cloud security & cryptography iiseny/slides/cloudsec2.pdf · dynamic sse...
TRANSCRIPT
![Page 1: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/1.jpg)
Cloud Security & Cryptography II
Cloud-oriented
Primitives
SENY KAMARA
MICROSOFT RESEARCH
![Page 2: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/2.jpg)
Cloud Cryptography
Current crypto tools are inappropriate for the cloud
Due to assumptions about how tools will be used
Results in efficiency loss & insecurity
We need new tools!
2
![Page 3: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/3.jpg)
Cloud Cryptography
Searchable encryption
Searching over encrypted data
Structured encryption
Querying encrypted structured data
Private information retrieval
Downloading data privately
Oblivious RAM
Computing privately with untrusted memory
Proofs of storage
Verifying integrity of outsourced data
3
![Page 4: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/4.jpg)
Searchable Encryption
4
![Page 5: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/5.jpg)
Cloud Storage
?
5
![Page 6: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/6.jpg)
Two Simple Solutions to Search
?
Large comm.
complexity
id2
Large local
storage
Q: can we achieve the best of both?
EncEnc
EncEnc
6
![Page 7: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/7.jpg)
Searchable Symm. Encryption
tw
K EncK
EncK EncK
7
![Page 8: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/8.jpg)
SSE Parameters
Paramerers
n: number of files in collection
|f|: size of file collection
m: number of keywords
Client-side
Security: CKA1, CKA2, UC
Token generation & size: O(1) to O(n)
Server-side
Search time: OPT, OPT ∙ log(n), O(n), O(|f|)
Index size: O(n), O(n ∙ m)
8
![Page 9: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/9.jpg)
Security Definitions
Security against chosen-keyword attack
[Goh03,CM05,CGKO06]
Security against adaptive chosen-keywords attacks [CGKO06]
CKA1: “Protects files and keywords even if
chosen by adversary”
CKA2: “Protects files and keywords even if chosen
by adversary, and even if chosen as a function of ciphertexts, index, and previous results”
9
![Page 10: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/10.jpg)
Security Definitions
UC [KO12]
Universal composability [Canetti01]
UC: “Remains CKA2-secure even if composed arbitrarily”
10
![Page 11: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/11.jpg)
Searchable Symmetric
EncryptionScheme Dynamism Security Search Verifiable Leakage
SWP00 No CPA O(|f|) No ++++
Goh03 Yes CKA1 O(n) No ++
CM05 No CKA1 O(n) No ++
CGKO06-1 No CKA1 OPT No ++
CGKO06-2 No CKA2 OPT No ++
CK10 No CKA2 OPT No ++
vLSDHJ10 Yes CKA2 O(log m) No +++
KO12 No UC O(n) No +++
KPR12 Yes CKA2 OPT No +++
KP13 Yes CKA2 OPT∙log(n) Yes ++
KPR13 Yes UC OPT Yes +++
11
![Page 12: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/12.jpg)
GOOG
I B M
A A P L
M SFT
SSE-1 [CGKO06]
M SFT
GOOG
A A P L
I B M
F2 F1 0 F1 1
F2 F8 F1 4
F1 F2
F4 F1 0 F1 2
1. Build inverted/reverse index
F1 1 F8 F2 F1 0
F1 F4 F1 2 F1 0
F2 F2 F1 4 #
2. Randomly permute array & nodes
Posting list
12
![Page 13: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/13.jpg)
GOOG
I B M
A A P L
M SFT
GOOG
I B M
A A P L
M SFT
SSE-1 [CGKO06]
F1 1 F8 F2 F1 0
F1 F4 F1 2 F1 0
F2 F2 F1 4 #
2. Randomly permute array & nodes
3. Encrypt nodes
13
![Page 14: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/14.jpg)
SSE-1 [CGKO06]
3. Encrypt nodes
4. “Hash” keyword & encrypt pointer
GOOG
I B M
A A P L
M SFT
FK(GOOG) Enc(•)
FK(IBM) Enc(•)
FK(AAPL) Enc(•)
FK(MSFT) Enc(•)
14
![Page 15: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/15.jpg)
Limitations of SSE-1
Non-adaptively secure ⇒ adaptive security
Idea #1 [Chase-K.-10]
replace encryption scheme with symmetric non-committing
encryption
only requires a PRF + XOR
: doesn’t work for dynamic data
Idea #2
Use RO + XOR
15
![Page 16: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/16.jpg)
Limitations of SSE-1
Static data ⇒ dynamic data
Problem #1:
given new file FN = (AAPL, …, MSFT)
append node for F to list of every wi in F
M SFT
GOOG
A A P L
I B M
F2 F1 0 F1 1
F2 F8 F1 4
F1 F2
F4 F1 0 F1 2
FN
FN
FK(GOOG) Enc(•)
FK(IBM) Enc(•)
FK(AAPL) Enc(•)
FK(MSFT) Enc(•)
