# Efficient Asymmetric Index Encapsulation Scheme for Anonymous Content Centric Networking.

1. IntroductionConventional networking protocols designed to support end-to-end communications between nodes which are uniquely identified through an IP address may fail in wireless environments due to dynamic changes caused by the mobility. Content Centric Networking is an emerging networking architecture with the goal of becoming an alternative to the IP-based Internet. Communication in CCN adheres to the pull model. Its primary characteristic is that content and routable content in the network are always named. Interests represent the willingness of the consumer to retrieve certain content, independently of its location. A consumer who wishes to obtain content first issues an interest by name, which is then routed to the producer or router that is capable of satisfying the request. The corresponding content carrying the same name is then sent to the consumer along the reverse path.

The CCN architecture has some innate privacy friendly features; for example, the source addresses of contents are hard to trace. However, support for name privacy is not a standard feature. Names reveal significantly more information about content than IP addresses [1].

ANDaNA [2] and [AC.sup.3]N [3] are the initial attempt to provide anonymous communication in CCN. They are inspired by Tor, using onion-like encryption to wrap interests, and forwarded by participating anonymizing routers. However, caching mechanism as one of the most important features of CCN could not be used in these designs due to the lack of an cryptographic primitive keeping the name private while ensuring accessibility and routability.

In this paper we propose a new cryptographic scheme called Asymmetric Index Encapsulation (AIE) to hide the name except the entity which is given appropriate token. Token can be viewed as a kind of encrypted interest; it can only be generated from the authorized consumers and the functionality of the token kept secret even during the name and interest match procedure. We believe AIE is a positive answer to the open question raised in [1, 4]. AIE is proved to be secure based on the DBDH/CDH assumption in the random oracle with tight reduction, while the encapsulated header and the token in our system consist of only three elements. Moreover, AIE is applicable in any CCN incarnation, for example, CCNx and NDN [5].

1.1. Organization. The rest of this paper is organized as follows. The next section shows the related work of our paper. Section 3 gives an overview of CCN. The scheme description is presented in Section 4. Definitions of security model are given and discussed in Section 5. The reduction proofs are shown in Sections 6 and 7. Then we show implementation and provide an analysis of the performances of the proposed schema in Section 8. Finally, we conclude with related work and future work in Section 9.

2. Related Work

Symmetric searchable encryption with adaptive security against chosen-keyword attacks was first considered explicitly in [6], where symmetric index encapsulation was first considered explicitly by [7]. Unlike in asymmetric settings, securely encapsulating a single keyword/index is nearly trivial in symmetric settings. In these schemes and subsequent work [8-11], researchers focus on how to handle full text indices and try to improve efficiency. Another line of work uses deterministic encryption [8,12]. It only provides security for data and queries that have high entropy.

Starting with the work of Boneh et al. [13-15], searchable encryption has also been considered in the public key setting [10, 16-19]. The early works lack function privacy until the first definition was suggested very recently by Boneh et al. [20].

One of the key goals of CCN projects is "security by design" [21]. In contrast to today's Internet, where security problems were identified along the way, the research community stresses both awareness of issues and support for features and countermeasures from the outset. To this end, a few of papers investigate various attacks and solutions in CCN or CON [1,2, 5]. However, to the best of our knowledge, there is an absence of cryptographic perspective. The major contribution of our paper is in defining a new cryptographic primitive known as Asymmetric Index Encapsulation scheme.

A preliminary version of this paper [22], which concentrated on solving the related fundamental cryptographic problem, appeared at ProvSec 2016, while this paper focuses more on solving practical problem of CCN network. The extra contents mainly are shown in Sections 8 and 9.

3. CCN Overview

We now review the building blocks of Content Centric Networking. There are three types of entities in CCN:

(i) Consumer which issues interests for content

(ii) Producer which generates and publishes content to the network

(iii) Routers which forward interest messages and content between consumers and producers

CCN supports two types of packets:

(i) Named content: in CNN, contents are always named to facilitate data dissemination and search. A content name is a URI-like string composed of one or more variable-length segments.

(ii) Interest: to obtain content, consumer issues a request, called an interest message, with the name of the desired content. This interest will be satisfied by either a router or the content producer.

Name and interest matching in CCN is exact, for example, an interest for "/2017/news.txt" can only be satisfied by a content object named "/2017/news.txt."

Each CCN entity should maintain the following components:

(i) Forwarding Interest Base (FIB): this includes a lookup table used to determine entities for forwarding incoming interests.

(ii) Pending Interest Table (PIT): this include a lookup table of outstanding pending interests and a set of corresponding incoming entities.

