WO2018070932A1 - System and method for querying an encrypted database for documents satisfying an expressive keyword access structure - Google Patents


Info

Publication number
WO2018070932A1
Authority
WO
WIPO (PCT)
Prior art keywords
keyword
document
trapdoor
expressive
parameters
Application number
PCT/SG2017/050362
Inventor
Hui CUI
Zhiguo WAN
Robert H. Deng
Guilin Wang
Original Assignee
Huawei International Pte. Ltd.
Singapore Management University
Application filed by Huawei International Pte. Ltd., Singapore Management University

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08: Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816: Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085: Secret sharing or secret splitting, e.g. threshold schemes
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/602: Providing cryptographic facilities or services
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073: Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions

Definitions

  • This invention relates to a system and method for searching an encrypted database for documents satisfying an expressive keyword access structure.
  • the invention enables encrypted documents stored in a database to be searched to determine if there are documents that contain public-key encrypted keywords that satisfy an expressive keyword access structure, which contains conjunctive, disjunctive or any monotonic Boolean formulas whereby the search process is carried out without disclosing the underlying plaintext of the keywords in the encrypted documents.
  • This problem may be addressed by encrypting the information contained within the documents and storing the documents in the data servers in an encrypted format. By doing so, only the owner of the document and authorized users are able to access the information contained within the documents as the user would be the only one who would possess the secret key to decrypt the document.
  • it is highly desirable to have a searchable encryption scheme which allows the database provider to search through encrypted documents stored in its database on behalf of authorized users without gleaning information about the underlying plaintext contained therein.
  • Searchable encryption schemes that have been proposed thus far include a method that utilizes private-key encryption.
  • This private-key encryption scheme only allows a single user to search and retrieve their data. As such, the scheme is not suitable for cases where the encrypted documents are to be shared and/or have to be searchable by multiple authorized data users and/or data providers.
  • Another approach that has been proposed involves the use of private information retrieval (PIR) protocols. These protocols allow users to retrieve certain data-items from a database and the database publicly stores the data without revealing the data-item to the database administrator. This approach is not ideal as it requires the data to be made publicly available and this increases the likelihood of leaks occurring.
  • Other searchable encryption schemes that are commonly used in the art only support single or conjunctive keyword searches. Existing schemes that are able to perform expressive keyword searches are typically computationally inefficient as these schemes are based on bilinear pairings over the composite-order groups.
  • a first advantage of embodiments of systems and methods in accordance with embodiments of the invention is that the proposed system and method results in a scheme that is much faster than existing solutions.
  • a second advantage of embodiments of systems and methods in accordance with embodiments of the invention is that encrypted documents containing an expressive keyword access structure may be retrieved from a cloud server without revealing the contents of the encrypted documents to the cloud server.
  • a third advantage of embodiments of systems and methods in accordance with embodiments of the invention is that keywords associated with the generated trapdoors will not be readable by unauthorized users even though the trapdoors are transmitted through public channels.
  • a method for querying an encrypted database for documents containing an expressive keyword access structure using a computer server comprises receiving public parameters from a trapdoor server, wherein the public parameter is constant; generating a public key $g^{\gamma}$ and a private key $\gamma$ based on the received public parameters where $g$ is a generator for group $G$ and $\gamma$ is a random element; receiving a trapdoor $T_{M,\rho}$ associated with the expressive keyword access structure, wherein the trapdoor $T_{M,\rho}$ comprises: trapdoor parameters, a Linear Secret Sharing Scheme (LSSS) matrix $M$ having $l$ rows and $n$ columns, and a function $\rho$ mapping the rows of the LSSS matrix $M$ to generic names in a keyword set $W$ associated with the expressive keyword access structure, wherein the keyword set $W$ comprises the generic names and keyword values; and processing documents in the encrypted database that are pre-tagged with corresponding generic names N and corresponding ciphertext CT, wherein the processing the documents comprises: retrieving documents from the encrypted database tagged with at least one of the generic names contained in the keyword set $W$
  • the public parameter is constant rather than linear to the number of keywords, so the method can be used to support the search of a large number of keywords. This is very meaningful in a cloud storage system, where data are from different parties. If the keyword number allowed in the system is limited, then it is difficult to cover all the keywords that might appear in the documents to meet the searching requirements from all kinds of users.
  • the public parameters received from the trapdoor server is defined by:
  • H is a collision-resistant hash function mapping elements in G1 to elements in G
  • $G$ is a group of prime order $p$ with the generator $g$, $e: G \times G \to G_1$ is a symmetric bilinear pairing function, where ⁇ , ⁇ , ⁇ are random group elements in
  • the received trapdoor $T_{M,\rho}$ associated with the expressive keyword access structure is defined by the following equation: whereby the trapdoor parameters are defined as:
  • a ciphertext CT pre-tagged to a document in the encrypted database is defined by the following equation: whereby m is the size of the keyword set of the document, and the first value C of the ciphertext CT is defined as:
  • $W_i$ is the i-th keyword value in a keyword set of the document
  • $W_1, \ldots, W_m$ are the corresponding keyword values of the keyword set of the document
  • search token for a retrieved document is computed based on the following equation: search token
  • the public parameters received from the trapdoor server is defined by:
  • G is a group of prime order p with the generator is an asymmetric bilinear pairing function, where u, h, a) are random group elements in
  • the received trapdoor $T_{M,\rho}$ associated with the expressive keyword access structure is defined by the following equation:
  • trapdoor parameters are defined as:
  • $i \in \{1, \ldots, l\}$ whereby $l$ is the total number of rows in LSSS matrix $M$, $v_i$ is the value associated with a row $M_i$ of the LSSS matrix $M$, $M_i$ is the i-th row of LSSS matrix $M$, where where Zp are non ⁇
  • a ciphertext CT pre-tagged to a document in the encrypted database is defined by the following equation:
  • m is a size of the keyword set of the document
  • a first parameter C of the ciphertext CT is defined as:
  • $W_i$ is the i-th keyword value in a keyword set of the document
  • $W_1, \ldots, W_m$ are the corresponding keyword values of the keyword set of the document
  • Zp are non-zero residuals of a modular positive
  • search token for a retrieved document is computed based on the following equation: search token
  • the public key $g^{\gamma}$ is $g$ and the private key $\gamma$ is 1.
  • Figure 1 illustrating a block diagram of a system for searching an encrypted database for an expressive keyword access structure in accordance with embodiments of the invention
  • FIG. 2 illustrating a block diagram representative of processing systems providing embodiments in accordance with embodiments of the invention
  • FIG. 3 illustrating an exemplary access tree for converting a monotonic Boolean formula into an equivalent Linear Secret Sharing Scheme (LSSS) Matrix in accordance with embodiments of the invention
  • FIG. 4 illustrating a flow diagram of a process for querying an encrypted database of documents containing an expressive keyword access structure in accordance with embodiments of the invention.
  • This invention relates to a system and method for searching an encrypted database for documents satisfying an expressive keyword access structure whereby the expressive keyword access structure may include conjunctive, disjunctive or any monotonic Boolean formulas of a set of keywords.
  • the invention enables public-key encrypted documents stored in a database to be searched for such expressive keyword access structures whereby the search process, which may be initiated by any one of a plurality of authorized users, is carried out without disclosing the underlying plaintext of the words in the encrypted documents.
  • Figure 1 illustrates a block diagram of a system that includes modules and devices that execute processes to provide a method for searching an encrypted database for expressive keyword access structures in accordance with embodiments of the invention.
  • System 100 as illustrated in Figure 1 comprises encryption module 110, cloud server 115, trapdoor server 120, and searching server 125.
  • Module 110, servers 115, 120 and 125 may all be connected through wired connections or may be wirelessly connected to each other either through direct means such as fibre-network connections or indirect means - that is via the Internet.
  • Module 110 may be provided within, but is not limited to, any device that is able to carry out computing and wireless communicative functions such as a smart phone, a computer, a tablet computer, a mobile computer, a netbook, a wearable electronic device such as smart watch, smart plugs, or transceivers that may be found in smart devices or Internet of Things (IoT) enabled devices, etc.
  • IoT Internet of Things
  • servers 115, 120 and 125 may comprise secure cloud servers or remotely located secure servers which are able to communicate wirelessly with module 110 and multiple data owners and/or authorized users either through the Internet or through other communicative means.
  • These communicative means may comprise wired networks or wireless networks such as, but are not limited to, cellular networks, satellite networks, telecommunication networks, Wide Area Networks (WAN), Wireless-Fidelity (Wi-Fi), Bluetooth, or Near Field Communication (NFC).
  • WAN Wide Area Networks
  • Wi-Fi Wireless-Fidelity
  • NFC Near Field Communication
  • servers 115, 120 and 125 are also configured to store encrypted documents in a database and/or store private keys.
  • each of servers 115, 120 and 125 may be provided at different locations for increased security.
  • Figure 2 illustrates a block diagram representative of components of module 200 that may be provided within module 110 and servers 115, 120 and 125 for implementing embodiments in accordance with embodiments of the invention.
  • the exact configuration of each module provided within the electronic devices or the servers may be different and the exact configuration of module 200 may vary and Figure 2 is provided by way of example only.
  • module 200 comprises controller 201 and user interface 202.
  • User interface 202 is arranged to enable manual interactions between a user and module 200 and for this purpose includes the input/output components required for the user to enter instructions to control module 200.
  • components of user interface 202 may vary from embodiment to embodiment but will typically include one or more of display 240, keyboard 235 and track-pad 236.
  • Controller 201 is in data communication with user interface 202 via bus 215 and includes memory 220, processor 205 mounted on a circuit board that processes instructions and data for performing the method of this embodiment, an operating system 206, an input/output (I/O) interface 230 for communicating with user interface 202 and a communications interface, in this embodiment in the form of a network card 250.
  • Network card 250 may, for example, be utilized to send data from electronic device 200 via a wired or wireless network to other processing devices or to receive data via the wired or wireless network.
  • Wireless networks that may be utilized by network card 250 include, but are not limited to, Wireless-Fidelity (Wi-Fi), Bluetooth, Near Field Communication (NFC), cellular networks, satellite networks, telecommunication networks, Wide Area Networks (WAN), etc.
  • Memory 220 and operating system 206 are in data communication with CPU 205 via bus 210.
  • the memory components include both volatile and non-volatile memory and more than one of each type of memory, including Random Access Memory (RAM) 220, Read Only Memory (ROM) 225 and a mass storage device 245, the last comprising one or more solid-state drives (SSDs).
  • RAM Random Access Memory
  • ROM Read Only Memory
  • SSDs solid-state drives
  • Memory 220 also includes secure storage 246 for securely storing secret keys, or private keys. It should be noted that the contents within secure storage 246 are only accessible by a super-user or administrator of module 200 and may not be accessed by any user of module 200.
  • the memory components described above comprise non-transitory computer-readable media and shall be taken to comprise all computer-readable media except for a transitory, propagating signal.
  • the instructions are stored as program code in the memory components but can also be hardwired.
  • processor 205 may be provided by any suitable logic circuitry for receiving inputs, processing them in accordance with instructions stored in memory and generating outputs (for example to the memory components or on display 240).
  • processor 205 may be a single core or multi-core processor with memory addressable space.
  • processor 205 may be multi-core, comprising, for example, an 8 core CPU.
  • trapdoor server 120 will first generate public parameters pars and master private key msk. Trapdoor server 120 then provides public parameters pars to encryption module 110 and searching server 125. It should be noted that the master private key msk is only kept by trapdoor server 120 and is not transmitted to any other entity.
  • In order to generate public parameters pars and master private key msk, trapdoor server 120 first takes the security parameter as its input and then randomly chooses a
  • trapdoor server 120 also randomly chooses a , and computes ⁇
  • H is a collision-resistant hash
  • both $G$ and $G_1$ are understood to comprise two groups of prime order $p$, and $g$ is a generator of $G$.
  • the function $e: G \times G \to G_1$ is understandably identified as a bilinear map if it has the following properties:
  • $G$ is also identified as a bilinear group if the group operation in $G$ is efficiently computable and there exists a group $G_1$ and an efficiently computable bilinear map as above.
  • Upon receiving the public parameter pars from trapdoor server 120, searching server 125 will then randomly choose $\gamma \in Z_p$, and based on the selected parameter, searching server 125 will then compute the public and private key pair $(pk_s, sk_s)$ as $(g^{\gamma}, \gamma)$. Once the key pair has been computed, this key pair is then provided to trapdoor server 120 from searching server 125. Trapdoor server 120 will utilize these parameters later on in the generation of trapdoors for expressive keyword access structures as requested by authorized data users.
  • documents 105 illustrate a set of documents, from Document 1 - n, that have been appended with their respective keyword sets.
  • each keyword value in W(i) may be represented by a numerical value such as, but not limited to, the keyword's equivalent ASCII value.
  • any references made to a keyword access structure, an access policy or a search predicate all refer to monotone type access structures.
  • other types of general access structures may be realized in embodiments of this invention if the attribute universe were to be split in half and by treating the attributes of one half as the negated (NOT) version of the attributes in the other half.
  • NOT negated
  • the keyword access structures may be described in terms of monotonic Boolean formulas and these formulas may be converted into a corresponding Linear Secret Sharing Scheme (LSSS) matrix. This will be described in greater detail with reference to Figures 3 and 4 in the later sections.
  • LSSS Linear Secret Sharing Scheme
  • documents 105 comprising Documents 1-n with their respective appended keyword sets are then provided to encryption module 110.
  • encryption module 110 would have received and stored the public parameters pars that were provided by trapdoor server 120.
  • the content or plaintext in Documents 1-n may be encrypted using any encryption scheme known to a person skilled in the art and that ciphertext contained in Documents 1-n may subsequently be decrypted using a corresponding decryption scheme known to a person skilled in the art.
  • the encryption of the content of Documents 1-n may take place within encryption module 110.
  • Upon receiving documents 105 (comprising Documents 1-n with their respective appended keyword sets), encryption module 110 will then select a first document together with its appended keyword set, i.e. Document 1 that has been appended with Keyword Set 1.
  • Keyword Set 1 comprises two groups of plaintext - a first group comprising generic names and a second group comprising the generic names' corresponding keyword values.
  • only the plaintext contained in the keyword values is encrypted into ciphertext using encryption module 110.
  • each individual keyword value may be represented by a numerical value.
  • An integer m is then used to denote the overall size of keyword value W, and is used to represent the values of W.
  • each encrypted document stored in cloud server 115 would be appended with its tagged or appended keyword set whereby each keyword set contains a list of generic names and its ciphertext CT.
  • When an authorized user wishes to obtain all encrypted documents stored in cloud server 115 that contain a set of keywords SW that satisfy expressive keyword access structure 133, access structure 133 that contains keywords SW will first have to be converted into a Linear Secret Sharing Scheme (LSSS) matrix M.
  • access structure 133 comprises a monotonic Boolean formula and this Boolean formula is converted into an equivalent LSSS matrix by the authorized user.
  • the Boolean formula may be represented as an access tree, of which the interior nodes comprise "AND" and "OR" logic operators or gates, and the leaf nodes represent the corresponding attributes.
  • the values in the vector (1, 0, 0) are denoted as the sharing vector for the LSSS matrix.
  • the root node of the tree is labeled with a vector of length 1, which is vector (1), and that each node is labeled with a vector determined by the vector assigned to its parent node.
  • a global counter variable c which is preset to 1.
  • If the parent node is an OR gate labelled by a vector v, its children will be labelled by v as well, and the value of its global counter variable c remains the same.
  • If the parent node is an AND gate labelled by a vector v, v will be padded with 0s at the end, if required, in order to increase its length to c.
  • One of its children will then be labelled with the vector v
  • 0. Once this is done, the value of c is increased by one i.e. c c + 1.
  • the vectors labelling the leaf nodes form the rows I of the LSSS matrix. If these vectors forming these rows are of different lengths, the shorter vectors will be padded with 0s at the end so that all the vectors will be equal in length.
  • the LSSS matrix for this access structure 133 is generated as follows.
  • the global counter variable c is increased to 2.
  • For the left and right child of node 320, as node 320 is an AND gate labelled with (0, -1), the global counter variable c will be increased to 3.
  • the left child 325 of the AND node 320, corresponding to Illness Diabetes, is then labelled as (0, -1, 1) because this node is labelled with (0, -1 | 1), and the right child 330, corresponding to Gender Male, is then labelled as (0, 0, -1) because this node is labelled with (0, 0 | -1).
  • the vectors in nodes 305 and 315 will be padded with 0s at the end and this results in node 305 being represented as (1, 1, 0) and node 315 being represented as (0, -1, 0).
  • the resulting LSSS matrix M for this example is:
  • access structure 133 containing keywords SW has been converted into LSSS matrix M
  • the access structure 133 may then be represented as LSSS access structure instead where, $\rho$ is a function that associates the rows of $M$ to the generic names in keywords SW, and are the corresponding keyword values in keywords SW.
  • $M_i$ is the i-th row of $M$ for $i \in \{1, \ldots, l\}$, and $\rho(i)$ is the generic keyword name associated with this row by the mapping $\rho$.
  • Trapdoor server 120 randomly chooses a vector where
  • trapdoor server 120 compute the trapdoor
  • when the trapdoor $T_{M,\rho}$ is computed, it only includes the partial hidden access structure $(M, \rho)$ and the actual names of the keyword values are omitted.
  • the trapdoor $T_{M,\rho}$ is then transmitted at step 136 from trapdoor server 120 to the authorized user.
  • the authorized user then transmits the trapdoor $T_{M,\rho}$ for LSSS access structure to searching server 125 at step 138 so that searching server 125
  • server 125 will retrieve documents appended with keyword sets that contain at least one of the generic names as found in the function $\rho$ of the received trapdoor $T_{M,\rho}$. Such an initial matching of the generic keyword names greatly reduces the overall searching time of the documents.
  • Searching server 125 will then use the public parameter pars, the private key $sk_s$, and the received trapdoor $T_{M,\rho}$ for the LSSS access structure to test each retrieved
  • Searching server 125 will initiate this process by selecting a first retrieved document together with its appended keyword set containing its ciphertext CT. A search token is then computed for this first retrieved document whereby the search token is computed using the following equation:
  • the search token equals "0" if this equation is not satisfied and conversely, the search token equals "1" if this equation is satisfied.
  • parameters used to compute the search token are obtained from the parameters contained in the ciphertext CT that is contained in the keyword set appended to the first retrieved document. Further, it should be noted that where is the set of all
  • the modules in system 100 may be adapted for an asymmetric bilinear pairing in which bilinear pairings may be calculated faster than the
  • system 100 may be transformed from symmetric bilinear maps to asymmetric bilinear maps.
  • trapdoor server 120 performs the similar steps as described above except that the previously used parameters will be
  • searching server 125 will repeat the similar steps as described above except that the public and private key pair (pk s ,sk s ) is computed as
  • trapdoor server 120 computes the trapdoor using the equation
  • module 110 computes the ciphertext CT
  • the similar equation as previously described is utilized except that the term is replaced with the term This replacement takes place in parameters D during
  • searching server 125 will compute the search token as described above except that the term H will be replaced by
  • a method for querying an encrypted database for documents containing an expressive keyword access structure using a computer server comprises the following four steps:
  • Step 1 receiving public parameters from a trapdoor server
  • Step 2 generating a public key $g^{\gamma}$ and a private key $\gamma$ based on the received public parameters where $g$ is a generator for group $G$ and $\gamma$ is a random element;
  • Step 3 receiving a keyword set $W$ for the expressive keyword access structure, wherein the keyword set $W$ comprises generic names and keyword values, and receiving a trapdoor $T_{M,\rho}$ associated with the expressive keyword access structure, wherein the trapdoor $T_{M,\rho}$ comprises: trapdoor parameters, a Linear Secret Sharing Scheme (LSSS) matrix $M$ having $l$ rows and $n$ columns, and a function $\rho$ mapping the rows of the LSSS matrix $M$ to the generic names in the keyword set $W$;
  • Step 4 processing documents in the encrypted database that are pre-tagged with corresponding generic names N and corresponding ciphertext CT, wherein the processing the documents comprises: retrieving documents from the encrypted database tagged with at least one of the generic names contained in the keyword set $W$; computing a search token for each retrieved document, whereby each search token is computed based on parameters obtained from the ciphertext CT tagged to each document, parameters contained in the trapdoor $T_{M,\rho}$, the private key $\gamma$ and the public parameters; determining, for each retrieved document, if the computed search token for the document matches with a first parameter in ciphertext CT tagged to the document, whereby if a match is determined, indicating the document contains the expressive keyword access structure.
  • FIG. 4 illustrates process 400 that is performed by a module or computer processor installed within an electronic device or server to query an encrypted database for documents containing an expressive keyword access structure in accordance with embodiments of this invention.
  • Process 400 begins at step 405 whereby process 400 receives the public parameters from a server.
  • the public parameters pars are stored in a secure memory or a secure database and are only accessible by process 400.
  • Process 400 then proceeds to generate public and private key pairs at step 410 using the parameters received at step 405.
  • Process 400 then receives the trapdoor at step 420 for the expressive keyword access structure.
  • a first document is then retrieved from the encrypted database by process 400 at step 425.
  • process 400 will add the retrieved document to a document list at step 435. Conversely, if the generic names contained within the trapdoor do not match with the generic names contained in the keyword set appended to the retrieved document at step 430, process 400 will proceed to step 440 instead and select a next document at this step. If at step 440 process 400 determines there is another document that has not yet been selected, process 400 will proceed to step 430 whereby steps 430 to 440 will repeat until all documents have been selected. Process 400 then proceeds to step 445.
  • step 430 if process 400 determines that a retrieved document has been added to a document list at step 435, process 400 will then proceed to step 440 to select the next document. Process 400 repeats steps 435 to 440 until all documents have been processed by process 400.
  • a first document from the retrieved document list is selected by process 400.
  • Process 400 then proceeds to compute a search token for the selected document. If process 400 determines at step 455 that the search token matches with the first parameter in the ciphertext appended or tagged to the selected document, process 400 will proceed to step 460 where it will indicate that the selected document contains the expressive keyword access structure. Process 400 then proceeds to step 465 to select another document.
  • process 400 determines at step 455 that the search token does not match with the first parameter C, in ciphertext CT, process 400 will proceed to step 465 instead.
  • process 400 will select the next document and if there is another document to select, process 400 repeats from step 465 to 455. Alternatively, if all the documents have been selected, process 400 then ends.

Abstract

This document describes a system and method for searching an encrypted database for documents containing an expressive keyword access structure. In particular, this document describes a system and method that enables encrypted documents stored in a database to be searched for expressive keyword access structures that contain conjunctive, disjunctive or any monotonic Boolean formulas whereby the search process is carried out without disclosing the underlying plaintext of the keywords in the encrypted documents.

Description

SYSTEM AND METHOD FOR QUERYING AN ENCRYPTED DATABASE FOR DOCUMENTS SATISFYING AN EXPRESSIVE KEYWORD ACCESS STRUCTURE
Field of the Invention
This invention relates to a system and method for searching an encrypted database for documents satisfying an expressive keyword access structure. In particular, the invention enables encrypted documents stored in a database to be searched to determine if there are documents that contain public-key encrypted keywords that satisfy an expressive keyword access structure, which contains conjunctive, disjunctive or any monotonic Boolean formulas whereby the search process is carried out without disclosing the underlying plaintext of the keywords in the encrypted documents.
Summary of the Prior Art
Most users tend to store various types of documents, including documents that contain private and sensitive information, in remote data servers. Such data servers are typically managed and owned by an external entity. While contractual obligations would compel the external entity to take security measures to ensure that no unauthorized access of documents stored within the data servers occur, there may be little that prevents the external entity itself from accessing the sensitive information contained within these documents should they wish to do so. Further, although the external entity would have taken security measures to prevent unauthorized access to documents stored within the data servers, security breaches may still inadvertently occur resulting in access to the documents being granted accidentally.
This problem may be addressed by encrypting the information contained within the documents and storing the documents in the data servers in an encrypted format. By doing so, only the owner of the document and authorized users are able to access the information contained within the documents as the user would be the only one who would possess the secret key to decrypt the document. In order to facilitate the use and sharing of data contained within the encrypted documents with multiple authorized users, it is highly desirable to have a searchable encryption scheme which allows the database provider to search through encrypted documents stored in its database on behalf of authorized users without gleaning information about the underlying plaintext contained therein.
Searchable encryption schemes that have been proposed thus far include a method that utilizes private-key encryption. This private-key encryption scheme only allows a single user to search and retrieve their data. As such, the scheme is not suitable for use in cases whereby the encrypted documents are to be shared and/or have to be searchable by multiple authorized data users and/or data providers. Another approach that has been proposed involves the use of private information retrieval (PIR) protocols. These protocols allow users to retrieve certain data-items from a database and the database publicly stores the data without revealing the data-item to the database administrator. This approach is not ideal as it requires the data to be made publicly available and this increases the likelihood of leaks occurring. Other searchable encryption schemes that are commonly used in the art only support single or conjunctive keyword searches. Existing schemes that are able to perform expressive keyword searches are typically computationally inefficient as these schemes are based on bilinear pairings over composite-order groups.
For the above reasons, those skilled in the art are constantly striving to come up with a system and method that allows a user to search an encrypted database for documents containing a particular expressive keyword access structure in a computationally efficient manner.
Summary of the Invention
We provide systems and methods to improve the efficiency of searchable encryption schemes for keyword search policies expressed in conjunctive, disjunctive or monotonic Boolean formulas as set out by the embodiments in accordance with the invention.
A first advantage of embodiments of systems and methods in accordance with embodiments of the invention is that the proposed system and method results in a scheme that is much faster than existing solutions.
A second advantage of embodiments of systems and methods in accordance with embodiments of the invention is that encrypted documents containing an expressive keyword access structure may be retrieved from a cloud server without revealing the contents of the encrypted documents to the cloud server.
A third advantage of embodiments of systems and methods in accordance with embodiments of the invention is that keywords associated with the generated trapdoors will not be readable by unauthorized users even though the trapdoors are transmitted through public channels.
According to a first aspect of the invention, a method for querying an encrypted database for documents containing an expressive keyword access structure using a computer server comprises receiving public parameters from a trapdoor server, wherein the public parameter is constant; generating a public key g^γ and a private key γ based on the received public parameters where g is a generator for group G and γ is a random element; receiving a trapdoor TM,ρ associated with the expressive keyword access structure, wherein the trapdoor TM,ρ comprises: trapdoor parameters, a Linear Secret Sharing Scheme (LSSS) matrix M having l rows and n columns, and a function ρ mapping the rows of the LSSS matrix M to generic names in a keyword set W associated with the expressive keyword access structure, wherein the keyword set W comprises the generic names and keyword values; and processing documents in the encrypted database that are pre-tagged with corresponding generic names N and corresponding ciphertext CT, wherein the processing the documents comprises: retrieving documents from the encrypted database tagged with at least one of the generic names contained in the keyword set W; computing a search token for each retrieved document, whereby each search token is computed based on parameters obtained from the ciphertext CT tagged to each document, parameters contained in the trapdoor TM,ρ, the private key γ and the public parameters; determining, for each retrieved document, if the computed search token for the document matches with a first parameter in ciphertext CT tagged to the document, whereby if a match is determined, indicating the document contains the expressive keyword access structure.
In the setup phase of construction, the public parameter is constant rather than linear in the number of keywords, so the method can be used to support the search of a large number of keywords. This is very meaningful in a cloud storage system, where data are from different parties. If the keyword number allowed in the system is limited, then it is difficult to cover all the keywords that might appear in the documents to meet the searching requirements from all kinds of users.
With reference to the first aspect, in a first possible implementation manner of the first aspect, the public parameters received from the trapdoor server is defined by:
Figure imgf000006_0001
where H is a collision-resistant hash function mapping elements in G1 to elements in G, G is a group of prime order p with the generator g, e: G × G → G1 is a symmetric bilinear pairing function, where u, h, w are random group elements in
Figure imgf000007_0009
where where Z* are non-zero residuals of modular p.
Figure imgf000007_0007
Figure imgf000007_0008
With reference to the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the received trapdoor TM,ρ associated with the expressive keyword access structure is defined by the following equation:
Figure imgf000007_0002
whereby the trapdoor parameters are defined as:
Figure imgf000007_0001
where whereby l is the total number of rows in LSSS matrix M, vi is the value
Figure imgf000007_0006
associated with a row Mi of the LSSS matrix M, Mi is the i-th row of LSSS matrix M,
Figure imgf000007_0003
( where where are
Figure imgf000007_0004
Figure imgf000007_0005
residuals of modular p.
With reference to the second possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, a ciphertext CT pre-tagged to a document in the encrypted database is defined by the following equation:
Figure imgf000007_0010
whereby m is the size of the keyword set of the document, and the first value C of the ciphertext CT is defined as:
Figure imgf000008_0005
where,
Figure imgf000008_0001
where Wi is the i-th keyword value in a keyword set of the document, W1, ..., Wm are the corresponding keyword values of the keyword set of the document, and
Figure imgf000008_0002
With reference to the third possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, the search token for a retrieved document is computed based on the following equation: search token
Figure imgf000008_0003
whereby where is the set of all minimum subsets satisfying (M, p) and
Figure imgf000008_0006
Figure imgf000008_0007
Figure imgf000008_0004
With reference to the first aspect, in a fifth possible implementation manner of the first aspect the public parameters received from the trapdoor server is defined by:
Figure imgf000008_0008
where G is a group of prime order p with the generator
Figure imgf000008_0011
is an asymmetric bilinear pairing function, where u, h, w are random group elements in
Figure imgf000008_0012
where wherein the public key g^γ is replaced
Figure imgf000008_0009
Figure imgf000008_0010
by
Figure imgf000008_0013
With reference to the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, the received trapdoor TM,ρ associated with the expressive keyword access structure is defined by the following equation:
Figure imgf000009_0001
whereby the trapdoor parameters are defined as:
Figure imgf000009_0002
where i ∈ {1, ..., l} whereby l is the total number of rows in LSSS matrix M, vi is the value associated with a row Mi of the LSSS matrix M, Mi is the i-th row of LSSS matrix M, where where Zp are non-zero
Figure imgf000009_0003
Figure imgf000009_0004
residuals of a modular positive integer p.
With reference to the sixth possible implementation manner of the first aspect, in a seventh possible implementation manner of the first aspect, a ciphertext CT pre-tagged to a document in the encrypted database is defined by the following equation:
Figure imgf000009_0005
whereby m is a size of the keyword set of the document, and a first parameter C of the ciphertext CT is defined as:
Figure imgf000009_0006
where,
Figure imgf000010_0005
where Wi is the i-th keyword value in a keyword set of the document, W1, ..., Wm are the corresponding keyword values of the keyword set of the document, and where Zp are non-zero residuals of a modular positive
Figure imgf000010_0006
integer p.
With reference to the seventh possible implementation manner of the first aspect, in an eighth possible implementation manner of the first aspect, the search token for a retrieved document is computed based on the following equation: search token
Figure imgf000010_0001
whereby where is the set of all minimum subsets satisfying (M, p) and
Figure imgf000010_0003
Figure imgf000010_0004
Figure imgf000010_0002
With reference to the first aspect, in a ninth possible implementation manner of the first aspect, the public key g^γ is g and the private key γ is 1.
With reference to the fifth possible implementation of the first aspect, in a tenth possible implementation manner of the first aspect, the public key g^γ is g and the private key γ is 1.
Brief Description of the Drawings
The above advantages and features in accordance with this invention are described in the following detailed description and are shown in the following drawings:
Figure 1 illustrating a block diagram of a system for searching an encrypted database for an expressive keyword access structure in accordance with embodiments of the invention;
Figure 2 illustrating a block diagram representative of processing systems providing embodiments in accordance with embodiments of the invention;
Figure 3 illustrating an exemplary access tree for converting a monotonic Boolean formula into an equivalent Linear Secret Sharing Scheme (LSSS) Matrix in accordance with embodiments of the invention; and
Figure 4 illustrating a flow diagram of a process for querying an encrypted database of documents containing an expressive keyword access structure in accordance with embodiments of the invention.
Detailed Description
This invention relates to a system and method for searching an encrypted database for documents satisfying an expressive keyword access structure whereby the expressive keyword access structure may include conjunctive, disjunctive or any monotonic Boolean formulas of a set of keywords. In particular, the invention enables public-key encrypted documents stored in a database to be searched for such expressive keyword access structures whereby the search process, which may be initiated by any one of a plurality of authorized users, is carried out without disclosing the underlying plaintext of the words in the encrypted documents.
Figure 1 illustrates a block diagram of a system that includes modules and devices that execute processes to provide a method for searching an encrypted database for expressive keyword access structures in accordance with embodiments of the invention. System 100 as illustrated in Figure 1 comprises encryption module 110, cloud server 115, trapdoor server 120, and searching server 125. Module 110, servers 115, 120 and 125 may all be connected through wired connections or may be wirelessly connected to each other either through direct means such as fibre-network connections or indirect means - that is via the Internet. Module 110 may be provided within, but is not limited to, any device that is able to carry out computing and wireless communicative functions such as a smart phone, a computer, a tablet computer, a mobile computer, a netbook, a wearable electronic device such as a smart watch, smart plugs, or transceivers that may be found in smart devices or Internet of Things (IoT) enabled devices, etc.
As for servers 115, 120 and 125, these servers may comprise secure cloud servers or remotely located secure servers which are able to communicate wirelessly with module 110 and multiple data owners and/or authorized users either through the Internet or through other communicative means. These communicative means may comprise wired networks or wireless networks such as, but are not limited to, cellular networks, satellite networks, telecommunication networks, Wide Area Networks (WAN), Wireless-Fidelity (Wi-Fi), Bluetooth, or Near Field Communication (NFC). In addition to being configured to carry out computing and wireless communicative functions, servers 115, 120 and 125 are also configured to store encrypted documents in a database and/or store private keys. In embodiments of the invention, for increased security, each of servers 115, 120 and 125 may be provided at different locations.
Figure 2 illustrates a block diagram representative of components of module 200 that may be provided within module 110 and servers 115, 120 and 125 for implementing embodiments in accordance with embodiments of the invention. One skilled in the art will recognize that the exact configuration of each module provided within the electronic devices or the servers may be different and the exact configuration of module 200 may vary and Figure 2 is provided by way of example only.
In embodiments of the invention, module 200 comprises controller 201 and user interface 202. User interface 202 is arranged to enable manual interactions between a user and module 200 and for this purpose includes the input/output components required for the user to enter instructions to control module 200. A person skilled in the art will recognize that components of user interface 202 may vary from embodiment to embodiment but will typically include one or more of display 240, keyboard 235 and track-pad 236.
Controller 201 is in data communication with user interface 202 via bus 215 and includes memory 220, processor 205 mounted on a circuit board that processes instructions and data for performing the method of this embodiment, an operating system 206, an input/output (I/O) interface 230 for communicating with user interface 202 and a communications interface, in this embodiment in the form of a network card 250. Network card 250 may, for example, be utilized to send data from electronic device 200 via a wired or wireless network to other processing devices or to receive data via the wired or wireless network. Wireless networks that may be utilized by network card 250 include, but are not limited to, Wireless-Fidelity (Wi-Fi), Bluetooth, Near Field Communication (NFC), cellular networks, satellite networks, telecommunication networks, Wide Area Networks (WAN), etc. Memory 220 and operating system 206 are in data communication with CPU 205 via bus 210. The memory components include both volatile and non-volatile memory and more than one of each type of memory, including Random Access Memory (RAM) 220, Read Only Memory (ROM) 225 and a mass storage device 245, the last comprising one or more solid-state drives (SSDs). Memory 220 also includes secure storage 246 for securely storing secret keys, or private keys. It should be noted that the contents within secure storage 246 are only accessible by a super-user or administrator of module 200 and may not be accessed by any user of module 200. One skilled in the art will recognize that the memory components described above comprise non-transitory computer-readable media and shall be taken to comprise all computer-readable media except for a transitory, propagating signal. Typically, the instructions are stored as program code in the memory components but can also be hardwired.
Memory 220 may include a kernel and/or programming modules such as a software application that may be stored in either volatile or non-volatile memory.
Herein the term "processor" is used to refer generically to any device or component that can process such instructions and may include: a microprocessor, microcontroller, programmable logic device or other computational device. That is, processor 205 may be provided by any suitable logic circuitry for receiving inputs, processing them in accordance with instructions stored in memory and generating outputs (for example to the memory components or on display 240). In this embodiment, processor 205 may be a single core or multi-core processor with memory addressable space. In one example, processor 205 may be multi-core, comprising— for example— an 8 core CPU.
With reference to Figure 1, before any documents may be encrypted by module 110 and uploaded into cloud server 115, trapdoor server 120 will first generate public parameters pars and master private key msk. Trapdoor server 120 then provides public parameters pars to encryption module 110 and searching server 125. It should be noted that the master private key msk is only kept by trapdoor server 120 and is not transmitted to any other entity.
In order to generate public parameters pars and master private key msk, trapdoor server 120 first takes the security parameter as its input and then randomly chooses a
Figure imgf000015_0009
group G of prime order p, a generator g and random group elements u, h, w ∈ G. In addition, trapdoor server 120 also randomly chooses a , and computes ^
Figure imgf000015_0007
Figure imgf000015_0008
Finally, based on the above, trapdoor server 120 then
Figure imgf000015_0005
generates the master private key and publishes the public parameter
Figure imgf000015_0006
where H is a collision-resistant hash
Figure imgf000015_0013
function that maps an element belonging to G1 to an element belonging to G.
It should be noted at this stage, that the following computational assumptions are used in embodiments of the invention. For example, when the bracket "[ ]" is used to encapsulate a positive integer n, it shall be understood that [n] denotes the set of all positive integers less or equal to It shall also be understood that the term
Figure imgf000015_0004
Figure imgf000015_0003
represents all residuals of a modular positive integer
Figure imgf000015_0002
while denotes the set of all non-zero residuals of modular
Figure imgf000015_0001
Bilinear Pairing Functions:
For this function, both G and G1 are understood to comprise two groups of prime order p, and g is a generator of G. Hence, the function e : G × G → G1 is understandably identified as a bilinear map if it has the following properties:
• Computable: ) can be computed efficiently.
Figure imgf000015_0010
• Bilinear:
Figure imgf000015_0011
• Non-degenerate: where 1 is the identity of group G1
Figure imgf000015_0012
In this example, G is also identified as a bilinear group if the group operation in G is efficiently computable and there exists a group G1 and an efficiently computable bilinear map as above.
Figure imgf000016_0008
Decisional Bilinear Diffie-Hellman Assumption:
For any probabilistic polynomial-time algorithm, given
Figure imgf000016_0003
it is difficult to distinguish from Z, where g is a generator of G, and and a, b, c ∈ Zp, are
Figure imgf000016_0009
Figure imgf000016_0012
chosen independently and uniformly at random, while is a computable
Figure imgf000016_0011
bilinear map as defined above.
Decisional (q-2) Assumption:
For any probabilistic polynomial-time algorithm, given
Figure imgf000016_0010
g,g ,g ,g ,g , and it is difficult to distinguish from
Figure imgf000016_0001
Figure imgf000016_0002
Z, where q is a given integer, g is a generator of G, and Z ∈ G1, and x, y, z, b1, ..., bq ∈ Zp, are chosen independently and uniformly at random, while e: G × G → G1 is a computable bilinear map as defined above.
Decisional Linear Assumption:
For any probabilistic polynomial-time algorithm, given and it is difficult
Figure imgf000016_0004
Figure imgf000016_0005
to distinguish from Z, where q is a given integer, g is a generator of G, and Z ∈ G1, and
Figure imgf000016_0007
are chosen independently and uniformly at random, while e: G × G → G1 is
Figure imgf000016_0006
a computable bilinear map as defined above.
Upon receiving the public parameter pars from trapdoor server 120, searching server 125 will then randomly choose γ ∈ Zp, and based on the thus selected parameter, searching server 125 will then compute the public and private key pair (pks, sks) as (g^γ, γ). Once the key pair has been computed, this key pair is then provided to trapdoor server 120 from searching server 125. Trapdoor server 120 will utilize these parameters later on in the generation of trapdoors for expressive keyword access structures as requested by authorized data users.
Before a document owner uploads an encrypted document to be stored in cloud server 115, the document owner will first have to append each encrypted document with encrypted keyword sets. This is accomplished with the owner first identifying key terms/phrases or index terms that may be used to identify the content of a document. These key/index terms or phrases are then appended to the document as a keyword set. In Figure 1, documents 105 illustrate a set of documents, from Document 1-n, that have been appended with their respective keyword sets. It should be noted that each keyword in a keyword set is divided into a generic name N = {N(1), ..., N(i)} and a keyword value W = {W(1), ..., W(i)} whereby the value (i) illustrates the relationship between a particular generic name with a particular keyword value. For example, the keyword set 1 for Document 1 may be taken to contain "Affiliation = City Hospital", "Department = Medicine", "Illness = Diabetes", and "Gender = Male". The generic names N for this keyword set 1 would be N(1) = Affiliation, N(2) = Department, N(3) = Illness and N(4) = Gender while the keyword values W for this keyword set 1 would be W(1) = City Hospital, W(2) = Medicine, W(3) = Diabetes and W(4) = Male. Further, in embodiments of the invention, each keyword value in W(i) may be represented by a numerical value such as, but not limited to, the keyword's equivalent ASCII value. By dividing each keyword contained within a keyword set into a generic name and a keyword value, an authorized user of system 100 may then later on search and subsequently retrieve all encrypted documents containing certain keywords that satisfy a certain keyword access structure. An example of a monotone type keyword access structure is "Affiliation = City Hospital AND (Department = Medicine OR (Illness = Diabetes AND Gender = Male))".
In this description, any references made to a keyword access structure, an access policy or a search predicate all refer to monotone type access structures. However, it should be noted that other types of general access structures may be realized in embodiments of this invention if the attribute universe were to be split in half and by treating the attributes of one half as the negated (NOT) version of the attributes in the other half. A person skilled in the art will also note that the keyword access structures may be described in terms of monotonic Boolean formulas and these formulas may be converted into a corresponding Linear Secret Sharing Scheme (LSSS) matrix. This will be described in greater detail with reference to Figures 3 and 4 in the later sections.
Once all the keyword sets containing keywords (and their corresponding generic names and keyword values) have been appended to each respective document, documents 105 comprising Documents 1-n with their respective appended keyword sets are then provided to encryption module 110. To recap, as the initial setup procedures have been completed as previously discussed, encryption module 110 would have received and stored the public parameters pars that were provided by trapdoor server 120. At this stage, it should be noted that the content or plaintext in Documents 1-n may be encrypted using any encryption scheme known to a person skilled in the art and that ciphertext contained in Documents 1-n may subsequently be decrypted using a corresponding decryption scheme known to a person skilled in the art. The encryption of the content of Documents 1-n may take place within encryption module 110.
Upon receiving documents 105 (comprising Documents 1-n with their respective appended keyword sets), encryption module 110 will then select a first document together with its appended keyword set, i.e. Document 1 that has been appended with Keyword Set 1. As previously discussed, each keyword contained within each keyword set is divided into a generic name and a keyword value. Hence, Keyword Set 1 comprises two groups of plaintext - a first group comprising generic names and a second group comprising the generic names' corresponding keyword values. In embodiments of the invention, only the plaintext contained in the keyword values is encrypted into ciphertext using encryption module 110.
In order to encrypt the keyword values in Keyword Set 1 into ciphertext CT1, module 110 will initiate the process by retrieving the public parameter pars from its records and keyword values W = {W(1), ..., W(m)} from Keyword Set 1 whereby "m" represents the mth keyword value of W in Keyword Set 1. As mentioned above, each individual keyword value may be represented by a numerical value. An integer m is then used to denote the overall size of keyword value W, and is used to represent the values of W. Module
Figure imgf000019_0003
110 then randomly chooses values for elements and
Figure imgf000019_0002
computes a ciphertext C for the keyword values W using the following equation:
Figure imgf000019_0006
Figure imgf000019_0001
where
Figure imgf000019_0005
( ) 2
Figure imgf000019_0004
Once ciphertext has been computed for Keyword Set 1, module 110 will then
Figure imgf000020_0001
replace all the keyword values in Keyword Set 1 with ciphertext C Document 1 will then be
Figure imgf000020_0002
transmitted to cloud server 115 at step 132 and it should be noted that at this step, the contents of Document 1 would have been encrypted and that this Document 1 is appended with Keyword
Figure imgf000020_0004
whereby Keyword Set 1 includes the generic names, which remain unencrypted, and ciphertext This process is then repeated for all the documents
Figure imgf000020_0003
contained within documents 105 until all the documents have been uploaded into cloud server 115 whereby each encrypted document stored in cloud server 115 would be appended with its tagged or appended keyword set whereby each keyword set contains a list of generic names and its ciphertext CT.
When an authorized user wishes to obtain all encrypted documents stored in cloud server 115 that contain a set of keywords SW that satisfy expressive keyword access structure 133, access structure 133 that contains keywords SW will first have to be converted into a Linear Secret Sharing Scheme (LSSS) matrix M. In this embodiment of the invention, access structure 133 comprises a monotonic Boolean formula and this Boolean formula is converted into an equivalent LSSS matrix by the authorized user.
In order to do so, it shall be assumed that the Boolean formula may be represented as an access tree, of which the interior nodes comprise "AND" and "OR" logic operators or gates, and the leaf nodes represent the corresponding attributes. The values in the vector (1, 0, ..., 0) are denoted as the sharing vector for the LSSS matrix. Further, it is also assumed that the root node of the tree is labeled with a vector of length 1, which is vector (1), and that each node is labeled with a vector determined by the vector assigned to its parent node. In addition, there also exists a global counter variable c which is preset to 1. If the parent node is an OR gate labelled by a vector v, then its children will be labelled by v as well, and the value of its global counter variable c remains the same. Alternatively, if the parent node is an AND gate labelled by a vector v, then v will be padded with 0s at the end, if required, in order to increase its length to c. One of its children will then be labelled with the vector v | 1 and the other with the vector (0, ..., 0 | -1), where (0, ..., 0) denotes the zero vector of length c. Note that these two vectors when summed equate to v | 0. Once this is done, the value of c is increased by one, i.e. c = c + 1. Once the labelling of the entire tree is finished, the vectors labelling the leaf nodes form the l rows of the LSSS matrix. If these vectors forming these rows are of different lengths, the shorter vectors will be padded with 0s at the end so that all the vectors will be equal in length.
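The labelling procedure above can be checked mechanically. The following Python sketch is an added example, not code from the patent: it applies the procedure to the access structure "Affiliation = City Hospital AND (Department = Medicine OR (Illness = Diabetes AND Gender = Male))" and then lists the minimal row subsets whose span contains the sharing vector (1, 0, ..., 0), which are the minimum subsets satisfying (M, ρ). The tuple encoding of the tree and all function names are assumptions made for illustration.

```python
from fractions import Fraction
from itertools import combinations

# Access tree for the example policy: a leaf is a keyword string, a gate is
# a tuple (gate, left, right). This encoding is an assumption of the sketch.
POLICY = ("AND", "Affiliation = City Hospital",
          ("OR", "Department = Medicine",
           ("AND", "Illness = Diabetes", "Gender = Male")))


def formula_to_lsss(tree):
    """Label the tree as described and return (M, rho).

    M is the list of padded leaf vectors (the LSSS rows); rho[i] is the
    keyword that row i maps to.
    """
    rows, rho = [], []
    counter = 1  # the global counter c, preset to 1

    def label(node, vec):
        nonlocal counter
        if isinstance(node, str):          # leaf: its vector becomes a row
            rows.append(vec)
            rho.append(node)
            return
        gate, left, right = node
        if gate == "OR":                   # children inherit v, c unchanged
            label(left, vec)
            label(right, vec)
        elif gate == "AND":
            padded = vec + [0] * (counter - len(vec))   # pad v to length c
            left_vec = padded + [1]                     # v | 1
            right_vec = [0] * counter + [-1]            # (0, ..., 0) | -1
            counter += 1
            label(left, left_vec)
            label(right, right_vec)
        else:
            raise ValueError(f"unsupported gate: {gate!r}")

    label(tree, [1])                       # root is labelled with (1)
    width = max(len(r) for r in rows)
    return [r + [0] * (width - len(r)) for r in rows], rho


def in_span(vectors, target):
    """True if target is a rational linear combination of the vectors."""
    basis = []  # (pivot column, vector normalised to 1 at that column)

    def reduce(v):
        v = [Fraction(x) for x in v]
        for piv, b in basis:
            if v[piv] != 0:
                factor = v[piv]
                v = [x - factor * y for x, y in zip(v, b)]
        return v

    for vec in vectors:
        r = reduce(vec)
        piv = next((i for i, x in enumerate(r) if x != 0), None)
        if piv is not None:
            basis.append((piv, [x / r[piv] for x in r]))
    return all(x == 0 for x in reduce(target))


def sharing_vector(M):
    return [1] + [0] * (len(M[0]) - 1)


def minimal_authorized_sets(M):
    """Row-index subsets that reconstruct (1, 0, ..., 0), smallest first."""
    found = []
    for size in range(1, len(M) + 1):
        for subset in combinations(range(len(M)), size):
            if any(set(f) <= set(subset) for f in found):
                continue                   # a smaller subset already works
            if in_span([M[i] for i in subset], sharing_vector(M)):
                found.append(subset)
    return found


def satisfies(M, rho, document_keywords):
    """Does a (plaintext) keyword set satisfy the policy encoded by (M, rho)?"""
    held = [M[i] for i, kw in enumerate(rho) if kw in document_keywords]
    return in_span(held, sharing_vector(M))


if __name__ == "__main__":
    M, rho = formula_to_lsss(POLICY)
    for row, kw in zip(M, rho):
        print(row, "->", kw)
    print(minimal_authorized_sets(M))
```

The check runs on plaintext keywords only to validate the matrix; in the scheme itself the server never sees keyword values and works with the encrypted parameters instead.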
For example, assume that keyword access structure 133 comprises the following: "Affiliation = City Hospital AND (Department = Medicine OR (Illness = Diabetes AND Gender = Male))". With reference to Figure 3 and using the method described above, the LSSS matrix for this access structure 133 is generated as follows. As the parent node 302 is an AND gate labelled with the vector v = 1, the root AND node 302 of this tree will be labelled as (1) while its global counter variable c = 1. For the left and right child of node 302, the global counter variable c is increased to 2. Its left child 305, the leaf node corresponding to Affiliation = City Hospital, is then labelled as (1, 1) because this node is labelled with (v | 1), while its right child 310, the OR node, is labelled as (0, -1) because this node is labelled with (0 | -1) when c = 2.
For the left and right child of node 310, as the node 310 is an OR gate labelled with (0, -1), then its children will be labelled by (0, -1) as well, and the value of its global counter variable c remains the same at c = 2. The left child 315 of the OR node 310 corresponds to Department = Medicine and is labelled as (0, -1) while its right child 320 is an AND node that is then labelled as (0, -1).
For the left and right child of node 320, as node 320 is an AND gate labelled with (0, -1), the global counter variable c will be increased to 3. The left child 325 of the AND node 320, corresponding to Illness = Diabetes, is then labelled as (0, -1, 1) because this node is labelled with (0, -1 | 1), and the right child 330, corresponding to Gender = Male, is then labelled as (0, 0, -1) because this node is labelled with (0, 0 | -1).
The labelling of the entire tree is now finished and the vectors labelling the leaf nodes, i.e. nodes 305, 315, 325, 330, form the l rows of the LSSS matrix, where in this example l = 4. For nodes 305 and 315, as the vectors forming these rows are of different lengths from nodes 325 and 330, the vectors in nodes 305 and 315 will be padded with 0s at the end and this results in node 305 being represented as (1, 1, 0) and node 315 being represented as (0, -1, 0). Hence, the resulting LSSS matrix M for this example is:
Figure imgf000022_0001
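The labelling procedure above, as an added Python example (not code from the patent): it rebuilds the matrix for the Figure 3 access structure and then lists which row subsets can be combined into the sharing vector (1, 0, 0). The tuple encoding of the tree, the function names, the sample vector y and solving over the rationals instead of Zp are assumptions made for the illustration.

```python
from fractions import Fraction
from itertools import combinations

# Constructed input: the access structure of the Figure 3 example.
TREE = ("AND", ("LEAF", "Affiliation", "City Hospital"),
        ("OR", ("LEAF", "Department", "Medicine"),
         ("AND", ("LEAF", "Illness", "Diabetes"), ("LEAF", "Gender", "Male"))))


def formula_to_lsss(tree):
    """Label an AND/OR tree; return (M, rho) with rho[i] the keyword of row i."""
    rows, rho = [], []
    c = 1  # global counter, preset to 1

    def label(node, v):
        nonlocal c
        if node[0] == "LEAF":
            rows.append(list(v))
            rho.append((node[1], node[2]))
            return
        gate, left, right = node
        if gate == "OR":                      # children inherit v, c unchanged
            label(left, v)
            label(right, v)
        elif gate == "AND":
            padded = list(v) + [0] * (c - len(v))   # pad v to length c
            left_v = padded + [1]                    # v | 1
            right_v = [0] * c + [-1]                 # (0, ..., 0 | -1)
            c += 1
            label(left, left_v)
            label(right, right_v)
        else:
            raise ValueError(f"unknown gate {gate!r}")

    label(tree, [1])                                 # root is labelled (1)
    M = [r + [0] * (c - len(r)) for r in rows]       # pad rows to equal length
    return M, rho


def reconstruction_coeffs(M, subset):
    """Solve sum_i w_i * M_i = (1, 0, ..., 0) over the rows in subset.

    Returns {row_index: w_i}, or None when the rows cannot reach the target.
    """
    n, k = len(M[0]), len(subset)
    # One equation per matrix column, one unknown per selected row.
    A = [[Fraction(M[i][col]) for i in subset] + [Fraction(int(col == 0))]
         for col in range(n)]
    pivots, r = [], 0
    for col in range(k):
        p = next((j for j in range(r, n) if A[j][col] != 0), None)
        if p is None:
            continue
        A[r], A[p] = A[p], A[r]
        piv = A[r][col]
        A[r] = [x / piv for x in A[r]]
        for j in range(n):
            if j != r and A[j][col] != 0:
                f = A[j][col]
                A[j] = [a - f * b for a, b in zip(A[j], A[r])]
        pivots.append(col)
        r += 1
    if any(all(x == 0 for x in row[:-1]) and row[-1] != 0 for row in A):
        return None                                  # inconsistent system
    w = [Fraction(0)] * k                            # free unknowns stay 0
    for row_idx, col in enumerate(pivots):
        w[col] = A[row_idx][-1]
    return dict(zip(subset, w))


def minimal_satisfying_subsets(M):
    """Row-index subsets that reach the target and contain no smaller one."""
    found = []
    for size in range(1, len(M) + 1):
        for s in combinations(range(len(M)), size):
            if any(set(m) <= set(s) for m in found):
                continue
            if reconstruction_coeffs(M, s) is not None:
                found.append(s)
    return found


def demo():
    M, rho = formula_to_lsss(TREE)
    y = [7, 3, 5]          # constructed vector; y[0] is treated as the secret
    v = [sum(a * b for a, b in zip(row, y)) for row in M]   # v_i = M_i . y
    recovered = {}
    for s in minimal_satisfying_subsets(M):
        w = reconstruction_coeffs(M, s)
        recovered[s] = sum(w[i] * v[i] for i in s)
    return M, rho, v, recovered


if __name__ == "__main__":
    M, rho, v, recovered = demo()
    for row, (name, value) in zip(M, rho):
        print(row, name, "=", value)
    print("shares:", v, "recovered:", recovered)
```

Rows 0 and 1 (Affiliation, Department) and rows 0, 2 and 3 (Affiliation, Illness, Gender) are the only minimal subsets that reconstruct, which matches the two ways of satisfying the Boolean formula.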
Once access structure 133 containing keywords SW has been converted into LSSS matrix M, the access structure 133 may then be represented as LSSS access structure instead where, p is a function that associates the rows of M to the generic
Figure imgf000022_0002
names in keywords SW, and are the corresponding keyword values in keywords SW.
Figure imgf000022_0003
For example, for row 1 in LSSS matrix M, p(1) = "Affiliation" and
Figure imgf000022_0004
The LSSS access structure is then transmitted from the authorized user to trapdoor server 120 at step 134. Once trapdoor server 120 confirms that the request is from a user that has been authorized to use trapdoor server 120, trapdoor server 120 shall use the public parameter pars, the server public key pks = g^γ, the master private key msk and the LSSS access structure (M, p, {W_p(i)}) to generate the trapdoor associated with this LSSS access structure, where M is an l x n matrix over Zp, the function p maps the rows of M to generic keyword names, and {W_p(i)} are the corresponding keyword values as previously discussed. To recap, M_i is the i-th row of M for i ∈ {1, ..., l}, and p(i) is the generic keyword name associated with this row by the mapping p. Trapdoor server 120 randomly chooses a vector where
Figure imgf000023_0003
Figure imgf000023_0004
and based on these parameters, trapdoor server 120 computes the trapdoor
Figure imgf000023_0005
TM,p using the following equation:
Figure imgf000023_0001
where
Figure imgf000023_0002
where v_i = M_i · y is the value associated with the row M_i of M. It should be noted that when the trapdoor TM,p is computed, trapdoor TM,p only includes the partial hidden access structure (M, p) and the actual names of the keyword values are omitted.
The trapdoor TM,p is then transmitted at step 136 from trapdoor server 120 to the authorized user. The authorized user then transmits the trapdoor TM,p for LSSS access structure to searching server 125 at step 138 so that searching server 125
Figure imgf000023_0006
may search through the encrypted documents and their respective appended keyword sets for documents that contain the set of keywords SW that satisfy expressive keyword access structure 133.
Upon receiving trapdoor for LSSS access structure , searching
Figure imgf000024_0004
Figure imgf000024_0003
server 125 will retrieve documents appended with keyword sets that contain at least one of the generic names as found in the function p of the received trapdoor TM,p. Such an initial matching of the generic keyword names greatly reduces the overall searching time of the documents.
Searching server 125 will then use the public parameter pars, the private key sks, and the received trapdoor TM,p for the LSSS access structure to test each retrieved
Figure imgf000024_0002
document to determine if the document contains the set of keywords SW that satisfies the expressive keyword access structure 133 sought by the authorized user. Searching server 125 will initiate this process by selecting a first retrieved document together with its appended keyword set containing its ciphertext CT. A search token is then computed for this first retrieved document whereby the search token is computed using the following equation:
Figure imgf000024_0001
where the search token equals a "0" value if this equation is not satisfied and conversely, the search token equals "1" if this equation is satisfied. It should be noted that the parameters used to compute the search token are obtained from the parameters contained in the ciphertext CT that is contained in the keyword set appended to the first retrieved document. Further, it should be noted that where is the set of all
Figure imgf000024_0006
Figure imgf000024_0007
minimum subsets satisfying
Figure imgf000024_0005
In another embodiment of the invention, in order to improve the performance efficiency of system 100, the modules in system 100 may be adapted for an asymmetric bilinear pairing in which bilinear pairings may be calculated faster than the
Figure imgf000025_0007
symmetric bilinear pairings used in the previously described embodiment. In particular, system 100 may be transformed from symmetric bilinear maps to asymmetric bilinear maps.
In this embodiment of the invention, trapdoor server 120 performs the similar steps as described above except that the previously used parameters will be
Figure imgf000025_0008
replaced by and H is
Figure imgf000025_0001
removed from the public parameter pars.
In this embodiment of the invention, searching server 125 will repeat the similar steps as described above except that the public and private key pair (pks,sks) is computed as
Figure imgf000025_0006
Similarly, when trapdoor server 120 computes the trapdoor using the equation
Figure imgf000025_0003
described above, in this embodiment of the invention, the parameters from the above equation are replaced with the following: and the
Figure imgf000025_0002
parameter T0 is removed from the trapdoor TM,p.
In this embodiment of the invention, when module 110 computes the ciphertext CT, the similar equation as previously described is utilized except that the term
Figure imgf000025_0005
is replaced with the term This replacement takes place in parameters D during
Figure imgf000025_0004
the computation of ciphertext CT.
Finally, in this embodiment of the invention, searching server 125 will compute the search token as described above except that the term H will be replaced by
Figure imgf000025_0009
Figure imgf000025_0010
In accordance with an embodiment of the invention, a method for querying an encrypted database for documents containing an expressive keyword access structure using a computer server, comprises the following four steps:
Step 1, receiving public parameters from a trapdoor server;
Step 2, generating a public key g^γ and a private key γ based on the received public parameters where g is a generator for group G and γ is a random element;
Step 3, receiving a keyword set W for the expressive keyword access structure, wherein the keyword set W comprises generic names and keyword values, and receiving a trapdoor TM,p associated with the expressive keyword access structure, wherein the trapdoor TM,p comprises: trapdoor parameters, a Linear Secret Sharing Scheme (LSSS) matrix M having l rows and n columns, and a function p mapping the rows of the LSSS matrix M to the generic names in the keyword set W;
Step 4, processing documents in the encrypted database that are pre-tagged with corresponding generic names N and corresponding ciphertext CT, wherein the processing the documents comprises: retrieving documents from the encrypted database tagged with at least one of the generic names contained in the keyword set W; computing a search token for each retrieved document, whereby each search token is computed based on parameters obtained from the ciphertext CT tagged to each document, parameters contained in the trapdoor TM,p, the private key γ and the public parameters; determining, for each retrieved document, if the computed search token for the document matches with a first parameter in ciphertext CT tagged to the document, whereby if a match is determined, indicating the document contains the expressive keyword access structure.
In order to provide such a system or method, a process is needed for querying an encrypted database for documents containing an expressive keyword access structure. The following description and Figure 4 describe embodiments of processes in accordance with this invention.
Figure 4 illustrates process 400 that is performed by a module or computer processor installed within an electronic device or server to query an encrypted database for documents containing an expressive keyword access structure in accordance with embodiments of this invention. Process 400 begins at step 405 whereby process 400 receives the public parameters from a server. The public parameters pars are stored in a secure memory or a secure database and are only accessible by process 400. Process 400 then proceeds to generate public and private key pairs at step 410 using the parameters received at step 405. Process 400 then receives the trapdoor at step 420 for the expressive keyword access structure. A first document is then retrieved from the encrypted database by process 400 at step 425. If the generic names contained within the trapdoor matches with the generic names contained in the keyword set appended to the retrieved document at step 420, process 400 will add the retrieved document to a document list at step 435. Conversely, if the generic names contained within the trapdoor do not match with the generic names contained in the keyword set appended to the retrieved document at step 430, process 400 will proceed to step 440 instead and select a next document at this step. If at step 440 process 400 determines there is another document that has not yet been selected, process 400 will proceed to step 430 whereby steps 430 to 440 will repeat until all documents have been selected. Process 400 then proceeds to step 445.
However, at step 430, if process 400 determines that a retrieved document has been added to a document list at step 435, process 400 will then proceed to step 440 to select the next document. Process 400 repeats steps 435 to 440 until all documents have been processed by process 400.
At step 445, a first document from the retrieved document list is selected by process 400. Process 400 then proceeds to compute a search token for the selected document. If process 400 determines at step 455 that the search token matches with the first parameter in the ciphertext appended or tagged to the selected document, process 400 will proceed to step 460 where it will indicate that the selected document contains the expressive keyword access structure. Process 400 then proceeds to step 465 to select another document.
Conversely, if process 400 determines at step 455 that the search token does not match with the first parameter C in ciphertext CT, process 400 will proceed to step 465 instead. At step 465, process 400 will select the next document and if there is another document to select, process 400 repeats from step 465 to 455. Alternatively, if all the documents have been selected, process 400 then ends.
The above is a description of embodiments of a system and process in accordance with the present invention as set forth in the following claims. It is envisioned that others may and will design alternatives that fall within the scope of the following claims.

Claims
1. A method for querying an encrypted database for documents containing an expressive keyword access structure using a computer server, the method comprising: receiving public parameters from a trapdoor server, wherein the public parameter is constant; generating a public key g^γ and a private key γ based on the received public parameters where g is a generator for a group G and γ is a random element; receiving a trapdoor TM,p associated with the expressive keyword access structure, wherein the trapdoor TM,p comprises: trapdoor parameters, a Linear Secret Sharing Scheme (LSSS) matrix M having l rows and n columns, and a function p mapping the rows of the LSSS matrix M to generic names in a keyword set W associated with the expressive keyword access structure, wherein the keyword set W comprises the generic names and keyword values, and; processing documents in the encrypted database that are pre-tagged with corresponding generic names N and corresponding ciphertext CT, wherein the processing the documents comprises: retrieving documents from the encrypted database tagged with at least one of the generic names contained in the keyword set W; computing a search token for each retrieved document, whereby each search token is computed based on parameters obtained from the ciphertext CT tagged to each document, parameters contained in the trapdoor TM,p, the private key γ and the public parameters; determining, for each retrieved document, if the computed search token for the document matches with a first parameter in ciphertext CT tagged to the document, whereby if a match is determined, indicating the document contains the expressive keyword access structure.
2. The method according to claim 1 wherein the public parameters received from the trapdoor server is defined by:
Figure imgf000030_0005
where H is a collision-resistant hash function mapping elements in G1 to elements in G, G is a group of prime order p with the generator is a symmetric bilinear
Figure imgf000030_0006
pairing function, where
Figure imgf000030_0011
ω are random group elements in G, and g
Figure imgf000030_0007
where where are non-zero residuals
Figure imgf000030_0003
Figure imgf000030_0008
Figure imgf000030_0004
of modular p.
3. The method according to claim 2 wherein the received trapdoor TM,p associated with the expressive keyword access structure is defined by the following equation:
Figure imgf000030_0002
whereby the trapdoor parameters are defined as:
Figure imgf000030_0001
where
Figure imgf000030_0010
whereby l is the total number of rows in LSSS matrix M, v_i is the value associated with a row M_i of the LSSS matrix M, M_i is the i-th row of LSSS matrix
Figure imgf000030_0009
are
Figure imgf000031_0003
residuals of modular p.
4. The method according to claim 3 wherein a ciphertext CT pre-tagged to a document in the encrypted database is defined by the following equation:
Figure imgf000031_0004
whereby m is a size of the keyword set of the document, and the first parameter in ciphertext CT comprises a first value C that is defined as:
Figure imgf000031_0005
where,
Figure imgf000031_0001
where is the i-th keyword value in a keyword set of the document, W_1, ..., W_m are the corresponding keyword values of the keyword set of the document, and
Figure imgf000031_0006
5. The method according to claim 4 wherein the search token for a retrieved document is computed based on the following equation:
Figure imgf000031_0007
whereby is the set of all minimum subsets satisfying (M, p) and
Figure imgf000031_0008
Figure imgf000031_0002
6. The method according to claim 1 wherein the public parameters received from the trapdoor server is defined by:
Figure imgf000031_0009
where G is a group of prime order p with the generator
Figure imgf000032_0009
is an asymmetric bilinear pairing function, where are random group elements in and
Figure imgf000032_0013
Figure imgf000032_0011
Figure imgf000032_0012
where where denotes the set of all
Figure imgf000032_0007
Figure imgf000032_0008
Figure imgf000032_0010
non-zero residuals of modular p, and wherein the public key
Figure imgf000032_0018
s replaced by
Figure imgf000032_0017
7. The method according to claim 6 wherein the received trapdoor TM,p associated with the expressive keyword access structure is defined by the following equation:
Figure imgf000032_0002
whereby the trapdoor parameters are defined as:
Figure imgf000032_0001
where i whereby is the total number of rows in LSSS matrix M, v_i is the
Figure imgf000032_0015
Figure imgf000032_0016
value associated with a row of the LSSS matrix M, M_i is the i-th row of LSSS matrix
Figure imgf000032_0014
where where Zp are
Figure imgf000032_0003
Figure imgf000032_0004
non-zero residuals of a modular positive integer p.
8. The method according to claim 7 wherein a ciphertext CT pre-tagged to a document in the encrypted database is defined by the following equation:
Figure imgf000032_0005
whereby m is a size of the keyword set of the document, and a first parameter C of the ciphertext CT is defined as:
Figure imgf000032_0006
where,
Figure imgf000033_0001
where W_i is the i-th keyword value in a keyword set of the document, are the
Figure imgf000033_0005
corresponding keyword values of the keyword set of the document, and where denotes the set of all residuals of a
Figure imgf000033_0003
Figure imgf000033_0004
modular positive integer p.
9. The method according to claim 8 wherein the search token for a retrieved document is computed based on the following equation: search token
whereby where is the set of all minimum subsets satisfying (M, p) and
Figure imgf000033_0007
Figure imgf000033_0006
Figure imgf000033_0008
10. The method according to claim 1 wherein the public key is g and the private key γ is 1.
Figure imgf000033_0010
11. The method according to claim 6 wherein the public key is g and the private key γ is 1.
Figure imgf000033_0009
12. A computer server for querying an encrypted database for documents containing an expressive keyword access structure, the computer server comprising: a processing unit; and a non-transitory media readable by the processing unit, the media storing instructions that when executed by the processing unit, cause the processing unit to: receive public parameters from a trapdoor server, wherein the public parameter is constant; generate a public key g^γ and a private key γ based on the received public parameters where g is a generator for a group G and γ is a random element; receiving a trapdoor TM,p associated with the expressive keyword access structure, wherein the trapdoor TM,p comprises: trapdoor parameters, a Linear Secret Sharing Scheme (LSSS) matrix M having l rows and n columns, and a function p mapping the rows of the LSSS matrix M to generic names in a keyword set W associated with the expressive keyword access structure, wherein the keyword set W comprises the generic names and keyword values, and; process documents in the encrypted database that are pre-tagged with corresponding generic names N and corresponding ciphertext CT by, retrieving documents from the encrypted database tagged with at least one of the generic names contained in the keyword set W; computing a search token for each retrieved document, whereby each search token is computed based on parameters obtained from the ciphertext CT tagged to each document, parameters contained in the trapdoor TM,p, the private key γ and the public parameters; determining, for each retrieved document, if the computed search token for the document matches with a first parameter in ciphertext CT tagged to the document, whereby if a match is determined, indicating the document contains the expressive keyword access structure.
13. The computer server according to claim 12 wherein the public parameters received from the trapdoor server is defined by:
Figure imgf000034_0001
where H is a collision-resistant hash function mapping elements in G1 to elements in G, G is a group of prime order p with the generator
Figure imgf000035_0003
is a symmetric bilinear pairing function, where are random group elements in G, and
Figure imgf000035_0011
Figure imgf000035_0005
Figure imgf000035_0002
where where Zp * are non-zero residuals
Figure imgf000035_0004
of modular p.
14. The computer server according to claim 13 wherein the received trapdoor TM,p associated with the expressive keyword access structure is defined by the following equation:
Figure imgf000035_0006
whereby the trapdoor parameters are defined as:
Figure imgf000035_0001
where whereby l is the total number of rows in LSSS matrix M, v_i is the
Figure imgf000035_0010
value associated with a row
Figure imgf000035_0009
of the LSSS matrix M, M_i is the i-th row of LSSS matrix
Figure imgf000035_0007
where where Zp are
Figure imgf000035_0008
residuals of modular p.
15. The computer server according to claim 14 wherein a ciphertext CT pre-tagged to a document in the encrypted database is defined by the following equation: ciphertext
Figure imgf000035_0012
whereby m is a size of the keyword set of the document, and the first parameter in ciphertext CT comprises a first value C that is defined as: where,
Figure imgf000036_0001
where W_i is the i-th keyword value in a keyword set of the document, W_1, ..., W_m are the corresponding keyword values of the keyword set of the document, and
Figure imgf000036_0002
16. The computer server according to claim 15 wherein the search token for a retrieved document is computed based on the following equation: search token
Figure imgf000036_0003
whereby where is the set of all minimum subsets satisfying (M, p) and
Figure imgf000036_0004
Figure imgf000036_0006
Figure imgf000036_0005
17. The computer server according to claim 12 wherein the public parameters received from the trapdoor server is defined by:
Figure imgf000036_0007
where G is a group of prime order p with the generator is an
Figure imgf000036_0010
asymmetric bilinear pairing function, where η, Κ, ω are random group elements in G, and where where Zv * denotes
Figure imgf000036_0008
the set of all non-zero residuals of modular p, and wherein the public key ^ris replaced
18. The computer server according to claim 17 wherein the received trapdoor TM,p associated with the expressive keyword access structure is defined by the following equation:
Figure imgf000037_0002
whereby the trapdoor parameters are defined as:
Figure imgf000037_0001
where whereby l is the total number of rows in LSSS matrix is the
Figure imgf000037_0003
Figure imgf000037_0011
value associated with a row of the LSSS matrix is the i-th row of LSSS matrix
Figure imgf000037_0009
Figure imgf000037_0010
where Z are
Figure imgf000037_0004
Figure imgf000037_0008
non-zero residuals of a modular positive integer p.
19. The computer server according to claim 18 wherein a ciphertext CT pre-tagged to a document in the encrypted database is defined by the following equation:
Figure imgf000037_0005
whereby m is a size of the keyword set of the document, and a first parameter C of the ciphertext CT is defined as:
where,
Figure imgf000037_0006
where W_i is the i-th keyword value in a keyword set of the document, W_1, ..., W_m are the corresponding keyword values of the keyword set of the document, and where Zp denotes the set of all residuals of a
Figure imgf000037_0007
modular positive integer p.
20. The computer server according to claim 19 wherein the search token for a retrieved document is computed based on the following equation: search token
Figure imgf000038_0001
whereby where is the set of all minimum subsets satisfying (M, p) and
Figure imgf000038_0003
Figure imgf000038_0004
Figure imgf000038_0002
21. The computer server according to claim 12 wherein the public key g^γ is g and the private key γ is 1.
22. The computer server according to claim 17 wherein the public key g^γ is g and the private key γ is 1.
PCT/SG2017/050362 2016-10-14 2017-07-19 System and method for querying an encrypted database for documents satisfying an expressive keyword access structure WO2018070932A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
SG10201608619P 2016-10-14

Publications (1)

Publication Number Publication Date
WO2018070932A1 true WO2018070932A1 (en) 2018-04-19

Family

ID=59501506

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/SG2017/050362 WO2018070932A1 (en) 2016-10-14 2017-07-19 System and method for querying an encrypted database for documents satisfying an expressive keyword access structure

Country Status (1)

Country Link
WO (1) WO2018070932A1 (en)


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17746212

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17746212

Country of ref document: EP

Kind code of ref document: A1