analysingaccess pattern and volume leakage from range
play

AnalysingAccess Pattern and Volume Leakage from Range Queries on - PowerPoint PPT Presentation

Aug 27, 2022 •361 likes •859 views

AnalysingAccess Pattern and Volume Leakage from Range Queries on Encrypted Data Kenny Paterson @kennyog based on joint work with Paul Grubbs, Marie-Sarah Lacharit, Brice Minaud Information Security Group SuRI EPFL June 18, 2018

  1. AnalysingAccess Pattern and Volume Leakage from Range Queries on Encrypted Data Kenny Paterson @kennyog based on joint work with Paul Grubbs, Marie-Sarah Lacharité, Brice Minaud Information Security Group SuRI – EPFL – June 18, 2018

  2. Outsourcing Data to the Cloud Data upload Search query Matching records Update query Server Client • For encrypted database systems : • Data = collection of records in a database (e.g. health records). • Query examples = - Find records with a given value (e.g. patients aged 57). - Find records within a given range (e.g. patients aged 55 to 65). - … 2

  3. Security of Data Outsourcing Solutions Network adversary Query Matching records Adversarial server Client • Adversaries: • Network adversary= observes traffic on network. • Snapshot adversary= breaks into server, gets snapshot of memory. • Persistent adversary= corruptsthe server for a periodof time; seesall communication transcripts. Can beserver itself. • Security goal = privacy: Adversary learns as little as possible about the client’s data and queries. 3

  4. State of the Art • Network attacker apparently easy to defeat using network encryption, e.g. TLS. • For snapshot and persistent attackers: no perfect solution. Every solution is a trade-off between functionality and security . • Huge amount of literature. [AKSX04], [BCLO09], [PKV+14] , [BLR+15], [NKW15], [K15], [CLWW16], [KKNO16] , [RACY16], [LW16] … • A few “complete” solutions : Mylar (for web apps) ⚠ Controversial! CryptDB (handles most of SQL) ➔ Cipherbase (Microsoft), Encrypted BigQuery (Google), … • Very active area of research. 4

  5. Setting for this Talk: Schemes Supporting Range Queries Range = [40,100] 3 1 45 83 Server Client 3 4 1 2 45 6 83 28 • All known schemes leak to the server the set of matching records = access pattern . OPE, ORE schemes, POPE, [HK16], Blind seer, [Lu12], [FJKNRS15],… • Some schemes also leak # records below queried range endpoints = rank . FH-OPE, Lewi-Wu, Arx, Cipherbase, EncKV,… 5

  6. Setting for this Talk: Schemes Supporting Range Queries Range = [40,100] 3 1 45 83 “2 records” Server Client 3 4 1 2 45 6 83 28 • Could hide access pattern from server by using ORAM (at huge cost). • But volume of responses (number of records) would still leak to server. • Volume would also leak to network adversary unless traffic padding mechanisms were used; these are rare in practice (cf. AES-GCM in TLS). • Motivates consideration of volume attacks . 6

  7. Exploiting Leakage • Most schemes prove that nothing more leaks than their leakage model allows. • For example, leakage = volume, access pattern, or access pattern + rank. • What can we really learn from this leakage? Our goals : • Volume leakage only: distribution reconstruction (DR) = recover the number of times each value occurs in the database. • Access pattern (+ rank): full reconstruction = recover the exact value for every record. 7

  8. Exploiting Leakage –State of the Art [KKNO16] : If N denotes the number of distinct data items, then: O(N 2 log N) queries suffice for full reconstruction, using only access pattern • leakage. O(N 4 log N) queries suffice for distribution reconstruction, using only volume • leakage. (NB: In both cases, because of inherent symmetry, only reconstruction up to reflection is possible.) 8

  9. Exploiting Leakage – Highlights of Our Results [LMP18] (eprint 2017/701; S&P18): • O(N log N) queries suffice for full reconstruction, using only access pattern leakage. - where N is the number of possible values (e.g. 125 for age in years). - provided data is dense (every value occurs at least once). [GLMP]: O(N 2 log N) queries suffice for distribution reconstruction, using only volume • leakage. - provided the number of records R is larger than about N 2 /2. 9