(iii) Content Store (CS): this is a buffer used for content caching and retrieval. Each network entity can provide content caching, which is limited only by resource availability. Note that this is different from packet buffers in today's routers, as cache size is expected to be several orders of magnitude bigger in CCN.

All CCN communication is initiated by a consumer that sends an interest for a specific content [23]. When a router receives an interest, it looks up its PIT to determine whether an interest for the content is pending:

(i) If the desired name in the PIT, the interest does not need to be forwarded further. If the arrival entity is new, the router just updates the PIT entry by adding a new incoming entity.

(ii) Otherwise, the router looks up its CS for a matching content. If it succeeds, the cached content is returned and no new PIT entry is needed. If no matching content is found, the router creates a new PIT entry and forwards the interest using its FIB.

During receipting of the interest, the producer distributes requested content among the network, thus satisfying the interest. Then, the content is forwarded towards the consumer, by the path of the preceding interest, in reverse.

4. Scheme Description

Formally, AIE is specified by a quadruple of probabilistic polynomial-time algorithms:

(i) The setup algorithm Setup is run by the central authority, takes a security parameter [1.sup.[lambda]], and outputs the public system parameters pp together with a master secret key mk. The system parameters will be publicly known, while the master key will be known only to the key generation algorithm.

(ii) The index (a.k.a. name) encapsulation algorithm Enc is run by the producer, takes as input an index x, and outputs encapsulated header h[d.sub.x].

(iii) The token generation algorithm Gen is run by the central authority, takes as input the master secret key mk and an interest y, and outputs a related token t[k.sub.y].

(iv) The test algorithm Test is run by the router, takes as input a header h[d.sub.x] and a token t[k.sub.y], and outputs a value which indicates the matching relationship between t[k.sub.y] and h[d.sub.x], "1" for matching and "0" on the contrary. Usage of this algorithm is to show the linkability between headers and tokens.

To deploy AIE in CCN, we should introduce a trusted central authority which is in charge of issuing token. As illustrated in Figure 1, if a consumer plans to request a content named x, instead of sending the plain interest packet, it should use the token issued by Gen(x) from the central authority. Token is like a private key of public encryption scheme. However, its functionality is not decrypting but testing.

When a producer generates new content named y, it encrypts the content at first. The encryption algorithm used by consumers to conceal content should be secure against adaptive chosen ciphertext (CCA) attacks. Then, the producer runs encapsulation algorithm Enc to encapsulate the name y. We call the output of Enc(y) the encapsulated header of y. Finally, a signature binds the encrypted content with its encapsulated header and provides origin authentication no matter how or from where it is retrieved. For any adversary without the correct token, this signed and encrypted packet will lose no information under our security model (discussed in Section 5.4).

When a token is received and there are no same pending tokens in its cache, router runs Test algorithm to find an encapsulated header which matches the token. If there is no such encapsulated header, the router forwards this new token to the neighbor routers. When the desired content is returned or there is already an encapsulated header matching this token in the cache, the router forwards it out on all neighbors and flushes the corresponding cache entry.

Since adversary can mount a guessing attack, exhaustively testing the known token, we give a reasonable security model in Section 5.5 to ensure that there is no more obviously effective attack better than the brute force method.

4.1. Construction. Let GroupGen be a probabilistic polynomial-time algorithm taking [1.sub.[lambda]] as security parameter and outputs (G, [G.sub.T], p, g, e), where G and [G.sub.T] are groups of prime order p, [2.sup.[lambda]] < p < [2.sup.[lambda+1]], g is a generator of group G, and e : G x G [right arrow] [G.sub.T] is a nondegenerate efficiently computable bilinear map. See [24] for a description of the properties of such pairings. We present AIE scheme as follows; the design inspiration comes from [20, 25].

(i) Setup([1.sub.[lambda]]): on input security parameter [1.sub.[lambda]], the setup algorithm works as follows:

(1) Generate (p, G, [G.sub.T], g,e) [left arrow] GroupGen([1.sup.[lambda]]).

(2) Randomly sample a [left arrow] [Z.sup.*.sub.p].

(3) Compute [g.sub.a] [left arrow] [g.sup.a].

(4) Choose two cryptographic hash functions H and F : [{0,1}.sup.*] [right arrow] G. The security analysis will view H, F as random oracles.

(5) Output a as master key and (g, [g.sub.a]) as public parameters.

