14 research outputs found
Homomorphic string search with constant multiplicative depth
String search finds occurrences of patterns in a larger text. This general problem occurs in various application scenarios, f.e. Internet search, text processing, DNA analysis, etc. Using somewhat homomorphic encryption with SIMD packing, we provide an efficient string search protocol that allows to perform a private search in outsourced data with minimal preprocessing. At the base of the string search protocol lies a randomized homomorphic equality circuit whose depth is independent of the pattern length. This circuit not only improves the performance but also increases the practicality of our protocol as it requires the same set of encryption parameters for a wide range of patterns of different lengths. This constant depth algorithm is about 10 times faster than the prior work. It takes about 5 minutes on an average laptop to find the positions of a string with at most 50 UTF-32 characters in a text with 1000 characters. In addition, we provide a method that compresses the search results, thus reducing the communication cost of the protocol. For example, the communication complexity for searching a string with 50 characters in a text of length 10000 is about 347 KB and 13.9 MB for a text with 1000000 characters
Setup-Free Secure Search on Encrypted Data: Faster and Post-Processing Free
We present a novel protocol on data and queries encrypted with Fully Homomorphic Encryption (FHE).
Our protocol enables organizations (client) to (1) securely upload an unsorted data array to an untrusted honest-but-curious sever, where data may be uploaded over time and from multiple data-sources; and (2) securely issue repeated search queries for retrieving the first element satisfying an agreed matching criterion , as well as fetching the next matching elements with further interaction.
For security, the client encrypts the data and queries with FHE prior to uploading, and the server processes the ciphertexts to produce the result ciphertext for the client to decrypt.
Our secure search protocol improves over the prior state-of-the-art for secure search on FHE encrypted data (Akavia, Feldman, Shaul (AFS), CCS\u272018) in achieving:
(1) protocol where the server produces a ciphertext for the correct search outcome with overwhelming success probability.This is in contrast to returning a list of candidates for the client to post-process, or suffering from a noticeable error probability, in AFS. Our post-processing freeness enables the server to use secure search as a sub-component in a larger computation without interaction with the client.
(2) (a) Client time and communication bandwidth are improved by a factor. (b) Server evaluates a polynomial of degree linear in (compare to cubic in AFS), and overall number of multiplications improved by up to factor.(c) Employing only computations (compare to for in AFS) to gain both further speedup and compatibility to all current FHE candidates.
(3) we executed on identical hardware for implementations of ours versus AFS\u27s protocols.
Additionally, like other FHE based solutions, out solution is setup-free: to outsource elements from the client to the server, no additional actions are performed on except for encrypting it element by element (each element bit by bit) and uploading the resulted ciphertexts to the server
Secure Search via Multi-Ring Fully Homomorphic Encryption
Secure search is the problem of securely retrieving from a database table (or any unsorted array) the records matching specified attributes, as in SQL ``SELECT...WHERE...\u27\u27 queries, but where the database and the query are encrypted. Secure search has been the leading example for practical applications of Fully Homomorphic Encryption (FHE) since Gentry\u27s seminal work in 2009, attaining the desired properties of a single-round low-communication protocol with semantic security for database and query (even during search). Nevertheless, the wide belief was that the high computational overhead of current FHE candidates is too prohibitive in practice for secure search solutions (except for the restricted case of searching for a uniquely identified record as in SQL UNIQUE constrain and Private Information Retrieval). This is due to the high degree in existing solutions that is proportional at least to the number of database records m.
We present the first algorithm for secure search that is realized by a polynomial of logarithmic degree (log m)^c for a small constant c>0. We implemented our algorithm in an open source library based on HElib, and ran experiments on Amazon\u27s EC2 cloud with up to 100 processors. Our experiments show that we can securely search to retrieve database records in a rate of searching in millions of database records in less than an hour on a single machine.
We achieve our result by:
(1) Designing a novel sketch that returns the first strictly-positive entry in a (not necessarily sparse) array of non-negative real numbers; this sketch may be of independent interest.
(2) Suggesting a multi-ring evaluation of FHE -- instead of a single ring as in prior works -- and leveraging this to achieve an exponential reduction in the degree
Chameleon: A Secure Cloud-Enabled and Queryable System with Elastic Properties
There are two dominant themes that have become increasingly more important in our
technological society. First, the recurrent use of cloud-based solutions which provide
infrastructures, computation platforms and storage as services. Secondly, the use of applicational
large logs for analytics and operational monitoring in critical systems. Moreover,
auditing activities, debugging of applications and inspection of events generated by errors
or potential unexpected operations - including those generated as alerts by intrusion
detection systems - are common situations where extensive logs must be analyzed, and
easy access is required. More often than not, a part of the generated logs can be deemed
as sensitive, requiring a privacy-enhancing and queryable solution.
