SLIDE 1
Pixek
Seny Kamara,Tarik Moataz, Martin Zhu
1Pixek Seny Kamara,Tarik Moataz, Martin Zhu 1 2 9,198,580,293* 4% - - PowerPoint PPT Presentation
Pixek Seny Kamara,Tarik Moataz, Martin Zhu 1 2 9,198,580,293* 4% - - PowerPoint PPT Presentation
Pixek Seny Kamara,Tarik Moataz, Martin Zhu 1 2 9,198,580,293* 4% * since 2013 3 Why so Few? Incompetence? Lazyness? Cost? because it would have hurt Yahoos ability to index and search message data J. Bonforte in NY
SLIDE 2 2
SLIDE 3 3
4% 9,198,580,293*
* since 2013
SLIDE 4
Why so Few?
4“…because it would have hurt Yahoo’s ability to index and search message data…”
— J. Bonforte in NY Times
Cost? Incompetence? Lazyness?
SLIDE 5
Q: can we search on encrypted data?
5 SLIDE 6
Encrypted Search (Building Blocks)
6Property-Preserving Encryption (PPE) Fully-Homomorphic Encryption (FHE) Functional Encryption Oblivious RAM (ORAM) Structured Encryption (STE)
SLIDE 7
Efficiency Leakage Functionality
7 SLIDE 8
Evolution from 2001-2018
8Property- Preserving Encryption (PPE) Oblivious RAM (ORAM) Structured Encryption (STE) DET ‘06 OPE ‘09 OPE proofs ‘11 CryptDB ‘12 MS Always Enc ‘15 NKW attacks ‘15 Snapshot PPE ‘16 ORAM ‘96 Tree-based ORAM ‘12 SSE ‘01 Efficient SSE ‘06 STE ‘10 Boolean SSE ’13 OSPIR; BlindSeer ’14 SQL ’17 IKK attacks ’12 Path ORAM; ObliviStore ‘13 KKNO attacks ‘16 Obliv P2P; TaoStore ‘16 CS2 ’12 Clusion; OpenSSE ’16
SLIDE 9
Structured Encryption
9tk utk
SLIDE 10
Would Encryption Even Prevent Breaches?
10 SLIDE 11
Q: can encrypted search be deployed?
11 SLIDE 12
Why Isn’t Encrypted Search Deployed?
12 SLIDE 13 13
Tarik Martin
SLIDE 14
End-to-End Encryption
14messaging video
SLIDE 15
Digital Photos - 1.2 Trillion (2017)
1585% 4.7% 10.3%
SLIDE 16
Photo Collections
16Large Sentimental value Private
Cloud Encryption
SLIDE 17
Celebgate (2014)
- Edward Majerczyk
- hacked 30 Gmail & iCloud accounts
- 500 private photos leaked including of many celebrities
SLIDE 18 18
SLIDE 19 19
SLIDE 20 20
SLIDE 21 21
SLIDE 22
Pixek
End-to-end encrypted camera app
SLIDE 23 23
SLIDE 24
Building Blocks
24Clusion
- pen source (GPLv3) encrypted search library from Brown ESL
pibase, pidyn, 2Lev, ZMF, IEX-2Lev, IEX-ZMF coming: DLS, SPX, REX, PBS TensorFlow Mobile
- pen source machine learning from Google
pre-trained model Geomobile
- pen source geolocation
SLIDE 25 25
Lamp/Bear
23’x21’x24’
SLIDE 26 26
bear lamp Brown U. Providence, RI
TensorFlow downsampling
utk utk utk utk
bear lamp Providence, RI Brown U.