(ii) Enc(pp,x): given x, the index encapsulation algorithm does the following:

(1) Randomly sampling r [left arrow] [Z.sup.*.sub.p]

(2) Computing c [left arrow] [g.sup.r], T [left arrow] e[([g.sub.a], H(x)).sup.r], and R [left arrow] e[([g.sub.a], p(x)).sup.r]

(3) Outputting (c, T, R) as an encapsulated header

(iii) Gen(mk, y): on input master key a and an index y, the token generation algorithm does the following:

(1) If the same query for y is repeated twice, then the same token is provided.

(2) It randomly chooses u, v [left arrow] [Z.sup.*.sub.p]

(3) It computes d [left arrow][(H([y).sup.u]F[(y).sup.V]).sup.a].

(4) It outputs and records (d, u, v) as the token of y.

(iv) Test(hd, tk): given an encapsulated header hd and a token tk, the test algorithm does the following:

(1) It parses hd as (c, T, R) and t[k.sub.y] as (d, u, v).

(2) It checks if the following equation holds true:

e(c,d) = [T.sup.u] x [R.sup.v], (1)

and if it holds, output "1," meaning tk matches hd; else output "0."

Correctness. For any index x, we need to guarantee Test(h[d.sub.x], t[k.sub.x]) = 1, where h[d.sub.x] [left arrow] Enc(x,pp) and t[k.sub.x] [left arrow] Gen(x,mk). Denoting h[d.sub.x] = (c,T,R) and t[k.sub.x] = (d, u, v), that is clear since

[mathematical expression not reproducible]. (2)

5. Security Models

We give the precise formal definitions based on the above discussion.

5.1. Notation. We denote by X = ([X.sub.1], [X.sub.2], ..., [X.sub.q]) a joint distribution of q random variables, and by x = ([x.sub.1], [x.sub.2], ..., [x.sub.q]) a sample drawn from X. The min-entropy of a random variable X is H[T.sub.[infinity]](X) = -[log.sub.2]([max.sub.x]Pr[X = x]). A k-source is a random variable X with [T.sub.[infinity]] (X) [greater than or equal to] k x A (q, k)-block-source is a random variable X = ([X.sub.1], [X.sub.2], ..., [X.sub.q]),where, for each i [member of] {1, 2, ..., q}, ([x.sub.1], ..., [x.sub.i-x]) holds that [mathematical expression not reproducible] is k-source. The statistical distance between two random variables X and Y over a finite domain S is defined as

SD (X, Y) = 1/2 [N.summation over (x[member of]S=1)][absolute value of Pr [X = x]- Pr [Y = x]]. (3)

5.2. DBDH and CDH Assumption. Decisional bilinear Diffie-Hellman (DBDH) problem is to distinguish two distributions [P.sub.BDH] = [([g.sup.[alpha]], [g.sup.[beta]], [g.sup.[gamma]], e(g, g).sup.[alpha][beta][gamma]) and [R.sub.BDH] = ([g.sup.[alpha]], [g.sup.[beta]], [g.sup.[gamma]], R) for random [alpha], [beta], [gamma], and R. Computational Diffie-Hellman (CDH) problem is to compute [g.sup.[alpha][beta]] given [g.sup.[alpha]] and [g.sup.[beta]]. To state the assumption asymptotically we rely on the bilinear group generator algorithm GroupGen([1.sup.[lambda]]).

Definition 1. Let GroupGen([1.sup.[lambda]]) be a bilinear group generator. The DBDH assumption holds for GroupGen([1.sup.[lambda]]) if, for all probabilistic polynomial-time algorithm B, its BDDH advantage, denoted by

[mathematical expression not reproducible], (4)

is a negligible function of [lambda], where the probability is over (G, [G.sub.T], p, g, e) [left arrow] GroupGen([1.sup.[lambda]]), [alpha], [beta], [gamma] [left arrow] [Z.sup.*.sub.p], R [left arrow] [G.sub.T].

Definition 2. Let GroupGen([1.sup.[lambda]]) be a bilinear group generator. The CDH assumption holds for GroupGen([1.sup.[lambda]]) if, for all probabilistic polynomial-time algorithm B, its CDH advantage, denoted by

[Adv.sup.CDH.sub.B] ([lambda]) = Pr [B ([g.sup.[alpha]], [g.sup.[beta]]) = [g.sup.[alpha][beta]]], (5)

is a negligible function of [lambda], where the probability is over (G, [G.sub.T], p, g, e) [left arrow] GroupGen([1.sup.[lambda]]), [alpha], [beta], [gamma] [left arrow] [Z.sup.p.sub.*].

