dynamic searchable encryption with small client storage
play

Dynamic Searchable Encryption with Small Client Storage Ioannis - PowerPoint PPT Presentation

Mar 18, 2024 •154 likes •561 views

Dynamic Searchable Encryption with Small Client Storage Ioannis Demertzis Javad Ghareh Chamani University of Maryland HKUST and Sharif University of Technology jgc@cse.ust.hk yannis@umd.edu Dimitrios Papadopoulos Charalampos Papamathou

  1. Dynamic Searchable Encryption with Small Client Storage Ioannis Demertzis Javad Ghareh Chamani University of Maryland HKUST and Sharif University of Technology jgc@cse.ust.hk yannis@umd.edu Dimitrios Papadopoulos Charalampos Papamathou HKUST University of Maryland dipapado@cse.ust.hk cpap@umd.edu

  2. What is Dynamic Searchable Encryption (DSE)? Untrusted ! "#$%& leakage: total leakage ! '%#() leakage---Search ? Cloud Client prior to query execution pattern: whether a search e.g. size of each encrypted file , query is repeated size of the encrypted index search query: keyword ! '%#() leakage---Access + pattern : encrypted document ids and files that satisfy the search query ! *&+,$# leakage : update query: keyword leakage during update execution Security (informal): The adversary does not learn anything beyond the above leakages!

  3. Update Leakage --- Forward Privacy Untrusted ? Cloud Client High-level idea: The server should not be able to relate an update with a previous operation! Time Add (F1, w1 ) 1 Query ( w1 ) + 2 Add (F2, w1 ) 3 Server should not learn that update in timestamp 3 is for the same keyword! • Definition: A DSE scheme is forward private if the update does not reveal any information • about the involved keyword, i.e., ! "#$%&' (w) = ! (op, id)

  4. Update Leakage --- Backward Privacy Untrusted High-level idea: The server should reveal controlled ? Cloud Client information about deleted files during search Time Add (F1, w1 ) 1 Add (F2, w1 ) 2 + Del (F1, w1 ) 3 Query ( w1 ) 4 !"#$%&(()) = { (,-, -) } !"#$%&(:) = {;iles @ABBCDEFG containing w and when they were stored} /0123$4 () ={ ), -, 5 } /0123$4 : = { timestamp of each update for w} %$67"43 : = {exactly which deletion cancels which addition } %$67"43(()) = {(), 5)}

  5. Update Leakage --- Backward Privacy Untrusted High-level idea: The server should reveal controlled ? Cloud Client information about deleted files during search Time Add (F1, w1 ) 1 Add (F2, w1 ) 2 + Del (F1, w1 ) 3 Query ( w1 ) 4 More Leakage ℒ 345678 w = ℒ(,)<.=! w ) !"#$%"&' (&)*"#+ ,+-. − 0: !"#$%"&' (&)*"#+ ,+-. − 00: ℒ ?45678 w = ℒ(,)<.=! w , A-'"B.C(w)) !"#$%"&' (&)*"#+ ,+-. − 000: ℒ 3DEFGH w = ℒ(,)<.=! w , A-'"B.C w , =.IJ)CB(w))

  6. Issues with Prior Forward & Backward DSE schemes Untrusted ? Cloud Client Require: The client to store an operation counter for each unique keyword !!! O(|W|) can be up to O(N) , Keyword Counter where N is the total DB size w1 3 + w2 2 O(|W|), where |W| w3 4 is the dictionary size … Synchronization issues: wM 5 if the client wants to access the encrypted DB from multiple devices

  7. Issues with Prior Forward & Backward DSE schemes Untrusted ? Cloud Client Outsourcing the operational counters to the server requires the use of Oblivious Indexes ~ extra O(log 2 N) overhead and O(logN) rounds of interaction! Keyword Counter E.g., an Oblivious w1 3 Hash Map ( OMAP ) + w2 2 w3 4 … wM 5

