Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check...
Transcript of Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check...
![Page 1: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/1.jpg)
Searchable EncryptionNew Constructions of Encrypted Databases
Raphael Bost - 8/01/2017Slides at https://r.bost.fyi/phd
![Page 2: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/2.jpg)
![Page 3: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/3.jpg)
![Page 4: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/4.jpg)
Searchable EncryptionOutsource data
Securely
Keep search functionalities
Aimed at efficiency
… we have to leak some information …
… and this can lead to devastating attacks
![Page 5: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/5.jpg)
An example: property preserving encryption
Deterministic encryption, Order Preserving Encryption
Legacy compatible (works on top of unencrypted DB)
Very efficient
Not secure in practice (frequency analysis)
![Page 6: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/6.jpg)
Client
Security of SEEverything the server learns can be computed from the leakage
Adversary
![Page 7: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/7.jpg)
Client
Security of SEEverything the server learns can be computed from the leakage
Adversary
![Page 8: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/8.jpg)
Security of SEEverything the server learns can be computed from the leakage
Simulator
LeakageReal Client Adversary
![Page 9: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/9.jpg)
Simulator
Security of SEEverything the server learns can be computed from the leakage
LeakageReal Client Adversary
![Page 10: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/10.jpg)
Leakage
Simulator
Security of SEEverything the server learns can be computed from the leakage
Real Client Adversary
? ? ?
Ideal World
![Page 11: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/11.jpg)
Examples of leakage
After a search, the user will access the matching documents. This will reveal the search result.
When the user searches for the same keyword twice, the server might learn that the query has been repeated.
In both cases, trying to get rid of this leakage is expensive
![Page 12: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/12.jpg)
An explicit tradeoff between security and performance
Oblivious RAM lower bound: if one wants to hide the access pattern to a memory of size N, the computational overhead is
A similar lower bound exists for searchable encryption: a search pattern-hiding SE incurs a search overhead of
Ω!logNlogσ
"
log (|DB |
nw)
log
![Page 13: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/13.jpg)
Constructing encrypted databases
![Page 14: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/14.jpg)
w D2D1 D3 D4 D5 D6Kw
Client
Server
![Page 15: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/15.jpg)
w’ Kw’
Client
Server
D’2D’1 D’3 D’4 D’5
![Page 16: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/16.jpg)
w Kw
Client
Server
D2 D1 D3 D4D5D6
![Page 17: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/17.jpg)
D2 D6 D1 D3 D5 D4
w Kw
Client
Server
D7
KwI know that w was
updated !
D7
![Page 18: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/18.jpg)
File injection attacks [ZKP’16]
Insert purposely crafted documents in the DB (e.g. spam for encrypted emails)
log |W| injected documents
D1 w1 w2 w3 w4 w5 w6 w7 w8
D2 w1 w2 w3 w4 w5 w6 w7 w8
D3 w1 w2 w3 w4 w5 w6 w7 w8
K
![Page 19: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/19.jpg)
Active adaptive attacksThese adaptive attacks use the update leakage
We need SE schemes with oblivious updates
Forward Privacy
![Page 20: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/20.jpg)
Forward privacyForward private: an update does not leak any information
Secure online build of the EDB
Only one scheme existed so far [SPS’14]
ORAM-like construction
Inefficient updates
Large client storage
![Page 21: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/21.jpg)
How to achieve forward privacy efficiently?
![Page 22: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/22.jpg)
ST
…
ST’
![Page 23: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/23.jpg)
ST1 STn+1ST2 STn…
UTn+1UT1 UT2 UTn…
H(.)
H(.)
H(.)
H(.)
![Page 24: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/24.jpg)
ST1 STn+1ST2 STn…
UTn+1UT1 UT2 UTn…
H(.)
H(.)
H(.)
H(.)
Naïve solution: STi(w) = F(Kw,i), send all STi(w)’s
Client needs to send n tokens
Use a trapdoor permutation (client has the secret key, server has the public key, and cannot compute the inverse)
πPK πPK πPK πPK
π-1SK π-1SK π-1SK π-1SK
![Page 25: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/25.jpg)
ST1 STn+1ST2 STn…
UTn+1UT1 UT2 UTn…
π-1SK π-1SK π-1SK π-1SK
πPK πPK πPK πPK
H(.)
