improved reconstruction attacks using range query leakage
play

Improved reconstruction attacks using range query leakage - PowerPoint PPT Presentation

Jun 18, 2023 •25 likes •615 views

Improved reconstruction attacks using range query leakage Marie-Sarah Lacharit Brice Minaud Kenny Paterson Information Security Group Application Setting Storing Records in the Cloud value of record ( N possible values) record identifier

  1. Improved reconstruction attacks using range query leakage Marie-Sarah Lacharité Brice Minaud Kenny Paterson Information Security Group

  2. Application Setting

  3. Storing Records in the Cloud value of record ( N possible values) record identifier (unique) R records 3

  4. Application Scenario give me all records with values in the range [1975, 1979] client 4

  5. Access Pattern Leakage give me all records with values in the range [1975, 1979] client record identifiers 5 OPE, ORE schemes, POPE, [HK16], Blind seer, [Lu12], [FJKNRS15],…

  6. Access Pattern Leakage and Rank Leakage give me all records with values rank in the range [1975, 1979] a+1 client b record identifiers 6 FH-OPE, Lewi-Wu, Arx, Cipherbase, EncKV,…

  7. Assumptions 1. Data is dense: all values appear in at least one record. 2. Queries are uniformly distributed . Target : full reconstruction: find the value associated with each record. Best previous result (Kellaris et al., CCS 2016): Full reconstruction by analysing access pattern leakage from O( N 2 log N ) queries. 7

  8. Our Main Results (eprint 2017/701) Full reconstruction with O( N log N ) queries • – in fact, expected N · (3 + log N ). Approximate reconstruction with relative accuracy ε from • O( N · (log 1/ ε )) queries – in fact, expected 5/4 · N · (log 1/ ε ) + O(N). Approximate reconstruction using an auxiliary distribution and • rank leakage. – more efficient in practice, evaluation via simulation. – applies in the non-dense case too, giving a new attack on OPE/ORE schemes. 8

  9. (1, 1) Uniform Queries: Uniform Endpoints vs. Uniform Ranges ( N =10) 9 (1, 2) (1, 3) (1, 4) (1, 5) (1, 6) (1, 7) (1, 8) (1, 9) (1, 10) (2, 2) (2, 3) (2, 4) (2, 5) (2, 6) (2, 7) (2, 8) (2, 9) (2, 10) (3, 3) (3, 4) (3, 5) (3, 6) (3, 7) (3, 8) (3, 9) (3, 10) (4, 4) (4, 5) (4, 6) (4, 7) (4, 8) (4, 9) (4, 10) (5, 5) (5, 6) (5, 7) (5, 8) (5, 9) (5, 10) (6, 6) (6, 7) (6, 8) (6, 9) Uniform ranges Uniform endpoints (6, 10) (7, 7) (7, 8) (7, 9) (7, 10) (8, 8) (8, 9) (8, 10) (9, 9) (9, 10) (10, 10)

  10. Distribution of Left Endpoints: Uniform Endpoints vs. Uniform Ranges ( N =10) Uniform endpoints Uniform ranges 1 2 3 4 5 6 7 8 9 10 10

  11. Coupon Collector’s Problem 800 700 600 500 Expected 400 number of draws 300 N · (1 + log N) 200 N · H(N) 100 0 0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95 100 105 110 115 120 125 11 Number of coupons (N)

  12. Coupon Collector’s Problem 800 700 600 500 Expected 400 number of draws 300 N · (1 + log N) 200 N · H(N) 100 0 0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95 100 105 110 115 120 125 12 Number of coupons (N)

  13. Attack 1: Full Reconstruction

  14. Motivating Example (with Rank Leakage) • Suppose left endpoints of query intervals are chosen uniformly at random. • Wish to observe at least 1 query with each of the N possible left endpoints. • Expected number of queries needed is at most N · (1 + log N ). hidden leaked [x,y] a = rank(x-1) b = rank(y) matching IDs [20,25] 1300 1500 M 20 [1,18] 0 1200 M 1 [55,125] 3100 4400 M 55 [2,10] 500 800 M 2 [7,98] 700 4200 M 7 relabelled for convenience 14

