encrypted search: leakage suppression - brown university · 2019. 10. 4. · how should we handle...
TRANSCRIPT
![Page 1: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/1.jpg)
Encrypted Search: Leakage Suppression
Seny Kamara
SAC Summer School 2019
![Page 2: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/2.jpg)
How Should we Handle Leakage?• Approach #1: ORAM simulation • Store and simulate data structure with ORAM • General-purpose • Zero-leakage (if data is transformed appropriately) • polylog overhead per read/write on top of simulation
• Approach #2: Custom oblivious structures
2
![Page 3: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/3.jpg)
How Should we Handle Leakage?• Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t queries • Set t using cryptanalysis • Open question: can you rebuild encrypted structures?
• Approach #4: Leakage suppression • Suppression compilers • Suppression transforms
3
![Page 4: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/4.jpg)
Q: can we reduce leakage?
4
![Page 5: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/5.jpg)
Leakage Suppression via ORAM• Common answer is “use ORAM!” • usually without any details • or experiments
• How exactly do we use ORAM to search?
5
![Page 6: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/6.jpg)
ORAM
6
Setup time
Query time
ORAM.Setup
Read(i)ORAM.Read(i)
Write(i,v)ORAM.Write(i,v)
![Page 7: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/7.jpg)
Leakage Suppression via ORAM• ORAM supports read & write operations to an array • with polylog(n) cost • and leakage profile 𝚲ORAM = (ℒS, ℒQ) = (dsize, ⟘)
• ORAM is a “low-level” primitive • designed for read/write operations to an array • what if we want to query a more complex structure?
• Need to use ORAM simulation
7
![Page 8: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/8.jpg)
ORAM Simulation• Represent DS as an array and store in ORAM • Client simulates Query(DS,q) algorithm • replaces each Read(i) with ORAM.Read(i) • replaces each Write(i,v) with ORAM.Write(i,v)
8
![Page 9: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/9.jpg)
ORAM Simulation
9
Setup time
Query time
ORAM.Setup
Read(3) ORAM.Read(3)
Write(1,v) ORAM.Write(1,v)
DS Represent
Query(DS,q)
Read(10) ORAM.Read(10)
![Page 10: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/10.jpg)
ORAM Simulation• Costs O(T·polylog(|DS|)) • where T is runtime of Query(DS,q)
• Leakage profile • 𝚲 = (dsize, (runtime, vol)) • vol: size of response (can be suppressed with padding)
• Can we do better?
10
![Page 11: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/11.jpg)
Q: can we do better than ORAM simulation?
11
![Page 12: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/12.jpg)
Suppression Compiler
12
CompilerSTE
𝚲 = (ℒS, ℒQ)
= (★, (patt1, patt2))
STE
𝚲 = (ℒS, ℒQ)
= (★, patt2)
![Page 13: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/13.jpg)
Suppression Compiler for Query Equality
13
CompilerSTE STE
𝚲 = (ℒS, ℒQ)
= (★, qeq)
𝚲 = (ℒS, ℒQ)
= (★, ⟘)
![Page 14: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/14.jpg)
Q: Can we build such a thing?
14
![Page 15: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/15.jpg)
Suppression Compiler for Query Equality
15
Cache-based Compiler
STE STE
𝚲 = (ℒS, ℒQ)
= (★, (qeq, patt))
𝚲 = (ℒS, ℒQ)
= (★, nrp)
nrp is the non-repeating sub-pattern of patt
![Page 16: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/16.jpg)
Non-Repeating Sub-Patterns• Leakage patterns can be decomposed into sub-patterns:
• Non-repeating sub-patterns ≈ leakage on non-repeating queries
16
patt =
(patt1 if “condition” is true
patt2 otherwise.<latexit sha1_base64="i8p2FJOCQJSTi+CPAB+1LYAOq5E=">AAACh3icbVHRbtMwFHUCg64DVuCRl6tOQ0iTqqQaMB6QCrzscUiUTWqqznFuWmuOHdk3QBXlW7Zv4o2/wWm3CbodydLRuffcax+npZKOouhPED54uPXocWe7u/Pk6bPd3vMX352prMCxMMrYs5Q7VFLjmCQpPCst8iJVeJpefGnrpz/QOmn0N1qWOC34XMtcCk5emvUuoU5cDiUnauBjFzySFOdS18JPdc1KaXHbNosbeA0J4S/SxhZc1TKH83NhdCbbmX2QDshW2ECSwD3+4abf0ALtT+mwGawvgDq7WT/r7UWDaAW4S+JrsjfqJwdXjLGTWe93khlRFahJKO7cJI5KmtbckhQKm25SOSy5uOBznHiqeYFuWq+CbGDfKxnkxvqjCVbqv46aF84ti9R3FpwWbrPWivfVJhXlR9Na6rIi1GK9KK8UkIH2VyCTFgWppSdcWJ+jALHglgvyf9eGEG8++S4ZDwcfBvFXH8ZntkaHvWJ99obF7D0bsWN2wsZMBFvBQXAYvA27YRS+C4/WrWFw7XnJ/kP46S8xy7+r</latexit><latexit sha1_base64="3uvXwExZBiIh72RmQD/YX1ApuK0=">AAACh3icbVFNT9tAEF0baCH9SttjL6OgVpWQIhvRlh4qBXrhCFIDSHEU1utxsmK9a+2O20aW/wV3/lNv/BvWCa1o4EkrPb2ZN7P7Ni2VdBRFN0G4tr7x5OnmVufZ8xcvX3Vfvzl1prICh8IoY89T7lBJjUOSpPC8tMiLVOFZevm9rZ/9ROuk0T9oXuK44FMtcyk4eWnSvYY6cTmUnKiBbx3wSFKcSl0LP9U1C6XFv7ZJ3MAHSAh/kza24KqWOVxcCKMz2c7sgXRAtsIGkgQe8e+u+g3N0P6SDpv+8gKos7/rJ93tqB8tAA9JfEe2B71k5+pmMD+edP8kmRFVgZqE4s6N4qikcc0tSaGw6SSVw5KLSz7FkaeaF+jG9SLIBt57JYPcWH80wUK976h54dy8SH1nwWnmVmut+FhtVFG+P66lLitCLZaL8koBGWh/BTJpUZCae8KF9TkKEDNuuSD/d20I8eqTH5Lhbv9rPz7xYRyyJTbZO9ZjH1nMvrABO2LHbMhEsBHsBHvBp7ATRuHncH/ZGgZ3nrfsP4QHtzmvwTE=</latexit><latexit sha1_base64="3uvXwExZBiIh72RmQD/YX1ApuK0=">AAACh3icbVFNT9tAEF0baCH9SttjL6OgVpWQIhvRlh4qBXrhCFIDSHEU1utxsmK9a+2O20aW/wV3/lNv/BvWCa1o4EkrPb2ZN7P7Ni2VdBRFN0G4tr7x5OnmVufZ8xcvX3Vfvzl1prICh8IoY89T7lBJjUOSpPC8tMiLVOFZevm9rZ/9ROuk0T9oXuK44FMtcyk4eWnSvYY6cTmUnKiBbx3wSFKcSl0LP9U1C6XFv7ZJ3MAHSAh/kza24KqWOVxcCKMz2c7sgXRAtsIGkgQe8e+u+g3N0P6SDpv+8gKos7/rJ93tqB8tAA9JfEe2B71k5+pmMD+edP8kmRFVgZqE4s6N4qikcc0tSaGw6SSVw5KLSz7FkaeaF+jG9SLIBt57JYPcWH80wUK976h54dy8SH1nwWnmVmut+FhtVFG+P66lLitCLZaL8koBGWh/BTJpUZCae8KF9TkKEDNuuSD/d20I8eqTH5Lhbv9rPz7xYRyyJTbZO9ZjH1nMvrABO2LHbMhEsBHsBHvBp7ATRuHncH/ZGgZ3nrfsP4QHtzmvwTE=</latexit><latexit sha1_base64="Mr1Pcb3zvdwH+T3mZsNla8gg3ts=">AAACh3icbVFdb9MwFHXCvigwOnjk5WoVCAmpSipg4wFpwMseh7SySU3VOc5Na82xI/tmUEX5LftPe+Pf4LTdNLodydLRuffcax+npZKOouhvED7Z2Nza3nnaefb8xe7L7t6rX85UVuBQGGXsecodKqlxSJIUnpcWeZEqPEsvf7T1syu0Thp9SvMSxwWfaplLwclLk+411InLoeREDXztgEeS4lTqWviprlkoLe7aJnED7yAh/EPa2IKrWuZwcSGMzmQ7cx+kA7IVNpAk8Ih/sO43NEP7Wzps+ssLoM5u10+6vagfLQAPSbwiPbbCyaR7k2RGVAVqEoo7N4qjksY1tySFwqaTVA5LLi75FEeeal6gG9eLIBt465UMcmP90QQL9b6j5oVz8yL1nQWnmVuvteJjtVFF+eG4lrqsCLVYLsorBWSg/RXIpEVBau4JF9bnKEDMuOWC/N+1IcTrT35IhoP+l378M+odfV+lscPesH32nsXsgB2xY3bChkwEm8GH4GPwKeyEUfg5PFy2hsHK85r9h/DbPyDVviI=</latexit>
