Posted 6 April 2024 (author: 碧高歌)

Practical Techniques for Searches on Encrypted Data

Dawn Xiaodong Song, David Wagner, Adrian Perrig
dawnsong,daw,perrig@
University of California, Berkeley

Abstract

It is desirable to store data on data storage servers such as mail servers and file servers in encrypted form to reduce [...]. [...] usually implies that one has to sacrifice [...]. For example, if a client wishes to retrieve only documents containing certain words, it was not previously known how to let the data storage server perform the search and answer the query without loss of data confidentiality.

In this paper, we describe our cryptographic schemes for the problem of searching on encrypted data and pro[...]. [...] are provably secure: they provide provable secrecy for encryption, in the sense that the untrusted server cannot learn anything about the plaintext when only given the ciphertext; they provide query isolation for searches, meaning that the untrusted server cannot learn anything more about the plaintext than the search result; they provide controlled searching, so that the untrusted server cannot search for an arbitrary word without the user's authorization; they also support hidden queries, so that the user may ask the untrusted server to search for a secret word without revealing [...]. [...] algorithms we present are simple, fast (for a document of length [...], the encryption and search algorithms only need [...] stream cipher and block cipher operations), and introduce almost no space and communication overhead, and hence are practical to use today.

[...]cally, for a document of length [...], the encryption and search algorithms only need [...] number of stream [...]. [...] schemes introduce essentially no space and communication overhead. [...] also flexible and can be easily extended to support more advanced searches.

Our schemes all take the form of probabilistic searching: a search for the word [...] returns all the positions where [...] occurs in the plaintext, as well as possibly some other er[...]. [...] control the number of errors by adjusting a parameter in the encryption algorithm; each wrong position will be returned with probability about [...], so for a [...]-word document, we expect to see about [...]. [...]r will be able to eliminate all the false matches (by decrypting), so in remote searching applications, false matches should not be a problem so long as they are not so common that they overwhelm the communication channel between the user and the server.

[...] first introduce the problem of searching on encrypted data in Section 2 and briefly [...]. [...] then describe our solution for the case of searching with [...]. [...] discuss further issues such [...]. [...] discuss related work in Section 6 and finally we conclude in [...]. Appendix A presents the proofs of security for these schemes.
2 Searching on Encrypted Data

We first define the problem of searching on encrypted data.

Assume Alice has a set of documents and stores them [...]. For example, Alice could be a mobile user who stores her email messages on an untrusted [...]. [...] Bob is untrusted, Alice wishes to encrypt her documents and only store the ciphertext on Bob. Each document can be divided up into 'words'. Each 'word' may be any token; it may be a 64-bit block, an English word, a sentence, or some other atomic quantity, according [...]. [...] simplicity, we typically assume these 'words' have the same length (otherwise we can either pad the shorter 'words' or split longer 'words' to make all the 'words' have equal length, or use some simple extensions for variable length 'words'; see also Section 5.3). Because Alice may have only a low-bandwidth network connection to the server Bob, she wishes to only [...]. In order to achieve this goal, we need to design a scheme so that after performing certain computations over the ciphertext, Bob can determine with some probability whether each document contains the word [...] without learning anything else.

[...] possibility is to build up an index that, for each word [...] of interest, [...]. [...] alternative is to per[...]. [...] advantage of using an index is that it may be faster than the sequential [...]. [...]advantage of using an index is that storing and updating the index can be [...]. [...] approach of using an index is more suitable for mostly-read-only data.

We first describe our scheme for searching on encrypted [...]. [...] the index-based schemes seem to require less sophisticated constructions, we will defer discussion of searching with an index until the end of the paper (see Section 5.4).
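The sequential-scan setting described in the abstract and in this section (Bob holds only ciphertext, scans it word by word, returns the positions that match a query, and a wrong position slips through with a probability that Alice tunes and later cleans up by decrypting) can be made concrete in code. The following is an added example written for this page, not code from the paper or its authors. It builds a toy version of such a scheme from a pseudorandom generator (HMAC-SHA256 in counter mode) and a pseudorandom function (truncated HMAC-SHA256), with a small Feistel network standing in for a 64-bit block cipher. The concrete construction (a per-position keystream block on the left of each word, a keyed check value on the right, a search key derived per word from a master key, and a deterministic pre-encryption of every word) is this example's own assumption, chosen so that the four properties named in the abstract (secrecy, query isolation, controlled searching, hidden queries) can be pointed at in the code; it is not the paper's scheme as specified in its later sections, which are not on this page. All names (Client, server_search, tok, demo, false_match_rate) and the sample document are constructed here.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

N = 64         # fixed word length in bits (the 64-bit block case mentioned in Section 2)
HALF = N // 2  # half-block width of the toy Feistel cipher below


def prf(key: bytes, data: bytes, out_bits: int) -> int:
    """Pseudorandom function F_key: HMAC-SHA256 truncated to out_bits (assumption)."""
    digest = hmac.new(key, data, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - out_bits)


def prp(key: bytes, block: int, inverse: bool = False) -> int:
    """Deterministic N-bit block cipher E: a 4-round Feistel network over prf (toy PRP, assumption)."""
    mask = (1 << HALF) - 1
    left, right = block >> HALF, block & mask
    for r in (range(3, -1, -1) if inverse else range(4)):
        if inverse:  # undo round r: (L, R) <- (R ^ F_r(L), L)
            left, right = right ^ prf(key, bytes([r]) + left.to_bytes(4, "big"), HALF), left
        else:        # round r: (L, R) -> (R, L ^ F_r(R))
            left, right = right, left ^ prf(key, bytes([r]) + right.to_bytes(4, "big"), HALF)
    return (left << HALF) | right


def tok(word: str) -> int:
    """Pack a token of up to 8 characters into one N-bit word (padding shorter 'words', as Section 2 allows)."""
    return int.from_bytes(word.encode().ljust(8, b" "), "big")


class Client:
    """Alice: holds every key; the server never sees any of them."""

    def __init__(self, m: int):
        self.m = m                      # false-match parameter: a wrong position passes with prob ~2^-m
        self.k_stream = os.urandom(32)  # seed of the pseudorandom generator G
        self.k_word = os.urandom(32)    # derives one search key per word (controlled searching)
        self.k_pre = os.urandom(32)     # pre-encrypts words so a query does not reveal the word (hidden queries)

    def _s(self, i: int) -> int:
        """S_i: the i-th (N-m)-bit block of G's output."""
        return prf(self.k_stream, i.to_bytes(8, "big"), N - self.m)

    def _tag_key(self, left: int) -> bytes:
        """k_i = f_{k_word}(L_i), derived from the left N-m bits of the pre-encrypted word."""
        return hmac.new(self.k_word, left.to_bytes(8, "big"), hashlib.sha256).digest()

    def encrypt(self, words: List[int]) -> List[int]:
        """C_i = E(W_i) xor <S_i, F_{k_i}(S_i)>: keystream on the left, a keyed check value on the right."""
        cipher = []
        for i, w in enumerate(words):
            x = prp(self.k_pre, w)
            s = self._s(i)
            tag = prf(self._tag_key(x >> self.m), s.to_bytes(8, "big"), self.m)
            cipher.append(x ^ ((s << self.m) | tag))
        return cipher

    def decrypt_word(self, c: int, i: int) -> int:
        """Recover W_i: the left part needs only S_i; it yields k_i, which then unmasks the right part."""
        s = self._s(i)
        left = (c >> self.m) ^ s
        tag = prf(self._tag_key(left), s.to_bytes(8, "big"), self.m)
        x = (left << self.m) | ((c & ((1 << self.m) - 1)) ^ tag)
        return prp(self.k_pre, x, inverse=True)

    def trapdoor(self, word: int) -> Tuple[int, bytes]:
        """Authorization to search for one word: E(W) and k_W. Neither lets Bob search for another word."""
        x = prp(self.k_pre, word)
        return x, self._tag_key(x >> self.m)


def server_search(cipher: List[int], x: int, k: bytes, m: int) -> List[int]:
    """Bob: return each position i where C_i xor X has the form <S, F_k(S)>; about 2^-m of wrong positions also pass."""
    hits, mask = [], (1 << m) - 1
    for i, c in enumerate(cipher):
        t = c ^ x
        if prf(k, (t >> m).to_bytes(8, "big"), m) == t & mask:
            hits.append(i)
    return hits


def demo(m: int = 16) -> Dict[str, List[int]]:
    """Constructed sample document; returns Bob's raw hits, Alice's filtered result, and the true positions."""
    doc = [tok(w) for w in "the quick brown fox jumps over the lazy dog the end".split()]
    alice = Client(m)
    cipher = alice.encrypt(doc)
    x, k = alice.trapdoor(tok("the"))
    hits = server_search(cipher, x, k, m)
    # Alice decrypts only the returned positions to discard any false matches.
    confirmed = [i for i in hits if alice.decrypt_word(cipher[i], i) == tok("the")]
    return {"hits": hits, "confirmed": confirmed, "truth": [i for i, w in enumerate(doc) if w == tok("the")]}


def false_match_rate(m: int, positions: int = 4096) -> float:
    """Empirical fraction of positions returned for a word that is absent (expected about 2^-m)."""
    alice = Client(m)
    cipher = alice.encrypt([tok(f"w{i:06d}") for i in range(positions)])
    x, k = alice.trapdoor(tok("absent"))
    return len(server_search(cipher, x, k, m)) / positions


if __name__ == "__main__":
    print(demo(), false_match_rate(4), false_match_rate(16))
```

Running `demo()` with m = 16 returns the three true positions of "the" (and, with probability about 11/65536, one extra false hit that the decryption step removes); `false_match_rate(4)` comes out near 1/16, which is the parameter trade-off the abstract describes: a smaller m means less ciphertext expansion per word but more false matches for Alice to filter.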
3 Background and Definitions

Our scheme requires several fundamental primitives [...]. [...] we will prove our scheme secure, we use only primitives with a well-defined [...]. [...] list here the required primitives, as well as reviewing the standard definitions [...]. [...] definitions may be skipped on first reading for those uninterested in our theoretical proofs of security.

We adopt the standard definitions of security from the provable security literature [2], and we measure the strength of the cryptographic primitives in terms of the resources [...]. [...] say that an attack [...]-breaks a cryptographic primitive if the attack algorithm succeeds in breaking the primitive with resources specified by [...], and we say that a crypto primitive is [...]-secure if there is no al[...]. [...] be an arbitrary algorithm and let [...] and [...] be random variables distributed on [...]. The distinguishing probability of [...]—sometimes called the advantage of [...]—for [...] and [...] is

Adv [...]

With this background, our list of required primitives is as follows:

[...], a stream cipher. We say that [...] is a [...]-secure pseudorandom generator if every algorithm [...] with run[...]. [...] advantage of an adversary [...] is defined as Adv [...], where [...] are random variables distributed uniformly on [...].

[...] that [...] is a [...]-secure pseudorandom function if every oracle algorithm [...] making at most [...] oracle [...]