VERIFIABLE SEARCHABLE SYMMETRIC ENCRYPTION


BY ZACHARY A. KISSEL
B.S. MERRIMACK COLLEGE (2005)
M.S. NORTHEASTERN UNIVERSITY (2007)

SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY
COMPUTER SCIENCE
UNIVERSITY OF MASSACHUSETTS LOWELL

Dissertation Chair: Dr. Jie Wang
Other Dissertation Committee Members: Dr. Xinwen Fu, Dr. Tingjian Ge, Dr. Yan Luo
ABSTRACT OF A DISSERTATION SUBMITTED TO THE FACULTY OF THE DEPARTMENT OF COMPUTER SCIENCE IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY
COMPUTER SCIENCE
UNIVERSITY OF MASSACHUSETTS LOWELL
2013

Dissertation Supervisor: Jie Wang, Ph.D., Professor and Chair, Department of Computer Science
Cloud storage has become increasingly prevalent in recent years. It provides a convenient platform for users to store data that can be accessed from anywhere at any time without the cost of maintaining a storage infrastructure. However, cloud storage is inherently insecure, hindering general acceptance of the paradigm shift. To make use of storage services provided by a cloud, users would need to place their trust, at least implicitly, in the provider. There have been a number of attempts to alleviate the need for this trust through cryptographic methods. An immediate approach would be to encrypt each file before uploading it to the cloud. This approach calls for a new searching mechanism over encrypted data stored in the cloud. This dissertation considers a solution to this problem using Symmetric Searchable Encryption (SSE). SSE allows users to offload search queries to the cloud. The cloud is then responsible for returning the encrypted files that match the search queries (also encrypted). Most previous work was focused on keyword search in the Honest-but-Curious (HBC) cloud model, while some more recent work has considered searching on phrases. Recently, a new cloud model was introduced that supersedes the HBC model. This new model, called Semi-Honest but Curious (SHBC), is less restrictive over the actions a cloud can take. In this dissertation, we present three systems that are secure under this new SHBC model. Two systems provide phrase search and the other provides hierarchical access control over keyword search.
Acknowledgements

I would like to begin by thanking the person responsible most for the success of this dissertation, my advisor, Prof. Jie Wang. Prof. Wang provided me with the unique opportunity to look at the problems that interested me, providing encouragement and guidance as I progressed. I would also like to thank my committee members Professors Xinwen Fu, Tingjian Ge, and Yan Luo. Together, they provided helpful comments that improved this work. In particular, the article that became Chapter 5 was in preparation at the time of the proposal; their comments around investigating access control over searching validated the need to submit that work.

While completing the last year of my PhD studies, I was fortunate to have the opportunity to join the faculty at Merrimack College as a visiting professor. This appointment gave me a chance to branch out in all facets of academia. I am most indebted to the friendships and hallway conversations with Lisa Michaud, Vance Poteat, and Chris Stuetzle. In particular, I wish to thank Chris Stuetzle for early reviews of the material that would become Chapter 3. I would also like to thank Vance Poteat for serving as a mentor for my transition from industry to teaching this year, and for sparking my interest in networking and security many years ago.

I would like to thank my parents Dan and Deb for their continued love, support, and encouragement over all these years, specifically for demonstrating to me the most important lesson, with hard work there are no limits. To Wendy, thank you for sharing this journey with me. Thank you for all the encouragement and understanding for all the hours and late nights it took to write this dissertation.
Contents

List of Figures

1 Introduction
    Applications of Searchable Encryption
    Overview of Results
    Dissertation Structure

2 Background
    Background on Probability
    Background on Cryptography
        Pseudo-Random Primitives
        Symmetric Encryption
        Cryptographic Hash Functions
    Searchable Encryption Framework
    Index Data Structures
    Models of Clouds and Security
    Previous Work
        A First Solution
        Early Indexed Approaches
        Improved SSE Constructions
        Phrase Searching
        2.6.5 Non-HBC Systems

3 Verifiable Phrase Search
    Verifiable Encrypted Phrase Search
    Verifiable Keyword Search
    Verified Phrase Searching
    Correctness
    Conclusion

4 Verifiable Phrase Search in a Single Phase
    Notations
    Notations
    Background
    Background on Next-Word Indexing
    Secure Linked Lists
    Basic Construction
    Constructing an Encrypted Next-Word Index
    An SSE Construction
    Security and Efficiency
    Adding Verification
    Discussion of Security Guarantees
    Conclusion

5 Hierarchical Access Control
    Model
    Key Regression
    Construction of HACSSE and Security
    Security Guarantees of HACSSE
    Adding Revocation and Verification
    5.4.1 Security Guarantees
    Conclusion

6 Conclusion
    Results
    Future Work

Bibliography
Biography
List of Figures

2.1 A secure linked list on the set $\{D_1, D_3, D_5, D_6\}$
An example of a phase two table based index
An example next-word index
Example arrays A and N for = $\{w_1, w_2, w_3\}$. The arcs represent a logical connection
An annotated trie for dictionaries 1 = {cat, dog} and 2 = {car, do}
Final trie based on Figure 5.1. The value $P_h$ denotes the parent's hash value and $l$ denotes the current node's level
Modification to the BuildIndex algorithm to add verification support to the trie
The HVerify algorithm
The HRevokeUser algorithm
Chapter 1

Introduction

Imagine for the moment that Alice has a large collection of documents, D, that she wishes to store in a distributed storage environment owned by Bob. Bob has been known to be nosy, which means Alice must encrypt all the documents in her document collection before uploading them to Bob's distributed storage environment. Assume, now, that Alice wants to read the documents in D that contain a certain word or phrase. What does she do? Trivially, she could ask Bob to send her all the files, decrypt them locally, and then search for the documents that contain the information she is looking for. Retrieving all the files and then decrypting them, however, will incur a great cost in both communication and time. It would be far more efficient for Alice if Bob could perform the search and only send the documents that match her query. Alice's problem is known as the searchable encryption problem.

Song, Wagner, and Perrig offered the first glimpse of a solution to Alice's problem [1]. They introduced Searchable Symmetric Encryption (SSE). This new SSE construction allows Alice to ask Bob to query the encrypted document collection for a specific word or phrase. Alice enables Bob to perform the search by providing Bob, at query time, with some special information known as a trapdoor. Bob then returns the results of the query to Alice. The guarantees that they provided are that
the queries remain unknown to Bob (query privacy) and any information beyond the number of results and size of the encrypted documents is unknown to Bob (query result privacy).

Though not its original intention, we can adapt searchable encryption to cloud storage. We assume that a collection of encrypted documents, D, is stored in the cloud such that a search query can be executed over all the documents in the collection. The cloud is responsible for both executing the query and returning the results. We have the added security guarantee that the cloud should be unable to learn the nature of the query. If one uses only symmetric cryptography in the solution, the problem is called the Symmetric Searchable Encryption (SSE) problem. While there do exist asymmetric forms of searchable encryption [2], we will only consider the SSE problem, for it is more efficient in comparison to asymmetric solutions to the searchable encryption problem.

1.1 Applications of Searchable Encryption

Searchable encryption over phrases can be used to support a large number of diverse applications. For example, in human resource management, one may want to look for a series of phrases that assess the performance of an employee. In medical record management, a doctor may want to retrieve all records where a certain phrase of ailments occurs next to each other. At an educational institution, an instructor may want to search for student information based on phrases related to course performance. All of these applications share the common need of querying for phrases that are not necessarily pre-known.

When we have access to a hierarchical access control mechanism on encrypted keyword search, we have even more applications. For example, a company can outsource its data to the cloud and different employees can have different access. For
example, only members of the finance department should be able to search for financial information and only the members of the engineering department should be able to search for blueprint information. In the area of parental controls, envision a search engine where you do not have to forgo query privacy for filtering of explicit content.

All the applications presented share common needs: confidentiality of data, query privacy, and query result privacy. Thus, they are perfect for the application of searchable encryption.

1.2 Overview of Results

In this dissertation we provide efficient solutions to two problems in Symmetric Searchable Encryption. Both solutions exhibit the property of verifiability. By verifiability we mean the client, in an SSE scheme, can detect if the cloud has returned incomplete or inaccurate results. Therefore, the model must allow the cloud to fabricate results that are inconsistent with the truth about the document collection. This can be achieved by considering SSE solutions under the model developed by Chai and Gong in [3]. The model is called the Semi-Honest but Curious model (SHBC). In this model, the cloud does the following: (1) honestly store data; (2) honestly execute the search operations or a fraction of them; (3) return a nonzero fraction of the query results honestly; and (4) try to learn as much information as possible. If a solution has the property of verifiability over its returned results, we say that we have a solution to the Verifiable SSE problem.

Our first result is structured around providing a verifiable phrase search mechanism. This result is based on the two phase protocol presented in [4]. Given a phrase, p, the first phase finds all the documents in D that contain all the words in p. The second phase, using the results of the first, determines which documents in D contain all the words in p, ordered according to p.
Our second result improves on our first by presenting a single phase search protocol. This new single phase protocol reduces both the communication complexity and the work that must be performed by the client to do a successful search. Like our first result, the second result is also verifiable.

In a second vein, we investigate an efficient verifiable searchable encryption scheme which provides access control over keywords that appear in a document collection. The most trivial access control is creating one group of users and allowing dynamic changes to the group. This problem has a good constructive solution provided by Curtmola et al. in [5]. We demonstrate a hierarchical access control mechanism where we divide the users into numbered groups such that if a user in group i has the ability to successfully search for a particular search term, then any user in any group j > i can also successfully search for the same search term.

1.3 Dissertation Structure

The remainder of this dissertation is structured as follows. In Chapter 2 we will discuss the cryptography, theory, and data structures needed to realize SSE. We will conclude this chapter with a discussion of existing work on SSE. In Chapter 3 we will present a verifiable phrase search SSE scheme. In Chapter 4 we will improve our system in Chapter 3 by introducing a single phase protocol. In Chapter 5 we will present a hierarchical access control mechanism for SSE. We conclude in Chapter 6 by discussing future directions based on the results presented.
Chapter 2

Background

Song, Wagner and Perrig posed the question [1]: Given an encrypted document, how does one search for a word in that document? They created a system known as Searchable Symmetric Encryption (SSE) to answer just this question. In this chapter we present all the background information necessary to understand SSE. We start by reviewing a few details from probability and cryptography. We proceed to discuss two formal models of clouds and the existing security models for SSE. We conclude by discussing the existing work in the area.

2.1 Background on Probability

In order to understand modern cryptography, one needs a firm grasp on probability theory. In this section we will review the probability theory needed to understand Section 2.2. The ideas that must be understood are the notions of probability distributions, statistical distance, and computational indistinguishability.

We begin by discussing the idea of negligible functions. In cryptography we do not require that the adversary always fail, but that the adversary only succeeds with some very small nonzero probability. Formally, we call this small nonzero probability negligible, denoted by negl. This is an asymptotic notion which we formally define below.
Definition (Negligible Function [6]). A function $f(n)$ is called negligible if, for all polynomial functions $\mathrm{poly}(n)$ and for all $n > n_0$, we have $f(n) < \frac{1}{\mathrm{poly}(n)}$. If the bound holds, we denote $f(n)$ by $\mathrm{negl}(n)$.

We are interested in making statements about probability distributions. Define a sample space $S$ as the set of possible outcomes of some experiment and an event $A$ as a subset of $S$. A probability distribution is defined as follows:

Definition (Probability Distribution [7]). A probability distribution $\Pr(\cdot)$ on a sample space $S$ is a mapping from events of $S$ to real numbers satisfying the following axioms:

1. $\Pr(A) \ge 0$ for any event $A$.
2. $\Pr(S) = 1$.
3. $\Pr(A \cup B) = \Pr(A) + \Pr(B)$ for any two mutually exclusive events $A$ and $B$. More generally, for any (finite or countably infinite) sequence of events $A_1, A_2, \ldots$ that are pairwise mutually exclusive,

$$\Pr\left(\bigcup_i A_i\right) = \sum_i \Pr(A_i).$$

The notation $\Pr(A)$ also denotes the probability of event $A$. A random variable is a function $X : S \to \mathbb{R}$, where $S$ is a sample space. Given the definition of a probability distribution and the notion of a random variable, we can define the notion of a probability ensemble. A probability ensemble is a, possibly infinite, collection of probability distributions. Formally, we define them as follows:

Definition (Probability Ensemble [6]). Let $I$ be a countable set. A probability ensemble indexed by $I$ is a collection of random variables $\{X_i\}_{i \in I}$.
Several cryptographic discussions rely on the notion of one probability distribution being computationally indistinguishable from another. What this means is that one cannot construct a probabilistic polynomial-time algorithm that can distinguish one distribution from another with more than a negligible probability. Given the definition of a probability ensemble, we define computational indistinguishability formally as follows:

Definition (Computational Indistinguishability [6]). Two probability ensembles $X = \{X_n\}_{n \in \mathbb{N}}$ and $Y = \{Y_n\}_{n \in \mathbb{N}}$ are computationally indistinguishable, denoted $X \stackrel{c}{\equiv} Y$, if for every probabilistic polynomial-time distinguisher $D$ there exists a negligible function $\mathrm{negl}(n)$ such that

$$\left| \Pr\left(D(1^n, X_n) = 1\right) - \Pr\left(D(1^n, Y_n) = 1\right) \right| \le \mathrm{negl}(n),$$

where $D(1^n, X_n)$ means to choose $x$ according to distribution $X_n$, and then run $D(1^n, x)$.

2.2 Background on Cryptography

Searchable Symmetric Encryption is based on several cryptographic primitives. The necessary primitives are pseudorandom generators, pseudorandom functions, pseudorandom permutations, symmetric key encryption, and cryptographic hash functions. For discussions of these primitives please see, for example, [8, 6, 9].

Pseudo-Random Primitives

We consider a pseudorandom generator (PRG). A pseudorandom generator is a function provided with an $n$-bit input that expands its input to a longer sequence in a way that the distribution generated by the pseudorandom generator is computationally indistinguishable from being truly random. The precise definition follows.
Definition (Pseudo-Random Generator [6]). Let $l(\cdot)$ be a polynomial and $G$ a deterministic polynomial-time algorithm such that for any input $s \in \{0,1\}^n$, algorithm $G$ outputs a string of length $l(n)$. We say that $G$ is a pseudorandom generator if the following two conditions hold:

1. For every $n$ it holds that $l(n) > n$.
2. For any probabilistic polynomial-time distinguisher $D$, there exists a negligible function $\mathrm{negl}(n)$ such that

$$\left| \Pr\left(D(r) = 1\right) - \Pr\left(D(G(s)) = 1\right) \right| \le \mathrm{negl}(n),$$

where $r$ is chosen uniformly at random from $\{0,1\}^{l(n)}$, the seed, $s$, is chosen uniformly at random from $\{0,1\}^n$, and the probabilities are taken over the random coin tosses used by $D$ and the choice of $r$ and $s$.

A stronger pseudorandom primitive comes in the form of a pseudorandom function (PRF). A pseudorandom function is a member of a family of functions where the behavior of one function, drawn randomly from the family, is computationally indistinguishable from any other random function. A family of functions is a set of keyed functions $F : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^l$, where $k, n, l > 1$. If $k = n = l$ then we have a pseudorandom permutation (PRP). Formally, a pseudorandom function is defined as follows:

Definition (Pseudo-Random Function). A keyed function $F : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^l$ is pseudorandom if for any probabilistic polynomial-time distinguisher $D$, given oracle access to $F_k = F(k, \cdot)$, there exists a negligible function $\mathrm{negl}(n)$ such that

$$\left| \Pr\left(D^{F_K(\cdot)}(1^n) = 1\right) - \Pr\left(D^{f(\cdot)}(1^n) = 1\right) \right| \le \mathrm{negl}(n),$$
where $K \stackrel{R}{\leftarrow} \{0,1\}^k$ is chosen uniformly at random and $f$ is chosen uniformly at random from all functions that map $\{0,1\}^n$ to $\{0,1\}^l$.

If we have a family of length-preserving functions, then we get a PRP. We say a function is length-preserving if $|F(k, x)| = |x| = |k|$. Formally, this is given as follows:

Definition (Pseudo-Random Permutation [6]). Let $F : \{0,1\}^* \times \{0,1\}^* \to \{0,1\}^*$ be an efficient, length-preserving, keyed function. We say that $F$ is a pseudorandom permutation if for any probabilistic polynomial-time distinguisher $D$, there exists a negligible function $\mathrm{negl}(n)$ such that

$$\left| \Pr\left(D^{F_K(\cdot)}(1^n) = 1\right) - \Pr\left(D^{f(\cdot)}(1^n) = 1\right) \right| \le \mathrm{negl}(n),$$

where $K \stackrel{R}{\leftarrow} \{0,1\}^n$ is chosen uniformly at random and $f$ is chosen uniformly at random from the set of functions mapping $\{0,1\}^n$ to $\{0,1\}^n$. Notationally, $D^{f(\cdot)}(\cdot)$ means that $D$ uses $f$ as an oracle and $D$ can query $f$ a polynomial number of times.

Symmetric Encryption

Given a set $M$ known as the message space, a set $C$ known as the ciphertext space, and a set $K$ known as the key space, we define symmetric encryption as a tuple $(G, E, D)$ of probabilistic polynomial-time algorithms.

$G : 1^\lambda \to K$: The key generation algorithm takes a security parameter, $1^\lambda$, and selects a key $k \in K$.

$E : M \times K \to C$: The encryption algorithm takes a message and a key as input and outputs a string of ciphertext.
$D : C \times K \to M$: The decryption algorithm takes a string of ciphertext and a key as input and outputs the plaintext if, and only if, the ciphertext was encrypted with the key. Otherwise, $\bot$ is returned.

There is one correctness guarantee, namely, $D_k(E_k(m)) = m$ must hold for all keys $k$ and messages $m$. Notationally, we will write the key used for encryption and decryption as a subscript of the function, not as an argument.

The simplest practical security guarantee that a symmetric encryption scheme can exhibit is that of semantic security, meaning that an attacker is unable to learn anything about the plaintext except what is leaked by the ciphertext (e.g., length of the message). In other words, the probability of finding the plaintext from the ciphertext is not much different from guessing the plaintext without the ciphertext. Formally, this can be defined as follows:

Definition (Semantic Security for Symmetric Encryption [6]). A symmetric encryption scheme $(G, E, D)$ is semantically secure in the presence of an eavesdropper if for every probabilistic polynomial-time algorithm $A$, there exists a probabilistic polynomial-time algorithm $A'$, such that for all efficiently-sampleable distributions $X = (X_1, \ldots)$ and all polynomial-time computable functions $f$ and $h$, there exists a negligible function $\mathrm{negl}(n)$ such that

$$\left| \Pr\left(A(1^n, E_k(m), h(m)) = f(m)\right) - \Pr\left(A'(1^n, h(m)) = f(m)\right) \right| \le \mathrm{negl}(n),$$

where $m$ is chosen according to distribution $X_n$, and the probabilities are taken over the choice of $m$ and the key $k$, and any random coins used by $A$, $A'$, and the encryption process.

This definition is based on the pioneering work of Goldwasser and Micali [10]. From Goldwasser and Micali's work, Bellare, Desai, Jokipii, and Rogaway [11] defined semantic security for symmetric encryption systems.
Using pseudorandom generators, pseudorandom functions, and pseudorandom permutations one can construct symmetric encryption schemes. One-time pad encryption systems can be constructed from pseudorandom generators and block ciphers can be constructed from pseudorandom permutations or pseudorandom functions. In particular, block ciphers can be constructed using the Luby-Rackoff construction [12]. In the remainder of this dissertation we will consider a symmetric encryption system to be modeled as one of the pseudorandom primitives to exhibit its properties.

Cryptographic Hash Functions

We define a hash family $H$ as a family of surjective functions $h_s : \{0,1\}^n \to \{0,1\}^m$ for $m < n$. We say that the hash function, $h_s \in H$, is collision resistant if it is hard to find different strings $x_1, x_2 \in \{0,1\}^n$ that hash to the same value $v \in \{0,1\}^m$. We say that the hash function $h_s$ is preimage resistant if, given the value $h_s(x)$, an attacker can recover $x$ with only negligible probability. Lastly, we say that the hash function $h_s$ is second preimage resistant if, given a value $x \in \{0,1\}^n$, an attacker can find, with only negligible probability, an $x' \in \{0,1\}^n$ such that $h_s(x) = h_s(x')$.

Cryptographic hash functions are a family of collision, preimage, and second preimage resistant hash functions which are used in many areas of cryptography. They consist of a pair of probabilistic polynomial-time functions $(G, H)$. $G$ is used to select, at random, a key $s$. This key is an index of the hash function in the family. The function $h_s : \{0,1\}^* \to \{0,1\}^{l(n)}$ is drawn from $H$ according to $s$. The range of $h_s$ (i.e., $l(n)$) must be less than, or equal to, the length of the message being hashed. Cryptographic hash functions can be constructed from block ciphers using the Merkle-Damgård construction [13, 14].

Generally, the security of hash functions is modeled in two ways. The first is called the standard security model.
In the standard model, one only uses the three properties of cryptographic hash functions stated above. The second model, called the
random oracle model, treats a hash function as a random oracle. This random oracle responds with a random value for each query. However, if a query is repeated the oracle will respond with the same value. This model was first proposed by Goldreich, Goldwasser, and Micali in 1985 [15].

2.3 Searchable Encryption Framework

We make use of the following notation for discussing the results of research into SSE. Let $D = \{D_1, D_2, \ldots, D_n\}$ denote a collection of $n$ encrypted documents in the cloud storage, $\Sigma$ the alphabet over which characters from strings are drawn, and = $\{w_1, w_2, \ldots, w_d\}$ a dictionary of $d$ words drawn from $\Sigma$. We associate with each document in collection $D$ a number used as an index. The function is denoted by $id : D \to \mathbb{Z}$. Let $D(w_i)$ denote the set of document identifiers that contain the word $w_i$. We will use $m_1 m_2$ to denote the concatenation of messages $m_1$ and $m_2$.

For the remainder of this dissertation we will define our SSE systems following the rigorous framework of Curtmola, Garay, Kamara, and Ostrovsky in [5]. Their model consists of a tuple of four algorithms (Keygen, BuildIndex, Trapdoor, Search). These algorithms are defined as follows:

Keygen($1^\lambda$): A probabilistic algorithm run by the owner to set up the scheme. It takes a security parameter $\lambda$ as input, and returns a secret key $K$.

BuildIndex($K, D$): A probabilistic algorithm run by the owner to generate the indexes. It takes a key $K$ and a document collection $D$ as input and returns an index $I$.

Trapdoor($K, w$): An algorithm run by the owner to generate a trapdoor $T_w$, given a word $w$ and a key $K$.
Search($I, T_w$): An algorithm, run by the cloud, that searches for a keyword in the document collection. It takes an index $I$ and a trapdoor $T_w$ and returns the document identifiers for documents that contain word $w$.

An index, $I$, is a data structure, or set of data structures, that tracks keywords and documents that contain those keywords. We note that in some chapters of this dissertation we will assume that the model uses phrases $p$ instead of words $w$. This will cause small modifications to both the Trapdoor and Search function inputs.

There are two major forms of indexes used by SSE. They are the inverted index and the per-document index. The inverted index structure, borrowed from the field of information retrieval, is a single data structure that is used to associate each keyword with the set of documents in the document collection that contain the word [16]. The per-document index associates, with each document, a data structure that tracks the keywords stored in that document.

2.4 Index Data Structures

In this section we will discuss two data structures that permeate the research. These data structures are used to construct both per-document and inverted indexes. Indexes are required to provide two operations, Search and Insert, with a third optional operation, Delete. The Search operation is used to determine if a search key occurs in the data structure. The Insert operation is used to add a new key, with its associated data, to the data structure. The Delete operation is used to remove a key, and associated data, from the data structure. We present two index structures in this section, the trie and the Bloom Filter.

Devised by Fredkin [17], a trie is an index method which supports three main operations: Insert, Search, and Delete; all take a word $w \in \Sigma^*$ as input. A trie is a $|\Sigma \cup \{\$\}|$-ary tree, where each node of the tree is labeled with an element of $\Sigma \cup \{\$\}$.
Moreover, a root-to-leaf path through the tree denotes a word $w \in \Sigma^*$, which is terminated by a special character $\$ \notin \Sigma$.

The Insert operation appends a \$ to the input $w$. Starting at the root node of the tree, we use $w$ to create a path. The first time we reach a node that does not have the current corresponding letter in $w$, we add a subpath as a child to the current node. Moreover, we label this subpath appropriately with the remaining letters of $w$, terminating the path with a \$. We note that the insertion time within the trie is $O(|w|)$.

The Search operation uses input $w$ as a path through the tree. The function first adds a \$ to the path. If that path ends in a leaf, i.e., the path is a root-to-leaf path, the search is successful. Otherwise, the word does not exist in the dictionary. We note that the search time within the trie is $\Theta(|w|)$ in the worst case.

The Delete operation uses input $w$ as a path through the tree. This function will remove all nodes, in a bottom-up fashion, according to the path given by $w$. There is an exception: a node will not be removed if it has children that do not match the symbol indicated by the previous level in $w$. We note that the Delete time in the trie is $\Theta(|w|)$.

In this dissertation we will denote a trie by $T$ and a node of the trie by $T_{i,j}$, where $i$ is the depth of the node and $j$ the left-to-right placement of the node. We will denote the access to values stored in the node of $T$ by $T_{i,j}[s]$, where $s$ denotes the name of the field.

Devised by B. H. Bloom [18], a Bloom Filter is an index method which consists of a $k$-bit vector and three hash functions $h_1$, $h_2$, and $h_3$ with range $\{1, 2, \ldots, k\}$, and supports two operations: Insert and Search. The Insert operation inserts input $v$ by setting positions $h_1(v)$, $h_2(v)$, and $h_3(v)$ in the $k$-bit vector to 1. The Search operation determines if input $v$ is in the filter. To do this it checks if all locations $h_1(v)$, $h_2(v)$, and $h_3(v)$ in the $k$-bit vector are 1.
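The four-algorithm interface of Section 2.3, instantiated with a per-document Bloom filter index as described above; this is an added example for illustration, not a construction taken from the dissertation. It assumes HMAC-SHA256 as the pseudorandom function in place of $h_1, h_2, h_3$, a 4096-bit filter, zero-based bit positions, and a constructed three-document collection; all function and variable names are hypothetical.

```python
import hashlib
import hmac
import math
import secrets

NUM_HASHES = 3       # the Bloom filter described above uses h1, h2, h3
FILTER_BITS = 4096   # k, length of the bit vector (size chosen for this example)

# Constructed sample collection: document identifier -> plaintext keywords.
SAMPLE_DOCS = {
    1: "quarterly ledger audit finance",
    2: "turbine blueprint tolerance engineering",
    3: "payroll ledger finance review",
}


def prf(key, data):
    """HMAC-SHA256 standing in for the keyed pseudorandom function F_k."""
    return hmac.new(key, data, hashlib.sha256).digest()


def keygen(key_bytes=32):
    """Keygen(1^lambda): one independent PRF key per Bloom hash function."""
    return [secrets.token_bytes(key_bytes) for _ in range(NUM_HASHES)]


def trapdoor(keys, word):
    """Trapdoor(K, w): T_w = (F_K1(w), F_K2(w), F_K3(w)); needs the secret keys."""
    w = word.lower().encode()
    return tuple(prf(k, w) for k in keys)


def positions(trap, doc_id):
    """Bit positions for T_w in one document's filter.

    Re-keying with the document identifier makes the same word set different
    bits in different filters, so two filters cannot be compared bit-for-bit
    to find shared words.
    """
    tag = doc_id.to_bytes(8, "big")
    return [int.from_bytes(prf(t, tag), "big") % FILTER_BITS for t in trap]


def build_index(keys, docs):
    """BuildIndex(K, D): a per-document index, one Bloom filter per document."""
    index = {}
    for doc_id, text in docs.items():
        bits = bytearray(FILTER_BITS // 8)
        for word in set(text.split()):
            for pos in positions(trapdoor(keys, word), doc_id):
                bits[pos // 8] |= 1 << (pos % 8)   # Insert: set the bit to 1
        index[doc_id] = bits
    return index


def search(index, trap):
    """Search(I, T_w): run by the cloud, which holds the index but no key.

    A Bloom filter has no false negatives but can report false positives, so
    the result is a superset of the true matches.
    """
    hits = set()
    for doc_id, bits in index.items():
        if all((bits[p // 8] >> (p % 8)) & 1 for p in positions(trap, doc_id)):
            hits.add(doc_id)
    return hits


def shbc_search(index, trap, fraction=0.5):
    """A semi-honest-but-curious cloud: returns a nonzero fraction of the hits.

    Nothing in the (index, trapdoor) interface lets the client tell this answer
    from the honest one, which is the gap verifiable SSE is meant to close.
    """
    honest = sorted(search(index, trap))
    keep = max(1, math.ceil(len(honest) * fraction)) if honest else 0
    return set(honest[:keep])


def demo():
    """Build the index over the sample collection and query it both ways."""
    keys = keygen()
    index = build_index(keys, SAMPLE_DOCS)
    t = trapdoor(keys, "ledger")
    return search(index, t), shbc_search(index, t)


if __name__ == "__main__":
    honest, partial = demo()
    print("honest cloud:", sorted(honest))
    print("SHBC cloud:  ", sorted(partial))
```

The trapdoor is deterministic, so repeated queries for the same word are visible to the cloud as repeats even though the word itself is not.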
More informationShroud: Ensuring Private Access to LargeScale Data in the Data Center
Shroud: Ensuring Private Access to LargeScale Data in the Data Center Abstract Jacob R. Lorch, Bryan Parno, James Mickens Mariana Raykova Joshua Schiffman Microsoft Research IBM Research AMD Recent events
More informationRobust Set Reconciliation
Robust Set Reconciliation Di Chen 1 Christian Konrad 2 Ke Yi 1 Wei Yu 3 Qin Zhang 4 1 Hong Kong University of Science and Technology, Hong Kong, China 2 Reykjavik University, Reykjavik, Iceland 3 Aarhus
More informationWhy Johnny Can t Encrypt: A Usability Evaluation of PGP 5.0
Why Johnny Can t Encrypt: A Usability Evaluation of PGP 5.0 Alma Whitten School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 alma@cs.cmu.edu J. D. Tygar 1 EECS and SIMS University
More informationGroup Signatures: Authentication with Privacy
Group Signatures: Authentication with Privacy Authors Prof. Dr. Mark Manulis, Nils Fleischhacker, Felix Günther, Franziskus Kiefer, Bertram Poettering Cryptographic Protocols Group Department of Computer
More informationTowards Statistical Queries over Distributed Private User Data
Towards Statistical Queries over Distributed Private User Data Ruichuan Chen Alexey Reznichenko Paul Francis Johannes Gehrke Max Planck Institute for Software Systems (MPISWS), Germany Cornell University,
More informationOn Cryptographic Properties of LFSRbased Pseudorandom Generators
On Cryptographic Properties of LFSRbased Pseudorandom Generators InauguralDissertation zur Erlangung des akademischen Grades eines Doktors der Naturwissenschaften der Universität Mannheim vorgelegt von
More informationRevealing Information while Preserving Privacy
Revealing Information while Preserving Privacy Irit Dinur Kobbi Nissim NEC Research Institute 4 Independence Way Princeton, NJ 08540 {iritd,kobbi }@research.nj.nec.com ABSTRACT We examine the tradeoff
More informationLoad Shedding for Aggregation Queries over Data Streams
Load Shedding for Aggregation Queries over Data Streams Brian Babcock Mayur Datar Rajeev Motwani Department of Computer Science Stanford University, Stanford, CA 94305 {babcock, datar, rajeev}@cs.stanford.edu
More informationFairplay A Secure TwoParty Computation System
Fairplay A Secure TwoParty Computation System Dahlia Malkhi 1, Noam Nisan 1, Benny Pinkas 2, and Yaron Sella 1 1 The School of Computer Science and Engineering The Hebrew University of Jerusalem Email:
More informationHypercomputation: computing more than the Turing machine
Hypercomputation: computing more than the Turing machine Abstract: Toby Ord Department of Philosophy * The University of Melbourne t.ord@pgrad.unimelb.edu.au In this report I provide an introduction to
More informationMultiDimensional Range Query over Encrypted Data
MultiDimensional Range Query over Encrypted Data Elaine Shi John Bethencourt TH. Hubert Chan Dawn Song Adrian Perrig Carnegie Mellon University Abstract We design an encryption scheme called Multidimensional
More informationProvable Data Possession at Untrusted Stores
Provable Data Possession at Untrusted Stores Giuseppe Ateniese Randal Burns Reza Curtmola Joseph Herring Lea Kissner Zachary Peterson Dawn Song ABSTRACT We introduce a model for provable data possession
More information