  15. Motivating Example (with Rank Leakage) 501 … … 4400 1 rank M 1 M 2 M 3 …. M 1 – U i >1 M i M 2 – U i >2 M i M N-1 – M N M N 15

  16. Full Reconstruction (with Rank Leakage) • Now suppose queries have ranges chosen uniformly at random. • We present a data-optimal algorithm (fails ð full reconstruction is impossible). • Expected number of sufficient queries is at most N · (2 + log N ) for N ≥ 27. • Main idea: partition, then sort (easy with rank leakage, harder without). • Expected number of necessary queries is at least 1/2 · N · log N – O(N) for any algorithm . 16

  17. Full Reconstruction (with Rank Leakage) 80000 70000 60000 50000 Expected number 40000 of queries O( N 2 log N ) 30000 KKNO16 20000 This work 10000 0 0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95 100 105 110 115 120 125 17 Number of coupons (N)

  18. Full Reconstruction (with Rank Leakage): Partitioning Step record matched query? ID 1 2 3 4 5 6 7 20 ü ü û û ü û û 23 ü û û ü ü ü ü 29 û ü ü û û ü û 89 û ü ü û ü ü û 193 ü ü û û ü ü ü … • Equality of matching defines a partition of records. • Records in same class of partition cannot be distinguished. • For complete reconstruction, we need N classes – one class 18 per value.

  19. Full Reconstruction (with Rank Leakage): Partitioning Step record matched query? ID 1 2 3 4 5 6 7 20 ü ü û û ü û û 23 ü ü û û ü ü ü [1,100] [18,82] [16,96] [16,30] [21,61] 29 û ü ü û û ü û 89 û ü ü û ü ü û 193 ü ü û û ü ü ü … Can also deduce from rank leakage that, e.g., records 23 and 193 have ranks in [21,30], by intersecting rank intervals. 19

  20. Full Reconstruction (with Rank Leakage): Partitioning Step 1 2 Order partition 3 into N classes by rank 4 Ranks 5 [21,30] records 23 and 193 6 (and more) 20

  21. Full Reconstruction (with Rank Leakage): Proof Intuition • Hard part is to show that O( N log N ) queries suffice with a small constant. • Proof consists of showing that if certain favourable queries are made, then partitioning succeeds in constructing N classes. • Roughly speaking, for our proof we hope for queries on ranges: 1. [x,*] for all 1 ≤ x ≤ N /2 (left coupons) 2. [*,y] for all N /2+1 ≤ y ≤ N (right coupons) 3. [ N /2+1,y] and [x, N ] for some y ≥ x. • Assuming these all arise, then a combinatorial argument establishes the success of the partitioning step. • First two cases are essentially a pair of coupon collector problems – success with high probability with O( N log N ) queries. • Third case is a high probability event: 1 - e - Q /(2 N+2) for Q queries. 21

  22. Full Reconstruction ( without Rank Leakage) • Can only recover values up to reflection . • Data-optimal algorithm (fails _ full reconstruction is impossible). • Expected number of sufficient queries is at most N · (3 + log N ) for N ≥ 26 • Partition (as before), then sort*. • Expected number of necessary queries is at least 1/2 · N · log N – O(N) - for any algorithm . *Not quite. 22

  23. Full Reconstruction (without Rank Leakage): Sorting Step all records M 7 M 39 M 72 1 or N M 36 M 93 M 58 M 28 M 9 M 40 M 18 23 Interval of size N -1

  24. Full Reconstruction (without Rank Leakage): Sorting Step – Extending all records M 25 M 36 M 22 M 17 T M 62 T M 81 T … 24

  25. Full Reconstruction (without Rank Leakage): Sorting Step – Extending all records 25

  26. Full Reconstruction (without Rank Leakage): Sorting Step all records M 3 M 39 M 27 M 13 T M 52 T M 99 T 26

  27. Full Reconstruction (without Rank Leakage): Sorting Step all records … 27

  28. Full Reconstruction (without Rank Leakage): Proof Intuition • Hard part is again to show that O( N log N ) queries suffice, with a small constant. • Proof again consists of showing that if certain favourable queries are made, then partitioning succeeds in constructing N classes. • Coupon collecting bounds then establish that O( N log N ) queries are enough. 28

