Searchable Encryption - Indian Statistical Institutelaltu_r/docs/searchable-encryption.pdf · 53%...

Searchable Encryption

Laltu SardarIndian Statistical Institute, Kolkata

Summer Internship in Cryptology

R. C. Bose Centre for Cryptology and Security

May 22-23, 2018

Laltu Sardar (ISI, Kolkata) Searchable Encryption May 22-23, 2018 1 / 103

Introduction Searchable Encryption

Cloud Services

Cloud Computing Services

Amazon Web Services (AWS)

Microsoft Azure

Google Cloud Platform

IBM Cloud

Cloud Storage Services

Google Drive

Dropbox

Microsoft Onedrive

Cloud Services

Microsoft Azure

IBM Cloud

Google Drive

Dropbox

Microsoft Onedrive

Cloud Services

Microsoft Azure

IBM Cloud

Google Drive

Dropbox

Microsoft Onedrive

Can we trust Remote Storage Service Providers?

Cloud Computing and Storage

Email service providers- Gmail, outlook.com, Yahoo! Mail etc.

Stoarge service providers- Google Drive, Dropbox etc.

Institutional Server

Survey Report [CER12]

53% attacks are insider

67% are sensitive or personal data.

Privacy-Preserving Computation

Preserve search privacy → Private Information Retrieval

Data repository is huge → Privacy-preserving data mining

Data are encrypted → Searchable Encryption

Trivial Solution

Encrypt data

Upload data to the cloud server

To perform SEARCH

Download all data

Decrypt data

Perform Search

Re-encrypt and upload

Problems

Huge Communication overhead for the client

Huge Computation at client side

Does NOT solve the purpose of using cloud

Trivial Solution

Encrypt data

To perform SEARCH

Download all data

Decrypt data

Perform Search

Problems

Trivial Solution

Encrypt data

To perform SEARCH

Download all data

Decrypt data

Perform Search

Problems

Trivial Solution

Encrypt data

To perform SEARCH

Download all data

Decrypt data

Perform Search

Problems

Trivial Solution

Encrypt data

To perform SEARCH

Download all data

Decrypt data

Perform Search

Problems

Trivial Solution

Encrypt data

To perform SEARCH

Download all data

Decrypt data

Perform Search

Problems

Trivial Solution

Encrypt data

To perform SEARCH

Download all data

Decrypt data

Perform Search

Problems

Trivial Solution

Encrypt data

To perform SEARCH

Download all data

Decrypt data

Perform Search

Problems

Trivial Solution

Encrypt data

To perform SEARCH

Download all data

Decrypt data

Perform Search

Problems

Trivial Solution

Encrypt data

To perform SEARCH

Download all data

Decrypt data

Perform Search

Problems

Trivial Solution

Encrypt data

To perform SEARCH

Download all data

Decrypt data

Perform Search

Problems

Trivial Solution

Encrypt data

To perform SEARCH

Download all data

Decrypt data

Perform Search

Problems

Trivial Solution

Encrypt data

To perform SEARCH

Download all data

Decrypt data

Perform Search

Problems

Searchable Encryption Goals

Data should be

I OutsourcedI Encrypted

Set Search Goals

I What to searchI Who can search

Client should not

I Wait long for search → Ine�ciencyI Download all dataI Compute much

Protection Needed

I Source DataI Search keywordsI Search Results

Data should be

I OutsourcedI Encrypted

Set Search Goals

Client should not

Protection Needed

Data should beI Outsourced

I Encrypted

Set Search Goals

Client should not

Protection Needed

Data should beI OutsourcedI Encrypted

Set Search Goals

Client should not

Protection Needed

Set Search Goals

Client should not

Protection Needed

Set Search GoalsI What to search

I Who can search

Client should not

Protection Needed

Set Search GoalsI What to searchI Who can search

Client should not

Protection Needed

Client should not

Protection Needed

Client should notI Wait long for search → Ine�ciency

I Download all dataI Compute much

Protection Needed

Client should notI Wait long for search → Ine�ciencyI Download all data

I Compute much

Protection Needed

Client should notI Wait long for search → Ine�ciencyI Download all dataI Compute much

Protection Needed

Protection NeededI Source Data

I Search keywordsI Search Results

Protection NeededI Source DataI Search keywords

I Search Results

Protection NeededI Source DataI Search keywordsI Search Results

Adversarial Model

Who is the adversary?

I Cloud Service Provider

What is the power of adversary?

I In�nite Power can not be assumed

What about channel?

I Secure?I Can it be aborted?

Adversarial Model

Who is the adversary?

I Cloud Service Provider

What about channel?

Adversarial Model

Who is the adversary?I Cloud Service Provider

What about channel?

Adversarial Model

What about channel?

Adversarial Model

What is the power of adversary?I In�nite Power can not be assumed

What about channel?

Adversarial Model

What about channel?

Adversarial Model

What about channel?I Secure?

I Can it be aborted?

Adversarial Model

What about channel?I Secure?I Can it be aborted?

Preliminaries Cryptographic Tools

Cryptographic Tools

Pseudo Random Function (PRF)

De�nition

F : {0, 1}k × {0, 1}n → {0, 1}m

∀ key K ∈ {0, 1}k , and ∀x ∈ {0, 1}n, F (K , x) or (FK (x)) is E�cientlycomputable

F is Indistinguishable from a random Function

Pseudo Random Permutation (PRP)

De�nition

F : {0, 1}k × {0, 1}n → {0, 1}n

Indistinguishable from a random Permutation

Examples

a PRP is a PRF

De�nition

F : {0, 1}k × {0, 1}n → {0, 1}n

Examples

a PRP is a PRF

De�nition

F : {0, 1}k × {0, 1}n → {0, 1}n

Examples

a PRP is a PRF

Pseudo Random Generator (PRG)

De�nition

Deterministic random bit generator

Properties

Given a seed (start state), produces a sequences of randomnumbers/bits

E�cient: Can produce many numbers/bits in a short time

Deterministic: Same seeds generate same sequences of numbers/bits

Periodic: Sequence will eventually repeat itself

Examples

Stream cipher

linear congruential generator

Multiple-recursive generators

De�nition

Properties

Examples

Stream cipher

De�nition

Properties

Examples

Stream cipher

Hash Function

De�nition

An algorithm/function that produces sequences of random numbers/bits.

