DATA RECOVERY Reconstructed Values 400 ON ENCRYPTED DATABASES 350 - - PowerPoint PPT Presentation

EVGENIOS M. KORNAROPOULOS CHARALAMPOS PAPAMANTHOU ROBERTO TAMASSIA

DATA RECOVERY ON ENCRYPTED DATABASES WITH k-NEAREST NEIGHBOR QUERY LEAKAGE

100 200 300 400 50 100 150 200 250 300 350 400

Reconstructed Values

Full version: https://eprint.iacr.org/2018/719

WHO CARES ABOUT k-NN?

INTRO

COLUMN-ORIENTED DBMS

COLUMN-ORIENTED DBMS

INTRO

OBJECT-RELATIONAL DBMS

WHO CARES ABOUT k-NN?

INTRO

WHO CARES ABOUT k-NN?

COLUMN-ORIENTED DBMS OBJECT-RELATIONAL DBMS CLOUD SERVICES

Records:

2

k-NEAREST NEIGHBORS SETUP

q

Records:

2

SETUP k-NEAREST NEIGHBORS

q

Records:

2

SETUP k-NEAREST NEIGHBORS

3

SETUP VORONOI DIAGRAMS

3

SETUP VORONOI DIAGRAMS

3

VORONOI DIAGRAMS SETUP

Voronoi Diagram

Response Voronoi Segment

3

VORONOI DIAGRAMS SETUP

Voronoi Edges

ENCRYPTED SEARCH Client Server

PRFK( ) = t

Tokens

Responses

PRFK( ) = t PRFK( ) = t0 PRFK( ) = t00

SETUP

4

Access Pattern Leakage

Search Pattern Leakage

ENCRYPTED SEARCH Client Server

PRFK( ) = t

Tokens

Responses

PRFK( ) = t PRFK( ) = t0 PRFK( ) = t00

SETUP

4

OUR CONTRIBUTIONS OVERVIEW

k-NN EXACT RECONSTRUCTION k-NN APPROXIMATE RECONSTRUCTION

ORDERED RESPONSES: Possible when all encrypted queries are issued UNORDERED RESPONSES: Impossible due to many reconstructions UNORDERED RESPONSES: Even with many reconstructions approximate with bounded error ORDERED RESPONSES: Approximate reconstruction when not all encrypted queries are issued

5

OVERVIEW

ORDERED RESPONSES: Possible when all encrypted queries are issued

k-NN EXACT RECONSTRUCTION k-NN APPROXIMATE RECONSTRUCTION

UNORDERED RESPONSES: Even with many reconstructions approximate with bounded error UNORDERED RESPONSES: Impossible due to many reconstructions ORDERED RESPONSES: Approximate reconstruction when not all encrypted queries are issued

5

OUR CONTRIBUTIONS

ASSUMPTIONS OF THE ATTACK

BOUNDARIES: STATIC: UNIFORMITY:

Queries are generated uniformly at random from [α,β]

No updates in the database Known boundaries α and β

6

UNORDERED RESPONSES

UNORDERED RESPONSES

Impossible to achieve Exact Reconstruction

Best Case Scenario for the Adversary

EXACT RECONSTRUCTION

{s0, s1} {s1, s2} {s2, s3} {s3, s4} {s4, s5}

α β

7

Impossible to achieve Exact Reconstruction

Valid Reconstruction DB1

α β

EXACT RECONSTRUCTION UNORDERED RESPONSES

{s0, s1} {s1, s2} {s2, s3} {s3, s4} {s4, s5}

7

Best Case Scenario for the Adversary

Impossible to achieve Exact Reconstruction

Valid Reconstruction DB1

{s0, s1} {s1, s2} {s2, s3} {s3, s4} {s4, s5}

α β

EXACT RECONSTRUCTION UNORDERED RESPONSES

7

Best Case Scenario for the Adversary Valid Reconstruction DB2

Impossible to achieve Exact Reconstruction

Valid Reconstruction DB1

{s0, s1} {s1, s2} {s2, s3} {s3, s4} {s4, s5}

α β

EXACT RECONSTRUCTION UNORDERED RESPONSES

Best Case Scenario for the Adversary Valid Reconstruction DB2

7

Impossible to achieve Exact Reconstruction

Valid Reconstruction DB1 Valid Reconstruction DB2

Many reconstructions that explain the Voronoi Diagram

{s0, s1} {s1, s2} {s2, s3} {s3, s4} {s4, s5}

α β

UNORDERED RESPONSES

Vor(DB1)=Vor(DB2)=…

7

Best Case Scenario for the Adversary

EXACT RECONSTRUCTION

Since there are reconstructions and the exact recovery is , the encrypted values must be safe… MANY IMPOSSIBLE

