improved reconstruction attacks on encrypted data using
play

Improved Reconstruction Attacks on Encrypted Data Using Range Query - PowerPoint PPT Presentation

Feb 09, 2023 •34 likes •654 views

Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah Lacharit, Brice Minaud , Kenny Paterson Information Security Group IEEE Symposium on Security and Privacy, May 21, 2018 Outsourcing Data with Search

  1. Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah Lacharité, Brice Minaud , Kenny Paterson Information Security Group IEEE Symposium on Security and Privacy, May 21, 2018

  2. Outsourcing Data with Search Capabilities Server Client 2

  3. Outsourcing Data with Search Capabilities Data upload Server Client 2

  4. Outsourcing Data with Search Capabilities Data upload Search query Matching records Server Client 2

  5. Outsourcing Data with Search Capabilities Data upload Search query Matching records Server Client For an encrypted database management system : • Data = collection of records in a database. e.g. health records. • Search query examples: - find records with given value. e.g. patients aged 57. - find records within a given range. e.g. patients aged 55-65. 2

  6. Security of Data Outsourcing Solutions Search query Matching records Adversarial Client server Adversaries : • Snapshot : breaks into server, gets snapshot of memory. • Persistent : corrupts server, sees all communication transcripts. Can be server itself. Security goal = privacy. → Adversary learns as little as possible about the client’s data and queries. 3

  7. Solutions • Structure-preserving encryption. Vulnerable to snapshot attackers. 4

  8. Solutions • Structure-preserving encryption. Vulnerable to snapshot attackers. • Second-generation schemes : Aim to protect against snapshot and persistent attackers. 4

  9. Solutions • Structure-preserving encryption. Vulnerable to snapshot attackers. • Second-generation schemes : Aim to protect against snapshot and persistent attackers. • Very active research topic. [AKSX04], [BCLO09], [PKV+14], [BLR+15], [NKW15], [KKNO16], [LW16], [FVY+17], [SDY+17], [DP17], [HLK18], [PVC18], [MPC+18]… 4

  10. Schemes Supporting Range Queries Range = [40,100] Server Client 3 1 2 4 45 6 83 28 5

  11. Schemes Supporting Range Queries Range = [40,100] 1 3 45 83 Server Client 3 1 2 4 45 6 83 28 5

  12. Schemes Supporting Range Queries Range = [40,100] 1 3 45 83 Server Client 3 1 2 4 45 6 83 28 5

  13. Schemes Supporting Range Queries Range = [40,100] 1 3 45 83 Server Client 3 1 2 4 45 6 83 28 • Most schemes leak set of matching records = access pattern leakage. OPE, ORE schemes, POPE, [HK16], BlindSeer, [Lu12], [FJ+15], … 5

  14. Schemes Supporting Range Queries Range = [40,100] 1 3 45 83 Server Client 3 1 2 4 45 6 83 28 • Most schemes leak set of matching records = access pattern leakage. OPE, ORE schemes, POPE, [HK16], BlindSeer, [Lu12], [FJ+15], … • Some schemes also leak #records below queried endpoints = rank leakage. FH-OPE, Lewi-Wu, Arx, Cipherbase, EncKV, … 5

  15. Exploiting Leakage • Most schemes prove that nothing more leaks than their leakage model allows. For example, leakage = access pattern + rank. What can we really learn from this leakage? 6

  16. Exploiting Leakage • Most schemes prove that nothing more leaks than their leakage model allows. For example, leakage = access pattern + rank. What can we really learn from this leakage? • Our goal : full reconstruction = recovering the exact value of every record. 6

  17. Exploiting Leakage • Most schemes prove that nothing more leaks than their leakage model allows. For example, leakage = access pattern + rank. What can we really learn from this leakage? • Our goal : full reconstruction = recovering the exact value of every record. • [KKNO16] : O( N 2 log N ) queries suffice for full reconstruction using only access pattern leakage! - where N is the number of possible values (e.g. 125 for age in years). 6

  18. Assumptions for our Analysis • Data is dense: all values appear in at least one record. • Queries are uniformly distributed . Our algorithms don’t actually care though – the assumption is for computing data upper bounds. 7

