The Core Issues and Ideas of This Paper

Problem

  • Baseline Searchable Symmetric Encryption (SSE) could not avoid access-pattern leakage.
  • ORAM algorithm performance is extremely low and cannot be applied in practice.

Idea

Solve the Access-pattern Leakage of current SSE by introducing differential privacy.

Important knowledge

Searchable Symmetric Encryption (SSE)

An SSE scheme is a tuple (KeyGen, BuildIndex, Token, Search, SKE) and asymmetric key encryption scheme.

  • (\(`K_I`\), \(`K_D`\) ) ← KeyGen(\(`1^\kappa`\) ): Probabilistic key generation.

    • Security parameter \(`\kappa`\): input.
    • Secret key \(`K_I`\): For the secure index,
    • Secret key \(`K_D`\) ← SKE.Gen(\(`1^\kappa`\)): For the document collection.
  • \(`I`\) ← BuildIndex(\(`K_I`\), \(`(D, W)`\)): Probabilistic algorithm for the client to build a secure index.
    • \(`K_I`\): input.
    • \(`D`\): Document collection.
    • \(`W`\): keyword lists W.
    • \(`I`\): Secure index.
  • \(`\tau`\) ← Token(\(`K_I`\), \(`w`\)): (Probabilistic) algorithm for the client to generate search tokens.
  • \(`R`\) ← Search(\(`I`\), \(`\tau`\)): Deterministic algorithm for the server.
    • \(`R`\): Document identifications.
  • \(`c`\) ← SKE.Enc(\(`K_D`\), \(`D`\)): Probabilistic algorithm for the client to encrypt the document collection.
  • \(`D`\) ← SKE.Dec(\(`K_D`\), \(`c`\)): Deterministic algorithm for the client to decrypt a ciphertext of a document.

Access-pattern Leakage

In the practical application of SSE, there is Access-pattern Leakage. The main reasons are list as flow:

  • The cloud server is able to observe which files are accessed in the encrypted database by the client.
  • To be used in practice, most existing SSE schemes allow it.
  • With some a priori knowledge of the outsourced documents, the adversary could recover the content of the queries with high accuracy.

Query Recovery Attack (IKK Attack)

IKK attack is a typical attack method for SSE with Access-pattern Leakage.

Assumption

The adversary has the knowledge of a (\(`r\times r`\) matrix \(`M`\) that depicts the probability of keyword co-occurrence (r is the number of keywords).

Method

  1. Compute \(`l\times l`\) co-occurrence matrix \(`\hat{M}`\) by the observed access patterns(a sub-matrix of \(`M`\)).
  2. The best match of \(`\hat{M}`\) to \(`M`\) can be generated by optimization methods (e.g. Simulated Annealing).

ORAM Algorithm

This algorithm allows SSE to defend against Access-pattern Leakage (with IKK attack method), but has serious performance problems and is of low practical value.

  • Allows a client to hide its access pattern from the remote server by continuously shuffling and re-encrypting data as they are accessed.
  • Access one of n documents in the storage, at least o(log n) documents need to be accessed. [Too much overhead for SSE]

Differential Privacy

Differential Privacy introduction: The Differential Privacy Frontier (Extended Abstract)

Assuming a positive real number \(`\epsilon`\), \(`A`\) is a random algorithm that takes a data set as input (representing the data owned by the relying party). \(`imA`\) represents the mapping of \(`A`\). For all data sets \(`D_1`\) and \(`D_2`\) of non-single elements (i.e., one person's data) and all subsets \(`S`\) of \(`imA`\), algorithm \(`A`\) is \(`\epsilon - differential \quad privacy`\), where the probability depends on the randomness of the algorithm.

Pr[A(D_1)\in S]\leqslant e^\epsilon \times Pr[A(D_2) \in S]

If an attacker is required to receive a \(`Q_i`\) (\(`i_{th}`\) query) value through a \(`\epsilon - differential \quad privacy`\) algorithm, he will not be able to distinguish between the two data sets if \(`\epsilon`\) is small enough.

