Searchable Encryption. Nuttiiya Seekhao

Transcription

1 Searchable Encryption Nuttiiya Seekhao

2 Overview Motivation Literature Background Solutions Scheme I, II, III, IV Discussion Runtime Possible Extensions Conclusion

3 Motivation

4 Motivation

5 Motivation

6 Searchable Encryption!

7 Practical techniques for searches on encrypted data By Dawn Xiaodong Song, David Wagner, and Adrian Perrig in 2000 Main idea: Embed information in the cipher text Sequential Scan Not scalable

8 Practical techniques for searches on encrypted data The techniques provide: Provable secrecy Controlled searching Hidden queries Query isolation

9 Related Work Prior to This Paper (1) Providing secrecy and integrity on untrusted file server [2, 11, 1, 3] Secure multi-party computation and oblivious functions [13, 5] Requires high overhead e.g. multiple servers

10 Related Work Prior to This Paper (2) Private Information Retrieval (PIR) Problem [9, 15, 12, 8, 4] Have at least one of the following limitations: Requires multiple non-colluding servers Consume large amounts of bandwidth Do not guarantee the confidentiality of the data Do not support private keyword searching Do not support controlled searching or query isolation

11 Background and Definitions Let n = block length (or word length, assuming fixed length words) Let m = system parameter G G : K G S Pseudorandom generator,

12 Background and Definitions F F : K F X Y Pseudorandom function,, Pseudorandom permutation,, E : K E Z Z Pseudorandom function,, f : K f {0,1}* K f f E

13 Scheme I The Basic Scheme W 1 W 2 W 3 S 1 S 2 S 3 T 1 T 2 T 3 k 1 k 2 k 3 W l -1 W l T l -1 T l S l -1 S l k l -1 k l

14 Scheme I The Basic Scheme W 1 W 2 W 3 T 1 T 2 T 3 C 1 C 2 C 3 C i = W i T i W l -1 W l C l -1 C l T l -1 T l

15 Scheme I The Basic Scheme To encrypt: T i = S i, F ki (S i ) C i = W i T i Plaintext Stream Cipher W i S i F ki (S i ) + Ciphertext Alice generates a sequence F ki of random nonce S 1, S 2,..., S l Alice computes T i for each location in the document where T i = S i, F ki (S i )

16 Scheme I The Basic Scheme To search: Alice gives W i, k i to Bob Plaintext Stream Cipher W i S i F ki (S i ) + Ciphertext F ki

17 Scheme I Problem? Alice wants Bob to search for a word W, either: Alice reveal all k i to Bob Horrible security scheme! Alice must know in advance locations W may appear Horrible remote search scheme!

18 Scheme II Controlled Searching k i := f k' (W i ) To search: Alice gives W i, k i to Bob Plaintext Stream Cipher W i S i F ki (S i ) + Ciphertext F ki

19 Scheme II Problems? Does not support hidden queries Can we do better? Of course! Encryption!

20 Scheme III Support for Hidden Searches k := f Plaintext To search: i k' (Ek '' (Wi )) Alice gives Xi, ki to Bob Wi E Ek '' (Wi ) + Stream Cipher Si Fki Fki (Si ) Ciphertext

21 Scheme III Problems? How would Alice recover plaintext from ciphertext? Circular Dependency Need k i to decrypt C i Need W i to get k i Need to decrypt C i to get W i Need plaintext to decrypt plaintext?!?! Can we fix this?

22 Scheme IV The Final Scheme Plaintext To search: ki := fk ' (Li ) Alice gives Xi, ki to Bob Wi E Ek '' (Wi ) Li Ri + Stream Cipher Si Fki Fki (Si ) Ciphertext

23 Scheme IV The Final Scheme Plaintext To decrypt: Alice generates Si Computes Ti Si Get first n m bits = Li Compute ki := fk ' (Li ) ki := fk ' (Li ) Wi E Ek '' (Wi ) Li Ri + Stream Cipher Si Fki Fki (Si ) Ciphertext

24 Scheme IV Problems? Secure Encryption Scheme? Yes Secure Searchable Encryption Scheme? Statistical Attack? Periodically change the key, re-encrypt, and re-order ciphertexts Could decrease m to get more false matches

25 Discussion - Runtime For document of length n Search Algorithm: O(n) Encryption: O(n) Introduce almost no space and communication overhead Is search in O(n) really practical?

