A New Privacy-Preserving Searching Model on Blockchain

Abstract

It will be convenient for users if there is a market place that sells similar products provided by different suppliers. In physical world, this may not be easy, in particular, if the suppliers are from different regions or countries. On the other hand, this is more feasible in the virtual world. The Global Big Data Exchange in Guiyang, China, which provides a market place for traders to buy and sell data, is a typical example. However, these virtual market places are owned by third parties. The security/privacy is a concern in addition to the expensive service charges. In this work, we propose a new privacy-preserving searching model on blockchain which enables a decentralized and secure virtual search-and-match market place. The core technical contribution is a new searchable encryption scheme for blockchain. We adopt the similarity preserving hash and leverage smart contracts to protect the system from the forgery attack and double-rewarding attack. We formally prove the security and privacy of our protocol, and evaluate our scheme on the private net of Ethereum platform. Our experimental results show that our protocol can work efficiently.

A Proof of Theorem 1

Proof

The simulator \(\mathcal {S}\) is given leakage \(\mathcal {L}\) to simulate the view of the adversary via imitating the real protocol. We generate the proof string \(proof'=((\varDelta _{d,u}^{k_{d,w_i}})', (c_{d,w_i})', BlockNum, Index)\) and \((C_{d})'\) as follows:

1. Simulating \((\varDelta _{d,u}^{k_{d,w_i}})'\): Given \(\mathcal {L}\), \(\mathcal {A}\) choose a composite random key \(k_s\) that \(k_s=k_{s_1}\cdot k_{s_2}\), and compute \((\varDelta _{d,u}^{k_{d,w_i}})'=(\varDelta _{d,u}^{k_{d,w_i}})^{k_s}\).

2. Simulating \((c_{d,w_i})'\): For each keyword query \(w_i\), \((c_{d,w_i})'\) is consist of three parts.

• Simulating \((H(w_i)^h)'\): compute \((H(w_i)^h)'=(H(w_i)^h)^{k_s}\).

• Simulating \((H(w_i)^s)'\): compute \((H(w_i)^s)'=(H(w_i)^s)^{k_{s_1}}\).

• Simulating \(r'\): compute \(r'=r^{k_{s_2}}\).

3. Simulating \((C_{d})', BlockNum', Index'\): Use the same value in the response of real execution.

It follows by construction that response with \(proof'\) will also match the search token \(tk_w\) if proof does because:

Therefore, Left = Right if proof matches \(tk_w\).

We now claim that no polynomial-size distinguisher can distinguish between the distributions \(proof'\) and proof. Note that in the simulation above, \(\varDelta _{d,u}^{k_{d,w_i}}\) and \((\varDelta _{d,u}^{k_{d,w_i}})'\) as well as all the components in \(c_{d,w_i}\) and \((c_{d,w_i})'\) can be regarded as the problem to distinguish between \(g^{ab}\) and \(g^{abc}\). For example, \(c_1\) in \(c_{d,w_i}\) equals to \(H(w_i)^h=g_1^{ah}\) and \(c_1'\) in \((c_{d,w_i})'\) equals to \(H(w_i)^{hk_s}=g_1^{ahk_s}\). Then, we make the following Lemma 1.

Lemma 1

If \(g^{ab}\) and \(g^{abc}\) are indistinguishable from random numbers in the same groups respectively, then \(g^{ab}\) and \(g^{abc}\) are indistinguished from each other.

Since \(g^{ab}\) and \(g^{abc}\) are of the same structure, we only need to prove the distinguishability of anyone of them. For contradiction, we assume that there is a PPT adversary \(\mathcal {D}\) that distinguishes \(g^{ab}\) and \(R \xleftarrow {\$} G\), then we show how to construct a PPT reduction \(\mathcal {B}\) that can use Exp to break the DDH assumption. breaks DDH.

Experiment

• Given a (multiplicative) cyclic group G of order p, and with generator g.

• \(\mathcal {B}\) receives \((g^a, g^b, g^{ab})\) and \((g^a, g^b, R)\), \(R \xleftarrow {\$} G\). \(\mathcal {B}\) passes \(g^{ab}\) and R to \(\mathcal {D}\).

• \(\mathcal {B}\) guesses the same as \(\mathcal {D}\).

Finally, \((C_{d}), BlockNum, Index\) and \((C_{d})', BlockNum', Index'\) are identical, therefore, no polynomial-size distinguisher can distinguish between the outputs of real execution and simulated execution.