  19. Our Main Results • Full reconstruction with O( N · log N ) queries from access pattern leakage – in fact, N · (3 + log N ). 8

  20. Our Main Results • Full reconstruction with O( N · log N ) queries from access pattern leakage – in fact, N · (3 + log N ). Approximate reconstruction with relative accuracy ε with O( N · (log 1/ ε )) • queries. 8

  21. Our Main Results • Full reconstruction with O( N · log N ) queries from access pattern leakage – in fact, N · (3 + log N ). Approximate reconstruction with relative accuracy ε with O( N · (log 1/ ε )) • queries. • Approximate reconstruction using an auxiliary distribution and access pattern + rank leakage. 8

  22. Our Main Results • Full reconstruction with O( N · log N ) queries from access pattern leakage – in fact, N · (3 + log N ). Approximate reconstruction with relative accuracy ε with O( N · (log 1/ ε )) • queries. • Approximate reconstruction using an auxiliary distribution and access pattern + rank leakage. 8

  23. Full reconstruction

  24. Full Reconstruction Algorithm Set of all records M 1 M 2 M 3 M 4 M 5 Assume N = 7 values, and 5 queries. M i = set of records matched by i -th query. 10

  25. Step 1: Partitioning M 1 M 2 M 3 M 4 M 5 11

  26. Step 1: Partitioning M 1 M 2 M 3 M 4 M 5 … … 11

  27. Step 1: Partitioning M 1 M 2 M 3 M 4 M 5 … … If there are N minimal subsets → each of them correspond to a single value. 11

  28. Step 2a: Finding an Endpoint M 1 M 2 M 3 M 4 M 5 M 1 ∪ M 3 cover all but 1 minimal set 12

  29. Step 2a: Finding an Endpoint M 1 M 2 M 3 M 4 M 5 Endpoint! M 1 ∪ M 3 cover all but 1 minimal set 12

  30. Step 2a: Finding an Endpoint 7 M 1 M 2 M 3 M 4 M 5 Endpoint! M 1 ∪ M 3 cover all but 1 minimal set 12

  31. Step 2b: Propagating 7 M 1 M 1 M 2 M 3 M 4 M 5 • Intersect 13

  32. Step 2b: Propagating 7 M 1 M 1 M 2 M 3 M 4 M 5 • Intersect • Trim 13

  33. Step 2b: Propagating 7 M 1 M 1 M 1 M 2 M 3 M 4 M 5 • Intersect • Trim 13

  34. Step 2b: Propagating 7 M 1 M 1 M 1 M 2 M 3 M 4 M 5 Next point! • Intersect • Trim 13

  35. Step 2b: Propagating 7 6 M 1 M 1 M 1 M 2 M 3 M 4 M 5 Next point! • Intersect • Trim 13

  36. Step 2b: Propagating 5 7 6 M 1 M 2 M 3 M 4 M 5 • Intersect • Trim 14

  37. Step 2b: Propagating 4 5 7 6 M 1 M 2 M 3 M 4 M 5 • Intersect • Trim 15

  38. Step 2b: Propagating 3 4 5 7 6 M 1 M 2 M 3 M 4 M 5 • Intersect • Trim 16

  39. Step 2b: Propagating 2 3 4 5 7 6 M 1 M 2 M 3 M 4 M 5 • Intersect • Trim 17

  40. Done! 1 2 3 4 5 7 6 M 1 M 2 M 3 M 4 M 5 • Intersect • Trim 18

  41. Full Reconstruction: Conclusion • Generic setting: only access pattern leakage. • Partiotioning , then sorting steps. • Expectation of #queries sufficient for reconstruction: N · (3 + log N ) for N ≥ 26 • Expectation of #queries necessary for reconstruction: 1/2 · N · log N – O(N) for any algorithm. • Our algorithm is data-optimal. 19

  42. Reconstruction with Auxiliary Data + Rank Leakage

  43. Auxiliary Data Attack with Rank Leakage • Assume access pattern + rank leakage. • Also assume an approximation to the distribution on values is known. “Auxiliary distribution”. From aggregate data, or from another reference source. • We show experimentally that, under these assumptions, far fewer queries are needed. 21

  44. Auxiliary Data Attack Algorithm Set of all records M 1 M 2 Assume N = 125 values, and 2 queries. M i = set of records matched by i -th query. 22