Features

Publicly known key or no key

Maps arbitrary-size bit-string to a �xed-size bit-string

Deterministic: Same bit-string always results in the same hash

E�cient: Quick to compute the hash value

Properties

Pre-image Resistance, Second pre-image Resistance, CollisionResistance

Examples

SHA-0, SHA-1, SHA-2, SHA-3, MD5, SHA256 etc.

Hash Function

De�nition

Features

Properties

Examples

Hash Function

De�nition

Features

Properties

Examples

Hash Function

De�nition

Features

Properties

Examples

SHA-0, SHA-1, SHA-2, SHA-3, MD5, SHA256 etc.Laltu Sardar (ISI, Kolkata) Searchable Encryption May 22-23, 2018 12 / 103

Preliminaries Data Structures

Data Type and Structures

Linked List

10 a b c d null

Operations

Create (Link List)

Insert (a Node)

Delete (a Node)

Linked List

10 a b c d null

Operations

Create (Link List)

Insert (a Node)

Delete (a Node)

Dictionary

De�nition

A collection of (key-value) pairs, such that each possible key appears atmost once in the collection.

Operations

Create (a Dictionary)

Insert a (key-value) pair (a Node)

Search whether a key exists

Properties

Creation: In constant time

Insertion: In logarithmic time

Search: In constant time

Dictionary

De�nition

Operations

Properties

Dictionary

De�nition

Operations

Properties

First Few Searchable Encryptions Song et al. [SWP00] Scheme

Song et al. [SWP00] Scheme

Scheme I

Encrypt a document D = (W1,W2, . . . ,Wl ) as follows

si are generated using stream cipher

ki are �xed

For each i

Ti = Si ||Fki (Si )Ci = Wi + Ti

Finally uploads Enc(D) = (C1,C2, . . . ,Cl )

Scheme I

ki are �xed

For each i

Scheme I

ki are �xed

For each i

Scheme I

Search

To search for a word W

Must reveal all the ki

Problems

Potentially revealing the entire document

Solution

Alice must know in advance which locations W may appear

Scheme I

Search

Problems

Solution

Scheme I

Search

Problems

Solution

Scheme II

ki = fk ′(Wi ), solves problem with keys

Ti = Si ||fki (Si ), f is a PRF

Ci = Wi + Ti

Search

Only reveals all the fk ′(W ), Controlled searching.

Check all positions

If any decryption matches, returns the Doc

Problems

W is revealed during search

Scheme II

Ci = Wi + Ti

Search

Check all positions

Problems

Scheme II

Ci = Wi + Ti

Search

Check all positions

Problems

Scheme III

Xi = Ek ′′(Wi ), Ek ′′ is a deterministic encryption algorithm

ki = fk ′(Xi )

Ti = Si ||Fki (Xi ),

Ci = Xi + Ti

Scheme III

Search

Compute X = Ek ′′(W )

Compute k = fk ′(X )

Sends (X , k)

Advantages

Searched keyword W is not revealed

Problems

Owner can't recover the plaintext as Ek ′′(Wi ) is needed for decryption

Applicable for Scheme II

Scheme III

Search

Sends (X , k)

Advantages

Problems

Scheme III

Search

Sends (X , k)

Advantages

Problems

Scheme IV- Final Scheme

Xi = Ek ′′(Wi ), Ek ′′ is a deterministic encryption algorithm

Xi =< Li ||Ri >

ki = fk ′(Li ),

Ti = Si ||Fki (Xi ),

Ci = Xi + Ti

Scheme IV

Search

Sends (X , k) computed similarly

Decryption

Generate Si

Recover Li XORing Si with Ci

Recover ki = fk ′(Li ),

Recover Xi

Get Wi Decrypting Xi

Scheme IV

Search

Sends (X , k) computed similarly

Decryption

Generate Si

Recover Li XORing Si with Ci

Recover ki = fk ′(Li ),

Recover Xi

Get Wi Decrypting Xi

Major Disadvantage

Every keywords of every �les have to be decrypted

First Few Searchable Encryptions Eu-Jin Goh [Goh03] Scheme

Eu-Jin Goh [Goh03] Scheme

Main Contribution

De�ned Secure index

Formulated Security Model for indexes

Background

Bloom Filter

A set S = s1, . . . , sn, represented by an array of m bits.

All array bits are initially set to 0

The �lter uses r independent hash functions h1, . . . , hr ,

To determine if an element a belongs to the set S , checks whether allhi (a) are 1 or not

Scheme Overview

Key Generation

Given Security parameter s

f : {0, 1}n × {0, 1}s → {0, 1}s , pseudo-random function

k1, . . . , kr ← {0, 1}s , keys for hash functions

Kpriv ← (k1, . . . , kr )

Build Index

Given Kpriv and a document D = (w0, . . . ,wt) with identi�er Did

For each unique word wi for i ∈ [0, t], -I Compute trapdoor: (x1 = f (wi , k1), . . . , xr = f (wi , kr )) ∈ {0, 1}sr ,I Compute codeword for wi in

Did : (y1 = f (Did , x1), . . . , yr = f (Did , xr )) ∈ {0, 1}srI Insert y1, . . . , yr into Did 's Bloom �lter BF .

Output IDid= (Did ,BF ) as the index for Did .

