1 / 28

Conjunctive, Subset, and Range Queries on Encrypted Data

Conjunctive, Subset, and Range Queries on Encrypted Data. Dan Boneh Brent Waters Stanford University SRI International. Salil gives private key to assistant Charlie  Charlie learns everything. PK Salil. Encryption Systems – Traditional View. Subj: TCC.

gautam
Download Presentation

Conjunctive, Subset, and Range Queries on Encrypted Data

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Conjunctive, Subset, and Range Queries on Encrypted Data Dan Boneh Brent Waters Stanford University SRI International

  2. Salil gives private key to assistant Charlie  Charlie learns everything PKSalil Encryption Systems – Traditional View

  3. Subj: TCC Subj:personal Subj:our paper TCC Encryption Systems – New View • Salil gives partial capabilities to Charlie • Charlie learns what he needs to know • Focus on “Searching Systems” PKSalil

  4. From: Subject: Tspam Filtering Encrypted Email • Set containment queries: • Server learns nothing other than containment status. SKalice email From Blacklist MailServer No E( PKalice, email) Yes Tspam

  5. Tcell From: Subject: Routing Encrypted Email • Conjunction queries: SKalice email FromFriends AND subject = “urgent” MailServer No E( PKalice, email) Yes Tcell

  6. Long term goal … • Goal: Public-key encryption system supporting any predicate (poly-size circuits) • Sample application: • Spam predicate: P(m) = 1 if m is spam email  Mail server filters out encrypted spam email without decrypting email. • … seems far off

  7. History • To date: primary focus on equality queries • SWP’00, GO’87: Equality queries on symmetric-key encrypted data • BDOP’04, AB…’05: Equality queries on public-key encrypted data

  8. Definitions • Let  = {P1 , … , Pn} be a set of predicates over  . Pi :   {0,1} [e.g: Pj(S) = 1  S  j ] • A-query system consists of 4 algorithms: • Setup ():outputs PK and SK • Encrypt (PK, S)  Ciphertext C (S) • GenToken (SK, <P>)  Token TP (P) • Query ( TP, C)  Output • (Can allow message decryption on “hit” when P(S)=1) P(S)

  9. y z x a b c Security • Example:  = {1, … , n} , [ Pj(x) = 1  x  j ] • Adversary can request arbitrary tokens: • Clearly, adversary can distinguish Encrypt(PK, x) from Encrypt(PK, y) • … but Encrypt(PK, x) and Encrypt(PK, z) should be indistinguishable 1 n

  10. PK (S0) , (S1) P1 T1 b{0,1} CEncrypt(PK,Sb) b’  {0,1} Secure -query systems • Semantic security in the presence of arbitrary tokens: Challenger Attacker RunSetup() , P2 , … , Pq , T2 , … , Tq s.t.: j: Pj(S0) = Pj(S1) Adversary wins if: b = b’

  11. Enc( PKj ,M ) if Pj(S) = 1 Enc( PKj ,  ) otherwise for j = 1,…,n: Cj The trivial brute-force system  = {P1 , … , Pn} ; (KeyGen, Enc, Dec) pub-key system • Setup(): Run KeyGen() n times PK  ( PK1 , … , PKn ) , SK  ( SK1, … , SKn ) • Encrypt( PK, S): output C  (C1 , … , Cn ) • GenToken( SK, Pi ): output T  SKi • Query( T, C) : output Dec( SKi , Ci ) • Parameters: |CT| = O(n) |T| = O(1)

  12. Best known constructions [BSW’06, BW’06] • Encrypt S  {1 ,…, n } (Sizes in # of group elements) • Encrypt S = (S1,…,Sw)  {1 ,…, n }w --- conjunctions

  13. Bilinear maps • G , GT :finite cyclic groups of prime order q. • Def: An admissible bilinear map e: GG GT is: • Bilinear: e(ga, gb) = e(g,g)ab a,bZ, gG • Non-degenerate: g generates G  e(g,g) generates GT . • “Efficiently” computable.

  14. Bilinear groups of order N=pq [BGN’05] • G: group of order N=pq. (p,q) – secret. bilinear map: e: G  G  GT • G = Gp  Gq . gp = gq  Gp ; gq = gp  Gq • Facts: h  G  h = (gq)a  (gp)b e( gp , gq ) = e(gp , gq) = e(g,g)N = 1 e( gp , h ) = e( gp , gp)b !!

