a review of database reconstructionbminaud/slides/db-rec-brown.pdfbig picture 33 access pattern...
TRANSCRIPT
![Page 1: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/1.jpg)
A Review of Database Reconstruction
Brice Minaud (Inria/ENS)
joint work with: Paul Grubbs (Cornell), Marie-Sarah Lacharité (RHUL), Kenny Paterson (ETH)
[LMP18] (S&P 2018), [GLMP18] (CCS 2018), [GLMP19] (S&P 2019)
ICERM workshop, Brown University, 2019
![Page 2: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/2.jpg)
Outsourcing Data
2
Data upload
Data access
Client Server
Searchable Encryption: encrypted database allowing search queries. In the static case: no updates.
Adversary: honest-but-curious host server.
Security goal: confidentiality of data and queries.
![Page 3: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/3.jpg)
Security Model
3
Generic solutions (FHE) are infeasible at scale → for efficiency reasons, some leakage is allowed.
Client Adversarial Server
Data upload
Data access
Security model: parametrized by a leakage function L.
Server learns nothing except for the output of the leakage function.
Server learns
L(query, DB)
![Page 4: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/4.jpg)
Keyword Search
4
Data upload
Search queryMatching records
Client Server
Symmetric Searchable Encryption (SSE) = keyword search:
• Data = collection of documents. e.g. messages.
• Serch query = find documents containing given keyword(s).
![Page 5: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/5.jpg)
Beyond Keyword Search
5
Data upload
Search queryMatching records
Client Server
For an encrypted database management system:
• Data = collection of records. e.g. health records.
• Basic query examples: - find records with given value. e.g. patients aged 57. - find records within a given range. e.g. patients aged 55-65.
![Page 6: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/6.jpg)
Range Queries
6
In this talk: range queries.‣Fundamental for any encrypted DB system.‣Many constructions out there.‣Simplest type of query that can't “just” be handled by an index.
Natural solutions:
Order-Preserving, Order-Revealing Encryption.
- Plaintexts are ordered, ciphertexts are ordered.
- The encryption map preserves order.
![Page 7: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/7.jpg)
0
30
60
90
0% 25% 50% 75% 100%Records below age
Age
15
Attacks Exploiting ORE*
7
‣“Sorting” attack: if every possible value appears in the DB...Just sort the ciphertexts and you learn their value!
‣“CDF-matching” attack: say the attacker has an approximation of the Cumulative Distribution Function of DB values...
3 11 5 1 8 7 10 6 2 4 91 2 3 4 5 6 7 8 9 10 11
*not L/R ORE.
![Page 8: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/8.jpg)
Leakage-Abuse Attacks
8
→ “Second-generation” schemes enable range queries without relying on OPE/ORE.
“Leakage-abuse attacks” (coined by Cash et al. CCS'15):
‣ Do not contradict security proofs.
‣ Can be devastating in practice.
ORE: order information can be used to infer (approximate) values. Leaking order is too revealing.
![Page 9: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/9.jpg)
Cryptanalysis and Leakage Abuse
9
What is the point of these attacks?
- Understand concrete security implications of leakage.
- “Impossibility results” → help guide design.
Approach: consider general settings. Pioneered by [KKNO16].
Here:
‣ Range queries.
‣ Passive, persistent adversary. No injections, no chosen queries.
![Page 10: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/10.jpg)
Roadmap
10
1. Access pattern leakage.
3. Volume leakage.
![Page 11: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/11.jpg)
Access Pattern Leakage
1 3
![Page 12: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/12.jpg)
Range Queries
12
Range = [40,100]
Client Server
451
833
451
62
833
284
What can the server learn from the above leakage?
SE schemes supporting range queries are proven secure w.r.t. a leakage function including access pattern leakage.
Let N = number of possible values.
![Page 13: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/13.jpg)
KKNO16 Attack
13
1 N
Less probable More probableAssume a uniform distribution on range queries.
Idea: for each record...1. Count frequency at which the record is hit. → gives estimate of probability it’s hit by uniform query. 2. deduce estimate of its value by “inverting” f.
values
f
Induces a distribution f on the prob. that a given value is hit.
