9. Searchable Encryption
Searchable encryption schemes proposed
User Server
Search for documents
containing keyword
e.g. âurgentâ
Trapdoor function (âurgentâ)
Trapdoor function
(âurgentâ) + Index
10. Searchable Encryption
Searchable encryption schemes proposed
User Server
Search for documents
containing keyword
e.g. âurgentâ
Trapdoor function (âurgentâ)
Trapdoor function
(âurgentâ) + Index
Requested encrypted documents
11. Information leaked ???
Most previous research works
âą Do not leaked Encrypted documents
âą Do not leaked Searched keywords
However, most previous research works
âą leaked access pattern
12. Access Pattern Leaked
Access Pattern leaked:
âą Which data is being accessed
âą When the data was last accessed
âą Whether the same data is being accessed
âą Access randomly or sequentially
âą Whether the access is a read or write
What could be done
with access pattern ?
13. Client
Buy IBM
Buy EMC
?Buy IBM
Access patterns leak:
80% of search queries to
encrypted database
(Islam et. al)
?Buy IBM
Server
Search queries
Example Attack
?Buy PC
15. Oblivious RAM
âą Search over encrypted data
without revealing access pattern
âą Impractical O(N) bandwidth overhead
16. Path ORAM
âą Most practical ORAM construction to date
âą High efficiency and low overhead
Asymptotic breakthrough for large blocks
Instantiation Client Storage Bandwidth
Without Recursion đ¶ đ” đ¶ đ„đšđ đ”
With Recursion
~ đ¶
đ„đšđ đ” đ
đ„đšđ đ
đ¶
đ„đšđ đ” đ
đ„đšđ đ
18. Path ORAM
nodes can contain
multiple blocks
some nodes are empty
Server: data blocks stored in nodes of the tree
bucket
block
Block #
data
19. Path ORAM
1 2 3 4 5 6 7 8
âPositionâ comes from the leaf sequence number.
20. Path ORAM
1 2 3 4 5 6 7 8
A block must be placed on the path to its âpositionâ
If a BLOCKâs position is 5, it can only be in the this path
21. Path ORAM
1 2 3 4 5 6 7 8
A block must be placed on the path to its âpositionâ
If a BLOCKâs position is 1, it can only be in the this path
22. Path ORAM
1 2 3 4 5 6 7 8
Blocksâ position are chosen randomly from 1 to 2^L(number of leaves).
Some nodes(buckets) have multiple blocks while some are empty.
23. Path ORAM
Client storage: position map & stash
position map: to store each blockâs âpositionâ
(assume there are N blocks in the tree)
Block #
Blockâs âpositionâ
1 2 ⊠⊠âŠ. âŠ. N-1 N
5 4 ⊠⊠âŠ. âŠ. 1 7
24. Path ORAM
position map: to store each blockâs âpositionâ
(assume there are N blocks in the tree)
Block #
Blockâs âpositionâ
1 2 ⊠⊠âŠ. âŠ. 13 14
2 4 1 1
10 6
2 58
714 9 1
13
3 12 4 11
1 2 3 4
Client storage: position map & stash
25. Path ORAM
Stash: 1. block cash
2. to store blocks overflowed from the server
Client storage: position map & stash
one block
31. Path ORAM
10 6
2 5
714 1
13
3 12 4 11
1 2 3 4
Server
Client
stash
position map
1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 4 3 4 3 1 2 2 1 1 4 3 2 1
Example: A user wants to modify block â7â
8 9
71 13 10 6
1 13 10 6
decrypt
7
3. Client can now
read/modify data in block
32. Path ORAM
10 6
2 58
714 9 1
13
3 12 4 11
1 2 3 4
Server
Client
position map
1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 4 3 4 3 1 2 2 1 1 4 3 2 1
Example: A user wants to modify block â7â
Note:
the blocks on the tree are encrypted
4. Assign a new random position.
Position[block 7] = UniformRandom(1, 2, 3, 4)
here = 1 1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 4 3 4 3 1 1 2 1 1 4 3 2 1
33. Path ORAM
10 6
2 5
14 1
13
3 12 4 11
1 2 3 4
Server
Client
Note:
the blocks on the tree are encrypted
5. Write path back
7
Principles:
A. Blocks should be pushed down as deep as possible
B. Blocks should always be on the path to its position
34. Path ORAM
10 6
2 5
14 1
13
3 12 4 11
1 2 3 4
Server
Client
position map
1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 4 3 4 3 1 1 2 1 1 4 3 2 1
Note:
the blocks on the tree are encrypted
5. Write path back.
Principle A:
Push blocks as deep as
possible
stash 8 9 1 13 10 67
Try the deepest possible
node first
35. Path ORAM
10 6
2 5
14 1
13
3 12 4 11
1 2 3 4
Server
Client
position map
1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 4 3 4 3 1 1 2 1 1 4 3 2 1
Note:
the blocks on the tree are encrypted
5. Write path back.
Principle A:
Push blocks as deep as
possible
stash 8 9 1 13 10 67
If full, try the upper level
36. Path ORAM
10 6
2 5
14 1
13
3 12 4 11
1 2 3 4
Server
Client
position map
1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 4 3 4 3 1 1 2 1 1 4 3 2 1
Note:
the blocks on the tree are encrypted
5. Write path back.
Principle A:
Push blocks as deep as
possible
stash 8 9 1 13 10 67
If full, try the upper level
37. Path ORAM
10 6
2 5
14 1
13
3 12 4 11
1 2 3 4
Server
Client
position map
1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 4 3 4 3 1 1 2 1 1 4 3 2 1
Note:
the blocks on the tree are encrypted
5. Write path back.
Principle A:
Push blocks as deep as
possible
stash 8 9 1 13 10 67
If root is full, store in the stash
38. Path ORAM
10 6
2 5
14 1
13
3 12 4 11
1 2 3 4
Server
Client
position map
1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 4 3 4 3 1 1 2 1 1 4 3 2 1
Note:
the blocks on the tree are encrypted
5. Write path back
Principle B:
The block should always be on
its path to âpositionâ
stash 8 9 1 13 10 67
2 1 2 1 2 1 1âpositionsâ
7
39. Path ORAM
10 6
2 5
14 1
13
3 12 4 11
1 2 3 4
Server
Client
position map
1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 4 3 4 3 1 1 2 1 1 4 3 2 1
Note:
the blocks on the tree are encrypted
5. Write path back
Block 8, 1, 13 can
end up at any buckets on
the entire path
Principle B:
The block should always be on
its path to âpositionâ
stash 8 9 1 13 10 67
2 1 2 1 2 1 1
7
40. Path ORAM
10 6
2 5
14 1
13
3 12 4 11
1 2 3 4
Server
Client
position map
1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 4 3 4 3 1 1 2 1 1 4 3 2 1
Note:
the blocks on the tree are encrypted
5. Write path back
Block 9, 7, 10, 6 can only
end up at these buckets
Principle B:
The block should always be on
its path to âpositionâ
stash 8 9 1 13 10 67
2 1 2 1 2 1 1
7
41. Path ORAM
2 5
14 3 12 4 11
1 2 3 4
Server
Client
position map
1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 4 3 4 3 1 1 2 1 1 4 3 2 1
Note:
the blocks on the tree are encrypted
5. Write path back
stash 8 9 1 13 10 67
2 1 2 1 2 1 1
3
2
1
Get back to our example:
42. Path ORAM
2 5
14 8 3 12 4 11
1 2 3 4
Server
Client
position map
1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 4 3 4 3 1 1 2 1 1 4 3 2 1
Note:
the blocks on the tree are encrypted
5. Write path back
stash 8 9 1 13 10 67
2 1 2 1 2 1 1
3
2
1
13
43. Path ORAM
2 51
14 8
7
3 12 4 11
1 2 3 4
Server
Client
position map
1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 4 3 4 3 1 1 2 1 1 4 3 2 1
Note:
the blocks on the tree are encrypted
5. Write path back
stash 8 9 1 13 10 67
2 1 2 1 2 1 1
3
2
1
13
44. Path ORAM
9 6
2 51
14 8
7
3 12 4 11
1 2 3 4
Server
Client
position map
1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 4 3 4 3 1 1 2 1 1 4 3 2 1
Note:
the blocks on the tree are encrypted
5. Write path back
stash 8 9 1 13 10 67
2 1 2 1 2 1 1
3
2
1
13
45. Path ORAM
9 6
2 51
14 8
7
3 12 4 11
1 2 3 4
Server
Client
position map
1 2 3 4 5 6 7 8 9 10 11 12 13 14
2 4 3 4 3 1 1 2 1 1 4 3 2 1
Note:
the blocks on the tree are encrypted
5. Write path back
stash 10
3
2
1
13
47. Recursion
âą Store the position map in another ORAM.
âą Do this recursively.
Server
Client
âŠ
âŠ
O-RAM #1 O-RAM #2:
Position Map
for O-RAM #1 O-RAM #3:
Position Map
for O-RAM #2
48. Securityâą Security Definition:
Given two access sequences,
Computational indistinguishable by anyone but the user
âą Server only observes a single random number on access to each block
Each access number is random
not computational distinguishable by anyone but the user
49. Security - example
Server
Client
stashposition map
Suppose client
accesses blocks
1, 2, 3, 4.5
0 1 2 3 4 5 6 7positions:
1 6 4
Server observes:
5, 1, 6, 4
Client looks up in
position map.
5 1 6 4
equally likely
If client instead accesses:
46, 49, 53, 60
the two access patterns are
indistinguishable
50. Proof for Bounds on Stash Usage
Target: the probability for stash overflow is low
Equivalent to:
Find a subtree in ORAM binary tree
that after a sequences of access âsâ, the number of
Remaining blocks are bigger than n(T)Z+R
51. References
1. Path ORAM, Emil, S., et al. slides and papers,
2012
2. Access Pattern Disclosure on Searchable
Encryption. Mohammad, S. et al. , 2006