  15. c a  A Subset query system • Goal: for any S  {1,…,n} and A  {1,…,n}answer queries of type: PA(S) = 1  S  A • Example: FromAddress  Friends • Trivial system: |CT| = O(2n) , Our goal: |CT| = O(n) • Approach: reformulate as conjunctive equality query • Encode S  {1,…,n} in uniary: • (S) = (s1,…,sn)  {0,1}n • Then S  A  (sa = 0) 0 0 0 … 1 … 0 0 0

  16. Construction Intuition • 1st Attempt • Use IBE techniques to encrypt to “vector” identity (s1,…,sn)  Get message if “true” • Problem: Can test identity by testing for DDH tuples between CT and PK • Solution • Make CTs, PK random in Gq not DDH tuples • Tokens in Gp  Gq does not matter after pairing • Intuiton: Disallow unintended application of pairing

  17. Security • Thm: The system is a selectively secure subset query system assuming: • Bilinear-DH assumption, and • Composite 3-party DH assumption • Implied by Boneh’s Uber-Assumption

  18. Summary and Open Problems • Queries on public key encrypted data: • Equality queries: efficient • Comparison queries: plaintext  t • Implies traitor tracing • Best construction: |CT| = O(sqrt(n)) • Open: |CT| = O(log n) • Subset queries: plaintext  A • Best construction: |CT| = O(n) • Open: |CT| = O(log n) • Similar constructions/questions for conjunctive queries ? ?

  19. THE END

  20. History • To date: primary focus on equality queries • SWP’00, GO’87: Equality queries on symmetric-key encrypted data • BDOP’04, AB…’05: Equality queries on public-key encrypted data • OS’05, BSW’06: Equality queries that hide predicate from server • BBO’06: Efficient equality searches in databases • BCPSS’06: Range queries in a weaker security model

  21. ? VALUE > $1000 Motivation: a few examples • Example 1: • Visa gateway: Forwarding encrypted CC transactions to the visa system Enc(PKvisa, Transaction) High Security Processor D VISA Gateway Transaction Yes VALUE Exp-Date D Low Security Processor No SKvisa T1000 T1000

  22. Conjunction queries • Goal: gateway should not learn which conjunct failed. Visa cannot simply give gateway two tokens VALUE > 1000 AND exp-date < April 2007 High Security Processor D VISA Gateway Transaction Yes VALUE Exp-Date D Low Security Processor No SKvisa TP TP

  23. Best known constructions [BSW’06, BW’06] • Encrypt S  {1 ,…, n } (Sizes in # of group elements) • Encrypt S = (S1,…,Sw)  {1 ,…, n }w --- conjunctions

  24. The full system • ... But cannot prove the system secure. • The full system: add y1, … , yn to SK • GenToken( SK=w, A  {1,…,n} ): t1,1, t1,2 , …  ZN ( u1t1,1 , y1t1,2 ) (untn,1 , yntn,2) • Thm: The system is a selectively secure subset query system assuming: • Bilinear-DH assumption, and • Composite 3-party DH assumption TA  w (va)ta,1 (ya)ta,2, aAc

  25. The full system • ... But cannot prove the system secure. (Need a bit more) • Thm: The system is a selectively secure subset query system assuming: • Bilinear-DH assumption, and • Composite 3-party DH assumption • (Fragments of “Uber-assumption”)

  26. Binary conjunctive equality queries • A failed attempt using standard IBE technology: [BB’04] • G: bilinear group. w, u, u1,…, v1,…  G, • Encrypt (PK, b = (b1,…,bn), M): r  Zq C  [ e(u,w)r , ur , (u1b1 v1)r , … , (unbn vn)r] • GenToken( SK=w, A  {1,…,n} ): t1, … , tn  Zq TA  [ w (va)ta , ut1 , … , utn ] • Query( TA, C): If ( a Ac : ba=0) then “algebra” returns M; otherwise random in G • Problem: C leaks ( b1, …, bn ) bj = 0  (u, vj , ur , (ujbjvj)r)is a DDH tuple aAc

  27. Composite order groups to the rescue … • G=GpGq composite order group. w, u, u1 , …, v1 , … Gp • PK: Blind u’s and v’s by Gq UiuiRi , ViviRi’ where Ri, Ri’  Gq • Encrypt (PK, b = (b1,…,bn), M): r  ZN , Z, Z1,…  Gq C  [ e(u,w)r , UrZ , (U1b1 V1)rZ1 , … , (Unbn Vn)rZn ] • No change to GenToken and Query • Note: Rj , Zi terms cancel in Query. • Main point: now DDH attack fails: bj = 0 , but(U, Vj , UrZ , (Ujbj Vj)rZj) not a DDH tuple in G

  28. PK P1 T1 b{0,1} CEncrypt(PK,Sb) b’  {0,1} Selectively secure -query systems S0 , S1 Challenger Attacker RunSetup() , P2 , … , Pq , T2 , … , Tq S0 S1 S0 , S1 s.t.: j: Pj(S0) = Pj(S1) Adversary wins if: b = b’

More Related