KR20090056078A - Key generating method for preventing dictionary attack and method of producing searchable keyword encryption and searching data using that - Google Patents

Abstract

A key generating method for preventing a dictionary attack, a method for producing searchable keyword encryption using the same, and a data searching method are provided to prevent the dictionary attack by generating the searchable keyword encryption using an index key in a reception side and generating a trap door using a search key in a reception side. A random number is selected according to a security parameter(202). A secret key is generated to be divided into a first secret key for generating the searchable keyword encryption and a second secret key for generating a trap door by using the selected random number(204). A public key for searching the data is generated by using the selected random number(206).

Description

KEY GENERATING METHOD FOR PREVENTING DICTIONARY ATTACK AND METHOD OF PRODUCING SEARCHABLE KEYWORD ENCRYPTION AND SEARCHING DATA USING THAT}

The present invention relates to a key generation method for preventing a dictionary attack, a searchable cipher text generation method and a data retrieval method using the same, and more particularly, to a searchable cipher text for each data keyword added to a plurality of encrypted data. When searching for a searchable ciphertext including a search keyword to be searched among (SKE: Searchable Keyword Encryption) using a trapdoor corresponding to the search keyword, a searchable ciphertext is generated using an index key of a receiver and a trapdoor A key generation method for preventing a dictionary attack, by using the search key on the receiving side to prevent a dictionary attack using a searchable ciphertext randomly generated by an attacker, and a search using the same. It relates to a possible cipher text generation method and a data retrieval method.

Recently, as the amount of large data such as multimedia increases rapidly, many people use online storage services. The online storage service includes a function of storing data of users and searching and searching for desired data when a user needs it. At this time, users want to encrypt and store data in order to protect privacy and confidentiality of important data. This is because there is a risk that the contents of the data are exposed to the server performing the search. If a lot of such data is stored in the server, a function is needed so that users can search only the desired data as needed. In other words, there is a need for a method that enables users to search for desired data without compromising the confidentiality of the encrypted data. A proposed search system is a searchable encryption system.

In 2000, "Dawn Xiaodong Song" et al. Proposed the first possible search method for a single keyword. This method uses symmetric key encryption. However, this symmetric key encryption method has a disadvantage in that it can be used only when the person who encrypts the data and transmits the same after the person who performs the search. That is, the symmetric key encryption method can be used only in the case of an online storage service used by an individual alone.

In 2004, "Dan Boneh" et al. Proposed the first searchable cryptographic system that enables the search of a single keyword using public key encryption. The searchable cryptographic system based on the public key encryption method can be used even when the person who encrypts the data and the person who wants to search it later have the advantage that the application fields are more diverse than when the symmetric key encryption method is used.

In 2004, "Philippe Golle" and others proposed the first method to enable the search (Conjunctive Search) for several keywords at the same time, this method uses a symmetric key encryption method. Also, in the same year, "Dong jin Park" and others proposed a method to search for several keywords at once using public key encryption.

On the other hand, since a searchable cryptographic system based on the conventional public key encryption method uses a public key of a data receiver or a person who wants to perform a search in an encryption algorithm, a malicious attacker can use the strings he or she wants. You can try the encryption algorithm. The keywords that are frequently used by users in real life are relatively low entropy strings. For example, in the case of an e-mail system, a keyword may be a name of an e-mail sender, an e-mail receiving date, and the like.

At this time, an attacker can make a list of strings that are likely as keywords and ciphertexts corresponding to the strings, and use them to attack encrypted data more easily. Such an attack is called a dictionary attack. do. In other words, in this conventional searchable cryptographic system, since the number of keywords frequently used in a real environment is limited, the size of the dictionary of ciphertexts to be made for a dictionary attack is relatively small. Therefore, in such a conventional encryption system, an attacker can easily obtain searchable ciphertexts for strings that are likely to be keywords, and there is a problem that they are relatively vulnerable to dictionary attacks.

Therefore, the prior art as described above has a problem that the attacker is relatively vulnerable to dictionary attack because the attacker can easily obtain searchable ciphertexts for strings that are likely to be keywords, and to solve such problems is an object of the present invention. to be.

Accordingly, the present invention provides a trapdoor corresponding to a search keyword for a searchable ciphertext including a search keyword to be searched among searchable keyword encryptions (SKE) for keywords of each data appended to a plurality of encrypted data. In the search by using a dictionary, a searchable ciphertext is generated using an index key of a receiver and a trapdoor is generated using a search key of a receiver, thereby making a dictionary attack using a searchable ciphertext randomly generated by an attacker. It is an object of the present invention to provide a key generation method for preventing a dictionary attack, a searchable cipher text generation method, and a data retrieval method using the same.

The objects of the present invention are not limited to the above-mentioned objects, and other objects and advantages of the present invention which are not mentioned above can be understood by the following description, and will be more clearly understood by the embodiments of the present invention. Also, it will be readily appreciated that the objects and advantages of the present invention may be realized by the means and combinations thereof indicated in the claims.

In order to solve the above problem, the present invention provides a searchable ciphertext including a search keyword to be searched among searchable keyword encryptions (SKE) for keywords of each data appended to a plurality of encrypted data. In the search using the corresponding trap door, the searchable cipher text is generated using the index key of the receiver and the trap door is generated using the search key of the receiver.

More specifically, the method of the present invention includes a random number selection step of randomly selecting a random number according to a security parameter in a key generation method for preventing a dictionary attack; Generating a private key using the selected random number, and generating a private key by dividing the private key into a first private key for generating a searchable ciphertext and a second private key for generating a trapdoor; And a public key generation step of generating a public key for data retrieval using the selected random number.

