1 - PowerPoint PPT Presentation

About This Presentation

Title:

1

Description:

GMail, Yahoo Mail etc... Q: How do we store sensitive data on an untrusted server? ... hides all partial information about data ... – PowerPoint PPT presentation

Number of Views:41

Avg rating:3.0/5.0

Slides: 37

Provided by: csU5

Learn more at: http://web.cs.ucla.edu

Category:

Tags: yahoomail

more less

Transcript and Presenter's Notes

Title: 1

1
Searchable Symmetric Encryption Improved
Definitions and Efficient Constructions

Reza Curtmola Juan Garay Seny Kamara
Rafail Ostrovsky
Johns Hopkins Bell Labs
Johns Hopkins UCLA

2
Remote Storage

Remote storage is ubiquitous
data backups
GMail, Yahoo Mail etc...
Q How do we store sensitive data on an untrusted
server?
A Encryption
hides all partial information about data
client must download all data, decrypt and
perform operations locally
Can we enable the server to help ?

3
Outline

Motivation
Brief overview of different models for private
searching
Our focus Searchable Symmetric Encryption (SSE)
Revisiting security definitions for SSE
point out subtle (but serious) issues with
previous definitions
Two new notions of security for SSE
Non-adaptive security
Adaptive security
Two new constructions
Extensions

4
Private Searching

MPC general, but inefficient Yao82, GMW87,
BGW88, CCD88
Searching (explicitly) -- different settings
public data unencrypted (e.g., stock-quotes,
news articles)
client wishes to hide which element is accessed
PIR and its variants CGKS,KO97,...
user-owned data symmetrically encrypted
client can upload additional encrypted data
structures to help search
Oblivious RAMs, searchable symmetric encryption
O90, OG96, SWP00, Goh03, CM05
third-party data public-key encrypted
data comes encrypted to server from users other
than client BKOS07
public-key searchable encryption BDOP05,BW06...

5
Searchable Symmetric Encryption

We consider the following scenario
client has a collection of documents that
consists of a set of words
encrypts document collection together with
additional data structure
sends everything to server
Functionality server should support the
following types of queries
find all documents that contain a particular
keyword
Privacy allow server to help, but reveal as
little as possible

6
Prior work on SSE

SSE can be achieved using oblivious RAMs Ost,
GO
functionality can simulate any data structure in
a hidden way, and can support conjunctive
queries, B-trees etc...
privacy hides everything, even the access
pattern
efficiency logarithmic number of rounds per each
read/write
Q Can we search over encrypted data in
single/constant rounds?
with absolute privacy, recently solved by
Boneh-Kushilevitz-Ostrovsky-Skeith wish sqrtDB
communication.
This paper what if we relax the security
requirements to get better performance?

7
How do we relax the security definition ?

Informal answer
leak the access pattern but nothing else
What does it mean to leak the access pattern but
nothing else ?
defining this formally is delicate
in fact, there are issues with 3 previous attempts

8
Constant-round SSE with relaxed security

3 previous constant-round solutions that leak
access pattern
Practical techniques for searches on encrypted
data SWP00
Secure Indexes Goh03
Privacy-preserving keyword searches on remote
encrypted data CM05
BKOS-07 is constant round but sqrt(DB)
communication

9
Outline

Motivation
Overview of privacy-preserving searching
Searchable symmetric encryption
Revisiting security definitions for SSE
Non-adaptive definitions and construction
Adaptive definitions and construction
Extensions

10
Revisiting SSE security definitions

SWP00,Goh03,CM05 A secure SSE scheme should
not leak anything beyond the outcome of a search
search outcome memory addresses of documents
that contain a hidden keyword (precise definition
later)
Important to note different keyword requests may
lead to the same search outcome
search pattern whether two queries were for
the same keyword or not
A (slightly) better intuition
A secure SSE scheme should not leak anything
beyond the outcome and the pattern of a search

11
Issues with SWPs security definition

SWP00 implicitly use indistinguishability
GM84 as a security definition
any function of the plaintext that can be
computed from the ciphertext can be computed from
the length of the plaintext
Issue adversary gets to see search outcomes and
search pattern
SWP00 does not model the fact that this
additional information is revealed.
There are also issues with definitions in
Goh03,CM05, but to explain these well need to
define the model more precisely

12
SSE Algorithms

Keygen(1k) outputs symmetric key K
BuildIndex(K, D1, ..., Dn) outputs secure
index I
Trapdoor(K, w) outputs a trapdoor Tw
Search(I, Tw) outputs identifiers of documents
containing w (id1, ..., idm)

