Searchable Encryption

Nagendra Posani

Georgia Institute of Technology

December 12, 2016

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 1 / 24

Data breaches

Become the norm rather than the exception!

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 2 / 24

Data breaches

Become the norm rather than the exception!

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 2 / 24

Data breaches

Become the norm rather than the exception!

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 2 / 24

Data breaches

Become the norm rather than the exception!

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 2 / 24

Data breaches

Become the norm rather than the exception!

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 2 / 24

Motivation

Data can be sensitive.

Server may be untrusted or subject to attacks.

Obvious solution is encryption

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 3 / 24

Goals

Search Functionality

Efficiency

Security

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 4 / 24

How to encrypt data?

Encrypting with ”good” encryption schemes solves privacy, butfunctionality?

Search query becomes problematic since good encryption schemesencrypt plaintext differently (randomize ciphertexts)

Figure: Searchable Database

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 5 / 24

Literature

Order Preserving Encryption (OPE) [1], [2]

Variants of OPE [3]

Partical Order Preserving Encryption (POPE) [4]

Order Revealing Encryption (ORE) [5], [6]

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 6 / 24

Order Preserving Encryption

A symmetric encryption scheme is order preserving if encryptionmaintains order relations

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 7 / 24

Range Queries in OPE

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 8 / 24

Security Notion for OPE

Provable security notions: IND-CPA?

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 9 / 24

Security Notion for OPE

Provable security notions: IND-CPA? No

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 10 / 24

Security Notion for OPE

Provable security notions: IND-CPA? No

IND-OrderedCPA?

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 11 / 24

Security Notion for OPE

Provable security notions: IND-CPA? No

IND-OrderedCPA? No

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 12 / 24

Alternative Security Notions for OPE

Provable security notions: IND-CPA? No

IND-OCPA? No

POPF Secure? PRF style definition

No, reveals half of the plaintext bits.

ROPF - (r,z) Window One-Wayness Secure?

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 13 / 24

Alternative Security Notions for OPE

Provable security notions: IND-CPA? No

IND-OCPA? No

POPF Secure? PRF style definition

No, reveals half of the plaintext bits.

ROPF - (r,z) Window One-Wayness Secure

Secure for small r, and insecure for large r (Corresponding lowerboundaries and upper boundaries are defined)

Similarly, (r, z) Distance Window One-Wayness Secure.

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 14 / 24

Order Revealing Encryption

Generalized form of OPE

Lets define for small domain messages {0,1,2,...,N}

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 15 / 24

How to encrypt in ORE?

Defined for small plaintext space, keys k1,K2, ...KN are derived fromPRF.

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 16 / 24

Encryption in ORE

Encrypt with the keys

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 17 / 24

Encryption in ORE

For comparison we give the key, but security?

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 18 / 24

Encryption in ORE

Solution: apply random permutation π (part of the secret key) to theslots

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 19 / 24

Encryption in ORE

Extending it to large domain plaintext space.

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 20 / 24

Partial Order Preserving Encryption (POPE)

Server stores a partially ordered B-tree

Every node contains an unordered buffer of key/value pairs

Non-leaf nodes also have a small ordered list of ciphertexts

Encryption uses any (randomized) symmetric cipher

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 21 / 24

Landscape comparision

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 22 / 24

References I

Y. Lee A. Boldyreva, N. Chenette and A. O’Neill.Order-preserving symmetric encryption.EUROCRYPT 2009, volume 5479, 2009.

N. Chenette A. Boldyreva and A. O’Neill.Order-preserving encryption revisited: Improved security analysis andalternative solutions.CRYPTO 2011.

David Cash F. Betl Durak, Thomas M. DuBuisson.What else is revealed by order-revealing encryption?ACM CCS, 2016.

Seung Geol Choi Daniel S. Roche, Daniel Apon.Pope: Partial order preserving encoding.ACM CCS, 2016.

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 23 / 24

References II

M. Raykova A. Sahai M. Zhandry D. Boneh, K. Lewi andJ. Zimmerman.Semantically secure order-revealing encryption: Multi-input functionalencryption without obfuscation.EUROCRYPT 2015.

Kevin Lewi and David J. Wu.Order-revealing encryption: New constructions, applications, andlower bounds.ACM CCS, 2016.

Nagendra Posani (GaTech) Searchable Encryption December 12, 2016 24 / 24