Note: Differentially Private Access Patterns for Searchable Symmetric Encryption
The Core Issues and Ideas of This Paper
Problem
- Baseline Searchable Symmetric Encryption (SSE) could not avoid access-pattern leakage.
- ORAM algorithm performance is extremely low and cannot be applied in practice.
Idea
Solve the Access-pattern Leakage of current SSE by introducing differential privacy.
Important knowledge
Searchable Symmetric Encryption (SSE)
An SSE scheme is a tuple (KeyGen, BuildIndex, Token, Search, SKE) and asymmetric key encryption scheme.
- (\(`K_I`\), \(`K_D`\) ) ← KeyGen(\(`1^\kappa`\) ): Probabilistic key generation.
- Security parameter \(`\kappa`\): input.
- Secret key \(`K_I`\): For the secure index,
- Secret key \(`K_D`\) ← SKE.Gen(\(`1^\kappa`\)): For the document collection.
- \(`I`\) ← BuildIndex(\(`K_I`\), \(`(D, W)`\)): Probabilistic algorithm for the client to build a secure index.
- \(`K_I`\): input.
- \(`D`\): Document collection.
- \(`W`\): keyword lists W.
- \(`I`\): Secure index.
- \(`\tau`\) ← Token(\(`K_I`\), \(`w`\)): (Probabilistic) algorithm for the client to generate search tokens.
- \(`R`\) ← Search(\(`I`\), \(`\tau`\)): Deterministic algorithm for the server.
- \(`R`\): Document identifications.
- \(`c`\) ← SKE.Enc(\(`K_D`\), \(`D`\)): Probabilistic algorithm for the client to encrypt the document collection.
- \(`D`\) ← SKE.Dec(\(`K_D`\), \(`c`\)): Deterministic algorithm for the client to decrypt a ciphertext of a document.
Access-pattern Leakage
In the practical application of SSE, there is Access-pattern Leakage. The main reasons are list as flow:
- The cloud server is able to observe which files are accessed in the encrypted database by the client.
- To be used in practice, most existing SSE schemes allow it.
- With some a priori knowledge of the outsourced documents, the adversary could recover the content of the queries with high accuracy.
Query Recovery Attack (IKK Attack)
IKK attack is a typical attack method for SSE with Access-pattern Leakage.
Assumption
The adversary has the knowledge of a (\(`r\times r`\) matrix \(`M`\) that depicts the probability of keyword co-occurrence (r is the number of keywords).
Method
- Compute \(`l\times l`\) co-occurrence matrix \(`\hat{M}`\) by the observed access patterns(a sub-matrix of \(`M`\)).
- The best match of \(`\hat{M}`\) to \(`M`\) can be generated by optimization methods (e.g. Simulated Annealing).
ORAM Algorithm
This algorithm allows SSE to defend against Access-pattern Leakage (with IKK attack method), but has serious performance problems and is of low practical value.
- Allows a client to hide its access pattern from the remote server by continuously shuffling and re-encrypting data as they are accessed.
- Access one of n documents in the storage, at least o(log n) documents need to be accessed. [Too much overhead for SSE]
Differential Privacy
Differential Privacy introduction: The Differential Privacy Frontier (Extended Abstract)
Assuming a positive real number \(`\epsilon`\), \(`A`\) is a random algorithm that takes a data set as input (representing the data owned by the relying party). \(`imA`\) represents the mapping of \(`A`\). For all data sets \(`D_1`\) and \(`D_2`\) of non-single elements (i.e., one person's data) and all subsets \(`S`\) of \(`imA`\), algorithm \(`A`\) is \(`\epsilon - differential \quad privacy`\), where the probability depends on the randomness of the algorithm.
Pr[A(D_1)\in S]\leqslant e^\epsilon \times Pr[A(D_2) \in S]
If an attacker is required to receive a \(`Q_i`\) (\(`i_{th}`\) query) value through a \(`\epsilon - differential \quad privacy`\) algorithm, he will not be able to distinguish between the two data sets if \(`\epsilon`\) is small enough.