Answer: We can still compute an reconstruction that is to the encrypted DB

VERY CLOSE Since there are reconstructions and the exact recovery is , the encrypted values must be safe… IMPOSSIBLE MANY

In case all queries are issued:

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES

*

The length of each Voronoi segments

Uniform Query Distribution: Estimate via Concentration Bounds on Multinomials

8

In case all queries are issued: Goal:

Characterize the set of all valid reconstructions that explain the Voronoi Diagram

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES

*

The length of each Voronoi segments

8

In case all queries are issued: Goal: What’s Next:

Intuitive characterization = rigorous reconstruction guarantees

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES

*

The length of each Voronoi segments

Characterize the set of all valid reconstructions that explain the Voronoi Diagram

8

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES Modeling All Reconstructions:

*

9

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES Modeling All Reconstructions:

*

Use geometry of bisectors to define unknowns

9

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES Modeling All Reconstructions:

v0 = b0,2 − ξ0 v2 = b0,2 + ξ0

*

9

Use geometry of bisectors to define unknowns

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES Modeling All Reconstructions:

v0 = b0,2 − ξ0 v2 = b0,2 + ξ0 v4 = 2b2,4 − v2 = 2

*

9

Use geometry of bisectors to define unknowns

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES

v0 = b0,2 − ξ0 v2 = b0,2 + ξ0 v4 = 2b2,4 − v2 = 2

*

9

Use geometry of bisectors to define unknowns

Modeling All Reconstructions:

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES

v0 = b0,2 − ξ0 v2 = b0,2 + ξ0 v4 = 2b2,4 − v2 = 2b2,4 − b0,2 − ξ0

*

9

Use geometry of bisectors to define unknowns

Modeling All Reconstructions:

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES

v0 = b0,2 − ξ0 v2 = b0,2 + ξ0 v4 = 2b2,4 − v2 = 2b2,4 − b0,2 − ξ0 v6 = 2b4,6 − v4 = 2b4,6 − 2b2,4 + b0,2 + ξ0 v8 = 2b6,8 − v6 = 2b6,8 − 2b4,6 + 2b2,4 − b0,2 − ξ0

vi

*

Half of the as a function of unknown ξ0

9

Use geometry of bisectors to define unknowns

Modeling All Reconstructions:

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES

v0 = b0,2 − ξ0 v2 = b0,2 + ξ0 v4 = 2b2,4 − v2 = 2b2,4 − b0,2 − ξ0 v6 = 2b4,6 − v4 = 2b4,6 − 2b2,4 + b0,2 + ξ0 v8 = 2b6,8 − v6 = 2b6,8 − 2b4,6 + 2b2,4 − b0,2 − ξ0 v1 = b1,3 − ξ1 v3 = b1,3 + ξ1 v5 = 2b3,5 − v3 = 2b3,5 − b1,3 − ξ1 v7 = 2b5,7 − v5 = 2b5,7 − 2b3,5 + b1,3 + ξ1 v9 = 2b7,9 − v7 = 2b7,9 − 2b5,7 + 2b3,5 − b1,3 − ξ1

Half of the as a function of unknown ξ0

vi

Other half of the as a function of unknown ξ1

vi

*

9

Use geometry of bisectors to define unknowns

Modeling All Reconstructions:

v0 = b0,2 − ξ0 v2 = b0,2 + ξ0 v4 = 2b2,4 − v2 = 2b2,4 − b0,2 − ξ0 v6 = 2b4,6 − v4 = 2b4,6 − 2b2,4 + b0,2 + ξ0 v8 = 2b6,8 − v6 = 2b6,8 − 2b4,6 + 2b2,4 − b0,2 − ξ0 v1 = b1,3 − ξ1 v3 = b1,3 + ξ1 v5 = 2b3,5 − v3 = 2b3,5 − b1,3 − ξ1 v7 = 2b5,7 − v5 = 2b5,7 − 2b3,5 + b1,3 + ξ1 v9 = 2b7,9 − v7 = 2b7,9 − 2b5,7 + 2b3,5 − b1,3 − ξ1

UNORDERED RESPONSES

Reduced the space of reconstructions from n-dimensions to 2-dimensions

APPROXIMATE RECONSTRUCTION

vi vi

*

Half of the as a function of unknown ξ0 Other half of the as a function of unknown ξ1