Scheme Overview

Key Generation

Given Security parameter s

f : {0, 1}n × {0, 1}s → {0, 1}s , pseudo-random function

k1, . . . , kr ← {0, 1}s , keys for hash functions

Kpriv ← (k1, . . . , kr )

Build Index

Given Kpriv and a document D = (w0, . . . ,wt) with identi�er Did

For each unique word wi for i ∈ [0, t], -I Compute trapdoor: (x1 = f (wi , k1), . . . , xr = f (wi , kr )) ∈ {0, 1}sr ,I Compute codeword for wi in

Did : (y1 = f (Did , x1), . . . , yr = f (Did , xr )) ∈ {0, 1}srI Insert y1, . . . , yr into Did 's Bloom �lter BF .

Output IDid= (Did ,BF ) as the index for Did .

Scheme Overview

Trapdoor Generation

Given a keyword w

Tw = (f (w , k1), . . . , f (w , kr ))

Search

(x1, . . . , xr )← Tw

The index IDid= (Did ,BF ) for document Did

For w ComputeDid : (y1 = f (Did , x1), . . . , yr = f (Did , xr)) ∈ {0, 1}sr .Test if BF contains 1's in all r locations denoted by y1, . . . , yr

First Few Searchable Encryptions Chang and Mitzenmacher Scheme

Chang and Mitzenmacher [CM05] Scheme

First Few Searchable Encryptions Chang and Mitzenmacher Scheme

Scheme Description

Privacy Preserving Keyword Searches on Remote Encrypted Data [CM05]

Scheme overview

Skip Now

First Few Searchable Encryptions Issues with the Schemes

Major Issues of Earlier Schemes

Greater Search Complexity: Linear in number of documents

Leaks Access Pattern: Memory addresses of documents that containthe searched keywords

Leaks Search Pattern: Whether two queries were for the same keywordor not

Leakages were not de�ned

Is there any Solution?

Yes, there is.

SSE can be achieved using oblivious RAMs (O-RAM)

Functionality: can simulate any data structure in a hidden way, andcan support conjunctive queries, B-trees etc...

Privacy: hides everything, even the access pattern

E�ciency: logarithmic number of rounds per each read/write

Question?

Can we search over encrypted data in single/constant rounds?

with privacy,

with e�ciency

Yes, there is.

Question?

with privacy,

with e�ciency

Yes, there is.

Question?

with privacy,

with e�ciency

Yes, there is.

Question?

with privacy,

with e�ciency

Curtmola et al. [CGKO06] Scheme

Curtmola et al. [CGKO06] Scheme Preliminaries

Background

Inverted Index

Index data structure

Maps content to its locations in a database

D ← {D1,D2,D3,D4}

D1 ← {cryptography, search,symmetric, encryption}

D2 ← {public, encryption, add}

D3 ← { add, public,cryptography}

D4 ← {search, symmetric,encryption, decryption, add}

Content Locations

encryption [D1,D2,D4]

symmetric [D1,D4]

decryption [D4]

cryptography [D1,D3]

add [D3,D4]

search [D1,D4]

public [D2,D3]

Table: Inverted Index corr. to D

Background

Inverted Index

D ← {D1,D2,D3,D4}

Content Locations

symmetric [D1,D4]

decryption [D4]

add [D3,D4]

search [D1,D4]

public [D2,D3]

Background

Inverted Index

D ← {D1,D2,D3,D4}

Content Locations

symmetric [D1,D4]

decryption [D4]

add [D3,D4]

search [D1,D4]

public [D2,D3]

Background

Inverted Index

D ← {D1,D2,D3,D4}

Content Locations

symmetric [D1,D4]

decryption [D4]

add [D3,D4]

search [D1,D4]

public [D2,D3]

Notations

D = (D1, . . . ,Dn)- Document Collection

Di - Document

T - A Table

A- An Array

Li - The Link list corr. to Di

F - A PRP

G - A PRG

H- A keyed Hash function

Curtmola et al. [CGKO06] Scheme De�nition of SSE

De�nition

A tuple of PPT algorithms as follows

Key Generation:I Input: A security parameter kI Output: A secret key K

Encryption: a document collection DI Input: A secret key K and a document collection D = (D1, . . . ,Dn)I Output: A secure index I and a sequence of ciphertexts

c = (c1, . . . , cn)

Trapdoor Gen: for a keyword wI Input: A secret key K and a keyword wI Output: A trapdoor t ← TrpdrK (w)

Search: for the documents in D that contain a keyword wI Input: An encrypted index I for a data collection D and a trapdoor tI Output: a set X of document identi�ers

Decryption: for an encrypted document Di

I Input: A secret key K and a ciphertext ciI Output: A document Di

De�nition

c = (c1, . . . , cn)

De�nition

c = (c1, . . . , cn)

De�nition

c = (c1, . . . , cn)

De�nition

c = (c1, . . . , cn)

De�nition

c = (c1, . . . , cn)

Curtmola et al. [CGKO06] Scheme Scheme Overview

Build Inverted Index

Encrypt List Entries

Make Search Table

Encrypt 1st Node

Encrypt Table

Search: Generate Trapdoor

Search: Decrypt List

Search: Return Result

Curtmola et al. [CGKO06] Scheme Advantages of Curtmola et al. [CGKO06] Scheme

Advantages

Search Complexities

# decryption ← O(Search Result)

Communication Complexities

# rounds ← constant

Privacy

Advantages

Search Complexities

Privacy

Advantages

Search Complexities

Privacy

Advantages

Search Complexities

Privacy

Dynamic SSE Introduction

Issues

Previous Schemes are STATIC

One encrypted index is generated, Can't be changed

Does not support Addition of document

Does not support Deletion of document

Does not support Addition of word in a document

Does not support Deletion of word from a document

In Practical

Database should support word of �le updates

Dynamic SSE

SSE that Supports updates

Issues

In Practical

Dynamic SSE

Issues

In Practical

Dynamic SSE

De�nition of Dynamic SSE

Skip Now :)

De�nition of Dynamic SSE

Skip Now :)

Few Remarkable works on Dynamic SSE

Dynamic SSE Kamara et al. [KPR12] Scheme

Kamara et al. [KPR12] Scheme

Scheme Overview

1st ever work on Dynamic SSE

Improvement over Curtmola et al. [CGKO06].