Erasure Coding
The erasure code is the main method for adding redundancy to the Secure index.
Notes on erasure codes that I have posted on cnblogs
Key points
Assumption
- Adversary has complete knowledge of the document collection.
- Server simply passively monitors the storage access patterns and infers the content of the corresponding queries.
Why Introduce Differential Privacy for SSE
Differential privacy is a strong privacy guarantee for an individual’s input to a (randomized) function or sequence of functions.
Differential Privacy rules imply that the adversary cannot distinguish between queries using distinct search terms that induce access patterns that are within the specified distance of one another.
d-privacy
Here, \(`d`\) represents the Hamming distance in the access-pattern vector. By the parameter \(`d`\), the generalized \(`\epsilon - differential \quad privacy`\) definition is designed (add \(`d`\) as a parameter of \(`e^{\epsilon d}`\)).
d-private Access-pattern Obfuscation Mechanism
Add the two following part to SSE:
- Obfuscate the access patterns: Add false positives and false negatives to the search results.
- To handle the correctness issue: Introduce redundancy to the document collection using erasure codes.
The way to establish d-privacy APO
Define an access-pattern obfuscation mechanism \(`K`\) : \(`X \rightarrow Y`\) gives \(`\epsilon d_{h}-privacy`\), iff \(`\forall x,x' \in X`\) and \(`\forall S \subseteq Y`\) (using the Hamming distance \(`d_h`\))
Pr[K(x)\in S]\leqslant e^{\epsilon d_h(x,x')} \times Pr[K(x') \in S]
Define an obfuscation mechanism \(`K_f`\) such that, given an access pattern \(`x \in X`\), it outputs any \(`y \in Y`\) with probability
Pr[K_f(x)=y]=Pr[x|y]=\prod^n_{i=1}Pr[y_i|x_i]
Where
Pr[y_i=1|x_i=1]=p \qquad Pr[y_i=1|x_i=0]=q
Pr[y_i=0|x_i=1]=1-p \quad Pr[y_i=0|x_i=0]=1-q
Enforce two constraints on p and q to make the mechanism practical:
- \(`Pr[y_i = 1|x_i = 0] < Pr[y_i = 1|x_i = 1]`\): non-matching shard should have a lower probability to be retrieved than a matching shard;
- \(`Pr[y_i = 1|x_i = 0] < Pr[y_i = 0|x_i = 1]`\): non-matching shard should have a lower probability to be flipped than a matching shard.
Means that \(`q < p`\) and \(`q < 1-p`\). And find out that \(`\epsilon = ln(\frac{p}{q})`\).
By using the (m,k) erasure code, six parameter optimization conditions are established, and the values of all the variables required are obtained.
Workloads
- Defined d-privacy for access patterns of general SSE schemes.
- Proposed a d-private access-pattern obfuscation mechanism that is compatible with existing SSE schemes.
- Implemented a prototype of the proposed obfuscation mechanism.
Evaluation
Based on the Enron Email Dataset.
Security
- Baseline IKK attack on SSE with and without access-pattern obfuscation method.
- Improved IKK attack (Adversary can successfully figure out which shards belong to the same documents) on SSE with and without access-pattern obfuscation method.
Performance
- Storage and Communication Overhead
- Precision
- Runtime Overhead (build SSE local)
Note: Differentially Private Access Patterns for Searchable Symmetric Encryption的更多相关文章
- 安卓开发笔记(十六):'Request(okhttp3.Request.Builder)' has private access in 'okhttp3.Request
当出现了'Request(okhttp3.Request.Builder)' has private access in 'okhttp3.Request的错误的时候,实际上是我们在写代码的时候少打了 ...
- Public Private Protect Inheritance and access specifiers
In the previous lessons on inheritance, we've been making all of our data members public in order to ...
