Breach-Resistant Structured Encryption Ghous Amjad, Seny Kamara - - PowerPoint PPT Presentation

SLIDE 1

Breach-Resistant Structured Encryption

Ghous Amjad, Seny Kamara & Tarik Moataz

SLIDE 2

SLIDE 3

Databases

“A database is an organized collection of data” --- Wikipedia

SLIDE 4

Encrypted Database

[Figure: database encrypted as Enc_K]

SLIDE 5

Q: can we encrypt DBs even in use?

SLIDE 6

Efficiency, Leakage, Functionality

SLIDE 7

Tradeoffs: Functionality vs. Efficiency

[Figure: Efficiency vs. Functionality plot placing SK-FE-based, STE-based, PPE-based, FHE-based, ORAM-based and PK-FE-based solutions; functionality labels: SQL, NoSQL]

SLIDE 8

Tradeoffs: Efficiency vs. Security

[Figure: Efficiency vs. Leakage plot placing STE-based, PPE-based, FHE-based, ORAM-based, skFE-based, pkFE-based and STE+ORAM-based solutions]

SLIDE 9

Background: Data Structures

  • DXs map labels to values
  • Get: DX[w3] returns id2
  • MMs map labels to tuples
  • Get: MM[w3] returns (id2, id4)

[Figure: Dictionary DX: w1 → id1, w2 → id3, w3 → id2]

[Figure: Multi-map MM: w1 → (id1, id3, id4), w2 → (id3), w3 → (id2, id4)]

SLIDE 10

Structured Encryption [CK’10]

Setup(1^k, DS) ⟾ (K, EDS)

Token(K, q) ⟾ tk

Query(EDS, tk) ⟾ ans

[Figure: example with DS = MM and EDS = EMM, showing a token tk for wi and the answer ans]
SLIDE 11

Background: Encrypted Data Structures [CK’10]

[Figure: Encrypted Multi-Map, Encrypted relational DB, Encrypted NoSQL DB, Encrypted Graph DB, Encrypted Inverted Index]

Single-keyword SSE [SWP’00], [Goh’03], [CGKO’06], [CK10], [KPR’12], [KP’13], [CJJKRS’13], [CJJJKRS’14], [Bost’16] …

SLIDE 12

Adaptive Security for STE [CGKO’06,CK’10]

[Figure: Real vs. Ideal experiments for a multi-map MM and its encrypted multi-map EMM with queries wi and updates ui; the Ideal side uses the leakage L_S(MM), L_Q(MM, wi) and L_U(MM, ui)]

SLIDE 13

Forward Privacy [SPS’14]

  • Informally [SPS’14]

“Updates cannot be correlated to previous queries”

  • Formally [Bost’16]

$L_Q(\mathrm{MM}, (op, w, v)) = \#v$
SLIDE 14

Security of Encrypted Structures

[CGKO’06,CK’10]

  • Definition guarantees security vs. adversary that
  • Holds encrypted structure & executes queries
  • Models an untrusted cloud provider
  • Data breaches can occur even when server is trusted
  • Storage is compromised
  • Malicious employee
  • Government subpoena
  • Adversary holds encrypted structure but does not see queries
SLIDE 15

Snapshot Security

  • Adversary holds encrypted structure but does not see queries
  • Discussed and formalized in [LW’16] for PPE
  • Discussed in [PBP’16, GRS’17] but never formalized for STE
SLIDE 16

Q: What is snapshot security?

SLIDE 17

Snapshot Security

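[Figure: Real vs. Ideal experiments for snapshot security. MM0 and its encrypted form EMM0 evolve through queries wi and updates ui into EMM1 and EMM2; the Ideal side uses the leakage L_S(MM0), L_S(MM1, op) and L_S(MM2, op)]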
SLIDE 18

Snapshot Security and Breach-Resistance

  • Informally

“Breach-resistant leakage reveals at most the size of the current structure”

  • Formally

$L_{Snp}(\mathrm{MM}, op_1, \ldots, op_i) = L_S(\mathrm{MM}_i) = \sum_{w \in W} \#\mathrm{MM}_i[w]$
SLIDE 19

Tradeoffs: Efficiency vs. Security

[Figure: Efficiency vs. Leakage plot placing STE-based, PPE-based, FHE-based, ORAM-based, skFE-based and pkFE-based solutions]

  • vs. Persistent Adversary!
SLIDE 20

Tradeoffs: Efficiency vs. Security

[Figure: Efficiency vs. Leakage plot placing STE-based, PPE-based, FHE-based, ORAM-based, skFE-based and pkFE-based solutions]

  • vs. Snapshot Adversary
SLIDE 21

Snapshot Security

[Figure: snapshot security for Static Structures and Dynamic Structures, relating Breach-resistance, Forward privacy, Insertion independence (variant of history independence) and Write-only obliviousness]

$L_S(\mathrm{MM}) = \sum_{w \in W} \#\mathrm{MM}[w]$
SLIDE 22

Q: Can we design breach-resistant & forward-private EMMs?

SLIDE 23

Dual-Secure EMMs

  • [SPS’14]
  • Query complexity

$O\left(\#\mathrm{MM}[w] \cdot \mathrm{polylog}\left(\sum_{w \in W} \#\mathrm{MM}[w]\right)\right)$

Q: Can we design efficient dual-secure EMMs?
SLIDE 24

[CJJJKRS’14]

[Figure: πdyn Setup. EMM.Setup on input 1^k and the multi-map MM, producing the encrypted multi-map EMM]
SLIDE 25

[CJJJKRS’14]

[Figure: πdyn Setup. EMM.Setup on input 1^k and the multi-map MM with w1 → (id1, id3, id4), w2 → (id3), w3 → (id2, id4) produces the Encrypted MM with labels F_{K_w1}(1), F_{K_w1}(2), F_{K_w1}(3), F_{K_w2}(1), F_{K_w3}(1), F_{K_w3}(2) and values id1, id3, id4, id3, id2, id4]

* PRF and Enc keys are different but derived from wi
SLIDE 26

[CJJJKRS’14]

[Figure: πdyn Get. EMM.Get on EMM with K_w1 (the token for wi) issues 1. DX.Get on DX for F_{K_w1}(1), 2. DX.Get for F_{K_w1}(2), 3. DX.Get for F_{K_w1}(3), 4. DX.Get for F_{K_w1}(4); values shown: id1, id3, id4]
SLIDE 27

[CJJJKRS’14]

[Figure: πdyn Get against Dictionary DX with labels F_{K_w1}(1), F_{K_w1}(2), F_{K_w1}(3), F_{K_w2}(1), F_{K_w3}(1), F_{K_w3}(2) and values id1, id3, id4, id3, id2, id4. With K_w1: 1. DX.Get for F_{K_w1}(1) gives id1, 2. DX.Get for F_{K_w1}(2) gives id3, 3. DX.Get for F_{K_w1}(3) gives id4, 4. DX.Get for F_{K_w1}(4)]
SLIDE 28

[CJJJKRS’14]

[Figure: πdyn Edit+. EMM.Edit+ on EMM performs 1. DX.Put on DX with label F_{K_w1}(4) and value id9]
SLIDE 29

[CJJJKRS’14]

[Figure: πdyn Edit+. Dictionary DX with labels F_{K_w1}(1), F_{K_w1}(2), F_{K_w1}(3), F_{K_w2}(1), F_{K_w3}(1), F_{K_w3}(2) and values id1, id3, id4, id3, id2, id4, plus the added entry F_{K_w1}(4) with value id9]
SLIDE 30

[CJJJKRS’14]

[Figure: πdyn Edit-. EMM.Edit- on EMM performs 1. DX.Put on DX with label F_{K_w1}(4) and value id3]
SLIDE 31

[CJJJKRS’14]

[Figure: πdyn Edit-. Dictionary DX with labels F_{K_w1}(1), F_{K_w1}(2), F_{K_w1}(3), F_{K_w2}(1), F_{K_w3}(1), F_{K_w3}(2) and values id1, id3, id4, id3, id2, id4, plus the added entry F_{K_w1}(4) with value id3]
SLIDE 32

[CJJJKRS’14]

[Figure: πdyn Get. EMM.Get on EMM with K_w1 (the token for wi) issues DX.Get on DX for the labels F_{K_w1}(1) through F_{K_w1}(4)]

$O\left(\#\mathrm{MM}[w] + \mathrm{dels}_0(w)\right)$
SLIDE 33

Forward-Private πdyn

  • Why is πdyn not forward-private?
  • new pairs encrypted under same key used for search,
  • Kwi := FK(wi||1)
  • so previously searched w’s can be linked to new pairs
  • Making πdyn forward-private
  • use keys with version number that rotates at each search
  • Kwi := FK(wi||version||1)
  • To search send keys for all versions
  • FK(wi||version1||1), …, FK(wi||version8||1)
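The linkage this slide describes, and the versioned-key fix, as an added Python example (not code from the presentation or from Clusion). The names `Client`, `server_get`, `server_can_link` and `demo`, the `|`-separated PRF inputs, the `||2` encryption key and the XOR pad standing in for real encryption are assumptions; deletes are not modelled and the server decrypts results for brevity.

```python
import hmac, hashlib

def F(key: bytes, msg: bytes) -> bytes:  # PRF instantiated with HMAC-SHA256
    return hmac.new(key, msg, hashlib.sha256).digest()
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    def __init__(self, master_key: bytes, versioned: bool):
        self.K, self.versioned = master_key, versioned
        self.version = {}  # w -> current key version (stays 0 when not versioned)
        self.count = {}    # (w, version) -> pairs inserted under that version
    def keys(self, w: bytes, ver: int):
        # K_w := F_K(w||1), or F_K(w||version||1) when versioned; ||2 key is assumed
        tag = w + (b"|%d" % ver if self.versioned else b"")
        return F(self.K, tag + b"|1"), F(self.K, tag + b"|2")  # label key, enc key
    def insert(self, dx: dict, w: bytes, ident: bytes) -> bytes:
        ver = self.version.get(w, 0)
        c = self.count[(w, ver)] = self.count.get((w, ver), 0) + 1
        k_lab, k_enc = self.keys(w, ver)
        label = F(k_lab, b"%d" % c)
        dx[label] = xor(ident.ljust(16), F(k_enc, label))  # toy one-time pad
        return label  # the label the server sees arrive
    def token(self, w: bytes):
        cur = self.version.get(w, 0)
        if self.versioned:
            self.version[w] = cur + 1  # rotate: later inserts use a fresh key
        return [self.keys(w, v) for v in range(cur + 1)]  # keys for all versions

def server_get(dx: dict, tk) -> list:
    out = []
    for k_lab, k_enc in tk:
        c = 1
        while (label := F(k_lab, b"%d" % c)) in dx:  # walk counters until a miss
            out.append(xor(dx[label], F(k_enc, label)).rstrip())
            c += 1
    return out

def server_can_link(tk, new_label: bytes, bound: int = 64) -> bool:
    """Persistent server: does a new label fall under a key it was already given?"""
    return any(F(k, b"%d" % c) == new_label for k, _ in tk for c in range(1, bound))

def demo(versioned: bool):
    dx, cl = {}, Client(b"\x01" * 32, versioned)  # constructed key and data
    for ident in (b"id1", b"id3", b"id4"):
        cl.insert(dx, b"w1", ident)
    old_tk = cl.token(b"w1")
    before = server_get(dx, old_tk)
    linked = server_can_link(old_tk, cl.insert(dx, b"w1", b"id9"))
    return before, linked, server_get(dx, cl.token(b"w1"))
```

`demo(False)` reports the post-search insert of id9 as linkable to the earlier search on w1; `demo(True)` does not, while a later search still returns all four ids.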

SLIDE 34

Efficiency

  • Most dynamic EMM constructions handle deletes naively
  • forward-private or not
  • Query complexity

$O\left(\#\mathrm{MM}[w] + \mathrm{dels}_0(w)\right)$

  • Storage complexity

$O\left(\sum_{w \in W} \#\mathrm{MM}[w] + \mathrm{dels}_0(w)\right)$

SLIDE 35

Rebuilding

  • Rebuild operation
  • Executed throughout lifetime of encrypted structure
  • Removes/prunes delete pairs
  • Cost

$\Omega\left(\sum_{w \in W} \#\mathrm{MM}[w]\right)$

  • Query complexity

$O\left(\#\mathrm{MM}[w] + \mathrm{dels}_r(w)\right)$

  • Storage complexity

$O\left(\sum_{w \in W} \#\mathrm{MM}[w] + \mathrm{dels}_r(w)\right)$

SLIDE 36

Rebuilding Encrypted Structures

  • Ideally a zero-leakage operation
  • Approach #1
  • Client queries for each keyword and recovers encrypted id’s
  • Removes deleted id’s
  • Re-inserts new encrypted keywords and id’s
  • Leakage
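
$L_R(\mathrm{MM}) = \left( \left( L_G(\mathrm{MM}, w) \right)_{w \in W}, \left( L_U(\mathrm{MM}, (w, id)) \right)_{w \in W} \right) = \left( f(w), \#\mathrm{MM}[w] + \mathrm{dels}_r(w), g(w), \#\mathrm{MM}[w] \right)_{w \in W}$

Leaks new information to persistent Adv: query leakage of unsearched keywords
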
SLIDE 37

Rebuilding Encrypted Structures

  • Ideally a zero-leakage operation
  • Approach #2
  • Keep track of searched and unsearched
  • Use Approach #1 for searched
  • For unsearched sample pair uniformly at random & re-insert
  • Leakage
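
$L_R(\mathrm{MM}) = \left( \left( f(w), \#\mathrm{MM}[w] + \mathrm{dels}_r(w), g(w), \#\mathrm{MM}[w] \right)_{w \in S}, \sum_{w \in U} \#\mathrm{MM}[w] \right) = \left( \left( f(w), \#\mathrm{MM}[w], \mathrm{dels}_r(w), g(w) \right)_{w \in S}, \sum_{w \in U} \#\mathrm{MM}[w] \right)$

Already leaked during queries
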
SLIDE 38

Rebuilding Encrypted Structures

  • What about Snapshot security?
  • Rebuild is not de-amortized
  • Variant with de-amortized rebuild
  • When de-amortized rebuild occurs impacts snapshot leakage
  • Executed during Updates
  • Requires stash at client

$L_{Snp}(\mathrm{MM}) = L_S(\mathrm{MM}) = \sum_{w \in W} \#\mathrm{MM}[w]$

SLIDE 39

Forward-Private EMMs

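Scheme      Forward Privacy   Snapshot
SPS’14      Yes               Yes
B’16        Yes               No
BMO’17      Yes               No
EKPE’17     Yes/No            No
This work   Yes               Yes

Search and Client Storage column entries: $O(\#W)$, $O(\#W + ML)$, $O(\#\mathrm{MM}[w] + \mathrm{dels}_0(w))$, $O(\#\mathrm{MM}[w] + \mathrm{dels}_0(w))$, $O(\#\mathrm{MM}[w] + \mathrm{dels}_r(w))$, $O(\#W)$, $O(\#W)$, $O(\#W)$, $O(\#\mathrm{MM}[w] + \mathrm{dels}_s(w))$, $O(\#\mathrm{MM}[w] \cdot \mathrm{polylog}(\#\mathrm{MM}))$
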
SLIDE 40

Implementation

  • Forward-private & response-hiding variant of πdyn
  • de-amortized rebuild with λ = 3
  • Java (1114 LOC)
  • Clusion encrypted search library
  • Lucene, Bouncy Castle
  • HMAC-SHA256 for PRFs and ROs

SLIDE 41

Experimental Setup

  • Amazon EC2 c3.8xlarge instance
  • 32 vCPUs and 60GB of RAM
  • Wikipedia
  • 26.5GB & 2,681,795 files
  • Experiments (in memory)
  • Time to set up EMM as a function of pairs
  • Size of EMM & size of client state as a function of pairs
  • Server query time as a function of pairs for different selectivities
  • Server update time as a function of pairs for different λ
  • Effect of rebuild on query time

SLIDE 42

Setup Time & Sizes

SLIDE 43

Query & Update Time

SLIDE 44

Thank you