On the other hand, another method of the present invention, a searchable cipher text generation method for preventing a dictionary attack, the data encryption step of encrypting data; And a ciphertext generation step of generating a searchable ciphertext using a first private key among a keyword of the encrypted data and a private key of a receiving terminal.

The method may further include transmitting the encrypted data and the generated searchable ciphertext to a corresponding server.

Meanwhile, another method of the present invention provides a data retrieval method for preventing a dictionary attack, comprising: receiving a searchable ciphertext and encrypted data generated using a first private key at a transmitting terminal and receiving a ciphertext; A trap door receiving step of receiving a trap door generated using a second private key at a receiving terminal; And a search step of searching for a searchable ciphertext including the search keyword of the received trapdoor among the received searchable ciphertexts using the trapdoor and the public key of the receiving terminal.

In addition, another method of the present invention, according to the search for the searchable cipher text containing the search keyword of the trapdoor, a data transmission step of transmitting the encrypted data corresponding to the searched searchable cipher text to the receiving terminal It includes more.

In the present invention as described above, the sender generates a searchable keyword encryption (SKE) for the encrypted data and the corresponding keywords by using the receiving side's private key, so that an attacker can arbitrarily search for a dictionary attack. This has the effect of not being able to generate cipher text.

In addition, the present invention, by using the trap door on the server side to search the encrypted data in accordance with the presence or absence of the search keyword to be searched in the searchable ciphertext on the sending side, it is possible to facilitate the encrypted data while preventing the dictionary attack behavior by the attacker It has the effect of making it searchable.

In addition, the present invention, while the server side can only confirm whether the keyword for the searchable ciphertext of the encrypted data and the keyword of the trapdoor match, there is an effect that can not recognize the keyword for the searchable ciphertext. .

The above objects, features, and advantages will become more apparent from the detailed description given hereinafter with reference to the accompanying drawings, and accordingly, those skilled in the art to which the present invention pertains may share the technical idea of the present invention. It will be easy to implement. In addition, in describing the present invention, when it is determined that the detailed description of the known technology related to the present invention may unnecessarily obscure the gist of the present invention, the detailed description thereof will be omitted. Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings.

In the following embodiment, for the purpose of understanding the present invention, a key generation method for preventing a dictionary attack according to the present invention, and a searchable cipher text generation method and data using the same as an example of sending and receiving an email (email) as an example Although a search method will be described, the present invention is not limited thereto, and the present invention may be applied to an environment for exchanging data through the Internet using a file sharing server, an ISP (Internet Service Provider) server, and the like. have.

1 is a block diagram of an embodiment of an email system to which the present invention is applied.

As shown in FIG. 1, the email system 100 to which the present invention is applied includes a key generating device 110, an email server 120, a transmitting terminal 130, and a receiving terminal 140.

), 수신 단말(140)의 비공개키 중 제1 비공개키인 암호(Encryption) 알고리즘에 이용되는 인덱스키(

), 및 수신 단말(140)의 비공개키 중 제2 비공개키인 트랩도어(Trapdoor) 알고리즘에 이용되는 검색키(

)를 생성한다. 여기서, 공개키(

)는 수신 단말(140)의 공개키이며, 인덱스키(

)는 송신 단말(130)에서 인지하여 암호화(Encryption)에 이용할 수 있는 수신 단말(140)의 비공개키 또는 비밀키이며, 검색키(

)는 수신 단말(140)에서만 인지하고 있는 비공개키다. 한편, 키 생성 장치(110)에서 수행되는 키 생성 알고리즘은 수신 단말(140)에서도 수행될 수 있다.The key generation device 110 performs a key generation algorithm for generating a key required for the email system 100. That is, the key generation device 110 uses a public key (used in a test algorithm).

), An index key used in an encryption algorithm that is a first private key among the private keys of the receiving terminal 140 (

) And a search key used for a trapdoor algorithm, which is a second private key of the private keys of the receiving terminal 140 (

) Where public key (

) Is the public key of the receiving terminal 140, the index key (

) Is a private key or a secret key of the receiving terminal 140 that can be recognized and used by the transmitting terminal 130 for encryption.

) Is a private key recognized only by the receiving terminal 140. Meanwhile, the key generation algorithm performed by the key generation device 110 may also be performed by the reception terminal 140.

)를 이용하여 생성한다. 그리고 송신 단말(130)은 암호화된 이메일 데이터에 검색 가능 암호문을 덧붙여 이메일 서버(120)로 전송한다. 이때, 송신 단 말(130)이 전송하고자 하는 이메일 데이터를 암호화하는 것과 검색 가능 암호문을 생성하는 것은 서로 독립적으로 수행된다. 따라서 송신 단말(130)은 일반적인 공개키 암호화 방식을 이용하여 이메일 데이터를 암호화하고, 그 이메일 데이터의 키워드들에 해당하는 검색 가능 암호문을 생성하며, 그 둘을 덧붙여 이메일 서버(120)로 전송한다.The transmitting terminal 130 encrypts the e-mail data to be transmitted, and retrieves the searchable cipher text for the keywords of the encrypted e-mail data.

Create with). The transmitting terminal 130 transmits the searchable cipher text to the encrypted email data to the email server 120. At this time, the transmitting terminal 130 encrypts the email data to be transmitted and generates a searchable cipher text independently of each other. Therefore, the transmitting terminal 130 encrypts the email data using a general public key encryption scheme, generates a searchable cipher text corresponding to the keywords of the email data, and adds the two to the email server 120.

)와 자신이 검색하려는 검색 키워드들을 이용하여 트랩도어(Trapdoor)를 생성한다. 그리고 수신 단말(140)은 생성된 트랩도어를 이메일 서버(120)로 전송한다.Receiving terminal 140, when the e-mail server 120 wants to search the e-mail data containing a specific search keyword among the e-mail data received by the user, his search key (

) And trapdoors using the search keywords you want to search. The receiving terminal 140 transmits the generated trap door to the e-mail server 120.

