
Structured Encryption and Leakage Suppression, Tarik Moataz



  1. Structured Encryption and Leakage Suppression. Tarik Moataz. Part I is joint work with Seny Kamara and Olya Ohrimenko; Part II is joint work with Seny Kamara.

  2. Structured Encryption (STE) [CK10]
     [Diagram: Setup takes 1^k and DS and outputs EDS; Token takes a query q and outputs tk; Query takes EDS and tk and outputs ans]

  3. Structured Encryption [CK10]
     [Diagram as on slide 2 (Setup, Token, Query), annotated with the Setup Leakage L_S and the Query Leakage L_Q]

  4. Structured Encryption [CK10]: An STE scheme is (L_S, L_Q)-secure if
     • It reveals no information about the structure beyond L_S
     • It reveals no information about the structure and queries beyond L_Q

  5. Structured Encryption [CK10]
     • Applications: Encrypted NoSQL Databases, Encrypted Distributed Hash Tables, Garbled Circuits, Encrypted Relational Databases, Searchable Symmetric Encryption, Network Provenance, …
     • Structured Encryption (STE): Encrypted Multi-maps, Encrypted Dictionaries, Encrypted Arrays, Encrypted Graphs…

  6. Structured Encryption [CK10]: Efficiency, Expressiveness, Security

  7. Structured Encryption Evolution
     Efficiency
     • ‘00 Linear per file [SWP00]
     • ‘03 Linear [Goh03]
     • ‘06 Optimal [CGKO06,CK10]
     • ‘12 Dynamism [KPR12], [KP13], [CJJJKRS14]
     • ‘14 I/O efficiency [CT14], [CJJJKRS14], [ANSS16], [DPP18], [ASS18]
     Expressiveness
     • ‘00 Single-keyword SSE [SWP00], [Goh03], [CGKO06], [CJJJKRS14]
     • ‘06 Multi-user SSE [CGKO06], [JJKRS13], [PPY16], [HSWW18]
     • ‘13 Boolean SSE [CJJKRS13], [PKVK+14], [KM17]
     • ‘14 Range SSE [PKVK+14], [FJKNRS15]
     • ‘18 STE-based SQL [KM18]
     Security
     • ‘06 Leakage-parametrized security definitions [CGKO06]
     • ‘12 Adv. models [KO12], [BFP16], [AKM18]
     • ‘12 Attacks [IKK12], [CGPR15], [ZKP16], [KMNO16], [LMP18], [GLMP18]
     • ‘14 Forward/Backward Security [SPS14], [Bost16], [LC17], [BMO17], [AKM18]

  8. What about Leakage?

  9. What about Leakage? Cryptanalysis [IKK12]; Measure ?; Suppression [KMO18]

  10. Cryptanalysis
      • Def: Given a leakage profile, design attacks to recover the queries or the data under some assumptions
      • Goal: empirically learn the impact of a leakage pattern in the real world
      • Limitations: the gap between assumptions and reality can get wide

  11. Measure
      • Def: Given a leakage profile, quantify (e.g., in bits) a specific leakage pattern
      • Goal: theoretically compare leakage patterns
      • Limitations: (maybe) no possible total order (work in progress!)

  12. Suppression
      • Def: Given a leakage profile, design a compiler or a transform to suppress a specific leakage pattern
      • Goal: develop tools to suppress various leakage patterns
      • Limitations: introduces some overhead

  13. Part 1*: Suppressing Leakage (*joint work with Seny Kamara and Olya Ohrimenko) https://eprint.iacr.org/2018/551

  14. Q: is there an existing approach to reduce leakage?

  15. Existing Approaches
      • ORAM Simulation [GO96], [SvDSFRD13]: Generic, Polylog, Small leakage profile, Interactive, Efficiency, …
      • Garbled RAM [LO13], [GHLORW14]
      • Custom Schemes [WNLCSSH14], [BM16]
      [Diagram: Alg(q) issues Read/Write operations through an ORAM to RAM]

  16. Q: are there more efficient ways to suppress leakage?

  17. Background: Modeling Leakage
      • : query equality
      • : query length
      • : response length
      • search pattern
      • volume pattern
      • : data identity
      • : maximum query length
      • : response equality
      • : maximum response length
      • : response identity
      • : sequence response length
      • access pattern
      • : data size

  18. Background: Non-Repeating Sub-Pattern
      • Non-repeating sub-pattern
      • Example

  19. Leakage Suppression Through Compilation
      [Diagram: STE → Compilation → STE’]

  20. Suppressing Query Equality
      [Diagram: STE → Cache-Based Compiler (CBC) → STE’]

  21. Leakage Suppression Through Transformation
      [Diagram: STE applied to DS gives EDS with leakage profile Λ = (L_S, L_Q = (patt_1, patt_2)); Transform maps DS to DS*; STE’ on DS has leakage profile Λ′ = (L_S, L_Q = patt_1)]

  22. [Diagram: STE → CBC → STE’]
      • Cache-based Compiler (CBC)
      • suppresses the query equality and the repeating sub-pattern
      • induces an additive poly-log overhead
      • requires a rebuildable STE

  23. [Diagram: STE → RBC → RSTE → CBC → RSTE’]
      • Rebuild Compiler (RBC)
      • makes any STE scheme rebuildable
      • preserves the scheme’s query efficiency
      • adds a super-linear rebuild cost

  24. [Diagram: STE → RBC → RSTE → CBC → RSTE’]
      The problem boils down to reduce of the base STE scheme

  25. [Diagram labels: PBS, RBC, RPBS, CBC, AZL, FZL]
      • Piggyback scheme (PBS)
      • hides the response length for non-repeating queries
      • introduces query latency

  26. Square-Root ORAM [GO96]
      [Diagram labels: Main memory, Maximum size, Cache]
      • Access that reads the real block: 1. Read the entire cache; 2. Read the real block; 3. Insert the block back in the cache
      • Access that reads a dummy block: 1. Read the entire cache; 2. Read a dummy block; 3. Insert the block back in the cache
      • Rebuild after

  27. Reinterpreting the Square-Root Solution: Main memory ≈ Encrypted Array
      • Main memory is an encrypted array construction
      • Accessing an element is done deterministically through PRP evaluation
      • The adversary learns if/when an access to the same element is repeated
      • Leaks query equality

  28. Reinterpreting the Square-Root Solution: Cache ≈ Zero-Leakage Dictionary
      • The cache is an encrypted dictionary data structure
      • Given a label, it outputs an element or ⊥
      • The cache is accessed in its entirety
      • Most trivial zero-leakage dictionary construction; therefore no query leakage

  29. Reinterpreting the Square-Root Solution
      [Diagram: Access(15), Access(15); each access goes to the Zero-Leakage Dictionary and to a Real or Dummy element]

  30. Reinterpreting the Square-Root Solution
      [Diagram: Encrypted Array + Zero-Leakage Dictionary, generalized to Encrypted Data Structure (EDS) + Zero-Leakage Dictionary]

  31. Reinterpreting the Square-Root Solution
      • Requirements
      • EDS scheme has to be rebuildable
      • Data structure has to be extendable and safe
      • Base scheme has to have smaller non-repeating sub-pattern
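
The reinterpretation on slides 26 to 31, as an added example that is not taken from the slides or the paper: a square-root ORAM whose main memory is a PRP-indexed array and whose cache is scanned in full, next to the array-only baseline that leaks query equality. The class and function names, the HMAC-based stand-in PRP, the key and the query sequence are assumptions; only the server-visible trace is modelled and block encryption is left out.

```python
import hashlib, hmac, math
from collections import Counter

KEY = b"constructed demo key"
QUERIES = [15, 15, 3, 15, 7, 7, 15, 3]  # constructed query sequence

def prp(key, epoch, size):
    """Stand-in PRP over range(size): rank the indices by their HMAC tag."""
    tag = lambda i: hmac.new(key, f"{epoch}|{i}".encode(), hashlib.sha256).digest()
    pos = [0] * size
    for p, i in enumerate(sorted(range(size), key=tag)):
        pos[i] = p
    return pos

class SqrtORAM:
    def __init__(self, data, key=KEY):
        self.data, self.key, self.n = list(data), key, len(data)
        self.c = max(1, math.isqrt(self.n))       # cache size and rebuild period
        self.epoch, self.trace = 0, []            # trace = what the server observes
        self._rebuild()

    def _rebuild(self):
        self.epoch += 1
        self.pos = prp(self.key, self.epoch, self.n + self.c)  # n real + c dummy slots
        self.cache, self.used = {}, 0
        self.trace.append(("rebuild", self.epoch))

    def access(self, i):
        self.trace.append(("scan_cache", None))   # 1. read the entire cache
        slot = self.n + self.used if i in self.cache else i  # 2. dummy on hit, real on miss
        self.trace.append(("read", self.pos[slot]))
        self.cache[i], self.used = self.data[i], self.used + 1  # 3. back into the cache
        if self.used == self.c:                   # rebuild after c accesses
            self._rebuild()
        return self.data[i]

def max_repeats_per_epoch(trace):  # most reads of one array position between rebuilds
    worst, seen = 0, Counter()
    for op, arg in trace:
        if op == "rebuild":
            seen.clear()
        elif op == "read":
            seen[arg] += 1
            worst = max(worst, seen[arg])
    return worst

def array_only_trace(queries, n, key=KEY):
    """Baseline: the encrypted array alone, one fixed PRP position per index."""
    pos = prp(key, 0, n)
    return [("read", pos[q]) for q in queries]
```

With the cache in front, no array position is read twice between rebuilds even though index 15 is queried four times; the array-only trace repeats the same position each time.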

  32. Data Structure Extension
      • -extension:
      • Extend the query space of the data structure with dummies
      • s.t.
      • Safe -extension:
      [Diagram labels: EDS, EDS]

  33. [Diagram labels: PBS, RBC, RPBS, CBC, AZL, FZL]

  34. PBS: Data transformation
      • Batch size α (ex: α = 3)
      • Pad all responses to a multiple of α
      [Diagram: Multi-map MM with labels l_1, l_2, l_3 becomes Dictionary DX with labels l_1||1, l_1||2, l_2||1, l_3||1]

  35. PBS Details
      [Diagram: Setup_PBS on input 1^k and Multi-map MM produces State (l_1: 2, l_2: 1, l_3: 1) and the Encrypted Dictionary EDX with labels l_1||1, l_1||2, l_2||1, l_3||1]

  36. PBS Details
      • Consider a sequence of labels
      [Diagram: Token_PBS on label l_1, with State (l_1: 2, l_2: 1, l_3: 1)]
      1. l_1 has 2 batches
      2. Instantiate a queue: l_1||1, l_1||2
      3. Compute Token for l_1||1
      4. Update queue: l_1||2

  37. PBS Details
      [Diagram: Get_PBS on EMM with the token for l_1||1 is carried out as Get_EDX on the Encrypted Dictionary EDX (labels l_1||1, l_1||2, l_2||1, l_3||1) with the token for l_1||1]

  38. PBS Details
      [Diagram: Token_PBS on label l_2, with State (l_1: 2, l_2: 1, l_3: 1)]
      1. l_2 has 1 batch
      2. Update the queue: l_1||2, l_2||1
      3. Compute Token for l_1||2
      4. Update queue: l_2||1

  39. PBS Details
      [Diagram: Get_PBS on EMM with the token for l_1||2 is carried out as Get_EDX on the Encrypted Dictionary EDX (labels l_1||1, l_1||2, l_2||1, l_3||1) with the token for l_1||2]

  40. PBS Details
      [Diagram: Token_PBS on ⊥, with State (l_1: 2, l_2: 1, l_3: 1)]
      1. Compute Token for l_2||1
      2. Update queue

  41. PBS Details
      [Diagram: Get_PBS on EMM with the token for l_2||1 is carried out as Get_EDX on the Encrypted Dictionary (labels l_1||1, l_1||2, l_2||1, l_3||1) with the token for l_2||1]

  42. PBS Latency
      • The worst-case query sequence of size t has latency
      • Real-world sequences have latency with probability at least where queries are drawn from a Zipf distribution and longer responses are mapped to less frequent labels

  43. [Diagram labels: PBS, RBC, RPBS, CBC, AZL, FZL]

  44. AZL Analysis
      • Worst-case query complexity over queries
      • Comparison to ORAM simulation (Path-ORAM [SvDSFRD13]) when Natural Assumption: and If response lengths are power-law distributed

  45. Part 2*: Suppressing Volume (*joint work with Seny Kamara) https://eprint.iacr.org/2018/978

  46. Leakage Suppression Through Compilation
      [Diagram: STE → Compilation → STE’]

  47. Leakage Suppression Through Transformation
      [Diagram: STE applied to DS gives EDS with leakage profile Λ = (L_S, L_Q = (patt_1, patt_2)); Transform maps DS to DS*; STE’ on DS has leakage profile Λ′ = (L_S, L_Q = patt_1)]

  48. Q: is there any other approach to suppress leakage?

  49. Suppression
      [Diagram labels: Data structure Transformation; Black-box Compilation; against unbounded adversary; against bounded adversary]

  50. Computationally-Secure Leakage: Unbounded Adversary vs. Bounded Adversary

  51. Leakage Suppression Through Transformation [KMO18]
      [Diagram: STE applied to DS gives EDS with leakage profile Λ = (L_S, L_Q = (patt_1, patt_2)); Transform maps DS to DS*; STE’ on DS has leakage profile Λ′ = (L_S, L_Q = (patt_1, patt*)), where patt* ≃ ⊥]

  52. Q: can we suppress the response length pattern?
