Breach-Resistant Structured Encryption Ghous Amjad, Seny Kamara & Tarik Moataz
Databases: “A database is an organized collection of data” --- Wikipedia
Encrypted Database [figure: Enc_K]
Q: Can we encrypt DBs even in use?
Efficiency, Functionality, Leakage
Tradeoffs: Functionality vs. Efficiency [figure: axes Functionality and Efficiency; labels ORAM-based, SQL, PPE-based, FHE-based, SK-FE-based, NoSQL, STE-based, PK-FE-based]
Tradeoffs: Efficiency vs. Security [figure: axes Efficiency and Leakage; labels STE-based, PPE-based, STE+ORAM-based, skFE-based, pkFE-based, ORAM-based, FHE-based]
Background: Data Structures
• DXs map labels to values
• MMs map labels to tuples
• [figure: example multi-map MM and dictionary DX over labels w_1, w_2, w_3 and values id_1, ..., id_4]
• Get: MM[w_3] returns (id_2, id_4)
• Get: DX[w_3] returns id_2
Structured Encryption [CK’10]
• Setup(1^k, DS) ⟾ (K, EDS)
• Token(K, q) ⟾ tk
• Query(EDS, tk) ⟾ ans
• [figure: DS = MM, EDS = EMM, tk for w_i, ans = id_3]
Background: Encrypted Data Structures [CK’10]
• Single-keyword SSE = Encrypted Inverted Index = Encrypted Multi-Map: [SWP’00], [Goh’03], [CGKO’06], [CK10], [KPR’12], [KP’13], [CJJKRS’13], [CJJJKRS’14], [Bost’16] …
• Encrypted relational DB
• Encrypted NoSQL DB
• Encrypted Graph DB
Adaptive Security for STE [CGKO’06,CK’10] [figure: Real vs. Ideal experiments on multi-map MM and encrypted multi-map EMM; setup leakage L_S(MM), query leakage L_Q(MM, w_i) for queries w_i, update leakage L_U(MM, u_i) for updates u_i]
Forward Privacy [SPS’14]
• Informally [SPS’14]: “Updates cannot be correlated to previous queries”
• Formally [Bost’16]: $L_Q\big(MM, (op, w, v)\big) = \#v$
Security of Encrypted Structures [CGKO’06,CK’10]
• Definition guarantees security vs. adversary that
  • Holds encrypted structure & executes queries
  • Models an untrusted cloud provider
• Data breaches can occur even when server is trusted
  • Storage is compromised
  • Malicious employee
  • Government subpoena
• Adversary holds encrypted structure but does not see queries
Snapshot Security
• Adversary holds encrypted structure but does not see queries
• Discussed and formalized in [LW’16] for PPE
• Discussed in [PBP’16, GRS’17] but never formalized for STE
Q: What is snapshot security?
Snapshot Security [figure: Real vs. Ideal experiments; structures MM_0, EMM_0, EMM_1, EMM_2 with operations w_i, u_i and leakage L_S(MM_0), L_S(MM_1, op), L_S(MM_2, op)]
Snapshot Security and Breach-Resistance
• Informally: “Breach-resistant leakage reveals at most the size of the current structure”
• Formally: $L_{Snp}(MM, op_1, \dots, op_i) = L_S(MM_i) = \sum_{w \in W} \#MM_i[w]$
Tradeoffs: Efficiency vs. Security vs. Persistent Adversary! [figure: axes Efficiency and Leakage; labels STE-based, PPE-based, skFE-based, pkFE-based, ORAM-based, FHE-based]
Tradeoffs: Efficiency vs. Security vs. Snapshot Adversary [figure: axes Efficiency and Leakage; labels STE-based, PPE-based, skFE-based, pkFE-based, ORAM-based, FHE-based]
Snapshot Security [figure: Static Structures and Dynamic Structures; $L_S(MM) = \sum_{w \in W} \#MM[w]$; labels Forward privacy, Breach-resistance, Insertion independence (variant of history independence), Write-only obliviousness, Breach-resistance]
Q: Can we design breach-resistant & forward-private EMMs?
Dual-Secure EMMs
• [SPS’14]
• Query complexity: $O\Big(\#MM[w] \cdot \mathrm{polylog}\Big(\sum_{w \in W} \#MM[w]\Big)\Big)$
Q: Can we design efficient dual-secure EMMs?
Setup π_dyn [CJJJKRS’14] [figure: EMM.Setup(1^k, MM) produces EMM]
Setup π_dyn [CJJJKRS’14]
• Multi-map MM: w_1 → (id_1, id_3, id_4), w_2 → (id_3), w_3 → (id_2, id_4)
• Encrypted MM produced by EMM.Setup(1^k, MM): F_{K_{w1}}(1) → id_1, F_{K_{w1}}(2) → id_3, F_{K_{w1}}(3) → id_4, F_{K_{w2}}(1) → id_3, F_{K_{w3}}(1) → id_2, F_{K_{w3}}(2) → id_4
* PRF and Enc keys are different but derived from w_i
Get π_dyn [CJJJKRS’14]
• Token for w_i = w_1 is K_{w1}; EMM.Get(K_{w1}, EMM) returns id_1, id_3, id_4
  1. DX.Get(F_{K_{w1}}(1), DX) → id_1
  2. DX.Get(F_{K_{w1}}(2), DX) → id_3
  3. DX.Get(F_{K_{w1}}(3), DX) → id_4
  4. DX.Get(F_{K_{w1}}(4), DX) → ⊥
Get π_dyn [CJJJKRS’14] [figure: the same four DX.Get steps for K_{w1}, shown against dictionary DX with entries F_{K_{w1}}(1) → id_1, F_{K_{w1}}(2) → id_3, F_{K_{w1}}(3) → id_4, F_{K_{w2}}(1) → id_3, F_{K_{w3}}(1) → id_2, F_{K_{w3}}(2) → id_4; step 4 on F_{K_{w1}}(4) returns ⊥]
Edit+ π_dyn [CJJJKRS’14] [figure: EMM.Edit+ takes the pair (F_{K_{w1}}(4), id_9) and EMM and returns the updated EMM; step 1. DX.Put of that pair into DX]
Edit+ π_dyn [CJJJKRS’14] [figure: dictionary DX before and after EMM.Edit+ with (F_{K_{w1}}(4), id_9); after: F_{K_{w1}}(1) → id_1, F_{K_{w1}}(2) → id_3, F_{K_{w1}}(3) → id_4, F_{K_{w1}}(4) → id_9, F_{K_{w2}}(1) → id_3, F_{K_{w3}}(1) → id_2, F_{K_{w3}}(2) → id_4]
Edit- π_dyn [CJJJKRS’14] [figure: EMM.Edit- takes the pair (F_{K_{w1}}(4), id_3) and EMM and returns the updated EMM; step 1. DX.Put of that pair into DX]
Edit- π_dyn [CJJJKRS’14] [figure: dictionary DX before and after EMM.Edit- with (F_{K_{w1}}(4), id_3); after: F_{K_{w1}}(1) → id_1, F_{K_{w1}}(2) → id_3, F_{K_{w1}}(3) → id_4, F_{K_{w1}}(4) → id_3, F_{K_{w2}}(1) → id_3, F_{K_{w3}}(1) → id_2, F_{K_{w3}}(2) → id_4]
Get π_dyn [CJJJKRS’14]
• Token for w_i = w_1 is K_{w1}; EMM.Get(K_{w1}, EMM) returns id_1, id_3, id_4, id_4
  1. DX.Get(F_{K_{w1}}(1), DX) → id_1
  2. DX.Get(F_{K_{w1}}(2), DX) → id_3
  3. DX.Get(F_{K_{w1}}(3), DX) → id_4
  4. DX.Get(F_{K_{w1}}(4), DX) → id_4
• Cost: $O(\#MM[w] + dels_0(w))$
Forward-Private π_dyn
• Why is π_dyn not forward-private?
  • new pairs encrypted under same key used for search,
  • K_{wi} := F_K(w_i||1)
  • so previously searched w’s can be linked to new pairs
• Making π_dyn forward-private
  • use keys with version number that rotates at each search
  • K_{wi} := F_K(w_i||version||1)
• To search send keys for all versions
  • F_K(w_i||version1||1), …, F_K(w_i||version8||1)
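The versioned-key idea above, as an added Python sketch (not the authors' Java/Clusion implementation): labels are F_{K_w}(counter), each search releases the keys of all versions and then rotates the version, so a token released earlier cannot reach pairs inserted later. The class and function names, the `|` separators, the value-key suffix `2`, the XOR-pad value encryption and the demo key are assumptions made for illustration.

```python
import hashlib
import hmac

def prf(key, msg):  # F_K(msg) as HMAC-SHA256, the PRF named on the implementation slide
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    def __init__(self, key):
        self.key, self.state = key, {}  # state: w -> pair count per version

    def _keys(self, w, version):
        base = f"{w}|{version}|".encode()
        # label key F_K(w||version||1); value key uses suffix 2 (assumed derivation)
        return prf(self.key, base + b"1"), prf(self.key, base + b"2")

    def edit(self, w, op, ident):  # op "+" is Edit+, op "-" is Edit-
        counts = self.state.setdefault(w, [0])
        counts[-1] += 1
        k_lab, k_enc = self._keys(w, len(counts) - 1)
        ctr = str(counts[-1]).encode()
        plain = (op + ident).encode().ljust(32, b"\0")  # toy padding, ids < 32 bytes
        return prf(k_lab, ctr), xor(plain, prf(k_enc, ctr))

    def token(self, w):  # keys of all non-empty versions, then rotate the version
        counts = self.state.setdefault(w, [0])
        tk = [self._keys(w, v) for v, n in enumerate(counts) if n]
        counts.append(0)
        return tk

def server_get(dx, tk):  # probe F_Kw(1), F_Kw(2), ... until DX.Get finds nothing
    out = []
    for k_lab, k_enc in tk:
        ctr = 1
        while (ct := dx.get(prf(k_lab, str(ctr).encode()))) is not None:
            out.append(xor(ct, prf(k_enc, str(ctr).encode())).rstrip(b"\0").decode())
            ctr += 1
    return out

def demo():
    client, dx = Client(b"\x01" * 32), {}  # constructed demo key
    dx.update(client.edit("w1", "+", i) for i in ("id1", "id3", "id4"))
    old_tk = client.token("w1")
    before = server_get(dx, old_tk)
    dx.update([client.edit("w1", "+", "id9"), client.edit("w1", "-", "id3")])
    return before, server_get(dx, old_tk), server_get(dx, client.token("w1"))

print(demo())
```

The second result shows the stale token still reaching only the three original pairs; the third shows a fresh token returning five stored pairs for three live ids, which is the delete-pair overhead that the rebuild operation is meant to prune.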
Efficiency
• Most dynamic EMM constructions handle deletes naively
  • forward-private or not
• Query complexity: $O(\#MM[w] + dels_0(w))$
• Storage complexity: $O\Big(\sum_{w \in W} \#MM[w] + dels_0(w)\Big)$
Rebuilding
• Rebuild operation
  • Executed throughout lifetime of encrypted structure
  • Removes/prunes delete pairs
  • Cost: $\Omega\Big(\sum_{w \in W} \#MM[w]\Big)$
• Query complexity: $O(\#MM[w] + dels_r(w))$
• Storage complexity: $O\Big(\sum_{w \in W} \#MM[w] + dels_r(w)\Big)$
Rebuilding Encrypted Structures
• Ideally a zero-leakage operation
• Approach #1
  • Client queries for each keyword and recovers encrypted id’s
  • Removes deleted id’s
  • Re-inserts new encrypted keywords and id’s
• Leakage: $L_R(MM) = \Big( \big(L_G(MM, w)\big)_{w \in W}, \big(L_U(MM, (w, id))\big)_{w \in W} \Big) = \big( f(w), \#MM[w] + dels_r(w), g(w), \#MM[w] \big)_{w \in W}$
• Leaks new information to persistent Adv: query leakage of unsearched keywords
Rebuilding Encrypted Structures
• Ideally a zero-leakage operation
• Approach #2
  • Keep track of searched and unsearched
  • Use Approach #1 for searched
  • For unsearched sample pair uniformly at random & re-insert
• Leakage: $L_R(MM) = \Big( \big( f(w), \#MM[w] + dels_r(w), g(w), \#MM[w] \big)_{w \in S}, \sum_{w \in U} \#MM[w] \Big) = \Big( \big( f(w), \#MM[w], dels_r(w), g(w) \big)_{w \in S}, \sum_{w \in U} \#MM[w] \Big)$
• Annotation on the leakage: already leaked during queries
Rebuilding Encrypted Structures
• What about Snapshot security? $L_{Snp}(MM) = L_S(MM) = \sum_{w \in W} \#MM[w]$
• Rebuild is not de-amortized
• Variant with de-amortized rebuild
  • When de-amortized rebuild occurs impacts snapshot leakage
  • Executed during Updates
  • Requires stash at client
Forward-Private EMMs
Scheme | Forward Privacy | Search | Client Storage | Snapshot
SPS’14 | Yes | O(#MM[w] · polylog #MM) | O(#W) | Yes
B’16 | Yes | O(#MM[w] + dels_0(w)) | O(#W) | No
BMO’17 | Yes | O(#MM[w] + dels_0(w)) | O(#W) | No
EKPE’17 | Yes/No | O(#MM[w] + dels_s(w)) | O(#W) | No
This work | Yes | O(#MM[w] + dels_r(w)) | O(#W + ML) | Yes
Implementation
• Forward-private & response-hiding variant of π_dyn
  • de-amortized rebuild with λ = 3
• Java (1114 LOC)
  • Clusion encrypted search library
  • Lucene, Bouncy Castle
  • HMAC-SHA256 for PRFs and ROs
Experimental Setup
• Amazon EC2 c3.8xlarge instance
  • 32 vCPUs and 60GB of RAM
• Wikipedia
  • 26.5GB & 2,681,795 files
• Experiments (in memory)
  • Time to set up EMM as a function of pairs
  • Size of EMM & size of client state as a function of pairs
  • Server query time as a function of pairs for different selectivities
  • Server update time as a function of pairs for different λ
  • Effect of rebuild on query time
Setup Time & Sizes [figure]
Query & Update Time [figure]
Thank you