# lncs 3378 - keyword search and oblivious pseudorandom ... keyword search. these protocols enable...

Post on 02-Jun-2020

10 views

Embed Size (px)

TRANSCRIPT

Keyword Search and Oblivious Pseudorandom Functions

Michael J. Freedman1, Yuval Ishai2, Benny Pinkas3, and Omer Reingold4

1 New York University mfreed@cs.nyu.edu

2 Technion yuvali@cs.technion.ac.il

3 HP Labs, Israel benny.pinkas@hp.com

4 Weizmann Institute of Science omer.reingold@weizmann.ac.il

Abstract. We study the problem of privacy-preserving access to a database. Particularly, we consider the problem of privacy-preserving keyword search (KS), where records in the database are accessed accord- ing to their associated keywords and where we care for the privacy of both the client and the server. We provide efficient solutions for vari- ous settings of KS, based either on specific assumptions or on general primitives (mainly oblivious transfer). Our general solutions rely on a new connection between KS and the oblivious evaluation of pseudoran- dom functions (OPRFs). We therefore study both the definition and construction of OPRFs and, as a corollary, give improved constructions of OPRFs that may be of independent interest.

Keywords: Secure keyword search, oblivious pseudorandom functions, private information retrieval, secure two-party protocols, privacy- preserving protocols.

1 Introduction

Keyword search (KS) is a fundamental database operation. It involves two main parties: a server, holding a database comprised of a set of records and their asso- ciated keywords, and a client, who may send queries consisting of keywords and receive the records associated with these keywords. A natural question in the area of secure computation is the design of protocols for efficient, privacy-preserving keyword search. These protocols enable keyword queries while providing privacy for both parties: namely, (1) hiding the queries from the database (client pri- vacy) and (2) preventing the clients from learning anything but the results of the queries (server privacy).

To be more specific, the private keyword-search problem may be defined by the following functionality. The database consists of n pairs {(xi, pi)}i∈[n]; we denote xi as the keyword and pi as the payload (database record). A query from

J. Kilian (Ed.): TCC 2005, LNCS 3378, pp. 303–324, 2005. c© Springer-Verlag Berlin Heidelberg 2005

mailto:mfreed@cs.nyu.edu mailto:yuvali@cs.technion.ac.il mailto:benny.pinkas@hp.com mailto:omer.reingold@weizmann.ac.il

304 M.J. Freedman et al.

a client is a searchword w, and the client obtains the result pi if there is a value i for which xi = w and obtains a special symbol ⊥ otherwise. Given that KS allows clients to input an arbitrary searchword, as opposed to selecting pi by an input i, keyword search is strictly stronger than the better-studied problems of oblivious transfer (OT) and symmetrically private information retrieval (SPIR).

1.1 Contributions

Our applied and conceptual contributions can be divided into the following:

– Specific Protocols for KS. We construct direct instantiations of KS pro- tocols, providing privacy for both parties, based on the use of oblivious poly- nomial evaluation and homomorphic encryption. The protocols have a com- munication complexity which is logarithmic in the size of the domain of the keywords and polylogarithmic in the number of records, and they require only one round of interaction, even in the case of malicious clients.1 All previous fully-private KS protocols either require a linear amount of com- munication or multiple rounds of interaction, even in the semi-honest model.

– KS Using Oblivious Pseudorandom Functions (OPRFs). We describe a generic, yet very efficient, reduction from KS to what we call semi-private KS, in which only the client’s privacy is maintained. Specifically, we show that any KS protocol providing (only) client privacy can be upgraded to provide server privacy as well, by using an additional oblivious evaluation of pseudorandom functions. This reduction is motivated by the fact that efficient semi-private KS is quite easy to obtain by combining PIR with a suitable data structure supporting keyword searches [20, 7].2 Thus, we derive a general construction of fully-private KS protocols based on PIR, a data structure supporting keyword searches, and an OPRF.

– New Notion of OPRF. Motivated by the KS application and the above general reduction, we put forward a new relaxed notion of OPRF which facil- itates more efficient constructions and is of independent theoretical interest.

