Efficient Asymmetric Index Encapsulation Scheme for Anonymous Content Centric Networking



Introduction
Conventional networking protocols designed to support end-to-end communications between nodes that are uniquely identified through an IP address may fail in wireless environments due to dynamic changes caused by mobility. Content Centric Networking (CCN) is an emerging networking architecture with the goal of becoming an alternative to the IP-based Internet. Communication in CCN adheres to the pull model. Its primary characteristic is that content and routable content in the network are always named. Interests represent the willingness of the consumer to retrieve certain content, independently of its location. A consumer who wishes to obtain content first issues an interest by name, which is then routed to the producer or router that is capable of satisfying the request. The corresponding content carrying the same name is then sent to the consumer along the reverse path.
The CCN architecture has some innate privacy-friendly features; for example, the source addresses of contents are hard to trace. However, support for name privacy is not a standard feature. Names reveal significantly more information about content than IP addresses [1].
ANDaNA [2] and AC3N [3] are the initial attempts to provide anonymous communication in CCN. They are inspired by Tor, using onion-like encryption to wrap interests, which are forwarded by participating anonymizing routers. However, the caching mechanism, one of the most important features of CCN, cannot be used in these designs due to the lack of a cryptographic primitive that keeps the name private while ensuring accessibility and routability.
In this paper we propose a new cryptographic scheme called Asymmetric Index Encapsulation (AIE) to hide the name from everyone except the entity which is given the appropriate token. A token can be viewed as a kind of encrypted interest; it can only be generated from the authorized consumers, and the functionality of the token is kept secret even during the name and interest match procedure. We believe AIE is a positive answer to the open question raised in [1,4]. AIE is proved to be secure based on the DBDH/CDH assumption in the random oracle with tight reduction, while the encapsulated header and the token in our system consist of only three elements. Moreover, AIE is applicable in any CCN incarnation, for example, CCNx and NDN [5].
1.1. Organization. The rest of this paper is organized as follows. The next section shows the related work of our paper. Section 3 gives an overview of CCN. The scheme description is presented in Section 4. Definitions of the security model are given and discussed in Section 5. The reduction proofs are shown in Sections 6 and 7. Then we show the implementation and provide an analysis of the performance of the proposed scheme in Section 8. Finally, we conclude with related work and future work in Section 9.

Related Work
Symmetric searchable encryption with adaptive security against chosen-keyword attacks was first considered explicitly in [6], where symmetric index encapsulation was first considered explicitly by [7]. Unlike in asymmetric settings, securely encapsulating a single keyword/index is nearly trivial in symmetric settings. In these schemes and subsequent work [8-11], researchers focus on how to handle full text indices and try to improve efficiency. Another line of work uses deterministic encryption [8,12]. It only provides security for data and queries that have high entropy.
One of the key goals of CCN projects is "security by design" [21]. In contrast to today's Internet, where security problems were identified along the way, the research community stresses both awareness of issues and support for features and countermeasures from the outset. To this end, a few papers investigate various attacks and solutions in CCN or CON [1,2,5]. However, to the best of our knowledge, a cryptographic perspective is absent. The major contribution of our paper is in defining a new cryptographic primitive known as the Asymmetric Index Encapsulation scheme.
A preliminary version of this paper [22], which concentrated on solving the related fundamental cryptographic problem, appeared at ProvSec 2016, while this paper focuses more on solving a practical problem of the CCN network. The extra contents are mainly shown in Sections 8 and 9.

CCN Overview
We now review the building blocks of Content Centric Networking. There are three types of entities in CCN: All CCN communication is initiated by a consumer that sends an interest for a specific content [23]. When a router receives an interest, it looks up its PIT to determine whether an interest for the content is pending:
(i) If the desired name is in the PIT, the interest does not need to be forwarded further. If the arrival entity is new, the router just updates the PIT entry by adding a new incoming entity.
(ii) Otherwise, the router looks up its CS for a matching content. If it succeeds, the cached content is returned and no new PIT entry is needed. If no matching content is found, the router creates a new PIT entry and forwards the interest using its FIB.
On receipt of the interest, the producer distributes the requested content into the network, thus satisfying the interest. Then, the content is forwarded towards the consumer along the path of the preceding interest, in reverse.

Scheme Description
Formally, AIE is specified by a quadruple of probabilistic polynomial-time algorithms:
(i) The setup algorithm  is run by the central authority, takes a security parameter 1  , and outputs the public system parameters  together with a master secret key . The system parameters will be publicly known, while the master key will be known only to the key generation algorithm.
(ii) The index (a.k.a. name) encapsulation algorithm  is run by the producer, takes as input an index , and outputs encapsulated header ℎ  .
(iii) The token generation algorithm  is run by the central authority, takes as input the master secret key  and an interest , and outputs a related token   .
(iv) The test algorithm  is run by the router, takes as input a header ℎ  and a token   , and outputs a value which indicates the matching relationship between   and ℎ  : "1" for a match and "0" otherwise. This algorithm is used to show the linkability between headers and tokens.
To deploy AIE in CCN, we should introduce a trusted central authority which is in charge of issuing tokens. As illustrated in Figure 1, if a consumer plans to request a content named , instead of sending the plain interest packet, it should use the token issued by Gen() from the central authority. A token is like a private key of a public encryption scheme. However, its functionality is not decrypting but testing.
When a producer generates new content named , it first encrypts the content. The encryption algorithm used by consumers to conceal content should be secure against adaptive chosen ciphertext (CCA) attacks. Then, the producer runs the encapsulation algorithm  to encapsulate the name . We call the output of Enc() the encapsulated header of . Finally, a signature binds the encrypted content with its encapsulated header and provides origin authentication no matter how or from where it is retrieved. For any adversary without the correct token, this signed and encrypted packet leaks no information under our security model (discussed in Section 5.4).
When a token is received and there is no identical pending token in its cache, the router runs the  algorithm to find an encapsulated header which matches the token. If there is no such encapsulated header, the router forwards this new token to the neighbor routers. When the desired content is returned or there is already an encapsulated header matching this token in the cache, the router forwards it out on all neighbors and flushes the corresponding cache entry.
Since an adversary can mount a guessing attack, exhaustively testing the known token, we give a reasonable security model in Section 5.5 to ensure that there is no attack obviously more effective than the brute force method.
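The token handling described above, as an added Python example that is not code from the paper: a router aggregates pending tokens, scans its cache with the test algorithm because it cannot look names up, and otherwise forwards the token. The functions `gen`, `enc` and `match` are a hypothetical keyed-hash stand-in for the AIE algorithms (symmetric, so not AIE itself), and returned content goes to the faces recorded in the PIT, as in the CCN overview.

```python
import hashlib, hmac, os

# ASSUMPTION: keyed-hash stand-in for the AIE algorithms so the router logic can
# run. It is symmetric (the producer needs the authority's key), so it is not AIE.
MSK = os.urandom(32)                      # constructed master secret key

def gen(name):                            # token, issued by the central authority
    return hmac.new(MSK, name.encode(), hashlib.sha256).digest()

def enc(name):                            # randomized encapsulated header
    salt = os.urandom(16)
    return salt, hmac.new(gen(name), salt, hashlib.sha256).digest()

def match(header, token):                 # test algorithm: True iff they match
    salt, tag = header
    return hmac.compare_digest(tag, hmac.new(token, salt, hashlib.sha256).digest())

class Router:
    def __init__(self, neighbors=()):
        self.cs = []                      # cache of (header, encrypted content)
        self.pit = {}                     # pending token -> requesting faces
        self.neighbors = list(neighbors)
        self.sent = []                    # (face, packet) log for inspection

    def on_token(self, face, token):
        if token in self.pit:             # same token already pending
            self.pit[token].add(face)
            return "aggregated"
        for header, content in self.cs:   # names are hidden, so scan with match()
            if match(header, token):
                self.sent.append((face, (header, content)))
                return "cache-hit"
        self.pit[token] = {face}
        for n in self.neighbors:          # no matching header: forward the token
            if n != face:
                self.sent.append((n, token))
        return "forwarded"

    def on_content(self, header, content):
        self.cs.append((header, content))
        served = [t for t in self.pit if match(header, t)]
        for t in served:                  # satisfy requesters, flush the entries
            for face in self.pit.pop(t):
                self.sent.append((face, (header, content)))
        return len(served)
```

The cache lookup is a linear scan of test evaluations, which is the per-token cost a router pays for not seeing names.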

Construction.
Let  be a probabilistic polynomial-time algorithm that takes 1  as security parameter and outputs (G, G  , , , ), where G and G  are groups of prime order , 2  <  < 2 +1 ,  is a generator of group G, and  : G × G → G  is a nondegenerate efficiently computable bilinear map. See [24] for a description of the properties of such pairings. We present the AIE scheme as follows; the design inspiration comes from [20,25].

Security Models
We give the precise formal definitions based on the above discussion.

The Leftover Hash Lemma
Definition 3 (universal hash function). A collection H of functions  with form  →  is universal if for any ,   ∈  such that  ≠   the following holds:
Theorem 4 (leftover hash lemma for block-source; see [20]).

Security Model for Anonymity.
AIE is anonymous if Enc(, ) leaks no information about . To capture the anonymity properties formally, a game between a challenger and an adversary A is defined as follows:
(i) Setup Phase: the challenger runs Setup(1  ) and sends  to adversary A and keeps  to itself.
(ii) Prechallenge Phase: in this phase, adversary A is allowed to make token extraction queries. The challenger responds to the query about index  by sending A the output of Gen(, ).
(iii) Challenge Phase: A submits two indices  0 ,  1 , which are restricted to indices that it did not request in the prechallenge phase. The challenger flips a fair binary coin  and returns Enc(,   ) as the challenge header.
(iv) Postchallenge Phase: this phase is a repeat of the prechallenge phase. The adversary issues additional adaptive queries with the restriction that it cannot request a token for  0 or  1 .
(v) Guess Phase: finally, A submits a guess   of . The adversary wins if   = .

Definition 5 (anonymity of AIE). AIE is anonymous if, for any probabilistic polynomial-time algorithm A, its ANON advantage, denoted by
is a negligible function of , where the probability is over the random bits used by the challenger and the adversary.
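The anonymity game can be written as a harness, shown here as an added Python example that is not from the paper. `DeterministicScheme` is a hypothetical strawman rather than AIE: because encapsulation needs only public parameters, an adversary who re-encapsulates one challenge index wins every run, which is why the header must be randomized.

```python
import hashlib, hmac, os, secrets

class Challenger:
    """Runs the game's phases for any scheme exposing setup/enc/gen."""
    def __init__(self, scheme):
        self.scheme = scheme
        self.pp, self.msk = scheme.setup()        # adversary only sees self.pp
        self.queried, self.challenge = set(), ()

    def token(self, index):                       # pre/postchallenge oracle
        if index in self.challenge:
            raise PermissionError("token query on a challenge index")
        self.queried.add(index)
        return self.scheme.gen(self.msk, index)

    def challenge_header(self, i0, i1):
        if {i0, i1} & self.queried:
            raise PermissionError("challenge index was already queried")
        self.challenge = (i0, i1)
        self.b = secrets.randbits(1)              # fair coin
        return self.scheme.enc(self.pp, self.challenge[self.b])

    def wins(self, guess):
        return guess == self.b

class DeterministicScheme:
    """Strawman (ASSUMPTION, not AIE): header = H(pp || index), no randomness."""
    def setup(self):
        return os.urandom(16), os.urandom(32)     # (public params, master key)
    def enc(self, pp, index):
        return hashlib.sha256(pp + index.encode()).digest()
    def gen(self, msk, index):
        return hmac.new(msk, index.encode(), hashlib.sha256).digest()

def recompute_adversary(ch, i0, i1):
    """Uses public parameters only: re-encapsulate i0 and compare."""
    header = ch.challenge_header(i0, i1)
    return 0 if header == ch.scheme.enc(ch.pp, i0) else 1

def win_rate(scheme, trials=200):
    wins = 0
    for _ in range(trials):
        ch = Challenger(scheme)
        ch.token("/news/today")                   # allowed prechallenge query
        wins += ch.wins(recompute_adversary(ch, "/a/secret", "/b/secret"))
    return wins / trials
```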

Security Model for Function Privacy.
Formalizing such a notion is not straightforward since an adversary can mount a guessing attack. If the adversary has some knowledge that the token comes from a small set, it can encapsulate each candidate index and run the legitimate  procedure to learn the function embedded inside the token. We adapt the notion from [20] which requires that Gen(, ) is indistinguishable from a random token if  is chosen from a sufficiently high min-entropy distribution. The following security game parameterized by a distribution  helps us capture properties of function privacy:
(i) Setup Phase: the challenger runs Setup(1  ) and sends both master secret key  and public parameters  to adversary A.
(iii) Guess Phase: finally, A submits a guess of the distribution the challenger has used. It outputs "0" standing for uniform distribution; otherwise it outputs "1."
Definition 6 (privacy of AIE). AIE is said to be function private if, for any probabilistic polynomial-time algorithm A and any (, )-block-source distribution  where ,  is a polynomial of , its PRIV advantage, denoted by is a negligible function of  where  stands for uniform distribution.
To gain reasonably high min-entropy in anonymous CCN, we suggest that the data provider should assign a complicated name to the encrypted data. Since an adversary can mount a guessing attack (exhaustively testing the token by using pairings), the definition of privacy actually guarantees that there is no attack obviously more effective than the brute force method.

Proof of Anonymity
We use reduction to prove anonymity of our scheme under the DBDH assumption.

Lemma 7. Suppose there is an adversary A that can win the anonymity game with advantage 𝜖(𝜆). Then there is an algorithm B which solves the DBDH problem with advantage 𝜖(𝜆).
Given a tuple (  ,   ,   , ), which is either sampled from P BDH or from R BDH , algorithm B interacts with adversary A as follows.
Setup Phase. B sets up public parameter  =   .
Programming the Random Oracle. B simulates the random oracle for A as follows.
If the same query is repeated twice, then the same return value is provided, on issuing a fresh query for (), and B

On issuing a fresh query for (), B (1) samples
Prechallenge Phase. On A issuing a token for index , algorithm B does the following: (1) If the same query for  is repeated twice, then the same token is provided. ( 2
Correctness of Simulation. We argue that (, , V) is always a proper token corresponding to  since
Challenge Phase. After A sends  0 and  1 , algorithm B does the following: (1) It picks a random bit  ← {0, 1}. (
Therefore, B simulates a perfect environment of A, and the probability of the event A winning the game is identical to . However, when  is uniformly random, the challenge header will not be legitimate. This is not a problem, and indeed it is crucial to the proof of security.
Lemma 8. If  is sampled from uniform random, the distribution of  is independent of the adversary's view, so the probability of event A winning the game is identical to 1/2.
Proof. Consider the joint distribution of the adversary's view. Note that the adversary is not allowed to make a token query for  0 and  1 ; from his view, only (  ), (  ), , and  may leak information about . What we need to prove is that, for any fixed   ,   ,   , , , ( 0 ), ( 0 ), ( 1 ), and ( 1 ), where the probability is over  1 ,  2 ,  3 ,  4 , and . That is clear because the four equations are linearly independent since, for any fixed , , , and ℎ, That concludes that A learns nothing about .
To summarize, when the input tuple is sampled from P BDH , then adversary's view is identical to its view in a real security game and therefore A satisfies |Pr[  = ] − 1/2| ≥ .
index, and the performance of our scheme can be seen as a negligible constant, which is uncorrelated with the data size.

Conclusion
This work presents an initial attempt to provide privacy and anonymity in CCN by cryptographic protocol. We embed the AIE scheme in CCN to provide comparable anonymity with lower relative overhead. AIE is a new cryptographic primitive. There are at least two differences between Asymmetric Index Encapsulation and PEKS or identity based searchable encryption [13,20]. Firstly, the goal of the AIE scheme is to decouple the index hiding and searching procedure from the encryption scheme. There are independent application scenarios of index encapsulation. Identity based searchable encryption can be replaced by any combination of AIE and anonymous identity based encryption. Secondly, the Asymmetric Index Encapsulation scheme does not imply public key encryption or identity based encryption. There is a possibility of getting better security reduction and efficiency.
The security of our scheme relies on the DBDH/CDH assumption in prime-order groups and the random oracle. An encapsulated header in our system consists of only three elements, while a token in our system also consists of only three elements. Besides the acceptable efficiency in practice, the scheme has tight security reduction against all kinds of adversaries. (A security reduction is said to be tight when breaking the scheme is exactly as hard as solving the underlying problem.) We introduce new adversarial models for anonymous CCN. The anonymity model captures the intuitive notion that an adversary should not be able to distinguish between the encapsulated headers of two challenge indices of his choice, even if it is allowed to obtain tokens for any other indices. The privacy model requires any token belonging to index  to be indistinguishable from a random token if  is chosen from a sufficiently high min-entropy distribution.
An interesting open problem is to construct AIE schemes for other classes of functions. A possible starting point is to consider simple functionalities, such as wildcard [28] and inner-product testing [29]. Another fascinating open problem is to design a scheme which is secure in the standard model while keeping the token size and header size constant. Finally, we leave it as an open problem to design an AIE scheme without pairing.

Figure 3: Time cost of 100 experiments for  on 240-bit security parameter.