lower bounds for encrypted multi maps and searchable
play

Lower Bounds for Encrypted Multi-Maps and Searchable Encryption in - PowerPoint PPT Presentation

Mar 27, 2023 •298 likes •1.11k views

Lower Bounds for Encrypted Multi-Maps and Searchable Encryption in the Leakage Cell Probe Model Sarvar Patel*, Giuseppe Persiano** and Kevin Yeo* *Google **University of Salerno Key k i was queried. Privacy-Preserving Storage Protocols Key k i

  1. Lower Bounds for Encrypted Multi-Maps and Searchable Encryption in the Leakage Cell Probe Model Sarvar Patel*, Giuseppe Persiano** and Kevin Yeo* *Google **University of Salerno

  2. Key k i was queried. Privacy-Preserving Storage Protocols Key k i k 1 V 1 k 2 V 2 ... ... k n V n V i

  3. Key k 2 was never queried. Privacy-Preserving Storage Protocols k 1 V 1 Key k 15 was most frequently queried. k 2 V 2 ... ... k n V n

  4. What was the requested key? Privacy-Preserving Storage Protocols Key k i k 1 V 1 ... k 2 V 2 ... ... k n V n V i

  5. Privacy Spectrum for Maps Plaintext Maps

  6. Plaintext Maps Classic dictionary problem with many solutions! ● Perfect Hashing: Static [FKS’84], Dynamic [DKM+’94] ○ Cuckoo Hashing [PR’01] ○ … and many more ○

  7. Plaintext Maps Classic dictionary problem with many solutions! ● Perfect Hashing: Static [FKS’84], Dynamic [DKM+’94] ○ Cuckoo Hashing [PR’01] ○ … and many more ○ Efficiency : O(1) overhead, O(n) storage ● Privacy: None -- Leaks all keys and values. ●

  8. Privacy Spectrum for Maps Structured Plaintext Maps Encryption Efficiency : O(1) Leakage : Everything

  9. Structured Encryption Idea: Encrypt a data structure while maintaining operations ● Example: Searchable encryption = Encrypt a search index ○ Many works in the past two decades: ● Static [SWP’00], [BDOP’04], [CGKO’11], ... ○ Dynamic [CJJ+’14], [SPS’14], ... ○ Forward and Backward Privacy [Bost’16], [BMO’17], ... ○

  10. Structured Encryption Idea: Encrypt a data structure while maintaining operations ● Example: Searchable encryption = Encrypt a search index ○ Many works in the past two decades: ● Static [SWP’00], [BDOP’04], [CGKO’11], ... ○ Dynamic [CJJ+’14], [SPS’14], ... ○ Forward and Backward Privacy [Bost’16], [BMO’17], … ○ Efficiency: Typically O(1) but can be higher depending on leakage ● Privacy: Some well-defined leakage function ● Number of values associated with keys, Key-equality between operations, Number of operations, etc. ○

  11. Privacy Spectrum for Maps Structured Plaintext Maps Oblivious RAM Encryption Efficiency : O(1) Efficiency : O(1) Leakage : Everything Leakage : Non-trivial Leakage Function

  12. Oblivious RAM Introduced by Goldreich and Ostrovsky [GO’96] ● Also, many works in the past decade [PR’10], [SSS’11], [MMOT’12], [SvDS’13], [PPR Y ’18], .... ○ … leading to optimal O(log n) overhead construction [AKL+’20] ○

  13. Oblivious RAM Introduced by Goldreich and Ostrovsky [GO’96] ● Also, many works in the past decade [PR’10], [SSS’11], [MMOT’12], [SvDS’13], [PPR Y ’18], .... ○ … leading to optimal O(log n) overhead construction [AKL+’20] ○ Efficiency: O(log n), which is tight due to [GO’96, LN’18] ● Privacy : Adversary cannot distinguish two sequences of same length ● Leakage function is (upper bound on) length of operational sequence ○

  14. Privacy Spectrum for Maps Structured Plaintext Maps Oblivious RAM Encryption Efficiency : O(1) Efficiency : O(1) Efficiency : O(log n) Leakage : Everything Leakage : Non-trivial Leakage : Length of Leakage Function operational sequence