  10. Attacks from Access Pattern Leakage [LMP18]

  11. Assumptions for Analysis 1. Data is dense: all values appear in at least one record. Can be relaxed in some of our attacks. 2. Range queries are uniformly distributed. Our algorithms don’t actually care though – the assumption is only used for computing upper bounds on required number of queries. 11

  12. Main Results from [LMP18] 1. Full reconstruction with O(N logN) queries from access pattern leakage – in fact, N · (3 + log N). 1. s 2. Approximate reconstruction with relative accuracy ε with O( N · (log 1/ ε )) queries. 3. Approximate reconstruction using an auxiliary distribution and rank leakage. – more efficient in practice, evaluation via simulation. 12

  13. Attack 1: Full Reconstruction

  14. Full Reconstruction with Rank Leakage • Adversary is observing query leakage… Hidden Leaked Query [x,y] a = rank(x-1) b = rank(y) Matching IDs [1,18] 0 1200 M 1 [2,10] 500 800 M 2 (Reordered for convenience) [7,98] 600 3000 M 3 [55,125] 2000 4000 M 4 0 500 1200 Rank #Records = 4000 … M 1 M 2 M 3 … M 4 14

  15. Full Reconstruction with Rank Leakage 1 … Rank #Records M 1 M 2 M 3 … M 4 f ! " ∖ (! % ∪ f ! " ∩ ! ' ∖ … … ! ' ∪ ! ( ) (! % ∪ ! ( ) • Order sets by rank. • Partition records into smallest possible sets using access pattern leakage. • If this partitions records into N sets, win ! Just match minimal sets with values. 15

  16. Full Reconstruction with Rank Leakage • Expected number of queries sufficient for full reconstruction is at most: N · (2 + log N) for N ≥ 27. • Essentially a coupon collector’s problem. • Expected number of necessary queries is at least: 1/2 · N · log N –O(N) for any algorithm. • This algorithm is “data-optimal”, i.e. it fails iff full reconstruction is impossible for any algorithm given the input data. 16

  17. Full Reconstruction without Rank Leakage • More general setting: now use only access pattern leakage. • Partition (as before), then sort (see slides ahead). • Expected number of sufficient queries is at most: N · (3 + log N) for N ≥ 26 - i.e. new sorting step is very cheap in terms of data. • Expected number of necessary queries is at least: 1/2 · N · log N –O(N) for any algorithm. • Still data-optimal! 18

  18. Full Reconstruction (without Rank Leakage): Sorting Step all records M 7 M 39 M 72 1 or N M 36 M 93 M 58 M 28 M 9 M 40 M 18 19 Interval of size N -1

  19. Full Reconstruction (without Rank Leakage): Sorting Step – Extending all records M 25 M 36 M 22 M 17 T T M 62 M 81 T … 20

  20. Full Reconstruction (without Rank Leakage): Sorting Step – Extending all records 21

  21. Full Reconstruction (without Rank Leakage): Sorting Step all records M 3 M 39 M 27 M 13 T M 52 T T M 99 T 22

  22. Full Reconstruction (without Rank Leakage): Sorting Step all records … T 23

  23. Full Reconstruction (without Rank Leakage): Proof Intuition • Hard part is to show that O(N log N) queries suffice, with a small constant. • Proof consists of showing that if certain favourable range queries are made, then partitioning succeeds in constructing N classes, and sorting succeeds in ordering them. • Coupon collecting bounds then establish that O(N log N) queries are enough. 24

  24. Attack 3: Reconstruction with Auxiliary Data

  25. Reconstruction with Auxiliary Data and Rank Leakage • As before, queries have ranges chosen uniformly at random. • Assume access pattern and rank are leaked. • We now also assume that an approximation to the distribution on values is known. “Auxiliary distribution”. From aggregate data, or from another reference source. • We show experimentally that, under these assumptions, far fewer queries are needed. 26

