PROPERTY-PRESERVING ENCRYPTION GRAD SEC NOV 07 2017 TODAYS - - PowerPoint PPT Presentation



SLIDE 1

PROPERTY-PRESERVING ENCRYPTION

GRAD SEC

NOV 07 2017

SLIDE 2

TODAY’S PAPERS

SLIDE 3

CRYPTDB BUILDING BLOCKS

RND: AES+CBC+random IV
DET: AES+CBC+fixed IV
OPE: x < y ⟹ OPE_K(x) < OPE_K(y)
HOM: HOM_K(x) * HOM_K(y) = HOM_K(x+y)
Fully homomorphic: F(E_K(x)) = E_K(F(x))
SEARCH: …

SLIDE 4

ORDER PRESERVING ENCRYPTION

SLIDE 5

SEARCHABLE ENCRYPTION

Alice is tall and Alice is small

SLIDE 6

SEARCHABLE ENCRYPTION

REMOVE REPETITIONS

Alice is tall and small

SLIDE 7

SEARCHABLE ENCRYPTION

PERMUTE POSITIONS

Alice is tall and small

SLIDE 8

SEARCHABLE ENCRYPTION

PAD AND ENCRYPT [46]

SLIDE 9

SEARCHABLE ENCRYPTION

PROBLEM

W_1, …, W_N
Store these (encrypted) on an untrusted server
Search for W_i

SLIDE 10

SEARCHABLE ENCRYPTION

SCHEME 0

Stream cipher PRNG: generates S_1, …, S_N
Cannot guess without knowing the original seed

Store: W_i ⊕ S_i
Lookup: Send each S_i and W? Send seed and W?

SLIDE 11

SEARCHABLE ENCRYPTION

SCHEME 1

PRF F_k

Store: C_i = W_i ⊕ 〈S_i, F_ki(S_i)〉
Lookup: Send W, k_i's

Server checks: F_ki([C_i ⊕ W]_(n-m)) = [C_i ⊕ W]_m

[·]_(n-m): first n-m bits; [·]_m: last m bits

SLIDE 12

SEARCHABLE ENCRYPTION

SCHEME 2

Don't reveal keys
Make the keys functions of the words themselves: k_i = f_k'(W_i)
Never reveal k'

Diagram: C_i = W_i ⊕ 〈S_i, F_ki(S_i)〉, with k_i = f_k'(W_i)

Store as before
Lookup: Send W, f_k'(W_i)
Server checks as before

SLIDE 13

SEARCHABLE ENCRYPTION

SCHEME 3

Don't reveal word
Basic idea: encrypt the word first (E_k''(W_i) instead of W_i)
Problem 1: Randomized encryption would require sending all IVs
 ⟹ Use deterministic encryption

Diagram: C_i = E_k''(W_i) ⊕ 〈S_i, F_ki(S_i)〉, with k_i = f_k'(E(W_i))

SLIDE 14

SEARCHABLE ENCRYPTION

Problem 2: How do you decrypt? Need the last m bits of E_k''(W_i)

SLIDE 15

SEARCHABLE ENCRYPTION

SCHEME 4

Split the ciphertext: E_k''(W_i) = 〈L_i, R_i〉

Diagram: C_i = E_k''(W_i) ⊕ 〈S_i, F_ki(S_i)〉, with k_i = f_k'(L_i)

Lookup: Send E_k''(W), f_k'(L)
Server checks as before
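
Scheme 4 end to end, as an added example that is not taken from the slides or from any paper's reference code. Assumptions: HMAC-SHA256 stands in for F, f and the stream generator, a toy 4-round Feistel stands in for the deterministic cipher E_k'', and the keys, the sizes N and M, and all function names are made up for the illustration.

```python
import hashlib
import hmac

N, M = 16, 4  # N-byte word blocks (words must fit); last M bytes hold F_ki(S_i)

def prf(key, msg, size):
    return hmac.new(key, msg, hashlib.sha256).digest()[:size]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def det(key, block, decrypt=False):  # E_k'': toy 4-round Feistel over HMAC
    l, r = block[:N // 2], block[N // 2:]
    for i in (3, 2, 1, 0) if decrypt else (0, 1, 2, 3):
        f = prf(key, bytes([i]) + (l if decrypt else r), N // 2)
        l, r = (xor(r, f), l) if decrypt else (r, xor(l, f))
    return l + r

def mask(keys, i, left):  # <S_i, F_ki(S_i)> with k_i = f_k'(L_i)
    s = prf(keys["stream"], i.to_bytes(4, "big"), N - M)
    return s + prf(prf(keys["f"], left, 32), s, M)

def encrypt_words(keys, words):
    xs = [det(keys["e"], w.encode().ljust(N, b"\0")) for w in words]
    return [xor(x, mask(keys, i, x[:N - M])) for i, x in enumerate(xs)]

def trapdoor(keys, word):  # what the client sends: E_k''(W), f_k'(L)
    x = det(keys["e"], word.encode().ljust(N, b"\0"))
    return x, prf(keys["f"], x[:N - M], 32)

def server_search(cts, x, ki):
    # Keyless server: position i matches if F_ki([C_i ^ X]_(n-m)) == [C_i ^ X]_m
    ts = [xor(c, x) for c in cts]
    return [i for i, t in enumerate(ts)
            if hmac.compare_digest(prf(ki, t[:N - M], M), t[N - M:])]

def decrypt_words(keys, cts):
    out = []
    for i, c in enumerate(cts):
        s = prf(keys["stream"], i.to_bytes(4, "big"), N - M)
        left = xor(c[:N - M], s)         # L_i needs only S_i ...
        x = xor(c, mask(keys, i, left))  # ... which gives k_i and so R_i
        out.append(det(keys["e"], x, decrypt=True).rstrip(b"\0").decode())
    return out

KEYS = {"stream": b"seed-key", "f": b"f-key", "e": b"e-key"}  # constructed keys
DOC = "Alice is tall and Alice is small".split()              # text from slide 5
```

The server never sees the word or k', but each query does reveal which positions matched; with M = 4 bytes a non-matching position passes the check with probability 2^-32.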

SLIDE 16

CRYPTDB BUILDING BLOCKS

RND: AES+CBC+random IV
DET: AES+CBC+fixed IV
OPE: x < y ⟹ OPE_K(x) < OPE_K(y)
HOM: HOM_K(x) * HOM_K(y) = HOM_K(x+y)
Fully homomorphic: F(E_K(x)) = E_K(F(x))
SEARCH: basic idea: E_k(W_i) ⊕ 〈S_i, F_Ki(S_i)〉, K_i = f_k'([E_k(W_i)]_(n-m)); to search, give K_i and E_k(W_i)

SLIDE 17

CRYPTDB BUILDING BLOCKS

ONIONS

Peel off the layers as you need them
Once removed, can never un-reveal

SLIDE 18

CRYPTDB OPERATIONS

Equi-joins: FROM X,Y where X.id = Y.id
Known ahead of time: Encrypt with the same key across columns using DET
Not known ahead of time: JOIN-ADJ

SLIDE 19

JOIN-ADJ (ADJUSTABLE JOIN)

Cryptographic hash that can be re-keyed without revealing information

SLIDE 20

ATTACKS

FREQUENCY ANALYSIS

Deterministic encryption (ECB) reveals frequency

SORTING ATTACKS

Order-preserving encryption reveals … order

CUMULATIVE ATTACK

Order-preserving encryption needs high entropy

ℓP-OPTIMIZATION ATTACKS

Find an assignment from ciphertexts to plaintexts that minimizes a cost function
“Developed in the 9th century”

SLIDE 21

ATTACKS ON DTE

Compare the histograms of ciphertexts to histograms of auxiliary data
[Figure: two histograms, labelled "Ciphertext" and "Auxiliary data"]
Match the rankings
A more general formulation

SLIDE 22

ATTACKS ON OPE

Exploit the fact that the order is revelatory…
Order, not frequency like DTE

SLIDE 23

ATTACKS ON OPE

…or that there is low entropy

Intuitively, if a given OPE ciphertext is greater than 90% of the ciphertexts in the encrypted column c, then we should match it to a plaintext that also is greater than about 90% of the auxiliary data z.
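
The two matching rules from the attack slides (rank matching for DTE, cumulative matching for OPE), written as a leakage audit of an encrypted column. This is an added example, not code from the slides or from CryptDB; det(), ope(), the key and both data sets are constructed stand-ins.

```python
import hashlib
import hmac
from collections import Counter

KEY = b"constructed-demo-key"

def det(value):
    # Toy DET stand-in: equal plaintexts give equal tokens, nothing else survives
    return hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()[:12]

def ope(x):
    # Toy OPE stand-in for ints 0..255: x < y implies ope(x) < ope(y)
    pad = int.from_bytes(hmac.new(KEY, bytes([x]), hashlib.sha256).digest()[:2], "big")
    return x * 1000 + pad % 1000

def by_freq(col):
    return [v for v, _ in Counter(col).most_common()]

def rank_match(cipher_col, aux):
    # DTE leakage: i-th most frequent ciphertext <-> i-th most frequent aux value
    return dict(zip(by_freq(cipher_col), by_freq(aux)))

def cumulative_match(cipher_col, aux):
    # OPE leakage: a ciphertext above q% of the column <-> aux value above q% of aux
    aux_sorted, n = sorted(aux), len(cipher_col)
    guess = {}
    for c in set(cipher_col):
        at_or_below = sum(x <= c for x in cipher_col)
        guess[c] = aux_sorted[max(0, at_or_below * len(aux_sorted) // n - 1)]
    return guess

def recovered(cipher_col, plain_col, guess):
    # Fraction of rows an observer of the ciphertext column would label correctly
    return sum(guess[c] == p for c, p in zip(cipher_col, plain_col)) / len(plain_col)

# Constructed data: the protected column and public statistics of similar shape
DIAG = ["flu"] * 6 + ["cold"] * 4 + ["asthma"] * 2 + ["gout"]
DIAG_AUX = ["flu"] * 50 + ["cold"] * 30 + ["asthma"] * 15 + ["gout"] * 5
STAY = [1, 1, 1, 1, 2, 2, 2, 3, 3, 4]
STAY_AUX = [1] * 42 + [2] * 29 + [3] * 19 + [4] * 10

def audit():
    det_col, ope_col = [det(v) for v in DIAG], [ope(v) for v in STAY]
    return (recovered(det_col, DIAG, rank_match(det_col, DIAG_AUX)),
            recovered(ope_col, STAY, cumulative_match(ope_col, STAY_AUX)))
```

Both columns are fully recovered without the key, which is why low-entropy or skewed columns should stay at the RND layer.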

SLIDE 24

BILINEAR MAPS

For any generator
Signature scheme:
Public key scheme: Private key a, Public key
Signature = H(m)^a
Verify:
Multisignature scheme:
Signatures = H(m)^a1, …, H(m)^an
Multisignature = H(m)^a1 * … * H(m)^an