  8. Prior state-of-the-art Works & Our Contributions Search Update Search RT BP-Type ! ! Moneta O (a w logN + log 3 N) O (log 2 N) 2 Type-I O(a w + log 2 N) O(log 2 N) O(logN) Type-II OMAP + Mitra x SDa O(a w + logN) O(logN) (am.) 1 Type-II SDd O(a w + logN) O(log 3 N) 1 Type-II ORION O(n w log 2 N) O(log 2 N) O(logN) Type-I HORUS O(n w logd w logN + log 2 N) O(log 2 N) O(logN) Type-III QOS O(n w logi w + log 2 N) O(log 3 N) O(logN) Type-III N : total number of (file, keyword) pairs, a w : #updates for keyword w n w : #files currently containing keyword w , i w : #inserts for keyword w

  9. Prior state-of-the-art Works & Our Contributions Search Update Search RT BP-Type ! ! Moneta O (a w logN + log 3 N) O (log 2 N) 2 Type-I O(a w + log 2 N) O(log 2 N) O(logN) Type-II OMAP + Mitra SDa O(a w + logN) O(logN) (am.) 1 Type-II SDd O(a w + logN) O(log 3 N) 1 Type-II ORION O(n w log 2 N) O(log 2 N) O(logN) Type-I HORUS O(n w logd w logN + log 2 N) O(log 2 N) O(logN) Type-III QOS O(n w logi w + log 2 N) O(log 3 N) O(logN) Type-III SDa and SDd have 20x-85x faster search time than MITRA QOS has 14x-16531x faster search time than HORUS

  10. Prior state-of-the-art Works & Our Contributions Search Update Search RT BP-Type ! ! Moneta O (a w logN + log 3 N) O (log 2 N) 2 Type-I O(a w + log 2 N) O(log 2 N) O(logN) Type-II OMAP + Mitra SDa O(a w + logN) O(logN) (am.) 1 Type-II SDd O(a w + logN) O(log 3 N) 1 Type-II ORION O(n w log 2 N) O(log 2 N) O(logN) Type-I HORUS O(n w logd w logN + log 2 N) O(log 2 N) O(logN) Type-III QOS O(n w logi w + log 2 N) O(log 3 N) O(logN) Type-III QOS has better search time for deletion ratios between 40%-80%

  11. SDa scheme Untrusted ? Cloud Client High-level idea: Organize N updates in a collection of at most log 2 N independent encrypted indexes Add (F1, w1) 4 1

  12. SDa scheme Untrusted ? Cloud Client High-level idea: Organize N updates in a collection of at most log 2 N independent encrypted indexes Add (F4, w1) 4 1 1

  13. SDa scheme Untrusted ? Cloud Client High-level idea: Organize N updates in a collection of at most log 2 N independent encrypted indexes If we keep adding the Add (F4, w1) number of encrypted indexes will be O(N) 4 1 1

  14. SDa scheme Untrusted ? Cloud Client High-level idea: Organize N updates in a collection of at most log 2 N independent encrypted indexes Whenever two indexes of the same size exist, download them and merge them in a new index 4 1 1 2

  15. *Assuming that N is a power of 2 SDa scheme Untrusted ? Cloud Client High-level idea: Organize N updates in a collection of at most log 2 N independent encrypted indexes After N-1 updates … N/2 N/4 1 Update cost = O(log 2 N) (amortized) O(log 2 N ) encrypted indexes

  16. *Assuming that N is a power of 2 SDa scheme Untrusted ? Cloud Client High-level idea: Organize N updates in a collection of at most log 2 N independent encrypted indexes search query: keyword 1 Search cost = O(log 2 N + a w ) keyword search query: keyword 2 … N/2 N/4 1 … search query: keyword logN O(log 2 N ) encrypted indexes Intuition Forward/Backward privacy: Every index is built with a fresh key and the used static SE is response hiding!!!

