using secret sharing for searching in encrypted data
DESCRIPTION
Using secret sharing for searching in encrypted data. Ring. F[x]/s(x) = {f(x) | deg(f(x)) < deg(s(x)) and coefficients of f(x) F } F q [ x ]/( x q-1 −1) (where q is a prime power q = p e . For the reader’s convenience, all proofs will be given for q prime) - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/1.jpg)
Using secret sharing for searching in encrypted data
![Page 2: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/2.jpg)
Ring
• F[x]/s(x) = {f(x) | deg(f(x)) < deg(s(x)) and
coefficients of f(x) F }
• FFq[x]/(xq-1−1)
(where q is a prime power q = pe.
For the reader’s convenience, all proofs will be given for q prime)
• ex: when q = 5 (x-3)((x-2)(x-4))2
≡88x3-252x2+353x-207(mod x4-1) 3x3+3x2+3x+3
![Page 3: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/3.jpg)
Ring
• ZZ[x]/(r(x)) : (where r(x) is an irreducible polynomial)– If f(x)=g(x)h(x) ( f(x) has degree 2 ) ≧
( g(x),h(x) has degree 1≧ )
we call f(x) reducible.
• ex: when r(x) = x2+1
(x-3)((x-2)(x-4))2
≡265x+45 (mod x2+1)
![Page 4: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/4.jpg)
1. Define a mapping function
(map : tagnames → ZZ )
2. Transform the tree of tag names into a tree of polynomials
3. Using ring to reduce
4. Data sharing
5. Querying
![Page 5: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/5.jpg)
(x-2)(x-4)
(x-4)
(x-3)((x-2)(x-4))2
(x-4)
(x-2)(x-4)client
name
customers
name
client
tagname
customersclientname
324
ZZ
(a) XML example (b) Mapping from tagname to numbers
(c) Data representation in non-compressed form
![Page 6: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/6.jpg)
Data sharing
+=
Pseudorandom generator
![Page 7: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/7.jpg)
Querying
• ex : //client.
This XPath expression means that we want to find ‘client’ elements somewhere in the tree.
![Page 8: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/8.jpg)
Querying
1. translate ‘client’ to x = 2
2. The server evaluates the polynomials in the given point (x = 2) and sent back to the client.
tagname
customersclientname
324
ZZ
![Page 9: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/9.jpg)
Querying3. The client does the same thing on its own side and calculates
the sum of the client element and the server element. sum = 0, i.e. the element contains a factor (x − 2) sum ≠ 0, The branch is dead
the client informs the server so that the server can stop evaluating polynomials for elements in the tree starting with that branch.
![Page 10: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/10.jpg)
Querying
4. Each zero element in the sum tree that does not have a zero sub element represents an answer to the query.
0
3
0
3
0
sum
![Page 11: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/11.jpg)
Querying
• To reconstruct the element value, let f – sum of the polynomials
q1, . . . , qn– the combined polynomials of all its direct children.
i.e.
f = (x-t)Πi=1n qi (mod r)
f(x) = 0 solve t → check the correctnes
s(in example : t = 2)
![Page 12: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/12.jpg)
• Theorem 2 proves that there is just a single solution for t.
d = d(r)
q1. . .qn(x − t) = 0 (mod r)
ad-1xd-1+ad-2xd-2+…+a1x+a0 = 0
ad-1(t) = 0 …
a0(t) = 0
![Page 13: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/13.jpg)
advanced querying
• More elaborate XPath queries can be performed.
• ex : //a/b//c/d/efollow these steps and increase efficiency
1. from the root node find all ‘a’ elements that have b, c, d and e elements somewhere deeper in the tree
2. from the found nodes find all direct children ‘b’ that have elements c, d and e as descendants
3. …
![Page 14: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/14.jpg)
Fermat's little theorem
• if p is a prime number,
then for any integer a, (ap − a) will be evenly divisible by p.
i.e. ap ≡ a ( mod p )ap-1 ≡ 1 ( mod p ) (a,p)=1
![Page 15: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/15.jpg)
Lemma 1.
