Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, - PowerPoint PPT Presentation

Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage Presented by: Keegan Sherman and Pardeep Banwait

Searchable Symmetric Encryption • Allows a user to store a collection of encrypted documents and perform keyword searches on those documents. • The server storing the documents is required to not learn any information from interactions with the stored documents except for certain patterns. • Our Dynamic SSE allows for adding and removing documents throughout the life-time of the system in the face of an honest-but curious server.

Previous SSE Research • Basic Approach by R. Curtmola, et.al. from NJIT. • Keep index files that map keywords to lists of documents that contain it. Store index files as encrypted linked lists. Randomly sort the nodes for each list. • Approach by S. Kamara, et.al. from Microsoft. • Dynamic SSE based off inverted index approach with server side computation.

Blind Storage • Allows a server to store a set of encrypted files in such a way that the server does not know how many files are being stored nor the lengths of the files. • Server learns about the existence of a file when it is being retrieved but the file’s name and contents are kept hidden.

Blind Storage Parameters • - Upper bound on storage slack ratio γ • - Ratio between the number of blocks in a file and the α number of blocks downloaded/uploaded when a given file is accessed. • - The minimum number of blocks that can be downloaded/ κ uploaded from the server. • We use CRHF, a PRF, a FD-PRF, PRG, and a PRP all relying on an AES block-cipher . • K SSE = (K d , K id , K ID ).

Blind Storage 1 2 3 4 5 6 7 8 9 10 11 12 Free size = 4 blocks id data Occupied Generate seed for PRG: s = FD-PRF (id) K id 1 2 Generate indexes for a pseudorandom subset of size max( size , ) from PRG( s ). κ α ∗ 6 10 3 1 4 9 2 8 3 Check that needed number of blocks are free. If so choose the shortest subset, S, containing size free blocks. 10 3 4 2

Blind Storage Create blocks with necessary information. 4 v i H(id) data 0 v i H(id) data j size 5 } 10 3 4 2 Store blocks into S } 6 v i E j Encrypt blocks using PRF K d

Blind Storage Update 1 2 3 4 5 6 7 8 9 10 11 12 Free Our file Generate seed for PRG: s = FD-PRF (id) 1 K id Occupied 2 Generate indexes for a pseudorandom subset of size from PRG( s ). κ 6 10 3 1 v i E 0 H(id) size data 0 Find first block with our id using decryption. 3

Blind Storage Update 4 Output size to client and accept size’ as the size of the file after update. 5 Determine if < max( size , size’ ). If so calculate, download and decrypt κ α ∗ remaining pseudorandom blocks. 6 10 3 1 4 9 2 8 6 Determine blocks with our id’s and output them. 10 3 4 2 Accept data’ as updated document 7 If size < size’ download more pseudorandom blocks and store. 8

Clear Storage • Similar to blind storage except there is no encryption. • Uses a separate file system that stores header files indexing the last block of the pseudorandom subset occupied by a file. v i H(id) size data 0 v i H(id) data j Header File System Interface … … H(id) 2 } … … 10 3 4 2 Store blocks into S

Overview of BSTORE-SSE • All index files are stored in either blind storage or clear storage. • No server-side computation. • Architecture independent. • Highly parallelizable computation.

Operations of BSTORE-SSE • SSE.keygen: Generate keys • SSE.indexgen: Generates index files for each keyword that is in at least one document. Proceeds to fill the blind storage array with index files. Uploads array and encrypted documents. • SSE.remove: Removes a document from the system using a lazy delete strategy. • SSE.add: Adds a document to the system. Generates/updates keyword index files. • SSE.search: Search documents in BSTORE-SSE system for a given keyword.

Initialization • Operation of SSE.indexgen. Takes a set of (id f , data f ) tuples and K SSE . • Generate a document ID: E(id f ) = PRP (id f ). K ID • For each keyword present generate an index file that contains the E(id f ) of the documents that contain that keyword. • Store index files in blind storage system. • Store encrypted documents outside of blind storage system.

Removing Files • Operation of SSE.remove • Takes document id f • Compute document E(id f ), identical to how we did during initialization. • Check if document with E(id f ) exist in system. If so delete it and move E(id f ) to removed list. • Keyword index files are not updated until a subsequent search operation. (lazy-delete)

Adding Files • Operation of SSE.add • Takes tuple (id f , data f ) • Compute document E(id f ), identical to how we did during initialization. • Generate random tag t for the document. • Encrypt then prefix t to the document. • Upload document to server using label E(id f ).

Adding Files • For each keyword that is present in a document append a tuple (E(id f ), t ) to the index file in the clear storage system for that keyword. • Upload index files to the clear storage system.

Searching for Files • Operation of SSE.search • Takes keyword w . • Retrieves index files for w from both blind storage and clear storage using the first six stages of their update operations. • Search index files for E(id f )’s that are also in the remove list. • If found remove E(id f ) and finish update process. • User now has all id f ’s and can request the document they are looking for.

Security Analysis • During update we leak (op, v i , size ). • For clear store the server learns all encrypted documents containing a specific encrypted keyword. • During addition and removal of a document the updated remove list is revealed to the server. • During a search the server learns how many times a keyword has been searched.

Experimental Results Decreased per pair initialization time

Experimental Results Average time for initialization.

Experimental Results Time to search for a keyword excluding final decryption.

Future Research • Multiple client searches on single data-owner (shared) cloud storage. • Security against actively corrupt servers. • Multiple keyword searches.

Related Works • R. Curtmola, J. A. Garay, S. Kamara, and R. Ostrovsky, “Searchable symmetric encryption: improved definitions and efficient constructions,” in CCS, 2006, pp. 79–88. • S. Kamara, C. Papamanthou, and T. Roeder, “Dynamic searchable symmetric encryption,” in CCS, 2012, pp. 965–976.

Questions?