13
SSE System Operation

Secure index additional data structure that
helps the server to search (following Goh03
terminology)
Symmetrically encrypted data client performs
encryption himself
Trapdoors associate a trapdoor to keywords which
enables server to search while keeping keyword
hidden

keyword
14
Our model

History documents and keywords
View encrypted documents, index, trapdoors
Trace length of documents, search outcomes,
search pattern

15
Our Intuition

Previous intuition
A secure SSE scheme should not leak anything
beyond the outcome and the pattern of a search
A more formal intuition
any function about the documents and the
keywords that can be computed from the encrypted
documents, the index and the trapdoors can be
computed from the length of the documents, the
search outcomes and the search pattern

16
Issues with Gohs SSE security definition

IND2-CKA indistinguishability against
chosen-keyword attacks
any function of the documents that can be
computed from the encrypted documents and the
index can be computed from the length of the
documents and the search outcomes
Issue says nothing about keywords or trapdoors
Important Note Goh03 considers more than SSE
and notes that secure trapdoors is not necessary
for all the applications considered. Also Z-IDX
has secure trapdoors.
Why not prove index secure in the sense of
IND2-CKA and trapdoors secure using another
definition?
We show that there exists an SSE scheme that has
IND2-CKA indexes and trapdoors that are secure
but when taken together, adversary can recover
keyword

17
Issues with CMs SSE security definition

CM security
any function that can be computed about the
documents and keywords given the ciphertexts, the
index and the trapdoors can be computed from the
length of the documents and the search outcomes
Issues
leaves out search pattern (proofs assume unique
queries)
order of quantifiers implies that there will
always exist a simulator that can evaluate
function on documents and keywords
Only guarantees security against non-adaptive
adversaries

18
What is adaptiveness?

Non-adaptive adversaries make search queries
without seeing the outcome of previous searches
Adaptive adversaries can make search queries as a
function of the outcome of previous searches
What are the implications of adaptiveness?

19
Modeling adaptiveness
Non-Adaptive SWP00,Goh03,CM05,...
Adaptive (new)
20
Outline

Motivation
Overview of privacy-preserving searching
Searchable symmetric encryption
Revisiting security definitions for SSE
Non-adaptive definitions and construction
Adaptive definitions and construction
Extensions

21
Non-adaptive security

any function about the history that can be
computed from the view can be computed from the
trace
history documents and keywords
view encrypted documents, index, trapdoors,
trace document lengths, search outcomes, search
pattern

22
SSE-1

Building a Secure Index

23
SSE-1

Building a Secure Index

Austin Baltimore Washington
24
SSE-1

Building a Secure Index
P PRP
F PRF

F(Austin) KA
Austin
Baltimore
F(Baltimore) KB
Washington
F(Washington) KW
25
SSE-1

Searching

addr P(Baltimore)
key F(Baltimore)
Baltimore
26
Technical issues

We overlooked many technical details
padding and shuffling
Efficient storage of sparse tables
large address space small number of entries
FKS dictionaries Fredman-Komlos-Szemeredi84
storage O(entries)
lookup O(1)

27
Outline

Motivation
Overview of privacy-preserving computation
Searchable symmetric encryption
Revisiting security definitions for SSE
Non-adaptive definitions and construction
Adaptive definitions and construction
Extensions

28
Adaptive security

any function about the partial history that can
be computed from the partial view can be computed
from the partial trace
partial history documents and keywords
partial view encrypted documents, index,
trapdoors,
partial trace document lengths, search outcomes,
search pattern

29
Adaptive security

Do we need revised SSE constructions?
Are previous constructions adaptively secure?
Technical challenge simulator must be able to
fake trapdoors after having committed to index
Previous constructions do not have this property
Unfortunately, this is expensive!

30
SSE-2

Similar to SSE-1
Pre-processing and padding
simulator can commit to an index before query is
issued
and still build valid trapdoors after query is
issued
Constant blowup in
size of trapdoors
size of index
server search time

31
Comparison

n total of documents d of
documents that contain word

32
Outline

Motivation
Overview of privacy-preserving searching
Searchable symmetric encryption
Revisiting security definitions for SSE
Non-adaptive definitions and construction
Adaptive definitions and construction
Extensions

33
Multi-User SSE
34
Multi-User SSE

Indexes and trapdoors require same security
notions as single-user SSE
Revocation owner can revoke searching privileges
robust against user collusions
Anonymity server should not know who initiated
search
Simple construction that transforms single-user
SSE schemes to multi-user SSE schemes
broadcast encryption (revocation)
PRPs

35
Open Questions

Constant-round schemes that hide everything, even
the access pattern
Constant-round Searching for Boolean combinations
of keywords (note that with logarithmic rounds
already follows from Ost,GO.)
Conjunctive searchable encryption GSW04, PKL04,
BW06
Disjunctive ?

36
Conclusions