patt =
(nrp if queries are unique
misc otherwise.<latexit sha1_base64="RPjjgyIct3h/2rqBbwTZzVSotFU=">AAACgHicbVFNb9NAEF27hbYpHwGOvYxaikAIY3PhQ0Kq6IVjKxFaKY6i9WacrLof7u4YiCz/D478pt76Z1A3Tg405UkrvX0zb2Z3pqiU9JSm11G8sXnv/tb2Tm/3wcNHj/tPnn73tnYCB8Iq684L7lFJgwOSpPC8csh1ofCsuDhexM9+oPPSmm80r3Ck+dTIUgpOQRr3fwM0uS+h4kQtfO5BQF7gVJpGhLK+7ZQFujTjqhZeQE74i4x1mqtGlnBZo5PogTuE2shwbSHP4bZVSy/WvZZm6H5Kj22y7Ixmsuo77h+kSdoB7pJsRQ6O9vPXfxhjJ+P+VT6xotZoSCju/TBLKxo13JEUCtteXnusuLjgUxwGarhGP2q6CbZwGJQJlNaFYwg69V9Hw7X3c12ETM1p5tdjC/F/sWFN5YdRI01VExqxbFTWCsjCYh0wkQ4FqXkgXDgZ3gpixh0XFJbWC0PI1r98lwzeJR+T7DQM4wtbYpvtsX32kmXsPTtiX9kJGzDB/kbPozdREm/Er+K3cbZMjaOV5xm7hfjTDes2vms=</latexit><latexit sha1_base64="uyiZCzrLxl+0jsE3W4sWpZAAXVk=">AAACgHicbVFNb9NAEF27BdrwFeixl1ELCIRwbS58SJUiuPTYSoRWiqNovRknq+6H2R0DkeV/wYHfxa1/BrFxcmhTnrTS2zfzZnZnikpJT2l6FcVb23fu3tvZ7d1/8PDR4/6Tp1+9rZ3AobDKuouCe1TS4JAkKbyoHHJdKDwvLj8v4+ff0XlpzRdaVDjWfGZkKQWnIE36vwGa3JdQcaIWjnsQkBc4k6YRoaxvO2WJLs24qoUXkBP+JGOd5qqRJXyr0Un0wB1CbWS4tpDncNOqpRebXktzdD+kxzZZdUYzXfed9A/TJO0At0m2JoeDg/z1r6vB4nTS/5NPrag1GhKKez/K0orGDXckhcK2l9ceKy4u+QxHgRqu0Y+bboItPA/KFErrwjEEnXrd0XDt/UIXIVNzmvvN2FL8X2xUU/l+3EhT1YRGrBqVtQKysFwHTKVDQWoRCBdOhreCmHPHBYWl9cIQss0v3ybDt8mHJDsLw/jEVthh++yAvWQZe8cG7ISdsiET7G/0LHoTJfFW/Co+irNVahytPXvsBuKP/wDzGr/x</latexit><latexit sha1_base64="uyiZCzrLxl+0jsE3W4sWpZAAXVk=">AAACgHicbVFNb9NAEF27BdrwFeixl1ELCIRwbS58SJUiuPTYSoRWiqNovRknq+6H2R0DkeV/wYHfxa1/BrFxcmhTnrTS2zfzZnZnikpJT2l6FcVb23fu3tvZ7d1/8PDR4/6Tp1+9rZ3AobDKuouCe1TS4JAkKbyoHHJdKDwvLj8v4+ff0XlpzRdaVDjWfGZkKQWnIE36vwGa3JdQcaIWjnsQkBc4k6YRoaxvO2WJLs24qoUXkBP+JGOd5qqRJXyr0Un0wB1CbWS4tpDncNOqpRebXktzdD+kxzZZdUYzXfed9A/TJO0At0m2JoeDg/z1r6vB4nTS/5NPrag1GhKKez/K0orGDXckhcK2l9ceKy4u+QxHgRqu0Y+bboItPA/KFErrwjEEnXrd0XDt/UIXIVNzmvvN2FL8X2xUU/l+3EhT1YRGrBqVtQKysFwHTKVDQWoRCBdOhreCmHPHBYWl9cIQss0v3ybDt8mHJDsLw/jEVthh++yAvWQZe8cG7ISdsiET7G/0LHoTJfFW/Co+irNVahytPXvsBuKP/wDzGr/x</latexit><latexit sha1_base64="B+ZBEFD1rsp5mydZgBDIZdjAOcs=">AAACgHicbVFLb9NAEF67PEp4pfTIZUQAwQHX5sJDQqrohWORCK0UR9F6M05W3YfZHRciy/+jv6u3/hnUjeMDTfmklb79Zr6Z3ZmiUtJTml5F8c6du/fu7z4YPHz0+MnT4d6zn97WTuBYWGXdacE9KmlwTJIUnlYOuS4UnhRnR+v4yTk6L635QasKp5ovjCyl4BSk2fACoMl9CRUnauHLAALyAhfSNCKU9W2nrNGlGVe18Bpywj9krNNcNbKEXzU6iR64Q6iNDNcW8hxuWrX0YttraYnut/TYJpvOaOZ939lwlCZpB7hNsp6MWI/j2fAyn1tRazQkFPd+kqUVTRvuSAqF7SCvPVZcnPEFTgI1XKOfNt0EW3gVlDmU1oVjCDr1X0fDtfcrXYRMzWnpt2Nr8X+xSU3lx2kjTVUTGrFpVNYKyMJ6HTCXDgWpVSBcOBneCmLJHRcUljYIQ8i2v3ybjN8nn5Lsezo6/NpPY5c9Zy/YG5axD+yQfWPHbMwE+xu9jN5FSbwTv40P4myTGke9Z5/dQPz5GtpAvOI=</latexit>
![Page 17: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/17.jpg)
Suppression Compiler for Query Equality
17
Cache-based Compiler
STE STE
𝚲 = (ℒS, ℒQ)
= (★, (qeq, patt))
𝚲 = (ℒS, ℒQ)
= (★, nrp)
patt =
(nrp if queries are unique
misc otherwise.<latexit sha1_base64="RPjjgyIct3h/2rqBbwTZzVSotFU=">AAACgHicbVFNb9NAEF27hbYpHwGOvYxaikAIY3PhQ0Kq6IVjKxFaKY6i9WacrLof7u4YiCz/D478pt76Z1A3Tg405UkrvX0zb2Z3pqiU9JSm11G8sXnv/tb2Tm/3wcNHj/tPnn73tnYCB8Iq684L7lFJgwOSpPC8csh1ofCsuDhexM9+oPPSmm80r3Ck+dTIUgpOQRr3fwM0uS+h4kQtfO5BQF7gVJpGhLK+7ZQFujTjqhZeQE74i4x1mqtGlnBZo5PogTuE2shwbSHP4bZVSy/WvZZm6H5Kj22y7Ixmsuo77h+kSdoB7pJsRQ6O9vPXfxhjJ+P+VT6xotZoSCju/TBLKxo13JEUCtteXnusuLjgUxwGarhGP2q6CbZwGJQJlNaFYwg69V9Hw7X3c12ETM1p5tdjC/F/sWFN5YdRI01VExqxbFTWCsjCYh0wkQ4FqXkgXDgZ3gpixh0XFJbWC0PI1r98lwzeJR+T7DQM4wtbYpvtsX32kmXsPTtiX9kJGzDB/kbPozdREm/Er+K3cbZMjaOV5xm7hfjTDes2vms=</latexit><latexit sha1_base64="uyiZCzrLxl+0jsE3W4sWpZAAXVk=">AAACgHicbVFNb9NAEF27BdrwFeixl1ELCIRwbS58SJUiuPTYSoRWiqNovRknq+6H2R0DkeV/wYHfxa1/BrFxcmhTnrTS2zfzZnZnikpJT2l6FcVb23fu3tvZ7d1/8PDR4/6Tp1+9rZ3AobDKuouCe1TS4JAkKbyoHHJdKDwvLj8v4+ff0XlpzRdaVDjWfGZkKQWnIE36vwGa3JdQcaIWjnsQkBc4k6YRoaxvO2WJLs24qoUXkBP+JGOd5qqRJXyr0Un0wB1CbWS4tpDncNOqpRebXktzdD+kxzZZdUYzXfed9A/TJO0At0m2JoeDg/z1r6vB4nTS/5NPrag1GhKKez/K0orGDXckhcK2l9ceKy4u+QxHgRqu0Y+bboItPA/KFErrwjEEnXrd0XDt/UIXIVNzmvvN2FL8X2xUU/l+3EhT1YRGrBqVtQKysFwHTKVDQWoRCBdOhreCmHPHBYWl9cIQss0v3ybDt8mHJDsLw/jEVthh++yAvWQZe8cG7ISdsiET7G/0LHoTJfFW/Co+irNVahytPXvsBuKP/wDzGr/x</latexit><latexit sha1_base64="uyiZCzrLxl+0jsE3W4sWpZAAXVk=">AAACgHicbVFNb9NAEF27BdrwFeixl1ELCIRwbS58SJUiuPTYSoRWiqNovRknq+6H2R0DkeV/wYHfxa1/BrFxcmhTnrTS2zfzZnZnikpJT2l6FcVb23fu3tvZ7d1/8PDR4/6Tp1+9rZ3AobDKuouCe1TS4JAkKbyoHHJdKDwvLj8v4+ff0XlpzRdaVDjWfGZkKQWnIE36vwGa3JdQcaIWjnsQkBc4k6YRoaxvO2WJLs24qoUXkBP+JGOd5qqRJXyr0Un0wB1CbWS4tpDncNOqpRebXktzdD+kxzZZdUYzXfed9A/TJO0At0m2JoeDg/z1r6vB4nTS/5NPrag1GhKKez/K0orGDXckhcK2l9ceKy4u+QxHgRqu0Y+bboItPA/KFErrwjEEnXrd0XDt/UIXIVNzmvvN2FL8X2xUU/l+3EhT1YRGrBqVtQKysFwHTKVDQWoRCBdOhreCmHPHBYWl9cIQss0v3ybDt8mHJDsLw/jEVthh++yAvWQZe8cG7ISdsiET7G/0LHoTJfFW/Co+irNVahytPXvsBuKP/wDzGr/x</latexit><latexit sha1_base64="B+ZBEFD1rsp5mydZgBDIZdjAOcs=">AAACgHicbVFLb9NAEF67PEp4pfTIZUQAwQHX5sJDQqrohWORCK0UR9F6M05W3YfZHRciy/+jv6u3/hnUjeMDTfmklb79Zr6Z3ZmiUtJTml5F8c6du/fu7z4YPHz0+MnT4d6zn97WTuBYWGXdacE9KmlwTJIUnlYOuS4UnhRnR+v4yTk6L635QasKp5ovjCyl4BSk2fACoMl9CRUnauHLAALyAhfSNCKU9W2nrNGlGVe18Bpywj9krNNcNbKEXzU6iR64Q6iNDNcW8hxuWrX0YttraYnut/TYJpvOaOZ939lwlCZpB7hNsp6MWI/j2fAyn1tRazQkFPd+kqUVTRvuSAqF7SCvPVZcnPEFTgI1XKOfNt0EW3gVlDmU1oVjCDr1X0fDtfcrXYRMzWnpt2Nr8X+xSU3lx2kjTVUTGrFpVNYKyMJ6HTCXDgWpVSBcOBneCmLJHRcUljYIQ8i2v3ybjN8nn5Lsezo6/NpPY5c9Zy/YG5axD+yQfWPHbMwE+xu9jN5FSbwTv40P4myTGke9Z5/dQPz5GtpAvOI=</latexit>
![Page 18: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/18.jpg)
Cache-based Compiler and Rebuilding• Cache-based Compiler • needs to rebuild encrypted structure from time to time