), 및 송신 단말(130)로부터 전송되어 저장된 검색 가능 암호문을 이용하여, 트랩도어에 대한 키워드들을 모두 포함하는 검색 가능 암호문이 있는지 여부를 확인한다. 즉, 이메일 서버(120)는 다수의 이메일 데이터의 키워드들에 대한 검색 가능 암호문들 중에서 검색하려는 검색 키워드가 포함된 검색 가능 암호문을 트랩도어를 이용하여 검색한다. 이때, 이메일 서버(120)는 수신 단말(140)이 검색하려는 검색 키워드들을 확인할 수 없으며, 단지 테스트하는 이메일 데이터에 대한 검색 가능 암호문이 특정 검 색 키워드에 관련되어 있는지 여부만을 확인할 수 있다. 그리고 이메일 서버(120)는 검색된 결과 또는 특정 이메일 데이터를 수신 단말(140)로 전송한다.The e-mail server 120 stores the e-mail data transmitted from the transmitting terminal 130 and the corresponding searchable cipher text. In addition, the e-mail server 120 is a trapdoor transmitted from the receiving terminal 140, the public key of the receiving terminal 140 to search (

), And using the searchable ciphertext transmitted and stored from the transmitting terminal 130, it is checked whether there is a searchable ciphertext including all the keywords for the trapdoor. That is, the e-mail server 120 searches the searchable cipher text including the search keyword to search among the searchable cipher texts for the keywords of the plurality of e-mail data using the trapdoor. In this case, the e-mail server 120 may not check the search keywords to be searched by the receiving terminal 140, and may only check whether a searchable cipher text for the test e-mail data is related to a specific search keyword. The email server 120 transmits the searched result or the specific email data to the receiving terminal 140.

On the other hand, the receiving terminal 140 uses a keyword field that supports the search (Conjunctive Search) for several keywords at a time. The keyword field represents an attribute of each keyword. If the data to be encrypted is email data, "sender", "recipient", "receipt date", "title", etc. may be set as keyword fields.

)은

로 표기된다. 여기서,

은 m번째 키워드 필드의 키워드 필드값을 나타낸다. 이때, 모든 데이터는 m개의 키워드 필드를 가지며, 동일한 데이터의 서로 다른 키워드 필드는 다른 값을 가져야 한다고 가정한다.For example, in more detail, the keyword set for each data (

)silver

It is indicated by. here,

Indicates a keyword field value of the m th keyword field. In this case, it is assumed that all data have m keyword fields, and that different keyword fields of the same data should have different values.

The above two conditions (that is, all data has m keyword fields, and different keyword fields of the same data must have different values) can be easily satisfied through the following method.

First, when you give a keyword field value, give it in the form of "keyword field name: keyword to search for" such as "From: Alice" and "To: Bob". Each keyword field of the same data has a different value. do. In addition, when the number of search keywords is smaller than m, the value of the keyword field without a corresponding matter is set to "keyword field name: NULL".

)는 이메일을 전송하려는 송신 단말(130)만이 검색 가능 암호문을 생성할 시에 인지할 수 있어야 한다. 이는 공격 단말(도면에 도시되지 않음)이 수신 단말(140)의 인덱스키(

)를 이용하여 임의대로 검색 가능 암호문을 생성할 수 없도록 하기 위함이다. 이를 위하여, 송신 단말(130)은 수신 단말(140)의 인덱스키(

)를 미리 인지하거나 획득해야 한다. 그 방법들로는 사전 분배(Pre-distribution), 키 동의(Key agreement) 및 인증서(Certificate) 등이 있다. 이에 대한 상세한 설명은 [표 1]에서 설명하기로 한다.Meanwhile, the index key of the reception terminal 140 generated by the key generation device 110 (

) Should be recognizable when only the transmitting terminal 130 to transmit the email generates the searchable cipher text. This is because the attack terminal (not shown) shows the index key of the receiving terminal 140 (

) To make it impossible to generate a searchable ciphertext arbitrarily. To this end, the transmitting terminal 130 is the index key of the receiving terminal 140 (

) Should be recognized or acquired in advance. Such methods include pre-distribution, key agreement, and certificates. Detailed description thereof will be described in [Table 1].

)를 미리 공유하는 방식이다. 송신 단말(130)과 수신 단말(140)의 수가 적거나 고정되어 있는 경우에 적합한 방식으로, 수신 단말(140)의 검색키(

)는 수신 단말(140)에서만 저장되는 비공개키다.First, in the pre-distribution scheme in [Table 1], the transmitting terminal 130 and the receiving terminal 140 use the index key of the receiving terminal 140 (

) Is shared in advance. In a manner suitable for the case where the number of the transmitting terminal 130 and the receiving terminal 140 is small or fixed, the search key (

) Is a private key stored only in the receiving terminal 140.

) 및 검색키(

)를 생성한다. 키 동의(Key Agreement) 방식은 송신 단말(130)의 수가 적고 동적인 경우에 적합한 방식이다.Secondly, the key agreement method is a session key method. That is, the transmitting terminal 130 and the receiving terminal 140 generate a session key using a conventional key agreement protocol, and use the generated session key as a random seed to be necessary in the e-mail system 100. Index key of the receiving terminal 140 (

) And search key (

) The key agreement method is suitable when the number of transmitting terminals 130 is small and dynamic.

