1 / 30

Queries on Encrypted Data

Queries on Encrypted Data. Dan Boneh Brent Waters Stanford University SRI. ?. VALUE > 1000$. Motivation: a few examples. Example 1: Visa gateway: Forwarding encrypted CC transactions to the visa system. Enc(PK visa , Transaction). High Security Processor. D.

mirra
Download Presentation

Queries on Encrypted Data

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Queries on Encrypted Data Dan Boneh Brent Waters Stanford University SRI

  2. ? VALUE > 1000$ Motivation: a few examples • Example 1: • Visa gateway: Forwarding encrypted CC transactions to the visa system Enc(PKvisa, Transaction) High Security Processor D VISA Gateway Transaction Yes VALUE Exp-Date D Low Security Processor No SKvisa T1000 T1000

  3. Conjunction queries • Goal: gateway should not learn which conjunct failed. Visa cannot simply give gateway two tokens VALUE > 1000 AND exp-date < Jan. 2007 High Security Processor D VISA Gateway Transaction Yes VALUE Exp-Date D Low Security Processor No SKvisa TP TP

  4. From: Subject: Tspam Filtering Encrypted Email • Set containment queries: • Server learns nothing other than containment status. SKalice email From spamhaus MailServer No E( PKalice, email) Yes Tspam

  5. Tcell From: Subject: Routing Encrypted Email • Conjunction queries: SKalice email FromFriends AND subject = “urgent” MailServer No E( PKalice, email) Yes Tcell

  6. Long term goal … • Goal: Public-key encryption system supporting any predicate (poly-size circuits) • Sample application: • Spam predicate: P(m) = 1 if m is spam email  Mail server filters out encrypted spam email without decrypting email. • … but no known construction

  7. History • To date: primary focus on equality queries • SWP’00, GO’87: Equality queries on symmetric-key encrypted data • BDOP’04, AB…’05: Equality queries on public-key encrypted data • OS’05, BSW’06: Equality queries that hide predicate from server • BBO’06: Efficient equality searches in databases • BCPSS’06: Range queries in a weaker security model

  8. M if P(S) = 1  otherwise Definitions • Let  = {P1 , … , Pn} be a set of predicates over  . Pi :   {0,1} [e.g: Pj(m) = 1  m  j ] • A-query system consists of 4 algorithms: • Setup ():outputs PK and SK • Encrypt (PK, S, M)  Ciphertext C (S) • GenToken (SK, <P>)  Token TP (P) • Query ( TP, C)  Output • Note: no decryption (but can easily be added in) .

  9. y z x a b c Security • Example:  = {1, … , n} , [ Pj(x) = 1  x  j ] • Adversary can request arbitrary tokens: • Clearly, adversary can distinguish Encrypt(PK, x, m) from Encrypt(PK, y, m) • … but Encrypt(PK, x, m) and Encrypt(PK, z, m) should be indistinguishable 1 n

  10. PK (S0,M0) , (S1,M1) P1 T1 b{0,1} CEncrypt(PK,Sb,Mb) b’  {0,1} Secure -query systems • Semantic security in the presence of arbitrary tokens: Challenger Attacker RunSetup() , P2 , … , Pq , T2 , … , Tq s.t.: j: Pj(S0) = Pj(S1) M0M1  j: Pj(S0) = Pj(S1)=0 Adversary wins if: b = b’

  11. PK P1 T1 b{0,1} CEncrypt(PK,Sb,Mb) b’  {0,1} Selectively secure -query systems S0 , S1 Challenger Attacker RunSetup() , P2 , … , Pq , T2 , … , Tq S0 M0 , M1 S1 (S0,M0) , (S1,M1) s.t.: j: Pj(S0) = Pj(S1) M0M1  j: Pj(S0) = Pj(S1)=0 Adversary wins if: b = b’

  12. Enc( PKj ,M ) if Pj(S) = 1 Enc( PKj ,  ) otherwise for j = 1,…,n: Cj The trivial brute-force system  = {P1 , … , Pn} ; (KeyGen, Enc, Dec) pub-key system • Setup(): Run KeyGen() n times PK  ( PK1 , … , PKn ) , SK  ( SK1, … , SKn ) • Encrypt( PK, S, M): output C  (C1 , … , Cn ) • GenToken( SK, Pi ): output T  SKi • Query( T, C) : output Dec( SKi , Ci ) • Parameters: |CT| = O(n) |T| = O(1)

  13. Best known constructions [BSW’06, BW’06] • Encrypt S  {1 ,…, n } • Encrypt S = (S1,…,Sw)  {1 ,…, n }w --- conjunctions

  14. Connections

  15. Comparisons  Traitor Tracing [CFN’94] • What if secret key Ki is exposed? • Goal: Trace pirate decoder D to key Ku. Then kill user u (or revoke his key). K1 CT = E[M] K2 K3

  16. Tracing Traitors • SetupTT (n,): outputs private keys K1 , …, Kn public-key PK User i gets private key Ki • EncryptTT (PK, M)  Ciphertext C • DecryptTT (Ki, C)  Message M • TraceD( PK )  i  {1,…,n} • Outputs index of at least one key used to build D • D -- stateless black-box pirate decoder.