• So base STE scheme has to have a Rebuild protocol • Rebuild protocol must • be efficient for server • have O(1) client storage • be zero-leakage
18
![Page 19: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/19.jpg)
Our Suppression Pipeline [K.-Moataz-Ohrimenko18]
19
Cache-based Compiler
Rebuild Compiler PBS
𝚲 = (ℒS, ℒQ,ℒA)
= (★, (qeq, patt), pattA)
RPBS
𝚲 = (ℒS, ℒQ,ℒA)
= (★, (qeq, patt), pattRb)
AZL
𝚲 = (ℒS, ℒQ)
= (★, srlen)
FZL
𝚲 = (ℒS, ℒQ)
= (★, ⟘)patt =
(srlen if queries are unique
misc otherwise.<latexit sha1_base64="gGTE4g3/iKpZgrTWXsLU4SqMX+w=">AAACgnicbVFNSxxBEO0ZNZrN18YcvRRKJCBsZpKDCSQg8eLRgKvCzrL09NbsNvbHpLsmyTLMH/Hkb8ot/8aeWQNx9UHD61f1qrqr8lJJT0nyN4rX1jeebG497T17/uLlq/7r7XNvKydwKKyy7jLnHpU0OCRJCi9Lh1znCi/yq+M2fvETnZfWnNGixLHmMyMLKTgFadK/hjrzBZScqIGvPQjIcpxJU4tQ1Ted0qJL806haWAfMsLfZKzTXNWygB8VOokeuEOojAzXBrIM7pu19GLVa2mO7pf02AyWvdFM/3We9PeSQdIBHpL0juwd7WYHN4yx00n/Tza1otJoSCju/ShNShrX3JEUCpteVnksubjiMxwFarhGP667GTbwNihTKKwLxxB06v+OmmvvFzoPmZrT3K/GWvGx2Kii4tO4lqasCI1YNioqBWShXQhMpUNBahEIF06Gt4KYc8cFhbW1Q0hXv/yQDD8MPg/S72EY39gSW2yH7bJ3LGWH7IidsFM2ZCJi0X70PkrijfggTuOPy9Q4uvO8YfcQf7kFu16+Pg==</latexit><latexit sha1_base64="58vNqlQPd4PlVXyB8U2ItZSMHGg=">AAACgnicbVFNb9NAEF2blpbw0UCPXEatqJAqBbs9UCSQonLhWKSmrRRH0XozTlbdD7M7BiLL/4ITP4tb/w1rp0g07ZNWevtm3szuTF4q6SlJbqL40cbm463tJ72nz56/2Om/fHXhbeUEjoRV1l3l3KOSBkckSeFV6ZDrXOFlfv25jV9+R+elNee0LHGi+dzIQgpOQZr2f0Od+QJKTtTApx4EZDnOpalFqOqbTmnRpXmn0DRwABnhTzLWaa5qWcC3Cp1ED9whVEaGawNZBnfNWnqx7rW0QPdDemwGq95oZv86T/v7ySDpAPdJekv2h3vZ4a+b4fJs2v+TzayoNBoSins/TpOSJjV3JIXCppdVHksurvkcx4EartFP6m6GDbwJygwK68IxBJ36v6Pm2vulzkOm5rTw67FWfCg2rqg4mdTSlBWhEatGRaWALLQLgZl0KEgtA+HCyfBWEAvuuKCwtnYI6fqX75PR0eDDIP0ahnHKVthmr9kee8tS9p4N2Rd2xkZMRCw6iN5FSbwZH8ZpfLxKjaNbzy67g/jjX8NCv8Q=</latexit><latexit sha1_base64="58vNqlQPd4PlVXyB8U2ItZSMHGg=">AAACgnicbVFNb9NAEF2blpbw0UCPXEatqJAqBbs9UCSQonLhWKSmrRRH0XozTlbdD7M7BiLL/4ITP4tb/w1rp0g07ZNWevtm3szuTF4q6SlJbqL40cbm463tJ72nz56/2Om/fHXhbeUEjoRV1l3l3KOSBkckSeFV6ZDrXOFlfv25jV9+R+elNee0LHGi+dzIQgpOQZr2f0Od+QJKTtTApx4EZDnOpalFqOqbTmnRpXmn0DRwABnhTzLWaa5qWcC3Cp1ED9whVEaGawNZBnfNWnqx7rW0QPdDemwGq95oZv86T/v7ySDpAPdJekv2h3vZ4a+b4fJs2v+TzayoNBoSins/TpOSJjV3JIXCppdVHksurvkcx4EartFP6m6GDbwJygwK68IxBJ36v6Pm2vulzkOm5rTw67FWfCg2rqg4mdTSlBWhEatGRaWALLQLgZl0KEgtA+HCyfBWEAvuuKCwtnYI6fqX75PR0eDDIP0ahnHKVthmr9kee8tS9p4N2Rd2xkZMRCw6iN5FSbwZH8ZpfLxKjaNbzy67g/jjX8NCv8Q=</latexit><latexit sha1_base64="VpjY4gzIU4pyJ5pGzF19lYuVy2E=">AAACgnicbVFNb9NAEF0bCiV8NJQjl1EjKiSkYLcHqNRKFVw4FonQSnEUrTfjZNX9MLvj0sjyH+Fn9dZ/w9oJEk37pJXevpk3szuTl0p6SpLbKH70eOvJ0+1nvecvXr7a6b/e/elt5QSOhFXWXeTco5IGRyRJ4UXpkOtc4Xl++bWNn1+h89KaH7QscaL53MhCCk5Bmvb/QJ35AkpO1MBJDwKyHOfS1CJU9U2ntOjSvFNoGtiHjPCajHWaq1oW8KtCJ9EDdwiVkeHaQJbBXbOWXmx6LS3Q/ZYem+GqN5rZv87T/iAZJh3gPknXZMDWOJv2b7KZFZVGQ0Jx78dpUtKk5o6kUNj0sspjycUln+M4UMM1+kndzbCBd0GZQWFdOIagU/931Fx7v9R5yNScFn4z1ooPxcYVFZ8ntTRlRWjEqlFRKSAL7UJgJh0KUstAuHAyvBXEgjsuKKytHUK6+eX7ZHQwPBqm35PB6Zf1NLbZW7bH3rOUfWKn7Bs7YyMmIhbtRx+jJN6KP8RpfLhKjaO15w27g/j4L6povLU=</latexit>
![Page 20: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/20.jpg)
Q: How does the CBC work?
20
![Page 21: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/21.jpg)
Square Root ORAM [Goldreigh-Ostrovsky92]
21
Setup timeCacheMain Memory + Dummies
CacheMain Memory + Dummies
ORAM.Setup
if item in cache get dummy
else get item
Query time
Zero-leakageLeaks qeq but query never repeated
![Page 22: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/22.jpg)
Reinterpreting Square Root ORAM [K.-Moataz-Ohrimenko18]
22
Setup timeORAM.Setup
if item in cache get dummy
else get item
Query time Cache
EDX 𝚲EDX = (ℒS, ℒQ)
= (★, ⟘)
Main Memory + Dummies
ERAM 𝚲ERAM = (ℒS, ℒQ) = (★, qeq)
Main Memory + Dummies
ERAM 𝚲ERAM = (ℒS, ℒQ) = (★, qeq)
Cache
EDX 𝚲EDX = (ℒS, ℒQ) = (★, ⟘)
![Page 23: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/23.jpg)
Reinterpreting Square Root ORAM• Square root ORAM ≈ • “uses a ZL encrypted dictionary… • …to suppress the qeq leakage of an encrypted RAM”
•Q: Can we replace the ERAM with another encrypted structure? • if yes then no multiplicative polylog overhead due to simulation
23
![Page 24: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/24.jpg)
The Cache-Based Compiler
24
Setup timeORAM.Setup
if item in cache get dummy
else get item
Query time Cache
EDX 𝚲EDX = (ℒS, ℒQ)
= (★, ⟘)
Main Memory + Dummies
EDS 𝚲EDS = (ℒS, ℒQ) = (★, qeq)
Main Memory + Dummies
EDS 𝚲EDS = (ℒS, ℒQ) = (★, qeq)
Cache
EDX 𝚲EDX = (ℒS, ℒQ) = (★, ⟘)
![Page 25: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/25.jpg)
The Cache-Based Compiler• EDS has to satisfy certain properties • has to be rebuildable • has to be “extendable” ≈ can store dummies
• has to be “safe” ≈ handles dummies securely
• has to have “small” non-repeating sub-pattern25
DS DSλ-extension
ℒS( ) ≤ ℒS(DS) DS ℒQ( ,q) ≤ ℒS(DS,q) DS
![Page 26: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/26.jpg)
The Piggy Back Scheme (PBS) [K.-Moataz-Ohrimenko18]
26
MM
ℓ1
ℓ2
ℓ3
ℓ1
ℓ2
ℓ3
DX
ℓ1|1
ℓ2|1
ℓ3|1
ℓ1|2
• Data structure transformation • pad tuples to multiple of 𝝰 (e.g., 𝝰 = 3)
![Page 27: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/27.jpg)
• PBS.Setup(1k, EMM = DX) • creates client state that maps labels to number of blocks • sends encrypted dictionary EDX to server
The Piggy Back Scheme (PBS)
27
State DX
ℓ1 2
ℓ2 1
ℓ3 1
EDX
ℓ1|1
ℓ2|1
ℓ3|1
ℓ1|2
![Page 28: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/28.jpg)
• Consider sequence (ℓ1, ℓ3, ℓ2, …) • PBS.Get(K, state, Q, ℓ1) • 2 := DX[ℓ1] • Enqueue ℓ1|1 and ℓ1|2 on Q • query := Q.dequeue() • send EDX.Token(K, query) • client only gets back
• PBS.Get(K, state, Q, ℓ3) • … • client gets back
The Piggy Back Scheme (PBS)
28
EDX
ℓ1|1
ℓ2|1
ℓ3|1
ℓ1|2
State DX
ℓ1 2
ℓ2 1
ℓ3 1
![Page 29: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/29.jpg)