5.3. The Leftover Hash Lemma

Definition 3 (universal hash function). A collection H of function H with form U [right arrow] V is universal if for any x, x' [member of] U such that x = x the following holds:

[mathematical expression not reproducible]. (6)

Theorem 4 (leftover hash lemma for block-source; see [20]). Let H be a universal collection of functions H : U [right arrow] V; let X = ([X.sub.1], [X.sub.2], ..., [X.sub.q]) be (q,k)-block-source where k [greater than or equal to] log [absolute value of V] + 2 log(1/[epsilon]) + [THETA](1). Then there exists the distribution

([H.sub.1],[H.sub.1] ([X.sub.1]), [H.sub.2], [H.sub.2] ([X.sub.2]), ..., [H.sub.q], [H.sub.q] ([X.sub.q])), (7)

where ([H.sub.1], [H.sub.2], ..., [H.sub.q]) [left arrow] [H.sup.q] is eq-close to the uniform distribution over [(H x V).sup.q].

5.4. Security Model for Anonymity. AIE is anonymous if Enc(pp, x) leaks no information about x. To capture the anonymity properties formally, a game between a challenger and an adversary A is defined as follows:

(i) Setup Phase: the challenger runs Setup([1.sup.[lambda]]) and sends pp to adversary A and keeps mk to itself.

(ii) Prechallenge Phase: in this phase, adversary A is allowed to make token extraction query. The challenger responds to the query about index y by sending A to the output of Gen(mk, y).

(iii) Challenge Phase: A submits two indices [x.sub.0], [x.sub.1], which is restricted to the indices that he did not request in prechallenge phase. The challenger flips a fair binary coin b and returns Enc(pp, [x.sub.b]) as challenge header.

(iv) Postchallenge Phase: this phase is repeat of prechallenge phase. The adversary issues additional adaptive queries with the restriction where it can not request token of [x.sub.0] or [x.sub.1].

(v) Guess Phase: finally, A submits a guess b' of b. The adversary wins if b' = b.

Definition 5 (anonymity of AIE). AIE is anonymous if, for any probabilistic polynomial-time algorithm A, its ANON advantage, denoted by

[Adv.sup.ANON.sub.A] ([lambda]) = [absolute value of Pr [b' = b}-1/2], (8)

is a negligible function of A, where the probability is over the random bits used by the challenger and the adversary.

5.5. Security Model for Function Privacy. Formalizing such a notion is not straightforward since adversary can mount a guessing attack. If adversary has some knowledge that the token comes from a small set, it can encapsulate each candidate index and run the legitimate Test procedure to learn the function embedded inside the token. We adapt the notion from [20] which requires that Gen(mk,y) is indistinguishable from a random token if y is chosen from a sufficiently high min-entropy distribution. The following security game parameterized by a distribution D helps us capture properties of function privacy:

(i) Setup Phase: the challenger runs Setup([1.sup.[lambda]]) and sends both master secret key mk and public parameters pp to adversary A.

(ii) Challenge Phase: in this phase, the challenger samples an indices vector ([x.sub.1], [x.sub.2], ..., [x.sub.q]) from the distribution D and then, for every i [member of] {1, 2, ...,n}, computes t[k.sub.i] = Gen(mk, x{) and returns (t[k.sub.1], ..., t[k.sub.q]) to A.

(iii) Guess Phase: finally, A submits a guess of the distribution challenger has used. It outputs "0" standing for uniform distribution; otherwise it outputs "1."

Definition 6 (privacy of AIE). AIE says private function if, for any probabilistic polynomial-time algorithm A and any (q, k)-block-source distribution D where q,k is a polynomial of [lambda], its PRIV advantage, denoted by

[mathematical expression not reproducible], (9)

is a negligible function of A where R stands for uniform distribution.

To gain reasonable high min-entropy in anonymous CCN, we suggest that data provider should assign a complicated name of the encrypted data. Since adversary can mount a guessing attack (exhaustively testing the token by using pairings), the definition of privacy actually guarantees that there is no more obviously effective attack better than the brute force method.

6. Proof of Anonymity

We use reduction to prove anonymity of our scheme under the DBDH assumption.

Lemma 7. Suppose there is an adversary A that can win the anonymity game with advantage e(X). Then there is an algorithm B which solves the DBDH problem with advantage e(X).

Given a tuple (([g.sub.[alpha]], [g.sub.[beta]], [g.sub.[gamma]], Z), which is either sampled from [P.sub.BDH] or from [R.sub.BDH], algorithm B interacts with adversary A as follows.

Setup Phase. B sets up public parameter pp = [g.sub.[alpha]].

Programming the Random Oracle. B simulates the random oracle for A as follows.

