1 / 30

Introduction to Practical Cryptography

Introduction to Practical Cryptography. Lecture 9 Searchable Encryption. What Area of Cryptography?. Privacy-Preserving Computation (PPC) Function (including inputs and outputs) does not reveal private information. MPC vs. PPC. MPC is general – it captures all applications.

darice
Download Presentation

Introduction to Practical Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Introduction to Practical Cryptography Lecture 9 Searchable Encryption

  2. What Area of Cryptography? • Privacy-Preserving Computation (PPC) • Function (including inputs and outputs) does not reveal private information

  3. MPC vs. PPC • MPC is general – it captures allapplications. • Regarding privacy, MPC aims for the following: • A secure protocol must reveal no more information than the output of the function itself • That is, the process of protocol computation reveals nothing. • MPC does not deal with the question of whether or not the function reveals much information – that’s the focus of Privacy-Preserving Computation (PPC)

  4. query • Client wants to preserve search privacy:Private Information Retrieval • Data repository is huge! Privacy-preserving data mining • Data are encrypted: Search over encrypted data Privacy-Preserving Computation Search Data repository

  5. Untrusted Remote Storage • Remote storage is ubiquitous: • E-mail, backups, CVS • Department servers, Yahoo Mail, Gmail

  6. Untrusted Remote Storage • Google’s Search Across Computers feature • “In order to share your indexed files between your computers, we first copy this content to Google Desktop servers located at Google. This is necessary, for example, if one of your computers is turned off or otherwise offline when new or updated items are indexed on another of your machines. We store this data temporarily on Google Desktop servers and automatically delete older flies, and your data is never accessible by anyone doing a Google search.” • Do you trust this?

  7. Searchable Encryption • Store data externally • encrypted • want to search data easily • avoid downloading everything then decrypt • allow others to search data without having access to plaintext

  8. Searchable Encryption - Factors • When searching, what must be protected? • retrieved data • search query • search query outcome (was anything found?) • Scenario • single query vs multiple queries • non-adaptive: series of queries, each independent of the others • adaptive: form next query based on previous results • # of participants • single user (owner of data) can query data • multiple users can query the data, possibly with access rights defined by the owner

  9. SSE Security Non-Adaptive Adaptive

  10. Search Over Encrypted Data • Applications:Storage outsourcing, mail gateways, Google Desktop (“search across computers”), … • Untrusted servers  Data has to be encrypted • Encryption hides all information about the data  Server cannot search! • Client must download entiredocument collection:

  11. Search Over Encrypted Data (cont’d) • SearchableSymmetric Key Encryption where client performs encryption before storing data • Recall that public key algorithms are too slow for encrypting large data • Secure index (SI): Auxiliary data structure that allows the remote server to perform searches efficiently, while keeping queries and data confidential • Documents are encrypted; SI is encrypted — “two-layer;” searches performed using trapdoors.

  12. Searchable EncryptionSong, Wagner, Perrig Proposal • Alice wants to encrypt a document containing a sequence of n bit words, w1, w2 … wq • Compute bitwise XOR of plaintext with sequence of “pseudorandom” bits with some structure • n-m bit strings: s1, s2, .. sq generated (such as from a stream cipher using a key k’) • use keyed function F on n-m bits that outputs m bits • ti = si || Fki(si) • ci = wi ti

  13. Basic Idea • To search for some wj, tell server • ki for each location i want to search • wj • Server computes ci wj • checks if it is of the form s || Fki(s) • s = first n-m bits, insert into Fki and see if result matches last m bits of ci w • But this requires that Alice reveals • all ki’s in subset of data she wants to search • and wj

  14. Don’t Reveal All ki’s • Instead, only reveal key for the wj • Can use one secret key k and a function G to create ki’s : ki = Gk(wi) • Reveal wj and Gk(wj) when searching for wj • If wj is in location i, does not reveal other keys, ki for i ≠ j • Still reveals wj