The Piggy Back Scheme (PBS)• PBS leverages a new tradeoff • security vs. latency • hides response length (volume) but response not immediate
• PBS has leakage profile • 𝚲 = (ℒS, ℒQ) = (★, rqeq, ★) • where rqeq has non-repeating sub-pattern • ⟘ on all but the last query • srlen on the last query
29
![Page 30: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/30.jpg)
Latency Analysis of PBS
30
Thm: If queries and responses are Zipf distributed then under the inverted query hypothesis, latency is t + ε·t with probability at least
1� exp
✓� 2t
✓" · ↵
µ
◆2◆
<latexit sha1_base64="FfTsSGIsqkzAdfwx8GbkizFnHvo=">AAACNHicbZBNbxMxEIa9hX4QSknLsReLCKk9EO1GlWhvVXvhwKGVGlopTqNZZzax6rUte7ZqtMqf4sL/4AQHDoC48hvqfByg5ZUsPX5nRva8udMqUJp+S1aePF1dW9941ni++WLrZXN752OwlZfYlVZbf5VDQK0MdkmRxivnEcpc42V+czqrX96iD8qaC5o47JcwMqpQEihag+aHjL/lAu+cyNVotBcvHVqguAWPLihtDRdyaImLwoOsBWg3hmktymo679y/7vAFDJqttJ3OxR9DtoQWW+ps0PwihlZWJRqSGkLoZamjfg2elNQ4bYgqoAN5AyPsRTRQYujX862n/E10hrywPh5DfO7+PVFDGcKkzGNnCTQOD2sz83+1XkXFYb9WxlWERi4eKirNyfJZhHyoPErSkwggvYp/5XIMMRuKQTdiCNnDlR9Dt9M+amfnB63jk2UaG2yXvWZ7LGPv2DF7z85Yl0n2iX1lP9jP5HPyPfmV/F60riTLmVfsHyV/7gGHjapk</latexit><latexit sha1_base64="FfTsSGIsqkzAdfwx8GbkizFnHvo=">AAACNHicbZBNbxMxEIa9hX4QSknLsReLCKk9EO1GlWhvVXvhwKGVGlopTqNZZzax6rUte7ZqtMqf4sL/4AQHDoC48hvqfByg5ZUsPX5nRva8udMqUJp+S1aePF1dW9941ni++WLrZXN752OwlZfYlVZbf5VDQK0MdkmRxivnEcpc42V+czqrX96iD8qaC5o47JcwMqpQEihag+aHjL/lAu+cyNVotBcvHVqguAWPLihtDRdyaImLwoOsBWg3hmktymo679y/7vAFDJqttJ3OxR9DtoQWW+ps0PwihlZWJRqSGkLoZamjfg2elNQ4bYgqoAN5AyPsRTRQYujX862n/E10hrywPh5DfO7+PVFDGcKkzGNnCTQOD2sz83+1XkXFYb9WxlWERi4eKirNyfJZhHyoPErSkwggvYp/5XIMMRuKQTdiCNnDlR9Dt9M+amfnB63jk2UaG2yXvWZ7LGPv2DF7z85Yl0n2iX1lP9jP5HPyPfmV/F60riTLmVfsHyV/7gGHjapk</latexit><latexit sha1_base64="FfTsSGIsqkzAdfwx8GbkizFnHvo=">AAACNHicbZBNbxMxEIa9hX4QSknLsReLCKk9EO1GlWhvVXvhwKGVGlopTqNZZzax6rUte7ZqtMqf4sL/4AQHDoC48hvqfByg5ZUsPX5nRva8udMqUJp+S1aePF1dW9941ni++WLrZXN752OwlZfYlVZbf5VDQK0MdkmRxivnEcpc42V+czqrX96iD8qaC5o47JcwMqpQEihag+aHjL/lAu+cyNVotBcvHVqguAWPLihtDRdyaImLwoOsBWg3hmktymo679y/7vAFDJqttJ3OxR9DtoQWW+ps0PwihlZWJRqSGkLoZamjfg2elNQ4bYgqoAN5AyPsRTRQYujX862n/E10hrywPh5DfO7+PVFDGcKkzGNnCTQOD2sz83+1XkXFYb9WxlWERi4eKirNyfJZhHyoPErSkwggvYp/5XIMMRuKQTdiCNnDlR9Dt9M+amfnB63jk2UaG2yXvWZ7LGPv2DF7z85Yl0n2iX1lP9jP5HPyPfmV/F60riTLmVfsHyV/7gGHjapk</latexit><latexit sha1_base64="FfTsSGIsqkzAdfwx8GbkizFnHvo=">AAACNHicbZBNbxMxEIa9hX4QSknLsReLCKk9EO1GlWhvVXvhwKGVGlopTqNZZzax6rUte7ZqtMqf4sL/4AQHDoC48hvqfByg5ZUsPX5nRva8udMqUJp+S1aePF1dW9941ni++WLrZXN752OwlZfYlVZbf5VDQK0MdkmRxivnEcpc42V+czqrX96iD8qaC5o47JcwMqpQEihag+aHjL/lAu+cyNVotBcvHVqguAWPLihtDRdyaImLwoOsBWg3hmktymo679y/7vAFDJqttJ3OxR9DtoQWW+ps0PwihlZWJRqSGkLoZamjfg2elNQ4bYgqoAN5AyPsRTRQYujX862n/E10hrywPh5DfO7+PVFDGcKkzGNnCTQOD2sz83+1XkXFYb9WxlWERi4eKirNyfJZhHyoPErSkwggvYp/5XIMMRuKQTdiCNnDlR9Dt9M+amfnB63jk2UaG2yXvWZ7LGPv2DF7z85Yl0n2iX1lP9jP5HPyPfmV/F60riTLmVfsHyV/7gGHjapk</latexit>
![Page 31: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/31.jpg)
Our Suppression Pipeline [K.-Moataz-Ohrimenko18]
31
Cache-based Compiler
Rebuild Compiler PBS
𝚲 = (ℒS, ℒQ,ℒA)
= (★, (qeq, patt), pattA)
RPBS
𝚲 = (ℒS, ℒQ,ℒA)
= (★, (qeq, patt), pattRb)
AZL
𝚲 = (ℒS, ℒQ)
= (★, srlen)
FZL
𝚲 = (ℒS, ℒQ)
= (★, ⟘)patt =
(srlen if queries are unique
misc otherwise.<latexit sha1_base64="gGTE4g3/iKpZgrTWXsLU4SqMX+w=">AAACgnicbVFNSxxBEO0ZNZrN18YcvRRKJCBsZpKDCSQg8eLRgKvCzrL09NbsNvbHpLsmyTLMH/Hkb8ot/8aeWQNx9UHD61f1qrqr8lJJT0nyN4rX1jeebG497T17/uLlq/7r7XNvKydwKKyy7jLnHpU0OCRJCi9Lh1znCi/yq+M2fvETnZfWnNGixLHmMyMLKTgFadK/hjrzBZScqIGvPQjIcpxJU4tQ1Ted0qJL806haWAfMsLfZKzTXNWygB8VOokeuEOojAzXBrIM7pu19GLVa2mO7pf02AyWvdFM/3We9PeSQdIBHpL0juwd7WYHN4yx00n/Tza1otJoSCju/ShNShrX3JEUCpteVnksubjiMxwFarhGP667GTbwNihTKKwLxxB06v+OmmvvFzoPmZrT3K/GWvGx2Kii4tO4lqasCI1YNioqBWShXQhMpUNBahEIF06Gt4KYc8cFhbW1Q0hXv/yQDD8MPg/S72EY39gSW2yH7bJ3LGWH7IidsFM2ZCJi0X70PkrijfggTuOPy9Q4uvO8YfcQf7kFu16+Pg==</latexit><latexit sha1_base64="58vNqlQPd4PlVXyB8U2ItZSMHGg=">AAACgnicbVFNb9NAEF2blpbw0UCPXEatqJAqBbs9UCSQonLhWKSmrRRH0XozTlbdD7M7BiLL/4ITP4tb/w1rp0g07ZNWevtm3szuTF4q6SlJbqL40cbm463tJ72nz56/2Om/fHXhbeUEjoRV1l3l3KOSBkckSeFV6ZDrXOFlfv25jV9+R+elNee0LHGi+dzIQgpOQZr2f0Od+QJKTtTApx4EZDnOpalFqOqbTmnRpXmn0DRwABnhTzLWaa5qWcC3Cp1ED9whVEaGawNZBnfNWnqx7rW0QPdDemwGq95oZv86T/v7ySDpAPdJekv2h3vZ4a+b4fJs2v+TzayoNBoSins/TpOSJjV3JIXCppdVHksurvkcx4EartFP6m6GDbwJygwK68IxBJ36v6Pm2vulzkOm5rTw67FWfCg2rqg4mdTSlBWhEatGRaWALLQLgZl0KEgtA+HCyfBWEAvuuKCwtnYI6fqX75PR0eDDIP0ahnHKVthmr9kee8tS9p4N2Rd2xkZMRCw6iN5FSbwZH8ZpfLxKjaNbzy67g/jjX8NCv8Q=</latexit><latexit sha1_base64="58vNqlQPd4PlVXyB8U2ItZSMHGg=">AAACgnicbVFNb9NAEF2blpbw0UCPXEatqJAqBbs9UCSQonLhWKSmrRRH0XozTlbdD7M7BiLL/4ITP4tb/w1rp0g07ZNWevtm3szuTF4q6SlJbqL40cbm463tJ72nz56/2Om/fHXhbeUEjoRV1l3l3KOSBkckSeFV6ZDrXOFlfv25jV9+R+elNee0LHGi+dzIQgpOQZr2f0Od+QJKTtTApx4EZDnOpalFqOqbTmnRpXmn0DRwABnhTzLWaa5qWcC3Cp1ED9whVEaGawNZBnfNWnqx7rW0QPdDemwGq95oZv86T/v7ySDpAPdJekv2h3vZ4a+b4fJs2v+TzayoNBoSins/TpOSJjV3JIXCppdVHksurvkcx4EartFP6m6GDbwJygwK68IxBJ36v6Pm2vulzkOm5rTw67FWfCg2rqg4mdTSlBWhEatGRaWALLQLgZl0KEgtA+HCyfBWEAvuuKCwtnYI6fqX75PR0eDDIP0ahnHKVthmr9kee8tS9p4N2Rd2xkZMRCw6iN5FSbwZH8ZpfLxKjaNbzy67g/jjX8NCv8Q=</latexit><latexit sha1_base64="VpjY4gzIU4pyJ5pGzF19lYuVy2E=">AAACgnicbVFNb9NAEF0bCiV8NJQjl1EjKiSkYLcHqNRKFVw4FonQSnEUrTfjZNX9MLvj0sjyH+Fn9dZ/w9oJEk37pJXevpk3szuTl0p6SpLbKH70eOvJ0+1nvecvXr7a6b/e/elt5QSOhFXWXeTco5IGRyRJ4UXpkOtc4Xl++bWNn1+h89KaH7QscaL53MhCCk5Bmvb/QJ35AkpO1MBJDwKyHOfS1CJU9U2ntOjSvFNoGtiHjPCajHWaq1oW8KtCJ9EDdwiVkeHaQJbBXbOWXmx6LS3Q/ZYem+GqN5rZv87T/iAZJh3gPknXZMDWOJv2b7KZFZVGQ0Jx78dpUtKk5o6kUNj0sspjycUln+M4UMM1+kndzbCBd0GZQWFdOIagU/931Fx7v9R5yNScFn4z1ooPxcYVFZ8ntTRlRWjEqlFRKSAL7UJgJh0KUstAuHAyvBXEgjsuKKytHUK6+eX7ZHQwPBqm35PB6Zf1NLbZW7bH3rOUfWKn7Bs7YyMmIhbtRx+jJN6KP8RpfLhKjaO15w27g/j4L6povLU=</latexit>
![Page 32: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/32.jpg)
Q: Can we suppress other patterns besides the query equality?