Inverted Index Based

Instead of one, used TWO indexes-

I Search index - Inverted indexI Deletion Index - General index

Scheme Overview

Instead of one, used TWO indexes-I Search index - Inverted index

I Deletion Index - General index

Scheme Overview

Instead of one, used TWO indexes-I Search index - Inverted indexI Deletion Index - General index

Example

Issues

Complex Scheme- Di�cult To Implement

Nodes were at Random location- Sequential operation

Dynamic SSE Kamara et al. [KP13] Scheme

Kamara et al. [KP13] Scheme

Scheme Overview

Search or update can be done in Parallel

Extra: do not leak information about the keywords contained in anewly added or deleted document

Used tree-based multi-map data structure- keyword red-black (KRB)tree

Scheme Overview

Background

(k ,m) Hash Table

A table of (key , value) pairs

key ∈ {0, 1}k

at most m entries

KRB Tree

key ∈ {0, 1}k

at most m entries

Background

(k ,m) Hash Table

key ∈ {0, 1}k

at most m entries

KRB Tree

key ∈ {0, 1}k

at most m entries

Background

(k ,m) Hash Table

key ∈ {0, 1}k

at most m entries

KRB Tree

key ∈ {0, 1}k

at most m entries

Background

(k ,m) Hash Table

key ∈ {0, 1}k

at most m entries

KRB Tree

key ∈ {0, 1}k

at most m entries

KRB-Based Dynamic SSE

Scheme Overview

On White-Board

Dynamic SSE Other Remarkable Works

Remarkable Works Till Today

Stefanov et al. [SPS14] Scheme

Practical Dynamic Searchable Encryption with Small Leakage

Naveed et al. [NPG14] Scheme

Dynamic Searchable Encryption via Blind Storage

Cash et al. [CJJ+14] Scheme

Dynamic Searchable Encryption in Very-Large Databases: DataStructures and Implementation

Hahn and Kerschbaum. [HK14] Scheme

Searchable Encryption with Secure and E�cient Updates

Kamara et al. [KM17] Scheme

Boolean SSE with Worst-Case Sub-linear Complexity

Boolean SSE with Worst-Case Sub-linear ComplexityLaltu Sardar (ISI, Kolkata) Searchable Encryption May 22-23, 2018 57 / 103

Other Papers on Statistical Attacks

Attacks on Searchable Encryption Scheme

Other Papers on Statistical Attacks Islam et al. [IKK12] Attack

Islam et al. [IKK12] Attack

Access Pattern disclosure on Searchable Encryption: Rami�cation, Attackand Mitigation

1st to investigate- Access Pattern disclosure on Searchable Encryption

Attack the existing Schemes with few assumptions

Provide solution to the problem

Attack Overview

Assumptions

Attacker observes Q =< Q1, . . . ,Ql > and their responses< RQ1 , . . . ,RQl

Attacker knows the underlying keywords for a set of k queries: KQ

Attacker has access to a (m ×m) matrix M s.t.Mi ,j = Pr [(ki ∈ d) ∧ (kj ∈ d)] , here d is sampled uniformly from D.

Attack Process

From knowledge of d (sampled uniformly from D)I From publicly known large dataset, ex. WikiLeaksI Inside Attacker may have access to the sizable subset of the dataset

From publicly known large datasetI Attacker can calculate frequency of keywords i.e., Pr [(ki ∈ d)]I Attacker can calculate Mi,j = Pr [(ki ∈ d) ∧ (kj ∈ d)]

They later considered Pr [(ki1 ∈ d) ∧ . . . ∧ (kir ∈ d)]

Attack Overview

Assumptions

Attacker observes Q =< Q1, . . . ,Ql > and their responses< RQ1 , . . . ,RQl

Attacker knows the underlying keywords for a set of k queries: KQ

Attacker has access to a (m ×m) matrix M s.t.Mi ,j = Pr [(ki ∈ d) ∧ (kj ∈ d)] , here d is sampled uniformly from D.

Attack Process

From knowledge of d (sampled uniformly from D)I From publicly known large dataset, ex. WikiLeaksI Inside Attacker may have access to the sizable subset of the dataset

From publicly known large datasetI Attacker can calculate frequency of keywords i.e., Pr [(ki ∈ d)]I Attacker can calculate Mi,j = Pr [(ki ∈ d) ∧ (kj ∈ d)]

They later considered Pr [(ki1 ∈ d) ∧ . . . ∧ (kir ∈ d)]Laltu Sardar (ISI, Kolkata) Searchable Encryption May 22-23, 2018 60 / 103

Attack Overview

Attack Result

Knowing only subset of D signi�cant # queries can be guessed

(α, 0)- secure index

For each keyword, there are at least α− 1 keywords which appearexactly in the same set of documents.

It's hard for an attacker to distinguish a keyword given the queryresponse of that particular keyword.

Proposed a noise addition technique

Inject false positive docs so that index remains (α, 0)- secure

User can later decrypt the document and reject if the keywords is notpresent

Attack Overview

Attack Result

Attack Overview

Attack Result

Other Papers on Statistical Attacks Naveed et al. [NKW15] Attack

Inference Attacks on Property-Preserving EDB (Naveed etal. [NKW15])

SKIP NOW

Property Preserving Encryption (PPE)

Leaks a certain property of the plaintext

Order Preserving Encryption (PPE): Reveals the order of the messages(i.e., the order property).

Deterministic Encryption (PPE): Reveals whether they are equal ornot (i.e., the equality property).

Where is it Applicable?

