Searchable Encryption in Cloud Presented by Myunggu Kang

Security Threats for Public Cloud • Remote and cloud storage is widely used for backups or outsourcing data to reduce operational costs. • However, these remote servers cannot be trusted - administrators, or hackers with root rights can have a full access to data • Thus, sensitive data must be encrypted before outsourcing - This reduces security and privacy risks.

What is the Searchable Encryption? • Encryption makes it impossible for both insiders and outsiders to access data without the keys, but it is hard to search data. • One possible solution to re-enable searching functionality is to download the all data, decrypt them, and then search for the desired results in the data. - For most applications, this approach would be impractical. • Server decrypt the data, runs the query on the server side, and sends only the results back to user. - This allows the server to learn the plaintext data

What is the Searchable Encryption? • Search functionality on the server side - Without decrypting data - With the smallest possible loss of data confidentiality

“Practical Techniques for Searches on Encrypted Data” • [Song-Wagner-Perrig-S&P’00] • First practical scheme for searching in encrypted data • Symmetric key, single keyword search • Perform a sequential scan without an index • Basic Scheme - Encrypt each word separately and then embed a hash value inside ciphertext - To search, the server extract the hash value and check

“Practical Techniques for Searches on Encrypted Data” • Encryption (Create searchable ciphertext) - Step1: Each document is divided up into ‘words’, each ‘word’ may be a 64-bit block 𝑊 𝑖 - Step2: Encrypt word as 𝑋 𝑖 = 𝐸(𝑊 𝑖 ) split into two parts as 𝑋 𝑖 = <𝐿 𝑖 , 𝑅 𝑖 > - Step3: Generate key 𝑘 𝑖 as 𝑘 𝑖 = 𝐹 𝑘 1 ( 𝐿 𝑖 ) generate 𝑆 𝑖 using the pseudo-random generator generate 𝐹 𝑘 𝑖 ( 𝑆 𝑖 ) using the pseudo-random function - Step4: Compute <𝐿 𝑖 , 𝑅 𝑖 >  <𝑆 𝑖 , 𝐹 𝑘 𝑖 ( 𝑆 𝑖 )> - Step5: Store the ciphertext on Bob

“Practical Techniques for Searches on Encrypted Data” • Decryption (Searching) - Step1: In order to retrieve certain word from the ciphertext, Alice creates trapdoor 𝐸 𝑘 1 ( 𝑊 𝑖 ) = (𝐿 𝑖 ||𝑅 𝑖 ) and key 𝑘 𝑖 = 𝑓 𝑘 2 ( 𝐿 𝑖 ) - Step2: Bob computes 𝐶 𝑖  𝐸 𝑘 1 ( 𝑊 𝑖 ) - Step3: If the result is 𝑆 𝑖 || 𝑓 𝑘 1 (S), the ciphertext contains the searching word, thus, Bob sends the ciphertext to Alice

“Practical Techniques for Searches on Encrypted Data” • Leaks the potential positions of the queried keywords in a document - After several queries, it is possible to learn the words inside the documents with statistical analysis. • The complexity of the encryption and search algorithms is linear in the total number of words per document. - Encryption: one encryption, one XOR, and two pseudo-random functions - Trapdoor: one encryption and a pseudo-random function - Search: one XOR and one pseudo-random function => Supports very slow search • For better efficiency, index-based approach can be adopted.

“Secure Indexes” • [Goh-ePrint-03] • Address the limitations of “Song” by adding an index for each document - Use of fixed-size words, special document encryption • Use a Bloom Filter as a per-document index - A Bloom Filter is a data structure that is used to answer set membership queries. - No false negative: Rejection is always correct - A false positive possible: Acceptance might be wrong • Index Scheme consists of the following four algorithms:

“Secure Indexes” • Build Index Kpriv = (k1, . . . , kr) {0, 1}sr - Keygen(s) by Alice: Given a security parameter s, choose a pseudo-random function f : {0, 1}n×{0, 1}s {0, 1}s and the master key Kpriv = (k1, . . . , kr) {0, 1}sr - BuildIndex(D,Kpriv) by Alice: Document D : Did {0, 1}n A list of words (w0, . . . ,wt) {0, 1}nt Kpriv = (k1, . . . , kr) {0, 1}sr Output IDid = (Did, BF) trapdoor codeword x1 = f (wi , k1) . . . xr = f (wi , kr) y1 = f (Did , x1) . . . yr = f (Did , xr) Wi BF for Did

“Secure Indexes” • Search Index - SearchIndex(Tw, IDid) by Server: - Keygen(s) by Alice: Given a security parameter s, choose a pseudo-random function f : {0, 1}n×{0, 1}s {0, 1}s and the master key Kpriv = (k1, . . . , kr) {0, 1}sr - Trapdoor(Kpriv,w) by Alice: Given the master key Kpriv = (k1, . . . , kr) {0, 1}sr and word w, output the trapdoor for word w as Tw = (f(w, k1) , . . . , f(w, kr)) {0, 1}sr - SearchIndex(Tw, IDid) by Server: Input trapdoor Tw = (x1,…, xr) {0, 1}sr index IDid = (Did , BF) for document Did R y1 = f (Did , x1) . . . yr = f (Did , xr) Test if BF contains 1’s in all r locations denoted by y1, . . . , yr If so, output 1; Otherwise, output 0

“Secure Indexes” • Inefficient for managing key (k1, . . . , kr) • Weak search semantics - Simple Boolean keyword search: very hard to control the false positive • Search performance is linear to # of files in collection - Given search trapdoor, server needs to test the Bloom filter for every file.

Public Key Encryption with Keyword Search • [Boneh et al. EUROCRYPT’04] • First searchable encryption scheme using a public key system • Index: a list of encrypted keywords appended as an index per file document - Contributor of each file encrypts a set of keywords individually with the public key • PEKS Scheme consists of the following four algorithms:

Public Key Encryption with Keyword Search • Basic scheme - To create a searchable ciphertext, sender encrypts message with a standard public key system and appends the PEKS of each keyword. The sender then sends the ciphertext - To search, the receiver uses the master secret key to derive a secret key for a specific keyword. The resulting secret key is used as the trapdoor and sent to the server. The server tries to decrypt the ciphertext. If the decryption is successful, the attached encrypted message contains the keyword.

Public Key Encryption with Keyword Search - Summary • Pros. - Multiple contributors -> Example applications: secure email gateway, e.g., spam filtering • Cons. - Search Inefficiency -> Linearly scan the appended encrypted keywords in every document, and do pairing computation - Keyword privacy may not be guaranteed -> Dictionary attack: Server encrypts every possible keyword with the public key, and then do the search with trapdoor. Based on the search result, sever knows the keyword hidden in the trapdoor.

Conclusion • Symmetric Searchable Encryption - More efficient, but less expressive - Multi-keyword search functionalities rarely supported • Public key based searchable encryption - More expressive, but less efficient - Supports multi-keyword • Most studies focus on text-formed data, regardless of complex data structures in reality

Question?

“Secure Indexes” – Membership Verification • Test the existence of a keyword by verifying its membership in the Bloom filter