  17. SDa --- Amortized Update Cost Expensive Updates O(N) Cheap Updates O(1)

  18. SDd scheme Untrusted ? Cloud Client High-level idea: Let’s de-amortize the SDa construction Add (F1, w1) … 4 2 1 O(log 2 N ) encrypted indexes

  19. SDd scheme Untrusted ? Cloud Client OLDEST 1 OLDEST 2 OLDEST 4 OLDER 2 OLDER 4 OLDER 1 … OLD 1 OLD 4 OLD 2 NEW 2 NEW 4 NEW 1 1 2 4

  20. SDd scheme Untrusted ? Cloud Client OLDEST 1 OLDEST 2 OLDEST 4 OLDER 2 OLDER 4 OLDER 1 … OLD 1 OLD 4 OLD 2 Add (F1, w1) NEW 2 NEW 4 NEW 1 1 2 4 If NEW is full move it to the first empty OLDEST, OLDER or OLD index

  21. SDd scheme Untrusted ? Cloud Client OLDEST 1 OLDEST 2 OLDEST 4 OLDER 2 OLDER 4 OLDER 1 … OLD 1 OLD 4 OLD 2 Add (F2, w1) NEW 2 NEW 4 NEW 1 1 2 4

  22. SDd scheme Untrusted ? Cloud Client If OLDEST i and OLDER i are full start moving the updates to the NEW i+1 index OLDEST 1 OLDEST 2 OLDEST 4 OLDER 2 OLDER 4 OLDER 1 … OLD 1 OLD 4 OLD 2 NEW 2 NEW 4 NEW 1 1 2 4

  23. SDd scheme Untrusted ? Cloud Client For achieving Forward Privacy we need to use Oblivious MAPs (OMAP) OLDEST 1 OLDEST 2 OLDEST 4 OLDER 2 OLDER 4 OLDER 1 … OLD 1 OLD 4 OLD 2 NEW 2 NEW 4 NEW 1 1 2 4 OMAP 1 OMAP 2

  24. SDd scheme Untrusted ? Cloud Client Search cost = O(3*log 2 N + a w ) OLDEST 1 OLDEST 2 OLDEST 4 OLDER 2 OLDER 4 OLDER 1 … OLD 1 OLD 4 OLD 2 Query(w1) NEW 2 NEW 4 NEW 1 1 2 4 OMAP cost = O(log 2 N) OMAP 1 OMAP 2 Update cost = O(log 3 N)

  25. Prior state-of-the-art Works & Our Contributions Search Update Search RT BP-Type ! ! Moneta O (a w logN + log 3 N) O (log 2 N) 2 Type-I O(a w + log 2 N) O(log 2 N) O(logN) Type-II OMAP + Mitra SDa O(a w + logN) O(logN) (am.) 1 Type-II SDd O(a w + logN) O(log 3 N) 1 Type-II ORION O(n w log 2 N) O(log 2 N) O(logN) Type-I HORUS O(n w logd w logN + log 2 N) O(log 2 N) O(logN) Type-III QOS O(n w logi w + log 2 N) O(log 3 N) O(logN) Type-III Definition: A DSE scheme has optimal (resp. quasi-optimal) search time, if the asymptotic • complexity of Search is O(n w ) (resp. O(n w polylog(N) ).

  26. Motivation for Optimal/Quasi-optimal Search Untrusted SDd search cost ? Cloud Client Add (F1, w1 ) = O(log 2 N + a w ) Add (F2, w1 ) … + Add (FN, w1 ) Del (F1, w1 ) … w1 is contained only in Del (F N-1 , w1 ) File N , but the result has size O(a w ) ~= O(N) Query( w1 )

  27. QOS --- Main Idea Untrusted ? Cloud Client Idea: For each keyword w create a data structure that helps us avoid the deleted regions Next empty Add (F1, w1 ) leaf for w1 Add (F2, w1 ) Add (F5, w1 ) OMAP 1 2 3 4 5 Add (F10, w1 ) Add (F35, w1 ) Tree for keyword w1 (N=8)