Searchable encryption that supports Range queries

PPE Based database CryptDB and its variants

SKIP NOW

Attack Techniques

Frequency analysis: DTE

lp-optimization: DTE

Sorting attack: OPE

Cumulative attack: OPE

Other Papers on Statistical Attacks Cash et al. [CGPR15] Attack

Leakage-Abuse Attacks (Cash et al. [CGPR15])

Leakage-Abuse Attacks Against Searchable Encryption

Query recovery attack: Determining the plaintext of queries that havebeen issued by the client

Partial plaintext recovery attack: Reconstruct indexed documents asmuch as possible

Query recovery attack

Attack Model

Count Attack:

Server knows count(w)∀w ∈W

Fully document knowledge

Solution?

Padding

Adding Garbage doc id in the index

Query recovery attack from Partially known Docs

See Islam et al. [IKK12]

Query recovery attack

Attack Model

Count Attack:

Server knows count(w)∀w ∈W

Fully document knowledge

Solution?

Padding

Adding Garbage doc id in the index

Query recovery attack from Partially known Docs

See Islam et al. [IKK12]

Partial plaintext recovery attack

Known-Document Attack

Active Attacks

Order of Hashes Known

Order of Hashes Unknown

Active Attacks

Hash order known for chosen document

Hash order unknown for chosen documents

Active Attacks

Other Papers on Statistical Attacks File Injection Attack (Zhang et al. [ZKP16])

File Injection Attack (Zhang et al. [ZKP16])

File Injection Attack

All Your Queries Are Belong to Us: The Power of File-Injection Attacks onSearchable Encryption

Attack Overview

Focused on Query Recover Attack

Applicable for Dynamic SSEs

Attack does not require the server to have any knowledge about theclient's �les

Recovers all the keywords being searched by the client with 100%accuracy

Attack Overview

Binary search Attack

Process

Insert #logK �les.

ith �le contains exactly those keywords whose ith most-signi�cant bitis 1

If a keyword w is searched and returns then it matches returned �leswith its injected ones.

Reduction in # �les

If targeted keyword set K ′ ⊂ K

Process

Insert #logK �les.

ith �le contains exactly those keywords whose ith most-signi�cant bitis 1

If a keyword w is searched and returns then it matches returned �leswith its injected ones.

Reduction in # �les

If targeted keyword set K ′ ⊂ K

Hierarchical File Injection

Considers K ′ instead of K

Apply Binary search on K

# �les to be injected ≈ d|K |/2T e.(dlog 2T e+ 1)

Solution

The Rest of the paper Assume partial knowledge of documents

Attack adaptive and statistical

Applicable for the scheme which are not Forward Private.

Forward Privacy: The server cannot tell if a newly inserted �lematches previous search queries

Examples: Stefanov et al. [SPS14], Raphael Bost [Bos16]

Solution

Forward Private DSSE

Forward Private DSSE Example of Forward-Secure DSSE

Few Examples of Forward-Secure DSSE

Stefanov et al. [SPS14]

Σoφoς (Sophos) Bost [Bos16] in 2016

Bost et al. [BMO17] in 2017

Rizomiliotis and Gritzalis [RG15], ORAM Based

Lai and Chow [LC17] based on Bipartite Graph

We have focused on Σoφoς

Forward Private DSSE Σoφoς

Σoφoς

Devided into two partsI Σoφoς-BI Σoφoς

Σoφoς-B -> Idea

Σoφoς-B -> Setup

Σoφoς-B -> Search

Search(w , σ,EDB)

Σoφoς-B -> Update

Problem with Σoφoς-B

No Deletion and Huge Client Storage

Enabling Deletion

Adding Extra Database for Deletion

Searching eliminate the deleted docs

Problem: Database size grows with time even after deletion

Any Solution?

Client-Storage Reduction

ST0 can be generated using PRF

From ST0 compute STc

Still, keyword id and counter have to be stored

Results large Computation

Any solution?

Enabling Deletion

Any Solution?

Any solution?

Enabling Deletion

Any Solution?

Any solution?

Enabling Deletion

Any Solution?

Any solution?

Enabling Deletion

Any Solution?

Any solution?

Enabling Deletion

Any Solution?

Any solution?

Enabling Deletion

Any Solution?

Any solution?

Enabling Deletion

Any Solution?

Any solution?

Enabling Deletion

Any Solution?

Any solution?

Enabling Deletion

Any Solution?

Any solution?

Enabling Deletion

Any Solution?

Any solution?

Enabling Deletion

Any Solution?

Any solution?

Security of SSE Scheme

Security of Searchable Encryption Schemes

Security of SSE Scheme How to De�ne Security

Security De�nition of SSE

First Formal De�nition by Curtmola et al. [CGKO06].

Approaches

Indistinguishability

Semantic Security

Adversary Types

Non-Adaptive: Queries don't depend on previous results

Adaptive: Queries depend on previous results

First Formal De�nition by Curtmola et al. [CGKO06].

Approaches

Indistinguishability

Semantic Security

Adversary Types

Non-Adaptive: Queries don't depend on previous results

Adaptive: Queries depend on previous results

Notations

D← Collection of documents

w← {w1, . . . ,wq}, set of keywords for queriesHistory H ← (D,w)

Access pattern α(H)← (D(w1), . . . ,D(wq)),

Search pattern σ(H)← M(= (mij)q×q where mij = 1 if wi = wj else0)

Trace τ(H)← (|D1|, . . . , |Dn|, α(H), σ(H))

Notations

D← Collection of documents

w← {w1, . . . ,wq}, set of keywords for queriesHistory H ← (D,w)

Access pattern α(H)← (D(w1), . . . ,D(wq)),

Search pattern σ(H)← M(= (mij)q×q where mij = 1 if wi = wj else0)

Trace τ(H)← (|D1|, . . . , |Dn|, α(H), σ(H))

Security of SSE Scheme Indistinguishability

Non-Adaptive Indistinguishability Game IndSSE ,A(k)