)를 선택하고 선택한 인덱스키(

)를 송신 단말(130)의 공개키를 이용하여 암호화한다. 그리고 암호화된 인덱스키(

)를 자신의 인증서에 덧붙여 송신 단말(130)로 전송한다. 그러면, 송신 단말(130)은 수신 단말(140)의 인증서로부터 수신 단말(140)의 인덱스키(

)를 획득한다. 예를 들어, "Bob"이 "Alice"에게 이메일을 보내고자 한다면 "Bob"은 먼저 "Alice"의 인증서를 수신한다. 그리고 "Bob"은 수신한 인증서로부터 "Alice"의 인덱스키(

)를 획득한다. 그리고 "Bob"은 획득된 "Alice" 인덱스키(

)를 이용하여 검색 가능 암호문을 만들어 "Alice"에게 전송한다. 이러한 인증서(Certificate) 방식은 송신 단말(130) 및 수신 단말(140)의 수가 많은 경우에도 사용할 수 있는 장점이 있다.Third, the certificate method is a method using a public key and a certificate of the transmitting terminal 130. That is, the receiving terminal 140 has its index key (

) And select the index key (

) Is encrypted using the public key of the transmitting terminal 130. And the encrypted index key (

) Is added to its own certificate and transmitted to the transmitting terminal 130. Then, the transmitting terminal 130 is the index key of the receiving terminal 140 from the certificate of the receiving terminal 140 (

). For example, if "Bob" wants to send an email to "Alice", "Bob" first receives a certificate of "Alice". "Bob" is the index key of "Alice" from the received certificate (

). "Bob" is the obtained "Alice" index key (

) To create a searchable ciphertext and send it to Alice. Such a certificate scheme has an advantage that can be used even when the number of the transmitting terminal 130 and the receiving terminal 140 is large.

Hereinafter, prior to explaining the present invention in more detail, the mathematical knowledge as a background will be described in brief.

)과 그 그룹(

)의 원소(a)가 존재할 때, 하기의 [수학식 1]을 만족하는 원소(a)를 그룹(

)의 생성자라 한다. First, random groups (

) And its group (

When element (a) of) is present, group (a) that satisfies Equation 1

Is called the constructor.

이 항등원이 되는 가장 작은 양의 정수(m)를 그룹(

)의 위수(Order)라 한다.Where Z represents a set of integers,

The smallest positive integer (m)

Is called the Order.

과

) 사이에 성립하는 바이리니어 맵(bilinear map)은 하기의 [수학식 2]로 표현되며, 하기의 세 가지 특성을 만족한다.In this case, the first and the second group having any large prime number p as a rank (

and

The bilinear map, which holds between), is expressed by Equation 2 below, and satisfies the following three characteristics.

는 페어링(Pairing) 연산을 나타낸다.here,

Denotes a pairing operation.

)의 모든 원소

와

(

)에 대해 상기의 [수학식 3]을 만족하면 바이리니어(Bilinear)하다고 말한다.Firstly, for Bilinear, the first group (

All elements of)

Wow

(

If the above Equation 3 is satisfied, it is said to be bilinear.

는 제1 그룹(

)의 모든 원소,

는 정수(Z)에 속하는 원소를 나타낸다.here,

Is the first group (

All elements of),

Represents an element belonging to the integer Z.

원소가 제1 그룹(

)의 생성자면,

는 제2 그룹(

)의 생성자이다.Secondly, for non-degenerate,

Element is the first group (

If you are a constructor of)

Is the second group (

) Constructor.

)의 모든 원소(

)에 대해서

를 효율적으로 계산할 수 있는 알고리즘이 존재한다.Third, for Computable, the first group (

All elements of)

)about

There is an algorithm that can efficiently calculate.

)에서의 바이리니어 디피 헬만(Bilinear Diffie-Hellman) 문제는 제1 그룹(

)의 원소인

가 입력으로 주어졌을 때, 제2 그룹(

)의 원소인

를 계산하는 것이다. 본 발명의 안전성은 상기 바이리니어 디피 헬만(Bilinear Diffie-Hellman) 문제에 기반한다.On the other hand, when looking at the Bilinear Diffie-Hellman problem, the first group (

Bilinear Diffie-Hellman problem in the

Element of

When is given as input, the second group (

Element of

Will be calculated. The safety of the present invention is based on the Bilinear Diffie-Hellman problem.

Hereinafter, a searchable encryption method for preventing dictionary attack according to the present invention will be described in more detail with reference to the above description.

2 is a flowchart illustrating a key generation method for preventing a dictionary attack according to the present invention.

"로 표현되는 보안 매개 변수(Security Parameter)를 입력으로 받고, 입력받은 보안 매개 변수(Security Parameter)에 따라 제1 그룹(

)과 제2 그룹(

)의 위수(p)의 크기를 결정하고, 그에 따른 난수를 선택할 때마다 랜덤하게 선택한다(202). 즉, 키 생성 장치(110)는 0 내지 p-1까지의 정수 집합(

)의 원소인

과

와,

의 크기를 갖는 이진 문자열(

)을 랜덤하게 선택하고, 제1 그룹(

)의 생성자(

)를 선택한다.First, the key generation device 110 is "

Receives a security parameter expressed as "as an input, and according to the received security parameter (Security Parameter) the first group (

) And the second group (

The magnitude of the power p is determined and randomly selected every time the random number is selected (202). That is, the key generating device 110 is a set of integers from 0 to p-1 (

Element of

and

Wow,

Binary string with size of (

) Is randomly selected, and the first group (

) Constructor

Select).