26 Possible Extensions (1) More Advanced Search Queries Boolean e.g. W and W Regular expression e.g. ab[a-z] Generates 26 search queries in the form: {aba, abb,, abz} Retrieve list of documents containing word of interest Store each word occurrence with a count e.g. <0, puppy>, <1, puppy>, Hides location information Could search for documents containing n or more occurrences of W by searching <n-1, W>

27 Possible Extensions (2) Variable-Length Words Pad to a fixed-size blocks Inefficient storage Store word length with the word itself How to search? Scan for a match at each possible bit boundary Inefficient search

28 Possible Extensions (3) Searching with Encrypted Index Index contains a list of key words List of pointers to documents containing itself with each word Each proposed extension assumes fixed size of documents pointer data Updates would not be pretty!

29 Related Work Revisited Searchable symmetric encryption: Improved definitions and efficient constructions (2006) [10] Work performed by server per returned document is constant Requires O(# of files) to search 2 nd construction achieves adaptive SSE security Privacy preserving keyword searches on remote encrypted data (2005) [6] Works with existing file encryption scheme Works with compressed files Dynamic searchable symmetric encryption (2012) [14] Search in O(# of files containing the word) Adaptive SSE secure Dynamic Highly-scalable searchable symmetric encryption with support for Boolean queries (2013) [7] Supports conjunctive searches and general Boolean queries More

30 Conclusion At the time, new techniques for Searchable Encryption Advantages: Provably secure Supports controlled and hidden search and query isolation Simple Introduce almost no space and communication overhead Disadvantages: O(n) Search algorithm Vulnerable to statistical attacks

31 References [1] Amato, Nancy M., and Michael C. Loui. "Checking linked data structures."fault-tolerant Computing, FTCS-24. Digest of Papers., Twenty-Fourth International Symposium on. IEEE, [2] Blaze, Matt. "A cryptographic file system for UNIX." Proceedings of the 1st ACM conference on Computer and communications security. ACM, [3] Blum, Manuel, et al. "Checking the correctness of memories." Algorithmica (1994): [4] Cachin, Christian, Silvio Micali, and Markus Stadler. "Computationally private information retrieval with polylogarithmic communication." Advances in Cryptology EUROCRYPT 99. Springer Berlin Heidelberg, [5] Canetti, Ran. Studies in secure multiparty computation and applications. Diss. The Weizmann Institute of Science, [6] Chang, Yan-Cheng, and Michael Mitzenmacher. "Privacy preserving keyword searches on remote encrypted data." Applied Cryptography and Network Security. Springer Berlin Heidelberg, [7] Cash, David, et al. "Highly-scalable searchable symmetric encryption with support for boolean queries." Advances in Cryptology CRYPTO Springer Berlin Heidelberg, [8] Chor, Benny, et al. "Private information retrieval." Journal of the ACM (JACM)45.6 (1998): [9] Chor, Benny, Niv Gilboa, and Moni Naor. Private information retrieval by keywords. Technion-IIT, Department of Computer Science, [10] Curtmola, Reza, et al. "Searchable symmetric encryption: improved definitions and efficient constructions." Proceedings of the 13th ACM conference on Computer and communications security. ACM, [11] Devanbu, Premkumar T., and Stuart G. Stubblebine. "Stack and queue integrity on hostile platforms." Software Engineering, IEEE Transactions on 28.1 (2002): [12] Gertner, Yael, et al. "Protecting data privacy in private information retrieval schemes." Proceedings of the thirtieth annual ACM symposium on Theory of computing. ACM, [13] Goldreich, Oded. "Secure multi-party computation." Manuscript. Preliminary version (1998). [14] Kamara, Seny, Charalampos Papamanthou, and Tom Roeder. "Dynamic searchable symmetric encryption." Proceedings of the 2012 ACM conference on Computer and communications security. ACM, [15] Kushilevitz, Eyal, and Rafail Ostrovsky. "Replication is not needed: Single database, computationally-private information retrieval." focs. Vol [16] Song, Dawn Xiaodong, David Wagner, and Adrian Perrig. "Practical techniques for searches on encrypted data." Security and Privacy, S&P Proceedings IEEE Symposium on. IEEE, 2000.

32 Questions?