TY - GEN
T1 - Obfuscated databases and group privacy
AU - Narayanan, Arvind
AU - Shmatikov, Vitaly
PY - 2005
Y1 - 2005
N2 - We investigate whether it is possible to encrypt a database and then give it away in such a form that users can still access it, but only in a restricted way. In contrast to conventional privacy mechanisms that aim to prevent any access to individual records, we aim to restrict the set of queries that can be feasibly evaluated on the encrypted database. We start with a simple form of database obfuscation which makes database records indistinguishable from lookup functions. The only feasible operation on an obfuscated record is to look up some attribute Y by supplying the value of another attribute X that appears in the same record (i.e., someone who does not know X cannot feasibly retrieve Y). We then (i) generalize our construction to conjunctions of equality tests on any attributes of the database, and (ii) achieve a new property we call group privacy. This property ensures that it is easy to retrieve individual records or small subsets of records from the encrypted database by identifying them precisely, but "mass harvesting" queries matching a large number of records are computationally infeasible. Our constructions are non-interactive. The database is transformed in such a way that all queries except those explicitly allowed by the privacy policy become computationally infeasible, i.e., our solutions do not rely on any access-control software or hardware.
AB - We investigate whether it is possible to encrypt a database and then give it away in such a form that users can still access it, but only in a restricted way. In contrast to conventional privacy mechanisms that aim to prevent any access to individual records, we aim to restrict the set of queries that can be feasibly evaluated on the encrypted database. We start with a simple form of database obfuscation which makes database records indistinguishable from lookup functions. The only feasible operation on an obfuscated record is to look up some attribute Y by supplying the value of another attribute X that appears in the same record (i.e., someone who does not know X cannot feasibly retrieve Y). We then (i) generalize our construction to conjunctions of equality tests on any attributes of the database, and (ii) achieve a new property we call group privacy. This property ensures that it is easy to retrieve individual records or small subsets of records from the encrypted database by identifying them precisely, but "mass harvesting" queries matching a large number of records are computationally infeasible. Our constructions are non-interactive. The database is transformed in such a way that all queries except those explicitly allowed by the privacy policy become computationally infeasible, i.e., our solutions do not rely on any access-control software or hardware.
KW - Database privacy
KW - Obfuscation
UR - http://www.scopus.com/inward/record.url?scp=33745784545&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33745784545&partnerID=8YFLogxK
U2 - 10.1145/1102120.1102135
DO - 10.1145/1102120.1102135
M3 - Conference contribution
AN - SCOPUS:33745784545
SN - 1595932267
SN - 9781595932266
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 102
EP - 111
BT - CCS 2005 - Proceedings of the 12th ACM Conference on Computer and Communications Security
T2 - CCS 2005 - 12th ACM Conference on Computer and Communications Security
Y2 - 7 November 2005 through 11 November 2005
ER -