의 원소인

과

, 이진 문자열(

) 및 제1 그룹(

)의 생성자(

)를 이용하여, 제1 비공개키인 인덱스키(

) 및 제2 비공개키인 검색키(

)를 생성한다. 또한, 키 생성 장치(110)는 선택된 난수를 이용하여, 데이터 검색을 위한 공개키를 생성한다(206).The key generator 110 generates a private key using a random number (elements of an integer set, a binary string, a constructor of a first group), and generates a first private key and a trapdoor for generating a searchable ciphertext. Generated by dividing by a second private key for (204). That is, the key generation device 110 is selected

Element of

and

, Binary string (

) And the first group (

) Constructor

), The index key (the first private key)

) And the second private key, the search key (

) In addition, the key generation device 110 generates a public key for data retrieval using the selected random number (206).

), 공개키(

) 및 검색키(

)는 하기의 [수학식 4]에 나타나 있다.Index key generated by the key generation device 110 (

), Public key (

) And search key (

) Is shown in Equation 4 below.

)과 제2 그룹(

)의 위수,

과

는

의 원소,

는 제1 그룹(

)의 생성자,

는

의 크기를 갖는 이진 문자열,

는 정수 집합{0, 1, 2, …, p-1}을 나타낸다.Where p is the first group (

) And the second group (

),

and

Is

Element of,

Is the first group (

) Constructor,

Is

A binary string with the size of,

Is a set of integers {0, 1, 2,... , p-1}.

)는 3개의 값(

,

,

)을 포함한다. 여기서,

는 임의의 그룹(

)의 생성자(

)에 랜덤한 값(

)을 곱한 값(

)과 생성자(

)를 페어링 연산한 결과값,

는 생성자(

)에 랜덤한 값(

)을 곱한 값을 나타낸다.The public key of the receiving terminal 140 that is used when the email server 120 retrieves the desired email data by the receiving terminal 140 (

) Has three values (

,

,

). here,

Is a random group (

) Constructor

) Is a random value (

Multiplied by

) And constructor (

) Is the result of pairing

Is the constructor (

) Is a random value (

) Is multiplied by

로부터 랜덤한 값(

)을 계산하는 것은 수학적으로 풀기 어렵다고 알려져 있는 문제이기 때문에, 임의의 수신 단말(140)의 공개키를 알고 있다 하더라도 그 수신 단말(140)의 검색키(

) 성분을 알 수 없다.At this time,

Random value from

) Is a problem known to be difficult to solve mathematically, so even if the public key of any receiving terminal 140 is known, the search key () of the receiving terminal 140 is known.

) Ingredients are unknown.

)는 랜덤하게 선택한

크기의 이진 문자열(

)이다. 또한, 수신 단말(140)이 검색하고자 하는 키워드에 대한 트랩도어를 생성할 때 사용하는 검색키(

)는 인덱스키(

)의 이진 문자열(

),

및

인 3개의 값을 포함한다. 여기서,

는 제1 그룹(

)의 생성자(

)에 랜덤한 값(

)을 곱한 결과값이며, 랜덤한 값(

)도 검색키(

)의 원소가 된다.Index key of the receiving terminal 140 used when the transmitting terminal 130 generates a searchable cipher text (

) Randomly selected

Binary string of size (

)to be. In addition, a search key used when the receiving terminal 140 generates a trap door for a keyword to be searched (

) Is the index key (

) Binary string (

),

And

Contains three values: here,

Is the first group (

) Constructor

) Is a random value (

) Times the random value (

) Also search key (

) Element.

), 공개키(

) 및 검색키(

))를 이용하며, 검색 가능 암호문을 생성할 때 이용하는 인덱스키(

)는 정당한 송신 단말(130) 이외에는 획득할 수 없다. 따라서 수신 단말(140)의 공개키를 획득하여 임의의 검색 가능 암호문을 생성할 수 있었던 종래의 검색 가능 암호 시스템과는 달리, 본 발명은 정당한 송신 단말(130) 이외에는 검색 가능 암호문을 생성할 수 없기 때문에 사전 공격으로부터 보다 안전할 수 있다.Conventionally, when the transmitting terminal 130 generates a searchable ciphertext and the public key of the receiving terminal 140 used when the email server 120 searches, the receiving terminal 140 uses the generated trap door. Its own private key, ie two keys, is used. However, in the present invention, the key used when the transmitting terminal 130 generates the searchable cipher text and the key used by the e-mail server 120 to search are separated into a total of three keys (index ski (

), Public key (

) And search key (

Index key () to generate a searchable ciphertext.

) Can not be obtained other than the valid transmission terminal 130. Therefore, unlike the conventional searchable cipher system that could generate an arbitrary searchable ciphertext by acquiring the public key of the receiving terminal 140, the present invention cannot generate a searchable ciphertext other than the legitimate transmitting terminal 130. This makes it safer from dictionary attacks.

3 is a flowchart illustrating an example of a searchable cipher text generation method for preventing a dictionary attack according to the present invention.

First, the transmitting terminal 130 encrypts data to be stored (302).

)를 이용하여 검색 가능 암호문을 생성한다.In operation 304, the transmitting terminal 130 generates a searchable cipher text using a keyword of the encrypted data and a first private key (index key) among the private keys of the receiving terminal 140. That is, the transmitting terminal 130 may include keywords of the email data to be transmitted and an index key of the receiving terminal 140 generated by the key generating apparatus 110 (

) To create a searchable ciphertext.

The transmitting terminal 130 transmits the encrypted data and the generated searchable cipher text to the email server 120 (306).

에서 랜덤한 값(

)을 선택하고, 의사 난수(pseudo-random) 함수(F)를 이용하여 하기의 [수학식 5]와 같이 계산한다.Looking specifically at the "304" process, the transmitting terminal 130 is

Random value from

) Is calculated using the pseudo-random function (F) as shown in Equation 5 below.

