Page 1: Searchable Encryption (cpap/course/enee759l/pdf/...)

Searchable Encryption
Nuttiiya Seekhao

Page 2: Overview

• Motivation
• Literature
• Background
• Solutions
  • Scheme I, II, III, IV
• Discussion
  • Runtime
  • Possible Extensions
• Conclusion

Pages 3 to 5: Motivation

Page 6: Searchable Encryption!

Page 7: Practical Techniques for Searches on Encrypted Data

• By Dawn Xiaodong Song, David Wagner, and Adrian Perrig, 2000 [16]
• Main idea: embed the information needed for searching in the ciphertext itself
• Search is a sequential scan over the whole ciphertext: not scalable

Page 8: Practical Techniques for Searches on Encrypted Data

• The techniques provide:
  • Provable secrecy: the untrusted server learns nothing about the plaintext from the ciphertext alone
  • Controlled searching: the server cannot search for an arbitrary word without the user's authorization
  • Hidden queries: the user can ask the server to search for a word without revealing the word
  • Query isolation: the server learns nothing about the plaintext beyond the search result

Page 9: Related Work – Prior to This Paper (1)

• Providing secrecy and integrity on an untrusted file server [2, 11, 1, 3]
• Secure multi-party computation and oblivious functions [13, 5]
  • Require high overhead, e.g. multiple servers

Page 10: Related Work – Prior to This Paper (2)

• Private Information Retrieval (PIR) problem [9, 15, 12, 8, 4]
• These schemes have at least one of the following limitations:
  • Require multiple non-colluding servers
  • Consume large amounts of bandwidth
  • Do not guarantee the confidentiality of the data
  • Do not support private keyword searching
  • Do not support controlled searching or query isolation

Page 11: Background and Definitions

• Let $n$ = block length (equivalently the word length, since fixed-length words are assumed)
• Let $m$ = system parameter, $m < n$; the last $m$ bits of every block carry the check value
• Pseudorandom generator $G : \mathcal{K}_G \to \mathcal{S}_G$, stretching a short seed into the stream $S_1, S_2, \ldots$, each $S_i$ of $n - m$ bits

Page 12: Background and Definitions

• Pseudorandom function $F : \mathcal{K}_F \times \{0,1\}^{n-m} \to \{0,1\}^{m}$ (the slide writes $F : K_F \times X \to Y_F$)
• Pseudorandom permutation $E : \mathcal{K}_E \times \{0,1\}^{n} \to \{0,1\}^{n}$ (the slide writes $E : K_E \times Z \to Z$)
• Pseudorandom function $f : \mathcal{K}_f \times \{0,1\}^{*} \to \mathcal{K}_F$, used to derive the per-word keys $k_i$ for $F$ (the slide's range $K_f$ should read $K_F$, the key space of $F$)

Page 13: Scheme I – The Basic Scheme

Plaintext words:         $W_1, W_2, W_3, \ldots, W_{l-1}, W_l$ (each $n$ bits)
Stream blocks from $G$:  $S_1, S_2, S_3, \ldots, S_{l-1}, S_l$ (each $n - m$ bits)
Per-position keys:       $k_1, k_2, k_3, \ldots, k_{l-1}, k_l$
Check blocks:            $T_1, T_2, T_3, \ldots, T_{l-1}, T_l$ with $T_i = \langle S_i, F_{k_i}(S_i) \rangle$ (each $n$ bits)

Page 14: Scheme I – The Basic Scheme

Plaintext words:  $W_1, W_2, W_3, \ldots, W_{l-1}, W_l$
Check blocks:     $T_1, T_2, T_3, \ldots, T_{l-1}, T_l$
Ciphertext:       $C_1, C_2, C_3, \ldots, C_{l-1}, C_l$

$$C_i = W_i \oplus T_i$$

Page 15: Scheme I – The Basic Scheme

[Figure: stream cipher. Plaintext $W_i$ is XORed with the block $T_i = \langle S_i, F_{k_i}(S_i) \rangle$ to give ciphertext $C_i$.]

To encrypt:
• Alice generates the pseudorandom sequence $S_1, S_2, \ldots, S_l$ with $G$
• For each location $i$ in the document she computes $T_i = \langle S_i, F_{k_i}(S_i) \rangle$
• $C_i = W_i \oplus T_i$

Page 16: Scheme I – The Basic Scheme

[Figure: same stream-cipher diagram as the previous slide.]

To search: Alice gives Bob $\langle W_i, k_i \rangle$. Bob computes $C_i \oplus W_i = \langle s, t \rangle$ and reports a match if $t = F_{k_i}(s)$; a position that does not hold $W_i$ passes this test with probability about $2^{-m}$.

Page 17: Scheme I – Problem?

• Alice wants Bob to search for a word $W$, so either:
  • Alice reveals all $k_i$ to Bob, who can then test any word at any position: a horrible security scheme!
  • Alice must know in advance the locations where $W$ may appear: a horrible remote search scheme!

Page 18: Scheme II – Controlled Searching

[Figure: stream-cipher diagram as before; the per-position key is now derived from the word.]

$$k_i := f_{k'}(W_i)$$

To search: Alice gives Bob $\langle W, f_{k'}(W) \rangle$, and Bob runs the same test at every position with that one key. Bob can only search for words whose key Alice has released: this is controlled searching.

Page 19: Scheme II – Problems?

• Does not support hidden queries: Bob learns the word $W$ he is searching for
• Can we do better? Of course! Encrypt the words first.

Page 20: Scheme III – Support for Hidden Searches

[Figure: $W_i$ is first encrypted with $E_{k''}$ to $X_i$, which is then XORed with the stream-cipher block $T_i$.]

$$X_i := E_{k''}(W_i), \qquad k_i := f_{k'}(X_i), \qquad C_i = X_i \oplus T_i$$

To search: Alice gives Bob $\langle X, k \rangle$ with $X = E_{k''}(W)$ and $k = f_{k'}(X)$; Bob never sees $W$.

Page 21: Scheme III – Problems?

• How would Alice recover the plaintext from the ciphertext?
• Circular dependency:
  • Need $k_i$ to decrypt $C_i$
  • Need $X_i$ (hence $W_i$) to get $k_i$
  • Need to decrypt $C_i$ to get $X_i$
  • Need the plaintext to decrypt the plaintext?!?!
• Can we fix this?

Page 22: Scheme IV – The Final Scheme

[Figure: $X_i = E_{k''}(W_i)$ is split into $L_i$ (first $n - m$ bits) and $R_i$ (last $m$ bits); the key for $F$ now depends only on $L_i$.]

$$X_i = E_{k''}(W_i) = \langle L_i, R_i \rangle, \qquad k_i := f_{k'}(L_i), \qquad C_i = X_i \oplus T_i$$

To search: Alice gives Bob $\langle X, k \rangle$ with $X = E_{k''}(W) = \langle L, R \rangle$ and $k = f_{k'}(L)$.

Page 23: Scheme IV – The Final Scheme

[Figure: same diagram as the previous slide.]

To decrypt position $i$:
• Alice regenerates $S_i$ from $G$
• Computes the first $n - m$ bits of $C_i \oplus S_i$; because those bits of $C_i$ are $L_i \oplus S_i$, this gives $L_i$
• Computes $k_i := f_{k'}(L_i)$
• Computes $F_{k_i}(S_i)$, XORs it onto the last $m$ bits of $C_i$ to recover $R_i$, and obtains $W_i = E^{-1}_{k''}(\langle L_i, R_i \rangle)$
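The following Python is an added example, not code from the slides or from the Song, Wagner and Perrig paper: it implements Scheme IV end to end (Alice's encryption, the trapdoor she hands Bob, Bob's sequential scan, and Alice's decryption in the order the scheme forces: $S_i$, then $L_i$, then $k_i$, then $R_i$). The instantiation is my own choice and not fixed by the paper: $n = 128$-bit words, $m = 32$-bit check field, HMAC-SHA256 for $F$, $f$ and the generator $G$, and a four-round Feistel network with HMAC round functions as the permutation $E$. The sample document is constructed for the demo.

```python
"""Song-Wagner-Perrig Scheme IV, stdlib only (example instantiation, not the paper's code)."""
import hashlib
import hmac
import secrets

N_BYTES = 16                  # n = 128-bit words (assumption)
M_BYTES = 4                   # m = 32-bit check field F_{k_i}(S_i) (assumption)
L_BYTES = N_BYTES - M_BYTES   # n - m = 96 bits: length of S_i and of L_i
ROUNDS = 4                    # Feistel rounds for the permutation E (assumption)


def _prf(key: bytes, data: bytes, out_len: int) -> bytes:
    """HMAC-SHA256, truncated, standing in for F, f and the generator G."""
    return hmac.new(key, data, hashlib.sha256).digest()[:out_len]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad_word(word: str) -> bytes:
    """The paper assumes fixed-length words: NUL-pad to n bits."""
    raw = word.encode()
    if len(raw) > N_BYTES:
        raise ValueError("word longer than n bits")
    return raw.ljust(N_BYTES, b"\x00")


def unpad_word(block: bytes) -> str:
    return block.rstrip(b"\x00").decode()


def E(k2: bytes, block: bytes) -> bytes:
    """Pseudorandom permutation E_{k''}: 4-round Feistel on 64-bit halves."""
    left, right = block[:8], block[8:]
    for r in range(ROUNDS):
        left, right = right, _xor(left, _prf(k2, bytes([r]) + right, 8))
    return left + right


def E_inv(k2: bytes, block: bytes) -> bytes:
    """Inverse permutation: same round functions, applied in reverse order."""
    left, right = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _prf(k2, bytes([r]) + left, 8)), left
    return left + right


def keygen() -> dict:
    # kG seeds the stream generator G, k1 is k' (keys f), k2 is k'' (keys E)
    return {"kG": secrets.token_bytes(32), "k1": secrets.token_bytes(32), "k2": secrets.token_bytes(32)}


def S(kG: bytes, i: int) -> bytes:
    """Stream block S_i (n - m bits): the i-th output of the keyed generator G."""
    return _prf(kG, i.to_bytes(8, "big"), L_BYTES)


def encrypt_doc(keys: dict, words: list[str]) -> list[bytes]:
    out = []
    for i, w in enumerate(words):
        X = E(keys["k2"], pad_word(w))        # X_i = E_{k''}(W_i) = <L_i, R_i>
        L = X[:L_BYTES]
        k_i = _prf(keys["k1"], L, 32)         # k_i = f_{k'}(L_i): depends on L_i only
        s = S(keys["kG"], i)
        T = s + _prf(k_i, s, M_BYTES)         # T_i = <S_i, F_{k_i}(S_i)>
        out.append(_xor(X, T))                # C_i = X_i xor T_i
    return out


def trapdoor(keys: dict, word: str) -> tuple[bytes, bytes]:
    """What Alice gives Bob: <X, k> with X = E_{k''}(W) and k = f_{k'}(L). W itself stays hidden."""
    X = E(keys["k2"], pad_word(word))
    return X, _prf(keys["k1"], X[:L_BYTES], 32)


def server_search(ciphertexts: list[bytes], X: bytes, k: bytes) -> list[int]:
    """Bob's O(l) scan: position i matches when C_i xor X has the form <s, F_k(s)>."""
    hits = []
    for i, C in enumerate(ciphertexts):
        st = _xor(C, X)
        s, t = st[:L_BYTES], st[L_BYTES:]
        if hmac.compare_digest(t, _prf(k, s, M_BYTES)):   # false positive with prob. ~2^-m
            hits.append(i)
    return hits


def decrypt_doc(keys: dict, ciphertexts: list[bytes]) -> list[str]:
    """Alice's decryption; L_i must be recovered before k_i can be derived."""
    words = []
    for i, C in enumerate(ciphertexts):
        s = S(keys["kG"], i)
        L = _xor(C[:L_BYTES], s)                       # first n - m bits of C_i xor S_i = L_i
        k_i = _prf(keys["k1"], L, 32)                  # k_i = f_{k'}(L_i), now computable
        R = _xor(C[L_BYTES:], _prf(k_i, s, M_BYTES))   # strip F_{k_i}(S_i) from the last m bits
        words.append(unpad_word(E_inv(keys["k2"], L + R)))
    return words


def demo() -> tuple[list[int], list[str], bool]:
    """Constructed document; returns (positions matching 'puppy', recovered words, C_1 != C_4)."""
    keys = keygen()
    doc = ["the", "puppy", "chased", "the", "puppy", "home"]
    C = encrypt_doc(keys, doc)
    X, k = trapdoor(keys, "puppy")
    return server_search(C, X, k), decrypt_doc(keys, C), C[1] != C[4]


if __name__ == "__main__":
    print(demo())
```

The third value returned by `demo()` makes the leakage on the next slide concrete: the two occurrences of "puppy" encrypt to different ciphertexts because $S_1 \neq S_4$, yet a single trapdoor matches both, so Bob learns exactly which positions hold the queried word even though he never learns the word.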

Page 24: Scheme IV – Problems?

• Secure encryption scheme? Yes
• Secure searchable encryption scheme?
  • Statistical attack: every search shows Bob which positions match, so repeated searches leak word frequencies and positions
  • Mitigation: periodically change the key, re-encrypt, and re-order the ciphertexts
  • Could decrease $m$ to get more false matches: a non-matching position passes the test with probability about $2^{-m}$, which adds noise to what Bob learns but leaves Alice more false hits to filter out

Page 25: Discussion – Runtime

• For a document of length $n$ (here $n$ is the number of words, not the block length):
  • Search algorithm: $O(n)$
  • Encryption: $O(n)$
• Introduces almost no space and communication overhead
• Is search in $O(n)$ really practical?

Page 26: Possible Extensions (1)

• More advanced search queries
  • Boolean, e.g. $W$ and $W'$
  • Regular expression, e.g. ab[a-z]: generates 26 search queries of the form {aba, abb, …, abz}
• Retrieve the list of documents containing the word of interest
  • Store each word occurrence together with a count, e.g. <0, puppy>, <1, puppy>, …
  • Hides location information
  • Can search for documents containing $c$ or more occurrences of $W$ by searching for <$c-1$, $W$>

Page 27: Possible Extensions (2)

• Variable-length words
  • Pad to fixed-size blocks: inefficient storage
  • Store the word length with the word itself
    • How to search? Scan for a match at each possible bit boundary: inefficient search

Page 28: Possible Extensions (3)

• Searching with an encrypted index
  • The index contains a list of keywords
  • Each keyword is stored with a list of pointers to the documents containing it
  • Each proposed extension assumes the pointer data stored per keyword has a fixed size
  • Updates would not be pretty!

Page 29: Related Work – Revisited

• Searchable symmetric encryption: improved definitions and efficient constructions (2006) [10]
  • Work performed by the server per returned document is constant
  • Requires O(# of files) to search
  • 2nd construction achieves adaptive SSE security
• Privacy preserving keyword searches on remote encrypted data (2005) [6]
  • Works with existing file encryption schemes
  • Works with compressed files
• Dynamic searchable symmetric encryption (2012) [14]
  • Search in O(# of files containing the word)
  • Adaptively SSE secure
  • Dynamic
• Highly-scalable searchable symmetric encryption with support for Boolean queries (2013) [7]
  • Supports conjunctive searches and general Boolean queries
• More…

Page 30: Conclusion

• At the time, new techniques for searchable encryption
• Advantages:
  • Provably secure
  • Supports controlled search, hidden search, and query isolation
  • Simple
  • Introduces almost no space and communication overhead
• Disadvantages:
  • $O(n)$ search algorithm
  • Vulnerable to statistical attacks

Page 31: References

[1] Amato, Nancy M., and Michael C. Loui. "Checking linked data structures." Fault-Tolerant Computing, 1994. FTCS-24. Digest of Papers, Twenty-Fourth International Symposium on. IEEE, 1994.
[2] Blaze, Matt. "A cryptographic file system for UNIX." Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, 1993.
[3] Blum, Manuel, et al. "Checking the correctness of memories." Algorithmica 12.2-3 (1994): 225-244.
[4] Cachin, Christian, Silvio Micali, and Markus Stadler. "Computationally private information retrieval with polylogarithmic communication." Advances in Cryptology, EUROCRYPT '99. Springer Berlin Heidelberg, 1999.
[5] Canetti, Ran. Studies in Secure Multiparty Computation and Applications. Diss. The Weizmann Institute of Science, 1996.
[6] Chang, Yan-Cheng, and Michael Mitzenmacher. "Privacy preserving keyword searches on remote encrypted data." Applied Cryptography and Network Security. Springer Berlin Heidelberg, 2005.
[7] Cash, David, et al. "Highly-scalable searchable symmetric encryption with support for Boolean queries." Advances in Cryptology, CRYPTO 2013. Springer Berlin Heidelberg, 2013. 353-373.
[8] Chor, Benny, et al. "Private information retrieval." Journal of the ACM 45.6 (1998): 965-981.
[9] Chor, Benny, Niv Gilboa, and Moni Naor. Private Information Retrieval by Keywords. Technion-IIT, Department of Computer Science, 1997.
[10] Curtmola, Reza, et al. "Searchable symmetric encryption: improved definitions and efficient constructions." Proceedings of the 13th ACM Conference on Computer and Communications Security. ACM, 2006.
[11] Devanbu, Premkumar T., and Stuart G. Stubblebine. "Stack and queue integrity on hostile platforms." IEEE Transactions on Software Engineering 28.1 (2002): 100-108.
[12] Gertner, Yael, et al. "Protecting data privacy in private information retrieval schemes." Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing. ACM, 1998.
[13] Goldreich, Oded. "Secure multi-party computation." Manuscript, preliminary version (1998).
[14] Kamara, Seny, Charalampos Papamanthou, and Tom Roeder. "Dynamic searchable symmetric encryption." Proceedings of the 2012 ACM Conference on Computer and Communications Security. ACM, 2012.
[15] Kushilevitz, Eyal, and Rafail Ostrovsky. "Replication is not needed: single database, computationally-private information retrieval." FOCS 1997.
[16] Song, Dawn Xiaodong, David Wagner, and Adrian Perrig. "Practical techniques for searches on encrypted data." Proceedings of the 2000 IEEE Symposium on Security and Privacy. IEEE, 2000.

Page 32: Questions?