Conjunctive, Subset, and Range Queries on Encrypted Data
Dan Boneh (Stanford University), Brent Waters (SRI International)

Encryption Systems – Traditional View
• Salil gives private key to assistant Charlie
• Charlie learns everything
[Figure label: PKSalil]

Encryption Systems – New View
• Salil gives partial capabilities to Charlie
• Charlie learns what he needs to know
• Focus on “Searching Systems”
[Figure labels: PKSalil; Subj: TCC; Subj: personal; Subj: our paper; TCC]

Filtering Encrypted Email
• Set containment queries:
• Server learns nothing other than containment status.
[Figure labels: From:, Subject:; email From Blacklist; SKalice; Tspam; E( PKalice, email); MailServer; Yes / No]

Routing Encrypted Email
• Conjunction queries:
[Figure labels: From:, Subject:; email FromFriends AND subject = “urgent”; SKalice; Tcell; E( PKalice, email); MailServer; Yes / No]

Long term goal …
• Goal: Public-key encryption system supporting any predicate (poly-size circuits)
• Sample application:
  • Spam predicate: P(m) = 1 if m is spam email
  • Mail server filters out encrypted spam email without decrypting email.
• … seems far off

History
• To date: primary focus on equality queries
• SWP’00, GO’87: Equality queries on symmetric-key encrypted data
• BDOP’04, AB…’05: Equality queries on public-key encrypted data

Definitions
• Let = {P1 , … , Pn} be a set of predicates over . Pi : {0,1} [e.g: Pj(S) = 1 S j ]
• A -query system consists of 4 algorithms:
  • Setup(): outputs PK and SK
  • Encrypt(PK, S) Ciphertext C (S)
  • GenToken(SK, <P>) Token TP (P)
  • Query(TP, C) Output P(S)
• (Can allow message decryption on “hit” when P(S)=1)

Security
• Example: = {1, … , n} , [ Pj(x) = 1 x j ]
• Adversary can request arbitrary tokens:
  • Clearly, adversary can distinguish Encrypt(PK, x) from Encrypt(PK, y)
  • … but Encrypt(PK, x) and Encrypt(PK, z) should be indistinguishable
[Figure labels: axis from 1 to n; x, y, z; a, b, c]

Secure -query systems
• Semantic security in the presence of arbitrary tokens:
[Figure: game between Challenger and Attacker]
  • Challenger: Run Setup(); PK; T1 , T2 , … , Tq; b {0,1}; C Encrypt(PK,Sb)
  • Attacker: P1 , P2 , … , Pq; (S0) , (S1); b’ {0,1}
  • s.t.: j: Pj(S0) = Pj(S1)
• Adversary wins if: b = b’

The trivial brute-force system
= {P1 , … , Pn} ; (KeyGen, Enc, Dec) pub-key system
• Setup(): Run KeyGen() n times; PK ( PK1 , … , PKn ) , SK ( SK1, … , SKn )
• Encrypt( PK, S): output C (C1 , … , Cn ), where for j = 1,…,n:
  Cj: Enc( PKj , M ) if Pj(S) = 1; Enc( PKj , ) otherwise
• GenToken( SK, Pi ): output T SKi
• Query( T, C): output Dec( SKi , Ci )
• Parameters: |CT| = O(n) , |T| = O(1)

Best known constructions [BSW’06, BW’06]
(Sizes in # of group elements)
• Encrypt S {1 ,…, n }
• Encrypt S = (S1,…,Sw) $\{1,\dots,n\}^w$ --- conjunctions

Bilinear maps
• G , GT : finite cyclic groups of prime order q.
• Def: An admissible bilinear map e: GG GT is:
  • Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ a,bZ, gG
  • Non-degenerate: g generates G e(g,g) generates GT .
  • “Efficiently” computable.

Bilinear groups of order N=pq [BGN’05]
• G: group of order N=pq. (p,q) – secret. bilinear map: e: G G GT
• G = Gp Gq . $g_p = g^q$ Gp ; $g_q = g^p$ Gq
• Facts:
  • h G h = $(g_q)^a (g_p)^b$
  • $e(g_p, g_q) = e(g^q, g^p) = e(g,g)^N = 1$
  • $e(g_p, h) = e(g_p, g_p)^b$ !!