H(.)
H(.)
H(.)
Search: Client: constant Server: # results
Update: Client: constant Server: constant
Optimal
![Page 26: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/26.jpg)
ST1 STn+1ST2 STn…
UTn+1UT1 UT2 UTn…
π-1SK π-1SK π-1SK π-1SK
πPK πPK πPK πPK
H(.)
H(.)
H(.)
H(.)
Storage: Client: # distinct keywords Server: # database entries
![Page 27: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/27.jpg)
Σoφoς
Forward private index-based scheme
Very simple
Efficient search (IO bounded)
Asymptotically efficient update In practice, very low update throughput 4300 updates/s — 20x slower than other work
![Page 28: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/28.jpg)
Another path towards forward privacy
![Page 29: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/29.jpg)
ST
…
ST’
![Page 30: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/30.jpg)
ST
…
ST’
![Page 31: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/31.jpg)
Constrained PRFCan we restrict the evaluation of F(Kw,.) on [1,n]?
K Evaluation F(K,x)
x
![Page 32: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/32.jpg)
Constrained PRFCan we restrict the evaluation of F(Kw,.) on [1,n]?
K Evaluation
x
F(K,x)
Constrain
C
KC
🚫
C(x) = true
C(x) = false
![Page 33: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/33.jpg)
Range-Constrained PRF
Consider the condition Cn:
Cn(x) = true if and only if 1≤ x ≤ n (range condition)
Kn = Constrain(K,Cn) can only be used to evaluate F on [1,n]
![Page 34: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/34.jpg)
w Kw
Client
Server
D2 D1 D3 D4D5D6
Kw6Constrain
![Page 35: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/35.jpg)
D2 D6 D1 D3 D5 D4
w Kw
Client
Server Kw6
D7
D7 D8Kw8Constrain
D8
![Page 36: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/36.jpg)
DianaInstantiate the CPRF F with a tree-based PRF construction
Asymptotically less efficient than Σoφoς
In practice, a lot better. Always IO bounded (for both searches and updates)
Search: <1µs per match (on RAM) Update: 174 000 entries per second (4300 for Σoφoς)
![Page 37: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/37.jpg)
Can we do better?
Similarly to the ORAM lower bound, we can show that the computational overhead of an update for a forward-private scheme is
Σoφoς is optimal (constant-time update, σ = |W|)
log |W |log
![Page 38: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/38.jpg)
Deletions
![Page 39: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/39.jpg)
Deletions
How to delete entries in an encrypted database?
Existing schemes use a ‘revocation list’
Pb: the deleted information is still revealed to the server
Backward privacy: ‘nothing’ is leaked about the deleted documents
![Page 40: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/40.jpg)
Backward privacy
Baseline: the client fetches the encrypted lists of inserted and deleted documents, locally decrypts and retrieves the documents. Optimal security 2 interactions Complexity (communication & computation) :
# insertions (vs. # results)
![Page 41: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/41.jpg)
Backward privacy with optimal updates & comm.Could we prevent the server from decrypting some entries?
Puncturable Encryption [GM’15]: Revocation of decryption capabilities for specific messages
K Encrypt
D T
T
![Page 42: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/42.jpg)
Backward privacy with optimal updates & comm.Could we prevent the server from decrypting some entries?
Puncturable Encryption [GM’15]: Revocation of decryption capabilities for specific messages
K Puncture
T
Puncture
T’
K T K T T’
![Page 43: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/43.jpg)
Backward privacy with optimal updates & comm.
DecryptK T T’
T’’
D Decrypt 🚫
T
Could we prevent the server from decrypting some entries?
