Security Against Client Adversaries

In this section we show security of Π1(E) against honest-but-curious client adversaries and

heuristically justify its security against malicious ones. Since theclienthas the DFA in its posses- sion, privacy of the DFA against aclientadversary is not a concern. The proof of security against theclienttherefore is concerned with the privacy of only the file. However, by the nature of what the protocol computes for theclient— i.e., the final state of a DFA match on the file — theclient can easily distinguish two files of its choosing simply by running the protocol correctly using a DFA that distinguishes between the two files it chose.

For this reason, we adapt the notion of indistinguishability to apply only to files that produce the same final state for the client’s DFA. So, in the experiment Exptc-file

Π1(E) (Fig. 3.5) that we

use to define file security against clientadversaries, the adversary C = (C1, C2) succeeds (i.e., Exptc-file

Π1(E)(C)returns1) only if the two fileshσ0kik∈[ℓ]andhσ1kik∈[ℓ]output byC1both drive the

DFAM, also output byC1, to the same final state (denotedM(hσ0kik∈[ℓ]) =M(hσ1kik∈[ℓ])).

This caveat aside, the experiment is straightforward: C1 receives public key pk, private-key

hσ0kik∈[ℓ]and hσ1kik∈[ℓ]and a DFA M. Depending on how bis then chosen, one of these files is

encrypted using pk and then provided to theserver, to which C2 is given oracle access (denoted

serverOr(pk,sk2, M.Σ,hckjik∈[ℓ],j∈[m])).

Adversary C2 can invoke serverOr first with a message containing an integer n(i.e., with a

message of the formm101), to whichserverOrreturnsℓ(m102). C2 can then invoke serverOrup

toℓ+ 1times. The firstℓsuch invocations take the formα,β,ρand correspond to messages of the formm103. Each such invocation elicits a response_hµσiiσ∈Σ,i∈[n](i.e., of the formm104). The last

clientinvocation is of the formα,β,ρand corresponds tom105. This invocation elicits a response γ∗ _{(i.e.,m106). Malformed or extra queries are rejected byserverOr.}

We show file privacy against honest-but-curious clientadversaries C = (C1, C2), i.e.,C2 in-

vokesserverOrexactly asΠ1(E)prescribes, using DFAM output byC1. We define the advantage

ofCto behbcAdvc_Π-₁file_(E)(C) = 2_·P

³

Exptc_Π-₁file_(E)(C) = 1´₋1andhbcAdvc_Π-₁file_(E)(t, ℓ, n, m) = maxCAdvcΠ-1file(E)(C) where the maximum is taken over honest-but-curious client adversaries C

running in total timetand producing files of lengthℓand a DFA ofnstates over an alphabet ofm symbols. We prove:

Theorem 3. Fort′=t+tGen+ℓm·tEnc+ (ℓ+ 1)·tDec,

hbcAdvc_Π-₁file_(Pai)(t, ℓ, n, m)_≤Advind_Pai-cpa(t′, ℓm(1 +n))

Proof. Given an adversaryC = (C1, C2)running in timetand selecting files of lengthℓsymbols

and a DFA ofnstates over an alphabet ofmsymbols, we construct an IND-CPA adversaryU that demonstrates the theorem as follows. On inputpkˆ =hN, gi,U generates(pk′,sk′)← Gen(1κ+2)

and d1 ←$ ZN2, and invokes C₁( ˆpk,sk₁,pk′)where sk₁ = hN, g, d₁i to obtain(ℓ,hσ_0ki_k∈[ℓ],

hσ1kik∈[ℓ],M,φ), whereM =hQ,Σ,qinit,δiis a DFA. Note thatd1 is chosen from a distribution

that is statistically indistinguishable from that from which d1 is chosen in the real system. For

k_∈[ℓ]andj_∈[m],Usetsckj ←Enc_pkˆbˆ((σ0k)j,(σ1k)j).

U then invokesC2(φ) and simulates responses toC2’s queries to serverOr as follows (ignor-

ing malformed invocations). In response to the initial query n, the adversaryU returns ℓand, in preparation for the subsequent serverOrinvocations byC2, setsq0 ← qinitandq1 ← qinit. For the k-th query of the formα, β, ρ(0 ≤k < ℓ), the adversaryU setsπ ←Dec_sk′(ρ),γ₀ ← π(q₀), and

γ1 ←π(q1), and then setsµσi←Enc ˆ b ˆ pk(((γ0) i_· RΛσ(σ0k),((γ1) i_· RΛσ(σ1k))forσ∈Σandi∈[n].

After this, Uupdatesq0 ←δ(q0, σ0k)andq1 ←δ(q1, σ1k), and returnshµσi,iσ∈Σ,k∈[n]toC2. For

the last queryα, β, ρ, adversaryUcomputesπ ←Dec_sk′(ρ)and returnsγ∗ =π(q₀) (=π(q₁))to C2. WhenC2outputsb′,Uoutputsb′, as well.

This simulation is statistically indistinguishable from the real system provided thatCis honest- but-curious, and so ignoring terms that are negligible inκ,hbcAdvc_Π-₁file_(Pai)(C) =Advind_Pai-cpa(U). Note thatUruns int′ _=t+t

Gen+ℓm·tEnc+ (ℓ+ 1)·tDec due to the need to generate(pk′,sk′) and sk1, to create the file ciphertexts hckjik∈[ℓ],j∈[m], and to perform ℓ+ 1 Paidecryption in the

simulation.Umakesnmoracle queries in order to respond to each of theℓoracle queries following the first, plus an additionalℓmqueries to create_hckjik∈[ℓ],j∈[m].

We have found extending this result to fully maliciousclientadversaries to be difficult for two reasons. First,Exptc_Π-₁file_(E) does not make sense for a maliciousclient, sinceC2is not bound to use

the DFAMoutput byC1. As such,C2can use a different DFA — in particular, one that enables it

to distinguish between the files output byC1. Second, even ignoring the final stateγ∗sent back to

theclient, we have been unable to reduce the ability of theclientadversary to distinguish between two files on the basis of m104 messages to breaking the IND-CPA security of _E; intuitively, the difficulty derives from the simulator’s inability to decryptαvalues provided byC2. (The ciphertext

ρ enables the simulator to “track” the plaintext of α in the honest-but-curious case, but ρ might contain useless information in the malicious case.)

Nevertheless, since onlyciphertexts for which theclientdoes not hold the decryption key are sent to theclientin those messages, we are confident in conjecturing that our protocol leaks no in- formation to even a maliciousclientabout the file, beyond what it gains from the protocol outputγ∗, assuming_Eis IND-CPA secure. Of course, the above proof difficulties for a maliciousclientcould be ameliorated by introducing zero-knowledge proofs to the protocol to enforce correct behavior, but with considerable added expense to the protocol. Instead, in Section 3.4 we introduce more novel (albeit still heuristic) approaches to detectingclient(orserver) misbehavior in our setting.