  29. Attack 2: Approximate Reconstruction

  30. Approximate Reconstruction Attack (without Rank Leakage) • Recover values up to reflection and with relative error ε. • Expected number of sufficient queries is 5/4 · N · (log 1/ ε ) + O(N). • Expected number of necessary queries is at least 1/2 · N · (log 1/ ε) – O(N) for any algorithm. • Not data-optimal without rank leakage (but is with it) 30

  31. Coupon Collection ( N =125) Collecting n of 125 coupons 700 600 500 Expected 400 number of draws 300 200 100 0 0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95 100 105 110 115 120 125 Coupon number ( n ) 31

  32. Coupon Collection ( N =125) Collecting fraction (1- ε) of 125 coupons 700 ε = 0.04 ε = 0.08 600 ε = 0.12 ε = 0.16 500 ε = 0.2 Expected 400 number of draws 300 200 100 0 0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75 80 85 90 95 100 105 110 115 120 125 Coupon number ( n ) 32

  33. Approximate Reconstruction: Old Partitioning Method Doesn't Work all records M 7 M 39 M 72 M 36 M 93 M 58 M 28 M 9 M 40 M 18 33

  34. Approximate Reconstruction: Partitioning Step 1. Pick any record r. 34

  35. Approximate Reconstruction: Partitioning Step 2. Intersect all queries matching r to get M . 35

  36. Approximate Reconstruction: Partitioning Step 2. Intersect all queries matching r to get M . M 36

  37. Approximate Reconstruction: Partitioning Step 3. Find q L and q R : q L ∩ q R = M and | q L U q R | maximised. q L q R M 37

  38. Approximate Reconstruction: Partitioning Step 4. Find q' L : q L ∩ q' L ≠ ∅ , q' L ∩ q R ⊆ M , | q L U q' L | maximised. q' L q L q R M 38

  39. Approximate Reconstruction: Partitioning Step 5. Find q' R : q R ∩ q' R ≠ ∅ , q' R ∩ q L ⊆ M , | q R U q' R | maximised. q' L q L q R M q' R 39

  40. Approximate Reconstruction: Partitioning Step 6. Start over if not every record is in q L U q' L U q R U q’ R . q' L q L q R M q' R 40

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah

Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah

Improved Reconstruction Attacks on Encrypted Data Using Range Query Leakage Marie-Sarah Lacharit, Brice Minaud , Kenny Paterson Information Security Group IEEE Symposium on Security and Privacy, May 21, 2018 Outsourcing Data with Search

654 views • 62 slides
Reconstructing Encrypted Data Using Range Query Leakage Marie-Sarah Lacharit, Brice Minaud,

Reconstructing Encrypted Data Using Range Query Leakage Marie-Sarah Lacharit, Brice Minaud,

Reconstructing Encrypted Data Using Range Query Leakage Marie-Sarah Lacharit, Brice Minaud, Kenny Paterson ePrint 2017/701, to appear S&P 2018. Information Security Group Workshop IoT+Cloud, Bochum, 7 Nov 2017. Outsourcing Data to the

699 views • 22 slides
Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions

SAC Summer School 2019 Encrypted Search: Leakage Attacks Seny Kamara How do we Deal with Leakage? Our definitions allow us to prove that our schemes achieve a certain leakage profile but doesnt tell us if a leakage profile is

477 views • 22 slides
Spatial Range Query in Sensor Spatial Range Query in Sensor Networks Networks Jie Gao Computer

Spatial Range Query in Sensor Spatial Range Query in Sensor Networks Networks Jie Gao Computer

Spatial Range Query in Sensor Spatial Range Query in Sensor Networks Networks Jie Gao Computer Science Department Stony Brook University 11/1/05 Jie Gao, CSE590-fall05 1 Orthogonal range search Orthogonal range search Find all the

338 views • 31 slides
Pin Power Reconstruction with Leakage-corrected Embedded Calculation in PWRs Hwanyeal Yu*,

Pin Power Reconstruction with Leakage-corrected Embedded Calculation in PWRs Hwanyeal Yu*,