![Page 14: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/14.jpg)
KKNO16 Attack
14
1 N
Step 1: for every record, estimate prob of the record being hit.
Step 2: “invert” f.
f
values
After O(N4 log N) uniform queries, previous alg. recovers the exact value of all records.
Step 3: break the symmetry, i.e. reconcile which values are on the same side of N/2.
![Page 15: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/15.jpg)
KKNO16 Attack
15
After O(N4 log N) uniform queries, previous alg. recovers the exact value of all records.
Remarks:
- Requires uniform distribution.
- Expensive. In fact, uses up all possible leakage information!
- Lower bound of Ω(N4).
![Page 16: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/16.jpg)
Revisiting the Analysis, Part I [GLMP19]
16
1 N
Step 1: for every record, estimate distance to anchor.
Step 2: “invert” f.
f
values
Step 3: break the symmetry, i.e. reconcile which values are on the same side of N/2.
costs a square factor!
Step 0: find suitable “anchor” record.
⚓f
costs a constant factor!
After O(N4 log N) uniform queries, previous alg. recovers the exact value of all records.
After O(N2 log N) uniform queries, previous alg. recovers the exact value of all records.
![Page 17: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/17.jpg)
Cheaper KKNO16 attack
17
After O(N2 log N) uniform queries, previous alg. recovers the exact value of all records.
Remarks:
- Requires uniform distribution.
- Requires existence of a favorably placed record.
- Still fairly expensive.
- Lower bound of Ω(N2). Can't hope to get below.
![Page 18: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/18.jpg)
Approximate Reconstruction
18
Strongest goal: full database reconstruction = recovering the exact value of every record.More general: approximate database reconstruction = recovering all values within εN.
ε = 0.05 is recovery within 5%. ε = 1/N is full recovery.
(“Sacrificial” recovery: values very close to 1 and N are excluded.)
![Page 19: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/19.jpg)
Database Reconstruction
19
[KKNO16]: full reconstruction in O(N 4 log N) queries.
[GLMP19]:‣ O(ε-4 log ε-1) for approx. reconstruction.‣ O(ε-2 log ε-1) with mild hypothesis.
Full. Rec.
O(N4 log N)O(N2 log N)
Lower BoundΩ(ε-4)Ω(ε-2)
recovers
Scale-free: does not depend on size of DB or number of possible values.→ Recovering all values in DB within 5% costs O(1) queries!
Analysis: uses VC theory + draws connection to machine learning. See Paul's talk!
![Page 20: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/20.jpg)
Intuition for Scale-Freeness
20
1 N
Step 1: for every record, estimate prob of the record being hit.
Step 2: “invert” f.
f
values
Instead of support = integers 1 to N, take reals [0,1].
...so “N = ∞” !
0 1
The previous algorithm still works!
![Page 21: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/21.jpg)
On the i.i.d. Assumption
21
+ Scale-freeness. N and DB size irrelevant for query complexity.
- We are assuming uniformly distributed queries.
In reality we are assuming:‣Queries are uniform.‣ The adversary knows the query distribution.‣Queries are independent and identically distributed.
This is not realistic.
What can we learn without that hypothesis?
![Page 22: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/22.jpg)
Order Reconstruction
P
Q...
...
![Page 23: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/23.jpg)
Problem Statement
23
Range = [40,100]
Client Server
451
833
451
62
833
284
This time we don't assume i.i.d. queries, or knowledge of their distribution.
What can the server learn from the above leakage?
![Page 24: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/24.jpg)
Range Query Leakage
24
Query A matches records a, b, c.Query B matches records b, c, d.
→ we learn that records b, c are between a and d.
We learn something about the order of records.
Then this is the only configuration (up to symmetry)!
0 NA
a b c d
B
![Page 25: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/25.jpg)
Range Query Leakage
25
Query A matches records a, b, c.Query B matches records b, c, d.Query C matches records c, d.
Then the only possible order is a, b, c, d (or d, c, b, a)!
0 NA
a b c d
BC
Challenges:‣How do we extract order information? (What algorithm?)‣How do we quantify and analyze how fast order is
learned as more queries are observed?