  45. Partitioning and Matching M 1 M 2 23

  46. Partitioning and Matching M 1 M 2 23

  47. Partitioning and Matching M 1 M 2 % records 10% below 23

  48. Partitioning and Matching M 1 M 2 % records 10% 32% below 23

  49. Partitioning and Matching M 1 M 2 % records 10% 32% 77% below 23

  50. Partitioning and Matching M 1 M 2 % records 10% 32% 77% 85% below 23

  51. Partitioning and Matching M 1 M 2 % records 10% 32% 77% 85% below Matching with aux. distribution Age 12 23

  52. Partitioning and Matching M 1 M 2 % records 10% 32% 77% 85% below Matching with aux. distribution Age 12 43 23

  53. Partitioning and Matching M 1 M 2 % records 10% 32% 77% 85% below Matching with aux. distribution Age 12 43 60 23

  54. Partitioning and Matching M 1 M 2 % records 10% 32% 77% 85% below Matching with aux. distribution Age 12 43 60 72 23

  55. Partitioning and Matching M 1 M 2 % records 10% 32% 77% 85% below Matching with aux. distribution Age 12 43 60 72 Expectation 19 23

  56. Partitioning and Matching M 1 M 2 % records 10% 32% 77% 85% below Matching with aux. distribution Age 12 43 60 72 Expectation 19 50 23

  57. Partitioning and Matching M 1 M 2 % records 10% 32% 77% 85% below Matching with aux. distribution Age 12 43 60 72 Expectation 19 50 65 23

  58. Auxiliary Data Attack: Experimental Evaluation • Ages, N = 125. • Health records from US hospitals (NIS HCUP 2009). • Target: age of individual hospitals' records. • Auxiliary data: aggregate of 200 hospitals' records. • Measure of success: proportion of records with value guessed within ε . 24

  59. Results with Imperfect Auxiliary Data 25

  60. Conclusions

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Improved reconstruction attacks using range query leakage Marie-Sarah Lacharit Brice Minaud

Improved reconstruction attacks using range query leakage Marie-Sarah Lacharit Brice Minaud

Improved reconstruction attacks using range query leakage Marie-Sarah Lacharit Brice Minaud Kenny Paterson Information Security Group Application Setting Storing Records in the Cloud value of record ( N possible values) record identifier

615 views • 59 slides
Learning to Reconstruct Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs,

Learning to Reconstruct Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs,

Learning to Reconstruct Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs, Marie-Sarah Lacharit, Brice Minaud, Kenny Paterson CASYS team seminar, Grenoble, December 2018 Outsourcing Data with Search Capabilities Data

534 views • 38 slides
Learning to Reconstruct Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs,

Learning to Reconstruct Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs,

Learning to Reconstruct Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs, Marie-Sarah Lacharit, Brice Minaud, Kenny Paterson eprint 2019/011 and IEEE S&P 2019. C2 seminar, Rennes, 2019 Outsourcing Data Data upload

646 views • 39 slides
Updates-Leak: Data Set Inference and Reconstruction Attacks in Online Learning Ahmed Salem ,

Updates-Leak: Data Set Inference and Reconstruction Attacks in Online Learning Ahmed Salem ,

Updates-Leak: Data Set Inference and Reconstruction Attacks in Online Learning Ahmed Salem , Apratim Bhattacharya, Michael Backes Mario Fritz,Yang Zhang CISPA Helmholtz Center for Information Security, Max Planck Institute for Informatics 1

568 views • 20 slides
Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and

Improved Key Recovery Attacks on Reduced-Round AES on Reduced-Round AES with Practical Data and Memory Complexities Orr Dunkelman Achiya Bar-On Eyal Ronen Nathan Keller Adi Shamir AES AES is the best known and most widely used secret

863 views • 58 slides
3D RECONSTRUCTION Reconstruction method Reconstruction from images Reconstruction from video

3D RECONSTRUCTION Reconstruction method Reconstruction from images Reconstruction from video

3D RECONSTRUCTION Reconstruction method Reconstruction from images Reconstruction from video Using Kinect Raw Depth Image Infrared laser projector Monochrome CMOS sensor Demo Kinect Raw data Real-time Reconstruction Pipeline Measurement