Pixek Client EC2+S3
SLIDE 27 27
Bear
tk
Pixek Client EC2+S3
SLIDE 28
What I Didn’t Cover
- Caching
- Crash recovery
- Password recovery
- Multi-device
- Local mode
SLIDE 29
Pixek v0.1.0 (Current)
- Tags & photos are streamed
- Encrypted structure needs forward-privacy
- Published state-of-the-art
- Sophos [Bost16]
- Diana [Bost-Minaud-Ohrimenko17]
- New scheme
- pidyn [Cash-Jaeger-Jarecki-Jutla-Krawczyk-Rosu-Steiner14]
- no public-key operations
- no constrained PRFs
SLIDE 30
Background: Data Structures
- DXs map labels to values
- Get: DX[w3] returns id2
- MMs map labels to tuples
- Get: MM[w3] returns (id2 , id4)
w1 w2 w3
id1 id3 id2 Dictionary DX
w1 w2 w3
id1 id3 id4 id3 id2 id4 Multi-map MM
SLIDE 31
[CJJJKRS’14]
31πdyn
EMM.Setup 1k ,
MM EMM,
EMMSetup
SLIDE 32
[CJJJKRS’14]
32w1 l2 w3 id1 id3 id4 id3 id2 id4
Multi-map MMEMM.Setup 1k,
,
w2
* PRF and Enc keys are different but derived from wi
FKw1(1)
Encrypted MM
FKw1(2) FKw1(3) FKw2(1) FKw3(1) FKw3(2)
id1 id3 id4 id3 id2 id4
πdyn
Setup
SLIDE 33
[CJJJKRS’14]
33 wi = Kw1 id1 id3 id4 EMMKw1
EMM.Get
,
πdyn
Get
FKw1(1)
- 1. DX.Get
,
DX
id1FKw1(2)
- 2. DX.Get
,
DX
id3FKw1(3)
- 3. DX.Get
,
DX
id4FKw1(4)
- 4. DX.Get
,
DX
⊥
SLIDE 34
[CJJJKRS’14]
34EMM.Get
,
FKw1(1)
Dictionary DX
FKw1(2) FKw1(3) FKw2(1) FKw3(1) FKw3(2)
id1 id3 id4 id3 id2 id4
Kw1
FKw1(1)
- 1. DX.Get
,
DX
id1
FKw1(2)
- 2. DX.Get
,
DX
id3
FKw1(3)
- 3. DX.Get
,
DX
id4
FKw1(4)
- 4. DX.Get
,
DX
⊥
=
πdyn
Get
SLIDE 35
[CJJJKRS’14]
35πdyn
EMMEdit+
FKw1(4)
id9
EMM.Edit+
,
EMM- 1. DX.Put
,
DX DX
SLIDE 36
[CJJJKRS’14]
36EMM.Edit+
,
FKw1(1)
Dictionary DX
FKw1(2) FKw1(3) FKw2(1) FKw3(1) FKw3(2)
id1 id3 id4 id3 id2 id4
FKw1(4)
id9
FKw1(1)
Dictionary DX
FKw1(2) FKw1(3) FKw2(1) FKw3(1) FKw3(2)
id1 id3 id4 id3 id2 id4
FKw1(4)
id9
Edit+
πdyn
SLIDE 37
Forward-Private
- Why is not forward-private?
- new pairs encrypted under same key used for search,
- Kwi := FK(wi||1)
- so previously searched w’s can be linked to new pairs
- Making forward-private
- use keys with version number that rotates at each update
- Kwi := FK(wi||version||1)
- To search send keys for all versions
- FK(wi||version1||1), …, FK(wi||version8||1)
πdyn
πdyn
πdyn
SLIDE 38
Forward-Private
- Search complexity
- optimal O(#MM[w])
- Token size
- non-optimal O(#MM[w])
- new technique makes it O(1) (not implemented yet)
πdyn
SLIDE 39
Leakage
- Search pattern
- we see if a query is repeated
- ex: if you search for “bear” 3x, we see you searched for ? 3x
- Access pattern
- we see which encrypted photo matched your query
- ex: if you search for “bear”, we see which encrypted photos match query
- What are the consequences of this leakage?
- To see your photos we have to break AES
- To learn about your queries we have to know/guess > 90% of your tags
& know the occurrence of each tag
39 SLIDE 40 40
SLIDE 41
Testers & Feedback
- Only available on Android
- Let us know @pixekapp if you want access
SLIDE 42
pixek.io
@pixekapp