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 Pin Power Reconstruction with Leakage-corrected Embedded Calculation in PWRs Hwanyeal Yu*, Seongdong Jang*, and Yonghee Kim* *Korea Advanced Institute of Science

325 views • 4 slides
Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control Marcus Vlp,

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control Marcus Vlp,

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control Marcus Vlp, Adam Lackorzynski * , Jrmie Decouchant, Vincent Rahli, Francisco Rocha, and Paulo Esteves-Verssimo * Kernkonzept GmbH and University of

289 views • 28 slides
Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 ,

Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 ,

Understanding and Mitigating Leakage-Abuse Attacks against Searchable Encryption Raphael Bost 1 , Pierre-Alain Fouque 2 , Brice Minaud 3 1 Direction Gnrale de lArmement - Matrise de lInformation 2 Universit de Rennes 1 3 INRIA &

836 views • 45 slides
Reconstruction Gianpaolo Palma Surface reconstruction Input Point cloud With or without

Reconstruction Gianpaolo Palma Surface reconstruction Input Point cloud With or without

Surface Reconstruction Gianpaolo Palma Surface reconstruction Input Point cloud With or without normals Examples: multi-view stereo, union of range scan vertices Range scans Each scan is a triangular mesh Normal

975 views • 80 slides
Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 ,

Improved Single-Key Attacks on 9-Round AES-192/256 Improved Single-Key Attacks on 9-Round AES-192/256 Leibo Li 1 , Keting Jia 2 and Xiaoyun Wang 1 , 3 1 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education,

476 views • 29 slides
Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj

Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj

Privacy Leakage Attacks in Browser by Colluding Extensions Presentation by Anil Saini 1 , Manoj Singh Gaur 1 , Vijay Laxmi 1 , Tushar Singhal 1 , Mauro Conti 2 1 Malaviya National Institute of Technology, Jaipur, India 2 University of Padua, Italy

882 views • 58 slides
6 I \ No .co/-ptsreporteds . 440*1 & . . : 6 ' Layering . . IQ " " * :*

6 I \ No .co/-ptsreporteds . 440*1 & . . : 6 ' Layering . . IQ " " * :*

- , * - Dim Range Tree : Can we do better ? call this as Recap : .ge#TaYesi:socniogdiny-kTaFaesIr:uc9uerneFoartpPIsiPn Ran "kd rangetreewithf claim :A - Orthogonal range query - Query time : n pts has space Oln ) and : Oclogdn ) : -

145 views • 3 slides
Surface Reconstruction Gianpaolo Palma Surface reconstruction Input Point nt cloud oud

Surface Reconstruction Gianpaolo Palma Surface reconstruction Input Point nt cloud oud

Surface Reconstruction Gianpaolo Palma Surface reconstruction Input Point nt cloud oud With or without normals Examples: multi-view stereo, union of range scan vertices Ra Range ge scans ns Each scan is a triangular

932 views • 80 slides
Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer,

Side-Channel Plaintext-Recovery Attacks on Leakage-Resilient Encryption Thomas Unterluggauer, Mario Werner, and Stefan Mangard, IAIK, Graz University of Technology 30. March 2017 Content Differential power analysis for key recovery Re-keying

284 views • 24 slides
Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP Introduction Deral

Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP Introduction Deral

Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP Introduction Deral Heiland Matthew Kienow deral_heiland@rapid7.com mkienow@inokii.com dh@layereddefense.com @HacksForProfit @Percent_X Why ? Add value ?

939 views • 66 slides
AnalysingAccess Pattern and Volume Leakage from Range Queries on Encrypted Data Kenny Paterson

AnalysingAccess Pattern and Volume Leakage from Range Queries on Encrypted Data Kenny Paterson

AnalysingAccess Pattern and Volume Leakage from Range Queries on Encrypted Data Kenny Paterson @kennyog based on joint work with Paul Grubbs, Marie-Sarah Lacharit, Brice Minaud Information Security Group SuRI EPFL June 18, 2018

859 views • 49 slides
How to Compute under AC 0 Leakage without Secure Hardware Guy Rothblum Microsoft Research

