1
Searchable Symmetric Encryption:
Improved Definitions and Efficient Constructions
Reza Curtmola Juan Garay Seny Kamara Rafail Ostrovsky
Johns Hopkins Bell Labs Johns Hopkins UCLA
2
Remote Storage
‣Remote storage is ubiquitous
•data backups
•GMail, Yahoo Mail etc...
‣Q: How do we store sensitive data on an untrusted server?
‣A: Encryption
•hides all partial information about data
•client must download all data, decrypt and perform operations locally
‣Can we enable the server to help ?
3
Outline
‣Motivation
‣Brief overview of different models for private searching
‣Our focus: Searchable Symmetric Encryption (SSE)
•Revisiting security definitions for SSE
-point out subtle (but serious) issues with previous definitions
•Two new notions of security for SSE
-“Non-adaptive” security
-“Adaptive” security
•Two new constructions
‣Extensions
4
Private Searching
‣MPC: general, but inefficient [Yao82, GMW87, BGW88, CCD88]
‣Searching (explicitly) -- different settings
•public data: unencrypted (e.g., stock-quotes, news articles)
-client wishes to hide which element is accessed
-PIR and its variants [CGKS,KO97,...]
•user-owned data: symmetrically encrypted
-client can upload additional “encrypted” data structures to help search
-Oblivious RAMs, searchable symmetric encryption [O90, OG96, SWP00,
Goh03, CM05]
•third-party data: public-key encrypted
-data comes encrypted to server from users other than client [BKOS07]
-public-key searchable encryption [BDOP05,BW06...]
5
Searchable Symmetric Encryption
‣We consider the following scenario
•client has a collection of documents, each consisting of a set of words
•encrypts document collection together with additional data structure
•sends everything to server
‣Functionality: server should support the following types of queries
•find all documents that contain a particular keyword
‣Privacy: allow server to help, but reveal as little as possible
6
Prior work on SSE
‣SSE can be achieved using oblivious RAMs [Ost, GO]
•functionality: can simulate any data structure in a hidden way, and can
support conjunctive queries, B-trees etc...
•privacy: hides everything, even the access pattern
•efficiency: logarithmic number of rounds per read/write
‣Q: Can we search over encrypted data in single/constant rounds?
•with absolute privacy, recently solved by Boneh-Kushilevitz-Ostrovsky-Skeith with sqrt(DB) communication.
•This paper: what if we relax the security requirements to get better
performance?
7
How do we relax the security definition ?
‣Informal answer
•leak the access pattern but nothing else
‣What does it mean to “leak the access pattern but nothing else” ?
•defining this formally is “delicate”
•in fact, there are issues with 3 previous attempts
8
Constant-round SSE with relaxed security
‣3 previous constant-round solutions that “leak access pattern”
•“Practical techniques for searches on encrypted data” [SWP00]
•“Secure Indexes” [Goh03]
•“Privacy-preserving keyword searches on remote encrypted data”
[CM05]
‣[BKOS-07] is constant round but sqrt(DB) communication
9
Outline
‣Motivation
‣Overview of privacy-preserving searching
‣Searchable symmetric encryption
•Revisiting security definitions for SSE
•“Non-adaptive” definitions and construction
•“Adaptive” definitions and construction
‣Extensions
10
Revisiting SSE security definitions
‣[SWP00,Goh03,CM05]: “A secure SSE scheme should not leak anything
beyond the outcome of a search”
•“search outcome”: memory addresses of documents that contain a
hidden keyword (precise definition later)
•Important to note: different keyword requests may lead to the same
search outcome
•“search pattern”: whether two queries were for the same keyword or
not
‣A (slightly) better intuition
•“A secure SSE scheme should not leak anything beyond the outcome
and the pattern of a search”
11
Issues with SWP’s security definition
‣[SWP00] implicitly use indistinguishability [GM84] as a security definition
•“any function of the plaintext that can be computed from the ciphertext
can be computed from the length of the plaintext”
‣Issue: adversary gets to see search outcomes and search pattern
‣[SWP00] does not model the fact that this additional information is
revealed.
‣There are also issues with definitions in [Goh03,CM05], but to explain
these we’ll need to define the model more precisely
12
SSE Algorithms
‣Keygen(1k): outputs symmetric key K
‣BuildIndex(K, {D1, ..., Dn}): outputs secure index I
‣Trapdoor(K, w): outputs a trapdoor Tw
‣Search(I, Tw): outputs identifiers of documents containing w (id1, ..., idm)
13
SSE System Operation
‣Secure index: additional data structure that helps the server to search
(following [Goh03] terminology)
‣Symmetrically encrypted data: client performs encryption himself
‣Trapdoors: associate a trapdoor to keywords which enables server to
search while keeping keyword hidden
[Figure: system diagram; labels: INDEX, keyword, keyword]
14
Our model
‣History: documents and keywords
‣View: encrypted documents, index, trapdoors
‣Trace: length of documents, search outcomes, search pattern
15
Our Intuition
‣Previous intuition
•“A secure SSE scheme should not leak anything beyond the outcome
and the pattern of a search”
‣A more “formal intuition”
•“any function about the documents and the keywords that can be
computed from the encrypted documents, the index and the trapdoors
can be computed from the length of the documents, the search
outcomes and the search pattern”
16
Issues with Goh’s SSE security definition
‣IND2-CKA: indistinguishability against chosen-keyword attacks
•“any function of the documents that can be computed from the
encrypted documents and the index can be computed from the length
of the documents and the search outcomes”
‣Issue: says nothing about keywords or trapdoors
‣Important Note: [Goh03] considers more than SSE and notes that secure
trapdoors are not necessary for all the applications considered. Also, Z-IDX
has secure trapdoors.
‣Why not prove index secure in the sense of IND2-CKA and trapdoors
“secure” using another definition?
‣We show that there exists an SSE scheme that has
•IND2-CKA indexes and trapdoors that are “secure”
•but when taken together, adversary can recover keyword
17
Issues with CM’s SSE security definition
‣“CM security”
•“any function that can be computed about the documents and
keywords given the ciphertexts, the index and the trapdoors can be
computed from the length of the documents and the search outcomes”
‣Issues
•leaves out search pattern (proofs assume unique queries)
•order of quantifiers implies that there will always exist a simulator that
can evaluate function on documents and keywords
•Only guarantees security against non-adaptive adversaries
18
What is adaptiveness?
‣Non-adaptive adversaries make search queries without seeing the
outcome of previous searches
‣Adaptive adversaries can make search queries as a function of the
outcome of previous searches
‣What are the implications of adaptiveness?
19
Modeling adaptiveness
[Figure: Non-Adaptive [SWP00,Goh03,CM05,...]: SI, then queries w1 w2 w3 w4 issued together. Adaptive (new): SI, then w2, w1, w3 issued one after another, each after seeing the previous outcome]
20
Outline
‣Motivation
‣Overview of privacy-preserving searching
‣Searchable symmetric encryption
•Revisiting security definitions for SSE
•“Non-adaptive” definitions and construction
•“Adaptive” definitions and construction
‣Extensions
21
Non-adaptive security
‣“any function about the history that can be computed from the view can
be computed from the trace”
•history: documents and keywords
•view: encrypted documents, index, trapdoors
•trace: document lengths, search outcomes, search pattern
22
SSE-1
‣Building a Secure Index
[Figure: documents containing the keywords Austin, Baltimore, Washington]
24
SSE-1
‣Building a Secure Index
‣P: PRP
‣F: PRF
[Figure: for each keyword Austin, Baltimore, Washington, the PRF gives a per-keyword key, F(Austin) = KA, F(Baltimore) = KB, F(Washington) = KW, and the PRP gives the index address, P(Austin), P(Baltimore), P(Washington)]
25
SSE-1
‣Searching
[Figure: searching for Baltimore]
addr := P(Baltimore)
key := F(Baltimore)
Trapdoor := (addr, key)
server returns: D8, D10
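The four SSE algorithms of slide 12 and the SSE-1 index/trapdoor structure of slides 24 and 25, as a toy Python implementation added here for illustration; it is not code from the paper or its authors. It assumes HMAC-SHA256 as the PRF F, the same PRF under a separate label standing in for the PRP P, one fixed-size padded entry per keyword, and XOR with an HMAC-derived keystream as the entry encryption; it also computes what the server sees from a constructed query sequence (the search outcomes and search pattern of slide 14).

```python
import hashlib
import hmac
import json
import os

ENTRY_BYTES = 64  # fixed, padded size of every index entry (toy parameter, an assumption)


def keygen(nbytes=32):
    """Keygen(1^k): a fresh symmetric key K."""
    return os.urandom(nbytes)


def prf(key, label, word):
    """F(w): HMAC-SHA256 as the PRF. The same PRF under label b"addr" stands in
    for the PRP P(w) of the slides: it yields a pseudorandom address in a large
    (2^256) space, so the index is a sparse table keyed by these addresses."""
    return hmac.new(key, label + b"|" + word, hashlib.sha256).digest()


def xor_stream(k, data):
    """Encrypt/decrypt an index entry under the per-keyword key K_w = F(w)
    by XOR with an HMAC-derived keystream (a simple stream cipher; toy)."""
    out = bytearray()
    ctr = 0
    while len(out) < len(data):
        out += hmac.new(k, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


def build_index(K, docs):
    """BuildIndex(K, {D1..Dn}): docs maps document id -> set of keywords.
    Output: secure index I, a table addr -> Enc(K_w, padded list of ids)."""
    inverted = {}
    for did, words in docs.items():
        for w in words:
            inverted.setdefault(w, []).append(did)
    entries = []
    for w, ids in inverted.items():
        wb = w.encode()
        addr = prf(K, b"addr", wb)          # P(w): where the entry lives
        k_w = prf(K, b"key", wb)            # F(w): key that unlocks it
        pt = json.dumps(sorted(ids)).encode()
        if len(pt) >= ENTRY_BYTES:
            raise ValueError("too many ids for one fixed-size entry")
        pt += b"\x00" * (ENTRY_BYTES - len(pt))   # pad: entry size hides d
        entries.append((addr, xor_stream(k_w, pt)))
    # order the table by (pseudorandom) address so its layout does not
    # reveal the order in which keywords were first seen
    entries.sort()
    return dict(entries)


def trapdoor(K, w):
    """Trapdoor(K, w) = (addr, key): lets the server locate and open w's
    entry without learning w. Deterministic, so repeated queries for the
    same keyword produce the same trapdoor (this is the search pattern)."""
    wb = w.encode()
    return (prf(K, b"addr", wb), prf(K, b"key", wb))


def search(index, tw):
    """Search(I, T_w): identifiers of the documents containing w."""
    addr, k_w = tw
    ct = index.get(addr)
    if ct is None:
        return []
    return json.loads(xor_stream(k_w, ct).rstrip(b"\x00"))


def server_trace(index, trapdoors):
    """Everything the server can derive from its view of a query sequence:
    the search outcomes and the search pattern (which queries coincide).
    Document lengths, the third part of the trace, come from the
    ciphertexts and are not modelled here."""
    outcomes = [search(index, t) for t in trapdoors]
    pattern = [[int(a == b) for b in trapdoors] for a in trapdoors]
    return outcomes, pattern


if __name__ == "__main__":
    # Constructed sample collection in the spirit of the slides' example.
    docs = {"D3": {"austin"}, "D8": {"baltimore", "austin"},
            "D10": {"baltimore", "washington"}}
    K = keygen()
    I = build_index(K, docs)
    queries = [trapdoor(K, w) for w in ("baltimore", "austin", "baltimore")]
    print(server_trace(I, queries))
```

Running it shows that the server's trace contains the result sets and the fact that the first and third queries were identical, but nothing identifying the keywords themselves.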
26
Technical issues
‣We overlooked many technical details
•padding and shuffling
‣Efficient storage of sparse tables
•large address space; small number of entries
•FKS dictionaries [Fredman-Komlos-Szemeredi84]
-storage: O(#entries)
-lookup: O(1)
27
Outline
‣Motivation
‣Overview of privacy-preserving computation
‣Searchable symmetric encryption
•Revisiting security definitions for SSE
•“Non-adaptive” definitions and construction
•“Adaptive” definitions and construction
‣Extensions
28
Adaptive security
‣“any function about the partial history that can be computed from the
partial view can be computed from the partial trace”
•partial history: documents and keywords
•partial view: encrypted documents, index, trapdoors
•partial trace: document lengths, search outcomes, search pattern
29
Adaptive security
‣Do we need revised SSE constructions?
‣Are previous constructions adaptively secure?
‣Technical challenge: simulator must be able to “fake” trapdoors after
having committed to index
‣Previous constructions do not have this property
‣Unfortunately, this is expensive!
30
SSE-2
‣Similar to SSE-1
‣Pre-processing and padding
•simulator can commit to an index before query is issued
•and still build valid trapdoors after query is issued
‣Constant blowup in
•size of trapdoors
•size of index
•server search time
31
Comparison
‣n: total # of documents, d: # of documents that contain word

                 [Ost90,GO96]  [SWP00]  [Goh03]  [CM05]  SSE-1  SSE-2
access pattern   yes           no       no       no      no     no
server comp.
server storage
rounds                         1        1        1       1      1
comm.
adaptive         yes           no       no       no      no     yes

[The values in the server comp., server storage and comm. rows did not survive extraction of the slide.]
32
Outline
‣Motivation
‣Overview of privacy-preserving searching
‣Searchable symmetric encryption
•Revisiting security definitions for SSE
•“Non-adaptive” definitions and construction
•“Adaptive” definitions and construction
‣Extensions
33
Multi-User SSE
34
Multi-User SSE
‣Indexes and trapdoors require same security notions as single-user SSE
‣Revocation: owner can revoke searching privileges
•robust against user collusions
‣Anonymity: server should not know who initiated search
‣Simple construction that transforms single-user SSE schemes to multi-user SSE schemes
•broadcast encryption (revocation)
• PRPs
35
Open Questions
‣Constant-round schemes that hide everything, even the access pattern
‣Constant-round searching for Boolean combinations of keywords
(note that with logarithmic rounds this already follows from [Ost,GO])
- Conjunctive searchable encryption [GSW04, PKL04, BW06]
- Disjunctive ?
36
Conclusions
‣Weakening “complete security” is delicate
•point out issues with previous attempts
‣Introduce new definitions
•non-adaptive: simulation and indistinguishability-based
•adaptive: simulation and indistinguishability-based
‣Efficient and practical constructions
‣Multi-user setting

More Related Content

Similar to SSE.ppt

Key aggregate searchable encryption (kase) for group data sharing via cloud s...
Key aggregate searchable encryption (kase) for group data sharing via cloud s...Key aggregate searchable encryption (kase) for group data sharing via cloud s...
Key aggregate searchable encryption (kase) for group data sharing via cloud s...CloudTechnologies
 
2014 IEEE DOTNET DATA MINING PROJECT Trusteddb a-trusted-hardware-based-datab...
2014 IEEE DOTNET DATA MINING PROJECT Trusteddb a-trusted-hardware-based-datab...2014 IEEE DOTNET DATA MINING PROJECT Trusteddb a-trusted-hardware-based-datab...
2014 IEEE DOTNET DATA MINING PROJECT Trusteddb a-trusted-hardware-based-datab...IEEEMEMTECHSTUDENTSPROJECTS
 
IEEE 2014 DOTNET DATA MINING PROJECTS Trusted db a-trusted-hardware-based-dat...
IEEE 2014 DOTNET DATA MINING PROJECTS Trusted db a-trusted-hardware-based-dat...IEEE 2014 DOTNET DATA MINING PROJECTS Trusted db a-trusted-hardware-based-dat...
IEEE 2014 DOTNET DATA MINING PROJECTS Trusted db a-trusted-hardware-based-dat...IEEEMEMTECHSTUDENTPROJECTS
 
A Survey on Efficient Privacy-Preserving Ranked Keyword Search Method
A Survey on Efficient Privacy-Preserving Ranked Keyword Search MethodA Survey on Efficient Privacy-Preserving Ranked Keyword Search Method
A Survey on Efficient Privacy-Preserving Ranked Keyword Search MethodIRJET Journal
 
iaetsd Secured multiple keyword ranked search over encrypted databases
iaetsd Secured multiple keyword ranked search over encrypted databasesiaetsd Secured multiple keyword ranked search over encrypted databases
iaetsd Secured multiple keyword ranked search over encrypted databasesIaetsd Iaetsd
 
Key aggregate searchable encryption (kase) for group data sharing via cloud s...
Key aggregate searchable encryption (kase) for group data sharing via cloud s...Key aggregate searchable encryption (kase) for group data sharing via cloud s...
Key aggregate searchable encryption (kase) for group data sharing via cloud s...Pvrtechnologies Nellore
 
A New Pairing Free ID Based Certificate Less Digital Signature (CL-DS) Scheme...
A New Pairing Free ID Based Certificate Less Digital Signature (CL-DS) Scheme...A New Pairing Free ID Based Certificate Less Digital Signature (CL-DS) Scheme...
A New Pairing Free ID Based Certificate Less Digital Signature (CL-DS) Scheme...IJCSIS Research Publications
 
Sharing Secured Scalable Data in Cloud Environment Using Key Aggregate Crypto...
Sharing Secured Scalable Data in Cloud Environment Using Key Aggregate Crypto...Sharing Secured Scalable Data in Cloud Environment Using Key Aggregate Crypto...
Sharing Secured Scalable Data in Cloud Environment Using Key Aggregate Crypto...IRJET Journal
 
Making Software Secure by Design
Making Software Secure by DesignMaking Software Secure by Design
Making Software Secure by DesignOmegapoint Academy
 
IRJET- An Approach for Implemented Secure Proxy Server for Multi-User Searcha...
IRJET- An Approach for Implemented Secure Proxy Server for Multi-User Searcha...IRJET- An Approach for Implemented Secure Proxy Server for Multi-User Searcha...
IRJET- An Approach for Implemented Secure Proxy Server for Multi-User Searcha...IRJET Journal
 
Implementation and Review Paper of Secure and Dynamic Multi Keyword Search in...
Implementation and Review Paper of Secure and Dynamic Multi Keyword Search in...Implementation and Review Paper of Secure and Dynamic Multi Keyword Search in...
Implementation and Review Paper of Secure and Dynamic Multi Keyword Search in...IRJET Journal
 
Comparative Analysis of Encryption Algorithm
Comparative Analysis of Encryption AlgorithmComparative Analysis of Encryption Algorithm
Comparative Analysis of Encryption AlgorithmKhubaib Ahmad Kunjahi
 
EXPLORING WOMEN SECURITY BY DEDUPLICATION OF DATA
EXPLORING WOMEN SECURITY BY DEDUPLICATION OF DATAEXPLORING WOMEN SECURITY BY DEDUPLICATION OF DATA
EXPLORING WOMEN SECURITY BY DEDUPLICATION OF DATAIRJET Journal
 
IRJET- A Key-Policy Attribute based Temporary Keyword Search Scheme for S...
IRJET-  	  A Key-Policy Attribute based Temporary Keyword Search Scheme for S...IRJET-  	  A Key-Policy Attribute based Temporary Keyword Search Scheme for S...
IRJET- A Key-Policy Attribute based Temporary Keyword Search Scheme for S...IRJET Journal
 
Proposed Lightweight Block Cipher Algorithm for Securing Internet of Things
Proposed Lightweight Block Cipher Algorithm for Securing Internet of ThingsProposed Lightweight Block Cipher Algorithm for Securing Internet of Things
Proposed Lightweight Block Cipher Algorithm for Securing Internet of ThingsSeddiq Q. Abd Al-Rahman
 
Enhanced Hybrid Blowfish and ECC Encryption to Secure Cloud Data Access and S...
Enhanced Hybrid Blowfish and ECC Encryption to Secure Cloud Data Access and S...Enhanced Hybrid Blowfish and ECC Encryption to Secure Cloud Data Access and S...
Enhanced Hybrid Blowfish and ECC Encryption to Secure Cloud Data Access and S...IJCSIS Research Publications
 
Trusted db a trusted hardware based database with privacy and data confidenti...
Trusted db a trusted hardware based database with privacy and data confidenti...Trusted db a trusted hardware based database with privacy and data confidenti...
Trusted db a trusted hardware based database with privacy and data confidenti...JPINFOTECH JAYAPRAKASH
 
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWAREDESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWAREAyanda Demilade
 
Two Level Auditing Architecture to Maintain Consistent In Cloud
Two Level Auditing Architecture to Maintain Consistent In CloudTwo Level Auditing Architecture to Maintain Consistent In Cloud
Two Level Auditing Architecture to Maintain Consistent In Cloudtheijes
 

Similar to SSE.ppt (20)

Key aggregate searchable encryption (kase) for group data sharing via cloud s...
Key aggregate searchable encryption (kase) for group data sharing via cloud s...Key aggregate searchable encryption (kase) for group data sharing via cloud s...
Key aggregate searchable encryption (kase) for group data sharing via cloud s...
 
2014 IEEE DOTNET DATA MINING PROJECT Trusteddb a-trusted-hardware-based-datab...
2014 IEEE DOTNET DATA MINING PROJECT Trusteddb a-trusted-hardware-based-datab...2014 IEEE DOTNET DATA MINING PROJECT Trusteddb a-trusted-hardware-based-datab...
2014 IEEE DOTNET DATA MINING PROJECT Trusteddb a-trusted-hardware-based-datab...
 
IEEE 2014 DOTNET DATA MINING PROJECTS Trusted db a-trusted-hardware-based-dat...
IEEE 2014 DOTNET DATA MINING PROJECTS Trusted db a-trusted-hardware-based-dat...IEEE 2014 DOTNET DATA MINING PROJECTS Trusted db a-trusted-hardware-based-dat...
IEEE 2014 DOTNET DATA MINING PROJECTS Trusted db a-trusted-hardware-based-dat...
 
A Survey on Efficient Privacy-Preserving Ranked Keyword Search Method
A Survey on Efficient Privacy-Preserving Ranked Keyword Search MethodA Survey on Efficient Privacy-Preserving Ranked Keyword Search Method
A Survey on Efficient Privacy-Preserving Ranked Keyword Search Method
 
iaetsd Secured multiple keyword ranked search over encrypted databases
iaetsd Secured multiple keyword ranked search over encrypted databasesiaetsd Secured multiple keyword ranked search over encrypted databases
iaetsd Secured multiple keyword ranked search over encrypted databases
 
Key aggregate searchable encryption (kase) for group data sharing via cloud s...
Key aggregate searchable encryption (kase) for group data sharing via cloud s...Key aggregate searchable encryption (kase) for group data sharing via cloud s...
Key aggregate searchable encryption (kase) for group data sharing via cloud s...
 
A New Pairing Free ID Based Certificate Less Digital Signature (CL-DS) Scheme...
A New Pairing Free ID Based Certificate Less Digital Signature (CL-DS) Scheme...A New Pairing Free ID Based Certificate Less Digital Signature (CL-DS) Scheme...
A New Pairing Free ID Based Certificate Less Digital Signature (CL-DS) Scheme...
 
Sharing Secured Scalable Data in Cloud Environment Using Key Aggregate Crypto...
Sharing Secured Scalable Data in Cloud Environment Using Key Aggregate Crypto...Sharing Secured Scalable Data in Cloud Environment Using Key Aggregate Crypto...
Sharing Secured Scalable Data in Cloud Environment Using Key Aggregate Crypto...
 
Making Software Secure by Design
Making Software Secure by DesignMaking Software Secure by Design
Making Software Secure by Design
 
IRJET- An Approach for Implemented Secure Proxy Server for Multi-User Searcha...
IRJET- An Approach for Implemented Secure Proxy Server for Multi-User Searcha...IRJET- An Approach for Implemented Secure Proxy Server for Multi-User Searcha...
IRJET- An Approach for Implemented Secure Proxy Server for Multi-User Searcha...
 
Implementation and Review Paper of Secure and Dynamic Multi Keyword Search in...
Implementation and Review Paper of Secure and Dynamic Multi Keyword Search in...Implementation and Review Paper of Secure and Dynamic Multi Keyword Search in...
Implementation and Review Paper of Secure and Dynamic Multi Keyword Search in...
 
Comparative Analysis of Encryption Algorithm
Comparative Analysis of Encryption AlgorithmComparative Analysis of Encryption Algorithm
Comparative Analysis of Encryption Algorithm
 
EXPLORING WOMEN SECURITY BY DEDUPLICATION OF DATA
EXPLORING WOMEN SECURITY BY DEDUPLICATION OF DATAEXPLORING WOMEN SECURITY BY DEDUPLICATION OF DATA
EXPLORING WOMEN SECURITY BY DEDUPLICATION OF DATA
 
IRJET- A Key-Policy Attribute based Temporary Keyword Search Scheme for S...
IRJET-  	  A Key-Policy Attribute based Temporary Keyword Search Scheme for S...IRJET-  	  A Key-Policy Attribute based Temporary Keyword Search Scheme for S...
IRJET- A Key-Policy Attribute based Temporary Keyword Search Scheme for S...
 
Se
SeSe
Se
 
Proposed Lightweight Block Cipher Algorithm for Securing Internet of Things
Proposed Lightweight Block Cipher Algorithm for Securing Internet of ThingsProposed Lightweight Block Cipher Algorithm for Securing Internet of Things
Proposed Lightweight Block Cipher Algorithm for Securing Internet of Things
 
Enhanced Hybrid Blowfish and ECC Encryption to Secure Cloud Data Access and S...
Enhanced Hybrid Blowfish and ECC Encryption to Secure Cloud Data Access and S...Enhanced Hybrid Blowfish and ECC Encryption to Secure Cloud Data Access and S...
Enhanced Hybrid Blowfish and ECC Encryption to Secure Cloud Data Access and S...
 
Trusted db a trusted hardware based database with privacy and data confidenti...
Trusted db a trusted hardware based database with privacy and data confidenti...Trusted db a trusted hardware based database with privacy and data confidenti...
Trusted db a trusted hardware based database with privacy and data confidenti...
 
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWAREDESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
DESIGN AND IMPLEMENTATION OF DATA ENCRYPTION SOFTWARE
 
Two Level Auditing Architecture to Maintain Consistent In Cloud
Two Level Auditing Architecture to Maintain Consistent In CloudTwo Level Auditing Architecture to Maintain Consistent In Cloud
Two Level Auditing Architecture to Maintain Consistent In Cloud
 

Recently uploaded

Research Methodolgy & Intellectual Property Rights Series 1
Research Methodolgy & Intellectual Property Rights Series 1Research Methodolgy & Intellectual Property Rights Series 1
Research Methodolgy & Intellectual Property Rights Series 1T.D. Shashikala
 
Complex plane, Modulus, Argument, Graphical representation of a complex numbe...
Complex plane, Modulus, Argument, Graphical representation of a complex numbe...Complex plane, Modulus, Argument, Graphical representation of a complex numbe...
Complex plane, Modulus, Argument, Graphical representation of a complex numbe...MohammadAliNayeem
 
Lesson no16 application of Induction Generator in Wind.ppsx
Lesson no16 application of Induction Generator in Wind.ppsxLesson no16 application of Induction Generator in Wind.ppsx
Lesson no16 application of Induction Generator in Wind.ppsxmichaelprrior
 
Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...
Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...
Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...Lovely Professional University
 
ANSI(ST)-III_Manufacturing-I_05052020.pdf
ANSI(ST)-III_Manufacturing-I_05052020.pdfANSI(ST)-III_Manufacturing-I_05052020.pdf
ANSI(ST)-III_Manufacturing-I_05052020.pdfBertinKamsipa1
 
ONLINE VEHICLE RENTAL SYSTEM PROJECT REPORT.pdf
ONLINE VEHICLE RENTAL SYSTEM PROJECT REPORT.pdfONLINE VEHICLE RENTAL SYSTEM PROJECT REPORT.pdf
ONLINE VEHICLE RENTAL SYSTEM PROJECT REPORT.pdfKamal Acharya
 
Filters for Electromagnetic Compatibility Applications
Filters for Electromagnetic Compatibility ApplicationsFilters for Electromagnetic Compatibility Applications
Filters for Electromagnetic Compatibility ApplicationsMathias Magdowski
 
2024 DevOps Pro Europe - Growing at the edge
2024 DevOps Pro Europe - Growing at the edge2024 DevOps Pro Europe - Growing at the edge
2024 DevOps Pro Europe - Growing at the edgePaco Orozco
 
Research Methodolgy & Intellectual Property Rights Series 2
Research Methodolgy & Intellectual Property Rights Series 2Research Methodolgy & Intellectual Property Rights Series 2
Research Methodolgy & Intellectual Property Rights Series 2T.D. Shashikala
 
Supermarket billing system project report..pdf
Supermarket billing system project report..pdfSupermarket billing system project report..pdf
Supermarket billing system project report..pdfKamal Acharya
 
Quiz application system project report..pdf
Quiz application system project report..pdfQuiz application system project report..pdf
Quiz application system project report..pdfKamal Acharya
 
Introduction to Heat Exchangers: Principle, Types and Applications
Introduction to Heat Exchangers: Principle, Types and ApplicationsIntroduction to Heat Exchangers: Principle, Types and Applications
Introduction to Heat Exchangers: Principle, Types and ApplicationsKineticEngineeringCo
 
Introduction to Artificial Intelligence and History of AI
Introduction to Artificial Intelligence and History of AIIntroduction to Artificial Intelligence and History of AI
Introduction to Artificial Intelligence and History of AISheetal Jain
 
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024EMMANUELLEFRANCEHELI
 
DR PROF ING GURUDUTT SAHNI WIKIPEDIA.pdf
DR PROF ING GURUDUTT SAHNI WIKIPEDIA.pdfDR PROF ING GURUDUTT SAHNI WIKIPEDIA.pdf
DR PROF ING GURUDUTT SAHNI WIKIPEDIA.pdfDrGurudutt
 
Electrical shop management system project report.pdf
Electrical shop management system project report.pdfElectrical shop management system project report.pdf
Electrical shop management system project report.pdfKamal Acharya
 
The battle for RAG, explore the pros and cons of using KnowledgeGraphs and Ve...
The battle for RAG, explore the pros and cons of using KnowledgeGraphs and Ve...The battle for RAG, explore the pros and cons of using KnowledgeGraphs and Ve...
The battle for RAG, explore the pros and cons of using KnowledgeGraphs and Ve...Roi Lipman
 
Circuit Breaker arc phenomenon.pdf engineering
Circuit Breaker arc phenomenon.pdf engineeringCircuit Breaker arc phenomenon.pdf engineering
Circuit Breaker arc phenomenon.pdf engineeringKanchhaTamang
 
Operating System chapter 9 (Virtual Memory)
Operating System chapter 9 (Virtual Memory)Operating System chapter 9 (Virtual Memory)
Operating System chapter 9 (Virtual Memory)NareenAsad
 
Software Engineering - Modelling Concepts + Class Modelling + Building the An...
Software Engineering - Modelling Concepts + Class Modelling + Building the An...Software Engineering - Modelling Concepts + Class Modelling + Building the An...
Software Engineering - Modelling Concepts + Class Modelling + Building the An...Prakhyath Rai
 

Recently uploaded (20)

Research Methodolgy & Intellectual Property Rights Series 1
Research Methodolgy & Intellectual Property Rights Series 1Research Methodolgy & Intellectual Property Rights Series 1
Research Methodolgy & Intellectual Property Rights Series 1
 
Complex plane, Modulus, Argument, Graphical representation of a complex numbe...
Complex plane, Modulus, Argument, Graphical representation of a complex numbe...Complex plane, Modulus, Argument, Graphical representation of a complex numbe...
Complex plane, Modulus, Argument, Graphical representation of a complex numbe...
 
Lesson no16 application of Induction Generator in Wind.ppsx
Lesson no16 application of Induction Generator in Wind.ppsxLesson no16 application of Induction Generator in Wind.ppsx
Lesson no16 application of Induction Generator in Wind.ppsx
 
Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...
Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...
Activity Planning: Objectives, Project Schedule, Network Planning Model. Time...
 
ANSI(ST)-III_Manufacturing-I_05052020.pdf
ANSI(ST)-III_Manufacturing-I_05052020.pdfANSI(ST)-III_Manufacturing-I_05052020.pdf
ANSI(ST)-III_Manufacturing-I_05052020.pdf
 
ONLINE VEHICLE RENTAL SYSTEM PROJECT REPORT.pdf
ONLINE VEHICLE RENTAL SYSTEM PROJECT REPORT.pdfONLINE VEHICLE RENTAL SYSTEM PROJECT REPORT.pdf
ONLINE VEHICLE RENTAL SYSTEM PROJECT REPORT.pdf
 
Filters for Electromagnetic Compatibility Applications
Filters for Electromagnetic Compatibility ApplicationsFilters for Electromagnetic Compatibility Applications
Filters for Electromagnetic Compatibility Applications
 
2024 DevOps Pro Europe - Growing at the edge
2024 DevOps Pro Europe - Growing at the edge2024 DevOps Pro Europe - Growing at the edge
2024 DevOps Pro Europe - Growing at the edge
 
Research Methodolgy & Intellectual Property Rights Series 2
Research Methodolgy & Intellectual Property Rights Series 2Research Methodolgy & Intellectual Property Rights Series 2
Research Methodolgy & Intellectual Property Rights Series 2
 
Supermarket billing system project report..pdf
Supermarket billing system project report..pdfSupermarket billing system project report..pdf
Supermarket billing system project report..pdf
 
Quiz application system project report..pdf
Quiz application system project report..pdfQuiz application system project report..pdf
Quiz application system project report..pdf
 
Introduction to Heat Exchangers: Principle, Types and Applications
Introduction to Heat Exchangers: Principle, Types and ApplicationsIntroduction to Heat Exchangers: Principle, Types and Applications
Introduction to Heat Exchangers: Principle, Types and Applications
 
Introduction to Artificial Intelligence and History of AI
Introduction to Artificial Intelligence and History of AIIntroduction to Artificial Intelligence and History of AI
Introduction to Artificial Intelligence and History of AI
 
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
NEWLETTER FRANCE HELICES/ SDS SURFACE DRIVES - MAY 2024
 
DR PROF ING GURUDUTT SAHNI WIKIPEDIA.pdf
DR PROF ING GURUDUTT SAHNI WIKIPEDIA.pdfDR PROF ING GURUDUTT SAHNI WIKIPEDIA.pdf
DR PROF ING GURUDUTT SAHNI WIKIPEDIA.pdf
 
Electrical shop management system project report.pdf
Electrical shop management system project report.pdfElectrical shop management system project report.pdf
Electrical shop management system project report.pdf
 
The battle for RAG, explore the pros and cons of using KnowledgeGraphs and Ve...
The battle for RAG, explore the pros and cons of using KnowledgeGraphs and Ve...The battle for RAG, explore the pros and cons of using KnowledgeGraphs and Ve...
The battle for RAG, explore the pros and cons of using KnowledgeGraphs and Ve...
 
Circuit Breaker arc phenomenon.pdf engineering
Circuit Breaker arc phenomenon.pdf engineeringCircuit Breaker arc phenomenon.pdf engineering
Circuit Breaker arc phenomenon.pdf engineering
 
Operating System chapter 9 (Virtual Memory)
Operating System chapter 9 (Virtual Memory)Operating System chapter 9 (Virtual Memory)
Operating System chapter 9 (Virtual Memory)
 
Software Engineering - Modelling Concepts + Class Modelling + Building the An...
Software Engineering - Modelling Concepts + Class Modelling + Building the An...Software Engineering - Modelling Concepts + Class Modelling + Building the An...
Software Engineering - Modelling Concepts + Class Modelling + Building the An...
 

SSE.ppt

6
Prior work on SSE
‣SSE can be achieved using oblivious RAMs [Ost, GO]
•functionality: can simulate any data structure in a hidden way, and can support conjunctive queries, B-trees etc...
•privacy: hides everything, even the access pattern
•efficiency: logarithmic number of rounds per each read/write
‣Q: Can we search over encrypted data in single/constant rounds?
•with absolute privacy, recently solved by Boneh-Kushilevitz-Ostrovsky-Skeith with sqrt(DB) communication
•This paper: what if we relax the security requirements to get better performance?
7
How do we relax the security definition?
‣Informal answer
•leak the access pattern but nothing else
‣What does it mean to “leak the access pattern but nothing else”?
•defining this formally is “delicate”
•in fact, there are issues with 3 previous attempts
8
Constant-round SSE with relaxed security
‣3 previous constant-round solutions that “leak access pattern”
•“Practical techniques for searches on encrypted data” [SWP00]
•“Secure Indexes” [Goh03]
•“Privacy-preserving keyword searches on remote encrypted data” [CM05]
‣[BKOS07] is constant round but sqrt(DB) communication
9
Outline
‣Motivation
‣Overview of privacy-preserving searching
‣Searchable symmetric encryption
•Revisiting security definitions for SSE
•“Non-adaptive” definitions and construction
•“Adaptive” definitions and construction
‣Extensions
10
Revisiting SSE security definitions
‣[SWP00,Goh03,CM05]: “A secure SSE scheme should not leak anything beyond the outcome of a search”
•“search outcome”: memory addresses of documents that contain a hidden keyword (precise definition later)
•Important to note: different keyword requests may lead to the same search outcome
•“search pattern”: whether two queries were for the same keyword or not
‣A (slightly) better intuition
•“A secure SSE scheme should not leak anything beyond the outcome and the pattern of a search”
11
Issues with SWP’s security definition
‣[SWP00] implicitly uses indistinguishability [GM84] as a security definition
•“any function of the plaintext that can be computed from the ciphertext can be computed from the length of the plaintext”
‣Issue: adversary gets to see search outcomes and search pattern
‣[SWP00] does not model the fact that this additional information is revealed
‣There are also issues with the definitions in [Goh03,CM05], but to explain these we’ll need to define the model more precisely
12
SSE Algorithms
‣Keygen(1^k): outputs symmetric key K
‣BuildIndex(K, {D_1, ..., D_n}): outputs secure index I
‣Trapdoor(K, w): outputs a trapdoor T_w
‣Search(I, T_w): outputs identifiers of documents containing w (id_1, ..., id_m)
13
SSE System Operation
‣Secure index: additional data structure that helps the server to search (following [Goh03] terminology)
‣Symmetrically encrypted data: client performs encryption himself
‣Trapdoors: associate a trapdoor to keywords which enables server to search while keeping keyword hidden
[figure: client/server diagram; labels INDEX and keyword]
14
Our model
‣History: documents and keywords
‣View: encrypted documents, index, trapdoors
‣Trace: length of documents, search outcomes, search pattern
15
Our Intuition
‣Previous intuition
•“A secure SSE scheme should not leak anything beyond the outcome and the pattern of a search”
‣A more “formal intuition”
•“any function about the documents and the keywords that can be computed from the encrypted documents, the index and the trapdoors can be computed from the length of the documents, the search outcomes and the search pattern”
16
Issues with Goh’s SSE security definition
‣IND2-CKA: indistinguishability against chosen-keyword attacks
•“any function of the documents that can be computed from the encrypted documents and the index can be computed from the length of the documents and the search outcomes”
‣Issue: says nothing about keywords or trapdoors
‣Important Note: [Goh03] considers more than SSE and notes that secure trapdoors are not necessary for all the applications considered. Also, Z-IDX has secure trapdoors.
‣Why not prove the index secure in the sense of IND2-CKA and the trapdoors “secure” using another definition?
‣We show that there exists an SSE scheme that has
•IND2-CKA indexes and trapdoors that are “secure”
•but when taken together, the adversary can recover the keyword
17
Issues with CM’s SSE security definition
‣“CM security”
•“any function that can be computed about the documents and keywords given the ciphertexts, the index and the trapdoors can be computed from the length of the documents and the search outcomes”
‣Issues
•leaves out search pattern (proofs assume unique queries)
•order of quantifiers implies that there will always exist a simulator that can evaluate function on documents and keywords
•only guarantees security against non-adaptive adversaries
18
What is adaptiveness?
‣Non-adaptive adversaries make search queries without seeing the outcome of previous searches
‣Adaptive adversaries can make search queries as a function of the outcome of previous searches
‣What are the implications of adaptiveness?
20
Outline
‣Motivation
‣Overview of privacy-preserving searching
‣Searchable symmetric encryption
•Revisiting security definitions for SSE
•“Non-adaptive” definitions and construction
•“Adaptive” definitions and construction
‣Extensions
21
Non-adaptive security
‣“any function about the history that can be computed from the view can be computed from the trace”
•history: documents and keywords
•view: encrypted documents, index, trapdoors
•trace: document lengths, search outcomes, search pattern
22
SSE-1
‣Building a Secure Index
[figure: index under construction for the keywords Austin, Baltimore, Washington]
23
SSE-1
‣Building a Secure Index
[figure: index under construction for the keywords Austin, Baltimore, Washington (continued)]
24
SSE-1
‣Building a Secure Index
‣P: PRP
‣F: PRF
[figure: each keyword w gets an address P(w) and a key F(w): F(Austin) = K_A, P(Austin); F(Baltimore) = K_B, P(Baltimore); F(Washington) = K_W, P(Washington)]
25
SSE-1
‣Searching for Baltimore
•addr := P(Baltimore)
•key := F(Baltimore)
•Trapdoor := (addr, key)
[figure: the server returns the documents D8, D10]
26
Technical issues
‣We overlooked many technical details
•padding and shuffling
‣Efficient storage of sparse tables
•large address space; small number of entries
•FKS dictionaries [Fredman-Komlos-Szemeredi84]
-storage: O(#entries)
-lookup: O(1)
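The slides above (22 to 26) describe SSE-1 only at the level of a picture: a keyed PRP P maps each keyword to an address in a sparse table, a keyed PRF F derives a per-keyword key, the posting list stored at that address is encrypted under that key, and the trapdoor (addr, key) lets the server look up and decrypt exactly one list. The following Python sketch is an added illustration of that mechanism and is not code from the slides or the paper's SSE-1. Its assumptions: HMAC-SHA256 stands in for both F and P (a PRF output used purely as a lookup address is enough here, so no invertible PRP is needed); each posting list is encrypted with an HMAC-SHA256 keystream in counter mode under F(w); every list is padded to a fixed MAX_POSTINGS entries with a dummy identifier, which is the "padding" of slide 26 in its simplest form (the paper instead chains list nodes through a single padded array, and its shuffling of array positions is not reproduced because the dict keys are already pseudorandom addresses); and a Python dict stands in for the FKS dictionary of slide 26. The demo also surfaces what the trace leaks: the server learns the search outcome (the identifiers) and the search pattern (two trapdoors for the same keyword are identical), but the keyword itself never appears in the index or the trapdoor.

```python
"""Toy SSE-1-style index (added illustration, not the paper's construction).

Assumed (not from the slides): HMAC-SHA256 as PRF F and as the address map P,
an HMAC-based counter-mode keystream for the posting-list encryption, a fixed
padding bound MAX_POSTINGS per keyword, and a dict in place of an FKS table.
"""
import hashlib
import hmac
import secrets
import struct

MAX_POSTINGS = 4          # padding bound per keyword (assumption)
ID_BYTES = 4              # width of one document identifier
DUMMY_ID = 0xFFFFFFFF     # padding marker; never a real document identifier


def keygen():
    """K = (K_P, K_F): one key for the address map P, one for the key PRF F."""
    return secrets.token_bytes(32), secrets.token_bytes(32)


def _prf(key, label, w):
    # Domain-separated keyed PRF over the keyword string.
    return hmac.new(key, label + w.encode(), hashlib.sha256).digest()


def P(K, w):
    """Address of keyword w's entry in the sparse table (the PRP of slide 24)."""
    return _prf(K[0], b"P|", w)


def F(K, w):
    """Per-keyword symmetric key K_w (the PRF of slide 24)."""
    return _prf(K[1], b"F|", w)


def _keystream(key, nbytes):
    # Counter-mode keystream: HMAC(key, counter) blocks, truncated to nbytes.
    out = b""
    ctr = 0
    while len(out) < nbytes:
        out += hmac.new(key, struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:nbytes]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def build_index(K, docs):
    """docs: {doc_id: set_of_words} -> index {P(w): Enc(F(w), padded ids)}."""
    postings = {}
    for doc_id, words in docs.items():
        for w in words:
            postings.setdefault(w, []).append(doc_id)
    index = {}
    for w, ids in postings.items():
        if len(ids) > MAX_POSTINGS:
            raise ValueError("posting list for %r exceeds padding bound" % w)
        # Pad every list to the same length so the index hides list sizes.
        padded = ids + [DUMMY_ID] * (MAX_POSTINGS - len(ids))
        pt = b"".join(struct.pack(">I", i) for i in padded)
        index[P(K, w)] = _xor(pt, _keystream(F(K, w), len(pt)))
    return index


def trapdoor(K, w):
    """Client side: the only thing the server ever receives for keyword w."""
    return P(K, w), F(K, w)


def search(index, T):
    """Server side: knows (addr, key) but not w; returns matching doc ids."""
    addr, key = T
    ct = index.get(addr)
    if ct is None:
        return []
    pt = _xor(ct, _keystream(key, len(ct)))
    ids = struct.unpack(">%dI" % (len(pt) // ID_BYTES), pt)
    return sorted(i for i in ids if i != DUMMY_ID)


def demo():
    # Constructed sample collection mirroring slide 25 (D8 and D10 contain Baltimore).
    docs = {8: {"baltimore", "austin"}, 10: {"baltimore"}, 3: {"washington"}}
    K = keygen()
    I = build_index(K, docs)
    t1 = trapdoor(K, "baltimore")
    t2 = trapdoor(K, "baltimore")
    return {
        "baltimore": search(I, t1),
        "austin": search(I, trapdoor(K, "austin")),
        "washington": search(I, trapdoor(K, "washington")),
        "unknown": search(I, trapdoor(K, "denver")),
        "same_word_same_trapdoor": t1 == t2,          # search pattern leaks
        "index_hides_list_length": len({len(c) for c in I.values()}) == 1,
        "keyword_absent_from_index": not any(b"baltimore" in a for a in I),
    }


if __name__ == "__main__":
    print(demo())
```

The per-keyword padding bound is the price of keeping the sketch short: with MAX_POSTINGS fixed, an index of m keywords costs m times the bound regardless of how many documents actually match, which is why the paper chains list nodes through one array padded to the total number of (document, keyword) pairs instead. Note also that the leakage shown in demo() is exactly the trace of slide 14 (list length hidden, search outcome and search pattern visible), and nothing in this sketch addresses the adaptive case of slides 28 to 30.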
27
Outline
‣Motivation
‣Overview of privacy-preserving computation
‣Searchable symmetric encryption
•Revisiting security definitions for SSE
•“Non-adaptive” definitions and construction
•“Adaptive” definitions and construction
‣Extensions
28
Adaptive security
‣“any function about the partial history that can be computed from the partial view can be computed from the partial trace”
•partial history: documents and keywords
•partial view: encrypted documents, index, trapdoors
•partial trace: document lengths, search outcomes, search pattern
29
Adaptive security
‣Do we need revised SSE constructions?
‣Are previous constructions adaptively secure?
‣Technical challenge: simulator must be able to “fake” trapdoors after having committed to index
‣Previous constructions do not have this property
‣Unfortunately, this is expensive!
30
SSE-2
‣Similar to SSE-1
‣Pre-processing and padding
•simulator can commit to an index before query is issued
•and still build valid trapdoors after query is issued
‣Constant blowup in
•size of trapdoors
•size of index
•server search time
31
Comparison
‣n: total # of documents, d: # of documents that contain word

                        [Ost90,GO96]   [SWP00]   [Goh03]   [CM05]   SSE-1   SSE-2
access pattern hidden   yes            no        no        no       no      no
server comp.
server storage
rounds                  logarithmic    1         1         1        1       1
comm.
adaptive                yes            no        no        no       no      yes

[the server comp., server storage and comm. entries were not recoverable from the slide text]
32
Outline
‣Motivation
‣Overview of privacy-preserving searching
‣Searchable symmetric encryption
•Revisiting security definitions for SSE
•“Non-adaptive” definitions and construction
•“Adaptive” definitions and construction
‣Extensions
34
Multi-User SSE
‣Indexes and trapdoors require the same security notions as single-user SSE
‣Revocation: owner can revoke searching privileges
•robust against user collusions
‣Anonymity: server should not know who initiated a search
‣Simple construction that transforms single-user SSE schemes into multi-user SSE schemes
•broadcast encryption (revocation)
•PRPs
35
Open Questions
‣Constant-round schemes that hide everything, even the access pattern
‣Constant-round searching for Boolean combinations of keywords (note that with logarithmic rounds this already follows from [Ost,GO])
-Conjunctive searchable encryption [GSW04, PKL04, BW06]
-Disjunctive?
36
Conclusions
‣Weakening “complete security” is delicate
•point out issues with previous attempts
‣Introduce new definitions
•non-adaptive: simulation and indistinguishability-based
•adaptive: simulation and indistinguishability-based
‣Efficient and practical constructions
‣Multi-user setting