1. Over unencrypted index
2. Over encrypted index ???
16
![Page 17: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/17.jpg)
Limitations of SSE-1
Static data ⇒ dynamic data
Problem #2:
When deleting a file F2 = (AAPL, …, MSFT)
delete all nodes for F2 in every list
M SFT
GOOG
A A P L
I B M
F2 F1 0 F1 1
F2 F8 F1 4
F1 F2
F4 F1 0 F1 2 FK(GOOG) Enc(•)
FK(IBM) Enc(•)
FK(AAPL) Enc(•)
FK(MSFT) Enc(•)
1. Over unencrypted index
2. Over encrypted index ???
17
![Page 18: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/18.jpg)
Dynamic SSE [K.-Papamanthou-Roeder12]
Static data ⇒ dynamic data
Idea #1
Memory management over encrypted data
Encrypted free list
Idea #2
List manipulation over encrypted data
Use homomorphic encryption (here just XOR) so that pointers can be updated obliviously
Idea #3
deletion is handled using a “dual” SSE scheme
given deletion/search token for F2 , returns pointers to F2 ‘s nodes
then add them to the free list homomorphically
18
![Page 19: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/19.jpg)
Structured Encryption
19
![Page 20: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/20.jpg)
Structured Encryption
Searchable encryption
Private keyword search over encrypted text data
Q: can we privately query other types of enc. data?
maps
image collections
social networks
web page archives
20
![Page 21: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/21.jpg)
Graph-structured Data
Communications
email headers, phone logs
Research papers
citations
Networks
Social networks
Web crawlers
Maps
21
![Page 22: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/22.jpg)
Structured Encryption
t
EncK
EncK EncK
22
![Page 23: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/23.jpg)
Structured Encryption
t
EncK
EncK EncK
23
![Page 24: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/24.jpg)
Structured Data
Email archive = Index + Email text
24
![Page 25: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/25.jpg)
Structured Data
Social network = Graph + Profiles
25
![Page 26: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/26.jpg)
Structured Encryption
Gen(1𝑘) K
Enc𝐾 𝛿, 𝑚 (𝛾, 𝑐)
Token𝐾(𝑞) 𝑡
Query(𝛾, 𝑡) 𝐼
Dec𝐾(𝑐𝑖) 𝑚𝑖
t
𝑐𝛾
26
![Page 27: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/27.jpg)
CQA2-Security
Simulation-based definition
``given the ciphertext no adversary can learn any
information about the data and the queries other than what
can be deduced from the access and search patterns…”
“…even if queries are made adaptively”
access pattern: pointers to (encrypted) data items that
satisfy query
query pattern: whether a query is repeated
Ω 𝜆 ∙ log n lower bound on token size (in std. model)
n: # of data items
𝜆: # of relevant items
27
![Page 28: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/28.jpg)
Constructions
Adjacency queries on encrypted graphs
from lookup queries on encrypted matrices
Neighbor queries on encrypted graphs
from keyword search on encrypted text (i.e., SSE)
Focused subgraph queries on encrypted web graphs
from keyword search on encrypted text
from neighbor queries on encrypted graphs
28
![Page 29: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/29.jpg)
Neighbor Queries on
Graphs
t
EncK
EncK EncK
29
![Page 30: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/30.jpg)
FSQ on Web Graphs
Web graphs
Text data -- pages
Graph data --- hyperlinks
Simple queries on web graphs
All pages linked from P
All pages that link to P
Complex queries on web graphs
``mix” both text and graph structure
search engine algorithms based on link-analysis
Kleinberg’s HITS [Kleinberg99]
SALSA
…
30
![Page 31: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/31.jpg)
Focused Subgraph Queries
Search engine algorithms
Step 1: compute focused subgraph
Step 2: run iterative algorithm on focused subgraph
Crypto
31
![Page 32: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/32.jpg)
FSQ on Encrypted Graphs
Encrypt
pages with SE-KW
graph with SE-NQ
does not work!
Chaining technique
combine SE schemes (e.g., SE-KW with SE-NQ)
preserves token size of first SE scheme
Requires associative SE
message space: private data items and semi-private information
answer: pointers to data items + associated semi-private information
[CGKO06]: associative SE-KW but not CQA2-secure!