Challenger C Adversary A

K ← Gen(1k)

b$←− {0, 1}

parse Hb as (Db,wb)

(Ib, cb)← EncK (Db)

for 1 ≤ i ≤ q do{tb,i ← TrpdrK (wb,i )}tb = (tb,1, . . . , tb,q)

Sends (Ib, cb, tb) to A

(stA,H0,H1)← A1(1k)

Sends (H0,H1) to Cb′ ← A2(stA, Ib, cb, tb)

Outputs 1 if b = b′, else output 0

SSE is secure if Pr [IndSSE ,A(k) = 1] ≤ 12 + negl(k)

K ← Gen(1k)

b$←− {0, 1}

parse Hb as (Db,wb)

(stA,H0,H1)← A1(1k)

K ← Gen(1k)

b$←− {0, 1}

parse Hb as (Db,wb)

(stA,H0,H1)← A1(1k)

K ← Gen(1k)

b$←− {0, 1}

parse Hb as (Db,wb)

(stA,H0,H1)← A1(1k)

K ← Gen(1k)

b$←− {0, 1}

parse Hb as (Db,wb)

(stA,H0,H1)← A1(1k)

Sends (H0,H1) to C

b′ ← A2(stA, Ib, cb, tb)

K ← Gen(1k)

b$←− {0, 1}

parse Hb as (Db,wb)

(stA,H0,H1)← A1(1k)

Sends (H0,H1) to C

K ← Gen(1k)

b$←− {0, 1}

parse Hb as (Db,wb)

(stA,H0,H1)← A1(1k)

Sends (H0,H1) to C

K ← Gen(1k)

b$←− {0, 1}

parse Hb as (Db,wb)

(stA,H0,H1)← A1(1k)

Sends (H0,H1) to C

K ← Gen(1k)

b$←− {0, 1}

parse Hb as (Db,wb)

for 1 ≤ i ≤ q do{tb,i ← TrpdrK (wb,i )}

tb = (tb,1, . . . , tb,q)

(stA,H0,H1)← A1(1k)

Sends (H0,H1) to C

K ← Gen(1k)

b$←− {0, 1}

parse Hb as (Db,wb)

(stA,H0,H1)← A1(1k)

Sends (H0,H1) to C

K ← Gen(1k)

b$←− {0, 1}

parse Hb as (Db,wb)

(stA,H0,H1)← A1(1k)

Sends (H0,H1) to C

K ← Gen(1k)

b$←− {0, 1}

parse Hb as (Db,wb)

(stA,H0,H1)← A1(1k)

K ← Gen(1k)

b$←− {0, 1}

parse Hb as (Db,wb)

(stA,H0,H1)← A1(1k)

K ← Gen(1k)

b$←− {0, 1}

parse Hb as (Db,wb)

(stA,H0,H1)← A1(1k)

Adaptive Indistinguishability Game Ind∗SSE ,A(k)

K ← Gen(1k)

b$←− {0, 1}

Generate and Send(Ib, cb)← EncK (Db)

Generate and Sendtb,1 ← TrpdrK (wb,1)

Generate and Send{tb,i ← TrpdrK (wb,i )}

(stA,D0,D1)← A0(1k)

Sends (D0,D1) to C(stA,w0,1,w1,1)← A1(stA, Ib, cb)

Sends w0,1,w1,1

(stA,w0,i ,w1,i )←Ai (stA, Ib, cb, tb,1, . . . , tb,q−1) andSend (w0,i ,w1,i )

Let tb = (tb,1, . . . , tb,q)

SSE is secure if Pr [Ind∗SSE ,A(k) = 1] ≤ 12 + negl(k)

K ← Gen(1k)

b$←− {0, 1}

(stA,D0,D1)← A0(1k)

Sends w0,1,w1,1

Let tb = (tb,1, . . . , tb,q)

K ← Gen(1k)

b$←− {0, 1}

(stA,D0,D1)← A0(1k)

Sends w0,1,w1,1

Let tb = (tb,1, . . . , tb,q)

K ← Gen(1k)

b$←− {0, 1}

(stA,D0,D1)← A0(1k)

Sends w0,1,w1,1

Let tb = (tb,1, . . . , tb,q)

K ← Gen(1k)

b$←− {0, 1}

(stA,D0,D1)← A0(1k)

Sends (D0,D1) to C

(stA,w0,1,w1,1)← A1(stA, Ib, cb)

Sends w0,1,w1,1

Let tb = (tb,1, . . . , tb,q)

K ← Gen(1k)

b$←− {0, 1}

(stA,D0,D1)← A0(1k)

Sends (D0,D1) to C

Sends w0,1,w1,1

Let tb = (tb,1, . . . , tb,q)

K ← Gen(1k)

b$←− {0, 1}

(stA,D0,D1)← A0(1k)

Sends (D0,D1) to C

Sends w0,1,w1,1

Let tb = (tb,1, . . . , tb,q)

K ← Gen(1k)

b$←− {0, 1}

(stA,D0,D1)← A0(1k)

Sends (D0,D1) to C

Sends w0,1,w1,1

Let tb = (tb,1, . . . , tb,q)

K ← Gen(1k)

b$←− {0, 1}

(stA,D0,D1)← A0(1k)

Sends w0,1,w1,1

Let tb = (tb,1, . . . , tb,q)

K ← Gen(1k)

b$←− {0, 1}

(stA,D0,D1)← A0(1k)

Sends w0,1,w1,1

Let tb = (tb,1, . . . , tb,q)

K ← Gen(1k)

b$←− {0, 1}

(stA,D0,D1)← A0(1k)

Sends w0,1,w1,1

Let tb = (tb,1, . . . , tb,q)

K ← Gen(1k)

b$←− {0, 1}

(stA,D0,D1)← A0(1k)

Sends w0,1,w1,1

Let tb = (tb,1, . . . , tb,q)

