Publication


Featured research published by Binh D. Vo.


IEEE Symposium on Security and Privacy | 2014

Blind Seer: A Scalable Private DBMS

Vasilis Pappas; Fernando Krell; Binh D. Vo; Vladimir Kolesnikov; Tal Malkin; Seung Geol Choi; Wesley George; Angelos D. Keromytis; Steven Michael Bellovin

Query privacy in secure DBMS is an important feature, although rarely formally considered outside the theoretical community. Because of the high overheads of guaranteeing privacy in complex queries, almost all previous works addressing practical applications consider limited queries (e.g., just keyword search), or provide a weak guarantee of privacy. In this work, we address a major open problem in private DB: efficient sublinear search for arbitrary Boolean queries. We consider scalable DBMS with provable security for all parties, including protection of the data from both server (who stores encrypted data) and client (who searches it), as well as protection of the query, and access control for the query. We design, build, and evaluate the performance of a rich DBMS system, suitable for real-world deployment on today's medium- to large-scale DBs. On a modern server, we are able to query a formula over 10TB, 100M-record DB, with 70 searchable index terms per DB row, in time comparable to (insecure) MySQL (many practical queries can be privately executed with work 1.2-3 times slower than MySQL, although some queries are costlier). We support a rich query set, including searching on arbitrary Boolean formulas on keywords and ranges, support for stemming, and free keyword searches over text fields. We identify and permit a reasonable and controlled amount of leakage, proving that no further leakage is possible. In particular, we allow leakage of some search pattern information, but protect the query and data, provide a high level of privacy for individual terms in the executed search formula, and hide the difference between a query that returned no results and a query that returned a very small result set. We also support private and complex access policies, integrated in the search process so that a query with empty result set and a query that fails the policy are hard to tell apart.


IEEE International Conference on Cloud Computing Technology and Science | 2009

Secure anonymous database search

Mariana Raykova; Binh D. Vo; Steven Michael Bellovin; Tal Malkin

There exist many large collections of private data that must be protected on behalf of the entities that hold them or the clients they serve. However, there are also often many legitimate reasons for sharing that data in a controlled manner. How can two parties decide to share data without prior knowledge of what data they have? For example, two intelligence agencies might be willing to cooperate by sharing documents about a specific case, and need a way of determining which documents might be of interest to each other. We introduce and address the problem of allowing such entities to search each other's data securely and anonymously. We aim to protect the content of the queries, as well as the content of documents unrelated to those queries, while concealing the identity of the participants. Although there exist systems for solving similar problems, to our knowledge we are the first to address this specific need and also the first to present a secure anonymous search system that is practical for real-time querying. In order to achieve this in an efficient manner, we make use of Bloom filters [5], definitions of security for deterministic encryption [22] that we adapt and instantiate in the private key setting, and of a novel encryption primitive, reroutable encryption.


IEEE Symposium on Security and Privacy | 2015

Malicious-Client Security in Blind Seer: A Scalable Private DBMS

Ben A. Fisc; Binh D. Vo; Fernando Krell; Abishek Kumarasubramanian; Vladimir Kolesnikov; Tal Malkin; Steven Michael Bellovin

The Blind Seer system (Oakland 2014) is an efficient and scalable DBMS that affords both client query privacy and server data protection. It also provides the ability to enforce authorization policies on the system, restricting clients' queries while maintaining the privacy of both query and policy. Blind Seer supports a rich query set, including arbitrary Boolean formulas, and is provably secure with respect to a controlled amount of search pattern leakage. No other system to date achieves this tradeoff of performance, generality, and provable privacy. A major shortcoming of Blind Seer is its reliance on semi-honest security, particularly for access control and data protection. A malicious client could easily cheat the query authorization policy and obtain any database records satisfying any query of its choice, thus violating basic security features of any standard DBMS. In sum, Blind Seer offers additional privacy to a client, but sacrifices a basic security tenet of DBMS. In the present work, we completely resolve the issue of a malicious client. We show how to achieve robust access control and data protection in Blind Seer with virtually no added cost to performance or privacy. Our approach also involves a novel technique for a semi-private function secure function evaluation (SPF-SFE) that may have independent applications. We fully implement our solution and report on its performance.


Data Compression Conference | 2004

Using column dependency to compress tables

Binh D. Vo; Kiem-Phong Vo

Large amounts of business data are kept in tables of fixed-length records. Columns in such a table may be functionally dependent on one another, resulting in low overall information content. This paper shows how to exploit this source of information redundancy to compress table data. Experiments with a wide variety of massive tables including telecom data and stock quotes show that this technique compresses table data well, up to 48:1 or even 100:1 reduction in some cases.


