Park et al. EURASIP Journal on Wireless Communications and Networking 2011, 2011:64
http://jwcn.eurasipjournals.com/content/2011/1/64

RESEARCH Open Access

PKIS: practical keyword index search on cloud datacenter

Hyun-A Park, Jae Hyun Park2 and Dong Hoon Lee*

* Correspondence: donghlee@korea.ac.kr
Graduate School of Information and Security, Korea University, 5-Ka, Anamdong, Sungbuk-ku, Seoul 36-70, Korea
Full list of author information is available at the end of the article

© 2011 Park et al; licensee Springer. This is an Open Access article distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/2.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

This paper highlights the importance of the interoperability of the encrypted DB in terms of the characteristics of DB and efficient schemes. Although most prior research has developed efficient algorithms under provable security, it does not focus on the interoperability of the encrypted DB. In order to address this lack of practical aspects, we conduct two practical approaches, efficiency and group search, in cloud datacenter. The process of this paper is as follows: first, we create two schemes of efficiency and group search, practical keyword index search I and II; second, we define and analyze group search secrecy and keyword index search privacy in our schemes; third, we experiment on efficient performances over our proposed encrypted DB. As the result, we summarize two major results: (1) our proposed schemes can support a secure group search without re-encrypting all documents under the group-key update and (2) our experiments represent that our scheme is approximately 935 times faster than Golle's scheme and about 6 times faster than Song's scheme for 10,000 documents. Based on our experiments and results, this paper has the following contributions: (1) in the current cloud computing environments, our schemes provide practical, realistic, and secure solutions over the encrypted DB and (2) this paper identifies the importance of interoperability with database management system for designing efficient schemes.

Keywords: keyword index search, encrypted document, group setting, DBMS, index list table, normalization, primary key, foreign key, group search secrecy, keyword index search privacy, cloud datacenter

1 Introduction

Cloud computing technologies have become a central issue in order to open a new digitalized information society by heterogeneous services and convergence of technologies. In the era of cloud computing, personal computer and storage have changed their functions and features in socio-technical perspectives: the functions of personal computers have changed their concerns from individual to centralized managerial ones; the features of storage have also transformed its boundaries from personal databases or Enterprise Resource Planning (ERP) servers to the datacenter in social storage systems [1,2]. In the cloud computing era, security research also encounters a variety of challenges and issues. The datacenter is made up of complex private information, and it is faced with the risks of information leakages and intruders' or insiders' attacks. For these reasons, prior researchers have considered encryption as the most substantial way of protecting sensitive information, as the last line of database defense.

1.1 Problem identification

In DB encryption, previous researchers have conducted the keyword index search over encrypted documents with various scenarios; however, the keyword index search schemes are inefficient and impractical in the real world. The keyword index search enables a legitimate querier to search the encrypted documents with an encrypted keyword over the encrypted indexes without revealing any information on the query and documents, even to the server. In most prior research, we find that the indexes of each data item are stored by a row, not by a field (column), which is another inefficient aspect. The keyword index search schemes require at least a verifying test for every row of each data item, so that the computational complexity of the previous schemes is at least O(n) if the total number of stored data items is n. The computation or scanning over many fields within one row is not fast, while the computation or scanning within one field is relatively faster than in one row. Moreover, an encryption algorithm needs many random factors, which makes it hard to apply an efficient DB schema^a to encrypted databases.

Our schemes are in the line of the keyword index search area, and this paper focuses on more practical approaches over the encrypted database to resolve two problems, the efficiency and the group search of the encrypted database in the cloud datacenter service.

In this paper, we extend the search scope from between a server and a single user to the search between a server and group members (multiple users) in the cloud datacenter services, because current changing cloud computing technologies call for a variety of collaborations and cooperation among users in a certain social networking environment. These changing social networking environments require multiple users' information sharing in a certain organization; therefore, we propose the group key search of database encryption, for when a group member shares his or her sensitive information among multiple users. Especially, shared sensitive information should be encrypted by a group key in group search of database encryption.

On the other hand, a group key has some problems when used as a search key, because the group key has a dynamic property, i.e., a person may join or leave the group. When a member leaves a group, all data accessible to the group should not be accessible to that member any more. This could be resolved by updating the group key, and the leaving member must not be able to compute the new group key. On the other hand, when a member joins a group, he or she should obtain all of the previous group keys in order to access all of the group data. This problem, a member joining a group, makes design much harder.
A naive solution is to decrypt all documents of the group and re-encrypt the documents with the new group key at every membership change. Yet this solution entails a large amount of computational overhead. In prior research, most schemes have not considered practical usages, while [3,4] worked on search schemes for dynamic group membership changes without re-encrypting documents. Park et al.'s scheme [3] is relatively faster than that of Wang et al. [4]. Wang et al.'s is based on bilinear, while Park et al. utilized the reversed hash key chains and bloom filters. The faster Park et al.'s scheme has a potential problem related to group member leave. This paper, therefore, seeks to fix this problem in Park et al.'s scheme, the reversed hash key chains, and it also develops novel efficient schemes with the experiments.

1.2 Key idea and contribution

The previous schemes have focused on the development of new encryption algorithms, while we apply a general DB schema to the encrypted database instead of developing an efficient encryption algorithm. Based on this key idea, we devise two tables and store all indexes for all documents in one field (column). The two tables make it possible to build database normalization^b by applying primary keys and foreign keys to the tables. These properties of the two tables enable the server to directly access the data that a user wants to search without any verification process for every row. Based on these two tables for efficiency, we construct PKIS-I with the reversed one-way hash key chain and PKIS-II with the key matching table, for the group search.

Through PKIS-I and PKIS-II, we summarize the results as follows:

1) Efficiency
In terms of computational complexity during the search process, our schemes are O(1), while the schemes of previous papers are at least O(n). Our experiments represent that our scheme is approximately 935 times faster than Golle's scheme and about 6 times faster than Song's scheme for 10,000 documents.

2) Group search
By re-encrypting keywords or documents with the group manager (GM)'s secret key $k_c$, we resolved the encrypted database group search problem in cloud service. At every membership change, our schemes can support a secure group search without re-encrypting all documents.

3) Security
We made definitions of group search secrecy and keyword index search privacy and analyzed them.

Therefore, this paper has two contributions as follows: (1) our schemes provide practical and realistic encrypted DB solutions in the cloud computing environments and (2) this paper identifies the importance of interoperability with DBMS as well as developing algorithms, to design efficient schemes.

1.3 Related works

The research on search systems over encrypted data has been regarded as an active area with various scenarios. In this section, we review the prior papers on search systems over encrypted databases.

Song et al. [5] firstly proposed a sequential scanning search algorithm, searchable symmetric key encryption, over entire documents by using stream and block ciphers. Following this idea, most research has been conducted on the keyword index search. Boneh et al. [6] proposed a keyword search with a public key system, where they defined the concept of a public key encryption with keyword search (PEKS) and showed that PEKS implies identity-based encryption; however, the converse is currently an open problem. Chang et al. [7] suggested two index search schemes with the idea of pre-built dictionaries. Goh [8] formulated a security model for indexes known as semantic security (or indistinguishability) against an adaptive chosen keyword attack (IND-CKA), and also proposed a secure index scheme in the model. Waters et al. [9] published the building of an encrypted and searchable audit log, which searches the encrypted log with extracted keywords. Byun et al. [10] raised a serious vulnerability of public key-based keyword search schemes, which are susceptible to an off-line keyword guessing attack because keywords are drawn from a much smaller space than passwords.

In addition, some proposed schemes extend the types of encrypted data queries. Boneh and Waters [] suggested a public key system in order to support queries for testing any predicate on encrypted data with tokens produced by a secret key. They constructed comparison systems, subset queries, and conjunctive versions of these predicates, which introduce a primitive, hidden vector encryption. Hacigümüs et al. [2] proposed the method of range queries on encrypted data in the Database As a Service (DAS) model by using privacy homomorphism that allows basic arithmetic (+, -, ×) on encrypted data. Golle et al. [3] firstly proposed an efficient conjunctive keyword search over encrypted data, and their scheme constructs a keyword field.

Hwang et al. [4] constructed a conjunctive keyword search scheme for group users, based on the public key. Wang et al. [4] developed a threshold privacy preserving keyword search scheme. These schemes cannot support dynamic groups, while Park et al. [3] firstly proposed search schemes for dynamic groups, and their search schemes deal with membership changes without re-encrypting documents for each change of membership. Later, Wang et al. [5] built conjunctive keyword searches on encrypted data without keyword fields, and they applied these searches to the setting of dynamic groups.

Zerr et al. [6] worked on the problem of supporting keyword search for sensitive unstructured documents shared within collaboration groups. They proposed the r-confidential Zerber indexing facility for sensitive documents, and they utilized secret splitting and term merging to provide tunable limits on information leakage, even under statistical attacks. As they admitted, this proposed indexing scheme would be unattainable in practice, and their scheme is inefficient. In succession, Zerr et al. [7] published a Top-K retrieval algorithm from ZERBER+R. In this work, they focused on ranked keyword search, term frequencies, and a novel relevance score transformation function. Here, the relevance score transformation function hides the term-specific distribution of relevance score values, and it makes the scores of different terms indistinguishable. The authors of [8,9] also dealt with the same problems.

Wang et al. [20] considered the problem of effective yet secure ranked keyword search over encrypted cloud data. In order to achieve practical performance, Wang et al. proposed a definition for ranked searchable symmetric encryption and used order-preserving symmetric encryption. Yet [20] is not a design for the group search. Cao et al. firstly explored the problem of multi-keyword ranked search over encrypted cloud data (MRSE), and they established a set of strict privacy requirements for such a secure cloud data utilization system to become a reality [2]. They proposed a basic MRSE scheme using secure inner product and then improved this scheme in order to meet different privacy requirements in two levels of threat models.

Additionally, Zerr et al.'s schemes are not Boolean operations on multiple keyword searches as in traditional searchable encryption schemes, but ranked search operations. The evaluation methods and security requirements, such as term frequency^c, are different. Hence, comparisons with our schemes are actually meaningless.

As for the papers about encrypted data in cloud computing, additionally, there are Li et al.'s [22] and Yu et al.'s [23]. Li et al. dealt with the problem of authorized private keyword searches (APKS) over encrypted data in cloud computing, where multiple data owners encrypt their records along with a keyword index to allow searches by multiple users. Their two novel solutions for APKS are based on hierarchical predicate encryption, which uses pairing-based cryptography. Yu et al. proposed a secure and scalable fine-grained data access control scheme for cloud computing. In order to achieve this goal, they combined the techniques of attribute-based encryption, proxy re-encryption, and lazy re-encryption, which are also pairing-based cryptography.

2 Preliminaries

2.1 Keyword index search scheme

In general, keyword index search schemes consist of setup and searching processes. In the setup process, a client uploads encrypted data together with its indexes (also called searchable information) to a database server, and the indexes are encrypted keywords for searching the data. To search data with a keyword in the searching process, a user generates a trapdoor and sends it to the server. Here, the trapdoor is the encryption of the keyword and provides only search capabilities to the server without revealing any information about the keyword. The database manager runs the test algorithm with the indexes and the trapdoor as input to find the corresponding data. That is, this searching verification is performed on the indexes rather than on the encrypted data. The results are returned to the client, and the client finally decrypts the results and sends them back to the user.

2.2 System environments

2.2.1 Multiple user setting

Our system is devised for a certain group organization, which includes many departments, such as government offices, organizations, or enterprises. This group includes subgroups ($g_1, g_2, \ldots, g_7$) and their members ($p_1, p_2, \ldots, p_5$). This paper identifies a group as a set of people with the same aims, and the group organizes the people working together. In this paper, we focus on a group search, because private search is possible through the same process as well.

2.2.2 Cloud datacenter service and modified DAS model

Our application storage system is a datacenter for the cloud storage service.^d The users of group members store their shared documents in a datacenter, not on their own server. In this case, we cannot guarantee that the datacenter server managers are trustworthy; therefore, we utilize the cryptographic method for the data. This is similar to the DAS model of [2]. In the DAS model, a client is trustworthy, while users' data are stored in and managed by an untrustworthy server. A client has restricted computational power and storage and relies on the server for mass computational power and storage.
A server can be an inside attacker and is not allowed to read the data. Hence, the encryption key should not be known to the server (or the database administrator). Data privacy is assured under the condition that a client does not share encryption keys, metadata or original data with any party.

Here, we modify the DAS model into our application system. Our scheme is made up of three parties: (1) users of group members, (2) a group manager GM, and (3) a datacenter server DS. Users of group members are the owners of documents, and they are registered in their organization. GM plays a role similar to that of a client server, and it is a trusted party in our scheme. In our scheme, the GM manages the group session keys and the search keys of all groups, for secure communication and secure keyword index search. DS is not a trusted party in our scheme. Hence, all of the documents in a server should be encrypted, and querying keywords should also be encrypted. One of the most important things is that there is no decryption by a server throughout all processes.

2.3 Notations

$G$: a huge hierarchical group
$g_i$: $i$th small group of $G$
$g_i^j$: a small group $g_i$ at $j$th session
$D_n$: $n$th document
$W_n$: keyword list of $D_n$
$w_{n,i}$: $i$th keyword of $W_n$
$id_n$: identifier of $D_n$
$gk_i$: group session key of a small group $g_i$
$ik_i$: index generation key of a small group $g_i$
$dk_i$: document encryption key of a small group $g_i$
$gk_i^j$: group session key of $g_i$ at $j$th session
$ik_i^j$: index generation key of $g_i$ at $j$th session
$dk_i^j$: document encryption key of $g_i$ at $j$th session
$k_c$: GM's secret key
$f(\cdot)$: pseudorandom function (PRF)
$h(\cdot)$: one-way hash function

2.4 Definitions

Definition 1. One-Way Hash Key Chain
It is generated by selecting the last value at random and applying a one-way hash function $h$ repeatedly. Note that the initially chosen value is the last value of the key chain. The following are two properties of a one-way hash chain [24].

Property 1: Anybody can deduce that an earlier value $k_i$ belongs to the one-way key chain by using the later value $k_j$ of the chain and by checking that $h^{j-i}(k_j)$ equals $k_i$.

Property 2: Given the latest released value $k_i$ of a one-way key chain, an adversary cannot find a later value $k_j$ such that $h^{j-i}(k_j)$ equals $k_i$. Even when value $k_{i+1}$ is released, the second pre-image collision resistant property prevents an adversary from finding $k'_{i+1}$ different from $k_{i+1}$ such that $h(k'_{i+1})$ equals $k_i$.

Definition 2. PRF
We say that $F : K_f \times X \rightarrow Y$ is a $(t, q, \epsilon)$-secure PRF if every oracle algorithm $A$ making at most $q$ oracle queries and with running time at most $t$ has advantage $Adv_A < \epsilon$. The advantage is defined as $Adv_A = |\Pr[A^{F_k} = 1] - \Pr[A^{R} = 1]|$, where $R$ represents a random function selected uniformly from the set of all maps from $X$ to $Y$, in which the probabilities are taken over the choice of $k$ and $R$ [5].

2.5 Algorithm

SysPara($1^k$). It takes as input a security parameter $k$ and outputs a system parameter $\lambda$. $\lambda$ determines the elements needed to set up the encrypted database system, such as the size of database, encryption/decryption algorithm, functions, the size of parameters, and so on.
KeyGen($\lambda$). Taking $\lambda$ as an input, this algorithm generates the users' group session key set $\{gk\}$, index generation key set $\{ik\}$, and document encryption key set $\{dk\}$.
IndGen($ik$, $W$). Inputs of algorithm IndGen are an index generation key $ik$ and a keyword set $W$. Output is the index list table.
DocEnc($dk$, $D$). Given a document encryption key $dk$ and a document $D$, this algorithm outputs an encrypted document.
TrapGen($w$, $ik$). This algorithm takes a keyword $w$ and index generation key $ik$. It encrypts the keyword $w$ with index generation key $ik$ and returns the encryption value, which is the trapdoor $T_w$ for the keyword $w$.
Retrieval($T_w$). This algorithm takes as input the trapdoor $T_w$. If there exist matching values to the trapdoor $T_w$ in an index list, then it outputs the encrypted documents that are mapped to the identifiers of the matching values in the index list table.
Dec($E(D)$, $dk$). Given a document encryption key $dk$ and encrypted document $E(D)$, it outputs a plaintext document $D$.

3 Construction Of Practical Keyword Index Search-I (PKIS-I)

Our scheme PKIS largely comprises two parts: (1) the uploading phase and (2) the downloading phase. The uploading phase consists of four algorithms: SysPara, KeyGen, IndGen, DocEnc. The downloading phase is composed of three algorithms: TrapGen, Retrieval, Dec.

PKIS-I's group key generation method is based on [3]. However, in [3], SIS-G has a big potential problem. If one of the group members would reveal his/her group key to a server, the server could know all of the previous documents of the group members.
In order to resolve this problem, we add a re-encryption process through GM and propose a new practical scheme with normalized database tables over encrypted documents in the keyword index search protocol area.

3.1 Uploading phase

3.1.1 SysPara($1^k$) construction

With the algorithm SysPara($1^k$), GM generates system parameter $\lambda = (f(\cdot), h(\cdot), q)$. $f : \{0,1\}^k \times \{0,1\}^* \rightarrow \{0,1\}^k$ is a PRF and $h : \{0,1\}^* \rightarrow \{0,1\}^k$ is a one-way hash function. $q$ is the length of the one-way hash key chain.

3.1.2 KeyGen($\lambda$) construction

In this construction, group search keys are generated. With system parameter $\lambda$, GM generates group session keys $\{gk_i^j\}$, index generation keys $\{ik_i^j\}$, and document encryption keys $\{dk_i^j\}$, where index generation keys and document encryption keys are called search keys.

The search keys are reversely generated by one-way hash key chains. At first, the last key of a key chain is selected (i.e. $ik_i^q$ and $dk_i^q$, if the length of a key chain is $q$). GM applies the hash function to the last key repeatedly and computes all other keys until the first key comes out. It can be expressed like this: $ik^{i} = h(ik^{i+1})$, $dk^{i} = h(dk^{i+1})$, where $i \in [1, q-1]$. In more detail:

$\{ik_i\} = \{ik_i^q \in_R \{0,1\}^k,\ h(ik_i^q) = ik_i^{q-1},\ h(ik_i^{q-1}) = ik_i^{q-2},\ \ldots,\ h(ik_i^4) = ik_i^3,\ h(ik_i^3) = ik_i^2,\ h(ik_i^2) = ik_i^1\}$.

$\{dk_i\} = \{dk_i^q \in_R \{0,1\}^k,\ h(dk_i^q) = dk_i^{q-1},\ h(dk_i^{q-1}) = dk_i^{q-2},\ \ldots,\ h(dk_i^4) = dk_i^3,\ h(dk_i^3) = dk_i^2,\ h(dk_i^2) = dk_i^1\}$.

For example, if an event of a session-change happens for a subgroup $g_i$, the first session is changed into the second session and then the group session key, the document encryption key, and the index generation key are changed like this: $gk_i^1 \rightarrow gk_i^2$, $dk_i^1 \rightarrow dk_i^2$, $ik_i^1 \rightarrow ik_i^2$.

The one-way hash function $h$ plays the important role for the group search key in PKIS-I. The one-wayness property of the hash function prohibits a leaving member from computing new keys after leaving the group. But any newly joining member can obtain all previous keys by applying the hash function $h$ to the current key repeatedly.
This eliminates decryption and re-encryption of the previous documents.

These search keys are distributed to all of the group members at every membership change. For example, in the second session, a member of subgroup $g_i$ receives a new group session key $gk_i^2$ at first. This group session key can be distributed by GM with well-known group key protocols, such as the one in [25]. Then, $dk_i^2$ and $ik_i^2$, which are computed in advance by the hash key chain, are encrypted with $gk_i^2$ and transferred to all members of subgroup $g_i$. It is illustrated in Figure 1.

3.1.3 IndGen($ik$, $W$) and DocEnc($dk$, $D$) construction

When a user stores a document $D_n$ and its keywords $W_n = \{w_{n,1}, w_{n,2}, \ldots\}$ in a server, he encrypts the document and keywords with the algorithms DocEnc and IndGen. For a member of a small group $g_i$ in the $j$th session, the encrypted document and indexes are generated as follows:

$\{id_n,\ f_{dk_i^j}(D_n),\ f_{ik_i^j}(w_{n,1}),\ f_{ik_i^j}(w_{n,2}),\ \ldots\}$

where $f_{ik_i^j}(w_{n,1}), f_{ik_i^j}(w_{n,2}), \ldots$ are indexes, that is, the encrypted keywords. The user sends the encrypted document and indexes to GM.

3.1.4 Database update

Receiving the encrypted document and its indexes, GM re-encrypts them with his security key $k_c$. After this, GM sends them to a datacenter server DS. DS adds the received data to the tables of Index List and Encrypted Document at every upload. Index List is composed of indexes and their document identifiers as follows:

$f_{k_c}(f_{ik_i^j}(w_{n,1})),\ f_{k_c}(id_n)$; $f_{k_c}(f_{ik_i^j}(w_{n,2})),\ f_{k_c}(id_n)$; $\ldots$

Table 1 shows some parts of the index list table. Then, DS stores an identifier $f_{k_c}(id_n)$ and encrypted documents $f_{k_c}(f_{dk_i^2}(D_n))$ in a row like Table 2. Namely, PKIS is composed of two tables, where $f_{k_c}(id_n)$ plays the role of a pointer as well as an identifier of $D_n$. Since an index list is made in this way, we can make a relational DB by applying primary key and foreign key to PKIS.
The Index and Identifier of Document of Table 1 are defined as primary key, and Identifier of Document of Table 2 is defined as foreign key. There is no computation to test and to search in a datacenter server. We can diminish the gap from general plaintext search systems by minimizing computational overhead in the retrieval stage and applying an efficient DB schema.

3.2 Downloading phase

3.2.1 TrapGen($w$, $ik$) construction

Algorithm TrapGen($w$, $ik$) outputs trapdoors for a keyword $w$. We assume again that the user of group $g_i$ at the second session wants to search a keyword $w$. The keyword $w$ may be included in documents of the second session and/or the first session. Therefore, the user has to generate two trapdoors, encrypted with $ik_i^1$ and $ik_i^2$. That is, a user has to generate as many trapdoors as the number of session-changes, which is possible because a user can compute all the previous search keys by applying the hash function $h$ to the current search key repeatedly. Then, the user computes trapdoors using the same method as index generation and sends them to GM. GM re-encrypts them with his secret key and then queries a datacenter server DS with the trapdoors. For a member of a small group $g_i$ in the $j$th session, the trapdoors for a keyword $w$ are as follows:

$T_w = \{f_{k_c}(f_{ik_i^s}(w)),\ 1 \le s \le j\} = \{f_{k_c}(f_{ik_i^1}(w)),\ f_{k_c}(f_{ik_i^2}(w)),\ \ldots,\ f_{k_c}(f_{ik_i^j}(w))\}$

3.2.2 Retrieval($T_w$) and Dec($E(D)$, $dk$) construction

By the algorithm Retrieval, at first, DS searches for the same values as the querying trapdoors in the Index field of Table 1 and finds the matching values of Index and Identifier of Document. Then, DS searches for the same values as Identifier of Document in Table 2 and returns the matching Encrypted Documents to GM. GM decrypts them with his secure key $k_c$ and sends them to the user again. The user decrypts them with his/her group document encryption key. Figure 1 describes the whole process of PKIS-I.
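
The PKIS-I uploading and downloading phases described above, as an added Python sketch that is not code from the paper. It assumes HMAC-SHA256 for the PRF f, SHA-256 for h, SQLite for the two tables, and opaque byte strings in place of encrypted documents; every function, class, table and column name is an assumption of this example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional


def h(key: bytes) -> bytes:
    """One-way hash h (SHA-256 is an assumption of this sketch)."""
    return hashlib.sha256(key).digest()


def f(key: bytes, msg: bytes) -> bytes:
    """PRF f (HMAC-SHA256 is an assumption of this sketch)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def reversed_key_chain(q: int, last: Optional[bytes] = None) -> List[bytes]:
    """Pick the last key at random, hash backwards; chain[j-1] is session j."""
    chain = [last if last is not None else os.urandom(32)]
    while len(chain) < q:
        chain.append(h(chain[-1]))
    return chain[::-1]


def earlier_keys(current: bytes, j: int) -> List[bytes]:
    """A member holding the session-j key derives the keys of sessions j..1."""
    keys = [current]
    while len(keys) < j:
        keys.append(h(keys[-1]))
    return keys


class GroupManager:
    """Trusted GM: re-encrypts every index, identifier and trapdoor under k_c."""

    def __init__(self) -> None:
        self.k_c = os.urandom(32)

    def reencrypt(self, value: bytes) -> bytes:
        return f(self.k_c, value)


class Datacenter:
    """Untrusted DS: two tables and exact-match lookups, no per-row test."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("PRAGMA foreign_keys = ON")
        # Key direction below is the conventional one (assumption of this sketch).
        self.db.executescript("""
            CREATE TABLE encrypted_document (
                doc_id BLOB PRIMARY KEY, body BLOB NOT NULL);
            CREATE TABLE index_list (
                idx BLOB NOT NULL,
                doc_id BLOB NOT NULL REFERENCES encrypted_document(doc_id),
                PRIMARY KEY (idx, doc_id));
        """)

    def insert(self, doc_id: bytes, body: bytes, indexes: List[bytes]) -> None:
        self.db.execute("INSERT INTO encrypted_document VALUES (?, ?)", (doc_id, body))
        self.db.executemany("INSERT INTO index_list VALUES (?, ?)",
                            [(i, doc_id) for i in indexes])

    def retrieve(self, trapdoors: List[bytes]) -> List[bytes]:
        if not trapdoors:
            return []
        marks = ",".join("?" * len(trapdoors))
        rows = self.db.execute(
            "SELECT DISTINCT d.body FROM index_list i "
            "JOIN encrypted_document d ON d.doc_id = i.doc_id "
            "WHERE i.idx IN (%s) ORDER BY d.body" % marks, list(trapdoors))
        return [r[0] for r in rows]


def upload(gm, ds, ik, doc_id, body, keywords):
    indexes = [f(ik, w) for w in keywords]            # user: IndGen
    ds.insert(gm.reencrypt(doc_id), body,             # GM: database update
              [gm.reencrypt(i) for i in indexes])


def trapdoors(ik_current: bytes, j: int, w: bytes) -> List[bytes]:
    """User side of TrapGen: one trapdoor per session up to j."""
    return [f(k, w) for k in earlier_keys(ik_current, j)]


def search(gm, ds, user_trapdoors):
    return ds.retrieve([gm.reencrypt(t) for t in user_trapdoors])


def run_scenario():
    gm, ds = GroupManager(), Datacenter()
    ik = reversed_key_chain(q=4)
    # Constructed sample data: identifiers, ciphertext stand-ins, keywords.
    upload(gm, ds, ik[0], b"id-1", b"E(D1)", [b"budget", b"audit"])  # session 1
    upload(gm, ds, ik[1], b"id-2", b"E(D2)", [b"budget"])            # session 2
    return {
        # Current member in session 2 reaches documents of both sessions.
        "member_session_2": search(gm, ds, trapdoors(ik[1], 2, b"budget")),
        # Member who left after session 1 only holds the session-1 key.
        "left_after_session_1": search(gm, ds, trapdoors(ik[0], 1, b"budget")),
        # DS with a leaked search key but without k_c matches nothing.
        "server_with_leaked_ik": ds.retrieve(trapdoors(ik[1], 2, b"budget")),
    }


if __name__ == "__main__":
    print(run_scenario())
```
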

4 Construction Of Practical Keyword Index Search II (PKIS-II)

In PKIS-II, the main difference from PKIS-I is that the search keys are not changed but fixed, irrespective of membership changes. GM keeps the key matching information for groups, which consists of all of the group session keys and group search keys for each group. The users of group members do not know their group search keys. The only thing they know is a group session key. Instead, GM takes the users' places in the search processes. The operative processes are similar to PKIS-I.

4.1 Uploading phase

4.1.1 SysPara($1^k$) construction

This process is the same as in PKIS-I.

4.1.2 KeyGen($\lambda$) construction

GM generates group session keys, index generation keys, and document encryption keys for each group and stores them in a key matching table. In PKIS-II, if a session-change happens, for example for a subgroup $g_i$ from the first session to the second session, then the group session key is changed from $gk_i^1$ to $gk_i^2$. However, the search keys, document encryption key $dk_i$ and index encryption key $ik_i$, are unchanged and remain $dk_i$ and $ik_i$. When needed, they can be encrypted with GM's secret key $k_c$.

Figure 1 The whole process of PKIS-I. (Protocol diagram between User, GM and DS. Uploading: 1. System Parameter Generation; 2. Key Generation; 3. Index Generation and Document Encryption; 4. Database Update. Downloading: 1. Trapdoor Generation; 2. Retrieval; 3. Decryption.)

Table 1 Index list
Index | Identifier of document
f kc (f ik (w n, )) | f kc (id )
f kc (f ik (w ,2 )) | f kc (id )
f kc (f ik (w ,t )) | f kc (id )
f kc (f ik 2 (w 2, )) | f kc (id 2 )
f kc (f ik 2 (w 2,2 )) | f kc (id 2 )
f kc (f ik 2 (w 2,t )) | f kc (id 2 )
f kc (f ik 3 (w 4, )) | f kc (id 4 )
f kc (f ik 3 (w 4,t )) | f kc (id 4 )
f kc (f ik s (w n,t )) | f kc (id n )

Table 2 Encrypted document
Identifier of documents | Encrypted document
f kc (id ) | f kc (f dk (D ))
f kc (id 2 ) | f kc (f dk 2 (D 2 ))
f kc (id 7 ) | f kc (f dk 3 (D 7 ))
f kc (id 8 ) | f kc (f dk 3 2 (D 8 ))
f kc (id 9 ) | f kc (f dk 2 3 (D 9 ))
f kc (id 4 ) | f kc (f dk 3 (D 4 ))
f kc (id 56 ) | f kc (f dk 22 8 (D 56 ))
f kc (id n ) | f kc (f dk s l n))

4.1.3 IndGen($ik$, $W$) and DocEnc($dk$, $D$) construction

When a user stores a document $D_n$ and its keywords $\{w_{n,1}, w_{n,2}, \ldots\}$ in a server, he encrypts the document and keywords with his group session key. For a member of a small group $g_i$ in the $j$th session, the encrypted document and indexes in PKIS-II are generated as follows:

$\{f_{gk_i^j}(id_n),\ f_{gk_i^j}(D_n),\ f_{gk_i^j}(w_{n,1}),\ f_{gk_i^j}(w_{n,2}),\ \ldots\}$

The user sends these to GM.

4.1.4 Database update

Receiving the encrypted document and its indexes, GM decrypts them with the group $g_i$'s session key and then re-encrypts them with the group search keys (index encryption key and document encryption key) and GM's secret key. Then, GM sends them to a server as follows:

$\{f_{k_c}(id_n),\ f_{dk_i}(D_n),\ f_{ik_i}(w_{n,1}),\ f_{ik_i}(w_{n,2}),\ \ldots\}$

The next process is the same as in PKIS-I.

4.2 Downloading phase

4.2.1 TrapGen($w$, $ik$) construction

The main difference from PKIS-I in the construction of algorithm TrapGen($w$, $ik$) is that PKIS-II does not need to generate as many trapdoors as the number of session-changes. If a user wants to search a keyword $w$, the user encrypts the keyword with his group session key and sends the trapdoor to GM.
Like the Database Update Stage, GM decrypts and re-encrypts them. Then, GM queries DS with it. For a member of a small group $g_i$, the trapdoor for a keyword $w$ in PKIS-II is only one at any time, like this:

$T_w = (f_{ik_i}(w))$

4.2.2 Retrieval($T_w$) and Dec($E(D)$, $dk$) construction

The retrieval stage is also the same as in PKIS-I. Receiving the results (encrypted documents) from DS, GM decrypts them with data encryption key $dk_i$ and re-encrypts them with group session key $gk_i^j$. Then, GM sends them to the user again. The user decrypts them with his group session key $gk_i^j$. Figure 2 shows the whole process of PKIS-II.

5 Security Analysis

5.1 Group search secrecy

Our retrieval system is the group key-based cryptographic searching method on encrypted documents. Therefore, in this section, we discuss group key secrecy. The following are the group key security requirements in [26].

Group key secrecy: It must be computationally infeasible for a passive adversary to discover any secret group key.
Forward secrecy: Any passive adversary being in possession of a subset of old group keys must not be able to discover any subsequent group key.
Backward secrecy: Any passive adversary being in possession of a subset of subsequent group keys must not be able to discover any preceding group key.
Key independence: Any passive adversary being in possession of any subset of group keys must not be able to discover any other group key.

Forward secrecy provides security for subtractive events (leave), since it prevents former group members from computing the updated group key. Similarly, backward secrecy provides security for additive events (join), because it prevents new members from discovering the previously used group keys [27].

In this paper, the term negligible function refers to a function $\eta : N \rightarrow R$ such that for any $c \in N$, there exists $n_c \in N$ such that $\eta(n) < n^{-c}$ for all $n \ge n_c$ [3].
Figure 2 The whole process of PKIS-II. (Protocol diagram between User, GM and DS. Uploading: 1. System Parameter Generation; 2. Key Generation, with GM keeping the KEY MATCHING Table; 3. Index Generation and Document Encryption; 4. Database Update. Downloading: 1. Trapdoor Generation; 2. Retrieval; 3. Decryption.)
However, group key-based search system should not follow the above properties because a new joiner to the group such as a company or a government office should be able to search all of the previous documents to perform their successive tasks of the group. Namely, backward secrecy must not be a security requirement for our group search system. In this paper, we define group search secrecy as follows.

Forward search secrecy: For any group $g^j$, the probability that a participant $p \in g^j$ can generate valid trapdoors for the (j + 1)th session is negligible when the participant knows valid group search key $K^j$, where $p \notin g^{j+1}$ and 0 < j < q. $k^j$ and $dk^j$ fall under $K^j$ in PKIS-I and $gk^j$ falls under $K^j$ in PKIS-II. It means that all leaving members from a group should not access to all of the next documents of the group any more.

Backward search accessibility: For any group $g^j$, the probability that a participant $p \in g^j$ can generate valid trapdoors for the (j - l)th session is $1 - \eta(n)$ when the participant knows valid group search key $K^j$, where $p \notin g^{j-l}$ and 0 < l < j. $k^j$ and $dk^j$ fall under $K^j$ in PKIS-I and $gk^j$ falls under $K^j$ in PKIS-II. Namely, all joining members to a group can access to all of the previous documents of the group.

Group search secrecy: For a datacenter server DS, when a revelation of group search key $K^j$ happens, the probability that DS can guess correctly the encrypted documents of group g at the jth session is negligible. It must be computationally infeasible for DS to know or guess correctly the contents of the encrypted documents and trapdoors even if a leaving member or another member in a group reveals his group search keys.

5.1.1 PKIS-I

In PKIS-I, group search keys are reversely generated by the one-way hash key chain. Our scheme PKIS-I satisfies with Group Search Secrecy as follows.
Forward search secrecy: By the Property 2 of Definition 1, if the latest released group search key is $K^j$, any participant cannot know a later value $K^l$ such that $h^{l-j}(K^l) = K^j$. Therefore, the probability that a participant $p \in g^j$ can generate valid trapdoors for the next (j + 1)th session is negligible, where $p \notin g^{j+1}$.

Backward search accessibility: By the Property 1 of Definition 1, if the latest released group search key is $K^j$, any participant can deduce an earlier value $K^l$ by applying the later value $K^j$ to one-way hash key chain like this: $h^{j-l}(K^j) = K^l$. Therefore, the probability that a participant $p \in g^j$ can generate valid trapdoors for the (j - l)th session is $1 - \eta(n)$, where $p \notin g^{j-l}$ and 0 < l < j.

Group search secrecy: In PKIS-I, GM re-encrypts all documents and indexes including trapdoors with his secret key $k_c$. Although one of group members reveals his/her group search keys to a datacenter server DS, DS cannot learn anything because DS does not know GM's secret key $k_c$. Therefore, the probability that DS can guess correctly the encrypted documents of group g at the jth session is negligible when $K^j$ is revealed to DS.

5.1.2 PKIS-II

Group search keys k and dk are unchangeable in PKIS-II and actual group search secrecy depends on group session key gk. When a user queries GM with a keyword, the keyword is encrypted by his/her group session key. If the user is a valid member of a certain group, GM can decrypt the querying keyword and then can generate a valid trapdoor for the user with his/her group search key. In this respect, it is proper that we regard a group session key as a group search key in PKIS-II. Thus, group search secrecy is up to the security of a group key agreement protocol.

Forward search secrecy: If membership changes occur, a new group session key is generated and distributed securely to valid members according to a given protocol, and leaving members cannot get a new group session key. Hence, the leaving member cannot generate the valid trapdoor for a new session because GM decrypts a trapdoor with the group's newly updated session key.
We assume that a given group key agreement protocol satisfies with forward secrecy with the probability of $1 - \eta(n)$. Then, the probability that a participant $p \in g^j$ can generate valid trapdoors in the next (j + 1) session is negligible (or follows negligible function) when the participant knows the jth valid group search key $K^j$ (= $gk^j$).
Backward search accessibility: For joining members, a new group session key is generated and distributed securely to valid members according to a given protocol, and the new joiners can also retrieve all of the previous documents because group search keys k and dk are unchangeable in PKIS-II. If a joiner is authenticated as a valid user with his/her group session key, GM queries DS with a trapdoor instead of the user. The trapdoor is encrypted by unchangeable index generation key k. We assume again that the given group key agreement protocol satisfies with backward secrecy with the probability of $1 - \eta(n)$. Then, the probability that a participant $p \in g^j$ can generate valid trapdoors for the (j - l)-th session is $1 - \eta(n)$ when the participant knows valid group search key $K^j$ (= $gk^j$), where $p \notin g^{j-l}$ and 0 < l < j.

Group search secrecy: Members of a group cannot know their group search keys k and dk in PKIS-II and only GM knows them. Even if a leaving member or another malicious member reveals his group session key gk to DS, DS cannot know the contents of the documents or trapdoor because they are encrypted with the group search keys k and dk that group members do not know. Therefore, the probability that a datacenter server DS can guess correctly the encrypted data of a group g at the jth session is negligible when $K^j$ (= $gk^j$) is revealed to DS.

5.2 Keyword index search privacy

Song et al. [5] firstly proposed a cryptographic scheme which queries with encrypted keyword over encrypted data without decrypting anything by a server. They introduced four security requirements under an untrustworthy server.
They are provable secrecy (an untrustworthy server cannot learn anything about the plaintext given only the ciphertext), controlled searching (an untrustworthy server cannot search for a word without the user's authorization), hidden queries (an user may ask the untrustworthy server to search for a secret word without revealing the word to the server), and query isolation (an untrustworthy server learns nothing more than the search result about the plaintext). However, Song's scheme is not for an index search system so that indistinguishability of indexes have been considered additionally in other keyword index search schemes as well as the Song's requirements. In our scheme, we assume an untrustworthy server as an adversary and our goal is to prevent a server from revealing or misusing users' information without users' consent. We accomplish our goal by encrypting documents and querying keywords. With relation to this goal, we define our security requirements using the term of Privacy. The privacy is the ability to control private information, which includes identity and identifiers, and sensitive information [28], i.e., self-control for his/her information. The following is our definition about keyword index search privacy.

5.2.1 Retrieval access control

User access control. For participants $p \in g$, the probability that p can search for the documents of $g_t$ is negligible, where, t, t. It means that all of the users encrypt their documents with their secret key and can retrieve only their documents. It is because only a legitimate user who has a valid key can generate valid trapdoors and decrypt the retrieved data, where valid trapdoors mean the querying keywords to GM, generated by valid users.

1) PKIS-I: If a user $p \in g$ tries to retrieve some documents of a group $g_t$ in the second session, p should know $k_t^1$, $k_t^2$ and $dk_t^1$, $dk_t^2$, which are encrypted with each group session keys and transferred to the group members of $g_t$ like this: f gk 2 t (k 2 t, dk2 t ), f gk 2(k2 t t, dk2 t ). Refer to Figure 2.
The only users that know the search keys $k_t^1$ and $k_t^2$ can generate valid trapdoors. Then, the users query GM with the trapdoors. Except for the members of a group $g_t$, nobody knows the values $k_t^1$, $k_t^2$ and $dk_t^1$, $dk_t^2$ because of the security of PRF f. We assume that f is $(t, q, \epsilon)$-secure PRF and a user $p \in g$ tries to retrieve the documents of a group $g_t$ in the jth session, where, t, t. Then, by Definition 2, we know $Adv_A < \epsilon^j$, $0 < \epsilon < 1$. Therefore, we can say that the probability of retrieval is negligible. In addition, if malicious leaving members from $g_t$ reveal their group search keys to other groups' members when a session is changed from the second to the third, other users can know only $k_t^1$, $k_t^2$ and $dk_t^1$, $dk_t^2$. Because they cannot know new session's keys $k_t^3$, $dk_t^3$, they cannot generate valid trapdoors for the third session so that they cannot be authenticated as valid users to GM. This problem falls under Forward Search Secrecy.

2) PKIS-II: A user $p \in g$ should know $gk_t^j$ to retrieve the documents of a group $g_t$ in the jth session. This is because valid users generate trapdoors with their group session key and then query GM with the trapdoors in PKIS-II. The group session keys are distributed to the group members securely according to a given group
key agreement protocol. We assume that a given group key agreement protocol is secure for key distribution with the probability of $1 - \eta(n)$. Therefore, the probability that a participant $p \in g$ can retrieve the documents of $g_t$ follows negligible function $\eta(n)$, where, t, t.

Server search control. For a datacenter server DS, when DS generates trapdoors with a random selected keyword and search keys, the probability that a server succeeds in retrieving is negligible. It is the similar concept to controlled searching of [5] and capability of [13]. An untrustworthy server cannot search for a word without given searching ability from users. In our schemes, the concept is the same meaning as a valid trapdoor. The valid trapdoor generation requires that a user should know secret key values. Here, valid trapdoors mean the querying keywords generated by GM to a datacenter server DS.

1) PKIS-I: Valid trapdoors are generated by the secret values of each session in PKIS-I: an index generation key k and GM's secret key $k_c$. The two values are secret keys for PRF f. By Definition 2, if DS generates trapdoors with a random selected keyword and search keys, the probability that a server can succeed in retrieving is $\epsilon^2$, negligible.

2) PKIS-II: Valid trapdoors are generated by an unchanging index generation key k. In PKIS-II, k is the secret key which any user does not know but only GM knows that. The key is also a secret key for PRF f. Therefore, by Definition 2, if DS generates trapdoors with a random selected keyword and search keys, the probability that a server can succeed in retrieving is $\epsilon$, negligible.

5.2.2 Unobservability

Generally, unobservability means that when a user utilizes a resource or service, the others cannot know the resource or service is being used [29].
If f is a pseudorandom function, h is one-way hash function, and all processes are performed according to the given protocol, all attackers (including insiders such as a datacenter server DS) cannot learn anything about the contents of encrypted documents by querying with encrypted keywords. It is because all the search processes by DS are implemented without decrypting anything. We assume that f is $(t, q, \epsilon)$-secure PRF as we define earlier, h is $(t, \epsilon_h)$ one-way hash function such that any attack algorithm A running in time t has success probability at most $\epsilon_h$, and a given group key agreement protocol is secure with the probability of $1 - \eta(n)$. We choose the key material as described above, and all processes are done according to the given protocol. Then, our scheme PKIS-I can guarantee the security at least $1 - \{\epsilon_h + (2\epsilon^2 + \epsilon) + \epsilon^2\}$ through whole processes in that an adversary cannot learn anything about the contents of encrypted documents except for the results (endnote e). PKIS-II can guarantee the security at least $1 - \{\eta(n) + 3\epsilon + 2\epsilon\}$.

5.2.3 Unlinkability - index indistinguishability

Unlinkability means that when resources and services are used by someone, the others cannot link these being correlated or used together. In keyword index search system, it can be regarded as index indistinguishability. Since Goh [8] formulated IND-CKA for indexes known as semantic security, most researchers have followed Goh's security definition and proof in this area. Indistinguishability for Indexes guarantees that an adversary cannot deduce data's contents from its index list. An adversary cannot know even the fact whether two documents have the common keyword or not. Given two word lists $W_0$ and $W_1$, we say that the search scheme provides Index Indistinguishability if a server S cannot distinguish the index list $I_0$ from $I_1$ for $W_0$ and $W_1$ with non-negligible advantage. However, our schemes do not guarantee this property. In our scheme, the common keywords in different documents for a certain group have the same index values.
Even if an adversary does not know what the keywords mean, the adversary can know that the keywords have something in common. An adversary might guess that two documents have something correlated. This is because we use only deterministic symmetric functions that have the same encryption value under the same data and the same key. And we did not use any random factor in our schemes. It makes our schemes more efficient than any other schemes because we can apply the database schema of primary key and foreign key. The details are addressed in the next section. Consequently, our schemes can guarantee Retrieval Access Control and Unobservability but not Unlinkability. However, in a common real world, users would like to choose practical schemes under the appropriate control of security other than the scheme which is hard to apply a real world due to inefficiency from the high level of security.

6 Experiments Of Performance

In this section, we describe the experiments of our proposed schemes.

6.1 Setting of experiments

Our system processes the transactions on an Intel Pentium 4 CPU 2.66 GHz processor with 52 MB RAM. We use MS SQL Server 2000 as the database system and use WinAPI C Library and MS-SQL DB Library for
C. These experiments use OpenSSL cryptography modules for cryptographic operations such as SHA-1 and AES. Table 3 describes the detailed implementation parameters. We assume different documents contain common keywords, and we set that a common keyword repeats at least every 435 documents among 10,000 documents. Through our experiments, group search and efficiency can be identified as primary results of our schemes. Consequently, our experiments consist of largely two parts: Sections 6.2 and 6.3. Section 6.2 deals with the analysis of our schemes in group search. Section 6.3 deals with comparisons of our scheme PKIS-II with other schemes in order to show the efficiency of our schemes.

6.2 Analysis on PKIS-I and PKIS-II

We experiment with respect to the number of documents and the number of sessions. For example, the search process of PKIS-I takes about 7.9 ms (0.0079 s) at the first session and PKIS-II takes about 8.8 ms (0.0088 s) for 10,000 documents. Refer to Table 4.

The main difference between PKIS-I and PKIS-II is key management. In PKIS-I, group search keys k and dk are reversely generated with hash key chains by GM, which are dynamic to session-changes. The group search keys for each session are encrypted with a group session key and then transferred to group members. Actual encryption keys for indexes and documents in database tables are made up of the group search keys and GM's secret key. This means that secret values are managed together by group members and GM. Especially, the more number of sessions have passed, the more trapdoors for one keyword query should be generated in PKIS-I, because group search keys k and dk are updated dynamically to session-changes. Nevertheless, the searching time of PKIS-I is only within 53 ms (0.053 s) when a session is the 1000th. In fact, the current session may be over 1000 in some environments such as mobile environments, and it would require more time and computational overheads. However, our applications are for organizations such as companies or municipal offices, so that our performance can manage these applications (group organizations) sufficient.

Table 4 Searching time according to session-changes (time unit: ms)

Scheme              PKIS-I                              PKIS-II
No. of sessions     1       10      100     1000
2500 documents      5.8     8.0     9.9     38.6        6.8
5000 documents      6.9     0.3     3.9     42.6        7.8
7500 documents      7.4     3.9     6.3     49.3        8.4
10000 documents     7.9     3.9     8.3     52.7        8.8

In PKIS-II, group search keys k and dk are unchanging irrespectively of session-changes. GM keeps a key matching information for groups, where group search keys k and dk are matched to the dynamic group's session keys. When group members query GM with some data, the data should be encrypted with the group's session key, whereby a group member can be authenticated as a valid group member. Once a member passes the authentication, most processes are implemented by GM instead of the member. Receiving some data from a group member or a server, GM decrypts and re-encrypts the received data, so that GM gets to know all of the contents of documents and trapdoors every query time. However, only one trapdoor is sufficient for one keyword due to unchanging group search keys independently of session-changes. The invariable searching time is required irrespectively of session-changes. If the current number of session is high, the performance of PKIS-II is more efficient than PKIS-I as described in Table 4.

Table 3 Implementation environment and parameters

Agent
  Processor                        Intel Pentium 4 CPU 2.66 GHz
  RAM                              52 MB
  Language                         C++
  Crypto. Eng.                     OpenSSL Crypto Library (AES-CBC-128)
Database
  Product                          MS SQL Server 2000
  Interface                        WinAPI Library, MS-SQL DB Library for C
Cryptographic Parameter
  PRF                              AES (128 bits)
  Hash function                    SHA-1 (160 bits)
Dataset
  The number of keywords           7
  The number of common keywords    435
  The number of documents          2500, 5000, 7500, 10000
  The number of sessions           1, 10, 100, 1000
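The key management that Sections 5.1.1 and 6.2 describe for PKIS-I can be made concrete with a short model. This is an added example, not the authors' implementation: HMAC-SHA256 and SHA-256 stand in for the paper's AES-based PRF and SHA-1, the wrapping of index values as f under $k_c$ of f under the session key is an assumed simplification, and all names and sample data are constructed.

```python
import hashlib
import hmac

# Constructed sample data: (session of upload, document id, keywords).
UPLOADS = [
    (1, "d1", ["budget"]),
    (2, "d2", ["budget", "audit"]),
    (3, "d3", ["budget"]),
]


def h(value: bytes) -> bytes:
    """One-way hash for the key chain (SHA-256 here; the paper uses SHA-1)."""
    return hashlib.sha256(value).digest()


def prf(key: bytes, data: bytes) -> bytes:
    """Deterministic keyed PRF; HMAC stands in for the paper's AES-based PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()


def make_chain(seed: bytes, q: int) -> list:
    """GM side: K^q = seed and K^(j-1) = h(K^j). Returns [K^1, ..., K^q]."""
    keys = [seed]
    for _ in range(q - 1):
        keys.append(h(keys[-1]))
    keys.reverse()
    return keys


def earlier_key(key_j: bytes, j: int, l: int) -> bytes:
    """Member side: K^l = h^(j-l)(K^j) for 1 <= l <= j. Later keys need a preimage."""
    if not 1 <= l <= j:
        raise ValueError("only the current or an earlier session key can be derived")
    for _ in range(j - l):
        key_j = h(key_j)
    return key_j


def member_trapdoors(key_j: bytes, j: int, keyword: str) -> list:
    """One trapdoor per session 1..j, so the query cost grows with the session count."""
    return [prf(earlier_key(key_j, j, l), keyword.encode()) for l in range(1, j + 1)]


def build_index(chain: list, k_c: bytes, uploads: list) -> dict:
    """GM re-encrypts every member-side index value under its own secret k_c."""
    index = {}
    for session, doc_id, keywords in uploads:
        for w in keywords:
            stored = prf(k_c, prf(chain[session - 1], w.encode()))
            index.setdefault(stored, set()).add(doc_id)
    return index


def search(index: dict, k_c: bytes, key_j: bytes, j: int, keyword: str) -> set:
    """Member sends trapdoors to GM; GM wraps them with k_c and queries the server."""
    hits = set()
    for t in member_trapdoors(key_j, j, keyword):
        hits |= index.get(prf(k_c, t), set())
    return hits


def server_guess(index: dict, leaked_key_j: bytes, j: int, keyword: str) -> set:
    """Server holding a leaked K^j but not k_c: its trapdoors match no stored value."""
    hits = set()
    for t in member_trapdoors(leaked_key_j, j, keyword):
        hits |= index.get(t, set())
    return hits


if __name__ == "__main__":
    chain = make_chain(b"constructed seed", 3)
    k_c = b"constructed GM secret"
    ds = build_index(chain, k_c, UPLOADS)
    print("member at session 3:", sorted(search(ds, k_c, chain[2], 3, "budget")))
    print("left after session 2:", sorted(search(ds, k_c, chain[1], 2, "budget")))
    print("server with leaked K^3:", sorted(server_guess(ds, chain[2], 3, "budget")))
```

A member holding $K^3$ reaches the documents of all three sessions, a member who left with $K^2$ cannot reach the session 3 document, and the per-query trapdoor count equals the session number, which is the growth visible in the PKIS-I columns of Table 4.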
6.3 Comparison of our scheme with other schemes

6.3.1 The results of implementation

In order to evaluate our scheme's performance with objective validity, we experiment the following four previous schemes: (1) Song et al.'s [5]; (2) Golle et al.'s [13]; (3) Waters et al.'s [9] variation; and (4) Park et al.'s [30]. Song et al. deal with the symmetric cryptographic method as a pioneering work in this area. Golle et al. conduct the most secure scheme, which satisfies query isolation and index indistinguishability as well. Waters et al. deal with audit log server; however, we assume that their server is as a general database server, because their keyword search technique on the encrypted data has wide applications beyond searchable audit logs. We experiment only one, symmetric scheme of their two symmetric and asymmetric schemes, because symmetric scheme is much faster. Park et al.'s schemes also deal with symmetric methods. They work on similarity search, and their schemes are the encrypted characters by characters. The searching method is approximate string matching test by hamming distance, i.e., we can expect the schemes would be inefficient. However, Park et al. maintain Golle et al.'s security and improve Golle et al.'s inefficiency in spite of the characterwise encryption method. In their paper [30], they did not show the formal security proof and the experimental proof. Therefore, this paper compares Golle et al.'s and Park et al.'s with our schemes.

Although there are many papers as the recent schemes such as [18,20-23], [18,20,21] do not deal with the Boolean operation on keyword searches as the traditional searchable encryption schemes, but the ranked search operation. As we mentioned earlier, the comparison with our method is meaningless, because their evaluation method and security requirements are different.
In addition, these schemes of [22,23] are also not appropriate to compare with our schemes, because [22,23] deal with asymmetric schemes based on pairing-based cryptography. Section 6.3.3 demonstrates the detailed reasons.

In order to evaluate the efficiency of encrypted search systems more precisely, we also perform experiments on the plaintext version (PKIS-IIP) without encryption. We compared only PKIS-II with other schemes, because our schemes take the multiple user setting of group search. On the other hand, PKIS-II has the similar search processes to other schemes, because it does not require the group search key changes such as PKIS-I.

Table 5 shows the result of our experiments. The performance of our scheme is much better than the existing schemes. For instance, the performance of PKIS-II is about 935 times faster than Golle's scheme and about 6 times faster than Song et al.'s scheme for 10,000 documents. Park et al.'s schemes, SSS-I and SSS-II are not fast but their schemes are faster than Golle's as they claimed.

Table 5 Searching time comparison with other schemes (time unit: ms)

                    Song    Golle   Waters  SSS-I   SSS-II  PKIS-II  PKIS-IIP
2500 documents      47      2094    79      270     72      6.8      2.8
5000 documents      62      4439    57      536     3269    7.8      3.8
7500 documents      09      699     204     84      5088    8.4      4.3
10000 documents     47      8229    297     969     6756    8.8      4.8

In the search process, PKIS-II needs very slight computational overheads, within 10 ms (0.01 s). With the respect to time consumption, a search process is the most important factor. The search process of PKIS-II is similar to general plaintext search system because it can directly access the data without verifying for every row. It needs the additional time only to generate a trapdoor and to decrypt returned documents. The used cryptographic function in PKIS is also very fast. From the next subsection, we analyze our results in two respects of the applicability of DB schema and the influence of functions.
6.3.2 The applicability of DB schema

In most existing schemes, the indexes of each document are encrypted with random factors for indistinguishability and the encrypted indexes are stored by a row. Hence, a server should implement at least one computation for each document every row to verify whether this document contains the querying keyword or not. This makes it difficult to apply DB schemas into encrypted database search systems. Accordingly, the computational complexity of previous schemes requires at least O(n) if the number of documents is n. In addition, most previous schemes store a document's indexes by a row not in a field (column). The computation or scanning within one field is relatively faster than within one row. In contrast, the computation or scanning for many fields within one row is not fast.

Our schemes solved these problems by different database structures from other schemes. In Table Index List, all of the indexes for all documents are stored in one field. Generally, the row size limitation is strict but the field size of database is at least 4 TB or more, i.e. relatively unrestricted. For example, the maximum number of bytes per row of MS SQL 2000 is only 8 kb and MS SQL 2005 is 2 GB [31]. Hence, setting an index column for all indexes does not have any problem in our schemes, and the encrypted documents and their identifiers are stored in another table.
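The trade-off between Section 5.2.3 (deterministic index values are linkable) and Section 6.3.2 (they allow an ordinary indexed lookup) can be seen side by side in a small database. This is an added example, not the authors' code: SQLite replaces MS SQL Server, HMAC-SHA256 stands in for the AES-based PRF, the table and column names are hypothetical, `per_row_index` is a generic randomized per-row index rather than any specific cited scheme, and document bodies are opaque placeholders.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data: document name -> keywords.
DOCS = {"d1": ["cloud", "audit"], "d2": ["cloud", "payroll"], "d3": ["payroll"]}

SCHEMA = """
CREATE TABLE documents (doc_id BLOB PRIMARY KEY, body BLOB);
CREATE TABLE index_list (kw_index BLOB, doc_id BLOB REFERENCES documents(doc_id));
CREATE INDEX ix_kw ON index_list(kw_index);
CREATE TABLE per_row_index (doc_id BLOB, nonce BLOB, tag BLOB);
"""

# What the server can read without any key, per index layout.
SERVER_VIEW = {
    "index_list": "SELECT kw_index, doc_id FROM index_list",
    "per_row_index": "SELECT tag, doc_id FROM per_row_index",
}


def prf(key: bytes, data: bytes) -> bytes:
    """Deterministic keyed PRF; HMAC stands in for the paper's AES-based PRF."""
    return hmac.new(key, data, hashlib.sha256).digest()


def build_db(docs: dict, k: bytes) -> sqlite3.Connection:
    """Store each keyword twice: deterministically and with a per-row random factor."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for name, keywords in docs.items():
        doc_id = prf(k, b"id:" + name.encode())
        body = b"<ciphertext of " + name.encode() + b">"  # placeholder, not encrypted here
        db.execute("INSERT INTO documents VALUES (?, ?)", (doc_id, body))
        for w in keywords:
            trapdoor = prf(k, w.encode())
            nonce = os.urandom(16)
            db.execute("INSERT INTO index_list VALUES (?, ?)", (trapdoor, doc_id))
            db.execute("INSERT INTO per_row_index VALUES (?, ?, ?)",
                       (doc_id, nonce, prf(trapdoor, nonce)))
    return db


def search_index_list(db: sqlite3.Connection, trapdoor: bytes) -> set:
    """Equality match on the index column plus a primary/foreign key join."""
    rows = db.execute(
        "SELECT d.doc_id FROM index_list AS i "
        "JOIN documents AS d ON d.doc_id = i.doc_id WHERE i.kw_index = ?",
        (trapdoor,)).fetchall()
    return {r[0] for r in rows}


def search_per_row(db: sqlite3.Connection, trapdoor: bytes):
    """Randomized layout: the server must run one PRF test against every row."""
    hits, tests = set(), 0
    for doc_id, nonce, tag in db.execute("SELECT doc_id, nonce, tag FROM per_row_index"):
        tests += 1
        if hmac.compare_digest(prf(trapdoor, nonce), tag):
            hits.add(doc_id)
    return hits, tests


def plan_uses_index(db: sqlite3.Connection) -> bool:
    """True when the planner answers the equality lookup from ix_kw."""
    plan = db.execute(
        "EXPLAIN QUERY PLAN SELECT doc_id FROM index_list WHERE kw_index = ?",
        (b"",)).fetchall()
    return any("ix_kw" in row[-1] for row in plan)


def linked_groups(db: sqlite3.Connection, layout: str) -> list:
    """Keyless server view: sets of documents that share an identical stored value."""
    groups = {}
    for value, doc_id in db.execute(SERVER_VIEW[layout]):
        groups.setdefault(value, set()).add(doc_id)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    key = b"constructed index key"
    db = build_db(DOCS, key)
    t = prf(key, b"cloud")
    print("index_list hits:", len(search_index_list(db, t)), "uses index:", plan_uses_index(db))
    print("per-row hits and PRF tests:", search_per_row(db, t)[1])
    print("linkable groups:", len(linked_groups(db, "index_list")),
          "vs", len(linked_groups(db, "per_row_index")))
```

Both layouts return the same documents, but the randomized one costs one PRF test per stored row, while the deterministic one lets the server group documents by shared keyword without holding any key.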
We achieved database normalization with primary key and foreign key. This is possible because we use different database table structure and deterministic functions. We do not use any random factors. Consequently, these properties enable a server to directly access the data that a user wants. Thus, there is no computation to test whether this document contains the querying keyword or not for every row.

6.3.3 The influence of function

The kind of applied functions greatly influences on the search time. There are many schemes dealing with bilinear function such as [3,22,23,32-37] among the recently proposed keyword search schemes. For example, in the experiment of [35], searching 10,000 indexes requires approximately 720 s (720000 ms). Compared with symmetric cryptographic method, the calculation of one pairing takes much more time. Consequently, bilinear function is not appropriate for real-world applications. On the other hand, our proposed schemes are based on the only symmetric cryptographic function.

7 Conclusion

In cloud computing environments, DAS model is the most realistic to manage sensitive information with safety, because a server manager is considered untrustworthy. Encryption over database is also one of the most substantial ways in order to accomplish the goal of the DAS model. Although the encryption method has some negative effects such as inefficiency and hardness of applying DB schemas, we should not hinder the performance or general operations of database because of the encryption for security and privacy. Considering prior researchers' endeavors in the individual setting between a server and a user, this paper focuses on more realistic applications and environments with two aspects: the group search and efficiency. To do this, firstly, we conduct a group search rather than a private setting. This group search does not require re-encrypting all documents under the key update from session-change.
Secondly, for more efficient application in a real world, we develop the database table in order to apply the efficient DB schemas (normalization using primary key and foreign key) to encrypted documents. Also, we define and analyze the group search secrecy and keyword index search privacy. Moreover, this paper represents our scheme's efficiency through experiments.

This paper realizes efficient performances by developing two novel encrypted database tables. These two encrypted database tables make it possible a server to access data directly. Prior papers' computational complexity is at least O(n), while our schemes' computational complexity is O(1) during a search process. Therefore, our scheme is approximately 935 times faster than Golle's scheme and around 6 times faster than Song's scheme for 10,000 documents. As the result of our experiments, we maintain the characteristics of DB application layers, which supports the interoperability of DB applications in order to design efficient schemes. This paper has two contributions: (1) in the cloud datacenter service environments, our schemes provide practical and realistic encrypted DB solution and (2) identifying the importance of interoperability with DBMS for designing efficient schemes.

For future works, we need to focus on the more experiments of the performance in real mobile applications. In cloud computing environments, end-users require various types of usages with mobile applications such as PDA or mobile phone as many as PCs. Therefore, we believe interoperability of a mobile application and compatibility between mobile and DB applications as important factors to improve the efficiency of schemes.

9 Endnotes

a DB schema is the structure of a database system, described in a formal language supported by the DBMS. In a relational database, the schema defines the tables, the fields in each table, and the relationships.

b Database normalization can be defined as the practice to optimize table structures.
Particularly concentrating on how these data are interrelated, optimization is the result of an investigation from the various pieces of data stored within the database. Considering the analysis of this data and its corresponding relationships, it is advantageous in two points: first, the analysis will be the result of substantial improvement of the speed when the tables are queried; second, it decreases the chance of the database integrity being compromised due to tedious maintenance procedures.

c In ranked search, term frequency means a count of the number of times that term appears in that document [6].

d The perspective of utility computing. The cloud computing technologies and services enable providers and companies to offer a policy: pay-for-what-you-use such as that of electricity, fuel, and water. With these economic strengths, cloud computing has become a leading computing technology and expanded seamless services; however, security studies encounter new challenges and issues in cloud computing era. First of all, the datacenter of cloud storage services has high risk of information leakage by intruders or insiders. Especially, it cannot be guaranteed that datacenter managers are trustful. Storing confidential information outside (datacenter) makes the data center risky in terms of the infringement of privacy and security. Cloud services are broadly divided into three categories: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) [38].

e The first part within
a brace is for key generation, the second part is for database table, and the third part is for trapdoor.

Acknowledgements
This research was supported by the MKE (The Ministry of Knowledge Economy), Korea, under the ITRC support program supervised by the NIPA (National IT Industry Promotion Agency) (NIPA-200-C090-00-0004).

Author details
1 Graduate School of Information and Security, Korea University, 5-Ka, Anamdong, Sungbuk-ku, Seoul 36-70, Korea
2 Department of Information Systems, Weatherhead School of Management, Case Western Reserve University, 0900 Euclid Avenue, Cleveland, OH 4406, USA

Competing interests
1) The article-processing charge for this manuscript was supported by ITRC support program supervised by the NIPA (National IT Industry Promotion Agency) of Korea.
2) The two encrypted tables to build database normalization is Korean Registered Patent by Hyun-A Park, Registered No.(0-0839220), June.. 2008.

Received: 5 December 200 Accepted: 7 August 20 Published: 7 August 20

References
1. M Armbrust, A Fox, R Griffith, AD Joseph, RH Katz, A Konwinski, G Lee, Above the clouds: a Berkeley view of cloud computing. Technical Report: EECS-2009-28 (February 0, 2009)
2. R Buyya, Market-oriented cloud computing: vision, hype, and reality of delivering computing as the 5th utility, in 9th IEEE/ACM International Symposium on Cluster Computing and the Grid, ccgrid, (2009)
3. H Park, J Byun, D Lee, Secure index search for groups, in TrustBus 2005, LNCS3592, 28 40 (2005)
4. P Wang, H Wang, J Pieprzyk, Threshold privacy preserving key word searches, in SOFSEM 2008, LNCS 490, 646 658 (2008)
5. D Song, D Wagner, A Perrig, Practical techniques for searches on encrypted data, in IEEE Symposium on Security and Privacy, 44 55 (2000)
6. D Boneh, GD Crescenzo, R Ostrovsky, G Persiano, Public-key encryption with keyword search, in Eurocrypt04, LNCS 3027, 506 522 (2004)
7. YC Chang, M Mitzenmacher, Privacy preserving keyword searches on remote encrypted data. Cryptology (eprint Archive) (2004)
8. E Goh, Secure indexes. Cryptology (eprint Archive) (2004)
9. B Waters, D Balfanz, G Durfee, D Smetters, Building an encrypted and searchable audit log, in NDSS04, The Internet Society, 205 24 (2004)
10. J Byun, H Rhee, H Park, D Lee, Off-Line Keyword Guessing Attacks on Recent Keyword Search Schemes over Encrypted Data, in SDM2006, Lecture Notes in Computer Science 465, 75 83 (2006)
11. D Boneh, B Waters, Conjunctive, subset, and range queries on encrypted data, in Proceedings of TCC 07 (2007)
12. H Hacigumus, B Iyer, S Mehrotra, Efficient execution of aggregation queries over encrypted relational databases, in DASFAA 2004, LNCS 2793, 25 36 (2004)
13. P Golle, J Staddon, B Waters, Secure conjunctive keyword search over encrypted data, in ACNS04, LNCS 3089, 3 45 (2004)
14. Y Hwang, P Lee, Public key encryption with conjunctive keyword search and its extension to a multi-user system, in Pairing 2007, LNCS 4575, 2 22 (2007)
15. P Wang, H Wang, J Pieprzyk, Keyword field-free conjunctive keyword searches on encrypted data and extension for dynamic groups, in CANS 2008, LNCS (2008)
16. S Zerr, E Demidova, D Olmedilla, W Nejdl, M Winslett, S Mitra, Zerber: r-confidential indexing for distributed documents, in EDBT 08: Proceedings of the th international conference on Extending database technology, 287 298 (2008)
17. S Zerr, D Olmedilla, W Nejdl, W Siberski, Zerber+R: top-k retrieval from a confidential index, in EDBT 09: Proc. of the 2th International Conference on Extending Database Technology: Advances in Database Technology, 439 449 (2009)
18. H Pang, X Ding, X Xiao, Embellishing text search queries to protect user privacy, PVLDB 3(), 598 607 (2010)
19. A Swaminathan, Y Mao, G-M Su, H Gou, A Varna, S He, M Wu, D Oard, Confidentiality-preserving rank-ordered search, in Storage SS 07, in Proc. of the 2007 ACM workshop on Storage security and survivability, 7 2 (2007)
20. C Wang, N Cao, J Li, K Ren, W Lou, Secure ranked keyword search over encrypted cloud data, in ICDCS 10, in Proc. of the 2010 IEEE 30th International Conference on Distributed Computing Systems, 253 262 (2010)
21. N Cao, C Wang, M Li, K Ren, W Lou, Privacy-preserving multikeyword ranked search over encrypted cloud data, in IEEE INFOCOM (2011)
22. M Li, S Yu, N Cao, W Lou, Authorized private keyword search over encrypted data in cloud computing, in Proc of IEEE ICDCS (2011)
23. S Yu, C Wang, K Ren, W Lou, Achieving secure, scalable, and fine-grained data access control in cloud computing, in IEEE INFOCOM 10 (2010)
24. Y Hu, A Perrig, DB Johnson, Efficient security mechanisms for routing protocols, in Network and Distributed System Security Symposium, NDSS 03, 57 73 (February 2003)
25. M Burmester, Y Desmedt, A secure and efficient conference key distribution system, The Advances in Cryptology EUROCRYPT (1994)
26. Y Kim, A Perrig, G Tsudik, Tree-based group key agreement. ACM Trans Inf Syst Secur. 7(), 60 96 (2004). doi:0.45/984334.984337
27. L Liao, M Manulis, Tree-based group key agreement framework for mobile ad-hoc networks. Fut Gener Comput Syst. 23(6), 787 803 (2007). doi:0.06/j.future.2007.0.00
28. M Burmester, Y Desmedt, RN Wright, A Yasinsac, Accountable Privacy. Security Protocols 2004, LNCS 3957, 83 95 (2006)
29. Ontario, Office of the Information and Privacy Commissioner (IPC) and Netherlands Registratiekamer. Privacy-Enhancing Technologies: The Path to Anonymity, Information and Privacy Commissioner and Registratiekamer http://www.pc.on.ca/englsh/resources/dscusson-papers/dscusson- Papers-Summary/Default.aspx?d=329&prnt= (1995)
30. H Park, B Kim, D Lee, Y Chung, J Zhan, Secure similarity search, Grc 2007, (IEEE Computer Society Press, 2007), pp. 598 604
31. http://blogs.msdn.com/msdnts/archve/2006/2/0/row-sze-lmtaton-n-sql- 2000-and-2005.aspx
32. M Abdalla, M Bellare, D Catalano, E Kiltz, T Kohno, T Lange, J Malone-Lee, G Neven, P Paillier, H Ash, Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. Crypto05, LNCS 362 205 222 (2005)
33. S Bellovin, W Cheswick, Privacy-enhanced searches using encrypted bloom filters. Cryptology eprint Archive, Report 2004/022 (February 2004)
34. L Ballard, M Green, B de Medeiros, F Monrose, Correlation-resistant storage via keyword-searchable encryption, in SPAR Technical Report. TR-SP-BGMM-050705
35. L Ballard, S Kamara, F Monrose, Achieving efficient conjunctive keyword searches over encrypted data. in ICICS 2005, LNCS3783, 44 426 (2005)
36. W Ogata, K Kurosawa, Oblivious keyword search. J Complexity. 20, 356 37 (2004). doi:0.06/j.jco.2003.08.023
37. H Park, J Hong, J Park, J Zhan, D Lee, Combined authentication based multi-level access control in mobile application for DailyLifeService. IEEE Trans Mobile Comput. 9(6), 824 837 (2010)
38. H Park, J Park, J Cho, D Lee, Toward an integrated system between cloud computing and smartcard application, in ICCIT 2010 (IEEE Computer Society Press, 2010), pp. 580 587

doi:0.86/687-499-20-64
Cite this article as: Park et al.: PKIS: practical keyword index search on cloud datacenter. EURASIP Journal on Wireless Communications and Networking 2011 2011:64.