  26. Auxiliary Data Attack: Estimating Step Inverse CDF Rank- of auxiliary ordered distribution Values records 1 0 20% 20% Expected value Match x restricted to [x,y] a Point guess v ( or confidence y b interval) 4000 125 27

  27. Auxiliary Data Attack: Experimental Evaluation • Ages, N = 125 (0 to 124). • Health records from US hospitals (NIS HCUP 2009). • Target: age of individual hospitals' records. • Auxiliary data: aggregate of 200 hospitals' records. • Measure of success: proportion of records with value guessed within ε. 28

  28. Auxiliary Data Attack: Results for Typical Target Hospital 29

  29. Auxiliary Data Attack: Results with Perfect Auxiliary Distribution 30

  30. Summary of Attacks from [LMP18] Full reconstruction in ≈N log N queries with only access pattern. Efficient, data-optimal algorithms + matching lower bound. Attack Req'd leakage Other req'ts Suff. # queries O(N 2 log N) KKNO16 AP Density Full AP + rank Density N · (log N + 2) AP Density N · (log N + 3) ε-approximate AP Density 5/4 N · (log 1/ε) + O(N) Auxiliary AP + rank Auxiliary dist. Experimental • For N = 125, about 800 queries suffice for full reconstruction! • If an auxiliary distribution + rank leakage is available, after only 25 queries, 55% of records can be reconstructed to within 5 years. 31

  31. Attacks based on Volume Leakage

  32. Volume Leakage Range = [40,100] 3 1 45 83 “2 records” Server Client 3 4 1 2 45 6 83 28 • Now onlyvolumeof responses (number of records) leaks to server or network adversary. • Much tougher attack setting. • Target is distribution reconstruction : how many records have each value. 33

Recommend

Work-in-Progress: RWS A Roulette Wheel Scheduler for Preventing Execution Pattern Leakage

Work-in-Progress: RWS A Roulette Wheel Scheduler for Preventing Execution Pattern Leakage

Work-in-Progress: RWS A Roulette Wheel Scheduler for Preventing Execution Pattern Leakage Ying Zhang, Lingxiang Wang, Wei Jiang, Zhishan Guo Department of Computer Science, Missouri S&T Presenter: Zheng Dong* * Department of Computer

566 views • 9 slides
Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah

Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah

Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah Lacharit, Brice Minaud , Kenny Paterson Information Security Group IEEE Symposium on Security and Privacy, May 21, 2018 Outsourcing Data with Search

654 views • 62 slides
Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional

Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional

Digital Leakage Today Analog and Digital Leakage LTE interference Kendall Robinson Regional Account Director Arcom Digital < HOME Digital Leakage Outline Digital Leakage Traditional Leakage LTE Ingress and Egress issues

877 views • 68 slides
Improved reconstruction attacks using range query leakage Marie-Sarah Lacharit Brice Minaud

Improved reconstruction attacks using range query leakage Marie-Sarah Lacharit Brice Minaud

Improved reconstruction attacks using range query leakage Marie-Sarah Lacharit Brice Minaud Kenny Paterson Information Security Group Application Setting Storing Records in the Cloud value of record ( N possible values) record identifier

615 views • 59 slides
Reconstructing Encrypted Data Using Range Query Leakage Marie-Sarah Lacharit, Brice Minaud,

Reconstructing Encrypted Data Using Range Query Leakage Marie-Sarah Lacharit, Brice Minaud,

Reconstructing Encrypted Data Using Range Query Leakage Marie-Sarah Lacharit, Brice Minaud, Kenny Paterson ePrint 2017/701, to appear S&P 2018. Information Security Group Workshop IoT+Cloud, Bochum, 7 Nov 2017. Outsourcing Data to the

699 views • 22 slides
Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

SAC Summer School 2019 Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions allow us to prove that our schemes achieve a certain leakage profile but doesnt tell us if a leakage profile is

477 views • 22 slides
ORIGINAL ARTICLE ISRA MEDICAL JOURNAL | Volume 6 - Issue 4 | Oct - Dec 2014 AGE, PATTERN OF

ORIGINAL ARTICLE ISRA MEDICAL JOURNAL | Volume 6 - Issue 4 | Oct - Dec 2014 AGE, PATTERN OF