How to Compute under AC 0 Leakage without Secure Hardware Guy Rothblum Microsoft Research

How to Compute under AC 0 Leakage without Secure Hardware Guy Rothblum Microsoft Research Silicon Valley Protecting Sensitive Computations from Leakage/Side-Channel Attacks Sensitive computations: Cryptographic Algorithms Secret Key

232 views • 20 slides
Problems of Network Coding in P2P - and how to overcome it Christian Schindelhauer joint work

Problems of Network Coding in P2P - and how to overcome it Christian Schindelhauer joint work

Problems of Network Coding in P2P - and how to overcome it Christian Schindelhauer joint work with Christian Ortolf & Arne Vater presented in SPAA 09 & 10 Albert-Ludwig University Freiburg Department of Computer Science Computer

455 views • 27 slides
Probability 2: Random variables and Expectations E [ X + Y ] = E [ X ] + E [ Y ] Review Some

Probability 2: Random variables and Expectations E [ X + Y ] = E [ X ] + E [ Y ] Review Some

15-251: Great Theoretical Ideas in Computer Science Fall 2016 Lecture 18 October 27, 2016 Probability 2: Random variables and Expectations E [ X + Y ] = E [ X ] + E [ Y ] Review Some useful sample spaces 1) A fair coin sample space =

1.08k views • 89 slides
Last Time... Sanity Check Let X be a RV that takes on values in A . Expectation describes the

Last Time... Sanity Check Let X be a RV that takes on values in A . Expectation describes the

Last Time... Sanity Check Let X be a RV that takes on values in A . Expectation describes the weighted Expectation Continued: Tail Let Y be a RV that takes on values in B . average of a RV. Sum, Coupon Collector, and Let c R be a

505 views • 5 slides
Foundations of Computing II Lecture 12: Multiple Random Variables, Linearity of Expectation.

Foundations of Computing II Lecture 12: Multiple Random Variables, Linearity of Expectation.

CSE 312 Foundations of Computing II Lecture 12: Multiple Random Variables, Linearity of Expectation. Stefano Tessaro tessaro@cs.washington.edu 1 Midterm Information Next Friday Closed book, but we will provide important / needed

447 views • 19 slides
Transport problems 18.S995 - L32 dunkel@math.mit.edu Root systems Katifori lab, MPI Goettingen

Transport problems 18.S995 - L32 dunkel@math.mit.edu Root systems Katifori lab, MPI Goettingen

Transport problems 18.S995 - L32 dunkel@math.mit.edu Root systems Katifori lab, MPI Goettingen Maze solving 1 cm time = 0 after 8 hours Nakagaki et al (2000) Nature dunkel@math.mit.edu Tree graphs Spanning trees Minimal spanning tree

545 views • 29 slides
Probabilistic Programming Fun but Intricate Too! Joost-Pieter Katoen with Friedrich Gretz, Nils

Probabilistic Programming Fun but Intricate Too! Joost-Pieter Katoen with Friedrich Gretz, Nils

Probabilistic Programming is Fun, but Intricate Too Probabilistic Programming Fun but Intricate Too! Joost-Pieter Katoen with Friedrich Gretz, Nils Jansen, Benjamin Kaminski Christoph Matheja, Federico Olmedo and Annabelle McIver Mysore

775 views • 77 slides
Parametric Models Part II: Expectation-Maximization and Mixture Density Estimation Selim Aksoy

Parametric Models Part II: Expectation-Maximization and Mixture Density Estimation Selim Aksoy

Parametric Models Part II: Expectation-Maximization and Mixture Density Estimation Selim Aksoy Department of Computer Engineering Bilkent University saksoy@cs.bilkent.edu.tr CS 551, Spring 2019 CS 551, Spring 2019 2019, Selim Aksoy

356 views • 32 slides
Covariance in Unsupervised Learning of Probabilis6c Grammars Cohen

Covariance in Unsupervised Learning of Probabilis6c Grammars Cohen

Covariance in Unsupervised Learning of Probabilis6c Grammars Cohen and Smith (2010) Presenter: Alice Lai Introduc6on A framework for modeling covariance in

698 views • 32 slides

More recommend