32
![Page 33: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/33.jpg)
The Volume Pattern• Volume pattern is the size of a response • very common leakage pattern (even ORAM leaks it) • hard to suppress without blowup in storage
• [Kellaris-Kollios-Nissim-O’Neill16,…] • series of attacks vs. volume pattern of range queries
33
![Page 34: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/34.jpg)
Suppressing Volume with Naive Padding
34
MM
ℓ1
ℓ2
ℓ3
MM
ℓ1
ℓ2
ℓ3
EMM.Setup
EMM
ℓ1
ℓ2
ℓ3
• Query complexity
• Storage complexity
O( max`2LMM
#MM[`])
O(#LMM · max`2LMM
#MM[`])Can we do better?
![Page 35: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/35.jpg)
Computationally-Secure Leakage
35
Unbounded Adversary Bounded Adversary
vs.
![Page 36: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/36.jpg)
Pseudo-Random Transform (PRT)
36
• Let F:{0,1}kx{0,1}*⟶{0,1}log µ be a PRF • Let λ ≥ 0 be a parameter (min. response length) • For each label ℓ in MM • compute len(ℓ) = λ + FK(ℓ | #MM[ℓ]) • if len(ℓ) < #MM[ℓ] truncate ℓ’s tuple to length len(ℓ) • if len(ℓ) > #MM[ℓ] pad ℓ’s tuple to length len(ℓ)
![Page 37: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/37.jpg)
Pseudo-Random Transform (PRT)
37
MM
ℓ1
ℓ2
ℓ3
MM
ℓ1
ℓ2
ℓ3
λ+FK(ℓ1|4) = 1+ 0 = 1
λ+FK(ℓ2|2) = 1+ 2 = 3
λ+FK(ℓ3|3) = 1+ 1 = 1
• Example with λ = 1 and µ = 3
EMM
ℓ1
ℓ2
ℓ3
EMM.Setup
![Page 38: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/38.jpg)
Pseudo-Random Transform (PRT)• PRT is a “lossy” transformation • PRT exploits a new tradeoff • lossiness vs. security
• Volume hiding relies on pseudo-randomness of F • Need to analyze • Number of truncations • Storage overhead
38
![Page 39: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/39.jpg)
Zipf-Distributed Multi-Maps• A MM is Zipf-distributed if the rth tuple has length
39
1
r ·H#LMM,1·X
`2LMM
#MM[`]
rth
Response length
Number of labels
0
0.05
0.1
0.15
0.2
0 200 400 600 800 1000Fr
eque
ncy
Keywords rank
SU datasetM-MU datasetL-MU dataset
Enron dataset
![Page 40: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/40.jpg)
Pseudo-Random Transform (PRT)
40
Thm: Let 1/2 < 𝝰 < 1. If MM is Zipf-distributed, then MM’ has size at most
with probability at least .
Furthermore, it incurs at most
truncations with probability at least .
↵ ·#L ·max`2L
#MM[`]<latexit sha1_base64="vvLBhXoVHV/CK8ghePFeLWlAlgY=">AAACNXicbVBNS8NAFNz4WetX1aOXxSJ4KokI6q3oxYOFCtYWmlBetpt26WYTdjdiCflVXvwd3nrxoOLVv+C2jaitAwvDzDz2vfFjzpS27ZG1sLi0vLJaWCuub2xubZd2du9UlEhCGyTikWz5oChngjY005y2Ykkh9Dlt+oPLsd+8p1KxSNzqYUy9EHqCBYyANlKnVHOBx31wSTfS2C27Iei+76fXGc6lEB46qUs5xy4T+MfPvtMqSGu1rD2OeJ1S2a7YE+B54uSkjHLUO6VntxuRJKRCEw5KtR071l4KUjPCaVZ0E0VjIAPo0bahAkKqvHRydoYPjdLFQSTNExpP1N8TKYRKDUPfJCeLznpj8T+vnejgzEuZiBNNBZl+FCQc6wiPO8RdJinRfGgIEMnMrpj0QQLRpumiKcGZPXmeNI4r5xXn5qRcvcjbKKB9dICOkINOURVdoTpqIIIe0Qi9ojfryXqx3q2PaXTBymf20B9Yn1/3+axQ</latexit><latexit sha1_base64="vvLBhXoVHV/CK8ghePFeLWlAlgY=">AAACNXicbVBNS8NAFNz4WetX1aOXxSJ4KokI6q3oxYOFCtYWmlBetpt26WYTdjdiCflVXvwd3nrxoOLVv+C2jaitAwvDzDz2vfFjzpS27ZG1sLi0vLJaWCuub2xubZd2du9UlEhCGyTikWz5oChngjY005y2Ykkh9Dlt+oPLsd+8p1KxSNzqYUy9EHqCBYyANlKnVHOBx31wSTfS2C27Iei+76fXGc6lEB46qUs5xy4T+MfPvtMqSGu1rD2OeJ1S2a7YE+B54uSkjHLUO6VntxuRJKRCEw5KtR071l4KUjPCaVZ0E0VjIAPo0bahAkKqvHRydoYPjdLFQSTNExpP1N8TKYRKDUPfJCeLznpj8T+vnejgzEuZiBNNBZl+FCQc6wiPO8RdJinRfGgIEMnMrpj0QQLRpumiKcGZPXmeNI4r5xXn5qRcvcjbKKB9dICOkINOURVdoTpqIIIe0Qi9ojfryXqx3q2PaXTBymf20B9Yn1/3+axQ</latexit><latexit sha1_base64="vvLBhXoVHV/CK8ghePFeLWlAlgY=">AAACNXicbVBNS8NAFNz4WetX1aOXxSJ4KokI6q3oxYOFCtYWmlBetpt26WYTdjdiCflVXvwd3nrxoOLVv+C2jaitAwvDzDz2vfFjzpS27ZG1sLi0vLJaWCuub2xubZd2du9UlEhCGyTikWz5oChngjY005y2Ykkh9Dlt+oPLsd+8p1KxSNzqYUy9EHqCBYyANlKnVHOBx31wSTfS2C27Iei+76fXGc6lEB46qUs5xy4T+MfPvtMqSGu1rD2OeJ1S2a7YE+B54uSkjHLUO6VntxuRJKRCEw5KtR071l4KUjPCaVZ0E0VjIAPo0bahAkKqvHRydoYPjdLFQSTNExpP1N8TKYRKDUPfJCeLznpj8T+vnejgzEuZiBNNBZl+FCQc6wiPO8RdJinRfGgIEMnMrpj0QQLRpumiKcGZPXmeNI4r5xXn5qRcvcjbKKB9dICOkINOURVdoTpqIIIe0Qi9ojfryXqx3q2PaXTBymf20B9Yn1/3+axQ</latexit><latexit sha1_base64="vvLBhXoVHV/CK8ghePFeLWlAlgY=">AAACNXicbVBNS8NAFNz4WetX1aOXxSJ4KokI6q3oxYOFCtYWmlBetpt26WYTdjdiCflVXvwd3nrxoOLVv+C2jaitAwvDzDz2vfFjzpS27ZG1sLi0vLJaWCuub2xubZd2du9UlEhCGyTikWz5oChngjY005y2Ykkh9Dlt+oPLsd+8p1KxSNzqYUy9EHqCBYyANlKnVHOBx31wSTfS2C27Iei+76fXGc6lEB46qUs5xy4T+MfPvtMqSGu1rD2OeJ1S2a7YE+B54uSkjHLUO6VntxuRJKRCEw5KtR071l4KUjPCaVZ0E0VjIAPo0bahAkKqvHRydoYPjdLFQSTNExpP1N8TKYRKDUPfJCeLznpj8T+vnejgzEuZiBNNBZl+FCQc6wiPO8RdJinRfGgIEMnMrpj0QQLRpumiKcGZPXmeNI4r5xXn5qRcvcjbKKB9dICOkINOURVdoTpqIIIe0Qi9ojfryXqx3q2PaXTBymf20B9Yn1/3+axQ</latexit>
1� exp
✓�#L · (2↵� 1)2/8
◆
<latexit sha1_base64="KhUV5kmhcdYVPK2FwAarzbqAl2g=">AAACInicbVC7TsMwFHXKq5RXgZHFIkJqB0pSIVGYKlgYGIpEaKUmVI7rtladOLIdRBX1X1j4FRYGXhMSH4PTZoCWI1k6Pude3XuPHzEqlWV9GbmFxaXllfxqYW19Y3OruL1zK3ksMHEwZ1y0fCQJoyFxFFWMtCJBUOAz0vSHF6nfvCdCUh7eqFFEvAD1Q9qjGCktdYpnNjyELnmIXJ/2+6X0Y7oBUgPfT67GLu5yVaq6iEUDpD27fFc9qsFJbblTNK2KNQGcJ3ZGTJCh0Sl+uF2O44CECjMkZdu2IuUlSCiKGRkX3FiSCOEh6pO2piEKiPSSyY1jeKCVLuxxoV+o4ET93ZGgQMpR4OvKdH0566Xif147Vr2al9AwihUJ8XRQL2ZQcZgGBrtUEKzYSBOEBdW7QjxAAmGlYy3oEOzZk+eJU62cVuzrY7N+nqWRB3tgH5SADU5AHVyCBnAABo/gGbyCN+PJeDHejc9pac7IenbBHxjfP8pPoN8=</latexit><latexit