Embed Size (px)
Citation preview
http://www.cs.ucla.edu/~rafail/
Private Keyword Private Keyword Search on Search on
Streaming DataStreaming Data
Rafail Ostrovsky William Skeith UCLA
(patent pending)(patent pending)
Motivating ExampleMotivating Example
The intelligence community collects data The intelligence community collects data from multiple sources that might potentially from multiple sources that might potentially be “useful” for future analysis.be “useful” for future analysis. Network trafficNetwork traffic Chat roomsChat rooms Web sites, etc…Web sites, etc…
However, what is “useful” is often However, what is “useful” is often classified.classified.
Current PracticeCurrent Practice
Continuously transfer all data to a Continuously transfer all data to a secure environment.secure environment.
After data is transferred, filter in the After data is transferred, filter in the classified environment, keep only classified environment, keep only small fraction of documents.small fraction of documents.
¢¢¢! D(1,3)! D(1,2)! D(1,1)!
¢¢¢! D(2,3)! D(2,2)! D(2,1)!
¢¢¢! D(3,3)! D(3,2)! D(3,1)!
Classified EnvironmentClassified Environment
FilterFilter StorageStorageD(3,1)D(1,1)D(1,2)D(2,2)D(2,3)D(3,2)D(2,1)D(1,3)D(3,3)
Filter rules are Filter rules are
written by an written by an
analyst and are analyst and are
classified!classified!
Current PracticeCurrent Practice
Drawbacks:Drawbacks:CommunicationCommunicationProcessingProcessing
How to improve performance?How to improve performance?
Distribute work to many locations on Distribute work to many locations on a networka network
Seemingly ideal solution, but…Seemingly ideal solution, but…Major problem:Major problem:
Not clear how to maintain privacy, which Not clear how to maintain privacy, which is the focus of this talkis the focus of this talk
¢¢¢! D(1,3)! D(1,2)! D(1,1)!
¢¢¢! D(2,3)! D(2,2)! D(2,1)!
¢¢¢! D(3,3)! D(3,2)! D(3,1)!
Classified Classified EnvironmentEnvironmentFilterFilter
StorageStorage
EE (D(D(1,2)(1,2)))
EE (D(D(1,3)(1,3)))
FilterFilter
StorageStorage
EE (D(D(2,2)(2,2)))
FilterFilter
StorageStorage
DecryptDecrypt
StorageStorage
DD(1,2)(1,2)
DD(1,3)(1,3)
DD(2,2)(2,2)
Example Filter:Example Filter:Look for all documents that contain special Look for all documents that contain special
classified keywords, selected by an analystclassified keywords, selected by an analystPerhaps an alias of a dangerous criminalPerhaps an alias of a dangerous criminal
PrivacyPrivacyMust hide what words are used to create the Must hide what words are used to create the
filterfilterOutput must be encryptedOutput must be encrypted
More generally:More generally:
We define the notion of Public Key We define the notion of Public Key Program ObfuscationProgram Obfuscation
Encrypted version of a programEncrypted version of a programPerforms same functionality as un-obfuscated Performs same functionality as un-obfuscated
program, but:program, but:Produces encrypted outputProduces encrypted output Impossible to reverse engineerImpossible to reverse engineer
A little more formally:A little more formally:
Public Key Program ObfuscationPublic Key Program Obfuscation
PrivacyPrivacy
Related NotionsRelated Notions
PIR (Private Information Retrieval) PIR (Private Information Retrieval) [CGKS],[KO],[CMS]…[CGKS],[KO],[CMS]…
Keyword PIR [KO],[CGN],[FIPR]Keyword PIR [KO],[CGN],[FIPR]Program Obfuscation [BGIRSVY]…Program Obfuscation [BGIRSVY]…
Here output is identical to un-obfuscated Here output is identical to un-obfuscated program, but in our case it is encrypted.program, but in our case it is encrypted.
