dynamic searchable encryption with small client storage
play

Dynamic Searchable Encryption with Small Client Storage Ioannis - PowerPoint PPT Presentation

Mar 18, 2024 •154 likes •561 views

Dynamic Searchable Encryption with Small Client Storage Ioannis Demertzis Javad Ghareh Chamani University of Maryland HKUST and Sharif University of Technology jgc@cse.ust.hk yannis@umd.edu Dimitrios Papadopoulos Charalampos Papamathou

  1. Dynamic Searchable Encryption with Small Client Storage Ioannis Demertzis Javad Ghareh Chamani University of Maryland HKUST and Sharif University of Technology jgc@cse.ust.hk yannis@umd.edu Dimitrios Papadopoulos Charalampos Papamathou HKUST University of Maryland dipapado@cse.ust.hk cpap@umd.edu

  2. What is Dynamic Searchable Encryption (DSE)? Untrusted ! "#$%& leakage: total leakage ! '%#() leakage---Search ? Cloud Client prior to query execution pattern: whether a search e.g. size of each encrypted file , query is repeated size of the encrypted index search query: keyword ! '%#() leakage---Access + pattern : encrypted document ids and files that satisfy the search query ! *&+,$# leakage : update query: keyword leakage during update execution Security (informal): The adversary does not learn anything beyond the above leakages!

  3. Update Leakage --- Forward Privacy Untrusted ? Cloud Client High-level idea: The server should not be able to relate an update with a previous operation! Time Add (F1, w1 ) 1 Query ( w1 ) + 2 Add (F2, w1 ) 3 Server should not learn that update in timestamp 3 is for the same keyword! • Definition: A DSE scheme is forward private if the update does not reveal any information • about the involved keyword, i.e., ! "#$%&' (w) = ! (op, id)

  4. Update Leakage --- Backward Privacy Untrusted High-level idea: The server should reveal controlled ? Cloud Client information about deleted files during search Time Add (F1, w1 ) 1 Add (F2, w1 ) 2 + Del (F1, w1 ) 3 Query ( w1 ) 4 !"#$%&(()) = { (,-, -) } !"#$%&(:) = {;iles @ABBCDEFG containing w and when they were stored} /0123$4 () ={ ), -, 5 } /0123$4 : = { timestamp of each update for w} %$67"43 : = {exactly which deletion cancels which addition } %$67"43(()) = {(), 5)}

  5. Update Leakage --- Backward Privacy Untrusted High-level idea: The server should reveal controlled ? Cloud Client information about deleted files during search Time Add (F1, w1 ) 1 Add (F2, w1 ) 2 + Del (F1, w1 ) 3 Query ( w1 ) 4 More Leakage ℒ 345678 w = ℒ(,)<.=! w ) !"#$%"&' (&)*"#+ ,+-. − 0: !"#$%"&' (&)*"#+ ,+-. − 00: ℒ ?45678 w = ℒ(,)<.=! w , A-'"B.C(w)) !"#$%"&' (&)*"#+ ,+-. − 000: ℒ 3DEFGH w = ℒ(,)<.=! w , A-'"B.C w , =.IJ)CB(w))

  6. Issues with Prior Forward & Backward DSE schemes Untrusted ? Cloud Client Require: The client to store an operation counter for each unique keyword !!! O(|W|) can be up to O(N) , Keyword Counter where N is the total DB size w1 3 + w2 2 O(|W|), where |W| w3 4 is the dictionary size … Synchronization issues: wM 5 if the client wants to access the encrypted DB from multiple devices

  7. Issues with Prior Forward & Backward DSE schemes Untrusted ? Cloud Client Outsourcing the operational counters to the server requires the use of Oblivious Indexes ~ extra O(log 2 N) overhead and O(logN) rounds of interaction! Keyword Counter E.g., an Oblivious w1 3 Hash Map ( OMAP ) + w2 2 w3 4 … wM 5

