Note: Differentially Private Access Patterns for Searchable Symmetric Encryption

The Core Issues and Ideas of This Paper

Problem

Baseline Searchable Symmetric Encryption (SSE) could not avoid access-pattern leakage.
ORAM algorithm performance is extremely low and cannot be applied in practice.

Idea

Solve the Access-pattern Leakage of current SSE by introducing differential privacy.

Important knowledge

Searchable Symmetric Encryption (SSE)

An SSE scheme is a tuple (KeyGen, BuildIndex, Token, Search, SKE) and asymmetric key encryption scheme.

(\(`K_I`\), \(`K_D`\) ) ← KeyGen(\(`1^\kappa`\) ): Probabilistic key generation.
- Security parameter \(`\kappa`\): input.
- Secret key \(`K_I`\): For the secure index,
- Secret key \(`K_D`\) ← SKE.Gen(\(`1^\kappa`\)): For the document collection.
\(`I`\) ← BuildIndex(\(`K_I`\), \(`(D, W)`\)): Probabilistic algorithm for the client to build a secure index.
- \(`K_I`\): input.
- \(`D`\): Document collection.
- \(`W`\): keyword lists W.
- \(`I`\): Secure index.
\(`\tau`\) ← Token(\(`K_I`\), \(`w`\)): (Probabilistic) algorithm for the client to generate search tokens.
\(`R`\) ← Search(\(`I`\), \(`\tau`\)): Deterministic algorithm for the server.
- \(`R`\): Document identifications.
\(`c`\) ← SKE.Enc(\(`K_D`\), \(`D`\)): Probabilistic algorithm for the client to encrypt the document collection.
\(`D`\) ← SKE.Dec(\(`K_D`\), \(`c`\)): Deterministic algorithm for the client to decrypt a ciphertext of a document.

Access-pattern Leakage

In the practical application of SSE, there is Access-pattern Leakage. The main reasons are list as flow:

The cloud server is able to observe which files are accessed in the encrypted database by the client.
To be used in practice, most existing SSE schemes allow it.
With some a priori knowledge of the outsourced documents, the adversary could recover the content of the queries with high accuracy.

Query Recovery Attack (IKK Attack)

IKK attack is a typical attack method for SSE with Access-pattern Leakage.

Assumption

The adversary has the knowledge of a (\(`r\times r`\) matrix \(`M`\) that depicts the probability of keyword co-occurrence (r is the number of keywords).

Method

Compute \(`l\times l`\) co-occurrence matrix \(`\hat{M}`\) by the observed access patterns(a sub-matrix of \(`M`\)).
The best match of \(`\hat{M}`\) to \(`M`\) can be generated by optimization methods (e.g. Simulated Annealing).

ORAM Algorithm

This algorithm allows SSE to defend against Access-pattern Leakage (with IKK attack method), but has serious performance problems and is of low practical value.

Allows a client to hide its access pattern from the remote server by continuously shuffling and re-encrypting data as they are accessed.
Access one of n documents in the storage, at least o(log n) documents need to be accessed. [Too much overhead for SSE]

Differential Privacy

Differential Privacy introduction: The Differential Privacy Frontier (Extended Abstract)

Assuming a positive real number \(`\epsilon`\), \(`A`\) is a random algorithm that takes a data set as input (representing the data owned by the relying party). \(`imA`\) represents the mapping of \(`A`\). For all data sets \(`D_1`\) and \(`D_2`\) of non-single elements (i.e., one person's data) and all subsets \(`S`\) of \(`imA`\), algorithm \(`A`\) is \(`\epsilon - differential \quad privacy`\), where the probability depends on the randomness of the algorithm.

Pr[A(D_1)\in S]\leqslant e^\epsilon \times Pr[A(D_2) \in S]

If an attacker is required to receive a \(`Q_i`\) (\(`i_{th}`\) query) value through a \(`\epsilon - differential \quad privacy`\) algorithm, he will not be able to distinguish between the two data sets if \(`\epsilon`\) is small enough.

Erasure Coding

The erasure code is the main method for adding redundancy to the Secure index.

Notes on erasure codes that I have posted on cnblogs

Key points

Assumption

Adversary has complete knowledge of the document collection.
Server simply passively monitors the storage access patterns and infers the content of the corresponding queries.

Why Introduce Differential Privacy for SSE

Differential privacy is a strong privacy guarantee for an individual’s input to a (randomized) function or sequence of functions.

Differential Privacy rules imply that the adversary cannot distinguish between queries using distinct search terms that induce access patterns that are within the specified distance of one another.

d-privacy

Here, \(`d`\) represents the Hamming distance in the access-pattern vector. By the parameter \(`d`\), the generalized \(`\epsilon - differential \quad privacy`\) definition is designed (add \(`d`\) as a parameter of \(`e^{\epsilon d}`\)).

d-private Access-pattern Obfuscation Mechanism

Add the two following part to SSE:

Obfuscate the access patterns: Add false positives and false negatives to the search results.
To handle the correctness issue: Introduce redundancy to the document collection using erasure codes.

The way to establish d-privacy APO

Define an access-pattern obfuscation mechanism \(`K`\) : \(`X \rightarrow Y`\) gives \(`\epsilon d_{h}-privacy`\), iff \(`\forall x,x' \in X`\) and \(`\forall S \subseteq Y`\) (using the Hamming distance \(`d_h`\))

Pr[K(x)\in S]\leqslant e^{\epsilon d_h(x,x')} \times Pr[K(x') \in S]

Define an obfuscation mechanism \(`K_f`\) such that, given an access pattern \(`x \in X`\), it outputs any \(`y \in Y`\) with probability

Pr[K_f(x)=y]=Pr[x|y]=\prod^n_{i=1}Pr[y_i|x_i]

Where

Pr[y_i=1|x_i=1]=p \qquad Pr[y_i=1|x_i=0]=q

Pr[y_i=0|x_i=1]=1-p \quad Pr[y_i=0|x_i=0]=1-q

Enforce two constraints on p and q to make the mechanism practical:

\(`Pr[y_i = 1|x_i = 0] < Pr[y_i = 1|x_i = 1]`\): non-matching shard should have a lower probability to be retrieved than a matching shard;
\(`Pr[y_i = 1|x_i = 0] < Pr[y_i = 0|x_i = 1]`\): non-matching shard should have a lower probability to be flipped than a matching shard.

Means that \(`q < p`\) and \(`q < 1-p`\). And find out that \(`\epsilon = ln(\frac{p}{q})`\).

By using the (m,k) erasure code, six parameter optimization conditions are established, and the values of all the variables required are obtained.

Workloads

Defined d-privacy for access patterns of general SSE schemes.
Proposed a d-private access-pattern obfuscation mechanism that is compatible with existing SSE schemes.
Implemented a prototype of the proposed obfuscation mechanism.

Evaluation

Based on the Enron Email Dataset.

Security

Baseline IKK attack on SSE with and without access-pattern obfuscation method.
Improved IKK attack (Adversary can successfully figure out which shards belong to the same documents) on SSE with and without access-pattern obfuscation method.

Performance

Storage and Communication Overhead
Precision
Runtime Overhead (build SSE local)