Searching on Encrypted Data Without Revealing the Search Predicate
Ananth Raghunathan, Stanford University
(joint work with Dan Boneh & Gil Segev)
Searching on Encrypted Data (Boneh, Raghunathan, Segev) SINET ITSEF 2013
Public-Key Encryption
[Diagram: Alice, Bob; labels: public key, secret key, m, c, "Learns nothing!"]
More precisely: ≈ (to )
Public-Key Encryption with Keyword Search
Payment Routing Gateway
Scenario 1: Payment Gateway
Public-Key Encryption with Keyword Search
Email routing proxy
Scenario 2: Email forwarding
[Diagram labels: Assistant, Urgent!, Later]
Requirements
An encryption scheme that allows untrusted proxies to test for keywords (“tokens”)
– Without a token, the proxy learns nothing.
– With a token, the proxy learns whether the message contains the keyword or not, and nothing else.
– (Implied) Tokens are generated by the secret key holder.
PEKS definition (Boneh et al. ‘04)
[Diagram: Payment Routing Gateway; labels: public key, secret key, PEKS(pk, “BoA”), “BoA”, Tok_BoA, Tok_Chase, Tok_WF]
• PEKS(pk, w) is publicly computable
• Generating Tok_w requires the secret key
• Given Tok_BoA and PEKS(pk, w), the gateway can check if keyword w = “BoA” or not (algorithm Test)
Security: Overview
Informally: the attacker is given tokens of his choice and should not be able to Test for any w for which he does not have a token.
(to )
[Diagram: Payment Routing Gateway; labels: PEKS(pk, “BoA”), Tok_BoA, Tok_Chase, Tok_WF; result: Yes for “BoA”]
Security: Overview
Informally: the attacker is given tokens of his choice and should not be able to Test for any w for which he does not have a token.
(to )
[Diagram: Payment Routing Gateway; labels: PEKS(pk, “JP Morgan”), Tok_BoA, Tok_Chase, Tok_WF]
Predicate privacy
• Previous research did not consider information leaked by Tok
• Several schemes even explicitly leak w in Tok_w
• Motivation 1: Payment gateway
  – Routing information might be sensitive
  – Transactions tagged with “suspected fraudulent” or other attributes that affect routing but shouldn’t be revealed to a gateway
• Motivation 2: Encrypted email filter
  – Keywords are sensitive: “Urgent” keywords might leak information about personal life or medical data
• Can we model a realistic notion of predicate privacy?
• Can we construct schemes that satisfy predicate privacy?
Our work
• Model predicate privacy (“Tok_w leaks no more information than necessary”)
  – Closely related to program obfuscation
  – If attacker can guess w then he can check quickly: Compute PEKS(pk, w) and test if Tok outputs “yes” or “no”
  – Our definition: If the keyword w “cannot be guessed” by the attacker, then Tok_w ≈ Tok_random
• Constructions: First PEKS schemes with predicate privacy
  – We give a general approach to add predicate privacy to existing schemes
Email example: Proxy encrypts PEKS(pk, “Doctor’s appointment”) and sees whether Tok outputs Y or N
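The guessing check on this slide, as an added Python example (not from the talk or the authors' constructions): an insecure toy model of the PEKS / Tok / Test interface in which group elements are replaced by their exponents, so only the algebra is modelled. It shows why predicate privacy can only be asked for keywords that cannot be guessed; the function names, the prime Q and the keyword lists are assumptions made for the illustration.

```python
# Added toy model of the PEKS interface (KeyGen, PEKS, Tok, Test). NOT SECURE:
# group elements are stored as their exponents mod Q, so the "pairing" is a
# plain multiplication and pk reveals sk. It only models the algebra.
import hashlib
import secrets

Q = 2**255 - 19  # a known prime, used here as the (toy) group order


def h1(word):
    """Hash a keyword to a non-zero exponent (stand-in for hashing to the group)."""
    digest = hashlib.sha256(word.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def pair(x, y):
    """Toy bilinear map 'in the exponent': e(g^x, g^y) is stored as x*y mod Q."""
    return x * y % Q


def h2(gt):
    """Hash a target-group element to a short tag."""
    return hashlib.sha256(str(gt).encode()).hexdigest()


def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, sk  # toy only: a real pk = g^sk would hide sk


def peks(pk, word):
    """PEKS(pk, w): publicly computable, randomized searchable tag."""
    r = secrets.randbelow(Q - 1) + 1
    return r, h2(pair(h1(word), pk * r % Q))


def tok(sk, word):
    """Tok_w: needs the secret key. Note it is deterministic in w."""
    return h1(word) * sk % Q


def peks_test(token, tag):
    """Algorithm Test: does the tag carry the token's keyword?"""
    a, b = tag
    return h2(pair(token, a)) == b


def guess_keyword(pk, token, candidates):
    """The slide's check: encrypt each guess under pk and run Test on it."""
    return [w for w in candidates if peks_test(token, peks(pk, w))]
```

A token for a keyword from a small known list (the three constructed bank names) is identified by this check, while a token for a keyword outside the candidate list matches nothing.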
More expressive predicates
• A different formulation
  – Encrypt a tuple (id, m)
  – Secret key sk_p
  – Decryption algorithm given Enc(id, m) and sk_p recovers m only if p(id) = 1
• [Boneh et al. ‘04]: Equality predicate (point function)
• [Boneh-Waters ‘07]: Conjunctive, subset, and range queries
• [Katz-Sahai-Waters ‘08, Agrawal-Freeman-Vaikuntanathan ‘11]: Inner product, polynomial equations, and disjunctions
• [Shen-Shi-Waters ‘09]: Inner product (but symmetric-key setting)
• [Shi-Waters ‘08, Okamoto-Takashima ‘09, Lewko et al. ‘10]: Hierarchical inner product systems
In PEKS, p(id) checks if id = w or not and sk corresponds to Tok
Thank you!
Any [email protected]