Searching on Encrypted Data Without Revealing the Search Predicate

Ananth Raghunathan, Stanford University (joint work with Dan Boneh & Gil Segev)


Page 1: Searching on Encrypted Data Without Revealing the Search Predicate

Searching on Encrypted Data Without Revealing the Search Predicate

Ananth Raghunathan, Stanford University

(joint work with Dan Boneh & Gil Segev)

Page 2: Public-Key Encryption

Searching on Encrypted Data (Boneh, Raghunathan, Segev) SINET ITSEF 2013

[Diagram: Alice encrypts message m under Bob's public key to ciphertext c; Bob recovers m with his secret key; an observer of c “Learns nothing!”]

More precisely: ≈ (to )

Page 3: Public-Key Encryption with Keyword Search

Scenario 1: Payment Gateway

[Diagram: encrypted transactions pass through a Payment Routing Gateway]

Page 4: Public-Key Encryption with Keyword Search

Scenario 2: Email forwarding

[Diagram: an Email routing proxy sorts incoming encrypted mail; labels: Assistant, “Urgent!”, “Later”]

Page 5: Requirements

• An encryption scheme that allows untrusted proxies to test for keywords (“tokens”)
– Without a token, the proxy learns nothing.
– With a token, the proxy learns whether the message contains the keyword or not, and nothing else.
– (Implied) Tokens are generated by the secret-key holder.

Page 6: PEKS definition (Boneh et al. ‘04)

[Diagram: a sender computes PEKS(pk, “BoA”) with the public key; the secret-key holder derives Tok_BoA from the keyword “BoA”; the Payment Routing Gateway holds the tokens Tok_BoA, Tok_Chase, Tok_WF]

• PEKS(pk, w) is publicly computable
• Generating Tok_w requires the secret key
• Given Tok_BoA and PEKS(pk, w), the gateway can check whether keyword w = “BoA” or not (algorithm Test)

Page 7: Security: Overview

Informally: the attacker is given tokens of his choice and should not be able to Test for w for which he does not have a token.

[Diagram: the Payment Routing Gateway, holding Tok_BoA, Tok_Chase, Tok_WF, receives PEKS(pk, “BoA”); Test answers “Yes” for “BoA”]

Page 8: Security: Overview (continued)

[Diagram: the same gateway, holding Tok_BoA, Tok_Chase, Tok_WF, receives PEKS(pk, “JP Morgan”); no held token matches, so Test answers no for each of them and the gateway cannot determine the keyword]

Page 9: Predicate privacy

• Previous research did not consider information leaked by Tok_w
• Several schemes even explicitly leak w in Tok_w
• Motivation 1: Payment gateway
– Routing information might be sensitive
– Transactions tagged with “suspected fraudulent” or other attributes that affect routing but shouldn’t be revealed to a gateway
• Motivation 2: Encrypted email filter
– Keywords are sensitive: “Urgent” keywords might leak information about personal life or medical data
• Can we model a realistic notion of predicate privacy?
• Can we construct schemes that satisfy predicate privacy?

Page 10: Our work

• Model predicate privacy (“Tok_w leaks no more information than necessary”)
– Closely related to program obfuscation
– If the attacker can guess w then he can check quickly: compute PEKS(pk, w) and test whether Tok_w outputs “yes” or “no”
– Our definition: if the keyword w “cannot be guessed” by the attacker, then Tok_w ≈ Tok_random
• Constructions: first PEKS schemes with predicate privacy
– We give a general approach to add predicate privacy to existing schemes

Email example: the proxy encrypts PEKS(pk, “Doctor’s appointment”) and sees whether Tok outputs Y or N
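The guessing argument on this slide, together with the PEKS interface from Page 6, written out as an added derivation that is not part of the original talk; the name KeyGen, the dictionary W and the keyword space K are assumptions introduced here, everything else follows the slides' notation.

$$
(pk, sk) \leftarrow \mathrm{KeyGen}(1^\lambda), \qquad
C \leftarrow \mathrm{PEKS}(pk, w), \qquad
\mathrm{Tok}_w \leftarrow \mathrm{Tok}(sk, w),
$$

$$
\mathrm{Test}\bigl(\mathrm{Tok}_w, \mathrm{PEKS}(pk, w')\bigr) =
\begin{cases}
\text{yes} & \text{if } w' = w,\\
\text{no}  & \text{if } w' \neq w \ (\text{except with probability } \mathrm{negl}(\lambda)).
\end{cases}
$$

Let $K$ be the keyword space, with $|K|$ exponential in $\lambda$, and let the attacker hold a dictionary $W \subseteq K$, $|W| = n$, that it can afford to enumerate. The challenge token $T^{*}$ is either $\mathrm{Tok}_w$ for the real keyword $w$ or $\mathrm{Tok}_{\text{random}} = \mathrm{Tok}_r$ for $r$ uniform in $K$. The attacker needs only $pk$ and the public algorithms:

$$
\mathcal{A}(pk, T^{*}):\ \text{output “real” if } \exists\, w' \in W \text{ with } \mathrm{Test}\bigl(T^{*}, \mathrm{PEKS}(pk, w')\bigr) = \text{yes}, \text{ otherwise “random”}.
$$

By correctness, with $\varepsilon := \Pr[w \in W]$ the guessing probability of the dictionary,

$$
\Pr\bigl[\mathcal{A} = \text{real} \mid T^{*} = \mathrm{Tok}_w\bigr] \ge \varepsilon, \qquad
\Pr\bigl[\mathcal{A} = \text{real} \mid T^{*} = \mathrm{Tok}_r\bigr] \le \frac{n}{|K|} + n \cdot \mathrm{negl}(\lambda),
$$

so $\mathcal{A}$ distinguishes $\mathrm{Tok}_w$ from $\mathrm{Tok}_{\text{random}}$ with advantage at least $\varepsilon - n/|K| - n \cdot \mathrm{negl}(\lambda)$. Whenever some polynomial-size $W$ has non-negligible $\varepsilon$, this is non-negligible, so no PEKS scheme can make $\mathrm{Tok}_w \approx \mathrm{Tok}_{\text{random}}$ for such $w$. The definition therefore has to be restricted to keywords that “cannot be guessed”, meaning every polynomial-size dictionary has negligible $\varepsilon$, and that restriction is on the keyword distribution, not on the attacker, since the test above is available to any proxy.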

Page 11: More expressive predicates

• A different formulation
– Encrypt a tuple (id, m)
– Secret key sk_p
– Decryption algorithm: given Enc(id, m) and sk_p, recover m only if p(id) = 1
• [Boneh et al. ‘04]: Equality predicate (point function)
• [Boneh-Waters ‘07]: Conjunctive, subset, and range queries
• [Katz-Sahai-Waters ‘08, Agrawal-Freeman-Vaikuntanathan ‘11]: Inner product, polynomial equations, and disjunctions
• [Shen-Shi-Waters ‘09]: Inner product (but symmetric-key setting)
• [Shi-Waters ‘08, Okamoto-Takashima ‘09, Lewko et al. ‘10]: Hierarchical inner product systems

In PEKS, p(id) checks if id = w or not, and sk_p corresponds to Tok_w

Page 12: Thank you!

Any [email protected]