Upload
nagendra-posani
View
165
Download
0
Embed Size (px)
Citation preview
Searchable Encryption
Nagendra Posani
Georgia Institute of Technology
December 12, 2016
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 1 / 24
Data breaches
Become the norm rather than the exception!
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 2 / 24
Data breaches
Become the norm rather than the exception!
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 2 / 24
Data breaches
Become the norm rather than the exception!
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 2 / 24
Data breaches
Become the norm rather than the exception!
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 2 / 24
Data breaches
Become the norm rather than the exception!
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 2 / 24
Motivation
Data can be sensitive.
Server may be untrusted or subject to attacks.
Obvious solution is encryption
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 3 / 24
Goals
Search Functionality
Efficiency
Security
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 4 / 24
How to encrypt data?
Encrypting with ”good” encryption schemes solves privacy, butfunctionality?
Search query becomes problematic since good encryption schemesencrypt plaintext differently (randomize ciphertexts)
Figure: Searchable Database
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 5 / 24
Literature
Order Preserving Encryption (OPE) [1], [2]
Variants of OPE [3]
Partical Order Preserving Encryption (POPE) [4]
Order Revealing Encryption (ORE) [5], [6]
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 6 / 24
Order Preserving Encryption
A symmetric encryption scheme is order preserving if encryptionmaintains order relations
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 7 / 24
Security Notion for OPE
Provable security notions: IND-CPA?
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 9 / 24
Security Notion for OPE
Provable security notions: IND-CPA? No
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 10 / 24
Security Notion for OPE
Provable security notions: IND-CPA? No
IND-OrderedCPA?
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 11 / 24
Security Notion for OPE
Provable security notions: IND-CPA? No
IND-OrderedCPA? No
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 12 / 24
Alternative Security Notions for OPE
Provable security notions: IND-CPA? No
IND-OCPA? No
POPF Secure? PRF style definition
No, reveals half of the plaintext bits.
ROPF - (r,z) Window One-Wayness Secure?
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 13 / 24
Alternative Security Notions for OPE
Provable security notions: IND-CPA? No
IND-OCPA? No
POPF Secure? PRF style definition
No, reveals half of the plaintext bits.
ROPF - (r,z) Window One-Wayness Secure
Secure for small r, and insecure for large r (Corresponding lowerboundaries and upper boundaries are defined)
Similarly, (r, z) Distance Window One-Wayness Secure.
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 14 / 24
Order Revealing Encryption
Generalized form of OPE
Lets define for small domain messages {0,1,2,...,N}
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 15 / 24
How to encrypt in ORE?
Defined for small plaintext space, keys k1,K2, ...KN are derived fromPRF.
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 16 / 24
Encryption in ORE
Encrypt with the keys
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 17 / 24
Encryption in ORE
For comparison we give the key, but security?
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 18 / 24
Encryption in ORE
Solution: apply random permutation π (part of the secret key) to theslots
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 19 / 24
Encryption in ORE
Extending it to large domain plaintext space.
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 20 / 24
Partial Order Preserving Encryption (POPE)
Server stores a partially ordered B-tree
Every node contains an unordered buffer of key/value pairs
Non-leaf nodes also have a small ordered list of ciphertexts
Encryption uses any (randomized) symmetric cipher
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 21 / 24
References I
Y. Lee A. Boldyreva, N. Chenette and A. O’Neill.Order-preserving symmetric encryption.EUROCRYPT 2009, volume 5479, 2009.
N. Chenette A. Boldyreva and A. O’Neill.Order-preserving encryption revisited: Improved security analysis andalternative solutions.CRYPTO 2011.
David Cash F. Betl Durak, Thomas M. DuBuisson.What else is revealed by order-revealing encryption?ACM CCS, 2016.
Seung Geol Choi Daniel S. Roche, Daniel Apon.Pope: Partial order preserving encoding.ACM CCS, 2016.
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 23 / 24
References II
M. Raykova A. Sahai M. Zhandry D. Boneh, K. Lewi andJ. Zimmerman.Semantically secure order-revealing encryption: Multi-input functionalencryption without obfuscation.EUROCRYPT 2015.
Kevin Lewi and David J. Wu.Order-revealing encryption: New constructions, applications, andlower bounds.ACM CCS, 2016.
Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 24 / 24