Searching on Encrypted Data Without Revealing the Search Predicate Ananth Raghunathan Stanford University (joint work with Dan Boneh & Gil Segev)
Public-Key Encryption [Diagram labels: Alice, Bob, public key, secret key, message m, ciphertext c; "Learns nothing!"] A more precise definition later on in the talk
Public-Key Encryption with Keyword Search. Scenario 1: Payment Gateway [Diagram label: Payment Routing Gateway]
Public-Key Encryption with Keyword Search. Scenario 2: Email forwarding [Diagram labels: Assistant, Email routing proxy, "Urgent!", "Later"]
Requirements: An encryption scheme that allows untrusted proxies to test for keywords (using “tokens”)
• Without a token, the proxy learns nothing.
• With a token, the proxy learns whether the message contains the keyword or not, and nothing else.
• (Implied) Tokens are generated by the secret key holder.
PEKS definition (Boneh et al. ‘04)
• Enc(pk, w) is publicly computable
• Generating Tok_w requires the secret key
• Given Tok_BoA and Enc(pk, w), the gateway can check if keyword w = “BoA” or not (algorithm Test)
[Diagram labels: secret key, public key, “BoA”; the Payment Routing Gateway holds Tok_WF, Tok_Chase, Tok_BoA and receives Enc(pk, “BoA”)]
Security: Overview. Informally: the attacker is given tokens of his choice and should not be able to Test for w for which he does not have a token. (to ) [Diagram: the Payment Routing Gateway holds Tok_WF, Tok_Chase, Tok_BoA and receives Enc(pk, “BoA”): Yes for “BoA”]
Security: Overview. Informally: the attacker is given tokens of his choice and should not be able to Test for w for which he does not have a token. (to ) [Diagram: the Payment Routing Gateway holds Tok_WF, Tok_Chase, Tok_BoA and receives Enc(pk, “JP Morgan”)]
This Work: Predicate Privacy
• Previous research did not consider information leaked about w by the token Tok_w
  • Several schemes even explicitly leak w in Tok_w
• Motivation 1: Payment gateway
  • Routing rules may be sensitive
  • Transactions tagged with “suspected fraudulent” or other attributes that affect routing but shouldn’t be revealed to a gateway
• Motivation 2: Encrypted email filter
  • Keywords are sensitive: “Urgent” keywords might leak information about personal life or medical data
• Can we model a realistic notion of predicate privacy?
• Can we construct schemes that satisfy predicate privacy?
Defining Predicate Privacy
• Can we hide w given Tok_w?
• Not always! The adversary can compute Enc(pk, w) for a guessed w and then run algorithm Test with Tok_w and Enc(pk, w)
• The “public-key” nature of the encryption scheme implies additional restrictions
• Tok_w leaks no information about w whenever w “cannot be guessed”
• w comes from a distribution W with low guessing probability (min-entropy)
Defining Predicate Privacy: w sampled from W of adversary’s choice and W has small guessing probability. [Diagram: REAL WORLD (access to TokenGen(sk, .), given Tok_w, f(w)?) ≈ IDEAL WORLD (Simulator with access to TokenGen(sk, .), f(w)?). Simulator is given no input!]
Defining Predicate Privacy: w sampled from W of adversary’s choice and W has small guessing probability. (Turing award-winning) Simulation Paradigm [Goldwasser-Micali’82] [Diagram: REAL WORLD (access to TokenGen(sk, .), given Tok_w, f(w)?) ≈ IDEAL WORLD (Simulator with access to TokenGen(sk, .), f(w)?). Simulator is given no input!]
Aside: Public-Key Encryption (CPA). Any message m. [Diagram: REAL WORLD (given Enc(pk, m), f(m)?) ≈ IDEAL WORLD (Simulator, f(m)?). Simulator is given no input!]
Defining Predicate Privacy: w sampled from W of adversary’s choice and W has small guessing probability. (Turing award-winning) Simulation Paradigm [Goldwasser-Micali’82] [Diagram: REAL WORLD (access to TokenGen(sk, .), given Tok_w, f(w)?) ≈ IDEAL WORLD (Simulator with access to TokenGen(sk, .), f(w)?). Simulator is given no input!] OUR RESULTS: We construct PEKS schemes with keyword privacy by describing a generic approach, “Extract-Augment-Combine”, applicable to several existing schemes
Phase I: Extract (from keyword) [Diagram: the keyword w and a seed s chosen uniformly at random are fed to Ext, which outputs w’; TokenGen(sk, .) is run on w’; the new token Tok_w consists of Tok_w’ and s]
Idea: The extractor ensures that w’ has no information about (unpredictable) w even given s
Challenge: Ext has to be collision resistant
Phase II: Augment (the ciphertext)
• The token corresponds to w’, so it does not allow running Test on Enc(pk, w) (because w ≠ w’)
• Can we instead do Enc(pk, w’)?
  • The encryptor cannot (in fact, should not) be able to guess s, and hence w’, at the time of constructing the encrypted keyword
  • It cannot construct encryptions for all possible values of s, as there are too many of them (“super-polynomially many”)
• Solution?
  • Augment ciphertexts to ensure that during Test, given s, the algorithm can compute Enc(pk, w’)
  • Augment ciphertexts with this additional information without breaking PEKS security
Phase III: Combine [Diagram labels: Enc(pk, x); Combine takes Augmented-Enc(pk, x) and s and outputs Enc(pk, Ext(x, s)); Test(. , .) takes this and Tok_w’ and outputs Yes or No]
Correctness follows from observing that if x = w, then Ext(x, s) = Ext(w, s) = w’
Soundness follows from the collision resistance of Ext
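A Quick Example
• Master secret key: $\mathrm{msk} = \alpha \in \mathbb{Z}_p$
• Secret key:
  • $w = (w_1, \dots, w_n) \in G^n$
  • $\mathrm{Ext}((w_1, \dots, w_n), (s_1, \dots, s_n)) = w_1^{s_1} w_2^{s_2} \cdots w_n^{s_n} = w'$
  • $\mathrm{Tok}_w = (s_1, \dots, s_n),\ (w')^{\alpha}$ (extractor seed; original token on $w'$)
• Encryption (augmented ciphertext):
  • $g^r,\ e(h, w_1)^r,\ e(h, w_2)^r,\ \dots,\ e(h, w_n)^r$
A Quick Example: It works! (Phew)
• Secret key:
  • $\mathrm{Ext}((w_1, \dots, w_n), (s_1, \dots, s_n)) = w_1^{s_1} w_2^{s_2} \cdots w_n^{s_n} = w'$
  • $\mathrm{Tok}_w = (s_1, \dots, s_n),\ (w')^{\alpha}$ (original token on $w'$)
• Encryption (augmented ciphertext):
  • $g^r,\ e(h, w_1)^r,\ e(h, w_2)^r,\ \dots,\ e(h, w_n)^r$
• Decryption (Combine):
  • $g^r,\ e(h, w_1)^{r s_1} \times \cdots \times e(h, w_n)^{r s_n} = g^r,\ e(h, w_1^{s_1} \cdots w_n^{s_n})^r = g^r,\ e(h, w')^r$ (original CT!)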
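The Extract, Augment and Combine steps of this quick example, as an added sketch that is not code from the talk or its authors. It assumes a toy pairing model in which group elements are stored as their exponents (algebra only, no security), a public key h = g^α, the check e(g^r, (w')^α) = e(h, w')^r as Test, and a hypothetical `encode` helper that maps a keyword string to a vector in G^n.

```python
import hashlib
import secrets

Q = 2**127 - 1  # prime group order; toy parameter chosen for this example

# Toy model: g^a in G and e(g,g)^a in G_T are stored as the exponent a mod Q,
# so e(g^a, g^b) = e(g,g)^(ab) becomes a*b mod Q. This exposes discrete logs:
# it checks the algebra of the slides only and provides no security.
def pair(a, b):
    return a * b % Q

def rand_scalar():
    return secrets.randbelow(Q - 1) + 1  # uniform in [1, Q-1]

def encode(keyword, n=4):
    # Hypothetical keyword -> (w_1..w_n) in G^n mapping (not from the talk).
    return [int.from_bytes(hashlib.sha256(f"{i}|{keyword}".encode()).digest(),
                           "big") % Q for i in range(n)]

def keygen():
    alpha = rand_scalar()   # msk = alpha in Z_p
    return alpha, alpha     # assumption: pk h = g^alpha, i.e. exponent alpha

def ext(w, s):
    # Ext(w, s) = w_1^{s_1} ... w_n^{s_n}; a product in G is a sum of exponents
    return sum(wi * si for wi, si in zip(w, s)) % Q

def token_gen(alpha, keyword):
    w = encode(keyword)
    s = [rand_scalar() for _ in w]       # fresh extractor seed per token
    return s, ext(w, s) * alpha % Q      # Tok_w = (s, (w')^alpha)

def augmented_enc(h, keyword):
    r = rand_scalar()
    return r, [pair(h, xi) * r % Q for xi in encode(keyword)]  # g^r, e(h,x_i)^r

def combine(ct, s):
    c0, cs = ct
    # prod_i (e(h,x_i)^r)^{s_i} = e(h, Ext(x, s))^r
    return c0, sum(ci * si for ci, si in zip(cs, s)) % Q

def peks_test(tok, ct):
    s, key = tok
    c0, c1 = combine(ct, s)
    return pair(c0, key) == c1  # assumed Test: e(g^r, (w')^alpha) == e(h, w')^r

if __name__ == "__main__":
    msk, h = keygen()
    tok = token_gen(msk, "BoA")  # constructed sample keywords from the slides
    print(peks_test(tok, augmented_enc(h, "BoA")),
          peks_test(tok, augmented_enc(h, "JP Morgan")))
```

Two tokens issued for the same keyword differ because each carries a fresh seed, yet both pass Test against the same augmented ciphertext.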
Results
• We tailor our Extract-Augment-Combine approach to several existing PEKS schemes
• Construct the first encryption schemes with keyword search and keyword privacy
• More generally, we construct the first “function-private” Identity Based Encryption (IBE) schemes
  • Secret key sk_id enables decryption of Enc(id, m)
  • Function privacy: sk_id leaks no information about id
  • This implies PEKS
Going Forward: More Expressive Predicates
• A more general formulation
  • Encrypt a tuple (id, m)
  • Secret key sk_p
  • The decryption algorithm, given Enc(id, m) and sk_p, recovers m only if p(id) = 1
  • In IBE, p corresponds to an id, and p(id) checks if the ids are the same or not
• [Boneh et al. ‘04]: Equality predicate (point function)
• [Boneh-Waters ‘07]: Conjunctive, subset, and range queries
• [Katz-Sahai-Waters ‘08, Agrawal-Freeman-Vaikuntanathan ‘11]: Inner product, polynomial equations, and disjunctions
• [Shi-Waters ‘08, Okamoto-Takashima ‘09, Lewko et al. ‘10]: Hierarchical inner product systems
Thank you! Any questions? ananthr@stanford.edu