PROPERTY-PRESERVING ENCRYPTION GRAD SEC NOV 07 2017 TODAYS - PowerPoint PPT Presentation

PROPERTY-PRESERVING 
 ENCRYPTION GRAD SEC NOV 07 2017

TODAY’S PAPERS

CRYPTDB BUILDING BLOCKS RND AES+CBC+random IV DET AES+CBC+fixed IV OPE x < y ⟹ OPE K (x) < OPE K (y) HOM HOM K (x) * HOM K (y) = HOM K (x+y) Fully homomorphic: F(E K (x)) = E K (F(x)) SEARCH …

ORDER PRESERVING ENCRYPTION

SEARCHABLE ENCRYPTION Alice is tall and Alice is small

SEARCHABLE ENCRYPTION Alice is tall and Alice is small REMOVE REPETITIONS Alice is tall and small

SEARCHABLE ENCRYPTION Alice is tall and Alice is small REMOVE REPETITIONS Alice is tall and small PERMUTE POSITIONS tall small Alice and is

SEARCHABLE ENCRYPTION Alice is tall and Alice is small REMOVE REPETITIONS Alice is tall and small PERMUTE POSITIONS tall small Alice and is PAD AND ENCRYPT [46]

SEARCHABLE ENCRYPTION Store these (encrypted) on an untrusted server PROBLEM Search for W i W 1 , …, W N

SEARCHABLE ENCRYPTION Store these (encrypted) on an untrusted server PROBLEM Search for W i W 1 , …, W N PRNG: generates S 1 , …, S N SCHEME 0 Stream cipher Cannot guess without knowing the original seed Store: W i ⊕ S i Lookup: Send each S i and W? Send seed and W?

⊕ SEARCHABLE ENCRYPTION Store these (encrypted) on an untrusted server PROBLEM Search for W i W 1 , …, W N PRNG: generates S 1 , …, S N SCHEME 0 Stream cipher Cannot guess without knowing the original seed Store: W i ⊕ S i Lookup: Send each S i and W? Send seed and W? W i SCHEME 1 C i S i F ki (S i ) PRF F k First n-m bits Last m bits Store: W i ⊕� S i , F ki (S i ) 〉 Lookup: Send W, k i ’s Server checks: F ki ([C i ⊕ W] n-m ) = [C i ⊕ W] m

⊕ SEARCHABLE ENCRYPTION Make the keys functions of the words themselves SCHEME 2 k i = f k’ (W i ) never reveal k’ Don’t reveal keys W i C i S i F (S i ) f k’ (W i ) Store as before Lookup: Send W, f k’ (W i ) Server checks as before

⊕ ⊕ SEARCHABLE ENCRYPTION Make the keys functions of the words themselves SCHEME 2 k i = f k’ (W i ) never reveal k’ Don’t reveal keys W i C i S i F (S i ) f k’ (W i ) Store as before Lookup: Send W, f k’ (W i ) Server checks as before Basic idea: encrypt the word first ( E k’’ (W i ) instead of W i ) SCHEME 3 Don’t reveal word Problem 1: Randomized encryption would require sending all IVs 
 ⟹ Use deterministic encryption E k’’ (W i ) C i F (S i ) S i f k’ (E(W i ))

⊕ SEARCHABLE ENCRYPTION Basic idea: encrypt the word first ( E k’’ (W i ) instead of W i ) SCHEME 3 Don’t reveal word Problem 1: Randomized encryption would require sending all IVs 
 ⟹ Use deterministic encryption E k’’ (W i ) C i F (S i ) S i f k’ (E(W i )) Problem 2: How do you decrypt? Need the last m bits of E k’’ (W i )

⊕ ⊕ SEARCHABLE ENCRYPTION Basic idea: encrypt the word first ( E k’’ (W i ) instead of W i ) SCHEME 3 Don’t reveal word Problem 1: Randomized encryption would require sending all IVs 
 ⟹ Use deterministic encryption E k’’ (W i ) C i F (S i ) S i f k’ (E(W i )) Problem 2: How do you decrypt? Need the last m bits of E k’’ (W i ) SCHEME 4 E k’’ (W i ) Split the ciphertext L i R i C i F (S i ) S i f k’ (Li) Lookup: Send E k’’ (W), f k’ (L) Server checks as before

CRYPTDB BUILDING BLOCKS RND AES+CBC+random IV DET AES+CBC+fixed IV OPE x < y ⟹ OPE K (x) < OPE K (y) HOM HOM K (x) * HOM K (y) = HOM K (x+y) Fully homomorphic: F(E K (x)) = E K (F(x)) SEARCH basic idea: E k (W i ) ⊕ 〈 S i , F Ki (S i ) � K i = f k’ ([E k (W i )] n-m ) To search, give K i and E k (W i )

CRYPTDB BUILDING BLOCKS ONIONS Peel off the layers as you need them Once removed, can never un-reveal

CRYPTDB OPERATIONS Equi-joins: FROM X,Y where X.id = Y.id Known ahead of time: 
 Encrypt with the same key across columns using DET Not known ahead of time: 
 JOIN-ADJ

JOIN-ADJ (ADJUSTABLE JOIN) Cryptographic hash that can be re-keyed without revealing information

ATTACKS “Developed in the 9th century” FREQUENCY ANALYSIS Deterministic encryption (ECB) reveals frequency ℓ P -OPTIMIZATION ATTACKS Find an assignment from ciphertexts to plaintexts that 
 minimizes a cost function SORTING ATTACKS Order-preserving encryption reveals .. order CUMULATIVE ATTACK Order-preserving encryption needs high entropy

ATTACKS ON DTE Compare the histograms of ciphertexts to histograms of auxiliary data Ciphertext Auxiliary data Match the rankings A more general formulation

ATTACKS ON OPE Exploit the fact that the order is revelatory… Order, not frequency like DTE

ATTACKS ON OPE …or that there is low entropy Intuitively, if a given OPE ciphertext is greater than 90% of the ciphertexts in the encrypted column c, then we should match it to a plaintext that also is greater than about 90% of the auxiliary data z.

BILINEAR MAPS For any generator Public key scheme: Private key a Public key Signature scheme: Signature = H(m) a Verify: Multisignature scheme: Signatures = H(m) a1 , …, H(m) an Multisignature = H(m) a1 * … * H(m) an