  8. Prior state-of-the-art Works & Our Contributions Search Update Search RT BP-Type ! ! Moneta O (a w logN + log 3 N) O (log 2 N) 2 Type-I O(a w + log 2 N) O(log 2 N) O(logN) Type-II OMAP + Mitra x SDa O(a w + logN) O(logN) (am.) 1 Type-II SDd O(a w + logN) O(log 3 N) 1 Type-II ORION O(n w log 2 N) O(log 2 N) O(logN) Type-I HORUS O(n w logd w logN + log 2 N) O(log 2 N) O(logN) Type-III QOS O(n w logi w + log 2 N) O(log 3 N) O(logN) Type-III N : total number of (file, keyword) pairs, a w : #updates for keyword w n w : #files currently containing keyword w , i w : #inserts for keyword w

  9. Prior state-of-the-art Works & Our Contributions Search Update Search RT BP-Type ! ! Moneta O (a w logN + log 3 N) O (log 2 N) 2 Type-I O(a w + log 2 N) O(log 2 N) O(logN) Type-II OMAP + Mitra SDa O(a w + logN) O(logN) (am.) 1 Type-II SDd O(a w + logN) O(log 3 N) 1 Type-II ORION O(n w log 2 N) O(log 2 N) O(logN) Type-I HORUS O(n w logd w logN + log 2 N) O(log 2 N) O(logN) Type-III QOS O(n w logi w + log 2 N) O(log 3 N) O(logN) Type-III SDa and SDd have 20x-85x faster search time than MITRA QOS has 14x-16531x faster search time than HORUS

  10. Prior state-of-the-art Works & Our Contributions Search Update Search RT BP-Type ! ! Moneta O (a w logN + log 3 N) O (log 2 N) 2 Type-I O(a w + log 2 N) O(log 2 N) O(logN) Type-II OMAP + Mitra SDa O(a w + logN) O(logN) (am.) 1 Type-II SDd O(a w + logN) O(log 3 N) 1 Type-II ORION O(n w log 2 N) O(log 2 N) O(logN) Type-I HORUS O(n w logd w logN + log 2 N) O(log 2 N) O(logN) Type-III QOS O(n w logi w + log 2 N) O(log 3 N) O(logN) Type-III QOS has better search time for deletion ratios between 40%-80%

  11. SDa scheme Untrusted ? Cloud Client High-level idea: Organize N updates in a collection of at most log 2 N independent encrypted indexes Add (F1, w1) 4 1

  12. SDa scheme Untrusted ? Cloud Client High-level idea: Organize N updates in a collection of at most log 2 N independent encrypted indexes Add (F4, w1) 4 1 1

  13. SDa scheme Untrusted ? Cloud Client High-level idea: Organize N updates in a collection of at most log 2 N independent encrypted indexes If we keep adding the Add (F4, w1) number of encrypted indexes will be O(N) 4 1 1

  14. SDa scheme Untrusted ? Cloud Client High-level idea: Organize N updates in a collection of at most log 2 N independent encrypted indexes Whenever two indexes of the same size exist, download them and merge them in a new index 4 1 1 2

  15. *Assuming that N is a power of 2 SDa scheme Untrusted ? Cloud Client High-level idea: Organize N updates in a collection of at most log 2 N independent encrypted indexes After N-1 updates … N/2 N/4 1 Update cost = O(log 2 N) (amortized) O(log 2 N ) encrypted indexes

  16. *Assuming that N is a power of 2 SDa scheme Untrusted ? Cloud Client High-level idea: Organize N updates in a collection of at most log 2 N independent encrypted indexes search query: keyword 1 Search cost = O(log 2 N + a w ) keyword search query: keyword 2 … N/2 N/4 1 … search query: keyword logN O(log 2 N ) encrypted indexes Intuition Forward/Backward privacy: Every index is built with a fresh key and the used static SE is response hiding!!!

