Note: Differentially Private Access Patterns for Searchable Symmetric Encryption
The Core Issues and Ideas of This Paper
Problem
- Baseline Searchable Symmetric Encryption (SSE) could not avoid access-pattern leakage.
- ORAM algorithm performance is extremely low and cannot be applied in practice.
Idea
Solve the Access-pattern Leakage of current SSE by introducing differential privacy.
Important knowledge
Searchable Symmetric Encryption (SSE)
An SSE scheme is a tuple (KeyGen, BuildIndex, Token, Search, SKE) and asymmetric key encryption scheme.
- (\(`K_I`\), \(`K_D`\) ) ← KeyGen(\(`1^\kappa`\) ): Probabilistic key generation.
- Security parameter \(`\kappa`\): input.
- Secret key \(`K_I`\): For the secure index,
- Secret key \(`K_D`\) ← SKE.Gen(\(`1^\kappa`\)): For the document collection.
- \(`I`\) ← BuildIndex(\(`K_I`\), \(`(D, W)`\)): Probabilistic algorithm for the client to build a secure index.
- \(`K_I`\): input.
- \(`D`\): Document collection.
- \(`W`\): keyword lists W.
- \(`I`\): Secure index.
- \(`\tau`\) ← Token(\(`K_I`\), \(`w`\)): (Probabilistic) algorithm for the client to generate search tokens.
- \(`R`\) ← Search(\(`I`\), \(`\tau`\)): Deterministic algorithm for the server.
- \(`R`\): Document identifications.
- \(`c`\) ← SKE.Enc(\(`K_D`\), \(`D`\)): Probabilistic algorithm for the client to encrypt the document collection.
- \(`D`\) ← SKE.Dec(\(`K_D`\), \(`c`\)): Deterministic algorithm for the client to decrypt a ciphertext of a document.
Access-pattern Leakage
In the practical application of SSE, there is Access-pattern Leakage. The main reasons are list as flow:
- The cloud server is able to observe which files are accessed in the encrypted database by the client.
- To be used in practice, most existing SSE schemes allow it.
- With some a priori knowledge of the outsourced documents, the adversary could recover the content of the queries with high accuracy.
Query Recovery Attack (IKK Attack)
IKK attack is a typical attack method for SSE with Access-pattern Leakage.
Assumption
The adversary has the knowledge of a (\(`r\times r`\) matrix \(`M`\) that depicts the probability of keyword co-occurrence (r is the number of keywords).
Method
- Compute \(`l\times l`\) co-occurrence matrix \(`\hat{M}`\) by the observed access patterns(a sub-matrix of \(`M`\)).
- The best match of \(`\hat{M}`\) to \(`M`\) can be generated by optimization methods (e.g. Simulated Annealing).
ORAM Algorithm
This algorithm allows SSE to defend against Access-pattern Leakage (with IKK attack method), but has serious performance problems and is of low practical value.
- Allows a client to hide its access pattern from the remote server by continuously shuffling and re-encrypting data as they are accessed.
- Access one of n documents in the storage, at least o(log n) documents need to be accessed. [Too much overhead for SSE]
Differential Privacy
Differential Privacy introduction: The Differential Privacy Frontier (Extended Abstract)
Assuming a positive real number \(`\epsilon`\), \(`A`\) is a random algorithm that takes a data set as input (representing the data owned by the relying party). \(`imA`\) represents the mapping of \(`A`\). For all data sets \(`D_1`\) and \(`D_2`\) of non-single elements (i.e., one person's data) and all subsets \(`S`\) of \(`imA`\), algorithm \(`A`\) is \(`\epsilon - differential \quad privacy`\), where the probability depends on the randomness of the algorithm.
Pr[A(D_1)\in S]\leqslant e^\epsilon \times Pr[A(D_2) \in S]
If an attacker is required to receive a \(`Q_i`\) (\(`i_{th}`\) query) value through a \(`\epsilon - differential \quad privacy`\) algorithm, he will not be able to distinguish between the two data sets if \(`\epsilon`\) is small enough.
Erasure Coding
The erasure code is the main method for adding redundancy to the Secure index.
Notes on erasure codes that I have posted on cnblogs
Key points
Assumption
- Adversary has complete knowledge of the document collection.
- Server simply passively monitors the storage access patterns and infers the content of the corresponding queries.
Why Introduce Differential Privacy for SSE
Differential privacy is a strong privacy guarantee for an individual’s input to a (randomized) function or sequence of functions.
Differential Privacy rules imply that the adversary cannot distinguish between queries using distinct search terms that induce access patterns that are within the specified distance of one another.
d-privacy
Here, \(`d`\) represents the Hamming distance in the access-pattern vector. By the parameter \(`d`\), the generalized \(`\epsilon - differential \quad privacy`\) definition is designed (add \(`d`\) as a parameter of \(`e^{\epsilon d}`\)).
d-private Access-pattern Obfuscation Mechanism
Add the two following part to SSE:
- Obfuscate the access patterns: Add false positives and false negatives to the search results.
- To handle the correctness issue: Introduce redundancy to the document collection using erasure codes.
