searchable encryption - sciencesconf.org · 2019-05-20 · searchable encryption new constructions...
TRANSCRIPT
Searchable Encryption
New Constructions of Encrypted Databases
Raphael Bost - 8/01/2017
Slides at https://r.bost.fyi/phd

Searchable Encryption
Outsource data
Securely
Keep search functionalities
Aimed at efficiency
… we have to leak some information …
… and this can lead to devastating attacks

An example: property preserving encryption
Deterministic encryption, Order Preserving Encryption
Legacy compatible (works on top of unencrypted DB)
Very efficient
Not secure in practice (frequency analysis)

Security of SE
Everything the server learns can be computed from the leakage
[Diagram: Real world (Client, Adversary) and Ideal World (Leakage, Simulator, Adversary): ? ? ?]

Examples of leakage
After a search, the user will access the matching documents. This will reveal the search result.
When the user searches for the same keyword twice, the server might learn that the query has been repeated.
In both cases, trying to get rid of this leakage is expensive

An explicit tradeoff between security and performance
Oblivious RAM lower bound: if one wants to hide the access pattern to a memory of size N, the computational overhead is $\Omega\left(\frac{\log N}{\log \sigma}\right)$
A similar lower bound exists for searchable encryption: a search pattern-hiding SE incurs a search overhead of $\Omega\left(\frac{\log \binom{|DB|}{n_w}}{\log \sigma}\right)$

Constructing encrypted databases
[Diagram: Client, Server; keyword w, token Kw; documents D1 D2 D3 D4 D5 D6]
[Diagram: Client, Server; keyword w’, token Kw’; documents D’1 D’2 D’3 D’4 D’5]
[Diagram: Client, Server; keyword w, token Kw; documents D1 to D6 and a new document D7. Server, holding Kw: "I know that w was updated!"]

File injection attacks [ZKP’16]
Insert purposely crafted documents in the DB (e.g. spam for encrypted emails)
log |W| injected documents
[Diagram: injected documents D1, D2, D3, each shown over the keywords w1 w2 w3 w4 w5 w6 w7 w8; K]

Active adaptive attacks
These adaptive attacks use the update leakage
We need SE schemes with oblivious updates
Forward Privacy

Forward privacy
Forward private: an update does not leak any information
Secure online build of the EDB
Only one scheme existed so far [SPS’14]
ORAM-like construction
Inefficient updates
Large client storage

How to achieve forward privacy efficiently?
[Diagram: a search token ST, …, and a new token ST’]

[Diagram: chain of search tokens ST1, ST2, …, STn, STn+1; each STi is mapped by H(.) to the update token UTi (UT1, UT2, …, UTn, UTn+1)]
Naïve solution: STi(w) = F(Kw,i), send all STi(w)’s
Client needs to send n tokens
Use a trapdoor permutation (client has the secret key, server has the public key, and cannot compute the inverse)
[Diagram: consecutive tokens in the chain are linked by πPK and π-1SK]
Search: Client: constant; Server: # results
Update: Client: constant; Server: constant
Optimal
Storage: Client: # distinct keywords; Server: # database entries

Σoφoς
Forward private index-based scheme
Very simple
Efficient search (IO bounded)
Asymptotically efficient update
In practice, very low update throughput: 4300 updates/s, 20x slower than other work
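
The token chain from the slides above, as an added example (not code from the talk or from OpenSSE). Following the Σoφoς paper, the client steps forward with ST_{i+1} = π^-1_SK(ST_i) and the server walks back with π_PK. Assumptions of this sketch: a toy RSA permutation with constructed, insecure parameters, HMAC-SHA256 standing in for H(.), 8-byte document ids, and the hypothetical names `Client`, `Server` and `demo`.

```python
import hashlib
import hmac
import secrets

# Toy RSA trapdoor permutation (constructed parameters). P and Q are the
# Mersenne primes 2^107-1 and 2^127-1: fine for a demo, NOT a secure modulus.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # secret exponent, client side only

def pi_pk(x):                           # pi_PK: needs only the public (N, E)
    return pow(x, E, N)

def pi_sk_inv(x):                       # pi^-1_SK: needs the secret exponent D
    return pow(x, D, N)

def H(kw, st, label):
    """H(.): keyed hash of a search token; label separates its two uses."""
    return hmac.new(kw, label + st.to_bytes(32, "big"), hashlib.sha256).digest()

def mask(kw, st, data):                 # XOR an 8-byte id with a token-derived pad
    return bytes(a ^ b for a, b in zip(data, H(kw, st, b"mask")))

class Client:
    def __init__(self):
        self.master = secrets.token_bytes(32)
        self.state = {}                 # keyword -> (newest ST, update count)

    def kw_key(self, w):
        return hmac.new(self.master, w.encode(), hashlib.sha256).digest()

    def update(self, w, doc_id):
        """One secret-key step per update: ST_{i+1} = pi^-1_SK(ST_i)."""
        if w in self.state:
            st, count = self.state[w]
            st = pi_sk_inv(st)
        else:
            st, count = secrets.randbelow(N - 2) + 2, 0
        self.state[w] = (st, count + 1)
        kw = self.kw_key(w)
        return H(kw, st, b"ut"), mask(kw, st, doc_id.to_bytes(8, "big"))

    def search_token(self, w):
        st, count = self.state[w]
        return self.kw_key(w), st, count

class Server:
    def __init__(self):
        self.edb = {}                   # UT -> masked document id

    def update(self, ut, masked):
        self.edb[ut] = masked

    def search(self, kw, st, count):
        """Walk the chain backwards with pi_PK only: one step per result."""
        results = []
        for _ in range(count):
            entry = self.edb[H(kw, st, b"ut")]
            results.append(int.from_bytes(mask(kw, st, entry), "big"))
            st = pi_pk(st)              # ST_{i-1} = pi_PK(ST_i)
        return results

def demo():
    client, server = Client(), Server()
    for doc_id in (11, 22, 33):         # constructed document ids
        server.update(*client.update("invoice", doc_id))
    kw, st, count = client.search_token("invoice")
    before = server.search(kw, st, count)
    # The server now holds kw and ST_3. The next entry is filed under H(ST_4),
    # and ST_4 = pi^-1_SK(ST_3) cannot be computed without the secret key.
    ut_new, masked_new = client.update("invoice", 44)
    server.update(ut_new, masked_new)
    reachable = set()                   # every UT the server can derive itself
    for _ in range(count):
        reachable.add(H(kw, st, b"ut"))
        st = pi_pk(st)
    after = server.search(*client.search_token("invoice"))
    return before, ut_new in reachable, after
```

`demo()` returns the results of the first search, whether the later update token was derivable from what the server already held, and the results once a fresh search token is issued.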

Another path towards forward privacy
[Diagram: a search token ST, …, and a new token ST’]

Constrained PRF
Can we restrict the evaluation of F(Kw,.) on [1,n]?
[Diagram: Evaluation takes K and x and outputs F(K,x). Constrain takes K and a condition C and outputs KC. Evaluation with KC outputs F(K,x) when C(x) = true and is blocked (🚫) when C(x) = false]

Range-Constrained PRF
Consider the condition Cn:
Cn(x) = true if and only if 1 ≤ x ≤ n (range condition)
Kn = Constrain(K,Cn) can only be used to evaluate F on [1,n]
[Diagram: Client, Server; keyword w, key Kw. Constrain gives Kw6 for documents D1 to D6; after D7 and D8 are inserted, Constrain gives Kw8]

Diana
Instantiate the CPRF F with a tree-based PRF construction
Asymptotically less efficient than Σoφoς
In practice, a lot better. Always IO bounded (for both searches and updates)
Search: <1µs per match (on RAM)
Update: 174 000 entries per second (4300 for Σoφoς)
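
A range-constrained PRF built on a binary tree, as an added example of the Constrain/Evaluation interface on the slides above (not code from the talk or from OpenSSE). Assumptions of this sketch: HMAC-SHA256 as the length-doubling generator, a tree depth of 16, entries indexed directly by the PRF output, and the hypothetical function names used below.

```python
import hashlib
import hmac

DEPTH = 16      # tree depth (assumed): counters range over 1 .. 2**DEPTH


def child(seed, bit):
    """One half of a length-doubling PRG, built here from HMAC-SHA256."""
    return hmac.new(seed, b"R" if bit == "1" else b"L", hashlib.sha256).digest()


def descend(seed, bits):
    """Follow a path of '0'/'1' characters down from the node holding seed."""
    for bit in bits:
        seed = child(seed, bit)
    return seed


def leaf_path(x):
    """Counter x in [1, 2**DEPTH] -> root-to-leaf path of leaf number x-1."""
    if not 1 <= x <= 2**DEPTH:
        raise ValueError("counter outside the PRF domain")
    return format(x - 1, "0{}b".format(DEPTH))


def evaluate(key, x):
    """F(K, x) with the unconstrained key K, which is the root of the tree."""
    return descend(key, leaf_path(x))


def constrain(key, n):
    """K_n = Constrain(K, C_n): inner nodes whose leaves are exactly [1, n]."""
    if not 1 <= n <= 2**DEPTH:
        raise ValueError("range bound outside the PRF domain")
    if n == 2**DEPTH:
        return [("", key)]                    # whole domain: hand over the root
    bound = format(n, "0{}b".format(DEPTH))   # path of the first excluded leaf
    nodes = []
    for i, bit in enumerate(bound):
        if bit == "1":                        # left sibling lies below the bound
            prefix = bound[:i] + "0"
            nodes.append((prefix, descend(key, prefix)))
    return nodes


def evaluate_constrained(nodes, x):
    """F(K, x) from K_n alone; refuses any x the key was not cut for."""
    path = leaf_path(x)
    for prefix, seed in nodes:
        if path.startswith(prefix):
            return descend(seed, path[len(prefix):])
    raise PermissionError("x is outside the constrained range")


def demo():
    k_w = hashlib.sha256(b"constructed key for keyword w").digest()
    # Constructed index: entry i of keyword w is stored under F(K_w, i).
    edb = {evaluate(k_w, i): "D%d" % i for i in range(1, 9)}
    k_w6 = constrain(k_w, 6)                  # sent to the server for a search
    found = [edb[evaluate_constrained(k_w6, i)] for i in range(1, 7)]
    try:
        evaluate_constrained(k_w6, 7)         # entry inserted after the search
        blocked = False
    except PermissionError:
        blocked = True
    k_w8 = constrain(k_w, 8)
    return found, blocked, len(k_w6), len(k_w8), edb[evaluate_constrained(k_w8, 8)]
```

The constrained key holds at most DEPTH tree nodes, so its size grows with the logarithm of the domain rather than with n.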

Can we do better?
Similarly to the ORAM lower bound, we can show that the computational overhead of an update for a forward-private scheme is $\Omega\left(\frac{\log |W|}{\log \sigma}\right)$
Σoφoς is optimal (constant-time update, σ = |W|)

Deletions
How to delete entries in an encrypted database?
Existing schemes use a ‘revocation list’
Problem: the deleted information is still revealed to the server
Backward privacy: ‘nothing’ is leaked about the deleted documents

Backward privacy
Baseline: the client fetches the encrypted lists of inserted and deleted documents, locally decrypts and retrieves the documents.
Optimal security
2 interactions
Complexity (communication & computation): # insertions (vs. # results)

Backward privacy with optimal updates & comm.
Could we prevent the server from decrypting some entries?
Puncturable Encryption [GM’15]: Revocation of decryption capabilities for specific messages
[Diagram: Encrypt takes K, a document D and a tag T. Puncture takes K and a tag T and gives a key punctured on T; Puncture on T’ then gives a key punctured on T and T’. With the key punctured on T and T’, Decrypt is blocked (🚫) for a ciphertext with the same tag T, and returns D for ≠ tags (T’’)]

[Diagram, Insertion: Client, Server, Σ Client, Σ Server; w, Hash, Kw; Encrypt D with tag T; Add to w]
[Diagram, Deletion: Client, Server, Σ Client, Σ Server; w, Hash; Puncture Kw on T for D, then on T’ for D’]
[Diagram, Search: Client sends Search w to the Server; Σ Client, Σ Server; entries with tags T1 T2 T3 T4 T5 T6 T7 T8; Kw punctured on T7 and T3; Decrypt gives D1 D2 D4 D5 D6 D8, and 🚫 for the two punctured entries]

Janus
Not so good:
O(nw.dw) search comp.
Uses pairings (not fast)
Good:
Forward & backward-private
Optimal update complexity
Optimal communication

Implementation of SE
[Diagram: software stack. Client, Server, gRPC; Σoφoς, Diana, Janus, RocksDB; PRF, Hash, TDP, Enc., …; libsodium, mbedTLS, Relic]

OpenSSE
Goal: fast and secure implementation of SE schemes
10 700 C/C++ LoC (crypto: 6500, schemes: 4200)
Open Source: opensse.github.io
And it’s documented!!! (at least for the crypto)

Other works on searchable encryption
Verifiable SSE: check that the results returned by the server are correct. Constructions and lower bounds
Analysis of recent attacks (leakage-abuse attacks) that only use the leakage to break the security of schemes. Proposed countermeasures.

Conclusion
Forward privacy
Updates do not leak information about the past events
Two efficient constructions: Σoφoς and Diana
Backward privacy
Deletions are not recoverable by the server
Janus: backward privacy with optimal communication

Conclusion
SE involves very diverse topics: theoretical CS, cryptanalysis, cryptographic primitives, systems, …
Real world cryptography, with great impact

Publications
Searchable Encryption:
[B Fouque Pointcheval - ePrint 16]: Verifiable Dynamic Symmetric Searchable Encryption: Optimality and Forward Security
[B - CCS 16]: Σoφoς: Forward Secure Searchable Encryption
[B Minaud Ohrimenko - CCS 17]: Forward and Backward Private Searchable Encryption from Constrained Cryptographic Primitives
[B Fouque - ePrint 17]: Thwarting Leakage Abuse Attacks against Searchable Encryption – A Formal Approach and Applications to Database Padding
Other:
[B Popa Tu Goldwasser - NDSS 15]: Machine Learning Classification over Encrypted Data.
[B Sanders - AsiaCrypt 16]: Trick or Tweak: On the (In)security of OTR’s Tweaks

Verifiable SE
The server might be malicious: return fake results, delete real results, …
The client needs to verify the results
This is not free: lower bound (derived from [DNRV’09])
If client storage is less than $|W|^{1-\varepsilon}$, search complexity has to be larger than log |W|
The lower bound is tight: using Merkle hash trees and set hash functions
Many possible tradeoffs between search & update complexities

Crypto vs. Seek time
The magic world of searchable encryption:
Symmetric crypto is free
Asymmetric crypto is not overly expensive
A lot of the cost comes from the non-locality of memory accesses

Locality vs. Caching
The OS is ‘smart’: it caches memory.
Be careful when you are testing your construction on small databases
Once the database is cached, non-locality disappears
Beware of the evaluation of performance

Evaluating the security
Use the leakage function from the security definitions
Provable security
Very hard to understand the extent of the leakage
Rely on cryptanalysis: leakage-abuse attacks
Maybe not the best adversary
‘Real world’ implications
State-of-the-art schemes leak the number of results of a query
Enough to recover the queries when the adversary knows the database [CGPR’15]
Counter-measure: padding (it has a cost)