  17. SDa --- Amortized Update Cost Expensive Updates O(N) Cheap Updates O(1)

  18. SDd scheme Untrusted ? Cloud Client High-level idea: Let’s de-amortize the SDa construction Add (F1, w1) … 4 2 1 O(log 2 N ) encrypted indexes

  19. SDd scheme Untrusted ? Cloud Client OLDEST 1 OLDEST 2 OLDEST 4 OLDER 2 OLDER 4 OLDER 1 … OLD 1 OLD 4 OLD 2 NEW 2 NEW 4 NEW 1 1 2 4

  20. SDd scheme Untrusted ? Cloud Client OLDEST 1 OLDEST 2 OLDEST 4 OLDER 2 OLDER 4 OLDER 1 … OLD 1 OLD 4 OLD 2 Add (F1, w1) NEW 2 NEW 4 NEW 1 1 2 4 If NEW is full move it to the first empty OLDEST, OLDER or OLD index

  21. SDd scheme Untrusted ? Cloud Client OLDEST 1 OLDEST 2 OLDEST 4 OLDER 2 OLDER 4 OLDER 1 … OLD 1 OLD 4 OLD 2 Add (F2, w1) NEW 2 NEW 4 NEW 1 1 2 4

  22. SDd scheme Untrusted ? Cloud Client If OLDEST i and OLDER i are full start moving the updates to the NEW i+1 index OLDEST 1 OLDEST 2 OLDEST 4 OLDER 2 OLDER 4 OLDER 1 … OLD 1 OLD 4 OLD 2 NEW 2 NEW 4 NEW 1 1 2 4

  23. SDd scheme Untrusted ? Cloud Client For achieving Forward Privacy we need to use Oblivious MAPs (OMAP) OLDEST 1 OLDEST 2 OLDEST 4 OLDER 2 OLDER 4 OLDER 1 … OLD 1 OLD 4 OLD 2 NEW 2 NEW 4 NEW 1 1 2 4 OMAP 1 OMAP 2

  24. SDd scheme Untrusted ? Cloud Client Search cost = O(3*log 2 N + a w ) OLDEST 1 OLDEST 2 OLDEST 4 OLDER 2 OLDER 4 OLDER 1 … OLD 1 OLD 4 OLD 2 Query(w1) NEW 2 NEW 4 NEW 1 1 2 4 OMAP cost = O(log 2 N) OMAP 1 OMAP 2 Update cost = O(log 3 N)

  25. Prior state-of-the-art Works & Our Contributions Search Update Search RT BP-Type ! ! Moneta O (a w logN + log 3 N) O (log 2 N) 2 Type-I O(a w + log 2 N) O(log 2 N) O(logN) Type-II OMAP + Mitra SDa O(a w + logN) O(logN) (am.) 1 Type-II SDd O(a w + logN) O(log 3 N) 1 Type-II ORION O(n w log 2 N) O(log 2 N) O(logN) Type-I HORUS O(n w logd w logN + log 2 N) O(log 2 N) O(logN) Type-III QOS O(n w logi w + log 2 N) O(log 3 N) O(logN) Type-III Definition: A DSE scheme has optimal (resp. quasi-optimal) search time, if the asymptotic • complexity of Search is O(n w ) (resp. O(n w polylog(N) ).

  26. Motivation for Optimal/Quasi-optimal Search Untrusted SDd search cost ? Cloud Client Add (F1, w1 ) = O(log 2 N + a w ) Add (F2, w1 ) … + Add (FN, w1 ) Del (F1, w1 ) … w1 is contained only in Del (F N-1 , w1 ) File N , but the result has size O(a w ) ~= O(N) Query( w1 )

  27. QOS --- Main Idea Untrusted ? Cloud Client Idea: For each keyword w create a data structure that helps us avoid the deleted regions Next empty Add (F1, w1 ) leaf for w1 Add (F2, w1 ) Add (F5, w1 ) OMAP 1 2 3 4 5 Add (F10, w1 ) Add (F35, w1 ) Tree for keyword w1 (N=8)

