How to Search on Encrypted Data
Seny Kamara, Microsoft Research
Encryption: Secure Communication
- Gen(1^k) ⟾ K
- Enc(K, m) ⟾ c
- Dec(K, c) ⟾ m
[Diagram: Alice, Bob, Eve]
Encryption: Secure Storage
- Gen(1^k) ⟾ K
- Enc(K, m) ⟾ c
- Dec(K, c) ⟾ m
[Diagram: Alice, Eve]
Encryption: Secure Cloud Storage
- Gen(1^k) ⟾ K
- Enc(K, m) ⟾ c
- Dec(K, c) ⟾ m
[Diagram: Alice, Eve]
Encrypted Search
[Diagram: items encrypted with Enc_K]
Two Simple Solutions
- Large local storage
- Large comm. complexity
Q: can we do better?
More Advanced Solutions
- Multi-Party Computation [Yao82, Goldreich-Micali-Wigderson87]
- Oblivious RAM [Goldreich-Ostrovsky92]
- Searchable symmetric encryption [Song-Wagner-Perrig01]
- Functional encryption [Boneh-di Crescenzo-Ostrovsky-Persiano06]
- Property-preserving encryption [Bellare-Boldyreva-O’Neill06]
- Fully-homomorphic encryption [Gentry09]
Encrypted Search
[Diagram labels: Enc_K, L1, w, L2]
Encrypted Search
- Size of EDB
- Storage leakage
- Search time
- Query leakage
- Rounds of interaction
Property-Preserving Encryption
Encryption that supports public tests
Examples:
- Deterministic encryption [Bellare-Boldyreva-O’Neill06]
- Order-preserving encryption [Agrawal-Kiernan-Srikant-Xu04, Boldyreva-Chenette-Lee-O’Neill09]
- Orthogonality-preserving encryption [Pandey-Rouselakis12]
Deterministic Encryption [Bellare-Boldyreva-O’Neill06]
- Gen(1^k) ⟾ K = 〈K1, K2〉
- DET(K, w) ⟾ 〈F_K2(w), F_K1(F_K2(w)) ⊕ w〉
- Test(c1, c2) ⟾ c1 = c2
- Dec(sk, c) ⟾ F_K1(c1) ⊕ c2
[Diagram: EDB of Enc_K ciphertexts with DET_K(w) entries]
DET-Based Solution
Security:
- L1 leakage: #DB, equality, PK: DB*
- L2 leakage: access pattern, search pattern
Efficiency:
- Search: sub-linear in #DB
- Legacy: process EDB like DB
* Unless DB has high entropy
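An added example, not code from the slides or from [Bellare-Boldyreva-O’Neill06]: the DET construction above with the server-side equality search and the L1 "equality" leakage it implies. HMAC-SHA256 standing in for F, NUL padding of keywords to one PRF block, the function names, and the sample database are all assumptions.

```python
import hmac, hashlib, secrets
from collections import Counter

BLOCK = 32                                   # PRF output length in bytes

def F(key, msg):                             # HMAC-SHA256 stands in for the PRF F
    return hmac.new(key, msg, hashlib.sha256).digest()

def gen():                                   # Gen: K = <K1, K2>
    return secrets.token_bytes(32), secrets.token_bytes(32)

def det(K, w):                               # DET(K, w) = <F_K2(w), F_K1(F_K2(w)) xor w>
    K1, K2 = K
    m = w.encode()
    if len(m) > BLOCK:
        raise ValueError("keyword longer than one PRF block")
    m = m.ljust(BLOCK, b"\0")
    c1 = F(K2, m)
    return c1, bytes(a ^ b for a, b in zip(F(K1, c1), m))

def det_test(ca, cb):                        # Test: public, needs no key
    return ca == cb

def dec(K, c):                               # Dec: F_K1(c1) xor c2
    c1, c2 = c
    return bytes(a ^ b for a, b in zip(F(K[0], c1), c2)).rstrip(b"\0").decode()

def encrypt_db(K, db):                       # db: file id -> keywords
    return {fid: [det(K, w) for w in kws] for fid, kws in db.items()}

def search(edb, query_ct):                   # server side: equality tests only
    return sorted(f for f, cts in edb.items()
                  if any(det_test(c, query_ct) for c in cts))

def keyword_histogram(edb):                  # L1 leakage: visible before any query
    counts = Counter(c for cts in edb.values() for c in cts)
    return sorted(counts.values(), reverse=True)

# Constructed sample database (file id -> keywords)
DB = {"F1": ["AAPL"], "F2": ["MSFT", "GOOG", "AAPL"], "F4": ["IBM"],
      "F8": ["GOOG"], "F10": ["MSFT", "IBM"], "F11": ["MSFT"],
      "F12": ["IBM"], "F14": ["GOOG"]}
```

The histogram is computed from ciphertexts alone, which is why the slide's footnote restricts the guarantee to databases with high entropy.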
Functional Encryption
Encryption that supports private tests
Examples:
- Identity-based encryption [Boneh-Franklin01, Boneh-diCrescenzo-Ostrovsky-Persiano06]
- Attribute-based encryption [Sahai-Waters05]
- Predicate encryption [Shen-Shi-Waters]
Identity-Based Encryption
- Gen(1^k) ⟾ K
- IBE(K, id, m) ⟾ c
- Token(K, id’) ⟾ t
- Dec(t, c) ⟾ m if id = id’
[Diagram: EDB of Enc_K ciphertexts with IBE_K(w, 1) entries; search uses a Token_K token]
IBE-Based Solution
Security:
- L1 leakage: #DB, equality, PK: DB*
- L2 leakage: access pattern, PK: keyword*
Efficiency:
- Slow search: linear in #DB
* [Boneh-Raghunathan-Segev13]
Homomorphic Encryption
Encryption that supports computation
Examples:
- Fully-homomorphic encryption [Gentry09, …]
- Somewhat homomorphic encryption [Boneh-Goh-Nissim05, …]
Homomorphic Encryption
- Gen(1^k) ⟾ K
- Enc(K, m) ⟾ c
- Eval(f, c1, …, cn) ⟾ c’
- Dec(sk, c’) ⟾ f(Dec(c1), …, Dec(cn))
[Diagram: EDB = FHE_K; query FHE_K(w); response FHE_K(id4, …, id13); result id4, …, id13; Enc_K ciphertexts]
FHE-Based Solution (1)
Security:
- L1 leakage: #DB, equality, PK: DB*
- L2 leakage: access pattern, PK: keyword
Efficiency:
- Very slow search: linear in |DB|
- Interactive (1 round)
FHE-Based Solution (2)
Security:
- L1 leakage: #DB, equality, PK: DB*
- L2 leakage: access pattern, PK: keyword
Efficiency:
- Very very slow search: linear in |Data|
- Interactive (1 round)
Oblivious RAM
Encryption that supports private reads and writes
Examples:
- Square-root scheme [Goldreich-Ostrovsky92]
- Hierarchical scheme [Goldreich-Ostrovsky]
ORAM-Based Solution
- OStruct(1^k, Mem) ⟾ K, Ω
- ORead((K, i), Ω) ⟾ (Mem[i], ⊥)
- OWrite((K, i, v), Ω) ⟾ (⊥, Ω’)
[Diagram: EDB = OStruct; search runs as OSim(DB Search)]
ORAM-Based Solution
Security:
- L1 leakage: #DB, equality, PK: DB*
- L2 leakage: access pattern, PK: keyword
Efficiency:
- Very slow search: 1 R/W = polylog(n) R+W
Tradeoffs
[Plot: efficiency vs. security; schemes shown: PPE/DET, SSE, FEnc/IBE, ORAM, FHE-1, FHE-2]
Searchable Symmetric Encryption
Searchable Symmetric Encryption
- Encryption that supports very slow search [Song-Wagner-Perrig01]
- Encryption that supports slow search [Song-Wagner-Perrig01, Goh03, Chang-Mitzenmacher05]
- Encryption that supports fast search [Curtmola-Garay-K.-Ostrovsky06]
Very slow: linear in |Data|
Slow: linear in #DB
Fast: sub-linear in #DB
Searchable Encryption
- SSE(DB) ⟾ (K, EDB)
- Token(K, w) ⟾ t
- Search(EDB, t) ⟾ (id_1, …, id_m)
- Dec(K, c) ⟾ m
[Diagram: EDB = SSE; query Token_K(w); Enc_K ciphertexts]
Security Definitions
- Security against chosen-keyword attacks [Goh03, Chang-Mitzenmacher05, Curtmola-Garay-K.-Ostrovsky06]
  CKA1: “Protects files and keywords even if chosen by adversary”
- Security against adaptive chosen-keyword attacks [Curtmola-Garay-K.-Ostrovsky06]
  CKA2: “Protects files and keywords even if chosen by adversary, and even if chosen as a function of ciphertexts, index, and previous results”
Security Definitions
- Universal composability [Kurosawa-Ohtaki12, Canetti01]
  UC: “Remains CKA2-secure even if composed arbitrarily”
CKA2-Security [Curtmola-Garay-K.-Ostrovsky06]
Simulation-based definition:
“The EDB and tokens are simulatable given the leakage generated by an adversarially- and adaptively-chosen DB and queries”
Leakage:
- access pattern: pointers to (encrypted) files that satisfy search query
- query pattern: whether a search query is repeated
CKA2-Security [Curtmola-Garay-K.-Ostrovsky06]
Game-based definition:
“The EDBs and tokens generated from two adversarially- and adaptively-chosen DBs and query sequences with the same leakage are indistinguishable”
Leakage:
- access pattern: pointers to (encrypted) files that satisfy search query
- query pattern: whether a search query is repeated
CKA2-Security [Curtmola-Garay-K.-Ostrovsky06]
- Simulation-based ⇒ Game-based
- Game-based ⇒ Simulation-based
  - If given leakage, one can efficiently sample plaintext docs and queries with same leakage profile
- Similar to results for functional encryption [O’Neill10, Boneh-Sahai-Waters11]
CKA2-Security [Curtmola-Garay-K.-Ostrovsky06]
[Diagram: Ideal World vs. Real World; labels: L1, Enc_K, EDB, L2(w), w, t, Equivocation]
CKA2-Security [Curtmola-Garay-K.-Ostrovsky06]
- Simulator “commits” to encryptions before queries are made
  - requires equivocation and some form of non-committing encryption [Chase-K.10]
- Lower bound on token length (simulation + w/o ROs) ≈ [Nielsen02]
  - Ω(μ ∙ log n)
  - n: # of documents
  - μ: max (over kw) # of documents w/ keyword
- Lower bound on FE token length (simulation + w/o ROs)
  - Token proportional to maximum # of ciphertexts
Constructions
Searchable Symmetric Encryption

| Scheme | Updates | Security | Search | Parallel | Queries |
|---|---|---|---|---|---|
| [SWP00] | No | CPA | O(\|Data\|) | O(n/p) | Single |
| [Goh03] | Yes | CKA1 | O(#DB) | O(n/p) | Single |
| [CM05] | No | CKA1 | O(#DB) | O(n/p) | Single |
| [CGKO06] #1 | No | CKA1 | O(OPT) | No | Single |
| [CGKO06] #2 | No | CKA2 | O(OPT) | No | Single |
| [CK10] | No | CKA2 | O(OPT) | No | Single |
| [vLSDHJ10] | Yes | CKA2 | O(log #W) | No | Single |
| [KO12] | No | UC | O(#DB) | No | Single |
| [KPR12] | Yes | CKA2 | O(OPT) | No | Single |
| [KP13] | Yes | CKA2 | O(OPT∙log(n)) | O((OPT/p)∙log(n)) | Single |
| [CJJKRS13] | No | CKA2 | O(OPT) | Yes | Boolean |
SSE-1 [Curtmola-Garay-K.-Ostrovsky06]
1. Build inverted/reverse index (one posting list per keyword):
   - MSFT: F2, F10, F11
   - GOOG: F2, F8, F14
   - AAPL: F1, F2
   - IBM: F4, F10, F12
2. Randomly permute array & nodes
   [Diagram: the 11 list nodes in one array in permuted order (F11 F8 F2 F10 F1 F4 F12 F10 F2 F2 F14), lists terminated by #, with GOOG, IBM, AAPL and MSFT pointing into the array]
3. Encrypt nodes (CPA or Anonymous)
   [Diagram: array of encrypted nodes; GOOG, IBM, AAPL and MSFT still point into it]
4. “Hash” keyword & encrypt pointer:
   - F_K(GOOG): Enc_G(•, K)
   - F_K(IBM): Enc_I(•, K)
   - F_K(AAPL): Enc_A(•, K)
   - F_K(MSFT): Enc_M(•, K)
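An added example, not code from the slides or from [Curtmola-Garay-K.-Ostrovsky06]: a simplified SSE-1 that follows the four steps above, together with the Token and Search algorithms from the earlier Searchable Encryption slide. Assumptions: HMAC-SHA256 stands in for F, an XOR keystream derived from it stands in for node and pointer encryption, the array and table are not padded, every posting list is non-empty, and all function names are hypothetical.

```python
import hmac, hashlib, secrets

END = 0xFFFFFFFF                       # marks "no next node"

def prf(key, msg):                     # F: HMAC-SHA256 stands in for the PRF
    return hmac.new(key, msg, hashlib.sha256).digest()

def mask(key, data):                   # XOR with a PRF keystream; each key used once
    blocks = -(-len(data) // 32)
    ks = b"".join(prf(key, i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def token(K, w):                       # Token(K, w): table label and pointer key
    return prf(K, b"label:" + w.encode()), prf(K, b"ptr:" + w.encode())

def build(index, K):                   # index: keyword -> posting list of file ids
    total = sum(len(ids) for ids in index.values())
    free = list(range(total))
    secrets.SystemRandom().shuffle(free)           # step 2: random node placement
    array, table = [None] * total, {}
    for w, ids in index.items():
        addrs = [free.pop() for _ in ids]
        keys = [secrets.token_bytes(32) for _ in ids]
        for j, fid in enumerate(ids):
            last = j == len(ids) - 1
            nxt = END if last else addrs[j + 1]
            nkey = bytes(32) if last else keys[j + 1]
            node = fid.encode().ljust(8, b"\0") + nxt.to_bytes(4, "big") + nkey
            array[addrs[j]] = mask(keys[j], node)  # step 3: encrypt node
        label, pkey = token(K, w)                  # step 4: "hash" keyword
        head = addrs[0].to_bytes(4, "big") + keys[0]
        table[label] = mask(pkey, head)            # step 4: encrypt pointer
    return table, array

def search(edb, t):                    # server side: needs only the token
    table, array = edb
    label, pkey = t
    if label not in table:
        return []
    head = mask(pkey, table[label])
    addr, key, ids = int.from_bytes(head[:4], "big"), head[4:], []
    while addr != END:
        node = mask(key, array[addr])
        ids.append(node[:8].rstrip(b"\0").decode())
        addr, key = int.from_bytes(node[8:12], "big"), node[12:]
    return ids

INDEX = {"MSFT": ["F2", "F10", "F11"], "GOOG": ["F2", "F8", "F14"],
         "AAPL": ["F1", "F2"], "IBM": ["F4", "F10", "F12"]}  # posting lists from the slide
```

Search touches only the nodes of the queried list, and the node addresses it visits are the access pattern the leakage slides refer to.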
Limitations of SSE-1
- Only CKA1-secure: addressed in [Chase-K.10]
- Only static: addressed in [K.-Papamanthou-Roeder12]
- High I/O complexity: addressed in [K.-Papamanthou13]
- Single keyword search: addressed in [Cash-Jarecki-Jutla-Krawczyk-Rosu-Steiner13]
Making SSE-1 Adaptively Secure
Idea #1 [Chase-K.10]
- replace general CPA encryption with standard PRF-based encryption
- PRF-based encryption is non-committing
Idea #2 [K.-Papamanthou-Roeder12]
- PRF-based encryption not enough for dynamic data
- Some add/delete patterns can make simulator commit to token before seeing outcome
- Tokens must be equivocable (i.e., non-committing)
- Use RO-based encryption