
Multi-Dimensional Range Query over Encrypted Data

Multi-Dimensional Range Query over Encrypted Data. Authors: Elaine Shi, Joint work with John Bethencourt, Hubert Chan, Dawn Song, Adrian Perrig Slides originated from Elaine Shi, modified by Michael Chen CSC 774 Advanced Network Security Instructor: Dr. Peng Ning Presenter: Michael Chen


Presentation Transcript


  1. Multi-Dimensional Range Query over Encrypted Data Authors: Elaine Shi, Joint work with John Bethencourt, Hubert Chan, Dawn Song, Adrian Perrig Slides originated from Elaine Shi, modified by Michael Chen CSC 774 Advanced Network Security Instructor: Dr. Peng Ning Presenter: Michael Chen April 19, 2007

  2. Motivation - Network Audit Logs Network gateway Data center

  3. An Ideal Solution Network gateway Data center

  4. Auditor Query: (100 ≤ port ≤ 200) ∧ (ip ∈ 128.1.*.*) Trusted authority auditor

  5. Auditor Query: (100 ≤ port ≤ 200) ∧ (ip ∈ 128.1.*.*) Capability: (100 ≤ port ≤ 200) ∧ (ip ∈ 128.1.*.*) Trusted authority auditor

  6. Security Query: (100 ≤ port ≤ 200) ∧ (ip ∈ 128.1.*.*) • Can decrypt all matching entries • Cannot learn additional information for non-matching entries • Except for the fact that they do not match

  7. The Challenges • Current practices: • No encryption • All-or-nothing decryption • Challenge: • How to design such an encryption scheme • Efficiency • Security

  8. Related work • Search on encrypted data (SoE) • Not clear if can be extended to range query over multiple attributes. • Anonymous hierarchical IBE (AHIBE) • Could be used to implement MRQED, encryption cost O(TD) • Concurrent work • BonehWaters06: Complex query over encrypted data. More expensive public key size, encryption cost, cheaper decryption cost and shorter decryption key size.

  9. Generalized Problem Definition • Time-stamp t, source address a, destination port p • A tuple (t, a, p) can be viewed as a point x in 3 dimensional space. • Query for flows with • Hyper-rectangle B in space • x is in B ?

  10. Generalized Problem Definition • KeyGen • Key generation • Encrypt • Encryption • DeriveKey • Compute a decryption key • QueryDecrypt • Attempt to decrypt using a capability

  11. KeyGen (, n) • Input • k: security parameter • n: bit-length of x • Output • public key PK & master private key SK KeyGen(, n) Trusted authority

  12. Encrypt(PK, x, msg) x – a point Cipher_Text à Encrypt(PK, x, msg)

  13. DeriveKey(PK, SK, B ) DKB t1 B – “hyper-rectangle” t2 r1 r2

  14. QueryDecrypt(PK, DK, C) • Output • msg if • if

  15. Roadmap • Trivial construction • AIBE – MRQED1 • Efficient representation for ranges • 1 dimensional scheme • Extension to multiple dimensions

  16. Trivial Construction • 1 dimension: One public key pair for each possible range - O(T^2) public key pairs - O(T^2) cipher texts and decryption keys for each range Performance of D dimensions T: # different values along each dimension D: # dimensions

  17. Roadmap • Trivial construction • AIBE – MRQED1 • Efficient representation for ranges • 1 dimensional scheme • Extension to multiple dimensions

  18. AIBE – MRQED1 • Try to decrease storage and computation cost • Efficient representation of range: - Define Interval Tree tr(T) as a binary tree over [1, T], each node represents a range - i-th leaf node: cv(ID) = i - non-leaf node: cv(ID) = cv(ID1) ∪ cv(ID2), in which ID1 & ID2 are its children nodes

  19. AIBE – MRQED1 – cont’d • Set of IDs covering a point x - if , ID covers x if . - Define P(x) to be the set of such IDs. - P(x) includes all nodes on the path from leaf x to root. • Range as a collection of IDs - Define (s, t) to be the minimum set of nodes that cover range [s, t].

  20. AIBE – MRQED1– cont’d [0, 7] [0, 3] [4, 7] [0, 1] [2, 3] [4, 5] [6, 7] 0 1 2 3 4 5 6 7 [1, 7]

  21. AIBE – MRQED1: Encrypt C0=Encrypt(PK, IDA, msg) A C1=Encrypt(PK, IDB, msg) B C2 C3 0 1 2 3 4 5 6 7

  22. AIBE – MRQED1: Encrypt C0 O(logT) ciphertext size C1 C2 C3 0 1 2 3 4 5 6 7

  23. AIBE – MRQED1: DeriveKey 0 1 2 3 4 5 6 7 [2, 6]

  24. AIBE – MRQED1: DeriveKey [2, 3] [4, 5] [6, 6] 0 1 2 3 4 5 6 7 [2, 6]

  25. AIBE – MRQED1: DeriveKey SK SK SK 0 1 2 3 4 5 6 7 [2, 6]

  26. AIBE – MRQED1: DeriveKey O(logT) decryption key size SK SK SK 0 1 2 3 4 5 6 7 [2, 6]

  27. AIBE – MRQED1: QueryDecrypt • Observations: • If x ∈ [s, t], then |P(x) ∩ (s, t)| = 1 • If x ∉ [s, t], P(x) ∩ (s, t) = ∅

  28. AIBE – MRQED1: Decrypt C0 C1 C2 C3 0 1 2 3 4 5 6 7

  29. AIBE – MRQED1: Decrypt C0 C1 SK SK C2 SK C3 0 1 2 3 4 5 6 7 [2, 6]

  30. AIBE – MRQED1: Decrypt C0 C1 C2 C3 0 1 2 3 4 5 6 7

  31. AIBE – MRQED1: Decrypt C0 C1 SKB C2 C3 0 1 2 3 4 5 6 7 [0, 3]

  32. AIBE – MRQED1: Decrypt C0 C1 SKB C2 C3 0 1 2 3 4 5 6 7 [4, 7]

  33. AIBE – MRQED1: Performance T: # different values along each dimension D: # dimensions

  34. AIBE – MRQEDD – Encryption D = 2 dimensional example To encrypt point x = (3,5)

  35. AIBE – MRQEDD – DeriveKey Query range: [2,6] x [7,3] 1st dimension: (2, 6) 2nd dimension: (3,7)

  36. AIBE – MRQEDD Performance • O(1) PK size • O(D · log T) • Encryption cost • Ciphertext size • Decryption key size • O((log T)^D) decryption cost • Good performance, but has a serious vulnerability – prone to collusion attack

  37. Collusion Attack SKy2 R3 R4 {SKx1, SKy2} {SKx2, SKy2} SKy1 R1 R2 {SKx1, SKy1} {SKx2, SKy1} Kx1 Kx2 How to fix the problem but preserve the AIBE – MRQEDD efficiency?

  38. Collusion Attack solution - “Binding” x · y = c SKy2 {SKx2, SKy2} SKy1 {SKx1, SKy1} {SKx1, SKy1} SKx1 SKx2

  39. Collusion Attack solution - “Binding” x · y = c SKy2 {SKx2, SKy2} x 4SKx1 SKy1 {SKx1, SKy1} {SKx1, SKy1} SKx1 SKx2

  40. Collusion Attack solution - “Binding” x · y = c SKy2 {SKx2, SKy2} xSKx1 SKy1 {SKx1, SKy1} {SKx1, SKy1} SKx1 SKx2

  41. Collusion Attack solution - “Binding” x · y = c SKy2 {SKx2, SKy2} xSKx1 ySKy1 SKy1 {SKx1, SKy1} {SKx1, SKy1} SKx1 SKx2

  42. Collusion Attack solution - “Binding” x · y = c SKy2 {SKx2, SKy2} {SKx2, SKy2} xSKx2 ySKy2 SKy1 {SKx1, SKy1} SKx1 SKx2

  43. The “Binding” Construction • Use Bilinear Groups • Rely on well-known difficult problem: • Decision BDH Assumption • Decision linear Assumption • Algebraically intensive

  44. Conclusion T: # different values along each dimension D: # dimensions

  45. Future work • Further exploration of ways to decrease the decryption co • Possible other privacy-preserving applications in addition to network audit logs, financial audit logs, etc.

  46. Observations: • If x ∈ [s, t], then |P(x) ∩ (s, t)| = 1 • If x ∉ [s, t], P(x) ∩ (s, t) = ∅ • Question: Why is this always true?

  47. Thank you!
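
Added example (not part of the original slides): the interval-tree range representation from slides 18 to 27, with an exhaustive check of the observation that P(x) and the minimum cover of [s, t] share exactly one node when x is in [s, t] and none otherwise. Assumptions: node IDs are written as the closed range they cover, leaves are numbered 0..T-1 as in the slide 20 diagram, T is a power of two, and the function names are hypothetical.

```python
# Added illustration; models only the tree bookkeeping, not the AIBE cryptography.

def path_to_root(x, T):
    """P(x): every node whose range contains point x (root down to leaf x)."""
    lo, hi, nodes = 0, T - 1, []
    while True:
        nodes.append((lo, hi))
        if lo == hi:
            return nodes
        mid = (lo + hi) // 2
        if x <= mid:
            hi = mid
        else:
            lo = mid + 1

def min_cover(s, t, T):
    """Minimum set of tree nodes whose ranges tile [s, t] exactly."""
    def walk(lo, hi):
        if t < lo or hi < s:        # node lies outside the query range
            return []
        if s <= lo and hi <= t:     # node lies fully inside: take it, stop descending
            return [(lo, hi)]
        mid = (lo + hi) // 2
        return walk(lo, mid) + walk(mid + 1, hi)
    return walk(0, T - 1)

def matching_nodes(x, s, t, T):
    """Nodes in both P(x) and the cover of [s, t]: the ciphertext component
    that a decryption key for [s, t] can open."""
    return sorted(set(path_to_root(x, T)) & set(min_cover(s, t, T)))

def check_observation(T):
    """Check slide 27 for every range [s, t] and every point x in the tree.
    It holds because cover nodes are pairwise disjoint and P(x) contains
    every node covering x, so at most one cover node can lie on the path."""
    for s in range(T):
        for t in range(s, T):
            for x in range(T):
                expected = 1 if s <= x <= t else 0
                if len(matching_nodes(x, s, t, T)) != expected:
                    return False
    return True

if __name__ == "__main__":
    T = 8
    print("cover [2,6]:", min_cover(2, 6, T))         # key components (slide 24)
    print("P(3):", path_to_root(3, T))                # ciphertext components C0..C3
    print("x=3 matches:", matching_nodes(3, 2, 6, T))
    print("x=7 matches:", matching_nodes(7, 2, 6, T))
    print("observation holds:", check_observation(T))
```

Both lists have O(log T) entries, which is where the ciphertext and decryption key sizes on slides 22 and 26 come from.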