![Page 26: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/26.jpg)
Challenge 1: the Algorithm
26
Short answer: there is already an algorithm!
X: linearly ordered set. Order is unknown.
You are given a set S containing some intervals in X.
A PQ tree is a compact (linear in |X|) representation of the set of all permutations of X that are compatible with S.
Long answer: PQ-trees.
Note: was used in [DR13], didn’t target reconstruction.
Can be updated in linear time.
![Page 27: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/27.jpg)
PQ Trees
27
P
a b c
Order is completely unknown.‣ any permutation of abc.
a b c
Q Order is completely known (up to reflection).‣ abc’or ‘cba’.
P
d e
a b c
QCombines in the natural way.
‣ ‘abcde’, ‘abced’, ‘dabce’, ‘eabcd’, ‘deabc’, ‘edabc’, ‘cbade’ etc.
![Page 28: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/28.jpg)
Full Order Reconstruction
28
P
No informationr1 r2 r3 …… ……
Q
r1 r2 r3
Full reconstruction
observe enough queries
We want to quantify order learning...
![Page 29: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/29.jpg)
……
Challenge 2a: Quantify Order Learning
29
P Q
No informationr1 r2 r3 …… r1 r2 r3
Full reconstruction
ε-Approximate order reconstruction.
Roughly: we learn the order between two records as soon as their values are ≥ εN apart. (ε = 1/N is full reconstruction)
Note: compatible with “ORE-style” CDF matching.
![Page 30: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/30.jpg)
……
Approximate Order Reconstruction
30
P Q
No informationr1 r2 r3 …… r1 r2 r3
Full reconstruction
……
Q
Diameter ≤ εN
… … …
ε-Approximate reconstruction
#queries?
#queries?
![Page 31: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/31.jpg)
……
Approximate Order Reconstruction
31
P Q
No informationr1 r2 r3 …… r1 r2 r3
Full reconstruction
……
Q
… … …ε-Approximate reconstruction
O(N log N) queries
O(ε-1 log ε-1) queries
Note: some (weak) assumptions are swept under the rug.
Conclusion: learn order very quickly.
![Page 32: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/32.jpg)
Experiments
32
0 100 200 300 400 500Number of queries
0.00
0.02
0.04
0.06
0.08
0.10
0.12
Sym
met
ric
valu
e/bu
cket
diam
eter
(as
afrac
tion
ofN
)
Max. sacrificed symmetric value
N = 100
N = 1000
N = 10000
N = 100000
Max. bucket diameter
N = 100
N = 1000
N = 10000
N = 100000
✏�1 log ✏�1✏�1 log ✏�1
ApproxOrder experimental resultsR = 1000, compared to theoretical ✏-net bound
0 100 200 300 400 500Number of queries
0.00
0.02
0.04
0.06
0.08
0.10
0.12
Sym
met
ric
valu
e/bu
cket
diam
eter
(as
afrac
tion
ofN
)
Max. sacrificed symmetric value
N = 100
N = 1000
N = 10000
N = 100000
Max. bucket diameter
N = 100
N = 1000
N = 10000
N = 100000
✏�1 log ✏�1✏�1 log ✏�1
ApproxOrder experimental resultsR = 1000, compared to theoretical ✏-net bound
0 100 200 300 400 500Number of queries
0.00
0.02
0.04
0.06
0.08
0.10
0.12
Sym
met
ric
valu
e/bu
cket
diam
eter
(as
afrac
tion
ofN
)
Max. sacrificed symmetric value
N = 100
N = 1000
N = 10000
N = 100000
Max. bucket diameter
N = 100
N = 1000
N = 10000
N = 100000
✏�1 log ✏�1✏�1 log ✏�1
ApproxOrder experimental resultsR = 1000, compared to theoretical ✏-net bound
010
020
030
040
050
0N
umber
ofqu
erie
s
0.00
0.02
0.04
0.06
0.08
0.10
0.12
Symmetricvalue/bucketdiameter(asafractionofN)
Max
.sa
crifi
ced
sym
met
ric
valu
e
N=
100
N=
1000
N=
1000
0
N=
1000
00
Max
.bu
cket
diam
eter
N=
100
N=
1000
N=
1000
0
N=
1000
00
✏�1
log
✏�1
✏�1
log
✏�1
ApproxO
rder
expe
rim
enta
lre
sults
R=
1000
,co
mpa
red
toth
eore
tica
l✏-
net
boun
d
![Page 33: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/33.jpg)
Big Picture
33
Access Pattern
leaks order
+ query dist. (KKNO)
leaks values+ data dist. (GLMP19)
+ search p. (MT19, KPT19)
+ density
- Resilient, scale-free attacks.
