300 likes | 470 Views
Queries on Encrypted Data. Dan Boneh Brent Waters Stanford University SRI. ?. VALUE > 1000$. Motivation: a few examples. Example 1: Visa gateway: Forwarding encrypted CC transactions to the visa system. Enc(PK visa , Transaction). High Security Processor. D.
E N D
Queries on Encrypted Data Dan Boneh Brent Waters Stanford University SRI
? VALUE > 1000$ Motivation: a few examples • Example 1: • Visa gateway: Forwarding encrypted CC transactions to the visa system Enc(PKvisa, Transaction) High Security Processor D VISA Gateway Transaction Yes VALUE Exp-Date D Low Security Processor No SKvisa T1000 T1000
Conjunction queries • Goal: gateway should not learn which conjunct failed. Visa cannot simply give gateway two tokens VALUE > 1000 AND exp-date < Jan. 2007 High Security Processor D VISA Gateway Transaction Yes VALUE Exp-Date D Low Security Processor No SKvisa TP TP
From: Subject: Tspam Filtering Encrypted Email • Set containment queries: • Server learns nothing other than containment status. SKalice email From spamhaus MailServer No E( PKalice, email) Yes Tspam
Tcell From: Subject: Routing Encrypted Email • Conjunction queries: SKalice email FromFriends AND subject = “urgent” MailServer No E( PKalice, email) Yes Tcell
Long term goal … • Goal: Public-key encryption system supporting any predicate (poly-size circuits) • Sample application: • Spam predicate: P(m) = 1 if m is spam email Mail server filters out encrypted spam email without decrypting email. • … but no known construction
History • To date: primary focus on equality queries • SWP’00, GO’87: Equality queries on symmetric-key encrypted data • BDOP’04, AB…’05: Equality queries on public-key encrypted data • OS’05, BSW’06: Equality queries that hide predicate from server • BBO’06: Efficient equality searches in databases • BCPSS’06: Range queries in a weaker security model
M if P(S) = 1 otherwise Definitions • Let = {P1 , … , Pn} be a set of predicates over . Pi : {0,1} [e.g: Pj(m) = 1 m j ] • A-query system consists of 4 algorithms: • Setup ():outputs PK and SK • Encrypt (PK, S, M) Ciphertext C (S) • GenToken (SK, <P>) Token TP (P) • Query ( TP, C) Output • Note: no decryption (but can easily be added in) .
y z x a b c Security • Example: = {1, … , n} , [ Pj(x) = 1 x j ] • Adversary can request arbitrary tokens: • Clearly, adversary can distinguish Encrypt(PK, x, m) from Encrypt(PK, y, m) • … but Encrypt(PK, x, m) and Encrypt(PK, z, m) should be indistinguishable 1 n
PK (S0,M0) , (S1,M1) P1 T1 b{0,1} CEncrypt(PK,Sb,Mb) b’ {0,1} Secure -query systems • Semantic security in the presence of arbitrary tokens: Challenger Attacker RunSetup() , P2 , … , Pq , T2 , … , Tq s.t.: j: Pj(S0) = Pj(S1) M0M1 j: Pj(S0) = Pj(S1)=0 Adversary wins if: b = b’
PK P1 T1 b{0,1} CEncrypt(PK,Sb,Mb) b’ {0,1} Selectively secure -query systems S0 , S1 Challenger Attacker RunSetup() , P2 , … , Pq , T2 , … , Tq S0 M0 , M1 S1 (S0,M0) , (S1,M1) s.t.: j: Pj(S0) = Pj(S1) M0M1 j: Pj(S0) = Pj(S1)=0 Adversary wins if: b = b’
Enc( PKj ,M ) if Pj(S) = 1 Enc( PKj , ) otherwise for j = 1,…,n: Cj The trivial brute-force system = {P1 , … , Pn} ; (KeyGen, Enc, Dec) pub-key system • Setup(): Run KeyGen() n times PK ( PK1 , … , PKn ) , SK ( SK1, … , SKn ) • Encrypt( PK, S, M): output C (C1 , … , Cn ) • GenToken( SK, Pi ): output T SKi • Query( T, C) : output Dec( SKi , Ci ) • Parameters: |CT| = O(n) |T| = O(1)
Best known constructions [BSW’06, BW’06] • Encrypt S {1 ,…, n } • Encrypt S = (S1,…,Sw) {1 ,…, n }w --- conjunctions
Comparisons Traitor Tracing [CFN’94] • What if secret key Ki is exposed? • Goal: Trace pirate decoder D to key Ku. Then kill user u (or revoke his key). K1 CT = E[M] K2 K3
Tracing Traitors • SetupTT (n,): outputs private keys K1 , …, Kn public-key PK User i gets private key Ki • EncryptTT (PK, M) Ciphertext C • DecryptTT (Ki, C) Message M • TraceD( PK ) i {1,…,n} • Outputs index of at least one key used to build D • D -- stateless black-box pirate decoder.