Erasure Coding

The erasure code is the main method for adding redundancy to the Secure index.

Notes on erasure codes that I have posted on cnblogs

Key points

Assumption

  • Adversary has complete knowledge of the document collection.
  • Server simply passively monitors the storage access patterns and infers the content of the corresponding queries.

Why Introduce Differential Privacy for SSE

Differential privacy is a strong privacy guarantee for an individual’s input to a (randomized) function or sequence of functions.

Differential Privacy rules imply that the adversary cannot distinguish between queries using distinct search terms that induce access patterns that are within the specified distance of one another.

d-privacy

Here, \(`d`\) represents the Hamming distance in the access-pattern vector. By the parameter \(`d`\), the generalized \(`\epsilon - differential \quad privacy`\) definition is designed (add \(`d`\) as a parameter of \(`e^{\epsilon d}`\)).

d-private Access-pattern Obfuscation Mechanism

Add the two following part to SSE:

  • Obfuscate the access patterns: Add false positives and false negatives to the search results.
  • To handle the correctness issue: Introduce redundancy to the document collection using erasure codes.

The way to establish d-privacy APO

Define an access-pattern obfuscation mechanism \(`K`\) : \(`X \rightarrow Y`\) gives \(`\epsilon d_{h}-privacy`\), iff \(`\forall x,x' \in X`\) and \(`\forall S \subseteq Y`\) (using the Hamming distance \(`d_h`\))

Pr[K(x)\in S]\leqslant e^{\epsilon d_h(x,x')} \times Pr[K(x') \in S]

Define an obfuscation mechanism \(`K_f`\) such that, given an access pattern \(`x \in X`\), it outputs any \(`y \in Y`\) with probability

Pr[K_f(x)=y]=Pr[x|y]=\prod^n_{i=1}Pr[y_i|x_i]

Where

Pr[y_i=1|x_i=1]=p \qquad Pr[y_i=1|x_i=0]=q
Pr[y_i=0|x_i=1]=1-p \quad Pr[y_i=0|x_i=0]=1-q

Enforce two constraints on p and q to make the mechanism practical:

  • \(`Pr[y_i = 1|x_i = 0] < Pr[y_i = 1|x_i = 1]`\): non-matching shard should have a lower probability to be retrieved than a matching shard;
  • \(`Pr[y_i = 1|x_i = 0] < Pr[y_i = 0|x_i = 1]`\): non-matching shard should have a lower probability to be flipped than a matching shard.

Means that \(`q < p`\) and \(`q < 1-p`\). And find out that \(`\epsilon = ln(\frac{p}{q})`\).

By using the (m,k) erasure code, six parameter optimization conditions are established, and the values of all the variables required are obtained.

Workloads

  • Defined d-privacy for access patterns of general SSE schemes.
  • Proposed a d-private access-pattern obfuscation mechanism that is compatible with existing SSE schemes.
  • Implemented a prototype of the proposed obfuscation mechanism.

Evaluation

Based on the Enron Email Dataset.

Security

  • Baseline IKK attack on SSE with and without access-pattern obfuscation method.
  • Improved IKK attack (Adversary can successfully figure out which shards belong to the same documents) on SSE with and without access-pattern obfuscation method.

Performance

  • Storage and Communication Overhead
  • Precision
  • Runtime Overhead (build SSE local)

Note: Differentially Private Access Patterns for Searchable Symmetric Encryption的更多相关文章

  1. 安卓开发笔记(十六):'Request(okhttp3.Request.Builder)' has private access in 'okhttp3.Request

    当出现了'Request(okhttp3.Request.Builder)' has private access in 'okhttp3.Request的错误的时候,实际上是我们在写代码的时候少打了 ...

  2. Public Private Protect Inheritance and access specifiers

    In the previous lessons on inheritance, we've been making all of our data members public in order to ...

  3. Ehcache(2.9.x) - API Developer Guide, Cache Usage Patterns

    There are several common access patterns when using a cache. Ehcache supports the following patterns ...

