Multi-Dimensional Range Query over Encrypted Data
description
Transcript of Multi-Dimensional Range Query over Encrypted Data
Multi-Dimensional Range Query over Encrypted Data
Authors: Elaine Shi, Joint work with John Bethencourt, Hubert Chan, Dawn Song, Adrian PerrigSlides originated from Elaine Shi, modified by Michael ChenCSC 774 Advanced Network SecurityInstructor: Dr. Peng NingPresenter: Michael ChenApril 19, 2007
2Speaking Requirement Talk
Motivation - Network Audit Logs
Network gateway
Data center
3Speaking Requirement Talk
An Ideal Solution
Network gateway
Data center
4Speaking Requirement Talk
Auditor
auditor
Trusted authority
Query:(100 · port · 200) Æ ( ip 2 128.1.*.* )
5Speaking Requirement Talk
Auditor
auditor
Trusted authority
Capability: (100 · port · 200) Æ ( ip 2 128.1.*.* )
Query:(100 · port · 200) Æ ( ip 2 128.1.*.* )
6Speaking Requirement Talk
Security
Query:
(100 · port · 200) Æ (ip 2 128.1.*.*)
• Can decrypt all matching entries
• Cannot learn additional information for non-matching entries– Except for the fact that they do not match
7Speaking Requirement Talk
The Challenges
• Current practices:– No encryption– All-or-nothing decryption
• Challenge:– How to design such an encryption scheme– Efficiency– Security
8Speaking Requirement Talk
Related work
• Search on encrypted data (SoE)– Not clear if can be extended to range query
over multiple attributes.
• Anonymous hierarchical IBE (AHIBE)– Could be used to implement MRQED,
encryption cost O(TD)
• Concurrent work– BonehWaters06: Complex query over
encrypted data. More expensive public key size, encryption cost, cheaper decryption cost and shorter decryption key size.
9Speaking Requirement Talk
Generalized Problem Definition
• Time-stamp t, source address a, destination
port p• A tuple (t, a, p) can be viewed as a point x in
3 dimensional space. • Query for flows with• Hyper-rectangle B in space
• x is in B ?
1 2 1 2 1 2[ , ], [ , ], [ , ]t t t a a a p p p
1 2 1 2 1 2[ , ] [ , ] [ , ]t t a a p p
10Speaking Requirement Talk
Generalized Problem Definition
• KeyGen– Key generation
• Encrypt– Encryption
• DeriveKey– Compute a decryption key
• QueryDecrypt– Attempt to decrypt using a capability
11Speaking Requirement Talk
KeyGen (, n)
• Input– k: security parameter– n: bit-length of x
• Output– public key PK & master
private key SK
KeyGen(, n)
Trusted authority
12Speaking Requirement Talk
Encrypt(PK, x, msg)
x – a point
Cipher_Text à Encrypt(PK, x, msg)
13Speaking Requirement Talk
DeriveKey(PK, SK, B )
B – “hyper-rectangle”
DKB
t1
t2
r1 r2
14Speaking Requirement Talk
QueryDecrypt(PK, DK, C)
• Output – msg if– if
x B x B
15Speaking Requirement Talk
Roadmap
• Trivial construction
• AIBE – MRQED1
– Efficient representation for ranges
– 1 dimensional scheme
• Extension to multiple dimensions
16Speaking Requirement Talk
Trivial Construction
Scheme PK. size Enc. Cost CT. Size DK. Size Dec. Cost
Trivial O(T2D) O(T2D) O(T2D) O(D) O(D)
T: # different values along each dimensionD: # dimensions
• 1 dimensionOne public key pair for each possible range - O(T2) public key pairs - O(T2) cipher texts and decryption keys for each range
Performance of D dimensions
[ , ] [1, ]s t T
17Speaking Requirement Talk
Roadmap
• Trivial construction• AIBE – MRQED1
– Efficient representation for ranges– 1 dimensional scheme
• Extension to multiple dimensions
18Speaking Requirement Talk
AIBE – MRQED1
• Try to decrease storage and computation cost
• Efficient representation of range:- Define Interval Tree tr(T) as a binary tree
over [1, T], each node represents a range
- ith leaf node: cv(ID) = i
- non-leaf node: cv(ID) = cv(ID1) U cv(ID2)
in which ID1 & ID2 are its children nodes
19Speaking Requirement Talk
AIBE – MRQED1– cont’d
• Set of IDs covering a point x
- if , ID covers x if .
- Define P(x) to be the set such IDs.
- P(x) includes all nodes on the path from leaf x to root.
• Range as a collection of IDs
- Define (s, t) to be the minimum set of nodes that cover range [s, t].