Puncturable Encryption [GM’15]: Revocation of decryption capabilities for specific messages
same tag
K T T’
≠ tags
![Page 44: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/44.jpg)
Client
Server
Σ Client
Σ Server
w
Kw Add to wTEncrypt
D T
Hash
Insertion
![Page 45: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/45.jpg)
Hash
DeletionClient
Server
Σ Client
Σ Server
w
Kw Puncture
D T
Kw T
![Page 46: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/46.jpg)
Hash
DeletionClient
Server
Σ Client
Σ Server
w
Puncture
D’ T’
Kw T Kw T T’
![Page 47: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/47.jpg)
🚫D1D2D4D5D6D8🚫
T1 T2 T3 T4 T5 T6 T7 T8
Search w
SearchClient
ServerΣ
Server
w Kw T7 T3Σ
Client
Decrypt
![Page 48: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/48.jpg)
Janus
Not so good:
O(nw.dw) search comp.
Uses pairings (not fast)
Good:
Forward & backward-private
Optimal update complexity
Optimal communication
![Page 49: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/49.jpg)
Implementation of SE
Client Server gRPC
Σoφoς Diana Janus RocksDB
PRF Hash TDPEnc. …libsodiummbedTLS
Relic
![Page 50: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/50.jpg)
OpenSSE
Goal: fast and secure implementation of SE schemes
10 700 C/C++ LoC (crypto: 6500, schemes: 4200)
Open Source: opensse.github.io
And its documented !!! (at least for the crypto)
![Page 51: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/51.jpg)
Other works on searchable encryption
Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds
Analysis of recent attacks (leakage-abuse attacks) that only use the leakage to break the security of schemes. Proposed countermeasures.
![Page 52: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/52.jpg)
ConclusionForward privacy
Updates do not leak information about the past events Two efficient constructions Σoφoς and Diana
Backward privacy Deletions are not recoverable by the server Janus: backward privacy with optimal communication
![Page 53: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/53.jpg)
Conclusion
SE involves very diverse topics: theoretical CS, cryptanalysis, cryptographic primitives, systems, …
Real world cryptography, with great impact
![Page 54: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/54.jpg)
PublicationsSearchable Encryption:
[B Fouque Pointcheval - ePrint 16]: Verifiable Dynamic Symmetric Searchable Encryption: Optimality and Forward Security
[B - CCS 16]: Σoφoς: Forward Secure Searchable Encryption
[B Minaud Ohrimenko - CCS 17]: Forward and Backward Private Searchable Encryption from Constrained Cryptographic Primitives
[B Fouque - ePrint 17]: Thwarting Leakage Abuse Attacks against Searchable Encryption – A Formal Approach and Applications to Database Padding
Other:
[B Popa Tu Goldwasser - NDSS 15]: Machine Learning Classification over Encrypted Data.
[B Sanders - AsiaCrypt 16]: Trick or Tweak: On the (In)security of OTR’s Tweaks
![Page 55: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/55.jpg)
![Page 56: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/56.jpg)
Verifiable SEThe server might be malicious: return fake results, delete real results, …
The client needs to verify the results
![Page 57: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/57.jpg)
Verifiable SEThis is not free: lower bound (derived from [DNRV’09])
If client storage is less than |W|1-ε, search complexity has to be larger than log |W|
The lower bound is tight: using Merkle hash trees and set hash functions
Many possible tradeoffs between search & update complexities
![Page 58: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/58.jpg)
Diana (Diana (
))
![Page 59: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/59.jpg)
Crypto vs. Seek time
The magic world of searchable encryption:
Symmetric crypto is free
Asymmetric crypto is not overly expensive
A lot of the cost comes from the non-locality of memory accesses
![Page 60: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/60.jpg)
Locality vs. Caching
The OS is ‘smart’: it caches memory.
Be careful when you are testing your construction on small databases
Once the database is cached, non locality disappears
Beware of the evaluation of performance
![Page 61: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/61.jpg)
Evaluating the security
Use the leakage function from the security definitions Provable security Very hard to understand the extend of the leakage
Rely on cryptanalysis: leakage-abuse attacks Maybe not the best adversary ‘Real world’ implications
![Page 62: Searchable Encryption - Raphael Bost · Other works on searchable encryption Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds](https://reader033.fdocuments.us/reader033/viewer/2022052611/5f0706917e708231d41aecf7/html5/thumbnails/62.jpg)
Evaluating the security
State-of-the-art schemes leak the number of results of a query Enough to recover the queries when the adversary
knows the database [CGPR’15] Counter-measure: padding (it has a cost)