sha1_base64="KhUV5kmhcdYVPK2FwAarzbqAl2g=">AAACInicbVC7TsMwFHXKq5RXgZHFIkJqB0pSIVGYKlgYGIpEaKUmVI7rtladOLIdRBX1X1j4FRYGXhMSH4PTZoCWI1k6Pude3XuPHzEqlWV9GbmFxaXllfxqYW19Y3OruL1zK3ksMHEwZ1y0fCQJoyFxFFWMtCJBUOAz0vSHF6nfvCdCUh7eqFFEvAD1Q9qjGCktdYpnNjyELnmIXJ/2+6X0Y7oBUgPfT67GLu5yVaq6iEUDpD27fFc9qsFJbblTNK2KNQGcJ3ZGTJCh0Sl+uF2O44CECjMkZdu2IuUlSCiKGRkX3FiSCOEh6pO2piEKiPSSyY1jeKCVLuxxoV+o4ET93ZGgQMpR4OvKdH0566Xif147Vr2al9AwihUJ8XRQL2ZQcZgGBrtUEKzYSBOEBdW7QjxAAmGlYy3oEOzZk+eJU62cVuzrY7N+nqWRB3tgH5SADU5AHVyCBnAABo/gGbyCN+PJeDHejc9pac7IenbBHxjfP8pPoN8=</latexit><latexit sha1_base64="KhUV5kmhcdYVPK2FwAarzbqAl2g=">AAACInicbVC7TsMwFHXKq5RXgZHFIkJqB0pSIVGYKlgYGIpEaKUmVI7rtladOLIdRBX1X1j4FRYGXhMSH4PTZoCWI1k6Pude3XuPHzEqlWV9GbmFxaXllfxqYW19Y3OruL1zK3ksMHEwZ1y0fCQJoyFxFFWMtCJBUOAz0vSHF6nfvCdCUh7eqFFEvAD1Q9qjGCktdYpnNjyELnmIXJ/2+6X0Y7oBUgPfT67GLu5yVaq6iEUDpD27fFc9qsFJbblTNK2KNQGcJ3ZGTJCh0Sl+uF2O44CECjMkZdu2IuUlSCiKGRkX3FiSCOEh6pO2piEKiPSSyY1jeKCVLuxxoV+o4ET93ZGgQMpR4OvKdH0566Xif147Vr2al9AwihUJ8XRQL2ZQcZgGBrtUEKzYSBOEBdW7QjxAAmGlYy3oEOzZk+eJU62cVuzrY7N+nqWRB3tgH5SADU5AHVyCBnAABo/gGbyCN+PJeDHejc9pac7IenbBHxjfP8pPoN8=</latexit><latexit sha1_base64="KhUV5kmhcdYVPK2FwAarzbqAl2g=">AAACInicbVC7TsMwFHXKq5RXgZHFIkJqB0pSIVGYKlgYGIpEaKUmVI7rtladOLIdRBX1X1j4FRYGXhMSH4PTZoCWI1k6Pude3XuPHzEqlWV9GbmFxaXllfxqYW19Y3OruL1zK3ksMHEwZ1y0fCQJoyFxFFWMtCJBUOAz0vSHF6nfvCdCUh7eqFFEvAD1Q9qjGCktdYpnNjyELnmIXJ/2+6X0Y7oBUgPfT67GLu5yVaq6iEUDpD27fFc9qsFJbblTNK2KNQGcJ3ZGTJCh0Sl+uF2O44CECjMkZdu2IuUlSCiKGRkX3FiSCOEh6pO2piEKiPSSyY1jeKCVLuxxoV+o4ET93ZGgQMpR4OvKdH0566Xif147Vr2al9AwihUJ8XRQL2ZQcZgGBrtUEKzYSBOEBdW7QjxAAmGlYy3oEOzZk+eJU62cVuzrY7N+nqWRB3tgH5SADU5AHVyCBnAABo/gGbyCN+PJeDHejc9pac7IenbBHxjfP8pPoN8=</latexit>
1
log(#L) ·#L<latexit sha1_base64="rsB98eGlCq0cXpnWoMx9ArcfnrE=">AAACF3icbVBNS8NAEN3Ur1q/oh69LBahXmoignorevHgoYKxhSaUzWbTLt1kw+5GKCE/w4t/xYsHFa9689+4aXOorQ8GHu/NMDPPTxiVyrJ+jMrS8srqWnW9trG5tb1j7u49SJ4KTBzMGRddH0nCaEwcRRUj3UQQFPmMdPzRdeF3HomQlMf3apwQL0KDmIYUI6WlvnnihgLhzM4zl/FBw627EVJD389u8+McujjgCs6KfbNuNa0J4CKxS1IHJdp989sNOE4jEivMkJQ920qUlyGhKGYkr7mpJAnCIzQgPU1jFBHpZZPHcniklQCGXOiKFZyosxMZiqQcR77uLC6U814h/uf1UhVeeBmNk1SRGE8XhSmDisMiJRhQQbBiY00QFlTfCvEQ6aSUzrKmQ7DnX14kzmnzsmnfndVbV2UaVXAADkED2OActMANaAMHYPAEXsAbeDeejVfjw/ictlaMcmYf/IHx9QuoBZ+9</latexit><latexit sha1_base64="rsB98eGlCq0cXpnWoMx9ArcfnrE=">AAACF3icbVBNS8NAEN3Ur1q/oh69LBahXmoignorevHgoYKxhSaUzWbTLt1kw+5GKCE/w4t/xYsHFa9689+4aXOorQ8GHu/NMDPPTxiVyrJ+jMrS8srqWnW9trG5tb1j7u49SJ4KTBzMGRddH0nCaEwcRRUj3UQQFPmMdPzRdeF3HomQlMf3apwQL0KDmIYUI6WlvnnihgLhzM4zl/FBw627EVJD389u8+McujjgCs6KfbNuNa0J4CKxS1IHJdp989sNOE4jEivMkJQ920qUlyGhKGYkr7mpJAnCIzQgPU1jFBHpZZPHcniklQCGXOiKFZyosxMZiqQcR77uLC6U814h/uf1UhVeeBmNk1SRGE8XhSmDisMiJRhQQbBiY00QFlTfCvEQ6aSUzrKmQ7DnX14kzmnzsmnfndVbV2UaVXAADkED2OActMANaAMHYPAEXsAbeDeejVfjw/ictlaMcmYf/IHx9QuoBZ+9</latexit><latexit sha1_base64="rsB98eGlCq0cXpnWoMx9ArcfnrE=">AAACF3icbVBNS8NAEN3Ur1q/oh69LBahXmoignorevHgoYKxhSaUzWbTLt1kw+5GKCE/w4t/xYsHFa9689+4aXOorQ8GHu/NMDPPTxiVyrJ+jMrS8srqWnW9trG5tb1j7u49SJ4KTBzMGRddH0nCaEwcRRUj3UQQFPmMdPzRdeF3HomQlMf3apwQL0KDmIYUI6WlvnnihgLhzM4zl/FBw627EVJD389u8+McujjgCs6KfbNuNa0J4CKxS1IHJdp989sNOE4jEivMkJQ920qUlyGhKGYkr7mpJAnCIzQgPU1jFBHpZZPHcniklQCGXOiKFZyosxMZiqQcR77uLC6U814h/uf1UhVeeBmNk1SRGE8XhSmDisMiJRhQQbBiY00QFlTfCvEQ6aSUzrKmQ7DnX14kzmnzsmnfndVbV2UaVXAADkED2OActMANaAMHYPAEXsAbeDeejVfjw/ictlaMcmYf/IHx9QuoBZ+9</latexit><latexit sha1_base64="rsB98eGlCq0cXpnWoMx9ArcfnrE=">AAACF3icbVBNS8NAEN3Ur1q/oh69LBahXmoignorevHgoYKxhSaUzWbTLt1kw+5GKCE/w4t/xYsHFa9689+4aXOorQ8GHu/NMDPPTxiVyrJ+jMrS8srqWnW9trG5tb1j7u49SJ4KTBzMGRddH0nCaEwcRRUj3UQQFPmMdPzRdeF3HomQlMf3apwQL0KDmIYUI6WlvnnihgLhzM4zl/FBw627EVJD389u8+McujjgCs6KfbNuNa0J4CKxS1IHJdp989sNOE4jEivMkJQ920qUlyGhKGYkr7mpJAnCIzQgPU1jFBHpZZPHcniklQCGXOiKFZyosxMZiqQcR77uLC6U814h/uf1UhVeeBmNk1SRGE8XhSmDisMiJRhQQbBiY00QFlTfCvEQ6aSUzrKmQ7DnX14kzmnzsmnfndVbV2UaVXAADkED2OActMANaAMHYPAEXsAbeDeejVfjw/ictlaMcmYf/IHx9QuoBZ+9</latexit>
1� exp
✓� 2 ·#L · log2(#L)
◆
<latexit sha1_base64="UybYZ3OhzrMhHo0Jqr5xs6TW5W4=">AAACKnicbVDNTsJAGNziH+Jf1aOXjcQEDpCWmKg3ghcPHjARIaFItstSNmy7ze7WSBrex4uv4kEPSrz6IG5LDwhOsslk5pvs940bMiqVZc2M3Nr6xuZWfruws7u3f2AeHj1IHglMWpgzLjoukoTRgLQUVYx0QkGQ7zLSdsfXid9+IkJSHtyrSUh6PvICOqQYKS31zYYNK9Ahz6HjUs8rVWoOHnDlFB0fqZHrxrfTVIAO495jrbRolGGaKffNolW1UsBVYmekCDI0++a7M+A48kmgMENSdm0rVL0YCUUxI9OCE0kSIjxGHulqGiCfyF6c3jqFZ1oZwCEX+gUKpupiIka+lBPf1ZPJpnLZS8T/vG6khpe9mAZhpEiA5x8NIwYVh0lxcEAFwYpNNEFYUL0rxCMkEFa63oIuwV4+eZW0atWrqn13Xqw3sjby4AScghKwwQWogxvQBC2AwQt4A5/gy3g1PoyZ8T0fzRlZ5hj8gfHzC9GLpdk=</latexit><latexit sha1_base64="UybYZ3OhzrMhHo0Jqr5xs6TW5W4=">AAACKnicbVDNTsJAGNziH+Jf1aOXjcQEDpCWmKg3ghcPHjARIaFItstSNmy7ze7WSBrex4uv4kEPSrz6IG5LDwhOsslk5pvs940bMiqVZc2M3Nr6xuZWfruws7u3f2AeHj1IHglMWpgzLjoukoTRgLQUVYx0QkGQ7zLSdsfXid9+IkJSHtyrSUh6PvICOqQYKS31zYYNK9Ahz6HjUs8rVWoOHnDlFB0fqZHrxrfTVIAO495jrbRolGGaKffNolW1UsBVYmekCDI0++a7M+A48kmgMENSdm0rVL0YCUUxI9OCE0kSIjxGHulqGiCfyF6c3jqFZ1oZwCEX+gUKpupiIka+lBPf1ZPJpnLZS8T/vG6khpe9mAZhpEiA5x8NIwYVh0lxcEAFwYpNNEFYUL0rxCMkEFa63oIuwV4+eZW0atWrqn13Xqw3sjby4AScghKwwQWogxvQBC2AwQt4A5/gy3g1PoyZ8T0fzRlZ5hj8gfHzC9GLpdk=</latexit><latexit sha1_base64="UybYZ3OhzrMhHo0Jqr5xs6TW5W4=">AAACKnicbVDNTsJAGNziH+Jf1aOXjcQEDpCWmKg3ghcPHjARIaFItstSNmy7ze7WSBrex4uv4kEPSrz6IG5LDwhOsslk5pvs940bMiqVZc2M3Nr6xuZWfruws7u3f2AeHj1IHglMWpgzLjoukoTRgLQUVYx0QkGQ7zLSdsfXid9+IkJSHtyrSUh6PvICOqQYKS31zYYNK9Ahz6HjUs8rVWoOHnDlFB0fqZHrxrfTVIAO495jrbRolGGaKffNolW1UsBVYmekCDI0++a7M+A48kmgMENSdm0rVL0YCUUxI9OCE0kSIjxGHulqGiCfyF6c3jqFZ1oZwCEX+gUKpupiIka+lBPf1ZPJpnLZS8T/vG6khpe9mAZhpEiA5x8NIwYVh0lxcEAFwYpNNEFYUL0rxCMkEFa63oIuwV4+eZW0atWrqn13Xqw3sjby4AScghKwwQWogxvQBC2AwQt4A5/gy3g1PoyZ8T0fzRlZ5hj8gfHzC9GLpdk=</latexit><latexit sha1_base64="UybYZ3OhzrMhHo0Jqr5xs6TW5W4=">AAACKnicbVDNTsJAGNziH+Jf1aOXjcQEDpCWmKg3ghcPHjARIaFItstSNmy7ze7WSBrex4uv4kEPSrz6IG5LDwhOsslk5pvs940bMiqVZc2M3Nr6xuZWfruws7u3f2AeHj1IHglMWpgzLjoukoTRgLQUVYx0QkGQ7zLSdsfXid9+IkJSHtyrSUh6PvICOqQYKS31zYYNK9Ahz6HjUs8rVWoOHnDlFB0fqZHrxrfTVIAO495jrbRolGGaKffNolW1UsBVYmekCDI0++a7M+A48kmgMENSdm0rVL0YCUUxI9OCE0kSIjxGHulqGiCfyF6c3jqFZ1oZwCEX+gUKpupiIka+lBPf1ZPJpnLZS8T/vG6khpe9mAZhpEiA5x8NIwYVh0lxcEAFwYpNNEFYUL0rxCMkEFa63oIuwV4+eZW0atWrqn13Xqw3sjby4AScghKwwQWogxvQBC2AwQt4A5/gy3g1PoyZ8T0fzRlZ5hj8gfHzC9GLpdk=</latexit>