[1, ]x T ( )x cv ID
20Speaking Requirement Talk
AIBE – MRQED1– cont’d
0 1 2 3 4 5 6 7
[0, 1] [2, 3] [4, 5] [6, 7]
[0, 3] [4, 7]
[0, 7]
[1, 7]
21Speaking Requirement Talk
AIBE – MRQED1: Encrypt
0 1 2 3 4 5 6 7
C0=Encrypt(PK, IDA, msg)
C1=Encrypt(PK, IDB, msg)
C2
C3
A
B
22Speaking Requirement Talk
AIBE – MRQED1: Encrypt
0 1 2 3 4 5 6 7
C0
C1
C2
C3
O(logT) ciphertext size
23Speaking Requirement Talk
AIBE – MRQED1: DeriveKey
0 1 2 3 4 5 6 7
[2, 6]
24Speaking Requirement Talk
AIBE – MRQED1: DeriveKey
0 1 2 3 4 5 6 7
[2, 6]
[2, 3] [4, 5]
[6, 6]
25Speaking Requirement Talk
AIBE – MRQED1: DeriveKey
0 1 2 3 4 5 6 7
[2, 6]
SKSK
SK
26Speaking Requirement Talk
AIBE – MRQED1: DeriveKey
0 1 2 3 4 5 6 7
[2, 6]
SKSK
SK
O(logT) decryption key size
27Speaking Requirement Talk
AIBE – MRQED1: QueryDecrypt
Observations: • If x 2 [s, t], then | P(x) Å (s, t) | = 1• If x 2 [s, t], P(x) Å (s, t) = ;
28Speaking Requirement Talk
AIBE – MRQED1: Decrypt
0 1 2 3 4 5 6 7
C1
C2
C3
C0
29Speaking Requirement Talk
AIBE – MRQED1: Decrypt
0 1 2 3 4 5 6 7
[2, 6]
C1
C2
C3
C0
SKSK
SK
30Speaking Requirement Talk
AIBE – MRQED1: Decrypt
0 1 2 3 4 5 6 7
C1
C2
C3
C0
31Speaking Requirement Talk
AIBE – MRQED1: Decrypt
0 1 2 3 4 5 6 7
[0, 3]
C1
C2
C3
C0
SK
32Speaking Requirement Talk
AIBE – MRQED1: Decrypt
0 1 2 3 4 5 6 7
[4, 7]
C1
C2
C3
C0
SK
33Speaking Requirement Talk
AIBE – MRQED1: Performance
Scheme PK. size Enc. Cost CT. Size DK. Size Dec. Cost
Trivial O(T2D) O(T2D) O(T2D) O(D) O(D)
AIBE-MRQED1 O(1) O(logT) O(logT) O(logT) O(logT)
T: # different values along each dimensionD: # dimensions
34Speaking Requirement Talk
AIBE – MRQEDD – EncryptionD = 2 dimensional exampleTo encrypt point x = (3,5)
35Speaking Requirement Talk
AIBE – MRQEDD – DeriveKeyQuery range:[2,6] x [7,3]1st dimension: (2, 6)2nd dimension: (3,7)
36Speaking Requirement Talk
AIBE – MRQEDD Performance
• O(1) PK size• O(D¢logT)
– Encryption cost– Cipher Text. size– Decryption key size
• O((logT)D) decrypt. cost • Good performance, but has a serious
vulnerability – prone to collusion attack
37Speaking Requirement Talk
Collusion Attack
Kx1 Kx2
SKy2
SKy1 {SKx1, SKy1}
{SKx2, SKy2}
R1 R2
R3 R4{SKx1, SKy2}
{SKx2, SKy1}
How fix the problem but preserve the AIBE – MRQEDD efficiency?
38Speaking Requirement Talk
Collusion Attack solution - “Binding”
SKx1 SKx2
SKy2
SKy1 {SKx1, SKy1}
{SKx2, SKy2}
{SKx1, SKy1}
x ¢y = c
39Speaking Requirement Talk
Collusion Attack solution - “Binding”
SKx1 SKx2
SKy2
SKy1 {SKx1, SKy1}
{SKx2, SKy2}
x ¢y = c
x 4 SKx1
{SKx1, SKy1}
40Speaking Requirement Talk
Collusion Attack solution - “Binding”
SKx1 SKx2
SKy2
SKy1 {SKx1, SKy1}
{SKx2, SKy2}
x ¢y = c
xSKx1
{SKx1, SKy1}
41Speaking Requirement Talk
Collusion Attack solution - “Binding”
SKx1 SKx2
SKy2
SKy1 {SKx1, SKy1}
{SKx2, SKy2}
x ¢y = c
xSKx1
{SKx1, SKy1}
ySKy1
42Speaking Requirement Talk
Collusion Attack solution - “Binding”
SKx1 SKx2
SKy2
SKy1 {SKx1, SKy1}
{SKx2, SKy2}x ¢ y = c {SKx2, SKy2}
xSKx2
ySKy2
43Speaking Requirement Talk
The “Binding” Construction
• Use Bilinear Groups
• Rely on well-known difficult problem:– Decision BDH Assumption– Decision linear Assumption
• Algebraically intensive
44Speaking Requirement Talk
Conclusion
Scheme PK. size Enc. Cost CT. Size DK. Size Dec. Cost
Trivial O(T2D) O(T2D) O(T2D) O(D) O(D)
BW06 O(D¢T) O(D¢T) O(D¢T) O(D) O(D)
RQEQD O(D∙logT) O(D∙logT) O(D∙logT) O(D∙logT) O((logT)D)
T: # different values along each dimensionD: # dimensions
45Speaking Requirement Talk
Future work
• Further exploration of ways to decrease the decryption co
• Possible other privacy-preserving applications in addition to network audit logs, financial audit logs, etc.
46Speaking Requirement Talk
Question
Observations: • If x 2 [s, t], then | P(x) Å (s, t) | = 1• If x 2 [s, t], P(x) Å (s, t) = ;
Why is this always true?
Thank you!