  15. What leakage functions inherently cost Ω(log n) like Privacy Spectrum for Maps ORAM? Structured Plaintext Maps Oblivious RAM Encryption Efficiency : O(1) Efficiency : O(1) Efficiency : O(log n) Leakage : Everything Leakage : Non-trivial Leakage : Length of Leakage Function operational sequence

  16. Privacy Spectrum for Maps Structured Plaintext Maps Oblivious RAM Encryption Efficiency : O(1) Efficiency : O(1) Efficiency : O(log n) Leakage : Everything Leakage : Non-trivial Leakage : Length of Leakage Function operational sequence

  17. Hash-and-Encrypt Compiler Consider any plaintext map with operations: ● Insert(k, v) ○ Get(k) ○ Delete(k) ○

  18. Hash-and-Encrypt Compiler k 1 V 1 k 2 V 2 ... ... K k n V n

  19. Hash-and-Encrypt Compiler H(K, k 1 ) V 1 H(K, k 2 ) V 2 ... ... K H(K, k n ) V n

  20. Hash-and-Encrypt Compiler H(K, k 1 ) Enc(K, V 1 ) H(K, k 2 ) Enc(K, V 2 ) ... ... K H(K, k n ) Enc(K, V n )

  21. Hash-and-Encrypt Compiler (Query) Key k i H(K, k 1 ) Enc(K, V 1 ) H(K, k i ) H(K, k 2 ) Enc(K, V 2 ) ... ... Get(H(K, k i )) K H(K, k n ) Enc(K, V n ) Enc(K, V i )

  22. Hash-and-Encrypt Compiler (Insert) Key k i H(K, k 1 ) Enc(K, V 1 ) Value V i H(K, k i ), Enc(K, V i ) H(K, k 2 ) Enc(K, V 2 ) ... ... Insert(H(K, k i ), Enc(K, V i )) K H(K, k n ) Enc(K, V n )

  23. Hash-and-Encrypt Compiler (Insert) Key k i H(K, k 1 ) Enc(K, V 1 ) Value V i H(K, k i ), Enc(K, V i ) H(K, k 2 ) Enc(K, V 2 ) H(K, k i ) Enc(K, V i ) Insert(H(K, k i ), Enc(K, V i )) K H(K, k n ) Enc(K, V n )

  24. Leakage of Hash-and-Encrypt Insert H(K, “cat”) Enc(K, “01”)

  25. Leakage of Hash-and-Encrypt Insert Insert H(K, “cat”) H(K, “dog”) Enc(K, “01”) Enc(K, “00”)

  26. Leakage of Hash-and-Encrypt Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  27. Leakage of Hash-and-Encrypt Type of operation performed ●

  28. Leakage of Hash-and-Encrypt Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  29. Leakage of Hash-and-Encrypt Type of operation performed ● Length of Query response ●

  30. Leakage of Hash-and-Encrypt Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  31. Leakage of Hash-and-Encrypt Type of operation performed ● Length of Query response ● Key-Equality Pattern ●

  32. Leakage of Hash-and-Encrypt Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  33. Leakage of Hash-and-Encrypt Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  34. Leakage of Hash-and-Encrypt Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  35. Leakage of Hash-and-Encrypt Type of operation performed ● Length of Query response ● Key-Equality Pattern ●

  36. Leakage of Hash-and-Encrypt Type of operation performed ● Length of Query response ● Key-Equality Pattern ● Surprisingly, this matches leakage of best STE O(1) schemes!!!

  37. Privacy Spectrum for Maps Structured Plaintext Maps Oblivious RAM Encryption Efficiency : O(1) Efficiency : O(1) Efficiency : O(log n) Leakage : Everything Leakage : Non-trivial Leakage : Length of Leakage Function operational sequence

  38. Can we do better? Type of operation performed ● Length of Query response ● Key-Equality Pattern ●

  39. Can we do better? Type of operation performed (Perform all possible operation types) ● Length of Query response ● Key-Equality Pattern ●

  40. Can we do better? Type of operation performed (Perform all possible operation types) ● Length of Query response ??? (Hard to do without increasing cost significantly) ● Padding Volume-Hiding STE schemes: [KM’19], [PP Y Y’19] ○ Key-Equality Pattern ●

  41. Can we do better? Type of operation performed (Perform all possible operation types) ● Length of Query response ??? (Hard to do without increasing cost significantly) ● Padding Volume-Hiding STE schemes: [KM’19], [PP Y Y’19] ○ Key-Equality Pattern ●