If the same query is repeated twice, then the same return value is provided, on issuing a fresh query for H(x), and B

(1) samples [t.sub.1] [left arrow] [Z.sup.*.sub.p], [t.sub.2] [left arrow] [Z.sup.*.sub.p],

(2) stores tuple (x, [t.sub.1], [t.sub.2]) in table LH,

(3) returns [mathematical expression not reproducible],

On issuing a fresh query for F(x), B

(1) samples [t.sub.3] [left arrow] [Z.sup.*.sub.p], [t.sub.4] [right arrow] [Z.sup.*.sub.p],

(2) stores tuple (x, [t.sub.3], [t.sub.4] in table [L.sub.F],

(3) returns [mathematical expression not reproducible].

Prechallenge Phase. On A issuing a token for index y, algorithm B does the following:

(1) If the same query for y is repeated twice, then the same token is provided.

(2) If A has not made a query for H(y) and/or F(y), it programs H(y) and/or F(y) as mentioned above.

(3) It retrieves (y, [t.sub.1], [t.sub.2]) from [L.sub.H] and (y, [t.sub.3], [t.sub.4]) from [L.sub.F].

(4) It samples u [left arrow] [Z.sup.*.sub.p] and computes v [left arrow] -u x [t.sub.1]/[t.sub.3]. That is, it randomly samples u and v such that u x [t.sub.1] + [v.sub.2] = 0.

(5) It computes [mathematical expression not reproducible].

(6) It returns (d, u, v).

Correctness of Simulation. We argue that (d, u, v) is always a proper token corresponding to y since

[mathematical expression not reproducible]. (10)

Challenge Phase. After A sends [x.sub.0] and [x.sub.1], algorithm B does the following:

(1) It picks a random bit b [left arrow] {0,1}.

(2) If A has not made a query for H([x.sub.b]) and/or F([x.sub.b]), it programs H([x.sub.b]) and/or F([x.sub.b]) as mentioned above.

(3) It retrieves ([x.sub.b], [s.sub.1], [s.sub.2]) from [L.sub.H] and ([x.sub.b], [s.sub.3], [s.sub.4]) from [L.sub.F].

(4) It computes [mathematical expression not reproducible].

(5) It returns (c, T, W) as challenge header.

Postchallenge Phase. B responds as before in prechallenge phase.

Guess Phase. Finally A outputs a guess b' of b. B concludes its own game by outputting a guess as follows. if b' = b, B returns 1, else returns 0.

Analysis of Bs Behavior. Denote y = [log.sub.g][g.sub.[gamma]]. If Z is sampled from PBDH, that is, Z = e([g.sub.[alpha]], [g.sub.[beta]], then (c, T, W) is a perfectly legitimate header of [x.sub.b] since

[mathematical expression not reproducible]. (11)

Therefore, B simulates a perfect environment of A, and the probability of the event A winning the game is identical to e. However, when Z is uniformly random, the challenge header will not be legitimate. This is not a problem, and indeed it is crucial to the proof of security.

Lemma 8. If Z is sampled from uniform random, the distribution of b is independent of the adversary's view, so the probability of event A winning the game is identical to 1/2.

Proof. Consider the joint distribution of the adversary's view. Note that the adversary is not allowed to make a token query for [x.sub.0] and [x.sub.1] from his view, only H([x.sub.b]), F([x.sub.b]), T, and W may leak information about b. What we need to prove is that, for any fixed [g.sub.[alpha]], [g.sub.[beta]], [g.sub.[gamma]], T, W, H([x.sub.0]), F([x.sub.0]), H([x.sub.1]), and F([x.sub.1]),

[mathematical expression not reproducible]. (12)

where the probability is over [r.sub.1], [r.sub.2], [r.sub.3], [r.sub.4], and Z. That is clear because the four equations are linearly independent since, for any fixed T, W, f, and h,

[mathematical expression not reproducible]. (13)

That concludes that A learns nothing about b.

To summarize, when the input tuple is sampled from PBDH, then adversary's view is identical to its view in a real security game and therefore A satisfies [absolute value of Pr[b' = b]-1/2] [greater than or equal to] [epsilon].

When the input tuple is sampled from [R.sub.BDH], then Pr[b' = b] = 1/2. Therefore, we have that

[mathematical expression not reproducible]. (14)

We present our conclusion as the following statement.

Theorem 9. The AIE scheme one proposed is anonymous, assuming the DBDH assumption holds for the bilinear group generated by GroupGen.