32
![Page 33: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/33.jpg)
FSQ on Web Graphs
t
EncK
EncK EncK
33
![Page 34: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/34.jpg)
Private Information
Retrieval
34
![Page 35: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/35.jpg)
Private Information
Retrieval
#3
35
![Page 36: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/36.jpg)
A Simple Solution to PIR
All
Large comm
36
![Page 37: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/37.jpg)
An Ideal Solution
#$(dws#$
Small comm
37
![Page 38: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/38.jpg)
Private Information
Retrieval
38
![Page 39: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/39.jpg)
Private Information
Retrieval Multi-server PIR [Chor-Goldreich-Kushilevitz-Sudan95]
Servers cannot communicate
Information-theoretic security
Information theoretic security requires at least two servers
Single-server PIR [Kushilevitz-Ostrovsky97]
Homomorphic encryption, phi-hiding
Computational security
trapdoor permutations, number theory, lattices
Keyword PIR [Chor-Gilboa-Naor97]
Hardware-based PIR [Smith-Safford01,Asonov-Freytag02,…]
O(1) communication and O(n) computation [SS01]
O(1) communication and o(n) computation [AF02]
39
![Page 40: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/40.jpg)
PIR [KO97]
#3
a = 4xE(0) + 6xE(0) + 9xE(1) + 2xE(0)
O(n)
d = 4, 6, 9, 2
q = E(0), E(0), E(1), E(0)
E(9)
40
![Page 41: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/41.jpg)
PIR [KO97]
#3
a = 4xE(0) + 9xE(1) ; 6xE(0) + 2xE(1)
O( n)
d = 4 6
9 2
E(9), E(2)
q = E(0), E(1)
41
![Page 42: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/42.jpg)
PIR Connections
Oblivious Transfer
OT = symmetric PIR
Privacy for both client and server
Locally decodable codes [Katz-Trevisan00]
Multi-server PIR = locally decodable code
Collision-resistant hash functions [Ishai-Kushilevitz-Ostrovsky05]
Single-server single-round PIR ⇒ collision-resistant hash
function
42
![Page 43: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/43.jpg)
Oblivious RAMs
43
![Page 44: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/44.jpg)
Oblivious RAM
“Allows client to read & write to
memory/storage without revealing access pattern”
Read #104
Write #205
Read #748
Write #593
Read #23
Write #993
44
![Page 45: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/45.jpg)
ORAM vs. PIR
Generality
ORAM protects arbitrary computations
(traditionally) PIR protects lookups (+ keyword search)
Public/Private data
PIR does not hide data from server
ORAM hides data from server
Server
ORAM “server” does not compute!
PIR server computes
Computational complexity
ORAM “server” can do o(n) work
PIR server has to do O(n) work
45
![Page 46: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/46.jpg)
ORAM vs. PIR
PIR parameters
communication complexity since θ(n) computation
required
ORAM parameters
round complexity, client storage, server storage
46
![Page 47: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/47.jpg)
Timeline of Previous Work
1990 Oct 2008 Jul 2010
[Ostrovsky] [Williams-Sion-Carbunar]
[Goodrich-Mitzenmacher]
……….
Papers
Jun 2010
[Pinkas-Reinman]
Feb 2008
[Williams-Sion]
from O. Ohrimenko
47
![Page 48: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/48.jpg)
Timeline of Previous Work
12/2010
[Goodrich-
Mitzenmacher-
Ohrimenko-
Tamassia]
Mar30
[Boneh-
Maziéres-Popa]
Jun18
[Stefanov-
Shi-Song]
Jul16 Jul29
[Shi-Chan-Stefanov-Li]
Jun16
[Kushilevitz-
Ostrovsky-Lu]
Jul15
[Lu-
Ostrovsky]
2011
[Goodrich-Mitzenmacher-Ohrimenko-Tamassia]
from O. Ohrimenko
48
![Page 49: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/49.jpg)
Square Root Scheme [Goldreich-Ostrovsky96]
a b c d
n
cache√nSetup
1. Add √n dummy items2. Add √n cache3. Randomly permute real &
dummy items
dummies√n
from O. Ohrimenko
49
![Page 50: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/50.jpg)
Setup1. Add √n dummy items2. Add √n cache3. Randomly permute real &
dummy items4. Encrypt
5. Send to server
Square Root Scheme [Goldreich-Ostrovsky96]
main memory
n + √ncache
√n
b a c d
from O. Ohrimenko
50
![Page 51: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/51.jpg)
Read #1
1. Scan cache
2. If item #1 is not in cache read P(1)
3. Write item to cache
Square Root Scheme [Goldreich-Ostrovsky96]
main memory
n + √ncache
√n
b a c d
Re
ad
#P
(1)
Cannot access location P(1) anymore!