508 views • 34 slides
Phonotactic Reconstruction of Encrypted VoIP Conversations: Hookt on fon-iks Adam White, Austin

Phonotactic Reconstruction of Encrypted VoIP Conversations: Hookt on fon-iks Adam White, Austin

Phonotactic Reconstruction of Encrypted VoIP Conversations: Hookt on fon-iks Adam White, Austin Matthews, Kevin Snow, and Fabian Monrose Presented By Corly Leung Introduction - Google Hangout, Skype, FaceTime - Encrypting VoIP Packets -

480 views • 14 slides
Approximate reconstruction of encrypted databases Paul Grubbs, Marie-Sarah Lacharit, Brice

Approximate reconstruction of encrypted databases Paul Grubbs, Marie-Sarah Lacharit, Brice

Approximate reconstruction of encrypted databases Paul Grubbs, Marie-Sarah Lacharit, Brice Minaud, Kenny Paterson Information Security Group ESSA2, Bertinoro, 9th July 2018 Situation overview General message from previous talk: Dont use

667 views • 27 slides
Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 , 3 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education,

476 views • 29 slides
Raw Data Reconstruction with Raw-Data Reconstruction with PROOF C. Cheshkov, P. Hristov

Raw Data Reconstruction with Raw-Data Reconstruction with PROOF C. Cheshkov, P. Hristov

Raw Data Reconstruction with Raw-Data Reconstruction with PROOF C. Cheshkov, P. Hristov 24/10/2008 ALICE Offline Week C O e ee Many thanks to: Andrei,Federico,Fons,Jan,Gerri,Latchezar,Rene for the discussions and help and Marco &

399 views • 28 slides
Wiretapping End-to-End Encrypted VoIP Calls Real-World Attacks on ZRTP Dominik Schrmann, Fabian

Wiretapping End-to-End Encrypted VoIP Calls Real-World Attacks on ZRTP Dominik Schrmann, Fabian

Institute of Operating Systems and Computer Networks Wiretapping End-to-End Encrypted VoIP Calls Real-World Attacks on ZRTP Dominik Schrmann, Fabian Kabus, Gregor Hildermeier, Lars Wolf, 2017-07-18 Introduction Man-in-the-Middle ZRTP

396 views • 24 slides
Learning to Reconstruct: Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs ,

Learning to Reconstruct: Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs ,

Learning to Reconstruct: Statistical Learning Theory and Encrypted Database Attacks Paul Grubbs , Marie-Sarah Lacharit, Brice Minaud, Kenny Paterson pag225@cornell.edu, @pag_crypto Outsourced Databases Database Encrypting Outsourced

705 views • 23 slides
Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

SAC Summer School 2019 Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions allow us to prove that our schemes achieve a certain leakage profile but doesnt tell us if a leakage profile is

477 views • 22 slides
Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web

Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web

Keys to the Cloud Bansal, Bhargavan, Delignat-Lavaud, Maffeis Keys to the Cloud: Formal Analysis and Concrete Application-level Attacks on Encrypted Web Storage Crypto on the Web Motivations Formal analysis of cryptographic web

1.19k views • 106 slides
On Improving Data Complexity of Attacks on RC5 A. Biryukov V. Velichkov Laboratory of

On Improving Data Complexity of Attacks on RC5 A. Biryukov V. Velichkov Laboratory of

Motivation Previous Work Improved Filter Conclusion On Improving Data Complexity of Attacks on RC5 A. Biryukov V. Velichkov Laboratory of Algorithmics, Cryptology and Security (LACS) University of Luxembourg Early Symmetric Crypto 2015

533 views • 37 slides
Why Encrypt Data? We have already discussed authentication and access control as means to

Why Encrypt Data? We have already discussed authentication and access control as means to

Security in Outsourced Databases II Outsourced Databases II (Query Processing on Encrypted Data) Disks replaced Data worthless if encrypted Customer Credit for maintenance Card Number Laptops stolen Backups lost p 1 Why Encrypt Data?