In this dissertation, our main goal is to propose a novel approach of storing encrypted
critical data in an elastic and scalable cloud-based storage, focusing on handling JSONbased
ciphered documents. To this end, we make use of Searchable and Homomorphic
Encryption methods to allow operations on the ciphered documents. Additionally, our
solution allows for the user to be near oblivious to our systemās internals, providing
transparency while in use. The achieved end goal is a unified middleware system capable
of providing improved system usability, privacy, and rich querying over the data. This
previously mentioned objective is addressed while maintaining server-side auditable logs,
allowing for searchable capabilities by the log owner or authorized users, with integrity
and authenticity proofs.
Our proposed solution, named Chameleon, provides rich querying facilities on ciphered
data - including conjunctive keyword, ordering correlation and boolean queries
- while supporting field searching and nested aggregations. The aforementioned operations
allow our solution to provide data analytics upon ciphered JSON documents, using
Elasticsearch as our storage and search engine.O uso recorrente de soluƧƵes baseadas em nuvem tornaram-se cada vez mais importantes
na nossa sociedade. Tais soluƧƵes fornecem infraestruturas, computaĆ§Ć£o e armazenamento
como serviƧos, para alem do uso de logs volumosos de sistemas e aplicaƧƵes para
anĆ”lise e monitoramento operacional em sistemas crĆticos. Atividades de auditoria, debugging
de aplicaƧƵes ou inspeĆ§Ć£o de eventos gerados por erros ou possĆveis operaƧƵes
inesperadas - incluindo alertas por sistemas de detecĆ§Ć£o de intrusĆ£o - sĆ£o situaƧƵes comuns
onde logs extensos devem ser analisados com facilidade. Frequentemente, parte dos
logs gerados podem ser considerados confidenciais, exigindo uma soluĆ§Ć£o que permite
manter a confidencialidades dos dados durante procuras.
Nesta dissertaĆ§Ć£o, o principal objetivo Ć© propor uma nova abordagem de armazenar
logs crĆticos num armazenamento elĆ”stico e escalĆ”vel baseado na cloud. A soluĆ§Ć£o proposta
suporta documentos JSON encriptados, fazendo uso de Searchable Encryption e
mĆ©todos de criptografia homomĆ³rfica com provas de integridade e autenticaĆ§Ć£o. O objetivo
alcanƧado Ʃ um sistema de middleware unificado capaz de fornecer privacidade,
integridade e autenticidade, mantendo registos auditƔveis do lado do servidor e permitindo
pesquisas pelo proprietĆ”rio dos logs ou usuĆ”rios autorizados. A soluĆ§Ć£o proposta,
Chameleon, visa fornecer recursos de consulta atuando em cima de dados cifrados - incluindo
queries conjuntivas, de ordenaĆ§Ć£o e booleanas - suportando pesquisas de campo
e agregaƧƵes aninhadas. As operaƧƵes suportadas permitem Ć nossa soluĆ§Ć£o suportar data
analytics sobre documentos JSON cifrados, utilizando o Elasticsearch como armazenamento
e motor de busca
Compressed Oblivious Encoding for Homomorphically Encrypted Search
Fully homomorphic encryption (FHE) enables a simple, attractive
framework for secure search. Compared to other secure search systems,
no costly setup procedure is necessary; it is sufficient for the client
merely to upload the encrypted database to the server. Confidentiality
is provided because the server works only on the encrypted query and
records. While the search functionality is enabled by the full
homomorphism of the encryption scheme.
For this reason, researchers have been paying increasing attention to
this problem. Since Akavia et al. (CCS 2018) presented a framework for
secure search on FHE encrypted data and gave a working implementation
called SPiRiT, several more efficient realizations have been proposed.
In this paper, we identify the main bottlenecks of this framework and
show how to significantly improve the performance of FHE-base secure
search. In particular,
1. To retrieve matching items, the existing framework needs to
repeat the protocol times sequentially. In our new framework, all
matching items are retrieved in parallel in a single protocol
execution.
2. The most recent work by Wren et al. (CCS 2020) requires
multiplications to compute the first matching index. Our solution
requires no homomorphic multiplication, instead using only
additions and scalar multiplications to encode all matching indices.
