Presentation is loading. Please wait.

Presentation is loading. Please wait.

based on slides by Debra Cook

Published byAnna Cunningham Modified over 6 years ago

Similar presentations

Presentation on theme: "based on slides by Debra Cook"— Presentation transcript:

1 based on slides by Debra Cook
Encrypted Search based on slides by Debra Cook

2 Privacy-Preserving Computation Search
Data repository is huge! Privacy-preserving data mining Client wants to preserve search privacy: Private Information Retrieval query Data are encrypted: Search over encrypted data Data repository Naïve solution: user retrieves all documents and then decrypts them. Ideally we want to let the server perform the search and return only the relevant documents, while ensuring the server learns as little as possible in this process: in particular we server should learn nothing about the keyword or document contents. We can have several scenarios: static case dynamic case (after the initial submission, user is allowed to update his document collection) Most of the work done in this area of research deals mostly with the static case, the solutions for the dynamic case aren’t very reliable.

3 Untrusted Remote Storage
Remote storage is ubiquitous: , backups, CVS Department servers, Yahoo Mail, Gmail

4 Untrusted Remote Storage
Google’s Search Across Computers feature “In order to share your indexed files between your computers, we first copy this content to Google Desktop servers located at Google. This is necessary, for example, if one of your computers is turned off or otherwise offline when new or updated items are indexed on another of your machines. We store this data temporarily on Google Desktop servers and automatically delete older flies, and your data is never accessible by anyone doing a Google search.” Do you trust this?

5 Searchable Encryption
Store data externally encrypted want to search data easily avoid downloading everything then decrypt allow others to search data without having access to plaintext

6 Searchable Encryption - Factors
When searching, what must be protected? retrieved data search query search query outcome (was anything found?) Scenario single query vs multiple queries non-adaptive: series of queries, each independent of the others adaptive: form next query based on previous results # of participants single user (owner of data) can query data multiple users can query the data, possibly with access rights defined by the owner

7 SSE Security Non-Adaptive Adaptive

8 Search Over Encrypted Data
Applications: Storage outsourcing, mail gateways, Google Desktop (“search across computers”), outsourced database… Untrusted servers  Data has to be encrypted Encryption hides all information about the data  Server cannot search! Client must download entire document collection: Since we are dealing with a search problem, the notion of indexes naturally comes to mind. An index is an additional data the user submits along with the documents Each document has an additional structure associated with it: an index Indexes are submitted to the remote server along with the associated documents

9 Search Over Encrypted Data (cont’d)
Searchable Symmetric Key Encryption where client performs encryption before storing data Recall that public key algorithms are too slow for encrypting large data Secure index (SI): Auxiliary data structure that allows the remote server to perform searches efficiently, while keeping queries and data confidential Documents are encrypted; SI is encrypted — “two-layer;” searches performed using trapdoors. Since we are dealing with a search problem, the notion of indexes naturally comes to mind. An index is an additional data the user submits along with the documents Each document has an additional structure associated with it: an index Indexes are submitted to the remote server along with the associated documents

10 Searchable Encryption Song, Wagner, Perrig Proposal
Alice wants to encrypt a document containing a sequence of n bit words, w1, w2 … wq Compute bitwise XOR of plaintext with sequence of “pseudorandom” bits with some structure n-m bit strings: s1, s2, .. sq generated (such as from a stream cipher using a key k’) use keyed function F on n-m bits that outputs m bits ti = si || Fki(si) ci = wi  ti

11 Basic Idea To search for some wj, tell server Server computes ci  wj
ki for each location i want to search wj Server computes ci  wj checks if it is of the form s || Fki(s) s = first n-m bits, insert into Fki and see if result matches last m bits of ci  w But this requires that Alice reveals all ki’s in subset of data she wants to search and wj

12 Don’t Reveal All ki’s Instead, only reveal key for the wj
Can use one secret key k and a function G to create ki’s : ki = Gk(wi) Reveal wj and Gk(wj) when searching for wj If wj is in location i, does not reveal other keys, ki for i ≠ j Still reveals wj

13 Don’t Reveal Plaintext
wi Esk(wi) Li Ri ciphertext stream cipher si Gki(si)

14 Don’t Reveal Plaintext
Instead of applying process to plaintext (w1, w2, … wq), encrypt wi’s first as individual blocks xi = Esk(wi) Also split xi into Li || Ri where Li is n-m bits (same length as si) to allow decryption – see on next slide Use Li to create ki, ti , xor with xi ki = Gk(Li) ti = si || Fki(si) ci = xi  ti To search for wj, Give server (xj, kj) Server computes ti = ci  xjfor each i checks if ti is of the form si || Fkj(si) if yes, found a match

15 Don’t Reveal Plaintext
xi broken into Li, Ri to allows decryption by someone with the fixed keys k’ (stream cipher) sk (E – encryption of wi’s) k (G – function for creating ki’s) Use k’ to compute si Recover Li: Li = si  (first n-m bits of ci) Use Li to compute ki : ki = Gk(Li) Use ki to recover Ri : Fki(si)  (last m bits of ci) Now have all of xi : xi = Li || Ri Then can recover wi : wi = E-1sk(xi)

16 Security Information leakage
Didn’t cover how to securely index documents After one query, does server know if two documents contain the same wi? Over many queries can determine if document are similar How to hide length of wi? Overhead – typical w not a full block for a block cipher Is each wi padded?

