lower bounds for encrypted multi maps and searchable
play

Lower Bounds for Encrypted Multi-Maps and Searchable Encryption in - PowerPoint PPT Presentation

Mar 27, 2023 •298 likes •1.11k views

Lower Bounds for Encrypted Multi-Maps and Searchable Encryption in the Leakage Cell Probe Model Sarvar Patel*, Giuseppe Persiano** and Kevin Yeo* *Google **University of Salerno Key k i was queried. Privacy-Preserving Storage Protocols Key k i

  1. Lower Bounds for Encrypted Multi-Maps and Searchable Encryption in the Leakage Cell Probe Model Sarvar Patel*, Giuseppe Persiano** and Kevin Yeo* *Google **University of Salerno

  2. Key k i was queried. Privacy-Preserving Storage Protocols Key k i k 1 V 1 k 2 V 2 ... ... k n V n V i

  3. Key k 2 was never queried. Privacy-Preserving Storage Protocols k 1 V 1 Key k 15 was most frequently queried. k 2 V 2 ... ... k n V n

  4. What was the requested key? Privacy-Preserving Storage Protocols Key k i k 1 V 1 ... k 2 V 2 ... ... k n V n V i

  5. Privacy Spectrum for Maps Plaintext Maps

  6. Plaintext Maps Classic dictionary problem with many solutions! ● Perfect Hashing: Static [FKS’84], Dynamic [DKM+’94] ○ Cuckoo Hashing [PR’01] ○ … and many more ○

  7. Plaintext Maps Classic dictionary problem with many solutions! ● Perfect Hashing: Static [FKS’84], Dynamic [DKM+’94] ○ Cuckoo Hashing [PR’01] ○ … and many more ○ Efficiency : O(1) overhead, O(n) storage ● Privacy: None -- Leaks all keys and values. ●

  8. Privacy Spectrum for Maps Structured Plaintext Maps Encryption Efficiency : O(1) Leakage : Everything

  9. Structured Encryption Idea: Encrypt a data structure while maintaining operations ● Example: Searchable encryption = Encrypt a search index ○ Many works in the past two decades: ● Static [SWP’00], [BDOP’04], [CGKO’11], ... ○ Dynamic [CJJ+’14], [SPS’14], ... ○ Forward and Backward Privacy [Bost’16], [BMO’17], ... ○

  10. Structured Encryption Idea: Encrypt a data structure while maintaining operations ● Example: Searchable encryption = Encrypt a search index ○ Many works in the past two decades: ● Static [SWP’00], [BDOP’04], [CGKO’11], ... ○ Dynamic [CJJ+’14], [SPS’14], ... ○ Forward and Backward Privacy [Bost’16], [BMO’17], … ○ Efficiency: Typically O(1) but can be higher depending on leakage ● Privacy: Some well-defined leakage function ● Number of values associated with keys, Key-equality between operations, Number of operations, etc. ○

  11. Privacy Spectrum for Maps Structured Plaintext Maps Oblivious RAM Encryption Efficiency : O(1) Efficiency : O(1) Leakage : Everything Leakage : Non-trivial Leakage Function

  12. Oblivious RAM Introduced by Goldreich and Ostrovsky [GO’96] ● Also, many works in the past decade [PR’10], [SSS’11], [MMOT’12], [SvDS’13], [PPR Y ’18], .... ○ … leading to optimal O(log n) overhead construction [AKL+’20] ○

  13. Oblivious RAM Introduced by Goldreich and Ostrovsky [GO’96] ● Also, many works in the past decade [PR’10], [SSS’11], [MMOT’12], [SvDS’13], [PPR Y ’18], .... ○ … leading to optimal O(log n) overhead construction [AKL+’20] ○ Efficiency: O(log n), which is tight due to [GO’96, LN’18] ● Privacy : Adversary cannot distinguish two sequences of same length ● Leakage function is (upper bound on) length of operational sequence ○

  14. Privacy Spectrum for Maps Structured Plaintext Maps Oblivious RAM Encryption Efficiency : O(1) Efficiency : O(1) Efficiency : O(log n) Leakage : Everything Leakage : Non-trivial Leakage : Length of Leakage Function operational sequence

