On-line databases, particularly databases available over a network, such as the Internet, can provide virtually unlimited access to various stored forms of information, whether by design or inadvertence. As a result, maintaining sensitive information securely in on-line databases has become increasingly important, especially in light of concerns over identity theft and compliance with medical information privacy laws. Ensuring the safety of sensitive information requires protecting the privacy interests of the user against unauthorized users and from the server seeing the user's queries.
Unauthorized users attempt to gain surreptitious access to sensitive information either directly or by inference. Direct access requires obtaining the sensitive information by circumventing security safeguards and compromising the data by direct attack. Inferential access is an indirect attempt to determine sensitive information through a sequence of queries of non-sensitive information whose answers, taken together, allow an improper inference to be drawn about the sensitive information. Such query sequences are known as inference channels. Access and inference control can respectively protect against direct or inferential sensitive information compromise by controlling each response to a query.
As repositories of the sensitive information, servers are generally viewed as disinterested in the nature of the sensitive information stored. However, the act of submitting a query to a server presents the possibility of a loss of privacy interests to an honest but “curious” server, where the user suffers a loss of privacy due to exposure of the query to the server. The mere fact of the attribute being searched, the frequency of searching and whether the response is blocked can be revealing, even if actual sensitive information is not compromised. Private information retrieval allows users to retrieve information from a server privately and without compromise due to queries.
Sensitive information must be safeguarded against compromise from unauthorized users, especially with respect to indirect means of compromise through inference channels. Similarly, a server is expected to safeguard against both unauthorized direct access and inference channels, even though the blocking of a query can remain secret. Thus, protecting the privacy interests of a user against unauthorized users and curious but honest servers creates a dilemma over how best to ensure that unauthorized users are not able to infer sensitive information without letting the server know what information is being retrieved.
U.S. Pat. No. 7,146,375, issued Dec. 5, 2006 to Egilsson et al., describes an inference control method in a data cube. Attributes used to determine how data is aggregated and viewed are rearranged by modifying hypercube realizations in such a way that modified schemes satisfy identity protection requirements for inference control. The same processes can also be used to enforce rewriting of hierarchies in such a way that modified structure reveals colorations and patterns in a dataset. However, the Egilsson reference fails to describe ensuring privacy of queries relative to an honest but curious server.
B. Aiello et al., “Priced Oblivious Transfer: How to Sell Digital Goods,” Advances in Cryptology-Eurocrypt '01 (2001), describes an inference channel control scheme that associates prices with attributes of records. Buyers can successfully retrieve selected items as long as the buyers' balance contains sufficient funds. Items whose costs exceed the remaining budget cannot be retrieved and the vendor, that is, server, learns nothing except the amount of interaction and initial deposit amount. However, the inference channel control scheme provides a specific solution to a subclass of inference control problems and cannot be applied to an arbitrary subset of inference channels selected from a set of potentially searchable data.
B. Chor et al., “Private Information Retrieval,” Proc. of FOCS '95 (1995), describes private inference control, whereby the server learns nothing about the query. However, the Chor reference fails to provide control over arbitrary inference channels.
X. Qian et al., “Detection and Elimination of Inference Channels in Multilevel Relational Database Systems,” Proc. of IEEE Symp. on Research in Security and Privacy, pp. 196-205 (1993), describes a tool for assisting database designers in detecting and eliminating potential sources of inference problems in multilevel relational database schemas. Inferences can be blocked by upgrading the security classification of some foreign key relationships. However, the Qian reference fails to provide protection against a server seeing the user's queries.
Therefore, there is a need for providing secure control over inference channels in combination with private information retrieval.