9

Use geometry of bisectors to define unknowns

Modeling All Reconstructions:

Ordering Constraints:

v0 < v1 ⇒ −

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES

*

10

Modeling All Reconstructions:

Ordering Constraints:

v0 < v1 ⇒ −ξ0 + ξ1 < c0,1 , where c0,1 = (b1,3 − b0,2)

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES

Geometric Characterization

*

10

ξ0 ξ1

Modeling All Reconstructions:

Ordering Constraints:

v0 < v1 ⇒ −ξ0 + ξ1 < c0,1 , where c0,1 = (b1,3 − b0,2) v1 < v2 ⇒ −ξ0 − ξ1 < c1,2 , where c1,2 = −(b1,3 − b0,2) v2 < v3 ⇒ ξ0 − ξ1 < c2,3 , where c2,3 = (b1,3 − b0,2) v3 < v4 ⇒ ξ0 + ξ1 < c3,4 , where c3,4 = (b2,4 − b1,3) + (b2,4 − b0,2) v4 < v5 ⇒ −ξ0 + ξ1 < c4,5 , where c4,5 = 2(b3,5 − b2,4) − (b1,3 − b0,2) v5 < v6 ⇒ −ξ0 − ξ1 < c5,6, where c5,6 = 2(b4,6 − b3,5) − (b2,4 − b0,2) − (b2,4 − b1,3) v6 < v7 ⇒ ξ0 − ξ1 < c6,7, where c6,7 = 2(b5,7 − b4,6) − 2(b3,5 − b2,4) + (b1,3 − b0,2) v7 < v8 ⇒ ξ0 + ξ1 < c7,8, where c7,8 = 2(b6,8 − b5,7) − 2(b4,6 − b3,5) + (b2,4 − b1,3) + (b2,4 − b0,2)

v8 < v9 ⇒ −ξ0 + ξ1 < c8,9, where c8,9 = 2(b7,9 − b6,8) − 2(b5,7 − b4,6) + 2(b3,5 − b2,4) − (b1,3 − b0,2)

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES

Geometric Characterization

*

10

ξ0 ξ1

Modeling All Reconstructions:

Ordering Constraints:

v0 < v1 ⇒ −ξ0 + ξ1 < c0,1 , where c0,1 = (b1,3 − b0,2) v1 < v2 ⇒ −ξ0 − ξ1 < c1,2 , where c1,2 = −(b1,3 − b0,2) v2 < v3 ⇒ ξ0 − ξ1 < c2,3 , where c2,3 = (b1,3 − b0,2) v3 < v4 ⇒ ξ0 + ξ1 < c3,4 , where c3,4 = (b2,4 − b1,3) + (b2,4 − b0,2) v4 < v5 ⇒ −ξ0 + ξ1 < c4,5 , where c4,5 = 2(b3,5 − b2,4) − (b1,3 − b0,2) v5 < v6 ⇒ −ξ0 − ξ1 < c5,6, where c5,6 = 2(b4,6 − b3,5) − (b2,4 − b0,2) − (b2,4 − b1,3) v6 < v7 ⇒ ξ0 − ξ1 < c6,7, where c6,7 = 2(b5,7 − b4,6) − 2(b3,5 − b2,4) + (b1,3 − b0,2) v7 < v8 ⇒ ξ0 + ξ1 < c7,8, where c7,8 = 2(b6,8 − b5,7) − 2(b4,6 − b3,5) + (b2,4 − b1,3) + (b2,4 − b0,2)

Boundary Constraints:

v8 < v9 ⇒ −ξ0 + ξ1 < c8,9, where c8,9 = 2(b7,9 − b6,8) − 2(b5,7 − b4,6) + 2(b3,5 − b2,4) − (b1,3 − b0,2)

α < v0 ⇒ ξ0 < cα,0, where cα,0 = b0,2 − α

v9 < β ⇒ ξ1 > c9,β, where c9,β = 2b7,9 − 2b5,7 + 2b3,5 − b1,3 − β

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES

Geometric Characterization

*

10

ξ0 ξ1

Modeling All Reconstructions:

“Squeezed” the seemingly large space of valid reconstructions into a small polygon

Fv

Geometric Characterization

Valid Reconstructions

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES

Original DB:

• Reconstr. DB:

v0 = (v0

0, . . . , v0 n1)

v00 = (v00

0, . . . , v00 n1)