  15. Don’t Reveal Plaintext plaintext wi Esk(wi) Ri Li ciphertext stream cipher si Gki(si)

  16. Don’t Reveal Plaintext • Instead of applying process to plaintext (w1, w2, … wq), encrypt wi’s first as individual blocks • xi = Esk(wi) • Also split xi into Li || Ri • where Li is n-m bits (same length as si) • to allow decryption – see on next slide • Use Li to create ki, ti , xor with xi • ki = Gk(Li) • ti = si || Fki(si) • ci = xi ti • To search for wj, Give server (xj, kj) • Server computes • ti = ci xjfor each i • checks if ti is of the form si || Fkj(si) • if yes, found a match

  17. Don’t Reveal Plaintext • xi broken into Li, Ri to allows decryption by someone with the fixed keys • k’ (stream cipher) • sk (E – encryption of wi’s) • k (G – function for creating ki’s) • Use k’ to compute si • Recover Li: Li = si (first n-m bits of ci) • Use Li to compute ki : ki = Gk(Li) • Use ki to recover Ri : Fki(si)  (last m bits of ci) • Now have all of xi : xi = Li || Ri • Then can recover wi : wi = E-1sk(xi)

  18. Security • Information leakage • Didn’t cover how to securely index documents • After one query, does server know if two documents contain the same wi? • Over many queries can determine if document are similar • How to hide length of wi? • Overhead – typical w not a full block for a block cipher • Is each wi padded?

  19. Searchable Encryption Curtmola, Garay, Kamara, Ostrovsky Proposal (Will cover a non-adaptive case) • D = set of documents • W = of words in D, w is a word in W • D(w) = set of documents in D containing w • T = lookup table containing information to locate and decrypt elements of A • Li = linked list containing identities of documents in D(wi) • Each node encrypted under separate key • jth node of Li contains pointer to (j+1)st node its key to (need to decrypt jth node to get information for (j+1)st node) • A = array containing all nodes from all LI’s in random order • Can’t determine order of LI’s within A • Can’t determine length of an Li without traversing it

  20. Build Lists Determine words in each D to create D(w)’s Build linked lists Austin Baltimore Washington

  21. Create Lists Encrypt linked lists: establish keys, pointers, encrypt Austin Baltimore Washington

  22. g( ) f( ) g( ) f( ) f( ) g( ) Build Index Table Build lookup table T Austin Baltimore Washington

  23. Create Array Merge, scramble linked lists to form A

  24. Query Baltimore

  25. Performance • While traversing lists is linear in length of list but linear by what factor? • In practice, is a block cipher used to encrypt each word? • Padding? • Need to run key schedule and decryption function per node

  26. Extensions • Can I share my document collection? • Malicious servers • Updates

  27. Multi-User SSE

  28. Multi-User SSE (cont’d) • Similar security notions to single-user SSE’s • Secure indexes and trapdoors • Revocation: owner can revoke searching privileges • Robust against user collusions • Anonymity: server should not know who initiated search

  29. Related Work • Public Key Searchable Encryption (PEKS) • [BdCOP04, PKL04, GZZ05, ABC+05, BNS05, OS05] • E-mail gateways, streaming data

  30. Work on SSE • “Oblivious RAMs” [Ost90,GO96] • Optimal security (even hides access pattern) • Poly-logarithmic number of rounds • “Practical techniques for searches on encrypted data” [SWP00] • First specific construction (PRGs, PRFs, PRPs) • Limitations: leaks information; inadequate security definition (IND-CPA) • “Secure Indexes” [Goh03] • IND2-CKA: semantic security against chosen-keyword attacks • Efficient and IND2-CKA construction (PRFs, Bloom filters) • “Privacy Preserving Keyword Searches on Remote Encrypted Data” [CM05] • Simulation-based security definition • Two constructions (PRFs,PRPs) • “Searchable Symmetric Encryption: Improved Definitions and Efficient Constructions,” [CGKO06] • Proposed four new security definitions • Two new efficient constructions for SSE IND2-CKA: Indistinguishability against Chosen-Keyword Attacks

More Related