3. Our implementation and experiments show that to fetch 16 matching
records, our system gives an 1800X speed-up over the state of the art
in fetching the query results resulting in a 26X speed-up for the full
search functionality
User-Centric Security and Privacy Mechanisms in Untrusted Networking and Computing Environments
Our modern society is increasingly relying on the collection, processing, and sharing of digital information. There are two fundamental trends: (1) Enabled by the rapid developments in sensor, wireless, and networking technologies, communication and networking are becoming more and more pervasive and ad hoc. (2) Driven by the explosive growth of hardware and software capabilities, computation power is becoming a public utility and information is often stored in centralized servers which facilitate ubiquitous access and sharing. Many emerging platforms and systems hinge on both dimensions, such as E-healthcare and Smart Grid. However, the majority information handled by these critical systems is usually sensitive and of high value, while various security breaches could compromise the social welfare of these systems. Thus there is an urgent need to develop security and privacy mechanisms to protect the authenticity, integrity and confidentiality of the collected data, and to control the disclosure of private information. In achieving that, two unique challenges arise: (1) There lacks centralized trusted parties in pervasive networking; (2) The remote data servers tend not to be trusted by system users in handling their data. They make existing security solutions developed for traditional networked information systems unsuitable. To this end, in this dissertation we propose a series of user-centric security and privacy mechanisms that resolve these challenging issues in untrusted network and computing environments, spanning wireless body area networks (WBAN), mobile social networks (MSN), and cloud computing. The main contributions of this dissertation are fourfold. First, we propose a secure ad hoc trust initialization protocol for WBAN, without relying on any pre-established security context among nodes, while defending against a powerful wireless attacker that may or may not compromise sensor nodes. The protocol is highly usable for a human user. Second, we present novel schemes for sharing sensitive information among distributed mobile hosts in MSN which preserves user privacy, where the users neither need to fully trust each other nor rely on any central trusted party. Third, to realize owner-controlled sharing of sensitive data stored on untrusted servers, we put forward a data access control framework using Multi-Authority Attribute-Based Encryption (ABE), that supports scalable fine-grained access and on-demand user revocation, and is free of key-escrow. Finally, we propose mechanisms for authorized keyword search over encrypted data on untrusted servers, with efficient multi-dimensional range, subset and equality query capabilities, and with enhanced search privacy. The common characteristic of our contributions is they minimize the extent of trust that users must place in the corresponding network or computing environments, in a way that is user-centric, i.e., favoring individual owners/users
New Fundamental Technologies in Data Mining
The progress of data mining technology and large public popularity establish a need for a comprehensive text on the subject. The series of books entitled by "Data Mining" address the need by presenting in-depth description of novel mining algorithms and many useful applications. In addition to understanding each section deeply, the two books present useful hints and strategies to solving problems in the following chapters. The contributing authors have highlighted many future research directions that will foster multi-disciplinary collaborations and hence will lead to significant development in the field of data mining
Principled Flow Tracking in IoT and Low-Level Applications
Significant fractions of our lives are spent digitally, connected to and dependent on Internet-based applications, be it through the Web, mobile, or IoT. All such applications have access to and are entrusted with private user data, such as location, photos, browsing habits, private feed from social networks, or bank details.In this thesis, we focus on IoT and Web(Assembly) apps. We demonstrate IoT apps to be vulnerable to attacks by malicious app makers who are able to bypass the sandboxing mechanisms enforced by the platform to stealthy exfiltrate user data. We further give examples of carefully crafted WebAssembly code abusing the semantics to leak user data.We are interested in applying language-based technologies to ensure application security due to the formal guarantees they provide. Such technologies analyze the underlying program and track how the information flows in an application, with the goal of either statically proving its security, or preventing insecurities from happening at runtime. As such, for protecting against the attacks on IoT apps, we develop both static and dynamic methods, while for securing WebAssembly apps we describe a hybrid approach, combining both.While language-based technologies provide strong security guarantees, they are still to see a widespread adoption outside the academic community where they emerged.In this direction, we outline six design principles to assist the developer in choosing the right security characterization and enforcement mechanism for their system.We further investigate the relative expressiveness of two static enforcement mechanisms which pursue fine- and coarse-grained approaches for tracking the flow of sensitive information in a system.\ua0Finally, we provide the developer with an automatic method for reducing the manual burden associated with some of the language-based enforcements