, it denotes. the chosen message from the challenge, it is believed that almost no information is leaked from the forward security that no other encrypted ciphertext will be influenced even a specific ciphertext is broken.. Honest or malicious Besides the adversary modes, there is another model of adversary that is classified by the adversary’s behavior. Definitely, the behavior of adversary is not controllable. They are merely discussed in different classification. For example, an encryption scheme is called IND-CCA secure against honest adversaries, but when the adversary cheats, that encryption scheme might not be IND-CCA secure. Two common models are listed below:. 28.
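Returning to the experiments (15) and (16) and the CPA/CCA/CCA2 modes, the following Python harness is an added example written for this page; it is not the dissertation's own code. It instantiates $Setup$, $KGen$, $Enc$ and $Dec$ with textbook ElGamal over a constructed toy group ($p = 1019$, $q = 509$, $g = 4$, an assumption chosen for readability and far too small for real use), builds $\mathcal{O}_1$ and $\mathcal{O}_2$ for the three modes with the "$C_b$ may not be queried" rule enforced in $D_2$, and runs a malleability adversary through both the OW and the IND game. The adversary multiplies $Enc(pk, t)$ for a known $t$ into the challenge, asks $\mathcal{O}_2$ to decrypt the product (which differs from $C_b$, so the restriction permits the query) and divides $t$ out; it wins with probability 1 in CCA2 mode and is reduced to guessing in CPA and CCA mode, which shows concretely what the single restriction on $\mathcal{O}_2$ does and does not prevent.

```python
import secrets

# Constructed toy group (an assumption for this example, not from the text):
# p = 2q + 1 with p = 1019 and q = 509 both prime; g = 4 generates the
# order-q subgroup.  Far too small for real use; chosen so the games are readable.
P, Q, G = 1019, 509, 4
assert pow(G, Q, P) == 1 and G != 1


def setup(kappa=None):
    """Setup(kappa) -> pp.  The security parameter is ignored in this toy instance."""
    return {"p": P, "q": Q, "g": G}


def kgen(pp):
    """KGen(pp) -> (sk, pk): textbook ElGamal, x <- [1, q-1], h = g^x."""
    x = 1 + secrets.randbelow(pp["q"] - 1)
    return x, pow(pp["g"], x, pp["p"])


def enc(pp, pk, m):
    """Enc(pk, m) -> (g^r, m * pk^r) for m in the order-q subgroup, r in [1, q-1]."""
    r = 1 + secrets.randbelow(pp["q"] - 1)
    return pow(pp["g"], r, pp["p"]), (m * pow(pk, r, pp["p"])) % pp["p"]


def dec(pp, sk, c):
    """Dec(sk, (c1, c2)) -> c2 / c1^sk, using c1^(p-1-sk) as the inverse of c1^sk."""
    c1, c2 = c
    return (c2 * pow(c1, pp["p"] - 1 - sk, pp["p"])) % pp["p"]


def phase1_oracle(pp, sk, mode):
    """O_1 = D_1 (decrypts anything) in CCA and CCA2 mode; bottom (None) in CPA mode."""
    return (lambda c: dec(pp, sk, c)) if mode in ("CCA", "CCA2") else None


def phase2_oracle(pp, sk, mode, challenge):
    """O_2 = D_2 in CCA2 mode only.  D_2 decrypts anything except the challenge."""
    if mode != "CCA2":
        return None

    def d2(c):
        if c == challenge:
            raise PermissionError("the challenge ciphertext may not be queried in Phase 2")
        return dec(pp, sk, c)
    return d2


def refuses(oracle, c):
    """True iff the oracle rejects ciphertext c (used to check the C_b rule)."""
    try:
        oracle(c)
    except PermissionError:
        return True
    return False


def ind_experiment(adv, mode):
    """One run of the IND game (16).  Returns True iff the guess b' equals b."""
    pp = setup()
    sk, pk = kgen(pp)
    m0, m1, st = adv.choose(pp, pk, phase1_oracle(pp, sk, mode))   # Phase 1
    b = secrets.randbelow(2)
    c_b = enc(pp, pk, (m0, m1)[b])                                  # challenge
    return adv.guess(pp, pk, c_b, phase2_oracle(pp, sk, mode, c_b), st) == b


def ow_experiment(adv, mode):
    """One run of the OW game (15).  Returns True iff m' equals m*.
    This adversary makes no Phase-1 queries, so O_1 is not constructed."""
    pp = setup()
    sk, pk = kgen(pp)
    m_star = pow(pp["g"], secrets.randbelow(pp["q"]), pp["p"])      # m* <-$ M
    c_star = enc(pp, pk, m_star)
    return adv.invert(pp, pk, c_star, phase2_oracle(pp, sk, mode, c_star)) == m_star


class MalleabilityAdversary:
    """Multiplies Enc(pk, t) for a known t into the challenge.  The product is a
    different ciphertext, so D_2 decrypts it; dividing t out reveals the
    challenge plaintext.  Without O_2 (CPA or CCA mode) it can only guess."""

    def choose(self, pp, pk, o1):
        m0, m1 = pow(pp["g"], 1, pp["p"]), pow(pp["g"], 2, pp["p"])  # distinct subgroup elements
        return m0, m1, (m0, m1)

    def _recover(self, pp, pk, c, o2):
        t = pow(pp["g"], 3, pp["p"])
        t1, t2 = enc(pp, pk, t)
        c_prime = ((c[0] * t1) % pp["p"], (c[1] * t2) % pp["p"])   # != c because r >= 1
        return (o2(c_prime) * pow(t, pp["p"] - 2, pp["p"])) % pp["p"]  # (m * t) / t

    def guess(self, pp, pk, c_b, o2, st):
        if o2 is None:
            return secrets.randbelow(2)
        return 0 if self._recover(pp, pk, c_b, o2) == st[0] else 1

    def invert(self, pp, pk, c_star, o2):
        return None if o2 is None else self._recover(pp, pk, c_star, o2)


def estimate_advantage(adv, mode, runs=200):
    """|Pr[b' = b] - 1/2| estimated over `runs` independent IND games."""
    wins = sum(ind_experiment(adv, mode) for _ in range(runs))
    return abs(wins / runs - 0.5)


def ow_success_rate(adv, mode, runs=50):
    """Fraction of OW games in which the adversary returns m*."""
    return sum(ow_experiment(adv, mode) for _ in range(runs)) / runs
```

Running `estimate_advantage(MalleabilityAdversary(), "CCA2")` gives 0.5 (every game won), while `"CCA"` and `"CPA"` give values near 0; `ow_success_rate` behaves the same way. This is the textbook fact that ElGamal is IND-CPA under DDH but not IND-CCA2, and the harness makes visible why: the rule only forbids querying $C_b$ verbatim, so a scheme that is IND-CCA2 secure must itself make every ciphertext related to $C_b$ useless to the adversary.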