ORIGINAL ARTICLE ISRA MEDICAL JOURNAL | Volume 6 - Issue 4 | Oct - Dec 2014 AGE, PATTERN OF PRESENTATION AND RISK FACTOR FOR ENTERIC FEVER IN 2-15 YEARS OLD CHILDREN 1 2 3 4 NADIA WAHEED , ZESSHAN GHANI , ASMA YAQUB , ASIFA MURTAZA

83 views • 4 slides
Encrypted Search: Leakage Suppression Seny Kamara How Should we Handle Leakage? Approach #1:

Encrypted Search: Leakage Suppression Seny Kamara How Should we Handle Leakage? Approach #1:

SAC Summer School 2019 Encrypted Search: Leakage Suppression Seny Kamara How Should we Handle Leakage? Approach #1: ORAM simulation Store and simulate data structure with ORAM General-purpose Zero-leakage (if data is transformed

1.29k views • 60 slides
The Water Detective Q-Leak is a sensitive leakage detector which can be placed anywhere water

The Water Detective Q-Leak is a sensitive leakage detector which can be placed anywhere water

The Water Detective Q-Leak is a sensitive leakage detector which can be placed anywhere water leakage can occur . To prevent leakage-related damages it sends an alert whenever water is detected. The device also visualizes its status on the online

234 views • 10 slides
A Pattern Pattern Taxonomy Creational Behavioral Structural Pattern Pattern Pattern

A Pattern Pattern Taxonomy Creational Behavioral Structural Pattern Pattern Pattern

Podcast Ch08-15 Title : Template Design Pattern Description : Generic class diagram; examples; template vs. inheritance Participants : Barry Kurtz (instructor); Brandon Winters, Sara Hyde, Cheng Vue, Dan Baehr (students) Textbook

315 views • 3 slides
Carbon leakage: theory, evidence and policy PMR Webinar on Carbon Leakage John Ward November 24

Carbon leakage: theory, evidence and policy PMR Webinar on Carbon Leakage John Ward November 24

Carbon leakage: theory, evidence and policy PMR Webinar on Carbon Leakage John Ward November 24 and December 3, 2015 Vivid Economics Overview Definition Theory Evidence Addressing leakage Why? Which sectors? How? 2

408 views • 29 slides
A fA-Range Low-Power Multi-Channel Digital A fA-Range Low-Power Multi-Channel Digital Read-Out

A fA-Range Low-Power Multi-Channel Digital A fA-Range Low-Power Multi-Channel Digital Read-Out

DCIS 2010 Intro ROIC times Leakage Integ Test Conclusions 1/30 A fA-Range Low-Power Multi-Channel Digital A fA-Range Low-Power Multi-Channel Digital Read-Out Integrated Circuit for Differential Read-Out Integrated Circuit for

448 views • 30 slides
LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov

LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov

LEAKAGE - RESILIENT PUBLIC - KEY ENCRYPTION FROM OBFUSCATION Dana Dachman-Soled, S. Dov Gordon, Feng-Hao Lui, Adam, ONeill, and Hong-Sheng Zhou O UTLINE OF T ALK Leakage Models for PKE Bounded, Continual, and Continual w/ Leakage on

1.05k views • 102 slides
Volume Visualization Overview: Volume Visualization (1) Introduction to volume visualization On

Volume Visualization Overview: Volume Visualization (1) Introduction to volume visualization On

Volume Visualization Overview: Volume Visualization (1) Introduction to volume visualization On volume data Voxels vs. cells Interpolation Gradient Classification Transfer Functions (TF) Slice vs surface vs. volume rendering Overview:

1.35k views • 99 slides
Design of Mixed Gates for Design of Mixed Gates for Leakage Reduction Leakage Reduction Frank

Design of Mixed Gates for Design of Mixed Gates for Leakage Reduction Leakage Reduction Frank

GLSVLSI 2007 17th edition of ACM Great Lakes Symposium on VLSI Design of Mixed Gates for Design of Mixed Gates for Leakage Reduction Leakage Reduction Frank Sill, Jiaxi You, Dirk Timmermann Institute of Applied Microelectronics and Computer