Comparisons Traitor Tracing • SetupTT (n,): Run setup() to generate PK,SK For i{1,…,n} key Ki GenToken(SK, i) • EncryptTT (PK, M): C Encrypt( PK,1, M) • DecryptTT (Ki , C): M Query(Ki , C) Decryption works since i 1 • Tracing: next slide
n n i=1 i=1 TraceD(PK): [BF99, NNL00, KY02] • For j = 1, …, n+1 define for M M: pj := Pr[D( Encrypt(PK,j,M) ) = M ] • Then: p1 > 1- ; pn+1 0 • 1- < |pn+1 – p1 | = | pi+1 – pi| |pi+1 – pi| Exists i{1,…,n} s.t. | pi+1 – pi | (1- )/n User i must be one of the pirates. R
Security Theorem • Tracing algorithm estimates: | pi - pi | < (1-)/4n • Need O(n2) samples per pi. (D – stateless) • Cubic time tracing. (can be improved to quadratic) • Thm: underlying comparison query system is selectively secure no eff. adv wins tracing game with non-neg adv.
Other connections: BE, IBE • Membership queries: S {1,…,n} ; Pj (S) = 1 j S • Membership Private Broadcast Encryption [BBW’05] • SetupBE (n,): Run setup() to generate PK,SK For j{1,…,n} key Kj GenToken(SK, j) • EncryptBE (PK, S, M): C Encrypt( PK, S, M) • DecryptBE (Kj , C): M Query(C, Kj) Decryption works when j S • Best membership construction: |CT| = O(|S|) [BBW’05]
Crash course in pairings • Standard groups where discrete-log may be hard: • Zp* for prime p. • Elliptic Curves: E/Fp:y2 = x3 + ax + b • Extra structure on elliptic curves : bilinear maps. • Defined by A. Weil (1946). • Miller ’84: Algorithm for computing. • MOV ’93: Used to attack certain EC systems. • Recently (2000-5): lots of positive crypto apps.
Bilinear maps • G , GT :finite cyclic groups of prime order q. • Def: An admissible bilinear map e: GG GT is: • Bilinear: e(ga, gb) = e(g,g)ab a,bZ, gG • Non-degenerate: g generates G e(g,g) generates GT . • “Efficiently” computable. • DDH is easy in G: given (g, ga, h, hb) then a = b e(g, hb) = e(ga , h)
Bilinear groups of order N=pq [BGN’05] • G: group of order N=pq. (p,q) – secret. bilinear map: e: G G GT • G = Gp Gq . gp = gq Gp ; gq = gp Gq • Facts: h G h = (gq)a (gp)b e( gp , gq ) = e(gp , gq) = e(g,g)N = 1 e( gp , h ) = e( gp , gp)b !!
c a A Subset query system • Goal: for any S {1,…,n} and A {1,…,n}answer queries of type: PA(S) = 1 S A • Example: FromAddress Friends • Trivial system: |CT| = O(2n) , Our goal: |CT| = O(n) • Approach: reformulate as conjunctive equality query • Encode S {1,…,n} in uniary: • (S) = (s1,…,sn) {0,1}n • Then S A (sa = 0) 0 0 0 … 1 … 0 0 0
Binary conjunctive equality queries • A failed attempt using standard IBE technology: [BB’04] • G: bilinear group. w, u, u1,…, v1,… G, LGT • Encrypt (PK, b = (b1,…,bn), M): r Zq C [ MLr , ur , (u1b1 v1)r , … , (unbn vn)r] • GenToken( SK=w, A {1,…,n} ): t1, … , tn Zq TA [ w (va)ta , ut1 , … , utn ] • Query( TA, C): If ( a Ac : ba=0) then “algebra” returns M; otherwise random in G • Problem: C leaks ( b1, …, bn ) bj = 0 (u, vj , ur , (ujbjvj)r)is a DDH tuple aAc
Composite order groups to the rescue … • G=GpGq composite order group. w, u, u1 , …, v1 , … Gp • PK: Blind u’s and v’s by Gq UiuiRi , ViviRi’ where Ri, Ri’ Gq • Encrypt (PK, b = (b1,…,bn), M): r ZN , Z, Z1,… Gq C [ MLr , UrZ , (U1b1 V1)rZ1 , … , (Unbn Vn)rZn ] • No change to GenToken and Query • Note: Rj , Zi terms cancel in Query. • Main point: now DDH attack fails: bj = 0 , but (U, Vj , UrZ , (Ujbj Vj)rZj) not a DDH tuple in G
The full system • ... But cannot prove the system secure. • The full system: add y1, … , yn to SK • GenToken( SK=w, A {1,…,n} ): t1,1, t1,2 , … ZN ( u1t1,1 , y1t1,2 ) (untn,1 , yntn,2) • Thm: The system is a selectively secure subset query system assuming: • Bilinear-DH assumption, and • Composite 3-party DH assumption TA w (va)ta,1 (ya)ta,2, aAc
Summary and Open Problems • Queries on public key encrypted data: • Equality queries: efficient • Comparison queries: plaintext t • Implies traitor tracing • Best construction: |CT| = O(sqrt(n)) • Open: |CT| = O(log n) • Subset queries: plaintext A • Best construction: |CT| = O(n) • Open: |CT| = O(log n) • Similar constructions/questions for conjunctive queries ? ?