  42. Decoupled Key-Equality Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  43. Decoupled Key-Equality Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  44. Decoupled Key-Equality Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  45. Decoupled Key-Equality Insert Insert Query Insert Query H(K, “cat”) H(K, “dog”) H(K, “dog”) H(K, “cat”) H(K, “cat”) ... Enc(K, “01”) Enc(K, “00”) Enc(K, “00”) Enc(K, “11”) Enc(K, “01”) Enc(K, “11”)

  46. Main Result Theorem. Any encrypted multi-map with leakage at most the decoupled key-equality pattern must have Ω (log n) overhead.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Leakage in the Cell Probe Model Lower Bounds for Response Hiding Encrypted Multi-Maps Giuseppe

Leakage in the Cell Probe Model Lower Bounds for Response Hiding Encrypted Multi-Maps Giuseppe

Leakage in the Cell Probe Model Lower Bounds for Response Hiding Encrypted Multi-Maps Giuseppe Persiano Universit` a di Salerno June, 2019 Describing joint work with: Sarvar Patel and Kevin Yeo (Google LLC) Giuseppe Persiano (UNISA) June

1.15k views • 87 slides
Amit Chakrabarti Dartmouth College WAPMDS, IIT Kanpur, Dec 2009 Amit Chakrabarti 1 Multi-Pass

Amit Chakrabarti Dartmouth College WAPMDS, IIT Kanpur, Dec 2009 Amit Chakrabarti 1 Multi-Pass

Multi-Pass Lower Bounds Dec 20, 2009 Multi-pass Data Stream Lower Bounds via Round Elimination Amit Chakrabarti Dartmouth College WAPMDS, IIT Kanpur, Dec 2009 Amit Chakrabarti 1 Multi-Pass Lower Bounds Dec 20, 2009 Lower Bounds Paradigms

846 views • 70 slides
A Numerical Criterion for Lower bounds on K-energy maps of Algebraic manifolds Sean Timothy Paul

A Numerical Criterion for Lower bounds on K-energy maps of Algebraic manifolds Sean Timothy Paul

A Numerical Criterion for Lower bounds on K-energy maps of Algebraic manifolds Sean Timothy Paul University of Wisconsin , Madison stpaul@math.wisc.edu Outline Formulation of the problem : To bound the Mabuchi energy from below on the

622 views • 29 slides
Searching on/Testing Encrypted Data Lecture 23 Searchable Encryption Searchable Encryption A

Searching on/Testing Encrypted Data Lecture 23 Searchable Encryption Searchable Encryption A

Searching on/Testing Encrypted Data Lecture 23 Searchable Encryption Searchable Encryption A test key T w that allows one to test if Dec SK (C) = w Searchable Encryption A test key T w that allows one to test if Dec SK (C) = w No other

1.62k views • 116 slides
Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage

Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage

Dynamic Searchable M. Naveed, Encryption via Blind M. Prabhakaran, C.A. Gunter Storage Presented by: Keegan Sherman and Pardeep Banwait Searchable Symmetric Encryption Allows a user to store a collection of encrypted documents and

350 views • 24 slides
Conspiracies between Learning Algorithms, Lower Bounds, and Pseudorandomness Igor Carboni

Conspiracies between Learning Algorithms, Lower Bounds, and Pseudorandomness Igor Carboni

Conspiracies between Learning Algorithms, Lower Bounds, and Pseudorandomness Igor Carboni Oliveira University of Oxford Joint work with Rahul Santhanam (Oxford) Context Minor algorithmic improvements imply lower bounds (Williams, 2010). NEXP

696 views • 30 slides
Lower bounds for parameterized problems Dniel Marx 1 1 Institute for Computer Science and

Lower bounds for parameterized problems Dniel Marx 1 1 Institute for Computer Science and

Lower bounds for parameterized problems Dniel Marx 1 1 Institute for Computer Science and Control, Hungarian Academy of Sciences (MTA SZTAKI) Budapest, Hungary ICERM Providence, RI April 26, 2014 1 Lower bounds So far we have seen positive

1.14k views • 94 slides
Tight Tradeoffs in Searchable Symmetric Encryption Gilad Asharov Gil Segev Ido Shahaf Cornell