7. Proof of Function Privacy

Proof. Denote ViewD by the distribution of A's view in the game [[PSI].sub.D]([lambda]) and [View.sub.R] by the distribution of A's view in the game [[PSI].sub.D]([lambda]). We prove that [View.sub.D] is statistically close to [View.sub.R] even for arbitrary fixed public parameters.

Suppose A received tokens corresponding to ([x.sub.1], [x.sub.2], ..., [x.sub.q]) in the challenge phase. As A knows the master key and having fixed pp, we can assume that [View.sub.D] is equivalent to

[mathematical expression not reproducible], (15)

where [h.sub.i] = H([x.sub.i]) and [f.sub.i] = F([x.sub.i]) for each i [member of] {1, ..., q}.

Without loss of generality, we can assume that H and F are injective since they are modeled as random oracle. Assuming that H and F are injective guarantees that for any (q, k)-block-source X over [{0,1}.sup.[lambda]q] the fact that (([h.sub.1], [f.sub.1]), ..., ([h.sub.q], [f.sub.q])) is also a (q, k)-block-source over [G.sup.2q] holds.

Note that the collection of functions {[mathematical expression not reproducible] defined by [g.sub.u,V](h, f) = [h.sup.u] [f.sup.v] are universal (see [26]). This enables us to directly apply the leftover hash lemma on block-source, implying that the statistical distance between [View.sub.D] and the uniform distribution is negligible in A. The same holds also for [View.sub.R] since R is a (q, k)-block-source in particular. This completes the proof of function privacy.

We present our conclusion as the following statement.

Theorem 10. TheAIEscheme oneproposed is (computational) function privacy under random oracle model.

8. Implementation and Performance

We implement our AIE schema by JPBC Library [27]. JPBC Library provides cryptographic interface to perform the mathematical operations underlying pairing-based cryptosystems. Our experiments were deployed on Intel Xeon E3-1231, a 4-core 3.40 GHz CPU, with 8 GB of RAM. We calculate the average time cost of each algorithm run on security parameters with different length. The result is shown in Table 1.

As we introduced in Section 3, Setup is run by the central authority only once, when deploying the environment. When the producer generates new content, Enc is run by producer once. When a consumer plans to request a content, Gen is run by the central authority and Test is run by each router. Thus, the extra time a consumer would spend for AIE is no more than Time(Gen) + n-Time(Test), where n represents the hop count. Taking 120-bit security parameter as an example, assuming the hop count is 5 on average [2], the total extra time cost for a consumer is 39.09 + 4.61 x 5 = 62.14 ms on average. AIE schema brings only less than 5 ms latency on each hop.

The relationship between time cost and the length of security parameter is shown in Figure 2. The comparison of four groups of data with different length of security parameter is shown in the graph horizontally. Each bar represents an algorithm in AIE, which is Setup, Enc, Gen, and Test from left to right. The vertical axis represents the average time cost of each experiment. It concludes that the performance of AIE is satisfying with small size of security parameter. But the time cost increases by a large margin with the increase of security parameter size. However, it is not necessary to choose too large security parameter since no one can break DBDH and CDH assumption up to the present.

Finally we turn to study the stability of our protocols run time. Figures 3 and 4 show time cost of each independent call of Gen and Test with 240-bit security parameter. v-axis represents the index of each call and y-axis represents the time cost. Each point in the graph represents a result of one experiment. As expected, the result shows most calls of Gen and Test are very close to the average time cost.

The experimental results are quite different from other approaches [2,3]. The main time costs of [2,3] are used in the transmission of data. But since our scheme decouples index from data, the run time costs are used in encapsulating the index, and the performance of our scheme can be seen as a negligible constant, which is uncorrelated with the data size.

9. Conclusion

This work presents an initial attempt to provide privacy and anonymity in CCN by cryptographic protocol. We embed AIE scheme in the CCN to provide comparable anonymity with lower relative overhead.

AIE is a new cryptographic primitive. There are at least two differences between Asymmetric Index Encapsulation and PEKS or identity based searchable encryption [13, 20]. Firstly, the goal of AIE scheme is to decouple index hiding and searching procedure from encryption scheme. There are independent application scenarios of index encapsulation. Identity based searchable encryption can be replaced by any combination of AIE and anonymous identity based encryption. Secondly, Asymmetric Index Encapsulation scheme does not imply public key encryption or identity based encryption. There is possibility of getting better security reduction and efficiency.

The security of our scheme relies on the DBDH/CDH assumption in prime-order groups and random oracle. An encapsulated header in our system consists of only three elements, while a token in our system also consists of only three elements. Besides the acceptable efficiency in practice, the scheme has tight security reduction against all kinds of adversaries. (A security reduction is said to be tight when breaking the scheme is exactly as hard as solving the underlying problem.)