A Subset query system
• Goal: for any S {1,…,n} and A {1,…,n} answer queries of type: PA(S) = 1 S A
• Example: FromAddress Friends
• Trivial system: |CT| = $O(2^n)$ , Our goal: |CT| = O(n)
• Approach: reformulate as conjunctive equality query
  • Encode S {1,…,n} in unary: (S) = (s1,…,sn) $\{0,1\}^n$
  • Then S A (sa = 0)
[Figure: 0 0 0 … 1 … 0 0 0, with labels c, a, A]

Construction Intuition
• 1st Attempt
  • Use IBE techniques to encrypt to “vector” identity (s1,…,sn)
  • Get message if “true”
• Problem: Can test identity by testing for DDH tuples between CT and PK
• Solution
  • Make CTs, PK random in Gq not DDH tuples
  • Tokens in Gp Gq does not matter after pairing
• Intuition: Disallow unintended application of pairing

Security
• Thm: The system is a selectively secure subset query system assuming:
  • Bilinear-DH assumption, and
  • Composite 3-party DH assumption
• Implied by Boneh’s Uber-Assumption

Summary and Open Problems
• Queries on public key encrypted data:
  • Equality queries: efficient
  • Comparison queries: plaintext t
    • Implies traitor tracing
    • Best construction: |CT| = O(sqrt(n))
    • Open: |CT| = O(log n)
  • Subset queries: plaintext A
    • Best construction: |CT| = O(n)
    • Open: |CT| = O(log n)
  • Similar constructions/questions for conjunctive queries

History
• To date: primary focus on equality queries
• SWP’00, GO’87: Equality queries on symmetric-key encrypted data
• BDOP’04, AB…’05: Equality queries on public-key encrypted data
• OS’05, BSW’06: Equality queries that hide predicate from server
• BBO’06: Efficient equality searches in databases
• BCPSS’06: Range queries in a weaker security model

Motivation: a few examples
• Example 1:
  • Visa gateway: Forwarding encrypted CC transactions to the visa system
[Figure labels: Enc(PKvisa, Transaction); VISA Gateway; VALUE > $1000 ?; Yes / No; High Security Processor; Low Security Processor; Transaction (VALUE, Exp-Date); SKvisa; T1000; D]

Conjunction queries
• Goal: gateway should not learn which conjunct failed.
• Visa cannot simply give gateway two tokens
• VALUE > 1000 AND exp-date < April 2007
[Figure labels: VISA Gateway; Yes / No; High Security Processor; Low Security Processor; Transaction (VALUE, Exp-Date); SKvisa; TP; D]

The full system
• ... But cannot prove the system secure.
• The full system: add y1, … , yn to SK
• GenToken( SK=w, A {1,…,n} ): $t_{1,1}, t_{1,2}$ , … ZN
  TA w $(v_a)^{t_{a,1}} (y_a)^{t_{a,2}}$, aAc ; ( $u_1^{t_{1,1}}$ , $y_1^{t_{1,2}}$ ) ( $u_n^{t_{n,1}}$ , $y_n^{t_{n,2}}$ )
• Thm: The system is a selectively secure subset query system assuming:
  • Bilinear-DH assumption, and
  • Composite 3-party DH assumption

The full system
• ... But cannot prove the system secure. (Need a bit more)
• Thm: The system is a selectively secure subset query system assuming:
  • Bilinear-DH assumption, and
  • Composite 3-party DH assumption
  • (Fragments of “Uber-assumption”)

Binary conjunctive equality queries
• A failed attempt using standard IBE technology: [BB’04]
• G: bilinear group. w, u, u1,…, v1,… G,
• Encrypt (PK, b = (b1,…,bn), M): r Zq
  C [ $e(u,w)^r$ , $u^r$ , $(u_1^{b_1} v_1)^r$ , … , $(u_n^{b_n} v_n)^r$ ]
• GenToken( SK=w, A {1,…,n} ): t1, … , tn Zq
  TA [ w $(v_a)^{t_a}$ (aAc) , $u^{t_1}$ , … , $u^{t_n}$ ]
• Query( TA, C): If ( a Ac : ba=0) then “algebra” returns M; otherwise random in G
• Problem: C leaks ( b1, …, bn )
  bj = 0 $(u, v_j, u^r, (u_j^{b_j} v_j)^r)$ is a DDH tuple

Composite order groups to the rescue …
• G=GpGq composite order group. w, u, u1 , …, v1 , … Gp
• PK: Blind u’s and v’s by Gq: Ui uiRi , Vi viRi’ where Ri, Ri’ Gq
• Encrypt (PK, b = (b1,…,bn), M): r ZN , Z, Z1,… Gq
  C [ $e(u,w)^r$ , $U^r Z$ , $(U_1^{b_1} V_1)^r Z_1$ , … , $(U_n^{b_n} V_n)^r Z_n$ ]
• No change to GenToken and Query
• Note: Rj , Zi terms cancel in Query.
• Main point: now DDH attack fails:
  bj = 0 , but $(U, V_j, U^r Z, (U_j^{b_j} V_j)^r Z_j)$ not a DDH tuple in G

Selectively secure -query systems
[Figure: game between Challenger and Attacker]
  • Attacker: S0 , S1; P1 , P2 , … , Pq; b’ {0,1}
  • Challenger: Run Setup(); PK; T1 , T2 , … , Tq; b {0,1}; C Encrypt(PK,Sb)
  • S0 , S1 s.t.: j: Pj(S0) = Pj(S1)
• Adversary wins if: b = b’