![Page 41: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/41.jpg)
Pseudo-Random Transform (PRT)• PRT has many advantages • easy to use and implement 😀 • doesn’t impact query and storage complexity too much 😀
• But it is is lossy 😞 • for keyword search one can rank results • so only low-ranked results are lost
41
![Page 42: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/42.jpg)
Q: Can we design a non-lossy transformation?
42
![Page 43: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/43.jpg)
Densest Subgraph Transform [K.-Moataz19]
• Data structure transformation • hides volume 😀 • query complexity ≈ query complexity of naive padding ☹ • storage complexity ≤ storage complexity of naive padding 😀 • non-lossy 😀
• How is this possible? • New EMM design framework • Computational assumptions from average-case complexity
43
![Page 44: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/44.jpg)
Densest Subgraph Transform [K.-Moataz19]
• For each label pick µ=maxℓ#MM[ℓ] bins at random • store values in bins • if #MM[ℓ] < µ don’t store anything in remaining bins
• Pad all bins
MM
ℓ1 v1
ℓ2 v3
ℓ3 v2
v2 v4
v4
Client state
v1 v3 v4
ℓ1 B1 B3 B4
ℓ1
v3
ℓ2 B2 B3 B4
v2 v4ℓ3 B1 B2 B3
ℓ2 ℓ3
B1 B2 B3 B4
Size of client state ≈
size of MM
![Page 45: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/45.jpg)
Densest Subgraph Transform [K.-Moataz19]
45
Client state
ℓ1 rand1
ℓ2 rand2
ℓ3 rand3
• Compressing the state • instead of choosing edges/bins uniformly at random • use a PRF and store key/rand value in state
Client state
ℓ1 B1 B3 B4
ℓ2 B2 B3 B4
ℓ3 B1 B2 B3
vs.
O(#L ·max`2L
#MM[`])<latexit sha1_base64="55ednwCn8nVnJcDhKfBDYlLR0jE=">AAACKHicbVDLSsNAFJ34rPVVdelmsAh1UxIR1F3RjQuLFawtJKFMppN26GQSZiZiCfkdN/6KGwWVbv0SJ2lAbb0wcOacc7n3Hi9iVCrTnBgLi0vLK6ultfL6xubWdmVn916GscCkjUMWiq6HJGGUk7aiipFuJAgKPEY63ugy0zsPREga8js1jogboAGnPsVIaapXadzUnKoTIDX0vOQ6dXA/VPr72EscwphD+Y+WwsIp/aTZTO3M4B71KlWzbuYF54FVgCooqtWrvDn9EMcB4QozJKVtmZFyEyQUxYykZSeWJEJ4hAbE1pCjgEg3yS9N4aFm+tAPhX5cwZz93ZGgQMpx4GlnvumslpH/aXas/DM3oTyKFeF4OsiPGVQhzGKDfSoIVmysAcKC6l0hHiKBsNLhlnUI1uzJ86B9XD+vW7cn1cZFkUYJ7IMDUAMWOAUNcAVaoA0weAIv4B18GM/Gq/FpTKbWBaPo2QN/yvj6BiRdp2Y=</latexit><latexit sha1_base64="55ednwCn8nVnJcDhKfBDYlLR0jE=">AAACKHicbVDLSsNAFJ34rPVVdelmsAh1UxIR1F3RjQuLFawtJKFMppN26GQSZiZiCfkdN/6KGwWVbv0SJ2lAbb0wcOacc7n3Hi9iVCrTnBgLi0vLK6ultfL6xubWdmVn916GscCkjUMWiq6HJGGUk7aiipFuJAgKPEY63ugy0zsPREga8js1jogboAGnPsVIaapXadzUnKoTIDX0vOQ6dXA/VPr72EscwphD+Y+WwsIp/aTZTO3M4B71KlWzbuYF54FVgCooqtWrvDn9EMcB4QozJKVtmZFyEyQUxYykZSeWJEJ4hAbE1pCjgEg3yS9N4aFm+tAPhX5cwZz93ZGgQMpx4GlnvumslpH/aXas/DM3oTyKFeF4OsiPGVQhzGKDfSoIVmysAcKC6l0hHiKBsNLhlnUI1uzJ86B9XD+vW7cn1cZFkUYJ7IMDUAMWOAUNcAVaoA0weAIv4B18GM/Gq/FpTKbWBaPo2QN/yvj6BiRdp2Y=</latexit><latexit sha1_base64="55ednwCn8nVnJcDhKfBDYlLR0jE=">AAACKHicbVDLSsNAFJ34rPVVdelmsAh1UxIR1F3RjQuLFawtJKFMppN26GQSZiZiCfkdN/6KGwWVbv0SJ2lAbb0wcOacc7n3Hi9iVCrTnBgLi0vLK6ultfL6xubWdmVn916GscCkjUMWiq6HJGGUk7aiipFuJAgKPEY63ugy0zsPREga8js1jogboAGnPsVIaapXadzUnKoTIDX0vOQ6dXA/VPr72EscwphD+Y+WwsIp/aTZTO3M4B71KlWzbuYF54FVgCooqtWrvDn9EMcB4QozJKVtmZFyEyQUxYykZSeWJEJ4hAbE1pCjgEg3yS9N4aFm+tAPhX5cwZz93ZGgQMpx4GlnvumslpH/aXas/DM3oTyKFeF4OsiPGVQhzGKDfSoIVmysAcKC6l0hHiKBsNLhlnUI1uzJ86B9XD+vW7cn1cZFkUYJ7IMDUAMWOAUNcAVaoA0weAIv4B18GM/Gq/FpTKbWBaPo2QN/yvj6BiRdp2Y=</latexit><latexit sha1_base64="55ednwCn8nVnJcDhKfBDYlLR0jE=">AAACKHicbVDLSsNAFJ34rPVVdelmsAh1UxIR1F3RjQuLFawtJKFMppN26GQSZiZiCfkdN/6KGwWVbv0SJ2lAbb0wcOacc7n3Hi9iVCrTnBgLi0vLK6ultfL6xubWdmVn916GscCkjUMWiq6HJGGUk7aiipFuJAgKPEY63ugy0zsPREga8js1jogboAGnPsVIaapXadzUnKoTIDX0vOQ6dXA/VPr72EscwphD+Y+WwsIp/aTZTO3M4B71KlWzbuYF54FVgCooqtWrvDn9EMcB4QozJKVtmZFyEyQUxYykZSeWJEJ4hAbE1pCjgEg3yS9N4aFm+tAPhX5cwZz93ZGgQMpx4GlnvumslpH/aXas/DM3oTyKFeF4OsiPGVQhzGKDfSoIVmysAcKC6l0hHiKBsNLhlnUI1uzJ86B9XD+vW7cn1cZFkUYJ7IMDUAMWOAUNcAVaoA0weAIv4B18GM/Gq/FpTKbWBaPo2QN/yvj6BiRdp2Y=</latexit>
O(#L)<latexit sha1_base64="ViGYl7alHyVSx3qrb+XPeCqUXsc=">AAAB93icbVBNS8NAFHzxs9aPRj16CQahXkoignorevEgWMHYQhPKZrtpl242YXcj1NBf4sWDilf/ijf/jZs2B20dWBhm3uPNTpgyKpXjfBtLyyura+uVjerm1vZOzdzde5BJJjDxcMIS0QmRJIxy4imqGOmkgqA4ZKQdjq4Kv/1IhKQJv1fjlAQxGnAaUYyUlnpm7bbu236M1DAM85vJcc+0nYYzhbVI3JLYUKLVM7/8foKzmHCFGZKy6zqpCnIkFMWMTKp+JkmK8AgNSFdTjmIig3wafGIdaaVvRYnQjytrqv7eyFEs5TgO9WQRUc57hfif181UdB7klKeZIhzPDkUZs1RiFS1YfSoIVmysCcKC6qwWHiKBsNJdVXUJ7vyXF4l30rhouHendvOybKMCB3AIdXDhDJpwDS3wAEMGz/AKb8aT8WK8Gx+z0SWj3NmHPzA+fwARvpJC</latexit><latexit sha1_base64="ViGYl7alHyVSx3qrb+XPeCqUXsc=">AAAB93icbVBNS8NAFHzxs9aPRj16CQahXkoignorevEgWMHYQhPKZrtpl242YXcj1NBf4sWDilf/ijf/jZs2B20dWBhm3uPNTpgyKpXjfBtLyyura+uVjerm1vZOzdzde5BJJjDxcMIS0QmRJIxy4imqGOmkgqA4ZKQdjq4Kv/1IhKQJv1fjlAQxGnAaUYyUlnpm7bbu236M1DAM85vJcc+0nYYzhbVI3JLYUKLVM7/8foKzmHCFGZKy6zqpCnIkFMWMTKp+JkmK8AgNSFdTjmIig3wafGIdaaVvRYnQjytrqv7eyFEs5TgO9WQRUc57hfif181UdB7klKeZIhzPDkUZs1RiFS1YfSoIVmysCcKC6qwWHiKBsNJdVXUJ7vyXF4l30rhouHendvOybKMCB3AIdXDhDJpwDS3wAEMGz/AKb8aT8WK8Gx+z0SWj3NmHPzA+fwARvpJC</latexit><latexit