- Effective in practice in some realistic scenarios.
- Watch out for additional leakage. E.g.:‣ Search pattern.‣ Rank information (e.g. L/R ORE). Damaging for low #queries.
![Page 34: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/34.jpg)
Volume Leakage
7
1
13
3
11
8
10
20
![Page 35: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/35.jpg)
Problem Statement
35
Range = [40,100]
Client Server
451
833
451
62
833
284
What can the server learn from the above leakage?
Attacker only sees volumes = number of records matching each query.
2 matches
![Page 36: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/36.jpg)
Volumes
36
3 7 1 12
1 2 3 4Value
Counts
A volume = number of records matching some range.
8
13
Some volumes
The attacker wants to learn exact counts.
![Page 37: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/37.jpg)
KKNO16 Volume Attack
37
Step 1: recover exact probability of every volume ➔ number of queries that have each volume.
Step 2: express and solve equation system linking above data back to DB counts. (Ends up as polynomial factorization.)
Assume uniform queries.
After O(N4 log N) uniform queries, previous alg. recovers all DB counts.
Remarks:
- Requires uniform distribution.
- Expensive. In fact, uses up all possible leakage information!
- Lower bound of Ω(N4).
![Page 38: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/38.jpg)
Elementary Volumes [GLMP18]
38
3 7 1 12
1 2 3 4Value
Counts
3
10
11
23
“Elementary” ranges
Elementary volumes = volumes of ranges [1,1], [1,2], [1,3]...
![Page 39: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/39.jpg)
Elementary Volumes
39
3 7 1 12
1 2 3 4Value
Counts
‣Knowing set of elementary volumes ⇔ knowing counts.
vol([a,b]) = vol([1,b]) - vol([1,a])
‣Every volume is = difference of two elementary volumes.so...
Fact:
Our goal: finding elementary volumes.
![Page 40: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/40.jpg)
The Attack
40
Assumption: the volumes of all queries are observed.
7
12
23
1
13
311
8
10
20
Draw an edge between volumes a and b iff |b-a| is a volume.
7
12
23
1
13
311
8
10
20
7
12
23
1
13
311
8
10
20
7
12
23
1
13
311
8
10
20
7
12
23
1
13
311
8
10
20
![Page 41: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/41.jpg)
Summary
41
Attack: elementary volumes form a clique in the volume graph → clique-finding algorithm reveals them.
For structured queries, even just volume leakage can be quite damaging. Attack requires strong assumption.
In the article:
‣Pre-processing to avoid clique finding.
‣Analysis of parameters + experiments.
‣Other attacks.
![Page 42: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/42.jpg)
Conclusion
![Page 43: A Review of Database Reconstructionbminaud/slides/DB-rec-Brown.pdfBig Picture 33 Access Pattern leaks order + query dist. (KKNO) + data dist. (GLMP19) leaks values + search p. (MT19,](https://reader036.vdocuments.net/reader036/viewer/2022071115/5ff82a4dfaecdd7d8052b23d/html5/thumbnails/43.jpg)
Conclusion
43
Access pattern:
- Resilient, scale-free attacks.
- Effective in practice in some realistic scenarios.
➔ non-trivial countermeasures are required.
Volume attacks:
- Fragile attacks. Currently.
- Expensive query complexity O(N2 log N).
- Unsatisfactory: limits of attacks not clear.
➔ “simple” countermeasures might be enough in most scenarios.
Some open problems: mixed queries, scale-free volumes.