  15. What leakage functions inherently cost Ω(log n) like Privacy Spectrum for Maps ORAM? Structured Plaintext Maps Oblivious RAM Encryption Efficiency : O(1) Efficiency : O(1) Efficiency : O(log n) Leakage : Everything Leakage : Non-trivial Leakage : Length of Leakage Function operational sequence

  16. Privacy Spectrum for Maps Structured Plaintext Maps Oblivious RAM Encryption Efficiency : O(1) Efficiency : O(1) Efficiency : O(log n) Leakage : Everything Leakage : Non-trivial Leakage : Length of Leakage Function operational sequence

  17. Hash-and-Encrypt Compiler Consider any plaintext map with operations: ● Insert(k, v) ○ Get(k) ○ Delete(k) ○

  18. Hash-and-Encrypt Compiler k 1 V 1 k 2 V 2 ... ... K k n V n

  19. Hash-and-Encrypt Compiler H(K, k 1 ) V 1 H(K, k 2 ) V 2 ... ... K H(K, k n ) V n

  20. Hash-and-Encrypt Compiler H(K, k 1 ) Enc(K, V 1 ) H(K, k 2 ) Enc(K, V 2 ) ... ... K H(K, k n ) Enc(K, V n )

  21. Hash-and-Encrypt Compiler (Query) Key k i H(K, k 1 ) Enc(K, V 1 ) H(K, k i ) H(K, k 2 ) Enc(K, V 2 ) ... ... Get(H(K, k i )) K H(K, k n ) Enc(K, V n ) Enc(K, V i )

  22. Hash-and-Encrypt Compiler (Insert) Key k i H(K, k 1 ) Enc(K, V 1 ) Value V i H(K, k i ), Enc(K, V i ) H(K, k 2 ) Enc(K, V 2 ) ... ... Insert(H(K, k i ), Enc(K, V i )) K H(K, k n ) Enc(K, V n )

  23. Hash-and-Encrypt Compiler (Insert) Key k i H(K, k 1 ) Enc(K, V 1 ) Value V i H(K, k i ), Enc(K, V i ) H(K, k 2 ) Enc(K, V 2 ) H(K, k i ) Enc(K, V i ) Insert(H(K, k i ), Enc(K, V i )) K H(K, k n ) Enc(K, V n )

  24. Leakage of Hash-and-Encrypt Insert H(K, “cat”) Enc(K, “01”)

  25. Leakage of Hash-and-Encrypt Insert Insert H(K, “cat”) H(K, “dog”) Enc(K, “01”) Enc(K, “00”)

  26. Leakage of Hash-and-Encrypt Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  27. Leakage of Hash-and-Encrypt Type of operation performed ●

  28. Leakage of Hash-and-Encrypt Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  29. Leakage of Hash-and-Encrypt Type of operation performed ● Length of Query response ●

  30. Leakage of Hash-and-Encrypt Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  31. Leakage of Hash-and-Encrypt Type of operation performed ● Length of Query response ● Key-Equality Pattern ●

  32. Leakage of Hash-and-Encrypt Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  33. Leakage of Hash-and-Encrypt Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  34. Leakage of Hash-and-Encrypt Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  35. Leakage of Hash-and-Encrypt Type of operation performed ● Length of Query response ● Key-Equality Pattern ●

  36. Leakage of Hash-and-Encrypt Type of operation performed ● Length of Query response ● Key-Equality Pattern ● Surprisingly, this matches leakage of best STE O(1) schemes!!!

  37. Privacy Spectrum for Maps Structured Plaintext Maps Oblivious RAM Encryption Efficiency : O(1) Efficiency : O(1) Efficiency : O(log n) Leakage : Everything Leakage : Non-trivial Leakage : Length of Leakage Function operational sequence

  38. Can we do better? Type of operation performed ● Length of Query response ● Key-Equality Pattern ●

  39. Can we do better? Type of operation performed (Perform all possible operation types) ● Length of Query response ● Key-Equality Pattern ●

  40. Can we do better? Type of operation performed (Perform all possible operation types) ● Length of Query response ??? (Hard to do without increasing cost significantly) ● Padding Volume-Hiding STE schemes: [KM’19], [PP Y Y’19] ○ Key-Equality Pattern ●