from O. Ohrimenko
51
![Page 52: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/52.jpg)
Read #i
1. Scan cache
2. If item #i is not in cache read P(i)
3. Write item to cache
Square Root Scheme [Goldreich-Ostrovsky96]
main memory
n + √ncache
√n
b a c d a
Re
ad
#P
(1)
Cannot access location P(1) anymore!
from O. Ohrimenko
52
![Page 53: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/53.jpg)
Read #1 (again)1. Scan cache
2. If item #1 is not in cache read P(1)
3. Write item to cache
4. If item is in cache, read dummy item
5. Write dummy to cache
Square Root Scheme [Goldreich-Ostrovsky96]
main memory
n + √ncache
√n
b a c d a
Re
ad
#P
(n+
1)
Cannot access location P(1) anymore!
from O. Ohrimenko
53
![Page 54: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/54.jpg)
Read #1 (again)1. Scan cache
2. If item #1 is not in cache read P(1)
3. Write item to cache
4. If item is in cache, read dummy item
5. Write dummy to cache
Square Root Scheme [Goldreich-Ostrovsky96]
main memory
n + √ncache
√n
b a c d a
Re
ad
#P
(n+
1)
from O. Ohrimenko
54
![Page 55: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/55.jpg)
Rebuild
1. Merge all items
2. Clear chache
3. Remove duplicates
4. Permute with new permutation
Square Root Scheme [Goldreich-Ostrovsky96]
main memory
n + √ncache
√n
b a c d a
Re
ad
#P
(n+
1)
Cache gets full after √n requests
from O. Ohrimenko
55
![Page 56: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/56.jpg)
Square Root Scheme [Goldreich-Ostrovsky96]
Analysis
Each request needs √n + 1 accesses
Each rebuild needs nlog2 n accesses every √n requests
Total accesses for r requests is O(r √n + n log2n r / √n)
Amortized complexity per request is O(√n log2n)
56
![Page 57: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/57.jpg)
Oblivious RAMs
Client
Storage
Round-
trips
Message
size
Server
Storage
[GO96] O(1) O(√n) O(1) O(n)
[SCSL11] O(log2 n) O(log n) O(log2 n) O(nlogn)
[GMOT12] O(√n) O(log n) O(1) O(n)
57
![Page 58: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/58.jpg)
Proofs of Storage
58
![Page 59: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/59.jpg)
Integrity
?
59
![Page 60: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/60.jpg)
Simple Solutions
?H
H
Cloud can just store hash!
?H
Linear comm. complexity
60
![Page 61: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/61.jpg)
Simple Solutions
K1
FK1
FK2
FK3 FK3
FK1
…Large client storageBounded # of verifications
61
![Page 62: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/62.jpg)
Proof of Storage [Ateniese+07,Juels-Kaliski07]
O(1)
Petabytes
π
K
c
62
![Page 63: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/63.jpg)
PoS = PoR ∨ PDP
Proof of retrievability [Juels-Kaliski07]
High tampering: detection
Low tampering: retrievability
Proof of data possession [Ateniese+07]
Detection
63
![Page 64: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/64.jpg)
PoS Security
Completeness
Soundness
COMP: “if Server possesses file, then Client accepts proof”
SOUND: “if Client accepts proof, then
Server possesses file”
64
![Page 65: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/65.jpg)
Formalizing Possession
Knowledge extractor
[Feige-Fiat-Shamir88, Feige-Shamir90, Bellare-Goldreich92]
Algorithm that extracts information from other algorithms
Typically done by rewinding
Adapted to PoS soundness
SOUND: “there exists an expected poly-time extractor
K that extracts the file from any poly-time A that
outputs valid proofs”
65
![Page 66: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/66.jpg)
Designing PoS
Based on sentinels
[Juels-Kaliski07]
Embed secret blocks in data and verify their integrity
Very efficient encoding
Only works with private data
Based on homomorphic linear authenticators (HLA)
[Ateniese+07]
Authenticates data with tags that can be aggregated
works with public data
66
![Page 67: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/67.jpg)
HLA-based PoS
Semi-compact PoR
Compact PDP
Semi-compact PDP
Compact PoR
Erasure code
1 2 3 4
HLA
1 2 3 4
t1 t2 t3 t4
1 2 3 4 EC EC
t1 t2 t3 t4 t5 t6
1 2 3 4 EC EC
HLA
PRF
PRF
67
![Page 68: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/68.jpg)
HLA-based PoS
SOUND: “there exists an expected poly-time extractor
K that extracts the file from any poly-time A that
outputs valid proofs”
K
c
π
c
π
68
![Page 69: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/69.jpg)
Extracting a File
SOUND: “there exists an expected poly-time extractor
K that extracts the file from any poly-time A that
outputs valid proofs”
K⟨c1, f⟩
⟨c2, f⟩
C1∈[ℤp]n
C2∈[ℤp]n
1 2f = =Extract f1. If c1 and c2 are lin. Indep.