  4. MySQL ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)的真正原因

    在博客Linux mysql 5.6: ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: N ...

  5. Scala access modifiers and qualifiers in detail

    来自:http://www.jesperdj.com/2016/01/08/scala-access-modifiers-and-qualifiers-in-detail/ Just like Jav ...

  6. MySQL ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO

    MySQL安装完server端和客户端后,登录Mysql时报错:[root@rhel204 MySQL 5.6.23-RMP]# mysqlERROR 2002 (HY000): Can't conn ...

  7. [LeetCode] 351. Android Unlock Patterns 安卓解锁模式

    Given an Android 3x3 key lock screen and two integers m and n, where 1 ≤ m ≤ n ≤ 9, count the total ...

  8. swift 中关于open ,public ,fileprivate,private ,internal,修饰的说明

    关于 swift 中的open ,public ,fileprivate,private, internal的区别 以下按照修饰关键字的访问约束范围 从约束的限定范围大到小的排序进行说明 open,p ...

  9. 访问修饰符private

    private(C# 参考) private 关键字是一个成员访问修饰符. 私有访问是允许的最低访问级别. 私有成员只有在声明它们的类和结构体中才是可访问的,如下例所示: class Employee ...

随机推荐

  1. sqlite3简单教程整理

    一.Ubuntu下安装sqlite3 1.介绍:sqlite3是linux上的小巧的数据库,一个文件就是一个数据库. 2.安装:   要安装sqlite3,可以在终端提示符后运行下列命令:   sud ...

  2. Ubuntu application

    inkscape 矢量画图 gimp 类PS gpick 抓色工具 kdenlive 视频编辑 blender 3D Tweaks 外观设置 Krita 绘画工具 Fontforge 字体制作工具 B ...

  3. myeclipes如何调试web项目

    你可以右击项目,然后选中那个debug as,然后选择open debug dialog,在project中选择要运行的项目,sever中选择服务器,然后单击debug就ok了,,

  4. 【BZOJ 3238】差异 后缀自动机+树形DP

    题意 给定字符串,令$s_i$表示第$i$位开始的后缀,求$\sum_{1\le i < j \le n} len(s_i)+len(s_j)-2\times lcp(s_i,s_j)$ 先考虑 ...

  5. 文件操作类(QFileDialog、QFileInfo、QDir、QDirIterator、QFile)

    一.QFileDialog 用于弹出打开或保存对话框,然后返回选择的文件或文件夹 1.可以筛选所需要的文件类型 2.可以设置是否多选 3.可以设置保存还是打开 二.QFileInfo 保存了文件相关信 ...

  6. pthread_cond_wait()用法分析

    很久没看APUE,今天一位朋友问道关于一个mutex的问题,又翻到了以前讨论过的东西,为了不让自己忘记,把曾经的东西总结一下. 先大体看下网上很多地方都有的关于pthread_cond_wait()的 ...

  7. ASP里面令人震撼地自定义Debug类(VBScript)

    不知道用ASP写代码的朋友是不是和我有一样的感受,ASP中最头疼的就是调试程序的时候不方便 我想可能很多朋友都会用这样的方法“response.write ”,然后输出相关的语句来看看是否正确.前几天 ...

  8. BZOJ1206:[HNOI2005]虚拟内存

    我对模拟的理解:https://www.cnblogs.com/AKMer/p/9064018.html 题目传送门:https://www.lydsy.com/JudgeOnline/problem ...

  9. android开发 解析服务器端xml文件数据存储到android客户端SQLite数据库

    以下面xml文件为例对其解析(假设此xml就在服务器端Server项目下的servlet包下的MenuServlet文件的输出流中): <?xml version="1.0" ...

  10. netty中的引导Bootstrap服务端

    引导一个应用程序是指对它进行配置,并使它运行起来的过程. 一.Bootstrap 类 引导类的层次结构包括一个抽象的父类和两个具体的引导子类,如图 8-1 所示 服务器致力于使用一个父 Channel ...