Searchable Encryption
Nuttiiya Seekhao

Overview
• Motivation
• Literature
• Background
• Solutions
  • Scheme I, II, III, IV
• Discussion
  • Runtime
  • Possible Extensions
• Conclusion
Motivation
Searchable Encryption!
Practical techniques for searches on encrypted data
• By Dawn Xiaodong Song, David Wagner, and Adrian Perrig in 2000
• Main idea: embed information in the ciphertext
• Sequential scan
  • Not scalable

Practical techniques for searches on encrypted data
• The techniques provide:
  • Provable secrecy
  • Controlled searching
  • Hidden queries
  • Query isolation
Related Work – Prior to This Paper (1)
• Providing secrecy and integrity on untrusted file servers [2, 11, 1, 3]
• Secure multi-party computation and oblivious functions [13, 5]
  • Require high overhead, e.g. multiple servers

Related Work – Prior to This Paper (2)
• Private Information Retrieval (PIR) problem [9, 15, 12, 8, 4]
• The PIR schemes have at least one of the following limitations:
  • Require multiple non-colluding servers
  • Consume large amounts of bandwidth
  • Do not guarantee the confidentiality of the data
  • Do not support private keyword searching
  • Do not support controlled searching or query isolation
Background and Definitions
• Let n = block length (or word length, assuming fixed-length words)
• Let m = system parameter
• Pseudorandom generator G : K_G → S_G
• Pseudorandom function F : K_F × X → Y_F
• Pseudorandom permutation E : K_E × Z → Z
• Pseudorandom function f : K_f × {0,1}* → K_F
Scheme I – The Basic Scheme
[Figure: the document as a sequence of words W_1, W_2, …, W_l; per-position seeds S_1, …, S_l; per-position keys k_1, …, k_l; and stream blocks T_1, …, T_l]

Scheme I – The Basic Scheme
[Figure: words W_1, …, W_l XORed with stream blocks T_1, …, T_l to give ciphertext blocks C_1, …, C_l]
C_i = W_i ⊕ T_i
Scheme I – The Basic Scheme
[Figure: plaintext W_i; stream cipher output T_i = ⟨S_i, F_{k_i}(S_i)⟩; the two XORed to give ciphertext C_i]
To encrypt:
• Alice generates a sequence of random nonces S_1, S_2, …, S_l
• For each location i in the document Alice computes T_i = ⟨S_i, F_{k_i}(S_i)⟩
• C_i = W_i ⊕ T_i

Scheme I – The Basic Scheme
[Figure: same encryption diagram]
To search: Alice gives Bob ⟨W_i, k_i⟩
Scheme I – Problem?
• Alice wants Bob to search for a word W; either:
  • Alice reveals all k_i to Bob
    • Horrible security scheme!
  • Alice must know in advance the locations where W may appear
    • Horrible remote search scheme!
Scheme II – Controlled Searching
[Figure: as in Scheme I, but the per-position key is derived from the word]
k_i := f_{k'}(W_i)
To search: Alice gives Bob ⟨W_i, k_i⟩

Scheme II – Problems?
• Does not support hidden queries
• Can we do better?
  • Of course! Encryption!
Scheme III – Support for Hidden Searches
[Figure: the word W_i is first encrypted, X_i = E_{k''}(W_i), and X_i is XORed with the stream block T_i = ⟨S_i, F_{k_i}(S_i)⟩ to give C_i]
k_i := f_{k'}(E_{k''}(W_i))
To search: Alice gives Bob ⟨X_i, k_i⟩

Scheme III – Problems?
• How would Alice recover the plaintext from the ciphertext?
• Circular dependency:
  • Need k_i to decrypt C_i
  • Need W_i to get k_i
  • Need to decrypt C_i to get W_i
  • Need the plaintext to decrypt the plaintext?!?!
• Can we fix this?
Scheme IV – The Final Scheme
[Figure: X_i = E_{k''}(W_i) is split into a left part L_i (the first n − m bits) and a right part R_i (the last m bits); the stream block is T_i = ⟨S_i, F_{k_i}(S_i)⟩ and C_i = X_i ⊕ T_i]
k_i := f_{k'}(L_i)
To search: Alice gives Bob ⟨X_i, k_i⟩

Scheme IV – The Final Scheme
[Figure: same diagram]
To decrypt:
• Alice generates S_i
• Computes (first n − m bits of C_i) ⊕ S_i
• Gets the first n − m bits of X_i, i.e. L_i
• Computes k_i := f_{k'}(L_i); with k_i and S_i she has T_i, recovers X_i = C_i ⊕ T_i and finally W_i = E_{k''}^{-1}(X_i), so there is no circular dependency
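As an added example (not code from the slides or from the Song, Wagner and Perrig paper), the following Python implements Scheme IV end to end: Alice's encryption, the trapdoor ⟨X, k⟩ she hands Bob, Bob's sequential scan, and Alice's non-circular decryption. HMAC-SHA256 stands in for F, f and G, and a small HMAC-based Feistel network stands in for the block cipher E; the word length n = 16 bytes and check length m = 4 bytes are arbitrary choices made here.

```python
import hmac, hashlib, os

N, M = 16, 4  # n = 128-bit block (16 bytes); m = 32-bit check (4 bytes): false-match rate about 2^-32

def prf(key: bytes, data: bytes, out_len: int) -> bytes:
    """F and f from the slides, realised here as HMAC-SHA256 truncated to out_len bytes."""
    return hmac.new(key, data, hashlib.sha256).digest()[:out_len]
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def prp_encrypt(key: bytes, block: bytes) -> bytes:
    """E: 4-round Feistel network with HMAC round functions, standing in for an n-bit block cipher."""
    l, r = block[:N // 2], block[N // 2:]
    for rnd in range(4):
        l, r = r, xor(l, prf(key + bytes([rnd]), r, N // 2))
    return l + r
def prp_decrypt(key: bytes, block: bytes) -> bytes:  # E^-1: the same rounds in reverse order
    l, r = block[:N // 2], block[N // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, prf(key + bytes([rnd]), l, N // 2)), l
    return l + r

def keygen() -> dict:  # seed for G, k' (keys f) and k'' (keys E); all held by Alice only
    return {"seed": os.urandom(16), "k1": os.urandom(16), "k2": os.urandom(16)}
def stream_seed(keys: dict, i: int) -> bytes:
    """G: pseudorandom S_i for position i (HMAC in counter mode as the generator), n - m bytes long."""
    return prf(keys["seed"], i.to_bytes(4, "big"), N - M)

def encrypt_word(keys: dict, i: int, word: bytes) -> bytes:
    x = prp_encrypt(keys["k2"], word.ljust(N, b"\0")[:N])  # X_i = E_k''(W_i) = <L_i, R_i>; fixed-length words
    k_i = prf(keys["k1"], x[:N - M], 16)                     # k_i = f_k'(L_i): depends on the left part only
    s_i = stream_seed(keys, i)
    return xor(x, s_i + prf(k_i, s_i, M))                    # C_i = X_i xor T_i with T_i = <S_i, F_ki(S_i)>

def trapdoor(keys: dict, word: bytes) -> tuple:
    """Alice hands Bob <X, k> for the query word; W itself, k' and k'' stay with Alice."""
    x = prp_encrypt(keys["k2"], word.ljust(N, b"\0")[:N])
    return x, prf(keys["k1"], x[:N - M], 16)

def server_search(ciphertexts: list, x: bytes, k: bytes) -> list:
    """Bob's O(n) sequential scan: T = C_i xor X; i matches iff T's right m bytes equal F_k(T's left n - m bytes)."""
    return [i for i, c in enumerate(ciphertexts)
            if prf(k, xor(c, x)[:N - M], M) == xor(c, x)[N - M:]]

def decrypt_word(keys: dict, i: int, c: bytes) -> bytes:
    """Alice: S_i from G, L_i = left(C_i) xor S_i, k_i = f_k'(L_i), then R_i and E^-1; no circular dependency."""
    s_i = stream_seed(keys, i)
    l_i = xor(c[:N - M], s_i)
    k_i = prf(keys["k1"], l_i, 16)
    r_i = xor(c[N - M:], prf(k_i, s_i, M))
    return prp_decrypt(keys["k2"], l_i + r_i).rstrip(b"\0")
```

Bob learns only which positions match the trapdoor (and, across queries, which trapdoors hit the same positions), which is the leakage the statistical-attack discussion on the next slide is about.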
Scheme IV – Problems?
• Secure encryption scheme?
  • Yes
• Secure searchable encryption scheme?
  • Statistical attack?
    • Periodically change the key, re-encrypt, and re-order the ciphertexts
    • Could decrease m to get more false matches

Discussion – Runtime
• For a document of length n
  • Search algorithm: O(n)
  • Encryption: O(n)
• Introduces almost no space and communication overhead
• Is search in O(n) really practical?
Possible Extensions (1)
• More advanced search queries
  • Boolean, e.g. W and W'
  • Regular expression, e.g. ab[a-z]
    • Generates 26 search queries of the form {aba, abb, …, abz}
• Retrieve the list of documents containing the word of interest
  • Store each word occurrence with a count, e.g. <0, puppy>, <1, puppy>, …
  • Hides location information
  • Could search for documents containing n or more occurrences of W by searching for <n−1, W>

Possible Extensions (2)
• Variable-length words
  • Pad to fixed-size blocks
    • Inefficient storage
  • Store the word length with the word itself
    • How to search? Scan for a match at each possible bit boundary
    • Inefficient search

Possible Extensions (3)
• Searching with an encrypted index
  • The index contains a list of keywords
  • With each word, a list of pointers to the documents containing it
  • Each proposed extension assumes a fixed size for the document-pointer data
  • Updates would not be pretty!
Related Work – Revisited
• Searchable symmetric encryption: improved definitions and efficient constructions (2006) [10]
  • Work performed by the server per returned document is constant
  • Requires O(# of files) to search
  • 2nd construction achieves adaptive SSE security
• Privacy preserving keyword searches on remote encrypted data (2005) [6]
  • Works with existing file encryption schemes
  • Works with compressed files
• Dynamic searchable symmetric encryption (2012) [14]
  • Search in O(# of files containing the word)
  • Adaptive SSE secure
  • Dynamic
• Highly-scalable searchable symmetric encryption with support for Boolean queries (2013) [7]
  • Supports conjunctive searches and general Boolean queries
• More…

Conclusion
• At the time, new techniques for searchable encryption
• Advantages:
  • Provably secure
  • Supports controlled and hidden search and query isolation
  • Simple
  • Introduces almost no space and communication overhead
• Disadvantages:
  • O(n) search algorithm
  • Vulnerable to statistical attacks
References
[1] Amato, Nancy M., and Michael C. Loui. "Checking linked data structures." Fault-Tolerant Computing, 1994. FTCS-24. Digest of Papers, Twenty-Fourth International Symposium on. IEEE, 1994.
[2] Blaze, Matt. "A cryptographic file system for UNIX." Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, 1993.
[3] Blum, Manuel, et al. "Checking the correctness of memories." Algorithmica 12.2-3 (1994): 225-244.
[4] Cachin, Christian, Silvio Micali, and Markus Stadler. "Computationally private information retrieval with polylogarithmic communication." Advances in Cryptology – EUROCRYPT '99. Springer Berlin Heidelberg, 1999.
[5] Canetti, Ran. Studies in Secure Multiparty Computation and Applications. Diss. The Weizmann Institute of Science, 1996.
[6] Chang, Yan-Cheng, and Michael Mitzenmacher. "Privacy preserving keyword searches on remote encrypted data." Applied Cryptography and Network Security. Springer Berlin Heidelberg, 2005.
[7] Cash, David, et al. "Highly-scalable searchable symmetric encryption with support for Boolean queries." Advances in Cryptology – CRYPTO 2013. Springer Berlin Heidelberg, 2013. 353-373.
[8] Chor, Benny, et al. "Private information retrieval." Journal of the ACM (JACM) 45.6 (1998): 965-981.
[9] Chor, Benny, Niv Gilboa, and Moni Naor. Private Information Retrieval by Keywords. Technion-IIT, Department of Computer Science, 1997.
[10] Curtmola, Reza, et al. "Searchable symmetric encryption: improved definitions and efficient constructions." Proceedings of the 13th ACM Conference on Computer and Communications Security. ACM, 2006.
[11] Devanbu, Premkumar T., and Stuart G. Stubblebine. "Stack and queue integrity on hostile platforms." IEEE Transactions on Software Engineering 28.1 (2002): 100-108.
[12] Gertner, Yael, et al. "Protecting data privacy in private information retrieval schemes." Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing. ACM, 1998.
[13] Goldreich, Oded. "Secure multi-party computation." Manuscript, preliminary version (1998).
[14] Kamara, Seny, Charalampos Papamanthou, and Tom Roeder. "Dynamic searchable symmetric encryption." Proceedings of the 2012 ACM Conference on Computer and Communications Security. ACM, 2012.
[15] Kushilevitz, Eyal, and Rafail Ostrovsky. "Replication is not needed: single database, computationally-private information retrieval." FOCS, Vol. 97, 1997.
[16] Song, Dawn Xiaodong, David Wagner, and Adrian Perrig. "Practical techniques for searches on encrypted data." Proceedings of the 2000 IEEE Symposium on Security and Privacy (S&P 2000). IEEE, 2000.
Questions?