Tight Tradeoffs in Searchable Symmetric Encryption Gilad Asharov Gil Segev Ido Shahaf Cornell

Tight Tradeoffs in Searchable Symmetric Encryption Gilad Asharov Gil Segev Ido Shahaf Cornell Hebrew Hebrew Tech University University The Efficiency of SSE [CT14] 2 Existing Schemes and Lower Bounds Space Locality Read efficiency

649 views • 12 slides
Lower Bounds on the Probability of a Finite Union of Events Jun Yang (joint work with Fady

Lower Bounds on the Probability of a Finite Union of Events Jun Yang (joint work with Fady

Lower Bounds on the Probability of a Finite Union of Events Jun Yang (joint work with Fady Alajaji and Glen Takahara) Department of Mathematics and Statistics, Queens University, Kingston, Canada ISIT 2014 Lower Bounds on P ( N Jun

228 views • 19 slides
Circuit Lower-bounds Lecture 24 Weak circuits are indeed weak 1 Circuit Lower-bounds 2

Circuit Lower-bounds Lecture 24 Weak circuits are indeed weak 1 Circuit Lower-bounds 2

Circuit Lower-bounds Lecture 24 Weak circuits are indeed weak 1 Circuit Lower-bounds 2 Circuit Lower-bounds Today: 2 Circuit Lower-bounds Today: PARITY AC 0 2 Circuit Lower-bounds Today: PARITY AC 0 Two different proofs! (Latter

1.59k views • 137 slides
Lower Bounds for Quantile Estimation in Random-Order and Multi-Pass Streams Sudipto Guha (UPenn)

Lower Bounds for Quantile Estimation in Random-Order and Multi-Pass Streams Sudipto Guha (UPenn)

Lower Bounds for Quantile Estimation in Random-Order and Multi-Pass Streams Sudipto Guha (UPenn) Andrew McGregor (UCSD) Data Stream Model Data Stream Model Stream: m elements from a universe of size n :

991 views • 82 slides
Stronger Connections Between Circuit Analysis and Circuit Lower Bounds, via PCPs of Proximity

Stronger Connections Between Circuit Analysis and Circuit Lower Bounds, via PCPs of Proximity

Stronger Connections Between Circuit Analysis and Circuit Lower Bounds, via PCPs of Proximity Lijie Chen Ryan Williams Context: The Algorithmic Method for Proving Circuit Lower Bounds Proving limitations on non-uniform circuits is extremely

796 views • 31 slides
Techniques to lower bound extension complexity Thomas Rothvoss UW Seattle Known lower bounds on

Techniques to lower bound extension complexity Thomas Rothvoss UW Seattle Known lower bounds on

Techniques to lower bound extension complexity Thomas Rothvoss UW Seattle Known lower bounds on extended formulation Kaibel, Razborovs Inform. SA Weltge symmetry arg. theory + Fourier COR/ yes yes yes ? TSP [KW13]

1.25k views • 108 slides
Exponential Lower Bounds for Polytopes in Combinatorial Optimization Ronald de Wolf Joint with

Exponential Lower Bounds for Polytopes in Combinatorial Optimization Ronald de Wolf Joint with

Exponential Lower Bounds for Polytopes in Combinatorial Optimization Ronald de Wolf Joint with Samuel Fiorini (ULB), Serge Massar (ULB), Sebastian Pokutta (Erlangen), Hans Raj Tiwary (ULB) Exponential Lower Bounds for Polytopes in

1.19k views • 94 slides
Lower Bounds for Geometric Diameter Problems Herv e Fournier University of Versailles

Lower Bounds for Geometric Diameter Problems Herv e Fournier University of Versailles

Lower Bounds for Geometric Diameter Problems Herv e Fournier University of Versailles St-Quentin en Yvelines Antoine Vigneron INRA Jouy-en-Josas Lower Bounds for Geometric Diameter Problems p.1/40 Outline Review of previous work on

563 views • 40 slides
Lecture 2. Upper and lower bounds for subgaussian matrices The -net method refined 1 Random

Lecture 2. Upper and lower bounds for subgaussian matrices The -net method refined 1 Random

Lecture 2. Upper and lower bounds for subgaussian matrices The -net method refined 1 Random processes. Multiscale -net method: Dudleys inequality 2 Upper and lower bounds Our goal: upper and lower bounds on random matrices. In Lecture

