
Practical Techniques for Searches on Encrypted Data

Dawn Song, David Wagner, Adrian Perrig


Presentation Transcript


  1. Practical Techniques for Searches on Encrypted Data • Dawn Song, David Wagner, Adrian Perrig

  2. Motivation • Why searches on encrypted data? • Searching on encrypted e-mails on mail servers • Searching on encrypted files on file servers • Searching on encrypted databases • Why is this hard? • Performing computations on encrypted data is often hard • Usual tradeoffs: security and functionality • [Figure labels: search query, download e-mails]

  3. Sequential Scan and Straw Man Example • Search by sequential scan: search for $W$ by scanning the plaintext words $\ldots, W_{i-1}, W_i, W_{i+1}, \ldots$ ($m$ bits each) • Naïve approach: search for $W$ by comparing $E(W)$ against the encrypted words $\ldots, E(W_{i-1}), E(W_i), E(W_{i+1}), \ldots$ ($m$ bits each)

  4. Desired Properties • Provable security • Provable secrecy: encryption scheme is provably secure • Controlled search: server cannot search for an arbitrary word • Query isolation: a search for one word does not leak information about other, different words • Hidden queries: a query does not reveal the search words • Efficiency • Low computation overhead • Low space and communication overhead • Low management overhead

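  5. The Key Idea • The plaintext words $\ldots, W_{i-1}, W_i, W_{i+1}, \ldots$ ($m$ bits each) are XORed with a stream $\ldots, S_{i-1}, S_i, S_{i+1}, \ldots$ ($m$ bits each) to give the ciphertext $\ldots, C_{i-1}, C_i, C_{i+1}, \ldots$, that is, $C_i = W_i \oplus S_i$ • Search for $W_{i+1}$: XOR $W_{i+1}$ with each of $C_{i-1}, C_i, C_{i+1}$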

  6. Setup and Notations • Document: sequence of fixed-length words $\ldots, W_{i-1}, W_i, W_{i+1}, \ldots$ ($m$ bits each) • Pseudorandom generator $G$ and seed: $L = G(\text{seed})$, $L_i = G_i(\text{seed})$, giving $\ldots, L_{i-1}, L_i, L_{i+1}, \ldots$ ($n$ bits each) • Pseudorandom function $F$ and key $K$: $F_K$ maps $n$ bits to $m-n$ bits

  7. Basic Scheme (Encryption) • $C_i = W_i \oplus (L_i, R_i)$, where $W_i$ and $C_i$ are $m$ bits, $L_i$ is $n$ bits and $R_i$ is $m-n$ bits • $L_i = G_i(\text{seed})$, $R_i = F_K(L_i)$

  8. Basic Scheme (Decryption) • Split $C_i$ ($m$ bits) into $C_{i,L}$ ($n$ bits) and $C_{i,R}$ ($m-n$ bits) • $L_i = G_i(\text{seed})$, $R_i = F_K(L_i)$ • $W_i = C_i \oplus (L_i, R_i)$

  9. Basic Scheme (Searches) • Search for word $W$: give server $W$ and $K$ • Server computes $C_i \oplus W = (L_i', R_i')$, with $L_i'$ of $n$ bits and $R_i'$ of $m-n$ bits • Check: $R_i' = F_K(L_i')$? Yes $\Rightarrow$ match (false positive rate $= 1/2^{m-n}$)

  10. Problems with Basic Scheme • Queries are not hidden, server learns word • Query isolation is not satisfied, server learns K and can search for arbitrary words

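  11. Hidden Queries • $W_i$ ($m$ bits) is first encrypted with $E(\cdot)$ to give $E(W_i)$ ($m$ bits) • $C_i = E(W_i) \oplus (L_i, R_i)$, with $L_i$ of $n$ bits and $R_i$ of $m-n$ bits • $L_i = G_i(\text{seed})$, $R_i = F_K(L_i)$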

  12. Controlled Searches and Query Isolation • For hidden queries, server can search for word $W$ if it knows $E(W)$ • Controlled searches on words: instead of $R_i = F_K(L_i)$, use $R_i = F_{K_i}(L_i)$, where $K_i = F'_K(W_i)$ • Enhancements • Check for a word in a single chapter/section only • Check only for “word occurs at least once” in document • Check only for “word occurs at least N times” in document

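  13. Improved Security (Change K) • $W_i$ ($m$ bits) is encrypted with $E(\cdot)$ to give $E(W_i)$ ($m$ bits) • $C_i = E(W_i) \oplus (L_i, R_i)$, with $L_i$ of $n$ bits and $R_i$ of $m-n$ bits • $L_i = G_i(\text{seed})$, $R_i = F_{K_i}(L_i)$, where $K_i = F'_K(E(W_i))$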

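  14. Final Scheme (Encryption) • $W_i$ ($m$ bits) is encrypted with $E(\cdot)$, and $E(W_i)$ is split into $E_1(W_i)$ and $E_2(W_i)$ • $C_i = (E_1(W_i), E_2(W_i)) \oplus (L_i, R_i)$, with $L_i$ of $n$ bits and $R_i$ of $m-n$ bits • $L_i = G_i(\text{seed})$, $R_i = F_{K_i}(L_i)$, where $K_i = F'_K(E_1(W_i))$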

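  15. Final Scheme (Decryption) • Split $C_i$ ($m$ bits) into $C_{i,L}$ ($n$ bits) and $C_{i,R}$ ($m-n$ bits) • $E_1(W_i) = C_{i,L} \oplus L_i$ • $R_i = F_{K_i}(L_i)$ • $E_2(W_i) = C_{i,R} \oplus R_i$ • Decrypt $E(W_i) = (E_1(W_i), E_2(W_i))$ ($m$ bits) to recover $W_i$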

  16. Advanced Search Queries • Building blocks for advanced search queries: $W_1$ and $W_2$, $W_1$ near $W_2$, $W_1$ immediately precedes $W_2$ • Supports variable length words • Same provable security • Similar efficiency

  17. Conclusion • Provable security • Provable secrecy • Controlled search • Query isolation • Hidden queries • Simple and efficient • O(n) stream cipher and block cipher operations per search • Almost no space and communication overhead • Easy to add documents • Convenient key management: user needs only one master key • Embedding information in pseudorandom bit streams

  18. Discussion • Search is one operation on an abstract encrypted data type • What other operations on abstract encrypted data types are possible?

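  19. Variable length words encryption scheme • Plaintext block ($m$ bits): Len ($x$ bits), $E_l(W_i)$ ($n-x$ bits), $E_r(W_i)$ ($m-n$ bits) • $C_i = (\text{Len}, E_l(W_i), E_r(W_i)) \oplus (L_i, R_i)$, with $L_i$ of $n$ bits and $R_i$ of $m-n$ bits • $L_i = G_i(r)$, $R_i = F(K_i, L_i)$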

  20. Related Work • Secure file servers and memory protection: M. Blaze et al., M. Blum et al., P. Devanbu et al. • Multiparty computation: O. Goldreich et al., R. Canetti et al. • Private information retrieval: B. Chor et al., C. Cachin et al., Y. Gertner et al.
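
The final scheme of slides 14 and 15, with the server-side check of slide 9 applied to a hidden, word-specific query, as an added example that is not part of the presentation. Assumptions: truncated HMAC-SHA256 stands in for G, F and F', a toy Feistel permutation stands in for the word cipher E, m = 128 and n = 64 bits, and all function names and the sample document are constructed for illustration.

```python
import hashlib, hmac

M, N = 16, 8  # bytes: word length m and left-part length n (sizes assumed here)

def prf(key, data, out_len):
    # Truncated HMAC-SHA256, standing in for G, F and F' (an assumption)
    return hmac.new(key, data, hashlib.sha256).digest()[:out_len]

# Client-side secrets derived from one master key (constructed demo value)
KE, KF, SEED = (prf(b"demo master key", t, 32) for t in (b"E", b"F'", b"G"))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(block, decrypt=False):
    # Toy 4-round Feistel permutation standing in for the word cipher E(.)
    l, r = block[:M // 2], block[M // 2:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        if decrypt:
            l, r = xor(r, prf(KE, bytes([i]) + l, M // 2)), l
        else:
            l, r = r, xor(l, prf(KE, bytes([i]) + r, M // 2))
    return l + r

def enc_word(i, w):
    x = E(w)                                  # E(W_i) = (E1, E2)
    L = prf(SEED, i.to_bytes(8, "big"), N)    # L_i = G_i(seed)
    R = prf(prf(KF, x[:N], 32), L, M - N)     # K_i = F'_K(E1), R_i = F_{K_i}(L_i)
    return xor(x, L + R)                      # C_i = E(W_i) xor (L_i, R_i)

def dec_word(i, c):
    L = prf(SEED, i.to_bytes(8, "big"), N)
    e1 = xor(c[:N], L)                        # E1(W_i) = C_{i,L} xor L_i
    R = prf(prf(KF, e1, 32), L, M - N)        # K_i is recomputable from E1 alone
    return E(e1 + xor(c[N:], R), decrypt=True)

def trapdoor(w):
    x = E(w)
    return x, prf(KF, x[:N], 32)              # the server receives only E(W) and K_W

def search(cipher, x, kw):
    # Server side: (L', R') = C_i xor E(W); position i matches if R' = F_{K_W}(L')
    pads = [xor(c, x) for c in cipher]
    return [i for i, t in enumerate(pads)
            if hmac.compare_digest(prf(kw, t[:N], M - N), t[N:])]

# Constructed sample document: fixed-length, zero-padded words
DOC = [w.encode().ljust(M, b"\0") for w in "pay the invoice then pay again".split()]
CT = [enc_word(i, w) for i, w in enumerate(DOC)]
```

Calling `search(CT, *trapdoor(DOC[0]))` returns the positions of "pay" without the server ever holding `KE`, `KF` or `SEED`; a token for one word fails the check at every position holding a different word, except with probability 1/2^(m-n).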