은 제1 그룹(

)의 생성자(

)에 송신 단말(130)이 랜덤하게 선택한 값(

)을 곱한 결과값,

는

를 연산한 결과값,

는 공개키(

)의 성 분인

,

은 송신 단말(130)이 검색 가능 암호문을 생성하기 위해 랜덤하게 선택한 값들을 나타내며, 각

는 전송하려는 이메일의 각 키워드(

)를 암호화하는데 이용되고,

는 m개의 키워드들을 암호화하는데 공통으로 이용된다.here,

Is the first group (

) Constructor

) Is a value randomly selected by the transmitting terminal 130 (

) Multiplied by

Is

Is the result of calculating

Is the public key (

A member of)

,

Represents values randomly selected by the transmitting terminal 130 to generate a searchable ciphertext,

Is the keyword of each email

Is used to encrypt

Is commonly used to encrypt m keywords.

에서

은 수신 단말(140)의 인덱스키(

)의 성분인 랜덤한 이진 문자열,

는 암호화하려는 키워드,

에서

는 수신 단말(140)의 공개키(

)의 성분을 나타낸다.Also,

in

Is the index key of the receiving terminal 140 (

A random binary string that is a component of

Is the keyword you want to encrypt,

in

Is the public key of the receiving terminal 140 (

) Component.

와

는 이메일 키워드 개수만큼 생성되는데,

에는 암호화하려는 키워드(

)와 수신 단말(140)의 인덱스키(

)인 이진 문자열(

)의 성분이 포함되므로 특정 수신 단말(140)의 인덱스키(

)를 모르면 정당한

를 생성할 수 없다. 또한,

에서

를 계산할 때 이용하는 랜덤한 값(

)을 동일하게 이용하여,

와

값에 서로 관련성이 존재하도록 한다.At this time,

Wow

Is generated by the number of email keywords.

Contains the keywords you want to encrypt (

) And the index key of the receiving terminal 140 (

Binary string ()

) Component is included, so that the index key (

Just don't know

Cannot be generated. Also,

in

Is a random value used to calculate

) Using the same,

Wow

Ensure that values exist in relation to each other.

A pseudo-random function (F) used in Equation 5 is expressed as Equation 6 below.

의 크기를 갖는 이진 문자열과 임의의 크기를 갖는 이진 문자열을 입력으로 받아 제1 그룹(

)의 랜덤한 원소를 출력하는 함수를 의미한다. 송신 단말(130)은 상기의 값을 하기의 [수학식 7]에 적용하여 검색 가능 암호문(S)을 생성한다.[Equation 6] is

The first group takes a binary string having a size of and a binary string having a size of

This function outputs a random element of). The transmitting terminal 130 generates the searchable cipher text S by applying the above value to Equation 7 below.

,

,

,

는 상기 [수학식 5]에 나타나 있다.here,

,

,

,

Is shown in Equation 5 above.

In the conventional algorithm for generating a searchable ciphertext, since the public key of the receiving terminal 140 is used when generating the searchable ciphertext, a malicious attacker could generate a legitimate searchable ciphertext for a keyword desired by the malicious attacker. Thus, when an attacker creates a list of searchable ciphertexts for frequently used keywords, the attacker can use them to find out which keywords the encrypted email data contains. However, in the algorithm for generating the searchable cipher text of the present invention, since only the legitimate transmitting terminal 130 can obtain the index key of the receiving terminal 140, the aforementioned dictionary attack is impossible.

4 is a flowchart illustrating a trapdoor generation method for preventing a dictionary attack according to the present invention.

)와 자신이 검색하고자 하는 키워드들을 이용하여 트랩도어를 생성한다. 수신 단말(140)에서 생성된 트랩도어는 수신 단말(140)의 검색키(

)를 획득하고 있는 수신 단말(140)에서만 생성될 수 있다. 이메일 서버(120)는 수신 단말(140)에서 생성된 트랩도어를 이용하여 수신 단말(140)이 원하는 이메일 데이터들을 검색한다.The receiving terminal 140 uses its own search key to search for specific email data among the received email data.

) And create a trapdoor using the keywords you want to search. The trapdoor generated by the receiving terminal 140 is a search key of the receiving terminal 140 (

) May be generated only in the receiving terminal 140 that is acquiring). The e-mail server 120 searches for e-mail data desired by the receiving terminal 140 using the trapdoor generated by the receiving terminal 140.

의 형태를 갖는다. 여기서, (

)는 검색하고자 하는 검색 키워드들,

는 검색하려는 키워드들의 위치에 대한 식별자들을 나타낸다. 예를 들어, "보내는 사람", "받는 사람", "수신 날짜", "제목"이 각 이메일의 키워드 필드로 주어져 있고, 특정 수신 단말은 자신이 받은 이메일들 중에서 “Alice”가 보낸 이메일들을 찾는다고 생각한다. 각 키워드 필드의 위치를 차례로 "보내는 사람: 1", "받는 사람: 2", "수신 날짜: 3", "제목: 4"로 설정한다면, 이때, 키워드들의 쿼리 정보(Q)는

이다.Here, if the receiver terminal 140 is query information for information about keywords to be searched, the query information Q is

Has the form of. here, (

) Matches the search keywords you

Denotes identifiers for locations of keywords to search for. For example, "From", "To", "Received", and "Subject" are given as keyword fields for each email, and a specific receiving terminal searches for emails sent by "Alice" among the emails it receives. I think that. If the location of each keyword field is set to "From: 1", "To: 2", "Received Date: 3", and "Title: 4" in turn, then the query information (Q) of the keywords is

to be.

에서 랜덤한 값인 난수(u)를 선택한다(402).Looking at the trap door generation process in detail, the receiving terminal 140

In step 402, a random value u is selected, which is a random value.