- Ehcache(2.9.x) - API Developer Guide, Cache Usage Patterns
There are several common access patterns when using a cache. Ehcache supports the following patterns ...
- MySQL ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)的真正原因
在博客Linux mysql 5.6: ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: N ...
- Scala access modifiers and qualifiers in detail
来自:http://www.jesperdj.com/2016/01/08/scala-access-modifiers-and-qualifiers-in-detail/ Just like Jav ...
- MySQL ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO
MySQL安装完server端和客户端后,登录Mysql时报错:[root@rhel204 MySQL 5.6.23-RMP]# mysqlERROR 2002 (HY000): Can't conn ...
- [LeetCode] 351. Android Unlock Patterns 安卓解锁模式
Given an Android 3x3 key lock screen and two integers m and n, where 1 ≤ m ≤ n ≤ 9, count the total ...
- swift 中关于open ,public ,fileprivate,private ,internal,修饰的说明
关于 swift 中的open ,public ,fileprivate,private, internal的区别 以下按照修饰关键字的访问约束范围 从约束的限定范围大到小的排序进行说明 open,p ...
- 访问修饰符private
private(C# 参考) private 关键字是一个成员访问修饰符. 私有访问是允许的最低访问级别. 私有成员只有在声明它们的类和结构体中才是可访问的,如下例所示: class Employee ...
随机推荐
- org.eclipse.core.resources.bak文件导致MyEclipse每次关闭时无法保存文件
MyEclipse关闭时提示如下信息 Problems occurred while trying to save the state of the workbench. Internal Error ...
- jquery的ajax(err)
load()方法 load()方法是jquery中最为简单和常用的ajax方法. 直接使用ajax技术的流程 1.创建xmlhttprequest对象 2.调用open函数("提交方式&qu ...
- Spring MVC工作原理(好用版)
Spring MVC工作原理 参考: SpringMVC工作原理 - 平凡希 - 博客园https://www.cnblogs.com/xiaoxi/p/6164383.html SpringMVC的 ...
- 原生JS实现淡入淡出效果(fadeIn/fadeOut/fadeTo)
淡入淡出效果,在日常项目中经常用到,可惜原生JS没有类似的方法,而有时小的页面并不值得引入一个jQuery库,所以就自己写了一个,已封装, 有用得着的朋友, 可以直接使用. 代码中另附有一个设置元素透 ...
- STL defalloc.h
defalloc.h . // Filename: defalloc.h . . // Comment By: 凝霜 . // E-mail: mdl2009@vip.qq.com . // Blog ...
- visual studio 高级选项及配置
visual studio 是一款强大的 IDE,所谓 IDE 即是将通过命令行(一系列复杂的参数选项)编译.链接等操作内置到 IDE 的界面按钮处. 为什么新建的工程,可以直接 #include & ...
- ffpanel --ffmpeg的GUI,让ffmpeg离开黑黑的命令行
程序及源码下载地址 :https://github.com/langsim/ffpanel from:http://blog.csdn.net/langsim/article/details/47 ...
- 系列文章--Node.js学习笔记系列
Node.js学习笔记系列总索引 Nodejs学习笔记(一)--- 简介及安装Node.js开发环境 Nodejs学习笔记(二)--- 事件模块 Nodejs学习笔记(三)--- 模块 Nodejs学 ...
- 闪回之 回收站、Flashback Drop (table、index、trigger等)
一: Flashback Drop 操作流程 模式一:drop table 后未新建同名表 SQL> create table flashdrop as select * from user_o ...
- CentOS 6.X 安装 EPEL 源
CentOS 6.X 自带的软件源可选的并不多,有时候要找到一个偏门一些的软件,用命令一搜怎么都没有源,考虑到使用软件源配合 yum 命令安装可以自动安装依赖,所以加一个新的软件源迫在眉睫. 考虑到同 ...