The way to establish d-privacy APO
Define an access-pattern obfuscation mechanism \(`K`\) : \(`X \rightarrow Y`\) gives \(`\epsilon d_{h}-privacy`\), iff \(`\forall x,x' \in X`\) and \(`\forall S \subseteq Y`\) (using the Hamming distance \(`d_h`\))
Pr[K(x)\in S]\leqslant e^{\epsilon d_h(x,x')} \times Pr[K(x') \in S]
Define an obfuscation mechanism \(`K_f`\) such that, given an access pattern \(`x \in X`\), it outputs any \(`y \in Y`\) with probability
Pr[K_f(x)=y]=Pr[x|y]=\prod^n_{i=1}Pr[y_i|x_i]
Where
Pr[y_i=1|x_i=1]=p \qquad Pr[y_i=1|x_i=0]=q
Pr[y_i=0|x_i=1]=1-p \quad Pr[y_i=0|x_i=0]=1-q
Enforce two constraints on p and q to make the mechanism practical:
- \(`Pr[y_i = 1|x_i = 0] < Pr[y_i = 1|x_i = 1]`\): non-matching shard should have a lower probability to be retrieved than a matching shard;
- \(`Pr[y_i = 1|x_i = 0] < Pr[y_i = 0|x_i = 1]`\): non-matching shard should have a lower probability to be flipped than a matching shard.
Means that \(`q < p`\) and \(`q < 1-p`\). And find out that \(`\epsilon = ln(\frac{p}{q})`\).
By using the (m,k) erasure code, six parameter optimization conditions are established, and the values of all the variables required are obtained.
Workloads
- Defined d-privacy for access patterns of general SSE schemes.
- Proposed a d-private access-pattern obfuscation mechanism that is compatible with existing SSE schemes.
- Implemented a prototype of the proposed obfuscation mechanism.
Evaluation
Based on the Enron Email Dataset.
Security
- Baseline IKK attack on SSE with and without access-pattern obfuscation method.
- Improved IKK attack (Adversary can successfully figure out which shards belong to the same documents) on SSE with and without access-pattern obfuscation method.
Performance
- Storage and Communication Overhead
- Precision
- Runtime Overhead (build SSE local)
Note: Differentially Private Access Patterns for Searchable Symmetric Encryption的更多相关文章
- 安卓开发笔记(十六):'Request(okhttp3.Request.Builder)' has private access in 'okhttp3.Request
当出现了'Request(okhttp3.Request.Builder)' has private access in 'okhttp3.Request的错误的时候,实际上是我们在写代码的时候少打了 ...
- Public Private Protect Inheritance and access specifiers
In the previous lessons on inheritance, we've been making all of our data members public in order to ...
- Ehcache(2.9.x) - API Developer Guide, Cache Usage Patterns
There are several common access patterns when using a cache. Ehcache supports the following patterns ...
- MySQL ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)的真正原因
在博客Linux mysql 5.6: ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: N ...
- Scala access modifiers and qualifiers in detail
来自:http://www.jesperdj.com/2016/01/08/scala-access-modifiers-and-qualifiers-in-detail/ Just like Jav ...
- MySQL ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO
MySQL安装完server端和客户端后,登录Mysql时报错:[root@rhel204 MySQL 5.6.23-RMP]# mysqlERROR 2002 (HY000): Can't conn ...
- [LeetCode] 351. Android Unlock Patterns 安卓解锁模式
Given an Android 3x3 key lock screen and two integers m and n, where 1 ≤ m ≤ n ≤ 9, count the total ...
- swift 中关于open ,public ,fileprivate,private ,internal,修饰的说明
关于 swift 中的open ,public ,fileprivate,private, internal的区别 以下按照修饰关键字的访问约束范围 从约束的限定范围大到小的排序进行说明 open,p ...
- 访问修饰符private
private(C# 参考) private 关键字是一个成员访问修饰符. 私有访问是允许的最低访问级别. 私有成员只有在声明它们的类和结构体中才是可访问的,如下例所示: class Employee ...
随机推荐
- SpringMVC简单实例(看起来有用)
SpringMVC简单实例(看起来有用) 参考: SpringMVC 基础教程 简单入门实例 - CSDN博客http://blog.csdn.net/swingpyzf/article/detail ...
- Delphi操作XML - 冰雪傲骨
Delphi操作XMl,只要使用 NativeXml.我是用的版本是4..NativeXML的使用方法比较简单,但是功能很强大. XE2的话,要在simdesign.inc后面加上: // Delph ...
- Python基础-列表推导式
python中列表推导式有三种数据类型可用:列表,字典,集合 列表推导式书写形式: [表达式 for 变量 in 列表] 或者 [表达式 for 变量 in 列表 if 条件] 1,列表推导式 ...
- es6的foreach循环遍历
forEach forEach是Array新方法中最基本的一个,就是遍历,循环.例如下面这个例子: 结果: 这段代码相当于: for (var k = 0, length = array.length ...
- IE input 去掉文本框的叉叉和密码输入框的眼睛图标
::-ms-clear, ::-ms-reveal{display: none;}
- POJ-2564 01背包问题
#include"cstdio" #include"cstring" #include"algorithm" using namespace ...
- qduoj 218 签到题
Description a坤和大明在一块由n个方块组成的棋盘(1 × n)上做游戏.一开始a坤在棋盘上放了k个矩形并且没有告诉大明具体位置.每个矩形都占a个连续方块(1 × a),任意两个矩形不可重叠 ...
- 错误名称:Uncaught SyntaxError: Unexpected identifier
控制台输出: 1.谷歌:Uncaught SyntaxError: Unexpected identifier 2.火狐:SyntaxError: missing ] after element li ...
- ACM学习历程—ZOJ3785 What day is that day?(数论)
Description It's Saturday today, what day is it after 11 + 22 + 33 + ... + NN days? Input There are ...
- Sublime Text 全程指南(转载)
摘要(Abstract) 本文系统全面的介绍了Sublime Text,旨在成为最优秀的Sublime Text中文教程. 更新记录 2014/09/27:完成初稿 2014/09/28: 更正打开控 ...