  28. QOS --- Main Idea Untrusted ? Cloud Client Idea: For each keyword w create a data structure that helps us avoid the deleted regions Returns the leaf Del (F1, w1 ) that contains F1, w1 OMAP 1 2 3 4 5 Tree for keyword w1 (N=8)

  29. QOS --- Main Idea Untrusted ? Cloud Client Idea: For each keyword w create a data structure that helps us avoid the deleted regions Returns the leaf Del (F1, w1 ) that contains F2, w2 Del (F2, w1 ) OMAP 1 2 3 4 5 Tree for keyword w1 (N=8)

Recommend

Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage

Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage

Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage Presented by: Keegan Sherman and Pardeep Banwait Searchable Symmetric Encryption Allows a user to store a collection of encrypted documents and

350 views • 24 slides
Searchable Encryption Prepared for 600.624 February 9, 2006 Outline Motivation of

Searchable Encryption Prepared for 600.624 February 9, 2006 Outline Motivation of

Searchable Encryption Prepared for 600.624 February 9, 2006 Outline Motivation of Searchable Encryption Searchable Encryption Constructions of Song, Wagner and Perrig Discussion Related Work Conjunctive Keyword

753 views • 51 slides
Backward Secure Dynamic Searchable Symmetric Encryption with Efficient Updates Hyung Tae Lee

Backward Secure Dynamic Searchable Symmetric Encryption with Efficient Updates Hyung Tae Lee

Backward Secure Dynamic Searchable Symmetric Encryption with Efficient Updates Hyung Tae Lee Chonbuk National University, Republic of Korea June 14, 2019@ Workshop on Modern Trends in Cryptography Table of contents 1. Introduction 2.

537 views • 25 slides
Efficient Dynamic Searchable Encryption with Forward Privacy Mohammad Alptekin Charalampos

Efficient Dynamic Searchable Encryption with Forward Privacy Mohammad Alptekin Charalampos

Efficient Dynamic Searchable Encryption with Forward Privacy Mohammad Alptekin Charalampos David Kp Etemad Papamanthou Evans Efficient Dynamic Searchable Encryption with Forward Privacy Etemad, Kp , Papamanthou, Evans, PETS

1.57k views • 90 slides
FORWARD PRIVATE SEARCHABLE ENCRYPTION &amp; BEYOND 22/02/2017 MIT - RAPHAEL BOST DATE

FORWARD PRIVATE SEARCHABLE ENCRYPTION &amp; BEYOND 22/02/2017 MIT - RAPHAEL BOST DATE

FORWARD PRIVATE SEARCHABLE ENCRYPTION &amp; BEYOND 22/02/2017 MIT - RAPHAEL BOST DATE Searchable Encryption Outsource data securely keep search functionalities Generic Solutions Fully Homomorphic Encryption, MPC, ORAM

578 views • 37 slides
Dynamic Searchable Symmetric Encryption DSSE INTRODUCTION TO CYBER SECURITY ESTR 4306 | LIU

Dynamic Searchable Symmetric Encryption DSSE INTRODUCTION TO CYBER SECURITY ESTR 4306 | LIU

Dynamic Searchable Symmetric Encryption DSSE INTRODUCTION TO CYBER SECURITY ESTR 4306 | LIU YICUN Motivating Problem The clients want a encrypted database which can update dynamically. The clients want to do the updates without re-encrypting

898 views • 25 slides
The Locality of Searchable Symmetric Encryption David Cash Stefano Tessaro Rutgers U UC Santa

The Locality of Searchable Symmetric Encryption David Cash Stefano Tessaro Rutgers U UC Santa

The Locality of Searchable Symmetric Encryption David Cash Stefano Tessaro Rutgers U UC Santa Barbara 1 Outsourced storage and searching Browser only downloads documents matching query. Avoids downloading all 6 GB. 2 End-to-end