Public Key Program ObfuscationPublic Key Program ObfuscationA more general notion than PIR, with lots of A more general notion than PIR, with lots of
applicationsapplications
What we wantWhat we want
¢¢¢! D(1,3)! D(1,2)! D(1,1)! FilterFilterStorageStorage
This is matching document #2
This is a Non-matching document
This is matching document #1
This is matching document #3
This is a Non-matching document
This is a Non-matching document
How to accomplish this?How to accomplish this?
Several Solutions based on Several Solutions based on Homomorphic EncryptionsHomomorphic Encryptions
For this talk: Paillier EncryptionFor this talk: Paillier Encryption Properties:Properties:
Plaintext set = Plaintext set = ZZnn
Ciphertext set = Ciphertext set = ZZ**nn22
Homomorphic, i.e., Homomorphic, i.e., EE(x)(x)EE(y) = (y) = EE(x+y)(x+y)
Simplifying Assumptions for this Simplifying Assumptions for this TalkTalk
All keywords come from some poly-size All keywords come from some poly-size dictionarydictionary
Truncate documents beyond a certain Truncate documents beyond a certain lengthlength
wwt-2t-2 EE(1)(1)
wwt-1t-1 EE(0)(0)
wwtt EE(0)(0)
ww11 EE(0)(0)
ww22 EE(1)(1)
ww33 EE(0)(0)
ww44 EE(0)(0)
ww55 EE(1)(1)
.
.
.
D
EE(0(0))
EE(0(0))
EE(0(0))
EE(0(0))
EE(0(0))
EE(0(0))
EE(0(0))
EE(0(0))
EE(0(0))
EE(0(0))
(g,gD)
¤=
¤=
¤=
Dic
tiona
ry
Output Buffer
This is matching document #1
This is matching document#3
This is matching document #2
Here’s another matching document
Collisions cause two problems:
1. Good documents are destroyed
2. Non-existent documents could be fabricated
We’ll make use of two We’ll make use of two combinatorial lemmas…combinatorial lemmas…
How to detect collisions?How to detect collisions?
Append a highly structured, (yet random) Append a highly structured, (yet random) k-bit string to the messagek-bit string to the message
The sum of two or more such strings will The sum of two or more such strings will be another such string with negligible be another such string with negligible probability in kprobability in k
Specifically, partition k bits into triples of Specifically, partition k bits into triples of bits, and set exactly one bit from each bits, and set exactly one bit from each triple to 1triple to 1
100|001|100|010|010|100|001|010|010100|001|100|010|010|100|001|010|010
010|001|010|001|100|001|100|001|010010|001|010|001|100|001|100|001|010
010|100|100|100|010|001|010|001|010010|100|100|100|010|001|010|001|010
100|100|010|100|100|010|111111|100|100||100|100|111111|010|010|010|010
==
Detecting Overflow > mDetecting Overflow > m
Double buffer size from m to 2mDouble buffer size from m to 2m If m < #documents < 2m, output “overflow”If m < #documents < 2m, output “overflow” If #documents > 2m, then expected If #documents > 2m, then expected
number of collisions is large, thus output number of collisions is large, thus output “overflow” in this case as well.“overflow” in this case as well.
Not yet in eprint version, will appear soon, as well as some other Not yet in eprint version, will appear soon, as well as some other
extensionsextensions. .
More from the paper that we don’t More from the paper that we don’t have time to discuss…have time to discuss…
Reducing program size below dictionary Reducing program size below dictionary size (using size (using – Hiding from [CMS]) – Hiding from [CMS])
Queries containing AND (using [BGN] Queries containing AND (using [BGN] machinery)machinery)
Eliminating negligible error (using perfect Eliminating negligible error (using perfect hashing)hashing)
Scheme based on arbitrary homomorphic Scheme based on arbitrary homomorphic encryptionencryption
ConclusionsConclusions
Private searching on streaming dataPrivate searching on streaming dataPublic key program obfuscation, more Public key program obfuscation, more
general than PIRgeneral than PIRPractical, efficient protocolsPractical, efficient protocolsMany open problemsMany open problems
Thanks For Listening!