  28. QOS --- Main Idea Untrusted ? Cloud Client Idea: For each keyword w create a data structure that helps us avoid the deleted regions Returns the leaf Del (F1, w1 ) that contains F1, w1 OMAP 1 2 3 4 5 Tree for keyword w1 (N=8)

  29. QOS --- Main Idea Untrusted ? Cloud Client Idea: For each keyword w create a data structure that helps us avoid the deleted regions Returns the leaf Del (F1, w1 ) that contains F2, w2 Del (F2, w1 ) OMAP 1 2 3 4 5 Tree for keyword w1 (N=8)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage

Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage

Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage Presented by: Keegan Sherman and Pardeep Banwait Searchable Symmetric Encryption Allows a user to store a collection of encrypted documents and

350 views • 24 slides
Searchable Encryption Prepared for 600.624 February 9, 2006 Outline Motivation of

Searchable Encryption Prepared for 600.624 February 9, 2006 Outline Motivation of

Searchable Encryption Prepared for 600.624 February 9, 2006 Outline Motivation of Searchable Encryption Searchable Encryption Constructions of Song, Wagner and Perrig Discussion Related Work Conjunctive Keyword

753 views • 51 slides
Backward Secure Dynamic Searchable Symmetric Encryption with Efficient Updates Hyung Tae Lee

Backward Secure Dynamic Searchable Symmetric Encryption with Efficient Updates Hyung Tae Lee

Backward Secure Dynamic Searchable Symmetric Encryption with Efficient Updates Hyung Tae Lee Chonbuk National University, Republic of Korea June 14, 2019@ Workshop on Modern Trends in Cryptography Table of contents 1. Introduction 2.

537 views • 25 slides
Efficient Dynamic Searchable Encryption with Forward Privacy Mohammad Alptekin Charalampos

Efficient Dynamic Searchable Encryption with Forward Privacy Mohammad Alptekin Charalampos

Efficient Dynamic Searchable Encryption with Forward Privacy Mohammad Alptekin Charalampos David Kp Etemad Papamanthou Evans Efficient Dynamic Searchable Encryption with Forward Privacy Etemad, Kp , Papamanthou, Evans, PETS

1.57k views • 90 slides
FORWARD PRIVATE SEARCHABLE ENCRYPTION &amp; BEYOND 22/02/2017 MIT - RAPHAEL BOST DATE

FORWARD PRIVATE SEARCHABLE ENCRYPTION &amp; BEYOND 22/02/2017 MIT - RAPHAEL BOST DATE

FORWARD PRIVATE SEARCHABLE ENCRYPTION &amp; BEYOND 22/02/2017 MIT - RAPHAEL BOST DATE Searchable Encryption Outsource data securely keep search functionalities Generic Solutions Fully Homomorphic Encryption, MPC, ORAM

578 views • 37 slides
Dynamic Searchable Symmetric Encryption DSSE INTRODUCTION TO CYBER SECURITY ESTR 4306 | LIU

Dynamic Searchable Symmetric Encryption DSSE INTRODUCTION TO CYBER SECURITY ESTR 4306 | LIU

Dynamic Searchable Symmetric Encryption DSSE INTRODUCTION TO CYBER SECURITY ESTR 4306 | LIU YICUN Motivating Problem The clients want a encrypted database which can update dynamically. The clients want to do the updates without re-encrypting

898 views • 25 slides
The Locality of Searchable Symmetric Encryption David Cash Stefano Tessaro Rutgers U UC Santa

The Locality of Searchable Symmetric Encryption David Cash Stefano Tessaro Rutgers U UC Santa

The Locality of Searchable Symmetric Encryption David Cash Stefano Tessaro Rutgers U UC Santa Barbara 1 Outsourced storage and searching Browser only downloads documents matching query. Avoids downloading all 6 GB. 2 End-to-end

477 views • 47 slides
Sophos and Diane Searchable Symmetric Encryption with (Very) Low Overhead Raphael Bost, Brice

Sophos and Diane Searchable Symmetric Encryption with (Very) Low Overhead Raphael Bost, Brice

Sophos and Diane Searchable Symmetric Encryption with (Very) Low Overhead Raphael Bost, Brice Minaud RHUL ISG seminar, November 24th 2016 Plan 1. Symmetric Searchable Encryption. 2. Leakage and Forward-Privacy. 3. Sophos and Diane schemes. 4.

