Presentation is loading. Please wait.

Presentation is loading. Please wait.

Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig.

Published byLesley Burns Modified over 9 years ago

Similar presentations

Presentation on theme: "Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig."— Presentation transcript:

1

2 Practical Techniques for Searches on Encrypted Data Yongdae Kim kyd@cs.umn.edu Written by Song, Wagner, Perrig

3 Contents  Introduction  Basic Cryptography  Schemes  Basic search  Controlled Search  Hidden query  Final scheme  Discussions  Conclusion and open problems

4 Introduction  IEEE Symp. on Security and Privacy 2000  I’m not expert in database, but…  Desirable features  Encrypted data  Encrypted query  Encrypted result  Untrusted server

5 Example  Mail Server  Fully trusted, i.e. sys admin can read my e-mail   Can build secure storage  But need to sacrifice functionality  Moving the computation to the data storage seems to be very difficult  For example, how to search encrypted data?

6 Nice Features  Provably secure  Controlled searching: untrusted server cannot search for a word without owner’s authorization  Hidden queries: user may ask the untrusted server to search for a secret word without revealing the word  Fast and efficient  Do not rely on public key algorithm  Based on stream cipher

7 Other Features  Each document is divided up into “words”  Assume it has same length  Otherwise, pad or split it  Certain computation on the ciphertext  Search method  Indexing  advantageous for read-only data  But faster search  Sequential scan

8 Basics  Cryptography   the study of mathematical techniques related to aspects of information security   such as confidentiality, data integrity, entity authentication, and data origin authentication. Alice Bob Eve

9 Taxonomy of Cryptographic Primitives Arbitrary length hash functions One-way permutations Random sequences Symmetric-key ciphers Arbitrary length hash functions(MACs) Signatures Pseudorandom sequences Identification primitives Public-key ciphers Signatures Identification primitives Unkeyed Primitives Symmetric-key Primitives Public-key Primitives Security Primitives Block ciphers Stream ciphers Symmetric-key ciphers Arbitrary length hash functions(MACs) Block ciphers Stream ciphers

10 Symmetric Key Encryption.  Encryption key and decryption key are same (mostly)  E K (M) = C  D K (C) = M  Ex. DES, AES, IDEA, …  Fast  Based on simple operations (exor, shift, substitute, rotate, …)  How to share a key?

11 Block/Stream ciphers  Block cipher  breaks up the plaintext into blocks of a fixed length,  and then encrypts one block at a time.  Stream cipher  takes the plaintext string and produces a ciphertext string using keystream  M  S = C, C  S = M  where S is a key stream,  is a bit-wise exclusive-or  S is generated by a key stream generator or pseudo- random function

12 Hash function/MAC  Hash function   computationally efficient function   mapping binary strings of arbitrary length to binary strings of some fixed length,  Cryptographic hash function  One-way, collision-free  MAC (Message authentication code)  Keyed hash function  Parties that share a key can check the integrity of data  MAC K (M) = H(K 1 || H(K 2, M))

13 Notations  S i : i-th stream from stream cipher G, n-m bits  W i : i-th word, n bits  C i : i-th cipher text, n bits   : Bitwise exclusive-or  F k (x): MAC of x using key k, m bits output

14 Scheme I: Basic scheme  To search W  Alice reveals {k i | where W may occur}  Bob checks if W i  C i is of the form for some s  For unknown k i, Bob knows nothing  To search W, either  Alice reveal all k i, or   Alice has to know where W may occur  WiWi SiSi F Ki (S i ) F Ki Plaintext Stream Cipher ciphertext

15 Scheme II: Controlled search.  Replace k i = f k’ (W i ) where  k’ is secret, never revealed  f is another MAC with output size = | k i |  Reveal only f k’ (W) and W  Bob identifies only location where W occurs  But reveals nothing on the locations i where W != W i  Still does not support hidden search

16 Scheme III: Hidden Searches. E k” (W i ) SiSi F Ki (S i ) F Ki Plaintext Stream Cipher ciphertext WiWi E k”

17 Scheme III (Cnt’d)  Let X i := E k” (W i )  After the pre-encryption, Alice has X 1, …, X l  Same as before, C i = X i  T i where  X i = E k” (W i )  T i =  T i =  To search W, Alice queries (X, k) such that  X := E k” (W) and k := f k’ (X)

18 A problem of Scheme III  Scheme III has a problem… Guess what?  If Alice generates k i = f k’ (E k” (W i )), she cannot recover the plaintext from the ciphertext.  C i = X i  T i where T i =  C i = X i  T i where T i =  To compute X i from C i, we have to know T i  S i can be computed easily  How about F ki (S i )?  The problem is k i  To compute this, we have to know all E k” (W i ) for all i  Ups! If you know all of these, why do you need search?

19 Scheme IV: The Final Scheme.  Fix  X i = E k” (W i ) = where |L i |=n-m bits  T i = where k i =f k’ (L i ) instead of f k’ (W i )

20 Scheme IV: The Final Picture E k” (W i ) SiSi F ki (S i ) F Ki Plaintext Stream Cipher ciphertext WiWi E k” LiLi f k’ kiki

21 Practical Considerations  Alice only needs to remember only one password k”  Supporting more advanced queries  Boolean operations (W and W’)  Proximity queries (W near W’)  Phrase searches (W immediately precedes W’)

22 Dealing with variable length words  Pick a long enough fixed-size block  A fixed padding is required  Inefficient in space  Support variable length word with word length  Instead of W, use  Instead of W, use  Move pointer bit by bit  Longer scan time, but efficient space

23 Index-based Search  For large database applications  Index contains a list of keywords  each keyword points to documents containing it  Methods  Encrypt keyword and leave pointers unencrypted  Encrypt pointers also  Alice queries encrypted keyword, and Bob returns encrypted pointers  Alice needs to spend extra round  Update cost is expensive

24 Conclusion and Open Problems  Pretty efficient  No public key operation  Small message expansion  Interesting, and useful  Interesting, and useful  Open problems  Searching “Record > 13” ?#^@*#^!  Searching “a[a-z]b” : needs 26 queries

25

Download ppt "Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig."

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.

Computer Science CSC 474By Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.1 Introduction to Cryptography.
CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.

CS 6262 Spring 02 - Lecture #7 (Tuesday, 1/29/2002) Introduction to Cryptography.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Introduction to Practical Cryptography Lecture 9 Searchable Encryption.

Introduction to Practical Cryptography Lecture 9 Searchable Encryption.
1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Digital Signature Key distribution.

1 Counter-measures Threat Monitoring Cryptography as a security tool Encryption Digital Signature Key distribution.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
Block Ciphers: Workhorses of Cryptography COMP 1721 A Winter 2004.

Block Ciphers: Workhorses of Cryptography COMP 1721 A Winter 2004.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.
First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.

First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.

Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.
Practical Techniques for Searches on Encrypted Data Author:Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀汶承.

Practical Techniques for Searches on Encrypted Data Author:Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀汶承.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale CS 591 – Wireless & Network Security Lecture.

Similar presentations

Ads by Google