17 Searchable Encryption Curtmola, Garay, Kamara, Ostrovsky Proposal
(Will cover a non-adaptive case) D = set of documents W = of words in D, w is a word in W D(w) = set of documents in D containing w T = lookup table containing information to locate and decrypt elements of A Li = linked list containing identities of documents in D(wi) Each node encrypted under separate key jth node of Li contains pointer to (j+1)st node its key to (need to decrypt jth node to get information for (j+1)st node ) A = array containing all nodes from all LI’s in random order Can’t determine order of LI’s within A Can’t determine length of an Li without traversing it

18 Build Lists Determine words in each D to create D(w)’s
Build linked lists Austin Baltimore Washington

19 Create Lists Encrypt linked lists: establish keys, pointers, encrypt
Austin Baltimore Washington

20 Build Index Table Build lookup table T g( ) f( ) f( ) g( ) f( ) g( )
Austin Baltimore Washington f( ) g( ) f( ) g( )

21 Create Array Merge, scramble linked lists to form A

22 Query Baltimore

23 Performance While traversing lists is linear in length of list but linear by what factor? In practice, is a block cipher used to encrypt each word? Padding? Need to run key schedule and decryption function per node

24 Extensions Can I share my document collection? Malicious servers
Updates

25 Multi-User SSE

26 Multi-User SSE (cont’d)
Similar security notions to single-user SSE’s Secure indexes and trapdoors Revocation: owner can revoke searching privileges Robust against user collusions Anonymity: server should not know who initiated search

27 Initial Work on SSE “Oblivious RAMs” [Ost90,GO96]
Optimal security (even hides access pattern) Poly-logarithmic number of rounds “Practical techniques for searches on encrypted data” [SWP00] First specific construction (PRGs, PRFs, PRPs) Limitations: leaks information; inadequate security definition (IND-CPA) “Secure Indexes” [Goh03] IND2-CKA: semantic security against chosen-keyword attacks Efficient and IND2-CKA construction (PRFs, Bloom filters) “Privacy Preserving Keyword Searches on Remote Encrypted Data” [CM05] Simulation-based security definition Two constructions (PRFs,PRPs) “Searchable Symmetric Encryption: Improved Definitions and Efficient Constructions,” [CGKO06] Proposed four new security definitions Two new efficient constructions for SSE IND2-CKA: Indistinguishability against Chosen-Keyword Attacks

Download ppt "based on slides by Debra Cook"

Similar presentations

Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Self-Healing in Wireless Networks. The self-healing property is expected in many aspects in wireless networks: – Encryption algorithms – Key distribution.

Self-Healing in Wireless Networks. The self-healing property is expected in many aspects in wireless networks: – Encryption algorithms – Key distribution.
Building an Encrypted and Searchable Audit Log Brent Waters Dirk Balfanz Glenn Durfee D.K. Smetters.

Building an Encrypted and Searchable Audit Log Brent Waters Dirk Balfanz Glenn Durfee D.K. Smetters.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Structured Encryption and Controlled Disclosure Melissa Chase Seny Kamara Microsoft Research Asiacrypt '10 1.

Structured Encryption and Controlled Disclosure Melissa Chase Seny Kamara Microsoft Research Asiacrypt '10 1.
Introduction to Practical Cryptography Lecture 9 Searchable Encryption.

Introduction to Practical Cryptography Lecture 9 Searchable Encryption.
1 Searchable Symmetric Encryption: Improved Definitions and Efficient Constructions Reza Curtmola Juan Garay Seny Kamara Rafail Ostrovsky Johns Hopkins.

1 Searchable Symmetric Encryption: Improved Definitions and Efficient Constructions Reza Curtmola Juan Garay Seny Kamara Rafail Ostrovsky Johns Hopkins.
Searchable Symmetric Encryption :Improved Definitions and Efficient Constructions Reza Curtmola Juan Garay Seny Kamara Rafail Ostrovsky.

Searchable Symmetric Encryption :Improved Definitions and Efficient Constructions Reza Curtmola Juan Garay Seny Kamara Rafail Ostrovsky.
Processing Data in External Storage CS 302 - Data Structures Mehmet H Gunes Modified from authors’ slides.

Processing Data in External Storage CS Data Structures Mehmet H Gunes Modified from authors’ slides.
1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.

1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.
Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.

Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.
Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.

Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.
Reza Curtmola Juan Garay Seny Kamara Rafail Ostrovsky

Reza Curtmola Juan Garay Seny Kamara Rafail Ostrovsky
Practical Techniques for Searches on Encrypted Data Author:Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀汶承.

Practical Techniques for Searches on Encrypted Data Author:Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀汶承.
1 Secure Indexes Author : Eu-Jin Goh Presented by Yi Cheng Lin.

1 Secure Indexes Author : Eu-Jin Goh Presented by Yi Cheng Lin.
Encryption Schemes Second Pass Brice Toth 21 November 2001.

Encryption Schemes Second Pass Brice Toth 21 November 2001.
Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig.

Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig.
Secure Cloud Database using Multiparty Computation.

Secure Cloud Database using Multiparty Computation.

Similar presentations

Ads by Google