477 views • 47 slides
Sophos and Diane Searchable Symmetric Encryption with (Very) Low Overhead Raphael Bost, Brice

Sophos and Diane Searchable Symmetric Encryption with (Very) Low Overhead Raphael Bost, Brice

Sophos and Diane Searchable Symmetric Encryption with (Very) Low Overhead Raphael Bost, Brice Minaud RHUL ISG seminar, November 24th 2016 Plan 1. Symmetric Searchable Encryption. 2. Leakage and Forward-Privacy. 3. Sophos and Diane schemes. 4.

479 views • 45 slides
Lower Bounds for Encrypted Multi-Maps and Searchable Encryption in the Leakage Cell Probe Model

Lower Bounds for Encrypted Multi-Maps and Searchable Encryption in the Leakage Cell Probe Model

Lower Bounds for Encrypted Multi-Maps and Searchable Encryption in the Leakage Cell Probe Model Sarvar Patel*, Giuseppe Persiano** and Kevin Yeo* *Google **University of Salerno Key k i was queried. Privacy-Preserving Storage Protocols Key k i

1.11k views • 81 slides
Searching on/Testing Encrypted Data Lecture 23 Searchable Encryption Searchable Encryption A

Searching on/Testing Encrypted Data Lecture 23 Searchable Encryption Searchable Encryption A

Searching on/Testing Encrypted Data Lecture 23 Searchable Encryption Searchable Encryption A test key T w that allows one to test if Dec SK (C) = w Searchable Encryption A test key T w that allows one to test if Dec SK (C) = w No other

1.62k views • 116 slides
in Searchable Symmetric Encryption Kaoru Kurosawa and Yasuhiro Ohtaki Ibaraki University, Japan

in Searchable Symmetric Encryption Kaoru Kurosawa and Yasuhiro Ohtaki Ibaraki University, Japan

How to Update Documents Verifiably in Searchable Symmetric Encryption Kaoru Kurosawa and Yasuhiro Ohtaki Ibaraki University, Japan Outline (1) Introduction (2) Our (previous) verifiable SSE scheme (3) Extend it to a dynamic SSE scheme (but

1.13k views • 70 slides
Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1

Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1

Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1 Yesterday Motivation for searchable encryption First SSE scheme [SWP00] Attacks on [SWP00] Conjunctive SSE [GSW04,PKL04,BKM05] 2

703 views • 24 slides
Two-Client and Multi-client Functional Encryption for Set Intersection and Variants Tim van de

Two-Client and Multi-client Functional Encryption for Set Intersection and Variants Tim van de

Two-Client and Multi-client Functional Encryption for Set Intersection and Variants Tim van de Kamp David Stritzl Willem Jonker Andreas Peter ACISP 2019 Functional Encryption for Set Operations n evaluate i = 1 S i S 1 S 2 S n

707 views • 32 slides
Searchable Encryption From Theory to Implementation Raphael Bost Direction Gnrale de

Searchable Encryption From Theory to Implementation Raphael Bost Direction Gnrale de

Searchable Encryption From Theory to Implementation Raphael Bost Direction Gnrale de lArmement - Maitrise de lInformation &amp; Universit de Rennes 1 ECRYPT NET Workshop - Crypto for the Cloud &amp; Implementation - 28/06/2017

793 views • 43 slides
Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 ,

Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 ,

Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 , Pierre-Alain Fouque 2 , Brice Minaud 3 1 Direction Gnrale de lArmement - Matrise de lInformation 2 Universit de Rennes 1 3 INRIA &amp;

836 views • 45 slides
Searchable Symmetric Encryption: Optimal Locality in Linear Space via Two-Dimensional Balanced

Searchable Symmetric Encryption: Optimal Locality in Linear Space via Two-Dimensional Balanced