759 views • 19 slides
Death by a 1000 Cuts: Bringing Swift to Windows Saleem Abdulrasool ( @ compnerd) Porting by a

Death by a 1000 Cuts: Bringing Swift to Windows Saleem Abdulrasool ( @ compnerd) Porting by a

Death by a 1000 Cuts: Bringing Swift to Windows Saleem Abdulrasool ( @ compnerd) Porting by a 1000 Patches: Bringing Swift to Windows Saleem Abdulrasool ( @ compnerd) Why Swift? Why Swift? Safe Why Swift? Safe Flexible

2.01k views • 93 slides
Abstract in-place merge Goal. Given two sorted subarrays a[lo] to a[mid] and a[mid+1] to a[hi] ,

Abstract in-place merge Goal. Given two sorted subarrays a[lo] to a[mid] and a[mid+1] to a[hi] ,

BBM 202 - ALGORITHMS D EPT . OF C OMPUTER E NGINEERING M ERGESORT Acknowledgement: The course slides are adapted from the slides prepared by R. Sedgewick and K. Wayne of Princeton University. Mergesort Basic plan. Divide array into

866 views • 69 slides
Algorithms R OBERT S EDGEWICK | K EVIN W AYNE 2.2 M ERGESORT mergesort bottom-up mergesort

Algorithms R OBERT S EDGEWICK | K EVIN W AYNE 2.2 M ERGESORT mergesort bottom-up mergesort

Algorithms R OBERT S EDGEWICK | K EVIN W AYNE 2.2 M ERGESORT mergesort bottom-up mergesort sorting complexity Algorithms comparators F O U R T H E D I T I O N stability R OBERT S EDGEWICK | K EVIN W AYNE

1.04k views • 57 slides
Cisco Inter-network Operating System (IOS) A short guide for the NetAdmin Angelos Stavrou Let's

Cisco Inter-network Operating System (IOS) A short guide for the NetAdmin Angelos Stavrou Let's

Cisco Inter-network Operating System (IOS) A short guide for the NetAdmin Angelos Stavrou Let's start out at the very beginning with the question: "What is a Command?" The most important thing to understand is that all computers run

355 views • 10 slides
(ALAMIS) Unit Training Manual Updated: September 27, 2013 OVERVIEW The American Legion

(ALAMIS) Unit Training Manual Updated: September 27, 2013 OVERVIEW The American Legion

American Legion Auxiliary Management Information System (ALAMIS) Unit Training Manual Updated: September 27, 2013 OVERVIEW The American Legion Auxiliary Management Information System (ALAMIS) is used by Units and Departments to manage

661 views • 42 slides
WITH BSD Constantine A. Murenin University of Waterloo BSDCan 2009 6/9 May 2009 Ottawa,

WITH BSD Constantine A. Murenin University of Waterloo BSDCan 2009 6/9 May 2009 Ottawa,

Q UIET C OMPUTING WITH BSD Constantine A. Murenin University of Waterloo BSDCan 2009 6/9 May 2009 Ottawa, Ontario, Canada A GENDA Slow fans down, not speed em up! Slower speed less noise less stress for the user less stress

205 views • 16 slides
L ECTURE 25: B AYESIAN F ILTERS M ONTE C ARLO L OCALIZATION (PF) I NSTRUCTOR : G IANNI A. D I C ARO

L ECTURE 25: B AYESIAN F ILTERS M ONTE C ARLO L OCALIZATION (PF) I NSTRUCTOR : G IANNI A. D I C ARO

16-311-Q I NTRODUCTION TO R OBOTICS F ALL 17 L ECTURE 25: B AYESIAN F ILTERS M ONTE C ARLO L OCALIZATION (PF) I NSTRUCTOR : G IANNI A. D I C ARO P R O B A B I L I S T I C I N F E R E N C E Process noise Localization is an instance of the

368 views • 10 slides
On interleaving in {P {P,A}-Tim ime P e Pet etri i net ets s with stron rong semantics

On interleaving in {P {P,A}-Tim ime P e Pet etri i net ets s with stron rong semantics

On interleaving in {P {P,A}-Tim ime P e Pet etri i net ets s with stron rong semantics Hanifa Boucheneb (1) , Kamel Barkaoui (2) (1) Laboratoire VeriForm , cole Polytechnique de Montral (Canada) (2) Laboratoire CEDRIC,. CNAM (France)

775 views • 25 slides

More recommend