We introduce new adversarial models for anonymous CCN. The anonymity model captures the intuitive notion that an adversary should not be able to distinguish between the encapsulated header of two challenge indices of his choice, even if it is allowed to obtain tokens for any other indices. The privacy model requires any token belonging to index x to be indistinguishable from a random token if x is chosen from a sufficiently high min-entropy distribution.

An interesting open problem is to construct AIE schemes for other classes of functions. A possible starting point is to consider simple functionalities, such as wildcard [28] and inner-product testing [29]. Another fascinating open problem is to design a scheme which is secure in the standard model as well as keeping the token size and header size constant. Finally, we leave it as an open problem to design an AIE scheme without pairing.

https://doi.org/10.1155/2017/9248654

Disclosure

An extended abstract was presented at Provable Security 10th International Conference, ProvSec 2016 [22].

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

References

[1] A. Chaabane, E. De Cristofaro, M. A. Kaafar, and E. Uzun, "Privacy in content-oriented networking: threats and countermeasures," ACMSIGCOMM Computer Communication Review, vol. 43, no. 3, pp. 25-33, 2013.

[2] S. DiBenedetto, P. Gasti, G. Tsudik, and E. Uzun, "ANDaNA: Anonymous Named Data Networking Application," in Proceedings of the Proceedings of the Network and Distributed System Security Symposium (NDSS' 12), San Diego, Calif, USA, 2012.

[3] G. Tsudik, E. Uzun, and C. A. Wood, "AC3N: Anonymous communication in Content-Centric Networking," in Proceedings of the 13th IEEE Annual Consumer Communications and Networking Conference, CCNC 2016, pp. 988-991, Las Vegas, Nev, USA, January 2016.

[4] C. Ghali, G. Tsudik, and C. A. Wood, "(The futility of) data privacy in content-centric networking," in Proceedings of the 15th ACM Workshop on Privacy in the Electronic Society, WPES 2016, pp. 143-152, Vienna, Austria, 2016.

[5] P. Gasti, G. Tsudik, E. Uzun, and L. Zhang, "DoS and DDoS in named data networking," in Proceedings of the 2013 22nd International Conference on Computer Communication and Networks, ICCCN 2013, Nassau, Bahamas, August 2013.

[6] R. Curtmola, J. Garay, S. Kamara, and R. Ostrovsky, "Searchable symmetric encryption: improved definitions and efficient constructions," Journal of Computer Security, vol. 19, no. 5, pp. 895-934, 2011.

[7] E.-J. Goh, Secure Indexes, 2004.

[8] S. Kamara, C. Papamanthou, and T. Roeder, "Dynamic searchable symmetric encryption," in Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 965-976, USA, October 2012.

[9] D. Cash and S. Tessaro, "The locality of searchable symmetric encryption," in Advances in Cryptology - EUROCRYPT 2014, vol. 8441 of Lecture Notes in Computer Science, pp. 351-368, 2014.

[10] J. G. Li, Y. R. Shi, and Y. C. Zhang, "Searchable ciphertext-policy attribute-based encryption with revocation in cloud storage," International Journal of Communication Systems, 2015.

[11] J. G. Li, X. N. Lin, Y. C. Zhang, and J. G. Han, "KSF-OABE: outsourced attribute-based encryption with keyword search function for cloud storage," IEEE Transactions on Services Computing, vol. PP, no. 99, p. 1, 2016.

[12] M. Bellare, A. Boldyreva, and A. O'Neill, "Deterministic and efficiently searchable encryption," in Advances in Cryptology CRYPTO 2007, vol. 4622 of Lecture Notes in Computer Science, pp. 535-552, 2007.

[13] D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano, "Public key encryption with keyword search," in Advances in Cryptology - EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 506-522, 2004.

[14] J. Li, Y. Guo, Q. Yu, Y. Lu, and Y. Zhang, "Provably secure identity-based encryption resilient to post-challenge continuous auxiliary input leakage," Security and Communication Networks, vol. 9, no. 10, pp. 1016-1024, 2016.

[15] J. Li, M. Teng, Y. Zhang, and Q. Yu, "A leakage-resilient CCA-secure identity-based encryption scheme," Computer Journal, vol. 59, no. 7, pp. 1066-1075, 2016.

[16] M. Abdalla, M. Bellare, D. Catalano et al., "Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions," Journal of Cryptology, vol. 21, no. 3, pp. 350-391, 2008.

