4.2 Private DFA Evaluation on Signed and Encrypted Data
4.2.2 Initial Construction Without File Encryption
We denote the file stored at the server as consisting of characters $\sigma_0, \ldots, \sigma_{\ell-1}$, where each $\sigma_k \in \Sigma$. Prior to storing this file at the server, however, the data owner uses its private BLS signing key $\langle G_1, x \rangle$ to produce $s_k \leftarrow \mathsf{BLSSign}_{\langle G_1, x \rangle}(\sigma_k \,\|\, k)$ for each $k \in [\ell]$, i.e., a per-character signature that incorporates the position of the character in the file¹, and stores these signed characters at the server instead. (Here, "$\|$" denotes concatenation.) Note that since $s_k = H_1(\sigma_k \,\|\, k)^x$, anyone knowing the corresponding verification key $\langle p, G_1, G_2, g, e, h \rangle$ can not only verify $s_k$ but can also extract $\sigma_k$ and $k$, simply by testing, for each $\sigma \in \Sigma$ and $k \in [\ell]$, whether

$$e(H_1(\sigma \,\|\, k), h) = e(s_k, g).$$

(The test succeeds for the signed pair $(\sigma_k, k)$ because $h = g^x$ and bilinearity give $e(H_1(\sigma_k \,\|\, k), h) = e(H_1(\sigma_k \,\|\, k), g)^x = e(H_1(\sigma_k \,\|\, k)^x, g) = e(s_k, g)$.) As such, while in our initial protocol description the data owner stores $s_0, \ldots, s_{\ell-1}$ at the server, this implicitly conveys $\sigma_0, \ldots, \sigma_{\ell-1}$ as well.
The basic structure of the protocol, which is similar to $\Pi_1(E)$ in Fig. 3.1, involves the client encoding its DFA transition function $\delta$ as a bivariate polynomial $f(x, y)$ over $R$, where $x$ is the variable representing a DFA state and $y$ is the variable representing an input symbol. In our protocol, the client and server then evaluate this polynomial together, using a single round of interaction per state transition (i.e., per file character), in such a way that the client observes only ciphertexts of states and file characters and the server observes only a randomly blinded state. More specifically, if the current DFA state is $q$, then the server observes only $\pi(q) +_R \phi$ for $\phi \xleftarrow{\$} R$ chosen by the client, where $\pi : Q \to R$ maps DFA states to distinct ring elements. The client, with knowledge of $\pi$ and $\phi$, can calculate $f(x, y)$ so that $f(\pi(q) +_R \phi, \sigma) = \pi(\delta(q, \sigma))$ for each $q \in Q$ and $\sigma \in \Sigma$. Then, starting with a ciphertext of $\pi(q)$ for the DFA state $q$ resulting from processing file characters $\sigma_0, \ldots, \sigma_{k-1}$, the client can interact with the server to obtain a ciphertext of $f(\pi(q) +_R \phi, \sigma_k)$ [73].

¹ The file name or other identifier could be included along with the character position, to detect the exchange of characters between files. Similarly, the length $\ell$ can be included to detect file truncation. These issues are discussed further in Section 4.3.
The central innovation in our protocol is a technique by which the client, without knowing $s_k$, can compute an encoding of the file character $\sigma_k$ that the server must use in round $k$ of the evaluation. If the server does not, it "throws off" the evaluation in a way that the server cannot predict. As a result, if the server deviates from the protocol, the end result of the evaluation will be an unpredictable element of the ring $R$, which with overwhelming probability will not correspond to any state of the DFA. To accomplish this, the client defines the encoding of character $\sigma \in \Sigma$ at position $k \in [\ell]$ to be

$$\tau(\sigma, k, \psi_k) = H_2\big(e(H_1(\sigma \,\|\, k)^{\psi_k}, h)\big),$$

where $H_2 : G_2 \to R$ is a hash function (modeled as a random oracle) and $\psi_k \xleftarrow{\$} \mathbb{Z}_p^*$ is selected by the client in the round for the $k$-th character. If the client sends $\Psi_k \leftarrow g^{\psi_k}$ to the server in that round, then the server can compute $\tau(\sigma_k, k, \psi_k)$ for the file character $\sigma_k$ as

$$\tau(\sigma_k, k, \psi_k) = H_2(e(s_k, \Psi_k)),$$

since by bilinearity $e(s_k, \Psi_k) = e(H_1(\sigma_k \,\|\, k)^x, g^{\psi_k}) = e(H_1(\sigma_k \,\|\, k)^{\psi_k}, g^x) = e(H_1(\sigma_k \,\|\, k)^{\psi_k}, h)$. Without $\psi_k$, however, the server is unable to compute the encoding $\tau(\sigma, k, \psi_k)$ for any $\sigma \neq \sigma_k$. The final difficulty to overcome is that the client, by altering the encoding of each character $\sigma \in \Sigma$ in every round $k$, must also recompute $f(x, y)$ to account for the new encoding. As such, in round $k$ the client recomputes $f(x, y)$ to satisfy

$$f(\pi(q) +_R \phi_k, \tau(\sigma, k, \psi_k)) = \pi(\delta(q, \sigma))$$

for every $q \in Q$ and $\sigma \in \Sigma$. In our algorithm, we encapsulate this calculation as $\langle a_{ij} \rangle_{i \in [n], j \in [m]} \leftarrow \mathsf{ToPoly}(Q, \Sigma, \delta, \pi, k, \phi_k, \beta_k, \psi_k)$, where $\langle a_{ij} \rangle_{i \in [n], j \in [m]}$ (with $n = |Q|$ and $m = |\Sigma|$) are the coefficients forming $f$, i.e., so that

$$f(x, y) = \sum_{i=0}^{n-1} \sum_{j=0}^{m-1} a_{ij} \cdot_R x^i \cdot_R y^j,$$

with the sums taken in $R$. (The value $\beta_k$ will become relevant in Section 4.2.3 and can be ignored for now.)
This protocol is shown in Fig. 4.1. The protocol is written with the steps performed by the client listed on the left (lines c301–c320), those performed by the server on the right (lines s301–s313), and the messages exchanged between them in the middle (lines m301–m306). The client takes as input the data owner's public verification key $\langle p, G_1, G_2, g, e, h \rangle$, a public encryption key $ek'$, and its DFA $\langle Q, \Sigma, \delta, q_{\mathrm{init}} \rangle$. (For the moment, ignore the additional input $dk$, which will be discussed in Section 4.2.3.) The server takes as input $\langle p, G_1, G_2, g, e, h \rangle$, the DFA alphabet $\Sigma$, and the signed file characters $s_0, \ldots, s_{\ell-1}$, i.e., signed with the data owner's private key $\langle G_1, x \rangle$ corresponding to $\langle p, G_1, G_2, g, e, h \rangle$. (Again, please ignore the $b_k$ values for now; these will be discussed in Section 4.2.3.) Note that neither the client nor the server receives any information about the private key $dk'$, and so values encrypted under $ek'$ ($\theta$ in line c304 and $\rho$ in line c309) are never decrypted or otherwise used in the protocol. These values are included in the protocol only to simplify its proof and need not be included in a real implementation of the protocol.
At the beginning of the protocol, the server generates the public/private key pair $(pek, pdk)$ (line s302) that defines the ring $R$ for the protocol run. The server conveys $pek$ and the file length $\ell$ to the client (m301). Upon receiving this message, the client selects an injection $\pi : Q \to R$ uniformly at random from the set of all such injections, denoted $\mathsf{Injs}(Q \to R)$ (c303). The client sends the number $n$ of states in its DFA in message m302. (To simplify our proofs, the client also sends the chosen injection $\pi$ encrypted under $ek'$ to the server, denoted by $\theta$. We will not discuss this further here.)
The heart of the protocol is the loop represented by lines c306–c317 for the client and lines s304–s312 for the server. The client begins each iteration of this loop with a ciphertext $\alpha$ of the current DFA state, which it blinds with the blinding term $\phi_k$ (c307) using the additive homomorphic property of Paillier encryption (c308). The client also selects $\psi_k$ (c310) and creates $\Psi_k$ (c311) as described above, and sends the now-blinded ciphertext $\alpha$ and $\Psi_k$ to the server (m303). After decrypting the blinded state $\gamma$ (s305) and using $\Psi_k$ and $s_k$ to create the encoding $\eta = \tau(\sigma_k, k, \psi_k)$ of the character $\sigma_k$ being processed in this loop iteration (s306), the server creates an encryption of $\gamma^i \cdot_R \eta^j$ for each $i \in [n]$ and $j \in [m]$ (s307–s311). After the server sends these values back to the client (m304), the client uses them together with the coefficients of $f$ that it computed as described above (c313) to assemble a ciphertext of the new DFA state (c316): combining the ciphertexts of $\gamma^i \cdot_R \eta^j$ homomorphically with the coefficients $a_{ij}$ yields a ciphertext of $f(\gamma, \eta) = \pi(\delta(q, \sigma_k))$.
After this loop has iterated $\ell$ times, the client sends the state ciphertext to the server (m305). The server decrypts the state, which to the server is just a random ring element (s313), and returns it (m306). The client checks that the result is the image under $\pi$ of a valid state (c318) and, if so, returns the corresponding state as the result (c320).
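As an added worked example (not the authors' code and not Fig. 4.1 itself), the following Python script runs the loop just described end to end: textbook Paillier with $g = N+1$ provides the additively homomorphic layer and the ring $R = \mathbb{Z}_N$, $\mathsf{ToPoly}$ is realised as bivariate Lagrange interpolation over $\mathbb{Z}_N$, and the client combines the server's ciphertexts of $\gamma^i \eta^j$ homomorphically into a ciphertext of the next state. Two things are assumptions of the toy rather than of the protocol: the Paillier primes are fixed, small Mersenne primes chosen only to keep the example short, and the pairing-based encoding $\tau(\sigma, k, \psi_k) = H_2(e(H_1(\sigma \| k)^{\psi_k}, h))$ is replaced by a plain hash of $(\sigma, k, \psi_k)$ with $\psi_k$ handed to the server, so the toy does not reproduce the guarantee that the server can encode only the signed character $\sigma_k$. The three-state DFA, the file contents, and all function names (`run_protocol`, `to_poly`, `evaluate`, the `cheating_server` flag) are constructed for this demonstration.

```python
"""Toy walk-through of the blinded DFA evaluation of Section 4.2.2 (constructed example, not the
authors' code).  R = Z_N for a textbook Paillier modulus N from fixed demo primes.  The pairing-based
encoding tau = H_2(e(H_1(sigma||k)^psi_k, h)) is NOT modelled: the toy hashes (sigma, k, psi_k) and
hands psi_k to the server, losing the guarantee that the server can encode only sigma_k."""
import hashlib
import secrets

# --- Paillier with g = N+1; fixed Mersenne primes keep the example short (insecure parameters) ---
P, Q = 2**61 - 1, 2**89 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1)
MU = pow(LAM, -1, N)                 # with g = N+1, L(g^LAM mod N^2) = LAM mod N

def enc(m):                          # Enc(m) = (1+N)^m * r^N mod N^2, fresh random r
    r = secrets.randbelow(N - 1) + 1
    return pow(N + 1, m, N2) * pow(r, N, N2) % N2

def dec(c):                          # L(c^LAM mod N^2) * MU mod N, with L(u) = (u-1)/N
    return (pow(c, LAM, N2) - 1) // N * MU % N

def h_add(c1, c2):                   # Enc(m1) * Enc(m2) = Enc(m1 + m2)
    return c1 * c2 % N2

def h_scale(c, a):                   # Enc(m)^a = Enc(a * m)
    return pow(c, a, N2)

def H2(*parts):                      # hash into R = Z_N; stands in for H_2 : G_2 -> R
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big") % N

def tau(sigma, k, psi):              # TOY stand-in for tau(sigma, k, psi_k); see module docstring
    return H2("tau", sigma, k, psi)

# --- ToPoly as bivariate Lagrange interpolation over Z_N ---
def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % N
    return out

def lagrange_basis(points):          # coefficient lists L_t with L_t(x_t) = 1 and L_t(x_u) = 0
    basis = []
    for t, xt in enumerate(points):
        poly = [1]
        for u, xu in enumerate(points):
            if u != t:
                inv = pow((xt - xu) % N, -1, N)      # invertible w.h.p. for random points
                poly = poly_mul(poly, [-xu * inv % N, inv])
        basis.append(poly)
    return basis

def to_poly(states, alphabet, delta, pi, phi_k, tau_k):
    """Coefficients a[i][j] of f with f(pi(q) + phi_k, tau_k[sigma]) = pi(delta(q, sigma))."""
    n, m = len(states), len(alphabet)
    Lx = lagrange_basis([(pi[q] + phi_k) % N for q in states])
    Ly = lagrange_basis([tau_k[s] for s in alphabet])
    a = [[0] * m for _ in range(n)]
    for qi, q in enumerate(states):
        for si, s in enumerate(alphabet):
            target = pi[delta[(q, s)]]
            for i in range(n):
                for j in range(m):
                    a[i][j] = (a[i][j] + target * Lx[qi][i] * Ly[si][j]) % N
    return a

# --- The loop of Fig. 4.1 with both roles in one process ---
def run_protocol(states, alphabet, delta, q_init, file_chars, cheating_server=False):
    """Returns the final DFA state, or None when the decrypted result is no state's image under pi
    (the outcome when the server deviates, here by substituting an arbitrary encoding eta)."""
    rng = secrets.SystemRandom()
    n, m = len(states), len(alphabet)
    vals = [rng.randrange(N) for _ in states]                # c303: random injection Q -> R
    assert len(set(vals)) == n                               # a collision is negligible for |R| ~ 2^150
    pi = dict(zip(states, vals))
    alpha = enc(pi[q_init])                                  # client holds Enc(pi(q_init))
    for k, sigma_k in enumerate(file_chars):
        # client (c307-c313): blind the state, pick psi_k, recompute f for this round's encodings
        phi_k, psi_k = rng.randrange(N), rng.randrange(1, N)
        blinded = h_add(alpha, enc(phi_k))                   # Enc(pi(q) + phi_k), sent in m303
        tau_k = {s: tau(s, k, psi_k) for s in alphabet}
        a = to_poly(states, alphabet, delta, pi, phi_k, tau_k)
        # server (s305-s311): decrypt the blinded state, encode sigma_k, return Enc(gamma^i eta^j)
        gamma = dec(blinded)
        eta = H2("deviation", k) if cheating_server else tau(sigma_k, k, psi_k)
        C = [[enc(pow(gamma, i, N) * pow(eta, j, N) % N) for j in range(m)] for i in range(n)]
        # client (c316): prod_{i,j} C[i][j]^a_ij = Enc(f(gamma, eta)) = Enc(pi(delta(q, sigma_k)))
        alpha = enc(0)
        for i in range(n):
            for j in range(m):
                alpha = h_add(alpha, h_scale(C[i][j], a[i][j]))
    # m305/s313/c318: server decrypts the final state (a random ring element to it); client inverts pi
    inv_pi = {v: q for q, v in pi.items()}
    return inv_pi.get(dec(alpha))

# Constructed DFA: three states counting the number of 'a's modulo 3 over the alphabet {a, b}
STATES, ALPHABET = [0, 1, 2], ["a", "b"]
DELTA = {(q, s): (q + 1) % 3 if s == "a" else q for q in STATES for s in ALPHABET}

def evaluate(file_chars, cheating_server=False):
    return run_protocol(STATES, ALPHABET, DELTA, 0, file_chars, cheating_server)
```

`evaluate("abab")` returns state 2 and `evaluate("ababa")` returns 0, while `evaluate("abab", cheating_server=True)` returns `None`: once the server feeds in an $\eta$ that lies off the interpolation grid, $f(\gamma, \eta)$ is a ring element that, with overwhelming probability, is not $\pi(q)$ for any state $q$, so the check at c318 fails. Because the toy hands $\psi_k$ to the server in the clear, a deviating server here could also compute $\tau(\sigma', k, \psi_k)$ for some $\sigma' \neq \sigma_k$ and silently swap a character; sending only $\Psi_k = g^{\psi_k}$ and relying on the pairing with $s_k$ is precisely what rules that out in the real protocol.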