2. solve for f using linear algebra
69
![Page 70: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/70.jpg)
Extracting a File
What if c1 and c2 are not linearly independent?
Just pick them at random
What if A doesn’t compute inner product?
Use HLAs!
K⟨c1, f⟩
⟨c2, f⟩
C1∈[ℤp]n
C2∈[ℤp]n
1 2f = =Extract f1. If c1 and c2 are lin. Indep.
2. solve for f using linear algebra
70
![Page 71: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/71.jpg)
HLA
Syntax
Gen(1k) ⟾ K
Tag(K, f) ⟾ (t, st)
Chall(1k) ⟾ c
Auth(K, f, t, c) ⟾ α
Vrfy(K, μ, c, T) ⟾ b
SecurityUNF: “given f and c, no A can output a
valid α for an element μ ≠ ⟨c, f⟩”
71
![Page 72: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/72.jpg)
Simple HLA [Shacham-Waters08]
1 2 3 4
t1 t2 t3 t4
ti = HK(i) + fi ∙w
W, K
C⬿[ℤ*p]n
μ = ⟨c, f⟩ and α = ⟨c, t⟩
α = ⟨t, (HK(1), …, HK(n))⟩ + μ ∙w
72
![Page 73: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/73.jpg)
Simple HLA
UNF: α proves that μ is the inner product of f and c
Why is Simple HLA unforgeable?
For intuition see [Ateniese-K.-Katz10]
Connection to 3-move identification protocols
UNF: “given f and c, no A can output a
valid α for an element μ ≠ ⟨c, f⟩”
73
![Page 74: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/74.jpg)
Simple HLA = Semi-Compact PoS
1 2 3 4
t1 t2 t3 t4
ti = HK(i) + fi ∙w
W, K
Everything in ℤp
C⬿[ℤ*p]n
μ = ⟨c, f⟩ and α = ⟨c, t⟩
α = ⟨t, (HK(1), …, HK(n))⟩ + μ ∙w
O(n)!
O(1)
74
![Page 75: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/75.jpg)
Compressing Challenges
Idea #1
[Ateniese+07]
Send key to a PRF and have server generate challenge vector
Problem: how do we reduce to PRF security if A knows the PRF key?
Idea #2
[Shacham-Waters08] Use a random oracle
Idea #3
[Dodis-Vadhan-Wichs10] Use an expander-based derandomizedsampler
[Ateniese-K.-Katz10]
Idea#1 is secure
Security of PRF implies that PRF-generated vectors are linearly independent with high probability
75
![Page 76: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/76.jpg)
Other Topics
Order Preserving Encryption
[Agrawal+04, Boldyreva-Chenette-O’Neill11,…]
Private stream search
[Ostrovsky-Skeith05,…]
Verifiable computation
[Goldwasser-Kalai-Rothblum08, Gennaro-Gentry-Parno10,…]
76
![Page 77: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/77.jpg)
The End
77
![Page 78: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/78.jpg)
CKA2-Security [Curtmola-Garay-K.-Ostrovsky06]
Simulation-based definition
``given the encrypted index, encrypted files and search
tokens, no adversary can learn any information about the
files and the search keywords other than what can be
deduced from the access and search patterns…”
“…even if queries are made adaptively”
access pattern: pointers to (encrypted) files that satisfy
search query
query pattern: whether a search query is repeated
78
![Page 79: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/79.jpg)
CKA2-Security [Curtmola-Garay-K.-Ostrosvsky06]
Real World Ideal World
EncK
q
t
⋮
?$s!l)csd@#C
@#kj^%ks#
⋮
L1(q)q
L1
79
![Page 80: Cloud Security & Cryptography IIseny/slides/cloudsec2.pdf · Dynamic SSE [K.-Papamanthou-Roeder12] Static data ⇒dynamic data Idea #1 Memory management over encrypted data Encrypted](https://reader036.vdocuments.us/reader036/viewer/2022071117/6003634ccf8592192c583bd6/html5/thumbnails/80.jpg)
Equivocation
Ideal World
?$s!l)csd@#CE!@
@#kj^%ks#
⋮
L1(q)q
L1
80