535 views • 17 slides
Embperl - How to Build Large Scale Websites/Webapplications With Perl ApacheCon 2002 Gerald

Embperl - How to Build Large Scale Websites/Webapplications With Perl ApacheCon 2002 Gerald

Embperl - How to Build Large Scale Websites/Webapplications With Perl Seite 1 von 19 Embperl - How to Build Large Scale Websites/Webapplications With Perl ApacheCon 2002 Gerald Richter ecos gmbh http://www.ecos.de The Embperl Website

576 views • 19 slides
Efficient Top-K Query Processing on Massively Parallel Hardware ANIL SHANBHAG, HOLGER PIRK, SAM

Efficient Top-K Query Processing on Massively Parallel Hardware ANIL SHANBHAG, HOLGER PIRK, SAM

Efficient Top-K Query Processing on Massively Parallel Hardware ANIL SHANBHAG, HOLGER PIRK, SAM MADDEN 1 CPU GPU 16-24 Cores ~5000 Cores 60 GB/s 250-900 GB/s Main Mem GPU Mem 128-256GB 12-32GB 16-40 GB/s 2 Top-K SELECT id FROM tweets

635 views • 26 slides
alignment, arrays, and pointers hic 1 allocation of multiple variables Consider the program

alignment, arrays, and pointers hic 1 allocation of multiple variables Consider the program

The programming language C (part 2) alignment, arrays, and pointers hic 1 allocation of multiple variables Consider the program main(){ char x; int i; short s; char y; .... } What will the layout of this data in memory be? Assuming 4

713 views • 42 slides
Lecture 18: Concluding Convolutional Neural Networks, Graphical Models as Foundation for Recurrent

Lecture 18: Concluding Convolutional Neural Networks, Graphical Models as Foundation for Recurrent

Lecture 18: Concluding Convolutional Neural Networks, Graphical Models as Foundation for Recurrent Neural Networks and Bayesian Networks Reference: We will be referring to sections etc of Deep Learning by Yoshua Bengio, Ian J. Goodfellow

974 views • 54 slides
Internet Software Technologies I t t S ft T h l i HTML HTML IMCNE IMCNE A.A. 2008/09

Internet Software Technologies I t t S ft T h l i HTML HTML IMCNE IMCNE A.A. 2008/09

Internet Software Technologies I t t S ft T h l i HTML HTML IMCNE IMCNE A.A. 2008/09 Gabriele Cecchetti Gabriele Cecchetti The Web WWW: network of information systems. WWW: network of information systems Information unit:

461 views • 21 slides
Deep learning 4.5. Pooling Fran cois Fleuret https://fleuret.org/ee559/ Nov 2, 2020 The

Deep learning 4.5. Pooling Fran cois Fleuret https://fleuret.org/ee559/ Nov 2, 2020 The

Deep learning 4.5. Pooling Fran cois Fleuret https://fleuret.org/ee559/ Nov 2, 2020 The historical approach to compute a low-dimension signal ( e.g. a few scores) from a high-dimension one ( e.g. an image) was to use pooling operations. Such

701 views • 36 slides
GSM privacy attacks Karsten Nohl, nohl@srlabs.de Karsten Nohl, nohl@srlabs.de Agenda GSM

GSM privacy attacks Karsten Nohl, nohl@srlabs.de Karsten Nohl, nohl@srlabs.de Agenda GSM

GSM privacy attacks Karsten Nohl, nohl@srlabs.de Karsten Nohl, nohl@srlabs.de Agenda GSM attack history GSM attack vectors Attacking GSMs A 5/1 encryption Risk scenario: GSM payment GSM is global, omnipresent and wants to

600 views • 46 slides
Learning Transferable Architectures for Scalable Image Recognition - Barret Zoph, Vijay Vasudevan,

Learning Transferable Architectures for Scalable Image Recognition - Barret Zoph, Vijay Vasudevan,

Learning Transferable Architectures for Scalable Image Recognition - Barret Zoph, Vijay Vasudevan, Jonathon Shlens, Quoc V. Le Seminar - Recent trends in Automated Machine Learning Sebastian Fellner Technische Universitt Mnchen 06. June

511 views • 13 slides

More recommend