  41. Can we do better? Type of operation performed (Perform all possible operation types) ● Length of Query response ??? (Hard to do without increasing cost significantly) ● Padding Volume-Hiding STE schemes: [KM’19], [PP Y Y’19] ○ Key-Equality Pattern ●

  42. Decoupled Key-Equality Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  43. Decoupled Key-Equality Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  44. Decoupled Key-Equality Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  45. Decoupled Key-Equality Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  46. Main Result Theorem. Any encrypted multi-map with leakage at most the decoupled key-equality pattern must have Ω (log n) overhead.

Recommend

Leakage in the Cell Probe Model Lower Bounds for Response Hiding Encrypted Multi-Maps Giuseppe

Leakage in the Cell Probe Model Lower Bounds for Response Hiding Encrypted Multi-Maps Giuseppe

Leakage in the Cell Probe Model Lower Bounds for Response Hiding Encrypted Multi-Maps Giuseppe Persiano Universit` a di Salerno June, 2019 Describing joint work with: Sarvar Patel and Kevin Yeo (Google LLC) Giuseppe Persiano (UNISA) June

1.15k views • 87 slides
Amit Chakrabarti Dartmouth College WAPMDS, IIT Kanpur, Dec 2009 Amit Chakrabarti 1 Multi-Pass

Amit Chakrabarti Dartmouth College WAPMDS, IIT Kanpur, Dec 2009 Amit Chakrabarti 1 Multi-Pass

Multi-Pass Lower Bounds Dec 20, 2009 Multi-pass Data Stream Lower Bounds via Round Elimination Amit Chakrabarti Dartmouth College WAPMDS, IIT Kanpur, Dec 2009 Amit Chakrabarti 1 Multi-Pass Lower Bounds Dec 20, 2009 Lower Bounds Paradigms

846 views • 70 slides
A Numerical Criterion for Lower bounds on K-energy maps of Algebraic manifolds Sean Timothy Paul

A Numerical Criterion for Lower bounds on K-energy maps of Algebraic manifolds Sean Timothy Paul

A Numerical Criterion for Lower bounds on K-energy maps of Algebraic manifolds Sean Timothy Paul University of Wisconsin , Madison stpaul@math.wisc.edu Outline Formulation of the problem : To bound the Mabuchi energy from below on the

622 views • 29 slides
Searching on/Testing Encrypted Data Lecture 23 Searchable Encryption Searchable Encryption A

Searching on/Testing Encrypted Data Lecture 23 Searchable Encryption Searchable Encryption A

Searching on/Testing Encrypted Data Lecture 23 Searchable Encryption Searchable Encryption A test key T w that allows one to test if Dec SK (C) = w Searchable Encryption A test key T w that allows one to test if Dec SK (C) = w No other

1.62k views • 116 slides
Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage

Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage

Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage Presented by: Keegan Sherman and Pardeep Banwait Searchable Symmetric Encryption Allows a user to store a collection of encrypted documents and

350 views • 24 slides
Conspiracies between Learning Algorithms, Lower Bounds, and Pseudorandomness Igor Carboni

Conspiracies between Learning Algorithms, Lower Bounds, and Pseudorandomness Igor Carboni

Conspiracies between Learning Algorithms, Lower Bounds, and Pseudorandomness Igor Carboni Oliveira University of Oxford Joint work with Rahul Santhanam (Oxford) Context Minor algorithmic improvements imply lower bounds (Williams, 2010). NEXP

696 views • 30 slides
Lower bounds for parameterized problems Dniel Marx 1 1 Institute for Computer Science and

Lower bounds for parameterized problems Dniel Marx 1 1 Institute for Computer Science and

Lower bounds for parameterized problems Dniel Marx 1 1 Institute for Computer Science and Control, Hungarian Academy of Sciences (MTA SZTAKI) Budapest, Hungary ICERM Providence, RI April 26, 2014 1 Lower bounds So far we have seen positive

1.14k views • 94 slides
Tight Tradeoffs in Searchable Symmetric Encryption Gilad Asharov Gil Segev Ido Shahaf Cornell