Searchable Symmetric Encryption: Optimal Locality in Linear Space via Two-Dimensional Balanced Allocations Gilad Asharov Cornell-Tech (Hebrew University) Moni Naor Weizmann Gil Segev

827 views • 56 slides
Searchable Symmetric Encryption: Optimal Locality in Linear Space via Two-Dimensional Balanced

Searchable Symmetric Encryption: Optimal Locality in Linear Space via Two-Dimensional Balanced

Searchable Symmetric Encryption: Optimal Locality in Linear Space via Two-Dimensional Balanced Allocations Gilad Asharov IBM Research Moni Naor Weizmann Gil Segev Hebrew

1.01k views • 42 slides
Forward Private Searchable Symmetric Encryption with Optimized I/O Efficiency Changyu Dong

Forward Private Searchable Symmetric Encryption with Optimized I/O Efficiency Changyu Dong

Forward Private Searchable Symmetric Encryption with Optimized I/O Efficiency Changyu Dong &lt;changyu.dong@newcastle.ac.uk&gt; Joint work with Xiangfu Song, Dandan Yuan, Qiuliang Xu, Minghao Zhao Motivation: Data Outsourcing Explosive

551 views • 29 slides
Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key

Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key

Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key Management Service Client Side Encryption AWS Encryption SDK Server Side Encryption S3 Object Encryption Amazon Simple Storage Service

387 views • 22 slides
Searchable Encryption with Optimal Locality: Achieving Sublogarithmic Read Efficiency Charalampos

Searchable Encryption with Optimal Locality: Achieving Sublogarithmic Read Efficiency Charalampos

Searchable Encryption with Optimal Locality: Achieving Sublogarithmic Read Efficiency Charalampos Papamanthou Ioannis Demertzis Dimitris Papadopoulos Hong Kong UST University of Maryland University of Maryland yannis@umd.edu

753 views • 26 slides
Searchable Encryption, Leakage-Abuse Attacks, and Statistical Learning Theory Paul Grubbs,

Searchable Encryption, Leakage-Abuse Attacks, and Statistical Learning Theory Paul Grubbs,

Searchable Encryption, Leakage-Abuse Attacks, and Statistical Learning Theory Paul Grubbs, Marie-Sarah Lacharit, Brice Minaud, Kenny Paterson eprint 2019/011 and IEEE S&amp;P 2019. (also eprint 2018/965, CCS 2018.) AriC crypto seminar, ENS

651 views • 48 slides
Tight Tradeoffs in Searchable Symmetric Encryption Gilad Asharov Gil Segev Ido Shahaf Cornell

Tight Tradeoffs in Searchable Symmetric Encryption Gilad Asharov Gil Segev Ido Shahaf Cornell

Tight Tradeoffs in Searchable Symmetric Encryption Gilad Asharov Gil Segev Ido Shahaf Cornell Hebrew Hebrew Tech University University The Efficiency of SSE [CT14] 2 Existing Schemes and Lower Bounds Space Locality Read efficiency

649 views • 12 slides
Some applications and protocols Internet Casino Identity-based encryption Commitment

Some applications and protocols Internet Casino Identity-based encryption Commitment

Some applications and protocols Internet Casino Identity-based encryption Commitment Functional encryption Shared coin flips Fully-homomorphic encryption APPLICATIONS AND PROTOCOLS Threshold cryptography Searchable

399 views • 11 slides
Encrypted Cloud Storage David Cash Paul Grubbs Jason Perry Tom Ristenpart Rutgers U Skyhigh

Encrypted Cloud Storage David Cash Paul Grubbs Jason Perry Tom Ristenpart Rutgers U Skyhigh

Security of Searchable Encrypted Cloud Storage David Cash Paul Grubbs Jason Perry Tom Ristenpart Rutgers U Skyhigh Networks Lewis U Cornell Tech Outsourced storage and searching client cloud provider give me all records containing

508 views • 36 slides

More recommend