– Constructions of OPRF. We show a construction of an OPRF protocol based on the DDH assumption. In addition, one of the our main contribu- tions is a general construction of (relaxed) OPRF from OT. This construction is based on techniques from [23, 25], yet improves on these works as (1) it preserves privacy against (up to t) adaptive queries, (2) it is obliviously eval- uated in constant number of rounds, and (3) it handles exponential domain size. These improvements are partially relevant also in the context of t-out- of-n OT, as originally studied in [23, 25]. We note that this is a black-box

1 In the case of malicious parties, we use a slightly relaxed notion of security, following one suggested in the context of OT [1, 23] (see Section 2).

2 In fact, if we allow a setup phase with linear communication complexity, we can obtain a semi-private KS supporting adaptive queries by simply sending the entire database to the client.

Keyword Search and Oblivious Pseudorandom Functions 305

construction of t-time OPRF from OT. From a theoretical point-of-view, one of the most interesting open questions left by our work is to find an efficient black-box construction of fully-adaptive OPRF and KS (supporting an arbitrary number of queries) which only makes a black-box use of OT. In contrast, such a construction is easy to obtain by making a non-black-box use of OT. Thus, we have a rare example of a non-black-box construction in cryptography for which no black-box construction is known, even in the random-oracle model. In fact, we are not aware of any other such simple and natural example that fully resides in the semi-honest model.

1.2 Related Work

The work of Kushilevitz and Ostrovsky [20], which was the first to suggest a single-server PIR protocol, described how to use PIR together with a hash function for obtaining a semi-private KS protocol (we denote a KS protocol as “semi-private” if it does not ensure server privacy). Chor et al. [7] described how to implement semi-private KS using PIR and any data structure supporting keyword queries, and they added server privacy using a trie data structure and many rounds. Our reduction from KS to semi-secure KS provides a more efficient and general alternative, requiring only a small constant number of rounds.

Ogata and Kurosawa [27] show an ad-hoc solution for KS for adaptive queries, using a setup stage with linear communication. The security of their main con- struction is based on the random oracle assumption and on a non-standard assumption (related to the security of blind signatures). The system requires a public-key operation per item for every new query.

A problem somewhat related to KS is that of “search on encrypted data” [30, 3]. The scenario involves giving encrypted data to a third party. This party is later given a trapdoor key, enabling it to search the encrypted data for specific keywords, while hiding any other information about the data. This problem seems easier than ours since the search key is provided by the party which previously encrypted the data. Furthermore, there are protocols for “search on encrypted data” (e.g., [30]) which use only symmetric-key crypto. therefore it is unlikely that they can be used for implementing KS, as KS implies OT.

Another related problem is that of “secure set intersection” [10], where two parties whose inputs consist of sets X, Y privately compute X∩Y . KS is a special case of this problem with |X| = 1. On the other hand, set intersection can be reduced to KS by running a KS invocation for every item in X. Thus, our results can be applied to obtain efficient solutions to the set-intersection problem.

Cryptographic Primitives. We make use of several standard cryptographic primitives that can be defined as instances of private two-party computation be- tween a server and a client, including oblivious transfer (OT) [29, 9], single-server private information retrieval (PIR) [8, 20], symmetrically-private information re- trieval (SPIR) [11, 23], and oblivious polynomial evaluation (OPE) [23]. Some specific constructions for non-adaptive KS require a semantically-secure homo- morphic encryption system.

306 M.J. Freedman et al.

1.3 Organization

The remainder of this paper is structured as follows. We provide definitions and variants of keyword search in Section 2. Section 3 describes some direct constructions of (non-adaptive) KS protocols based on OPE and homomorphic encryption. In Section 4 we introduce our new relaxed notion of OPRF and use it to obtain a reduction from fully-private KS to semi-private KS. We conclude by providing efficient implementations of OPRFs in Section 5.

2 Preliminaries

This section defines the private keyword search problem and some of its variants. We assume the reader’s familiarity with standard simulation-based definitions of secure computation (cf. [5, 13]).

2.1 Private Keyword Search

The system is comprised of a server S and a client C. The server’s input is a database X of n pairs (xi, pi), each consisting of a keyword and a payload. Key- words can be strings of an arbitrary length and payloads are padded to some fixed length. We may also assume, without loss of generality,