
PROPERTY-PRESERVING ENCRYPTION, GRAD SEC, NOV 07 2017



  1. PROPERTY-PRESERVING ENCRYPTION. GRAD SEC, NOV 07 2017

  2. TODAY’S PAPERS

  3. CRYPTDB BUILDING BLOCKS.
     RND: AES+CBC+random IV.
     DET: AES+CBC+fixed IV.
     OPE: x < y ⟹ OPE_K(x) < OPE_K(y).
     HOM: HOM_K(x) * HOM_K(y) = HOM_K(x+y). Fully homomorphic: F(E_K(x)) = E_K(F(x)).
     SEARCH: …

  4. ORDER PRESERVING ENCRYPTION

  5. SEARCHABLE ENCRYPTION. "Alice is tall and Alice is small"

  6. SEARCHABLE ENCRYPTION. "Alice is tall and Alice is small" → REMOVE REPETITIONS → "Alice is tall and small"

  7. SEARCHABLE ENCRYPTION. "Alice is tall and Alice is small" → REMOVE REPETITIONS → "Alice is tall and small" → PERMUTE POSITIONS → "tall small Alice and is"

  8. SEARCHABLE ENCRYPTION. "Alice is tall and Alice is small" → REMOVE REPETITIONS → "Alice is tall and small" → PERMUTE POSITIONS → "tall small Alice and is" → PAD AND ENCRYPT [46]

  9. SEARCHABLE ENCRYPTION. PROBLEM: Store W_1, …, W_N (encrypted) on an untrusted server; search for W_i.

  10. SEARCHABLE ENCRYPTION. PROBLEM: Store W_1, …, W_N (encrypted) on an untrusted server; search for W_i.
     SCHEME 0: Stream cipher. PRNG generates S_1, …, S_N; cannot guess without knowing the original seed.
     Store: W_i ⊕ S_i. Lookup: Send each S_i and W? Send seed and W?

  11. SEARCHABLE ENCRYPTION. PROBLEM: Store W_1, …, W_N (encrypted) on an untrusted server; search for W_i.
     SCHEME 0: Stream cipher. PRNG generates S_1, …, S_N; cannot guess without knowing the original seed.
     Store: W_i ⊕ S_i. Lookup: Send each S_i and W? Send seed and W?
     SCHEME 1: PRF F_k. Diagram: C_i = W_i ⊕ 〈S_i, F_{k_i}(S_i)〉, with S_i in the first n-m bits and F_{k_i}(S_i) in the last m bits.
     Store: W_i ⊕ 〈S_i, F_{k_i}(S_i)〉. Lookup: Send W, k_i's. Server checks: F_{k_i}([C_i ⊕ W]_{n-m}) = [C_i ⊕ W]_m

  12. SEARCHABLE ENCRYPTION.
     SCHEME 2 (don't reveal keys): Make the keys functions of the words themselves: k_i = f_{k'}(W_i); never reveal k'.
     Diagram: C_i = W_i ⊕ 〈S_i, F(S_i)〉, with F keyed by f_{k'}(W_i).
     Store as before. Lookup: Send W, f_{k'}(W_i). Server checks as before.

  13. SEARCHABLE ENCRYPTION.
     SCHEME 2 (don't reveal keys): Make the keys functions of the words themselves: k_i = f_{k'}(W_i); never reveal k'.
     Diagram: C_i = W_i ⊕ 〈S_i, F(S_i)〉, with F keyed by f_{k'}(W_i).
     Store as before. Lookup: Send W, f_{k'}(W_i). Server checks as before.
     SCHEME 3 (don't reveal word): Basic idea: encrypt the word first (E_{k''}(W_i) instead of W_i).
     Problem 1: Randomized encryption would require sending all IVs ⟹ Use deterministic encryption.
     Diagram: C_i = E_{k''}(W_i) ⊕ 〈S_i, F(S_i)〉, with F keyed by f_{k'}(E(W_i)).

  14. SEARCHABLE ENCRYPTION.
     SCHEME 3 (don't reveal word): Basic idea: encrypt the word first (E_{k''}(W_i) instead of W_i).
     Problem 1: Randomized encryption would require sending all IVs ⟹ Use deterministic encryption.
     Diagram: C_i = E_{k''}(W_i) ⊕ 〈S_i, F(S_i)〉, with F keyed by f_{k'}(E(W_i)).
     Problem 2: How do you decrypt? Need the last m bits of E_{k''}(W_i).

  15. SEARCHABLE ENCRYPTION.
     SCHEME 3 (don't reveal word): Basic idea: encrypt the word first (E_{k''}(W_i) instead of W_i).
     Problem 1: Randomized encryption would require sending all IVs ⟹ Use deterministic encryption.
     Diagram: C_i = E_{k''}(W_i) ⊕ 〈S_i, F(S_i)〉, with F keyed by f_{k'}(E(W_i)).
     Problem 2: How do you decrypt? Need the last m bits of E_{k''}(W_i).
     SCHEME 4: Split the ciphertext E_{k''}(W_i) into L_i and R_i.
     Diagram: C_i = E_{k''}(W_i) ⊕ 〈S_i, F(S_i)〉, with F keyed by f_{k'}(L_i).
     Lookup: Send E_{k''}(W), f_{k'}(L). Server checks as before.

  16. CRYPTDB BUILDING BLOCKS.
     RND: AES+CBC+random IV.
     DET: AES+CBC+fixed IV.
     OPE: x < y ⟹ OPE_K(x) < OPE_K(y).
     HOM: HOM_K(x) * HOM_K(y) = HOM_K(x+y). Fully homomorphic: F(E_K(x)) = E_K(F(x)).
     SEARCH: basic idea: E_k(W_i) ⊕ 〈S_i, F_{K_i}(S_i)〉, with K_i = f_{k'}([E_k(W_i)]_{n-m}). To search, give K_i and E_k(W_i).

  17. CRYPTDB BUILDING BLOCKS: ONIONS. Peel off the layers as you need them. Once removed, can never un-reveal.

  18. CRYPTDB OPERATIONS. Equi-joins: FROM X,Y where X.id = Y.id.
     Known ahead of time: Encrypt with the same key across columns using DET.
     Not known ahead of time: JOIN-ADJ.

  19. JOIN-ADJ (ADJUSTABLE JOIN): Cryptographic hash that can be re-keyed without revealing information.

  20. ATTACKS. “Developed in the 9th century”
     FREQUENCY ANALYSIS: Deterministic encryption (ECB) reveals frequency.
     ℓ_p-OPTIMIZATION ATTACKS: Find an assignment from ciphertexts to plaintexts that minimizes a cost function.
     SORTING ATTACKS: Order-preserving encryption reveals .. order.
     CUMULATIVE ATTACK: Order-preserving encryption needs high entropy.

  21. ATTACKS ON DTE. Compare the histograms of ciphertexts to histograms of auxiliary data (panels: Ciphertext, Auxiliary data). Match the rankings. A more general formulation

  22. ATTACKS ON OPE. Exploit the fact that the order is revelatory… Order, not frequency like DTE.

  23. ATTACKS ON OPE. …or that there is low entropy. Intuitively, if a given OPE ciphertext is greater than 90% of the ciphertexts in the encrypted column c, then we should match it to a plaintext that also is greater than about 90% of the auxiliary data z.

  24. BILINEAR MAPS For any generator Public key scheme: Private key a Public key Signature scheme: Signature = H(m)^a Verify: Multisignature scheme: Signatures = H(m)^{a_1}, …, H(m)^{a_n} Multisignature = H(m)^{a_1} * … * H(m)^{a_n}
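
Scheme 2 from the searchable-encryption slides above, as an added Python example (not code from the slides or from the papers they cover). It assumes HMAC-SHA256 as a stand-in for both PRFs F and f, derives S_i from a seed with the same PRF, and measures n and m in bytes rather than bits; all function names and key values are constructed for the illustration.

```python
import hashlib
import hmac

N, M = 16, 4  # n-byte word block; the last m bytes carry the check value

def prf(key: bytes, data: bytes, out_len: int) -> bytes:
    """Truncated HMAC-SHA256, standing in for the PRFs F and f (assumption)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:out_len]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad(word: str) -> bytes:
    raw = word.encode()
    if len(raw) > N:
        raise ValueError("word longer than one block")
    return raw.ljust(N, b"\x00")

def trapdoor(k_prime: bytes, word: str):
    """Client: (W, k) with k = f_k'(W). The master key k' never leaves the client."""
    w = pad(word)
    return w, prf(k_prime, w, 32)

def encrypt_words(seed: bytes, k_prime: bytes, words):
    """Client: C_i = W_i XOR <S_i, F_ki(S_i)>, with k_i = f_k'(W_i)."""
    out = []
    for i, word in enumerate(words):
        w, k_i = trapdoor(k_prime, word)
        s_i = prf(seed, i.to_bytes(8, "big"), N - M)  # S_i from the seeded stream
        out.append(xor(w, s_i + prf(k_i, s_i, M)))
    return out

def server_search(ciphertexts, w: bytes, k: bytes):
    """Server: position i matches when F_k([C_i XOR W]_{n-m}) == [C_i XOR W]_m."""
    hits = []
    for i, c in enumerate(ciphertexts):
        t = xor(c, w)
        if hmac.compare_digest(prf(k, t[:N - M], M), t[N - M:]):
            hits.append(i)
    return hits

if __name__ == "__main__":
    seed, k_prime = b"constructed-seed", b"constructed-k-prime"  # constructed demo keys
    doc = ["Alice", "is", "tall", "and", "Alice", "is", "small"]
    cts = encrypt_words(seed, k_prime, doc)
    print(server_search(cts, *trapdoor(k_prime, "Alice")))
    print(server_search(cts, *trapdoor(k_prime, "Bob")))
```

The repeated words get different ciphertexts because each position uses its own S_i, yet a single trapdoor lets the server locate every occurrence of that word and nothing else. A non-matching position passes the check by accident with probability 2^-(8·M), which is why m trades storage against false positives.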
