Searchable%20Symmetric%20Encryption:%20Improved%20Definitions%20and%20Efficient%20Constructions - PowerPoint PPT Presentation

About This Presentation
Title:

Searchable%20Symmetric%20Encryption:%20Improved%20Definitions%20and%20Efficient%20Constructions

Description:

Title: Searchable Symmetric Encryption: Improved Definitions and Efficient Constructions Last modified by: Rafail Ostrovsky Document presentation format – PowerPoint PPT presentation

Number of Views:208
Avg rating:3.0/5.0

less

Transcript and Presenter's Notes

Title: Searchable%20Symmetric%20Encryption:%20Improved%20Definitions%20and%20Efficient%20Constructions


1
Searchable Symmetric Encryption Improved
Definitions and Efficient Constructions
  • Reza Curtmola Juan Garay Seny Kamara
    Rafail Ostrovsky
  • Johns Hopkins Bell Labs
    Johns Hopkins UCLA

2
Remote Storage
  • Remote storage is ubiquitous
  • data backups
  • GMail, Yahoo Mail etc...
  • Q How do we store sensitive data on an untrusted
    server?
  • A Encryption
  • hides all partial information about data
  • client must download all data, decrypt and
    perform operations locally
  • Can we enable the server to help ?

3
Outline
  • Motivation
  • Brief overview of different models for private
    searching
  • Our focus Searchable Symmetric Encryption (SSE)
  • Revisiting security definitions for SSE
  • point out subtle (but serious) issues with
    previous definitions
  • Two new notions of security for SSE
  • Non-adaptive security
  • Adaptive security
  • Two new constructions
  • Extensions

4
Private Searching
  • MPC general, but inefficient Yao82, GMW87,
    BGW88, CCD88
  • Searching (explicitly) -- different settings
  • public data unencrypted (e.g., stock-quotes,
    news articles)
  • client wishes to hide which element is accessed
  • PIR and its variants CGKS,KO97,...
  • user-owned data symmetrically encrypted
  • client can upload additional encrypted data
    structures to help search
  • Oblivious RAMs, searchable symmetric encryption
    O90, OG96, SWP00, Goh03, CM05
  • third-party data public-key encrypted
  • data comes encrypted to server from users other
    than client BKOS07
  • public-key searchable encryption BDOP05,BW06...

5
Searchable Symmetric Encryption
  • We consider the following scenario
  • client has a collection of documents that
    consists of a set of words
  • encrypts document collection together with
    additional data structure
  • sends everything to server
  • Functionality server should support the
    following types of queries
  • find all documents that contain a particular
    keyword
  • Privacy allow server to help, but reveal as
    little as possible

6
Prior work on SSE
  • SSE can be achieved using oblivious RAMs Ost,
    GO
  • functionality can simulate any data structure in
    a hidden way, and can support conjunctive
    queries, B-trees etc...
  • privacy hides everything, even the access
    pattern
  • efficiency logarithmic number of rounds per each
    read/write
  • Q Can we search over encrypted data in
    single/constant rounds?
  • with absolute privacy, recently solved by
    Boneh-Kushilevitz-Ostrovsky-Skeith wish sqrtDB
    communication.
  • This paper what if we relax the security
    requirements to get better performance?

7
How do we relax the security definition ?
  • Informal answer
  • leak the access pattern but nothing else
  • What does it mean to leak the access pattern but
    nothing else ?
  • defining this formally is delicate
  • in fact, there are issues with 3 previous attempts

8
Constant-round SSE with relaxed security
  • 3 previous constant-round solutions that leak
    access pattern
  • Practical techniques for searches on encrypted
    data SWP00
  • Secure Indexes Goh03
  • Privacy-preserving keyword searches on remote
    encrypted data CM05
  • BKOS-07 is constant round but sqrt(DB)
    communication

9
Outline
  • Motivation
  • Overview of privacy-preserving searching
  • Searchable symmetric encryption
  • Revisiting security definitions for SSE
  • Non-adaptive definitions and construction
  • Adaptive definitions and construction
  • Extensions

10
Revisiting SSE security definitions
  • SWP00,Goh03,CM05 A secure SSE scheme should
    not leak anything beyond the outcome of a search
  • search outcome memory addresses of documents
    that contain a hidden keyword (precise definition
    later)
  • Important to note different keyword requests may
    lead to the same search outcome
  • search pattern whether two queries were for
    the same keyword or not
  • A (slightly) better intuition
  • A secure SSE scheme should not leak anything
    beyond the outcome and the pattern of a search

11
Issues with SWPs security definition
  • SWP00 implicitly use indistinguishability
    GM84 as a security definition
  • any function of the plaintext that can be
    computed from the ciphertext can be computed from
    the length of the plaintext
  • Issue adversary gets to see search outcomes and
    search pattern
  • SWP00 does not model the fact that this
    additional information is revealed.
  • There are also issues with definitions in
    Goh03,CM05, but to explain these well need to
    define the model more precisely

12
SSE Algorithms
  • Keygen(1k) outputs symmetric key K
  • BuildIndex(K, D1, ..., Dn) outputs secure
    index I
  • Trapdoor(K, w) outputs a trapdoor Tw
  • Search(I, Tw) outputs identifiers of documents
    containing w (id1, ..., idm)

13
SSE System Operation
  • Secure index additional data structure that
    helps the server to search (following Goh03
    terminology)
  • Symmetrically encrypted data client performs
    encryption himself
  • Trapdoors associate a trapdoor to keywords which
    enables server to search while keeping keyword
    hidden

keyword
14
Our model
  • History documents and keywords
  • View encrypted documents, index, trapdoors
  • Trace length of documents, search outcomes,
    search pattern