Tight Tradeoffs in Searchable Symmetric Encryption Gilad Asharov Gil Segev Ido Shahaf Cornell

Tight Tradeoffs in Searchable Symmetric Encryption Gilad Asharov Gil Segev Ido Shahaf Cornell Hebrew Hebrew Tech University University The Efficiency of SSE [CT14] 2 Existing Schemes and Lower Bounds Space Locality Read efficiency

649 views • 12 slides
Lower Bounds on the Probability of a Finite Union of Events Jun Yang (joint work with Fady

Lower Bounds on the Probability of a Finite Union of Events Jun Yang (joint work with Fady

Lower Bounds on the Probability of a Finite Union of Events Jun Yang (joint work with Fady Alajaji and Glen Takahara) Department of Mathematics and Statistics, Queens University, Kingston, Canada ISIT 2014 Lower Bounds on P ( N Jun

228 views • 19 slides
Circuit Lower-bounds Lecture 24 Weak circuits are indeed weak 1 Circuit Lower-bounds 2

Circuit Lower-bounds Lecture 24 Weak circuits are indeed weak 1 Circuit Lower-bounds 2

Circuit Lower-bounds Lecture 24 Weak circuits are indeed weak 1 Circuit Lower-bounds 2 Circuit Lower-bounds Today: 2 Circuit Lower-bounds Today: PARITY AC 0 2 Circuit Lower-bounds Today: PARITY AC 0 Two different proofs! (Latter

1.59k views • 137 slides
Lower Bounds for Quantile Estimation in Random-Order and Multi-Pass Streams Sudipto Guha (UPenn)

Lower Bounds for Quantile Estimation in Random-Order and Multi-Pass Streams Sudipto Guha (UPenn)

Lower Bounds for Quantile Estimation in Random-Order and Multi-Pass Streams Sudipto Guha (UPenn) Andrew McGregor (UCSD) Data Stream Model Data Stream Model Stream: m elements from a universe of size n :

991 views • 82 slides
Stronger Connections Between Circuit Analysis and Circuit Lower Bounds, via PCPs of Proximity

Stronger Connections Between Circuit Analysis and Circuit Lower Bounds, via PCPs of Proximity

Stronger Connections Between Circuit Analysis and Circuit Lower Bounds, via PCPs of Proximity Lijie Chen Ryan Williams Context: The Algorithmic Method for Proving Circuit Lower Bounds Proving limitations on non-uniform circuits is extremely

796 views • 31 slides
Techniques to lower bound extension complexity Thomas Rothvoss UW Seattle Known lower bounds on

Techniques to lower bound extension complexity Thomas Rothvoss UW Seattle Known lower bounds on

Techniques to lower bound extension complexity Thomas Rothvoss UW Seattle Known lower bounds on extended formulation Kaibel, Razborovs Inform. SA Weltge symmetry arg. theory + Fourier COR/ yes yes yes ? TSP [KW13]

1.25k views • 108 slides
Exponential Lower Bounds for Polytopes in Combinatorial Optimization Ronald de Wolf Joint with

Exponential Lower Bounds for Polytopes in Combinatorial Optimization Ronald de Wolf Joint with

Exponential Lower Bounds for Polytopes in Combinatorial Optimization Ronald de Wolf Joint with Samuel Fiorini (ULB), Serge Massar (ULB), Sebastian Pokutta (Erlangen), Hans Raj Tiwary (ULB) Exponential Lower Bounds for Polytopes in

1.19k views • 94 slides
Lower Bounds for Geometric Diameter Problems Herv e Fournier University of Versailles

Lower Bounds for Geometric Diameter Problems Herv e Fournier University of Versailles

Lower Bounds for Geometric Diameter Problems Herv e Fournier University of Versailles St-Quentin en Yvelines Antoine Vigneron INRA Jouy-en-Josas Lower Bounds for Geometric Diameter Problems p.1/40 Outline Review of previous work on

563 views • 40 slides
Lecture 2. Upper and lower bounds for subgaussian matrices The -net method refined 1 Random

Lecture 2. Upper and lower bounds for subgaussian matrices The -net method refined 1 Random