sha1_base64="ViGYl7alHyVSx3qrb+XPeCqUXsc=">AAAB93icbVBNS8NAFHzxs9aPRj16CQahXkoignorevEgWMHYQhPKZrtpl242YXcj1NBf4sWDilf/ijf/jZs2B20dWBhm3uPNTpgyKpXjfBtLyyura+uVjerm1vZOzdzde5BJJjDxcMIS0QmRJIxy4imqGOmkgqA4ZKQdjq4Kv/1IhKQJv1fjlAQxGnAaUYyUlnpm7bbu236M1DAM85vJcc+0nYYzhbVI3JLYUKLVM7/8foKzmHCFGZKy6zqpCnIkFMWMTKp+JkmK8AgNSFdTjmIig3wafGIdaaVvRYnQjytrqv7eyFEs5TgO9WQRUc57hfif181UdB7klKeZIhzPDkUZs1RiFS1YfSoIVmysCcKC6qwWHiKBsNJdVXUJ7vyXF4l30rhouHendvOybKMCB3AIdXDhDJpwDS3wAEMGz/AKb8aT8WK8Gx+z0SWj3NmHPzA+fwARvpJC</latexit><latexit sha1_base64="ViGYl7alHyVSx3qrb+XPeCqUXsc=">AAAB93icbVBNS8NAFHzxs9aPRj16CQahXkoignorevEgWMHYQhPKZrtpl242YXcj1NBf4sWDilf/ijf/jZs2B20dWBhm3uPNTpgyKpXjfBtLyyura+uVjerm1vZOzdzde5BJJjDxcMIS0QmRJIxy4imqGOmkgqA4ZKQdjq4Kv/1IhKQJv1fjlAQxGnAaUYyUlnpm7bbu236M1DAM85vJcc+0nYYzhbVI3JLYUKLVM7/8foKzmHCFGZKy6zqpCnIkFMWMTKp+JkmK8AgNSFdTjmIig3wafGIdaaVvRYnQjytrqv7eyFEs5TgO9WQRUc57hfif181UdB7klKeZIhzPDkUZs1RiFS1YfSoIVmysCcKC6qwWHiKBsNJdVXUJ7vyXF4l30rhouHendvOybKMCB3AIdXDhDJpwDS3wAEMGz/AKb8aT8WK8Gx+z0SWj3NmHPzA+fwARvpJC</latexit>
Some PRF seeds can lead to collisions
so just pick again until no collisions
![Page 46: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/46.jpg)
Densest Subgraph Transform [K.-Moataz19]
46
v1 v3 v4
ℓ1
v3
v2 v4
ℓ2 ℓ3
B1 B2 B3 B4
DX
B1 v1
B2 v3
B3 v3
v2
B4 v4
v4
EDX
B1 v1
B2 v3
B3 v3
v2
B4 v4
v4EMM.Setup
• Store bins in a dictionary DX and encrypt DX
![Page 47: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/47.jpg)
Densest Subgraph Transform [K.-Moataz19]
• To get ℓ2, • retrieve rand2 from state • compute bin identifiers
• 2:= F(rand2, 1), • 3:= F(rand2, 2), • 4:= F(rand3, 3)
• retrieve binsState DX
ℓ1 rand1
ℓ2 rand2
ℓ3 rand3
B2 B3 B4
EDX
B1 v1
B2 v3
B3 v3
v2
B4 v4
v4
v3 v3 v4v4
![Page 48: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/48.jpg)
Densest Subgraph Transform [K.-Moataz19]
48
Thm: The load of a bin is at most
with probability at least 1 - ε, where
N
n+
ln(1/")
3
✓1 +
s
1 +18N
n · ln(1/")
◆
N =X
`2LMM
#MM[`]
![Page 49: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/49.jpg)
• Alternative construction for concentrated MMs • v2 and v4 are duplicated so store them only once • Pick bi-partite clique at random
• store duplicated items in clique • Pick remaining edges at random
Densest Subgraph Transform [K.-Moataz19]
MM
ℓ1 v1
ℓ2 v3
ℓ3 v2
v2 v4
v4
ℓ1 ℓ2 ℓ3
v1 v3v2 v4
![Page 50: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/50.jpg)
Densest Subgraph Transform [K.-Moataz19]
50
Thm: The load of a bin is at most
with probability at least 1 - ε, where NDS is the size of concentrated part
N�NDS
n+
ln(1/")
3
✓1 +
s
1 +18(N�NDS)
n · ln(1/")
◆
![Page 51: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/51.jpg)
Densest Subgraph Assumption [Applebaum-Barak-Wigderson10]
51
≃Erdös-Rényi graph Erdös-Rényi graph with
planted dense subgraph
![Page 52: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/52.jpg)
Densest Subgraph Assumption [Applebaum-Barak-Wigderson10]
• Variant of the planted clique problem • central problem in average-case hardness
• Evidence for hardness • studied since the mid-70’s in CS & statistical physics • failure of powerful algorithmic techniques • restricted lower bounds • Sum-of-squares • Statistical query
52
![Page 53: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/53.jpg)
Conclusions
53
![Page 54: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/54.jpg)
Encrypted Search: 2000-2019• A large and vibrant area of research • Many interesting and hard problems • Many fundamental questions • how do we model leakage? • how do we quantify leakage? • how do we suppress leakage? • are the tradeoffs we observe inherent? (i..e, lower bounds)
54
![Page 55: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/55.jpg)
Encrypted Search: 2000-2019• Many connections • algorithms & data structures • database theory & systems • statistical learning theory • optimization • graph theory • distributed systems
55
![Page 56: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/56.jpg)
Encrypted Search: 2000-2019• Many interesting leakage attacks to study • But many new techniques to bypass leakage attacks • padding & clustering techniques [Bost-Fouque17] • response-hiding schemes [Blackstone-K.-Moataz19] • suppression compilers [K.-Moataz-Ohrimenko18] • suppression transforms [K.-Moataz19] • worst-case vs. average-case leakage [Agarwal-K.19] • distributing data [Agarwal-K.19]
56
![Page 57: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/57.jpg)
Encrypted Search: 2000-2019• New tradeoffs to explore • leakage vs. correctness [K.-Moataz19] • leakage vs. latency [K.-Moataz-Ohrimenko18]
57
![Page 58: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/58.jpg)
Encrypted Search: 2000-2019• Real-world impact • Microsoft SQL Server • MongoDB Field Level Encryption • Cisco WebEx • Ionic • more coming…
58
![Page 59: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/59.jpg)
Thanks to…
59Tarik Moataz
Ghous Amjad
Olya Ohrimenko
Laura BlackstoneArchita Agarwal
Sam ZhaoMarilyn George
Hajar Alturki
![Page 60: Encrypted Search: Leakage Suppression - Brown University · 2019. 10. 4. · How Should we Handle Leakage? • Approach #3: Rebuild [K.14] • Rebuild encrypted structure after t](https://reader035.vdocuments.mx/reader035/viewer/2022071606/61424cd255c1d11d1b341b71/html5/thumbnails/60.jpg)
The End
60