479 views • 45 slides
Lower Bounds for Encrypted Multi-Maps and Searchable Encryption in the Leakage Cell Probe Model

Lower Bounds for Encrypted Multi-Maps and Searchable Encryption in the Leakage Cell Probe Model

Lower Bounds for Encrypted Multi-Maps and Searchable Encryption in the Leakage Cell Probe Model Sarvar Patel*, Giuseppe Persiano** and Kevin Yeo* *Google **University of Salerno Key k i was queried. Privacy-Preserving Storage Protocols Key k i

1.11k views • 81 slides
Searching on/Testing Encrypted Data Lecture 23 Searchable Encryption Searchable Encryption A

Searching on/Testing Encrypted Data Lecture 23 Searchable Encryption Searchable Encryption A

Searching on/Testing Encrypted Data Lecture 23 Searchable Encryption Searchable Encryption A test key T w that allows one to test if Dec SK (C) = w Searchable Encryption A test key T w that allows one to test if Dec SK (C) = w No other

1.62k views • 116 slides
in Searchable Symmetric Encryption Kaoru Kurosawa and Yasuhiro Ohtaki Ibaraki University, Japan

in Searchable Symmetric Encryption Kaoru Kurosawa and Yasuhiro Ohtaki Ibaraki University, Japan

How to Update Documents Verifiably in Searchable Symmetric Encryption Kaoru Kurosawa and Yasuhiro Ohtaki Ibaraki University, Japan Outline (1) Introduction (2) Our (previous) verifiable SSE scheme (3) Extend it to a dynamic SSE scheme (but

1.13k views • 70 slides
Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1

Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1

Searchable Symmetric Encryption Seny Kamara Advanced Topics in Network Security Spring 2006 1 Yesterday Motivation for searchable encryption First SSE scheme [SWP00] Attacks on [SWP00] Conjunctive SSE [GSW04,PKL04,BKM05] 2

703 views • 24 slides
Two-Client and Multi-client Functional Encryption for Set Intersection and Variants Tim van de

Two-Client and Multi-client Functional Encryption for Set Intersection and Variants Tim van de

Two-Client and Multi-client Functional Encryption for Set Intersection and Variants Tim van de Kamp David Stritzl Willem Jonker Andreas Peter ACISP 2019 Functional Encryption for Set Operations n evaluate i = 1 S i S 1 S 2 S n

707 views • 32 slides
Searchable Encryption From Theory to Implementation Raphael Bost Direction Gnrale de

Searchable Encryption From Theory to Implementation Raphael Bost Direction Gnrale de

Searchable Encryption From Theory to Implementation Raphael Bost Direction Gnrale de lArmement - Maitrise de lInformation &amp; Universit de Rennes 1 ECRYPT NET Workshop - Crypto for the Cloud &amp; Implementation - 28/06/2017

793 views • 43 slides
Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 ,

Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 ,

Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 , Pierre-Alain Fouque 2 , Brice Minaud 3 1 Direction Gnrale de lArmement - Matrise de lInformation 2 Universit de Rennes 1 3 INRIA &amp;

836 views • 45 slides
Searchable Symmetric Encryption: Optimal Locality in Linear Space via Two-Dimensional Balanced

Searchable Symmetric Encryption: Optimal Locality in Linear Space via Two-Dimensional Balanced

Searchable Symmetric Encryption: Optimal Locality in Linear Space via Two-Dimensional Balanced Allocations Gilad Asharov Cornell-Tech (Hebrew University) Moni Naor Weizmann Gil Segev