  17. Comparisons  Traitor Tracing • SetupTT (n,): Run setup() to generate PK,SK For i{1,…,n} key Ki GenToken(SK, i) • EncryptTT (PK, M): C  Encrypt( PK,1, M) • DecryptTT (Ki , C): M  Query(Ki , C) Decryption works since i  1 • Tracing: next slide

  18. n n i=1 i=1 TraceD(PK): [BF99, NNL00, KY02] • For j = 1, …, n+1 define for M  M: pj := Pr[D( Encrypt(PK,j,M) ) = M ] • Then: p1 > 1-  ; pn+1  0 • 1- < |pn+1 – p1 | = | pi+1 – pi|   |pi+1 – pi|  Exists i{1,…,n} s.t. | pi+1 – pi |  (1- )/n User i must be one of the pirates. R

  19. Security Theorem • Tracing algorithm estimates: | pi - pi | < (1-)/4n • Need O(n2) samples per pi. (D – stateless) • Cubic time tracing. (can be improved to quadratic) • Thm: underlying comparison query system is selectively secure  no eff. adv wins tracing game with non-neg adv. 

  20. Other connections: BE, IBE • Membership queries: S  {1,…,n} ; Pj (S) = 1  j  S • Membership  Private Broadcast Encryption [BBW’05] • SetupBE (n,): Run setup() to generate PK,SK For j{1,…,n} key Kj GenToken(SK, j) • EncryptBE (PK, S, M): C  Encrypt( PK, S, M) • DecryptBE (Kj , C): M  Query(C, Kj) Decryption works when j  S • Best membership construction: |CT| = O(|S|) [BBW’05]

  21. Constructions

  22. Crash course in pairings • Standard groups where discrete-log may be hard: • Zp* for prime p. • Elliptic Curves: E/Fp:y2 = x3 + ax + b • Extra structure on elliptic curves : bilinear maps. • Defined by A. Weil (1946). • Miller ’84: Algorithm for computing. • MOV ’93: Used to attack certain EC systems. • Recently (2000-5): lots of positive crypto apps.

  23. Bilinear maps • G , GT :finite cyclic groups of prime order q. • Def: An admissible bilinear map e: GG GT is: • Bilinear: e(ga, gb) = e(g,g)ab a,bZ, gG • Non-degenerate: g generates G  e(g,g) generates GT . • “Efficiently” computable. • DDH is easy in G: given (g, ga, h, hb) then a = b  e(g, hb) = e(ga , h)

  24. Bilinear groups of order N=pq [BGN’05] • G: group of order N=pq. (p,q) – secret. bilinear map: e: G  G  GT • G = Gp  Gq . gp = gq  Gp ; gq = gp  Gq • Facts: h  G  h = (gq)a  (gp)b e( gp , gq ) = e(gp , gq) = e(g,g)N = 1 e( gp , h ) = e( gp , gp)b !!

  25. c a  A Subset query system • Goal: for any S  {1,…,n} and A  {1,…,n}answer queries of type: PA(S) = 1  S  A • Example: FromAddress  Friends • Trivial system: |CT| = O(2n) , Our goal: |CT| = O(n) • Approach: reformulate as conjunctive equality query • Encode S  {1,…,n} in uniary: • (S) = (s1,…,sn)  {0,1}n • Then S  A  (sa = 0) 0 0 0 … 1 … 0 0 0

  26. Binary conjunctive equality queries • A failed attempt using standard IBE technology: [BB’04] • G: bilinear group. w, u, u1,…, v1,…  G, LGT • Encrypt (PK, b = (b1,…,bn), M): r  Zq C  [ MLr , ur , (u1b1 v1)r , … , (unbn vn)r] • GenToken( SK=w, A  {1,…,n} ): t1, … , tn  Zq TA  [ w (va)ta , ut1 , … , utn ] • Query( TA, C): If ( a Ac : ba=0) then “algebra” returns M; otherwise random in G • Problem: C leaks ( b1, …, bn ) bj = 0  (u, vj , ur , (ujbjvj)r)is a DDH tuple aAc

  27. Composite order groups to the rescue … • G=GpGq composite order group. w, u, u1 , …, v1 , … Gp • PK: Blind u’s and v’s by Gq UiuiRi , ViviRi’ where Ri, Ri’  Gq • Encrypt (PK, b = (b1,…,bn), M): r  ZN , Z, Z1,…  Gq C  [ MLr , UrZ , (U1b1 V1)rZ1 , … , (Unbn Vn)rZn ] • No change to GenToken and Query • Note: Rj , Zi terms cancel in Query. • Main point: now DDH attack fails: bj = 0 , but (U, Vj , UrZ , (Ujbj Vj)rZj) not a DDH tuple in G

  28. The full system • ... But cannot prove the system secure. • The full system: add y1, … , yn to SK • GenToken( SK=w, A  {1,…,n} ): t1,1, t1,2 , …  ZN ( u1t1,1 , y1t1,2 ) (untn,1 , yntn,2) • Thm: The system is a selectively secure subset query system assuming: • Bilinear-DH assumption, and • Composite 3-party DH assumption TA  w (va)ta,1 (ya)ta,2, aAc

  29. Summary and Open Problems • Queries on public key encrypted data: • Equality queries: efficient • Comparison queries: plaintext  t • Implies traitor tracing • Best construction: |CT| = O(sqrt(n)) • Open: |CT| = O(log n) • Subset queries: plaintext  A • Best construction: |CT| = O(n) • Open: |CT| = O(log n) • Similar constructions/questions for conjunctive queries ? ?

  30. THE END

More Related