Note: Differentially Private Access Patterns for Searchable Symmetric Encryption

The Core Issues and Ideas of This Paper

Problem

  • Baseline Searchable Symmetric Encryption (SSE) could not avoid access-pattern leakage.
  • ORAM algorithm performance is extremely low and cannot be applied in practice.

Idea

Solve the Access-pattern Leakage of current SSE by introducing differential privacy.

Important knowledge

Searchable Symmetric Encryption (SSE)

An SSE scheme is a tuple (KeyGen, BuildIndex, Token, Search, SKE) and asymmetric key encryption scheme.
Screen Shot 2018-11-03 at 19.50.52

  • (\(`K_I`\), \(`K_D`\) ) ← KeyGen(\(`1^\kappa`\) ): Probabilistic key generation.
    • Security parameter \(`\kappa`\): input.
    • Secret key \(`K_I`\): For the secure index,
    • Secret key \(`K_D`\) ← SKE.Gen(\(`1^\kappa`\)): For the document collection.
  • \(`I`\) ← BuildIndex(\(`K_I`\), \(`(D, W)`\)): Probabilistic algorithm for the client to build a secure index.
    • \(`K_I`\): input.
    • \(`D`\): Document collection.
    • \(`W`\): keyword lists W.
    • \(`I`\): Secure index.
  • \(`\tau`\) ← Token(\(`K_I`\), \(`w`\)): (Probabilistic) algorithm for the client to generate search tokens.
  • \(`R`\) ← Search(\(`I`\), \(`\tau`\)): Deterministic algorithm for the server.
    • \(`R`\): Document identifications.
  • \(`c`\) ← SKE.Enc(\(`K_D`\), \(`D`\)): Probabilistic algorithm for the client to encrypt the document collection.
  • \(`D`\) ← SKE.Dec(\(`K_D`\), \(`c`\)): Deterministic algorithm for the client to decrypt a ciphertext of a document.

Access-pattern Leakage

In the practical application of SSE, there is Access-pattern Leakage. The main reasons are list as flow:

  • The cloud server is able to observe which files are accessed in the encrypted database by the client.
  • To be used in practice, most existing SSE schemes allow it.
  • With some a priori knowledge of the outsourced documents, the adversary could recover the content of the queries with high accuracy.

Query Recovery Attack (IKK Attack)

IKK attack is a typical attack method for SSE with Access-pattern Leakage.

Assumption

The adversary has the knowledge of a (\(`r\times r`\) matrix \(`M`\) that depicts the probability of keyword co-occurrence (r is the number of keywords).

Method
  1. Compute \(`l\times l`\) co-occurrence matrix \(`\hat{M}`\) by the observed access patterns(a sub-matrix of \(`M`\)).
  2. The best match of \(`\hat{M}`\) to \(`M`\) can be generated by optimization methods (e.g. Simulated Annealing).

ORAM Algorithm

This algorithm allows SSE to defend against Access-pattern Leakage (with IKK attack method), but has serious performance problems and is of low practical value.

  • Allows a client to hide its access pattern from the remote server by continuously shuffling and re-encrypting data as they are accessed.
  • Access one of n documents in the storage, at least o(log n) documents need to be accessed. [Too much overhead for SSE]

Differential Privacy

Differential Privacy introduction: The Differential Privacy Frontier (Extended Abstract)

Assuming a positive real number \(`\epsilon`\), \(`A`\) is a random algorithm that takes a data set as input (representing the data owned by the relying party). \(`imA`\) represents the mapping of \(`A`\). For all data sets \(`D_1`\) and \(`D_2`\) of non-single elements (i.e., one person's data) and all subsets \(`S`\) of \(`imA`\), algorithm \(`A`\) is \(`\epsilon - differential \quad privacy`\), where the probability depends on the randomness of the algorithm.

Pr[A(D_1)\in S]\leqslant e^\epsilon \times Pr[A(D_2) \in S]

If an attacker is required to receive a \(`Q_i`\) (\(`i_{th}`\) query) value through a \(`\epsilon - differential \quad privacy`\) algorithm, he will not be able to distinguish between the two data sets if \(`\epsilon`\) is small enough.

Erasure Coding

The erasure code is the main method for adding redundancy to the Secure index.
Notes on erasure codes that I have posted on cnblogs

Key points

Assumption

  • Adversary has complete knowledge of the document collection.
  • Server simply passively monitors the storage access patterns and infers the content of the corresponding queries.

Why Introduce Differential Privacy for SSE

Differential privacy is a strong privacy guarantee for an individual’s input to a (randomized) function or sequence of functions.