827 views • 56 slides
Searchable Encryption with Optimal Locality: Achieving Sublogarithmic Read Efficiency Charalampos

Searchable Encryption with Optimal Locality: Achieving Sublogarithmic Read Efficiency Charalampos

Searchable Encryption with Optimal Locality: Achieving Sublogarithmic Read Efficiency Charalampos Papamanthou Ioannis Demertzis Dimitris Papadopoulos Hong Kong UST University of Maryland University of Maryland yannis@umd.edu

753 views • 26 slides
IMPORTANCE OF DISASTER PLANNING For indi r indivi vidual duals with with resp respirat atory

IMPORTANCE OF DISASTER PLANNING For indi r indivi vidual duals with with resp respirat atory

9/2/2015 IMPORTANCE OF DISASTER PLANNING For indi r indivi vidual duals with with resp respirat atory issu issues, disast disaster plann planning ng is a is a must. must. Breathing is not optional. Must be prepared with a

344 views • 15 slides
Comprehensive P Pre reparatory Assistance P Program The FREE Comprehensive Preparatory

Comprehensive P Pre reparatory Assistance P Program The FREE Comprehensive Preparatory

PURPOSE OF LOOKS LIKE - SOUNDS LIKE EXERCISE If you give a child a choice, you give him a chance Comprehensive P Pre reparatory Assistance P Program The FREE Comprehensive Preparatory Assistance Program is your one-stop resource

134 views • 10 slides
Bridging the Gap for the Special Needs Learner CPR Training for the Project SEARCH Intern Angie

Bridging the Gap for the Special Needs Learner CPR Training for the Project SEARCH Intern Angie

Bridging the Gap for the Special Needs Learner CPR Training for the Project SEARCH Intern Angie Jackson, RRT Education Associate, AHA BLS/PALS Instructor Center for Professional Excellence/Education Cincinnati Childrens Hospital Tina

338 views • 19 slides
TF-Media meeting Mars 18-19 2010 Otto J Wittner UNINETT, Norway Outline Open Scalable Video

TF-Media meeting Mars 18-19 2010 Otto J Wittner UNINETT, Norway Outline Open Scalable Video

TF-Media meeting Mars 18-19 2010 Otto J Wittner UNINETT, Norway Outline Open Scalable Video Coding Work item A: Progress, updates, plans 2 Liaison with T-CPR Open Scalable Video Coding (SVC) What is SVC ? 3 Bit stream switch

217 views • 10 slides
Emergency Algorithm Outline Tracheostomy in children Tracheostomy Emergencies National

Emergency Algorithm Outline Tracheostomy in children Tracheostomy Emergencies National

Paediatric Working Group Paediatric Tracheostomy Emergency Algorithm Outline Tracheostomy in children Tracheostomy Emergencies National Tracheostomy Safety Project Tracheostomy Package Emergency Algorithms Tracheostomy in Children

282 views • 15 slides
Surgical Decision Making in Temporal Lobe Epilepsy by Heterogeneous Classifier Ensembles

Surgical Decision Making in Temporal Lobe Epilepsy by Heterogeneous Classifier Ensembles

Shobeir Fakhraei, Hamid Soltanian-Zadeh, Farshad Fotouhi, Kost Elisevich Surgical Decision Making in Temporal Lobe Epilepsy by Heterogeneous Classifier Ensembles Epilepsy Epilepsy is a brain disorder involving repeated, spontaneous

399 views • 29 slides
Containment Domains Resilience Mechanisms and Tools Toward Exascale Resilience Mattan Erez The

Containment Domains Resilience Mechanisms and Tools Toward Exascale Resilience Mattan Erez The

Containment Domains Resilience Mechanisms and Tools Toward Exascale Resilience Mattan Erez The University of Texas at Austin 2 (c) Mattan Erez Yes, resilience is an exascale concern Checkpoint-restart not good enough on its own

886 views • 75 slides

More recommend