[17] J. Camenisch, M. Kohlweiss, A. Rial, and C. Sheedy, "Blind and anonymous identity-based encryption and authorised private searches on public key encrypted data," in Public Key Cryptography --PKC 2009, vol. 5443 of Lecture Notes in Computer Science, pp. 196-214, 2009.

[18] J. Baek, R. Safavi-Naini, and W. Susilo, "Public key encryption with keyword search revisited," in Computational Science and Its Applications-ICCSA 2008, vol. 5072 of Lecture Notes in Computer Science, pp. 1249-1259, Springer, Berlin, Germany, 2008.

[19] T. H. Yuen, Y. Zhang, S. M. Yiu, and J. K. Liu, "Identity-based encryption with post-challenge auxiliary inputs for secure cloud applications and sensor networks," in Computer Security ESORICS 2014, vol. 8712 of Lecture Notes in Computer Science, pp. 130-147, 2014.

[20] D. Boneh, A. Raghunathan, and G. Segev, "Function-private identity-based encryption: hiding the function in functional encryption," in Advances in Cryptology--CRYPTO 2013, vol. 8043 of Lecture Notes in Computer Science, pp. 461-478, 2013.

[21] A. Compagno, M. Conti, P. Gasti, and G. Tsudik, "Poseidon: Mitigating interest flooding DDoS attacks in named data networking," in Proceedings of the 38th Annual IEEE Conference on Local Computer Networks, LCN 2013, pp. 630-638, Sydney, NSW, Australia, October 2013.

[22] R. Ma and Z. Cao, "Efficient asymmetric index encapsulation scheme for named data," in Provable Security, vol. 10005 of Lecture Notes in Computer Science, pp. 191-203, 2016.

[23] C. Ghali, A. Narayanan, D. Oran, G. Tsudik, and C. A. Wood, "Secure fragmentation for content-centric networks," in Proceedings of the IEEE 14th International Symposium on Network Computing and Applications (NCA '15), pp. 47-56, Cambridge, Mass, USA, September 2015.

[24] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," SIAM Journal on Computing, vol. 32, no. 3, pp. 586-615, 2003.

[25] J.-S. Coron, "A variant of Boneh-Franklin IBE with a tight reduction in the random oracle model," Designs, Codes and Cryptography, vol. 50, no. 1, pp. 115-133, 2009.

[26] J. L. Carter and M. N. Wegman, "Universal classes of hash functions," Journal of Computer and System Sciences, vol. 18, no. 2, pp. 143-154, 1979.

[27] A. de Caro and V. Iovino, "jPBC: Java pairing based cryptography," in Proceedings of the 16th IEEE Symposium on Computers and Communications (ISCC '11), pp. 850-855, July 2011.

[28] M. Abdalla, J. Birkett, D. Catalano et al., "Wildcarded identity-based encryption," Journal of Cryptology, vol. 24, no. 1, pp. 42-82, 2011.

[29] J. Katz, A. Sahai, and B. Waters, "Predicate encryption supporting disjunctions, polynomial equations, and inner products," Journal of Cryptology, vol. 26, no. 2, pp. 191-224, 2013.

Rong Ma, (1) Zhenfu Cao, (2) and Xingkai Wang (1)

(1) Shanghai Jiao Tong University, Shanghai, China

(2) East China Normal University, Shanghai, China

Correspondence should be addressed to Rong Ma; marong.sjtu@gmail.com

Received 27 March 2017; Revised 27 June 2017; Accepted 30 July 2017; Published 11 September 2017

Academic Editor: Yacine Challal

Caption: Figure 1: Instantiating AIE in anonymous CCN.

Caption: Figure 2: Comparison of time cost on 120-, 160-, 200- and 240-bit security parameter over AIE.

Caption: Figure 3: Time cost of 100 experiments for Gen on 240-bit security parameter.

Caption: Figure 4: Time cost of 100 experiments for Test on 240-bit security parameter.

Table 1: Average time cost (ms) of each algorithm. Length Setup Enc Gen Test 120 5.41 36.46 39.09 4.61 160 10.08 68.88 74.16 8.08 200 17.47 117.12 127.34 13.84 240 29.04 187.74 207.54 21.08

Printer friendly Cite/link Email Feedback | |

Title Annotation: | Research Article |
---|---|

Author: | Ma, Rong; Cao, Zhenfu; Wang, Xingkai |

Publication: | Security and Communication Networks |

Article Type: | Report |

Date: | Jan 1, 2017 |

Words: | 6310 |

Previous Article: | Trusted Service Scheduling and Optimization Strategy Design of Service Recommendation. |

Next Article: | Building Secure Public Key Encryption Scheme from Hidden Field Equations. |

Topics: |