Conjunctive, Subset, and Range Queries on Encrypted Data
Transcript of Conjunctive, Subset, and Range Queries on Encrypted Data
1
Conjunctive, Subset, and Range Queries on Encrypted Data
Dan Boneh (Stanford University), Brent Waters (SRI International)
2
Encryption Systems – Traditional View
(Figure: Salil's public key PK_Salil)
Salil gives private key to assistant Charlie
Charlie learns everything
3
Encryption Systems – New View
(Figure: Salil's public key PK_Salil)
Salil gives partial capabilities to Charlie
Charlie learns what he needs to know
Focus on “Searching Systems”
(Figure: encrypted messages labelled Subj: TCC, Subj: personal, Subj: our paper; Charlie's capability matches only Subj: TCC)
4
Filtering Encrypted Email
Set containment queries: Server learns nothing other than containment status.
(Figure: Alice's SK_alice issues token T_spam to the mail server; the server applies T_spam to E(PK_alice, email) and answers Yes/No to the query From ∈ Blacklist)
5
Routing Encrypted Email
Conjunction queries:
(Figure: Alice's SK_alice issues token T_cell to the mail server; the server applies T_cell to E(PK_alice, email) and answers Yes/No to the query From ∈ Friends AND subject = “urgent”)
6
Long term goal …
Goal: Public-key encryption system supporting
any predicate (poly-size circuits)
Sample application:
Spam predicate: P(m) = 1 if m is spam email
Mail server filters out encrypted spam email without decrypting email.
… seems far off
7
History
To date: primary focus on equality queries
SWP’00, GO’87: Equality queries on symmetric-key encrypted data
BDOP’04, AB…’05: Equality queries on public-key encrypted data
8
Definitions
Let Φ = {P1, …, Pn} be a set of predicates over Σ.
Pi : Σ → {0,1}   [e.g.: Pj(S) = 1 ⟺ S ≥ j]
A Φ-query system consists of 4 algorithms:
Setup(): outputs PK and SK
Encrypt(PK, S) → Ciphertext C (for S)
GenToken(SK, <P>) → Token TP (for P)
Query(TP, C) → Output P(S)
(Can allow message decryption on “hit” when P(S) = 1)
9
Security
Example: Σ = {1, …, n}, [Pj(x) = 1 ⟺ x ≥ j]
Adversary can request arbitrary tokens:
Clearly, adversary can distinguish Encrypt(PK, x) from Encrypt(PK, y)
… but Encrypt(PK, x) and Encrypt(PK, z) should be indistinguishable
(Figure: number line from 1 to n with token positions a, b, c and plaintexts x, y, z)
10
Secure Φ-query systems
Semantic security in the presence of arbitrary tokens:
Challenger: run Setup() → PK; sends PK to the Attacker
Attacker → Challenger: P1, P2, …, Pq
Challenger → Attacker: T1, T2, …, Tq
Attacker → Challenger: (S0), (S1) s.t. ∀j: Pj(S0) = Pj(S1)
Challenger: b ← {0,1}; C ← Encrypt(PK, Sb); sends C
Attacker: outputs b’ ∈ {0,1}
Adversary wins if: b = b’
11
The trivial brute-force system
Φ = {P1, …, Pn}; (KeyGen, Enc, Dec) a pub-key system
Setup(): Run KeyGen() n times
PK ← (PK1, …, PKn), SK ← (SK1, …, SKn)
Encrypt(PK, S): for j = 1, …, n:
Cj ← Enc(PKj, M) if Pj(S) = 1, Enc(PKj, ⊥) otherwise
output C ← (C1, …, Cn)
GenToken(SK, Pi): output T ← SKi
Query(T, C): output Dec(SKi, Ci)
Parameters: |CT| = O(n), |T| = O(1)
12
Best known constructions [BSW’06, BW’06]   (Sizes in # of group elements)

Encrypt S ∈ {1, …, n}:
  Query                 Trivial |CT|   Best known |CT|
  Equality (S = a)      O(n)           O(1)
  Comparison (S ≥ a)    O(n)           O(n)
  Subset (S ⊆ A)        O(2^n)         O(n)

Encrypt S = (S1, …, Sw) ∈ {1, …, n}^w --- conjunctions:
  Query                           Trivial |CT|   Best known |CT|
  S1 = a1 ∧ … ∧ Sw = aw           O(n^w)         O(w)
  S1 ≥ a1 ∧ … ∧ Sw ≥ aw           O(n^w)         O(nw)
  S1 ⊆ A1 ∧ … ∧ Sw ⊆ Aw           O(2^(nw))      O(nw)
13
Bilinear maps
G, GT: finite cyclic groups of prime order q.
Def: An admissible bilinear map e: G × G → GT is:
Bilinear: e(g^a, g^b) = e(g,g)^(ab)  ∀a, b ∈ Z, g ∈ G
Non-degenerate: g generates G ⟹ e(g,g) generates GT.
“Efficiently” computable.
14
Bilinear groups of order N = pq [BGN’05]
G: group of order N = pq; (p, q) secret.
Bilinear map: e: G × G → GT
G = Gp × Gq.  gp = g^q ∈ Gp;  gq = g^p ∈ Gq
Facts: ∀h ∈ G: h = (gq)^a · (gp)^b
e(gp, gq) = e(g^q, g^p) = e(g,g)^N = 1
e(gp, h) = e(gp, gp)^b !!
15
Subset query system
Goal: for any S ⊆ {1, …, n} and A ⊆ {1, …, n}, answer queries of type: PA(S) = 1 ⟺ S ⊆ A
Example: FromAddress ∈ Friends
Trivial system: |CT| = O(2^n).  Our goal: |CT| = O(n)
Approach: reformulate as conjunctive equality query
Encode S ⊆ {1, …, n} in unary:
σ(S) = (s1, …, sn) ∈ {0,1}^n
Then S ⊆ A ⟺ ∀a ∈ Ac: (sa = 0)
(Figure: unary vector 0 0 0 … 1 … 0 0 0; a position a ∈ Ac holding a 1 witnesses S ⊄ A)
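The unary reformulation above, as an added example that is not part of the talk: it encodes S as σ(S), rewrites PA as the conjunction of equalities sa = 0 over a ∈ Ac, and checks exhaustively (for a small n of our choosing) that the conjunction agrees with S ⊆ A. It also counts components the way the tables do: the trivial system needs one ciphertext per predicate PA, i.e. 2^n, while the unary vector has n bits, and the conjunction for PA has n − |A| equalities. Function names are ours.

```python
from itertools import combinations


def unary(S, n):
    """sigma(S) = (s_1, ..., s_n) with s_i = 1 iff i in S."""
    return [1 if i in S else 0 for i in range(1, n + 1)]


def conjunctive_equality_query(A, n):
    """P_A rewritten as the conjunction of equalities s_a = 0 over a in A^c."""
    return [(a, 0) for a in range(1, n + 1) if a not in A]


def evaluate_conjunction(query, vector):
    """Evaluate a list of (position, required bit) equalities on a unary vector."""
    return all(vector[pos - 1] == bit for pos, bit in query)


def subset_query(S, A, n):
    """P_A(S), computed through the unary reformulation."""
    return evaluate_conjunction(conjunctive_equality_query(A, n), unary(S, n))


def all_subsets(n):
    """Every subset of {1, ..., n} as a frozenset (2^n of them)."""
    for k in range(n + 1):
        for c in combinations(range(1, n + 1), k):
            yield frozenset(c)


def reformulation_is_exact(n):
    """Check S subset-of A <=> unary conjunction, for every pair S, A over {1..n}."""
    return all(subset_query(S, A, n) == S.issubset(A)
               for S in all_subsets(n) for A in all_subsets(n))


def ciphertext_components(n):
    """Trivial system: one PKE ciphertext per predicate P_A (2^n of them);
    unary reformulation: one component per bit s_i (n of them)."""
    return {"trivial": 2 ** n, "unary": n}


def conjunct_count(A, n):
    """Number of equalities in the query for P_A: n - |A| (cf. |T| = O(n - |A|))."""
    return len(conjunctive_equality_query(A, n))


if __name__ == "__main__":
    print(reformulation_is_exact(4), ciphertext_components(10), conjunct_count({2, 3}, 5))
```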
16
Construction Intuition – 1st Attempt
Use IBE techniques to encrypt to “vector” identity (s1, …, sn); get message if “true”
Problem: Can test identity by testing for DDH tuples between CT and PK
Solution: Make CTs, PK random in Gq, not DDH tuples
Tokens in Gp → Gq does not matter after pairing
Intuition: Disallow unintended application of pairing
17
Security
Thm: The system is a selectively secure subset query system assuming: Bilinear-DH assumption, and Composite 3-party DH assumption
Implied by Boneh’s Uber-Assumption
18
Summary and Open Problems
Queries on public key encrypted data:
Equality queries: efficient
Comparison queries (plaintext ≥ t): implies traitor tracing. Best construction: |CT| = O(sqrt(n)). Open: |CT| = O(log n)
Subset queries (plaintext ⊆ A): Best construction: |CT| = O(n). Open: |CT| = O(log n)
Similar constructions/questions for conjunctive queries
19
THE END
20
History
To date: primary focus on equality queries
SWP’00, GO’87: Equality queries on symmetric-key encrypted data
BDOP’04, AB…’05: Equality queries on public-key encrypted data
OS’05, BSW’06: Equality queries that hide predicate from server
BBO’06: Efficient equality searches in databases
BCPSS’06: Range queries in a weaker security model
21
Motivation: a few examples
Example 1: Visa gateway: forwarding encrypted CC transactions to the Visa system
(Figure: a transaction with fields VALUE and Exp-Date D is sent as Enc(PK_visa, Transaction); Visa's SK_visa issues token T_1000 to the Visa Gateway, which answers VALUE > $1000? with Yes/No and routes the transaction to the Low-Security Processor or the High-Security Processor accordingly)
22
Conjunction queries
Goal: gateway should not learn which conjunct failed.
Visa cannot simply give gateway two tokens
(Figure: Visa's SK_visa issues a single token T_P for the conjunction VALUE > 1000 AND exp-date < April 2007; the Visa Gateway answers Yes/No on the transaction (VALUE, Exp-Date D) and routes it to the Low-Security or High-Security Processor accordingly)
23
Best known constructions [BSW’06, BW’06]   (Sizes in # of group elements)

Encrypt S ∈ {1, …, n}:
  Query                 Trivial |CT|   Lower bound   Best known |CT|   |T|
  Equality (S = a)      O(n)           O(log n)      O(log n)          O(log n)
  Comparison (S ≥ a)    O(n)           O(log n)      O(n)              O(n)
  Subset (S ⊆ A)        O(2^n)         O(log n)      O(n)              O(n − |A|)

Encrypt S = (S1, …, Sw) ∈ {1, …, n}^w --- conjunctions:
  Query                           Trivial |CT|   Lower bound   Best known |CT|   |T|
  S1 = a1 ∧ … ∧ Sw = aw           O(n^w)         O(w log n)    O(w log n)        O(w log n)
  S1 ≥ a1 ∧ … ∧ Sw ≥ aw           O(n^w)         O(w log n)    O(nw)             O(w log n)
  S1 ⊆ A1 ∧ … ∧ Sw ⊆ Aw           O(2^(nw))      O(w log n)    O(nw)             O(w|A|)
24
The full system … But cannot prove the system secure.
The full system: add y1, …, yn to SK
GenToken(SK = w, A ⊆ {1, …, n}): t1,1, t1,2, … ← ZN
TA ← [ w · ∏_{a ∈ Ac} (va)^(ta,1) (ya)^(ta,2) , (u1^(t1,1), y1^(t1,2)), …, (un^(tn,1), yn^(tn,2)) ]
Thm: The system is a selectively secure subset query system assuming: Bilinear-DH assumption, and Composite 3-party DH assumption
25
The full system … But cannot prove the system secure. (Need a bit more)
Thm: The system is a selectively secure subset query system assuming: Bilinear-DH assumption, and Composite 3-party DH assumption (fragments of the “Uber-assumption”)
26
Binary conjunctive equality queries
A failed attempt using standard IBE technology: [BB’04]
G: bilinear group.  w, u, u1, …, v1, … ∈ G
Encrypt(PK, b = (b1, …, bn), M): r ← Zq
C ← [ e(u,w)^r, u^r, (u1^b1 · v1)^r, …, (un^bn · vn)^r ]
GenToken(SK = w, A ⊆ {1, …, n}): t1, …, tn ← Zq
TA ← [ w · ∏_{a ∈ Ac} (va)^ta, u^t1, …, u^tn ]
Query(TA, C): If (∀a ∈ Ac: ba = 0) then “algebra” returns M; otherwise random in G
Problem: C leaks (b1, …, bn):
bj = 0 ⟺ (u, vj, u^r, (uj^bj · vj)^r) is a DDH tuple
27
Composite order groups to the rescue …
G = Gp × Gq composite order group.  w, u, u1, …, v1, … ∈ Gp
PK: Blind u’s and v’s by Gq:
Ui ← ui · Ri,  Vi ← vi · Ri’  where Ri, Ri’ ∈ Gq
Encrypt(PK, b = (b1, …, bn), M): r ← ZN;  Z, Z1, … ← Gq
C ← [ e(u,w)^r, U^r · Z, (U1^b1 · V1)^r · Z1, …, (Un^bn · Vn)^r · Zn ]
No change to GenToken and Query
Note: Rj, Zi terms cancel in Query.
Main point: now DDH attack fails: bj = 0, but (U, Vj, U^r · Z, (Uj^bj · Vj)^r · Zj) is not a DDH tuple in G
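The algebra behind the composite-order trick (the facts on the N = pq slide, the "Gq does not matter after pairing" intuition, and the cancellation of the Rj, Zi blinding terms noted just above), as an added example that is not code from the talk. It uses an exponent model: each element g^a of G is stored as the exponent a mod N, so e(g^a, g^b) = e(g,g)^(ab) becomes the product ab mod N. This is a constructed teaching model with toy primes, not a pairing library; every discrete log is visible in it, so it can show the cancellation identities but says nothing about DDH hardness, which is exactly the part the real scheme relies on.

```python
# Exponent model of a symmetric bilinear group of composite order N = p*q.
# An element g^a is represented by a mod N; the pairing value e(g,g)^(ab) in G_T
# is represented by ab mod N. Toy primes, constructed for this example only.
p, q = 1009, 1013            # (p, q) is the secret in the real scheme
N = p * q


class Elt:
    """Element g^a of G = G_p x G_q, represented by its exponent a mod N."""

    def __init__(self, a):
        self.a = a % N

    def __mul__(self, other):            # g^a * g^b = g^(a+b)
        return Elt(self.a + other.a)

    def __pow__(self, k):                # (g^a)^k = g^(ak)
        return Elt(self.a * k)

    def __eq__(self, other):
        return isinstance(other, Elt) and self.a == other.a

    def __repr__(self):
        return f"g^{self.a}"


def pair(x, y):
    """e(g^a, g^b) = e(g,g)^(ab): returned as the exponent ab mod N in G_T."""
    return (x.a * y.a) % N


ONE = Elt(0)                 # identity of G
g = Elt(1)
gp = g ** q                  # generator of G_p (order p)
gq = g ** p                  # generator of G_q (order q)


def subgroup_orders():
    """g_p^p = 1 and g_q^q = 1."""
    return (gp ** p == ONE, gq ** q == ONE)


def pairing_kills_cross_terms():
    """e(g_p, g_q) = e(g^q, g^p) = e(g,g)^N = 1, i.e. exponent 0 in G_T."""
    return pair(gp, gq) == 0


def pairing_sees_only_gp_part(a, b):
    """For h = g_q^a * g_p^b: e(g_p, h) = e(g_p, g_p)^b; the G_q part of h vanishes."""
    h = (gq ** a) * (gp ** b)
    return pair(gp, h) == (pair(gp, gp) * b) % N


def blinded_query_cancels(alpha, rho, r, zeta, t):
    """u in G_p is published as U = u * R with R in G_q; the ciphertext component is
    U^r * Z with Z in G_q; the token component lies in G_p. Pairing with the token
    gives the same value as in the unblinded system, so R and Z cancel in Query."""
    u = gp ** alpha
    R = gq ** rho
    Z = gq ** zeta
    U = u * R
    token = gp ** t
    return pair((U ** r) * Z, token) == pair(u ** r, token)


if __name__ == "__main__":
    print(subgroup_orders(), pairing_kills_cross_terms(),
          pairing_sees_only_gp_part(5, 7), blinded_query_cancels(3, 11, 5, 9, 4))
```

The model makes the "unintended application of pairing" point concrete: any factor living in Gq is annihilated when paired against a Gp element, so the token (in Gp) extracts only the Gp part of a ciphertext component, while an outsider holding only Gq-blinded public values has no Gp element to pair with.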
28
Selectively secure Φ-query systems
Attacker → Challenger: commits to S0, S1 before Setup
Challenger: run Setup() → PK; sends PK to the Attacker
Attacker → Challenger: P1, P2, …, Pq s.t. ∀j: Pj(S0) = Pj(S1)
Challenger → Attacker: T1, T2, …, Tq
Challenger: b ← {0,1}; C ← Encrypt(PK, Sb); sends C
Attacker: outputs b’ ∈ {0,1}
Adversary wins if: b = b’