Differential Privacy rules imply that the adversary cannot distinguish between queries using distinct search terms that induce access patterns that are within the specified distance of one another.

d-privacy

Here, \(`d`\) represents the Hamming distance in the access-pattern vector. By the parameter \(`d`\), the generalized \(`\epsilon - differential \quad privacy`\) definition is designed (add \(`d`\) as a parameter of \(`e^{\epsilon d}`\)).

d-private Access-pattern Obfuscation Mechanism

Add the two following part to SSE:
  • Obfuscate the access patterns: Add false positives and false negatives to the search results.
  • To handle the correctness issue: Introduce redundancy to the document collection using erasure codes.
The way to establish d-privacy APO

Define an access-pattern obfuscation mechanism \(`K`\) : \(`X \rightarrow Y`\) gives \(`\epsilon d_{h}-privacy`\), iff \(`\forall x,x' \in X`\) and \(`\forall S \subseteq Y`\) (using the Hamming distance \(`d_h`\))

Pr[K(x)\in S]\leqslant e^{\epsilon d_h(x,x')} \times Pr[K(x') \in S]

Define an obfuscation mechanism \(`K_f`\) such that, given an access pattern \(`x \in X`\), it outputs any \(`y \in Y`\) with probability

Pr[K_f(x)=y]=Pr[x|y]=\prod^n_{i=1}Pr[y_i|x_i]

Where

Pr[y_i=1|x_i=1]=p \qquad Pr[y_i=1|x_i=0]=q
Pr[y_i=0|x_i=1]=1-p \quad Pr[y_i=0|x_i=0]=1-q

Enforce two constraints on p and q to make the mechanism practical:

  • \(`Pr[y_i = 1|x_i = 0] < Pr[y_i = 1|x_i = 1]`\): non-matching shard should have a lower probability to be retrieved than a matching shard;
  • \(`Pr[y_i = 1|x_i = 0] < Pr[y_i = 0|x_i = 1]`\): non-matching shard should have a lower probability to be flipped than a matching shard.

Means that \(`q < p`\) and \(`q < 1-p`\). And find out that \(`\epsilon = ln(\frac{p}{q})`\).

By using the (m,k) erasure code, six parameter optimization conditions are established, and the values of all the variables required are obtained.

Workloads

  • Defined d-privacy for access patterns of general SSE schemes.
  • Proposed a d-private access-pattern obfuscation mechanism that is compatible with existing SSE schemes.
  • Implemented a prototype of the proposed obfuscation mechanism.

Evaluation

Based on the Enron Email Dataset.

Security

  • Baseline IKK attack on SSE with and without access-pattern obfuscation method.
  • Improved IKK attack (Adversary can successfully figure out which shards belong to the same documents) on SSE with and without access-pattern obfuscation method.

Performance

  • Storage and Communication Overhead
  • Precision
  • Runtime Overhead (build SSE local)

转载于:https://www.cnblogs.com/tinoryj/p/10607412.html

Here is the completed code for Differentially Private Stochastic Gradient Descent, including per-example clipping and adding Gaussian noise as well as privacy budget composition: ```python import numpy as np from scipy import optimize from scipy.stats import norm import math def per_example_clipping(grad, clip_factor): """ Clip the gradient per example with a given clip factor. """ return np.clip(grad, -clip_factor, clip_factor) def add_gaussian_noise(grad, sigma): """ Add Gaussian noise to the gradient with a given standard deviation. """ return grad + np.random.normal(0, sigma, grad.shape) def get_epsilon(epoch, delta, sigma, sensitivity, batch_size, training_nums): """ Compute epsilon with basic composition from given epoch, delta, sigma, sensitivity, batch_size and the number of training set. """ steps = math.ceil(training_nums / batch_size) * epoch epsilon = sigma * math.sqrt(2 * math.log(1.25 / delta)) / sensitivity return epsilon * steps def dp_sgd(X, y, epochs, batch_size, clip_factor, sigma, delta): n, d = X.shape w = np.zeros(d) for epoch in range(epochs): for i in range(0, n, batch_size): X_batch = X[i:i+batch_size] y_batch = y[i:i+batch_size] grad = np.mean(X_batch * (sigmoid(X_batch.dot(w)) - y_batch).reshape(-1, 1), axis=0) clipped_grad = per_example_clipping(grad, clip_factor) noise_grad = add_gaussian_noise(clipped_grad, sigma) w -= noise_grad epsilon = get_epsilon(epoch+1, delta, sigma, clip_factor/batch_size, batch_size, n) print("Epoch {}: Epsilon = {}".format(epoch+1, epsilon)) return w ``` The `per_example_clipping` function clips the gradient per example with a given clip factor. The `add_gaussian_noise` function adds Gaussian noise to the gradient with a given standard deviation. The `get_epsilon` function computes epsilon with basic composition from given epoch, delta, sigma, sensitivity, batch_size and the number of training set. The `dp_sgd` function performs Differentially Private Stochastic Gradient Descent. For each epoch, it loops over the training set in batches and computes the gradient of the loss function using the sigmoid function. It then clips the gradient per example, adds Gaussian noise to the clipped gradient, and updates the weight vector. Finally, it computes the privacy budget using the `get_epsilon` function and prints it out. Note that the `get_epsilon` function uses basic composition to compute the privacy budget. It calculates the total number of steps based on the number of epochs and the batch size, and then uses the formula for epsilon with basic composition to compute the privacy budget for each epoch. It is worth noting that basic composition may not provide the tightest bound on privacy, and using the Moments Accountant method may provide a tighter bound.
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值