)를 이용하여 트랩도어를 생성한다(404).In addition, the reception terminal 140 selects the selected random number u, the query information corresponding to the search keyword, and the search key (

Trap door is generated using 404.

The reception terminal 140 transmits the generated trapdoor to the email server 120 (406), and receives encrypted data corresponding to the trapdoor from the email server 120 in response (408).

)를 하기의 [수학식 8]에 적용하여 트랩도어(T)를 생성한다. 여기서, 수신 단말(140)에서 생성된 트랩도어(T)는

와 같은 구조를 가진다.Looking at the process "404" in detail, the receiving terminal 140 is selected random number (u), query information (Q) and the search key (

) Is applied to Equation 8 below to generate a trapdoor (T). Here, the trap door (T) generated in the receiving terminal 140 is

Has the same structure as

은 제1 그룹(

)의 생성자(

)에 트랩도어를 생성하는 수신 단말(140)에서 랜덤하게 선택된 값(u)을 곱한 값,

는 수신 단말(140)의 공개키(

)의 성분

와

의 계산에 사용된 랜덤한 값(u)을 곱한 값,

에서

는 수신 단말(140)의 인덱스키(

) 성분인 이진 문자열(

)과 검색하려는 키워드(

)를 의사 난수(pseudo-random) 함수(F)의 입력으로 넣었을 때의 출력 값,

는 이 값들과

,

계산에 이용된 랜덤한 값(u), 및 수신 단말(140)의 검 색키(

) 성분(

,

)이 이용되어 계산된 값을 나타낸다. 이때, 수신 단말(140)에서 선택된 랜덤한 값(u)은 트랩도어의 성분(

,

,

)을 계산할 때 공통으로 이용되기 때문에, 이 세 값들이 서로 관련성을 갖도록 한다. 또한, 트랩도어는 해당 수신 단말(140)만 알고 있는 검색키()를 이용하여 생성되기 때문에, 검색키(

)를 모르는 공격자는 정당한 트랩도어를 생성할 수 없다.here,

Is the first group (

) Constructor

) Multiplied by a random value u selected at the receiving terminal 140 generating a trapdoor,

Is the public key of the receiving terminal 140 (

Ingredients of

Wow

Multiplying the random value (u) used in the calculation of,

in

Is the index key of the receiving terminal 140 (

) A binary string (

) And the keywords you want to search (

) Is the output value when inputting the pseudo-random function (F),

With these values

,

A random value u used in the calculation, and a search key of the receiving terminal 140 (

) ingredient(

,

) Is used to represent the calculated value. At this time, the random value u selected by the receiving terminal 140 is a component of the trapdoor (

,

,

Since these values are commonly used in computing), make these three values related. In addition, the trap door is a search key (only known to the receiving terminal 140) ( Is generated using), so the search key (

An attacker who doesn't know) cannot create a legitimate trapdoor.

5 is a flowchart illustrating a data retrieval method for preventing a dictionary attack according to the present invention.

)가 이용되어 생성된 것이다.First, the e-mail server 120 receives the encrypted data and the searchable cipher text (S) from the transmitting terminal 130 (502). Here, the searchable ciphertext (S) is the index key (s) in the transmitting terminal 130

) Is generated using

)가 이용되어 생성된 것이다.In addition, the e-mail server 120 receives a trap door from the receiving terminal 140 (504). Here, the trap door is a search key (the receiving terminal 140)

) Is generated using

)를 이용하여 검색한다(506).Thereafter, the e-mail server 120 transmits the searchable ciphertext including the search keyword among the received searchable ciphertexts to the trapdoor and the public key of the receiving terminal 140.

(506).

The e-mail server 120 transmits the encrypted data for the retrieved searchable cipher text to the receiving terminal 140 (508). Then, the receiving terminal 140 decrypts the encrypted data and extracts the data to be transmitted.

)를 이용하여 하기의 [수학식 9]가 성립하는지 여부를 확인한다. Referring to the process "506" in detail, the e-mail server 120 searches for a searchable cipher text including all the search keywords to search among searchable cipher texts for the keywords of the plurality of e-mail data. That is, the e-mail server 120 stores the stored searchable cipher text (S), the trapdoor (T) transmitted from the receiving terminal 140 and the public key (

) To check whether the following Equation 9 is true.

,

는 이메일 서버에 저장된 검색 가능 암호문의 성분,

는 수신 단말(140)에서 생성된 트랩도어(T)의 성분을 나타낸다. 또한, 우변의

,

는 트랩도어의 성분,

는 검색 가능 암호문의 성분

중 트랩도어의 식별자

가 나타내는 위치의 값들을 나타내며,

도 동일한 값을 나타낸다. 예를 들어,

라고 한다면,

과

은 각각

와

를 의미한다.Where

,

Is a component of the searchable ciphertext stored on your email server,

Denotes a component of the trapdoor T generated by the receiving terminal 140. Also, on the right side

,

Is a component of the trapdoor,

Is a component of a searchable cipher

Trapdoor Identifier

Indicates the values of the location indicated by

Also shows the same value. E.g,

If you say,

and

Are each

Wow

Means.