IEEE Symposium on Security and Privacy | 2012

Usable, Secure, Private Search

Mariana Raykova; Ang Cui; Binh D. Vo; Bin Liu; Tal Malkin; Steven Michael Bellovin; Salvatore J. Stolfo

Real-world applications commonly require untrusting parties to share sensitive information securely. This article describes a secure anonymous database search (SADS) system that provides exact keyword match capability. Using a new reroutable encryption and the ideas of Bloom filters and deterministic encryption, SADS lets multiple parties efficiently execute exact-match queries over distributed encrypted databases in a controlled manner. This article further considers a more general search setting allowing similarity searches, going beyond existing work that considers similarity in terms of error tolerance and Hamming distance. This article presents a general framework, built on the cryptographic and privacy-preserving guarantees of the SADS primitive, for engineering usable private secure search systems.


Theoretical Computer Science | 2007

Compressing table data with column dependency

Binh D. Vo; Kiem-Phong Vo

Tables are two-dimensional arrays given in row-major order. Such data have unique features that could be exploited for effective compression. For example, tables often represent database files with rows as records so certain columns or fields in a table may have few distinct values. This means that simply transposing the data can make it compress better. Further, a large source of information redundancy in a table is the correlation among columns representing related types of data. This paper formalizes the notion of column dependency as a way to capture this information redundancy across columns and discusses how to automatically compute and use it to substantially improve table compression.


Archive | 2009

Cybersecurity through an Identity Management System

Elli Androulaki; Binh D. Vo; Steven Michael Bellovin

Cybersecurity is a concern of growing importance as internet usage continues to spread into new areas. Strong authentication combined with accountability is a powerful measure towards individuals’ protection against any type of identity theft. On the other hand, such strong identification raises privacy concerns. In this paper, we argue that authentication, accountability and privacy can be combined into a single, deployable identity management system which can be adopted to current citizenship database infrastructures. More specifically, we present the properties that such a system would need in order to meet the applications of current infrastructures, aid in general operations of day to day life, and take into consideration the privacy of individuals.


International Conference on Security and Privacy in Communication Systems | 2014

Anonymous Publish-Subscribe Systems

Binh D. Vo; Steven Michael Bellovin

Publish-subscribe protocols offer a unique means of data distribution that has many applications for distributed systems. These protocols enable message delivery based on subscription rather than specific addressing, meaning a message is addressed by a subject string rather than to a specific recipient. Recipients may then subscribe to subjects they are interested in receiving using a variety of parameters, and receive these messages immediately without having to poll for them. This format is a natural match for anonymous delivery systems: systems that enable users to send messages without revealing their identity. These systems are an area of great interest, ranging from messaging relays like Tor, to publication systems like FreeHaven. However, existing systems do not allow delivery based on topics, a mechanism which is a natural match for anonymous communication since it is not addressed based on identity. We concretely describe the properties of and propose a system that allows publish-subscribe based delivery, while protecting the identities of both the publishers and subscribers from each other, from outside parties, and from entities that handle the implementation of the system.


European Symposium on Research in Computer Security | 2010

Privacy-preserving, taxable bank accounts

Elli Androulaki; Binh D. Vo; Steven Michael Bellovin

Current banking systems do not aim to protect user privacy. Purchases made from a single bank account can be linked to each other by many parties. This could be addressed in a straightforward way by generating unlinkable credentials from a single master credential using Camenisch and Lysyanskaya's algorithm; however, if bank accounts are taxable, some report must be made to the tax authority about each account. Assuming a flat-rate taxation mechanism (which can be extended to a progressive one) and using unlinkable credentials, digital cash, and zero knowledge proofs of knowledge, we present a solution that prevents anyone, even the tax authority, from knowing which accounts belong to which users, or from being able to link any account to another or to purchases or deposits.


Archive | 2010

Trade-offs in Private Search

Vasileios Pappas; Mariana Raykova; Binh D. Vo; Steven Michael Bellovin; Tal Malkin

Encrypted search — performing queries on protected data — is a well researched problem. However, existing solutions have inherent inefficiency that raises questions of practicality. Here, we step back from the goal of achieving maximal privacy guarantees in an encrypted search scenario to consider efficiency as a priority. We propose a privacy framework for search that allows tuning and optimization of the tradeoffs between privacy and efficiency. As an instantiation of the privacy framework we introduce a tunable search system based on the SADS scheme and provide detailed measurements demonstrating the tradeoffs of the constructed system. We also analyze other existing encrypted search schemes with respect to this framework. We further propose a protocol that addresses the challenge of document content retrieval in a search setting with relaxed privacy requirements.