• If p is prime then Πi=1
p-1 (x − i) ≡ xp-1 − 1 (mod p).
• Let f(x) = Πi=1p-1 (x − i) and g(x) = xp-1 − 1.
All elements of F*p = {1, . . . , p − 1} are roots of f(x). By Fermat’s little theorem, for p prime all these p−1 roots of f(x) are also roots for g(x). Thus the two polynomials are equal.
![Page 16: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/16.jpg)
Lemma 2.
• Let p be prime and f(x) Fp[x]. ﹁ q→ ﹁ p
If f(x) is non-zero mod x−(p−1) p →q
then f(x) is also non-zero modulo xp-1 − 1.
• Since f(x) ≡ 0 (mod xp-1 −1) (xp-1 −1)|f(x)
and x−(p−1)| xp-1 −1 in Fp[x] ( from lemma 1 ) x−(p−1)|f(x)
f(x) ≡ 0 (mod x − (p − 1)).
![Page 17: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/17.jpg)
Lemma 3.
• Let p be prime, and let f(x) Fp[x] be defined as
f(x) =
Then f(x) 0 (mod xp-1 − 1).
• Consider the evaluation of f(x) at p − 1:
f(p − 1) =
Because i {1, . . . , p − 2} : i p−1, f(p − 1) 0.
Thus x − (p − 1) cannot be a factor of f(x), and we have that f(x) 0 (mod x − (p − 1)).
By lemma 2 this implies that f(x) 0 (mod xp-1 − 1).
2
1
( ) i
pe
i
x i
2
1
(( 1) ) i
pe
i
p i
![Page 18: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/18.jpg)
Theorem 1.
• Given a polynomial f(x) in Fp[x]/(xp-1 − 1)
(p prime) of an element node and all polynomials (q1, . . . , qn) of its children, the mapped value map(node) can be retrieved uniquely.
![Page 19: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/19.jpg)
Proof• we know at least one solution exists for the equation
f(x) ≡ q1(x) · · · qn(x)(x − t) ( t − mapped value )
Suppose there are two solutions t1 and t2 : f(x) ≡ q1(x) · · · qn(x)(x− t1) and f(x) ≡ q1(x) · · · qn(x)(x− t2)
Then q1(x) · · · qn(x)(x− t1) ≡ q1(x) · · · qn(x)(x− t2) q1(x) · · · qn(x)(t1 − t2) ≡ 0 (mod p). q1(x) · · · qn(x) ≡ 0 (mod p) or (t1 − t2) ≡ 0 (mod p).
Since we know that q1(x) · · · qn(x) 0 (mod p) by lemma 3 (the qi’s match the required form by construction), we can conclude that t1 ≡ t2 (mod p).
![Page 20: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/20.jpg)
Theorem 2.
• Given a polynomial f(x) in Z[x]/(r(x)) of an element node and all polynomials
(q1, . . . , qn) of its children, the mapped value map(node) can uniquely be retrieved.
![Page 21: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/21.jpg)
Proof
• As in theorem 1 due to construction there exists at least one t that satisfies
f(x) ≡ q1(x) · · ·qn(x)(x − t) (mod p).
suppose there are two solutions t1 and t2.
Then q1(x) · · ·qn(x)(t1−t2) ≡ 0 (mod r(x)).
Since r(x) is irreducible, and none of the qi(x) are zero modulo r(x) (by construction), we have that t1 − t2 ≡ 0 (mod r(x)). Therefore t1 = t2.
![Page 22: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/22.jpg)
Conclusion
• It has only a small penalty in storage space compared to the unencrypted case.
• a branch can be marked as a dead-end in a very early stage and only a small portion of the tree has to be examined.
• It cannot straightforwardly use the same method for the actual data.
![Page 23: Using secret sharing for searching in encrypted data](https://reader030.vdocuments.us/reader030/viewer/2022032612/568132b1550346895d99674d/html5/thumbnails/23.jpg)
Comment
• What kind of rings do we choose?
• Which one can be more efficient in our situation?