K ← Gen(1k)

b$←− {0, 1}

(stA,D0,D1)← A0(1k)

Sends w0,1,w1,1

Let tb = (tb,1, . . . , tb,q)

K ← Gen(1k)

b$←− {0, 1}

(stA,D0,D1)← A0(1k)

Sends w0,1,w1,1

Let tb = (tb,1, . . . , tb,q)

K ← Gen(1k)

b$←− {0, 1}

(stA,D0,D1)← A0(1k)

Sends w0,1,w1,1

Let tb = (tb,1, . . . , tb,q)

K ← Gen(1k)

b$←− {0, 1}

(stA,D0,D1)← A0(1k)

Sends w0,1,w1,1

Let tb = (tb,1, . . . , tb,q)

Security of SSE Scheme Real-Ideal Game Paradigm

Non-Adaptive Semantic Security

Security of SSE Scheme Real-Ideal Game Paradigm

Adaptive Semantic Security

Security of SSE Scheme Non-Adaptive Semantic Security for DSSE

Adaptive Semantic Security for DSSE

RealA(λ):

1 The challenger C generates a key K by running Gen(1λ).

2 A generates a set of �les f and sends it to C.3 C computes (γ, c)← Build(K , f) and sends (γ, c) to A4 A makes polynomial number of adaptive queries. In each query A

sends either a search query for a keyword w or an add query for a �lef1 or a delete query for a �le f2 to C.

5 Depending on the query, C returns either the search tokents ← SearchToken(K ,w) or the add token ta ← AddToken(K , f1) orthe delete token td ← DelToken(K , f2) to A.

6 Finally A returns a bit b that is output by the experiment.

Adaptive Semantic Security for DSSE

IdealA,S(λ):

1 A generates a set of �les f. It gives f and Lbld (f) to S.2 On receiving Lbld (f), S generates (γ, c) and sends it to A3 A makes polynomial number of adaptive queries q ∈ {w , f1, f2}. For

each query, S is given either Lsrch(w , f) or Ladd (f1, f) or Ldel (f2, f).4 Depending on the query q, S returns to A either search token ts or

add token ta or delete token td .

5 Finally A returns a bit b that is output by the experiment.

Security

|Pr [RealA(λ) = 1]− Pr [IdealA,S(λ) = 1]| ≤ µ(λ)

Searchable Encryption with Complex Queries

Searchable Encryption with Complex Queries Few Example Schemes

Di�erent type of Queries

Range Queries

Given two keywords w1 and w2, �nd all keywords between w1 and w2.

Order should be de�ned

Existing schemes: Ishai et al. [IKLO16], Fisch et al. [FVK+15]

Conjunctive Queries:

Disjunctive Queries

Boolean Queries:

Substring Queries:

Phrase Queries:

Range Queries

Disjunctive Queries

Boolean Queries:

Substring Queries:

Phrase Queries:

Range Queries

Disjunctive Queries

Boolean Queries:

Substring Queries:

Phrase Queries:

Range Queries

Disjunctive Queries

Boolean Queries:

Substring Queries:

Phrase Queries:

Range Queries

Disjunctive Queries

Boolean Queries:

Substring Queries:

Phrase Queries:

Range Queries

Disjunctive Queries

Boolean Queries:

Substring Queries:

Phrase Queries:

Range Queries

Disjunctive Queries

Boolean Queries:

Substring Queries:

Phrase Queries:

Range Queries

Disjunctive Queries

Boolean Queries:

Substring Queries:

Phrase Queries:

Range Queries

Disjunctive Queries

Boolean Queries:

Substring Queries:

Phrase Queries:

Generalization of Searchable Encryption

Generalization of Searchable Encryption Few Schemes on Graph Encryption

Graph Encryption

Graph Encryption is a generalization of Searchable Encryption

It can be considered as Bipartite Graph

I Set of documentsI set of keywordsI Each document is connected with multiple keywordsI Each keyword is connected with multiple documents

Lai and Chow [LC17] proposed a forward-secure Searchable Encryptionconsidering it as a Bipartite Graph

More complex queries can be solved if Graph encryption becomee�cient

Graph Encryption

It can be considered as Bipartite Graph

I Set of documentsI set of keywordsI Each document is connected with multiple keywordsI Each keyword is connected with multiple documents

Graph Encryption

It can be considered as Bipartite GraphI Set of documents

I set of keywordsI Each document is connected with multiple keywordsI Each keyword is connected with multiple documents

Graph Encryption

It can be considered as Bipartite GraphI Set of documentsI set of keywords

I Each document is connected with multiple keywordsI Each keyword is connected with multiple documents

Graph Encryption

It can be considered as Bipartite GraphI Set of documentsI set of keywordsI Each document is connected with multiple keywords

I Each keyword is connected with multiple documents

Graph Encryption

It can be considered as Bipartite GraphI Set of documentsI set of keywordsI Each document is connected with multiple keywordsI Each keyword is connected with multiple documents

Graph Encryption

Future Research Direction

Scope of Research

Future Research Direction Forward Secure Schemes

Future Research Directions

E�cient Forward Secure Scheme Design

New techniques can be applied to propose new SSE/DSSE scheme

E�cient Attacks on existing schemes

Provide Solutions of the attacks

Complex queries on Encrypted Data/DSSE

Complex queries on Encrypted Graph

References

Raphaël Bost, Brice Minaud, and Olga Ohrimenko.

Forward and backward private searchable encryption from constrained

cryptographic primitives.

In Proceedings of the 2017 ACM SIGSAC Conference on Computer and

Communications Security, CCS '17, pages 1465�1482, New York, NY, USA, 2017.

Raphael Bost.

Sophos - forward secure searchable encryption.

IACR Cryptology ePrint Archive, 2016:728, 2016.

2012 cybersecurity watch survey: How bad is the insider threat?