*

11

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES

Original DB:

• Reconstr. DB:

v0 = (v0

0, . . . , v0 n1)

v00 = (v00

0, . . . , v00 n1)

ξ0 ξ00

Reconstruction Error between

v0, v00

*

Maximum Error

max

i2[0,n1] |v0 i − v00 i | ≤ diam(Fv)

11

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES

Original DB:

• Reconstr. DB:

v0 = (v0

0, . . . , v0 n1)

v00 = (v00

0, . . . , v00 n1)

diam(Fv) 2

Reconstruction Error between

v0, v00

*

max

i2[0,n1] |v0 i − v00 i | ≤ diam(Fv)

11

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES

Original DB:

• Reconstr. DB:

v0 = (v0

0, . . . , v0 n1)

v00 = (v00

0, . . . , v00 n1)

diam(Fv) 2

v00

Reconstruction Error between

v0, v00

*

Our Reconstruction

max

i2[0,n1] |v0 i − v00 i | ≤ diam(Fv)

11

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES

Original DB:

• Reconstr. DB:

v0 = (v0

0, . . . , v0 n1)

v00 = (v00

0, . . . , v00 n1)

diam(Fv) 2

v00

The worst case reconstruction between and every DB in is upper-bounded by diam(Fv)

2

Fv v00

Reconstruction Error between

v0, v00

*

Our Reconstruction

max

i2[0,n1] |v0 i − v00 i | ≤ diam(Fv)

11

Case k=3

0.2

• 0.2

0.1

1 0- 1

val(s2

1) - 0+ 1

val(s5

4)

• 0.1
• 0.25
• 0.2
• 0.15
• 0.1
• 0.05

0.05 0.1 0.15 0.2

• 0.1
• 0.2

0.1 0.2

2

0.25 0.2 0.1 1- 2

val(s3

2) - 1+ 2

val(s6

5) 1

• 0.25
• 0.1
• 0.2
• 0.2
• 0.15
• 0.1
• 0.1
• 0.2
• 0.05

0.1 0.2

2

0.05 0.1 0.15 0.2 0.25 0.2

0+ 2

val(s4

3) - 0- 2

val(s7

6)

0.1

1

• 0.1
• 0.25
• 0.2
• 0.2
• 0.15
• 0.1
• 0.2
• 0.1
• 0.05

0.1 0.2

2

0.05 0.1 0.15 0.2 0.25

Fv

k-NN queries is a polytope in k-dimensional space

Fv

APPROXIMATE RECONSTRUCTION UNORDERED RESPONSES

*

12

EVALUATION

ORDERED & UNORDERED RESPONSES 13

1-31 October 2009

• Geolocation
• f politician Spitz
• Simulated k-NN

Leakage from queries on his location DB

EVALUATION

ORDERED & UNORDERED RESPONSES 13

1-31 October 2009

20 40 60 80 100 120 20 40 60 80 100 120

Reconstructed Values of 1-31 Oct. Dataset

• Geolocation
• f politician Spitz
• Simulated k-NN

Leakage from queries on his location DB

EVALUATION

ORDERED & UNORDERED RESPONSES 13

1-31 October 2009

20 40 60 80 100 120 20 40 60 80 100 120

Reconstructed Values of 1-31 Oct. Dataset

• Geolocation
• f politician Spitz
• Simulated k-NN

Leakage from queries on his location DB

OUR CONTRIBUTIONS CONCLUSIONS

k-NN EXACT RECONSTRUCTION k-NN APPROXIMATE RECONSTRUCTION

ORDERED RESPONSES: Possible when all encrypted queries are issued UNORDERED RESPONSES: Impossible due to many reconstructions UNORDERED RESPONSES: Even with many reconstructions approximate with bounded error ORDERED RESPONSES: Approximate reconstruction when not all encrypted queries are issued

14

Thank you!

: @kornaropoulos

EVALUATION

20 40 60 80 100 120 20 40 60 80 100 120

Reconstructed Values of 1-5 Oct. Dataset

20 40 60 80 100 120 20 40 60 80 100 120

Reconstructed Values of 1-15 Oct. Dataset

20 40 60 80 100 120 20 40 60 80 100 120

Reconstructed Values of 1-31 Oct. Dataset

ORDERED & UNORDERED RESPONSES

• Geolocation
• f politician Malte Spitz
• Simulated k-NN

Leakage from queries

• n his location DB

13

1-5 October 1-15 October 1-31 October

UNORDERED RESPONSES EVALUATION

14