Lecture 2. Upper and lower bounds for subgaussian matrices The -net method refined 1 Random processes. Multiscale -net method: Dudleys inequality 2 Upper and lower bounds Our goal: upper and lower bounds on random matrices. In Lecture

535 views • 17 slides
COMP 3170 - Analysis of Algorithms & Data Structures Shahin Kamali Lower Bounds CLRS 8.1

COMP 3170 - Analysis of Algorithms & Data Structures Shahin Kamali Lower Bounds CLRS 8.1

COMP 3170 - Analysis of Algorithms & Data Structures Shahin Kamali Lower Bounds CLRS 8.1 University of Manitoba Lower Bounds Introductions Assume you design an algorithm that solves a given problem P in ( n 2 ). Further exploration

1.58k views • 61 slides
Better Time-Space Lower Bounds for SAT and Related Problems Ryan Williams Carnegie Mellon

Better Time-Space Lower Bounds for SAT and Related Problems Ryan Williams Carnegie Mellon

Better Time-Space Lower Bounds for SAT and Related Problems Ryan Williams Carnegie Mellon University June 12, 2005 0-0 Introduction Few super-linear time lower bounds known for natural problems in NP (Existing ones generally use a restricted

1.28k views • 106 slides
Kernel-Size Lower Bounds: The Evidence from Complexity Theory Andrew Drucker IAS Worker 2013,

Kernel-Size Lower Bounds: The Evidence from Complexity Theory Andrew Drucker IAS Worker 2013,

Kernel-Size Lower Bounds: The Evidence from Complexity Theory Andrew Drucker IAS Worker 2013, Warsaw Andrew Drucker Kernel-Size Lower Bounds Part 2/3 Andrew Drucker Kernel-Size Lower Bounds Note These slides are a slightly revised version

803 views • 51 slides
9. Sorting III Lower bounds for the comparison based sorting, radix- and bucket-sort 248 9.1

9. Sorting III Lower bounds for the comparison based sorting, radix- and bucket-sort 248 9.1

9. Sorting III Lower bounds for the comparison based sorting, radix- and bucket-sort 248 9.1 Lower bounds for comparison based sorting [Ottman/Widmayer, Kap. 2.8, Cormen et al, Kap. 8.1] 249 Lower bound for sorting Up to here: worst case

600 views • 55 slides
Lower bounds certification for multivariate real functions using SDP Joint Work with B. Werner,

Lower bounds certification for multivariate real functions using SDP Joint Work with B. Werner,

Lower bounds certification for multivariate real functions using SDP Joint Work with B. Werner, S. Gaubert and X. Allamigeon Victor MAGRON LIX/INRIA, Ecole Polytechnique LIX PhD Seminar Friday 18 t January Victor MAGRON Lower bounds

280 views • 25 slides
Kernel-size lower bounds: accompanying exercises Andrew Drucker April 19, 2013 These

Kernel-size lower bounds: accompanying exercises Andrew Drucker April 19, 2013 These

Kernel-size lower bounds: accompanying exercises Andrew Drucker April 19, 2013 These exercises are intended to aimed at building background to understand recent work on complexity-theoretic evidence for kernel-size lower bounds [BDFH09, FS11,

587 views • 12 slides
Lecture 3: Lower Bounds for Sorting, Linear Time Sorting Algorithms Instructor: Saravanan

Lecture 3: Lower Bounds for Sorting, Linear Time Sorting Algorithms Instructor: Saravanan

Lecture 3: Lower Bounds for Sorting, Linear Time Sorting Algorithms Instructor: Saravanan Thirumuruganathan CSE 5311 Saravanan Thirumuruganathan Outline 1 Lower bound for Comparison based Sorting Algorithms Concept of Lower Bounds Decision

750 views • 43 slides
Supporting Less-Than Queries on Encrypted Data using Multi-Server Secret Sharing and Practical

Supporting Less-Than Queries on Encrypted Data using Multi-Server Secret Sharing and Practical

Supporting Less-Than Queries on Encrypted Data using Multi-Server Secret Sharing and Practical Order-Revealing Encryption Nate Chenette ICERM conference on Encrypted Search June 12, 2019 Project Background Baffle Inc. https://baffle.io/

407 views • 23 slides

More recommend