Reza Curtmola, Juan A. Garay, Seny Kamara, and Rafail Ostrovsky.

Searchable symmetric encryption: improved de�nitions and e�cient constructions.

In Proceedings of the 13th ACM Conference on Computer and Communications

Security, CCS 2006, Alexandria, VA, USA, Ioctober 30 - November 3, 2006, pages

79�88, 2006.

References

David Cash, Paul Grubbs, Jason Perry, and Thomas Ristenpart.

Leakage-abuse attacks against searchable encryption.

In Proceedings of the 22nd ACM SIGSAC Conference on Computer and

Communications Security, Denver, CO, USA, October 12-6, 2015, pages 668�679,

David Cash, Joseph Jaeger, Stanislaw Jarecki, Charanjit S. Jutla, Hugo Krawczyk,

Marcel-Catalin Rosu, and Michael Steiner.

Dynamic searchable encryption in very-large databases: Data structures and

implementation.

In 21st Annual Network and Distributed System Security Symposium, NDSS 2014,

San Diego, California, USA, February 23-26, 2014, 2014.

Yan-Cheng Chang and Michael Mitzenmacher.

Privacy preserving keyword searches on remote encrypted data.

In Applied Cryptography and Network Security, Third International Conference,

ACNS 2005, New York, NY, USA, June 7-10, 2005, Proceedings, pages 442�455,

References

Ben A. Fisch, Binh Vo, Fernando Krell, Abishek Kumarasubramanian, Vladimir

Kolesnikov, Tal Malkin, and Steven M. Bellovin.

Malicious-client security in blind seer: A scalable private DBMS.

In 2015 IEEE Symposium on Security and Privacy, SP 2015, San Jose, CA, USA,

May 17-21, 2015, pages 395�410, 2015.

Eu-Jin Goh.

Secure indexes.

IACR Cryptology ePrint Archive, 2003:216, 2003.

Florian Hahn and Florian Kerschbaum.

Searchable encryption with secure and e�cient updates.

In Proceedings of the 2014 ACM SIGSAC Conference on Computer and

Communications Security, Scottsdale, AZ, USA, November 3-7, 2014, pages

310�320, 2014.

Mohammad Saiful Islam, Mehmet Kuzu, and Murat Kantarcioglu.

Access pattern disclosure on searchable encryption: Rami�cation, attack and

mitigation.

In 19th Annual Network and Distributed System Security Symposium, NDSS 2012,

References

Yuval Ishai, Eyal Kushilevitz, Steve Lu, and Rafail Ostrovsky.

Private large-scale databases with distributed searchable symmetric encryption.

In Topics in Cryptology - CT-RSA 2016 - The Cryptographers' Track at the RSA

Conference 2016, San Francisco, CA, USA, February 29 - March 4, 2016,

Proceedings, pages 90�107, 2016.

Seny Kamara and Tarik Moataz.

Boolean searchable symmetric encryption with worst-case sub-linear complexity.

In Advances in Cryptology - EUROCRYPT 2017 - 36th Annual International

Conference on the Theory and Applications of Cryptographic Techniques, Paris,

France, April 30 - May 4, 2017, Proceedings, Part III, pages 94�124, 2017.

Seny Kamara and Charalampos Papamanthou.

Parallel and dynamic searchable symmetric encryption.

In Financial Cryptography and Data Security - 17th International Conference, FC

2013, Okinawa, Japan, April 1-5, 2013, Revised Selected Papers, pages 258�274,

References

Seny Kamara, Charalampos Papamanthou, and Tom Roeder.

Dynamic searchable symmetric encryption.

In the ACM Conference on Computer and Communications Security, CCS'12,

Raleigh, NC, USA, October 16-18, 2012, pages 965�976, 2012.

Russell W. F. Lai and Sherman S. M. Chow.

Forward-secure searchable encryption on labeled bipartite graphs.

In Applied Cryptography and Network Security - 15th International Conference,

ACNS 2017, Kanazawa, Japan, July 10-12, 2017, Proceedings, pages 478�497,

Muhammad Naveed, Seny Kamara, and Charles V. Wright.

Inference attacks on property-preserving encrypted databases.

In Proceedings of the 22nd ACM SIGSAC Conference on Computer and

Communications Security, Denver, CO, USA, October 12-6, 2015, pages 644�655,

Muhammad Naveed, Manoj Prabhakaran, and Carl A. Gunter.

Dynamic searchable encryption via blind storage.

In 2014 IEEE Symposium on Security and Privacy, SP 2014, Berkeley, CA, USA,

May 18-21, 2014, pages 639�654, 2014.

References

Panagiotis Rizomiliotis and Stefanos Gritzalis.

ORAM based forward privacy preserving dynamic searchable symmetric encryption

schemes.

In Proceedings of the 2015 ACM Workshop on Cloud Computing Security

Workshop, CCSW 2015, Denver, Colorado, USA, October 16, 2015, pages 65�76,

Emil Stefanov, Charalampos Papamanthou, and Elaine Shi.

Practical dynamic searchable encryption with small leakage.

In 21st Annual Network and Distributed System Security Symposium, NDSS 2014,

Dawn Xiaodong Song, David A. Wagner, and Adrian Perrig.

Practical techniques for searches on encrypted data.

In 2000 IEEE Symposium on Security and Privacy, Berkeley, California, USA, May

14-17, 2000, pages 44�55, 2000.

References

Yupeng Zhang, Jonathan Katz, and Charalampos Papamanthou.

All your queries are belong to us: The power of �le-injection attacks on searchable

encryption.

In 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA,

August 10-12, 2016., pages 707�720, 2016.

Questions

Questions?

thankyou

Searchable Encryption - Indian Statistical Institutelaltu_r/docs/searchable-encryption.pdf · 53%...

Documents

Transcript of Searchable Encryption - Indian Statistical Institutelaltu_r/docs/searchable-encryption.pdf · 53%...