)은

,

를 페어링 연산한 결과값을

로 나눈 값을 나타내며, 우변(

)은 검색 가능 암호문의 성분들인

의 합과 트랩도어 성분인

를 페어링 연산한 결과를 비슷한 형태의 페어링 연산한 결과로 나눈 값을 나타낸다. 이메일 서버(120)에서는 테스트하는 검색 가능 암호문이 수신 단말(140)이 원하는 이메일 데이터에 대한 검색 가능 암호문인지 확인하기 위해서는 3번의 페어링 연산이 필요하다. 이때, 각 페어링 연산에서 수신 단말(140)로부터 전송받은 트랩도어의 성분과 이메일 서버에 저장된 검색 가능 암호문의 성분이 모두 이용되기 때문에, 트랩도어와 검색 가능 암호문이 공통된 키워드들을 포함하고 있지 않으면 상기의 [수학식 9]가 성립하지 않는다.Left side in [Equation 9]

)silver

,

Pairing operation

Divided by the right hand side (

) Are components of a searchable cipher

Sum and trapdoor components

Represents the value obtained by dividing the result of the pairing operation by the result of a similar pairing operation. The e-mail server 120 requires three pairing operations to confirm whether the searchable ciphertext under test is a searchable ciphertext for the e-mail data desired by the receiving terminal 140. At this time, since the components of the trapdoor received from the receiving terminal 140 and the components of the searchable ciphertext stored in the e-mail server are used in each pairing operation, the trapdoor and the searchable ciphertext do not include the common keywords. Equation 9 does not hold.

The e-mail server 120 checks whether the corresponding searchable ciphertext includes all keywords to be searched by the receiving terminal 140 through the establishment process of Equation 9 above.

일 경우, 상기의 [수학식 9]이 성립되는지를 확인하는 과정은 하기의 [수학식 10]에 나타나 있다.

In this case, the process of checking whether the above [Equation 9] is established is shown in the following [Equation 10].

On the other hand, the method of the present invention as described above can be written in a computer program. And the code and code segments constituting the program can be easily inferred by a computer programmer in the art. In addition, the written program is stored in a computer-readable recording medium (information storage medium), and read and executed by a computer to implement the method of the present invention. The recording medium may include any type of computer readable recording medium.

The present invention described above is capable of various substitutions, modifications, and changes without departing from the technical spirit of the present invention for those skilled in the art to which the present invention pertains. It is not limited by the drawings.

1 is a configuration diagram of an embodiment of an email system to which the present invention is applied;

2 is a flowchart illustrating an embodiment of a key generation method for preventing a dictionary attack according to the present invention;

3 is a flow chart of an embodiment of a searchable cipher text generation method for preventing a dictionary attack according to the present invention;

4 is a flowchart illustrating an embodiment of a trapdoor generation method for preventing a dictionary attack according to the present invention;

5 is a flowchart illustrating a data retrieval method for preventing a dictionary attack according to the present invention.

* Explanation of symbols for the main parts of the drawings

100: email system 110: key generation device

120: email server 130: sending terminal

140: receiving terminal

Claims (15)

In the key generation method for preventing a dictionary attack, A random number selection step of randomly selecting a random number according to a security parameter; Generating a private key using the selected random number, and generating a private key by dividing the private key into a first private key for generating a searchable ciphertext and a second private key for generating a trapdoor; And A public key generation step of generating a public key for data retrieval using the selected random number Key generation method for the prevention of dictionary attacks, including. The method of claim 1, The private key generation step, And generating a first private key using a random binary string among the selected random numbers. The method of claim 2, The private key generation step, And a second private key is generated using the random binary string. The method according to any one of claims 1 to 3, The public key generation step, And generating a public key by pairing the selected random number. In the searchable ciphertext generation method for preventing a dictionary attack, A data encryption step of encrypting the data; And A ciphertext generation step of generating a searchable ciphertext using a first private key among the keyword of the encrypted data and a private key of a receiving terminal. Searchable cipher text generation method for the prevention of dictionary attacks comprising a. The method of claim 5, wherein A transmission step of transmitting the encrypted data and the generated searchable ciphertext to a corresponding server Searchable cipher text generation method for preventing a dictionary attack further comprising a. The method according to claim 5 or 6, The cipher text generation step, A searchable cipher text is generated by using a keyword field value of the keyword, a value obtained by applying a first private key of the receiving terminal to a pseudo random number function, and a randomly selected random number. How to create a pass phrase. The method of claim 7, wherein The cipher text generation step, And generating each component of the searchable ciphertext corresponding to each keyword field value of the keyword. The method of claim 8, The first private key of the receiving terminal, A searchable cipher text generation method for preventing a dictionary attack, which is shared in advance in both a transmitting terminal and the receiving terminal according to a dictionary distribution scheme. The method of claim 8, The first private key of the receiving terminal, According to a key agreement method, a searchable cipher text generation method for preventing a dictionary attack, wherein a session key generated according to a key agreement protocol between a transmitting terminal and the receiving terminal is generated as a random seed. . The method of claim 8, The first private key of the receiving terminal, A searchable ciphertext generation method for preventing a dictionary attack, characterized in that transmitted in addition to a certificate from the receiving terminal according to a certificate method. In the data retrieval method for preventing a dictionary attack, A data and ciphertext receiving step of receiving a searchable ciphertext and encrypted data generated using a first private key at a transmitting terminal; A trap door receiving step of receiving a trap door generated using a second private key at a receiving terminal; And A search step of searching for a searchable ciphertext including the search keyword of the received trapdoor among the received searchable ciphertexts using the trapdoor and the public key of the receiving terminal; Data retrieval method for the prevention of dictionary attacks, including. The method of claim 12, A data transmission step of transmitting encrypted data corresponding to the searched searchable ciphertext to the receiving terminal as the searchable ciphertext including the search keyword of the trapdoor is searched. Data retrieval method for the prevention of dictionary attacks further comprising. The method according to claim 12 or 13, The search step, Using both the components of the searchable ciphertext generated by using the first private key and each component of the trapdoor generated by using the second private key, the trapdoor and the searchable ciphertext include keywords in common Data retrieval method for preventing dictionary attacks, characterized by checking whether there is. The method according to claim 12 or 13, The trap door is, And query information about the search keyword of the trapdoor and the second private key are generated.

Images