738 views • 32 slides
Awk, Awk Pattern matching and processing language Looks for pattern in file If pattern

Awk, Awk Pattern matching and processing language Looks for pattern in file If pattern

CSC209 Fall 2001 What is AWK? Awk, Awk Pattern matching and processing language Looks for pattern in file If pattern matches, do something Many details handled automatically very easy to one off (write and throw away)

673 views • 12 slides
I can interpret my answer in terms of the question. National 5 WB 26th Feb Statistics 3, 5, 5, 8,

I can interpret my answer in terms of the question. National 5 WB 26th Feb Statistics 3, 5, 5, 8,

National 5 WB 26th Feb Statistics Starter 2 1) The small box has a volume of 24cm . The boxes are similar. Find the new volume of the box. 3cm 9cm 2 2) What is the turning point of the graph y = (x - 9) + 4 Mean, Mode, Median and Range

205 views • 20 slides
solid Obtainable chip volume Q in steel up to max. 300 cm / min and a required spindel load Pc

solid Obtainable chip volume Q in steel up to max. 300 cm / min and a required spindel load Pc

Small inserts for a huge application area in steel, stainless steel, cast iron and aluminium Machining workpieces with average cutting loads: D.O.C. range 0.1 up to 4.0 mm Feed rate range 0.05 up to 0.2 mm 3 Axis or more simultaneous

496 views • 5 slides
HVAC System Air Leakage 2019 Presented By: Mark Terzigni Director of Engineering Technical

HVAC System Air Leakage 2019 Presented By: Mark Terzigni Director of Engineering Technical

HVAC System Air Leakage 2019 Presented By: Mark Terzigni Director of Engineering Technical Services SMACNA Learning Objectives Understand the difference between System leakage and Duct leakage Understand what information

841 views • 59 slides
1 Volume Graphics - Pros Volume Graphics - Cons Advantages: Disadvantages: Required

1 Volume Graphics - Pros Volume Graphics - Cons Advantages: Disadvantages: Required

Overview Volume Rendering Surface graphics is not enough for ... Introduction to volume graphics Volume rendering techniques Lecture 21 Contour surfaces Ray Casting Cell Projection Slides gathered from Roger Crawfis ,

670 views • 12 slides
Pattern Matching a b a c a a b 1 a b a c a b 4 3 2 a b a c a b Pattern

Pattern Matching a b a c a a b 1 a b a c a b 4 3 2 a b a c a b Pattern

Pattern Matching a b a c a a b 1 a b a c a b 4 3 2 a b a c a b Pattern Matching 1 Outline and Reading Strings (11.1) Pattern matching algorithms Brute-force algorithm (11.2.1) Boyer-Moore algorithm (11.2.2)

612 views • 14 slides
Pattern Review Pattern Name and Classification: A descriptive and unique name that helps in

Pattern Review Pattern Name and Classification: A descriptive and unique name that helps in

Pattern Review Pattern Name and Classification: A descriptive and unique name that helps in identifying and referring to the pattern. Intent: A description of the goal behind the pattern and the reason for using it. Also Known As: Other names for

352 views • 4 slides
The UK position on ETS reform Dan Doherty 1 Key policy issues for Phase IV 1. Carbon leakage

The UK position on ETS reform Dan Doherty 1 Key policy issues for Phase IV 1. Carbon leakage

The UK position on ETS reform Dan Doherty 1 Key policy issues for Phase IV 1. Carbon leakage 2. Innovation Fund 3. Modernisation Fund 4. Article 10 c 5. Simplification Principles of Carbon Leakage Reform In order for carbon leakage policy

339 views • 13 slides
Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy

Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy

Leakage-Resilient Public-Key Cryptography in the Bounded-Retrieval Model Jol Alwen, Yevgeniy Dodis, Daniel Wichs New York University Speaker: Daniel Wichs CRYPTO 09 Goal of Leakage-Resilient Crypto Model of Leakage Resilience

303 views • 29 slides

More recommend