15
Our Intuition
  • Previous intuition
  • A secure SSE scheme should not leak anything
    beyond the outcome and the pattern of a search
  • A more formal intuition
  • any function about the documents and the
    keywords that can be computed from the encrypted
    documents, the index and the trapdoors can be
    computed from the length of the documents, the
    search outcomes and the search pattern

16
Issues with Gohs SSE security definition
  • IND2-CKA indistinguishability against
    chosen-keyword attacks
  • any function of the documents that can be
    computed from the encrypted documents and the
    index can be computed from the length of the
    documents and the search outcomes
  • Issue says nothing about keywords or trapdoors
  • Important Note Goh03 considers more than SSE
    and notes that secure trapdoors is not necessary
    for all the applications considered. Also Z-IDX
    has secure trapdoors.
  • Why not prove index secure in the sense of
    IND2-CKA and trapdoors secure using another
    definition?
  • We show that there exists an SSE scheme that has
  • IND2-CKA indexes and trapdoors that are secure
  • but when taken together, adversary can recover
    keyword

17
Issues with CMs SSE security definition
  • CM security
  • any function that can be computed about the
    documents and keywords given the ciphertexts, the
    index and the trapdoors can be computed from the
    length of the documents and the search outcomes
  • Issues
  • leaves out search pattern (proofs assume unique
    queries)
  • order of quantifiers implies that there will
    always exist a simulator that can evaluate
    function on documents and keywords
  • Only guarantees security against non-adaptive
    adversaries

18
What is adaptiveness?
  • Non-adaptive adversaries make search queries
    without seeing the outcome of previous searches
  • Adaptive adversaries can make search queries as a
    function of the outcome of previous searches
  • What are the implications of adaptiveness?

19
Modeling adaptiveness
Non-Adaptive SWP00,Goh03,CM05,...
Adaptive (new)
20
Outline
  • Motivation
  • Overview of privacy-preserving searching
  • Searchable symmetric encryption
  • Revisiting security definitions for SSE
  • Non-adaptive definitions and construction
  • Adaptive definitions and construction
  • Extensions

21
Non-adaptive security
  • any function about the history that can be
    computed from the view can be computed from the
    trace
  • history documents and keywords
  • view encrypted documents, index, trapdoors,
  • trace document lengths, search outcomes, search
    pattern

22
SSE-1
  • Building a Secure Index

23
SSE-1
  • Building a Secure Index

Austin Baltimore Washington
24
SSE-1
  • Building a Secure Index
  • P PRP
  • F PRF

F(Austin) KA
Austin
Baltimore
F(Baltimore) KB
Washington
F(Washington) KW
25
SSE-1
  • Searching

addr P(Baltimore)
key F(Baltimore)
Baltimore
26
Technical issues
  • We overlooked many technical details
  • padding and shuffling
  • Efficient storage of sparse tables
  • large address space small number of entries
  • FKS dictionaries Fredman-Komlos-Szemeredi84
  • storage O(entries)
  • lookup O(1)

27
Outline
  • Motivation
  • Overview of privacy-preserving computation
  • Searchable symmetric encryption
  • Revisiting security definitions for SSE
  • Non-adaptive definitions and construction
  • Adaptive definitions and construction
  • Extensions

28
Adaptive security
  • any function about the partial history that can
    be computed from the partial view can be computed
    from the partial trace
  • partial history documents and keywords
  • partial view encrypted documents, index,
    trapdoors,
  • partial trace document lengths, search outcomes,
    search pattern

29
Adaptive security
  • Do we need revised SSE constructions?
  • Are previous constructions adaptively secure?
  • Technical challenge simulator must be able to
    fake trapdoors after having committed to index
  • Previous constructions do not have this property
  • Unfortunately, this is expensive!

30
SSE-2
  • Similar to SSE-1
  • Pre-processing and padding
  • simulator can commit to an index before query is
    issued
  • and still build valid trapdoors after query is
    issued
  • Constant blowup in
  • size of trapdoors
  • size of index
  • server search time

31
Comparison
  • n total of documents d of
    documents that contain word

Ost90,GO96 SWP00 Goh03 CM05 SSE-1 SSE-2
access pattern yes no no no no no
server comp.
server storage
rounds 1 1 1 1 1
comm.
adaptive yes no no no no yes
32
Outline
  • Motivation
  • Overview of privacy-preserving searching
  • Searchable symmetric encryption
  • Revisiting security definitions for SSE
  • Non-adaptive definitions and construction
  • Adaptive definitions and construction
  • Extensions

33
Multi-User SSE
34
Multi-User SSE
  • Indexes and trapdoors require same security
    notions as single-user SSE
  • Revocation owner can revoke searching privileges
  • robust against user collusions
  • Anonymity server should not know who initiated
    search
  • Simple construction that transforms single-user
    SSE schemes to multi-user SSE schemes
  • broadcast encryption (revocation)
  • PRPs

35
Open Questions
  • Constant-round schemes that hide everything, even
    the access pattern
  • Constant-round Searching for Boolean combinations
    of keywords (note that with logarithmic rounds
    already follows from Ost,GO.)
  • Conjunctive searchable encryption GSW04, PKL04,
    BW06
  • Disjunctive ?

36
Conclusions
  • Weakening complete security is delicate
  • point out issues with previous attempts
  • Introduce new definitions
  • non-adaptive simulation and indistinguishability-
    based
  • adaptive simulation and indistinguishability-base
    d
  • Efficient and practical constructions
  • Multi-user setting
Write a Comment
User Comments (0)
About PowerShow.com