Multi-Dimensional Range Query over Encrypted Data. Elaine Shi, John Bethencourt, T-H. Hubert Chan, Dawn Song and Adrian Perrig. IEEE Symposium on Security and Privacy, May, 2007. Presenter: 陳國璋.
Outline • Introduction • Problem Definition and Preliminary • AIBE-Based MRQED$^1$ Scheme • AIBE-Based MRQED$^D$ Scheme • Main Construction • Conclusion
Introduction • This talk follows the previous presentation on HVE (Hidden Vector Encryption), which covered three query forms: Comparison / Range / Subset. This paper focuses on Conjunctive Range Queries. • Recall: HVE
Introduction • [Figure: recap of HVE, showing GenToken$_{HVE}$ (with SK), Encrypt$_{HVE}$ (with PK) and Query$_{HVE}$, with the labels: conjunctive general predicate, predicate vector, token, multi-cell practical value, practical vector, ciphertext, data, data / ⊥]
Introduction • Multi-dimensional Range Query over Encrypted Data (MRQED) • For example • Network audit log has 3 attributes: time-stamp t, source address a and destination port number p. • (t, a, p) tuple • Conjunctive ranges: $[t_1, t_2]$, $[a_1, a_2]$ and $[p_1, p_2]$
Introduction • [Table not preserved] • D: number of dimensions, T: number of points
Introduction • Application • Financial audit log • Medical privacy • Untrusted remote storage • Using biometrics in anonymous IBE
Problem Definition • Network audit log has 3 attributes: time-stamp t, source address a and destination port number p. • (t, a, p) tuple • Conjunctive ranges: $[t_1, t_2]$, $[a_1, a_2]$ and $[p_1, p_2]$
Problem Definition • Testing whether a point X = (t, a, p) falls inside the hyper-rectangle B • [Figure: hyper-rectangle B with sides $[t_1, t_2]$, $[a_1, a_2]$, $[p_1, p_2]$ and the point X]
Problem Definition • An attribute can be encoded using discrete integer values 1 through T. • $[T] = \{1, \dots, T\}$ • For $S \le T$, $[S, T] = \{S, S+1, \dots, T\}$ • D different attributes, each of which can take on values in $[T_1], [T_2], \dots, [T_D]$ respectively.
Problem Definition • D-dimensional lattice, point, hyper-rectangle • $\Delta = (T_1, \dots, T_D)$ • D-dimensional lattice: $L_\Delta = [T_1] \times [T_2] \times \dots \times [T_D]$ • Point: $X = (x_1, \dots, x_D)$ • Hyper-rectangle: $B(s_1, t_1, s_2, t_2, \dots, s_D, t_D) = \{(x_1, \dots, x_D) \mid \forall d \in [D],\ x_d \in [s_d, t_d]\}$
Problem Definition • Network audit log • Time-stamp t, address a, port number p • D = 3 • Time-stamp $[T_t] = \{0000, \dots, 1439\}$ • Address $[T_a] = \{0, \dots, 255\}$ • Port number $[T_p] = \{0, \dots, 65535\}$
Problem Definition • $\Delta = (T_t, T_a, T_p)$ • $L_\Delta = [T_t] \times [T_a] \times [T_p] = [1439] \times [255] \times [65535]$ • X = (t, a, p) = (603, 97, 777) • B(540, 720, 84, 124, 700, 800)
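Problem Definition • [Figure: the lattice $L_\Delta = [1439] \times [255] \times [65535]$ with axes $[T_t] = [1439]$, $[T_a] = [255]$, $[T_p] = [65535]$; the hyper-rectangle B(540, 720, 84, 124, 700, 800) with sides [540, 720], [84, 124], [700, 800]; and the point X = (603, 97, 777)]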
Problem Definition • An MRQED scheme consists of 4 polynomial-time algorithms: • Setup • Encrypt • DeriveKey • QueryDecrypt
Problem Definition • Setup(Σ, $L_\Delta$) • Input a security parameter Σ and a D-dimensional lattice $L_\Delta$ • Output public key PK and master private key SK
Problem Definition • Encrypt(PK, X, Msg) • Input a public key PK, a point X and a message Msg • Output a ciphertext C
Problem Definition • DeriveKey(PK, SK, B) • Take a public key PK, a master private key SK and a hyper-rectangle B • Output decryption key DK for hyper-rectangle B
Problem Definition • QueryDecrypt(PK, DK, C) • Take a public key PK, a decryption key DK and a ciphertext C • Output either a plaintext Msg or ⊥
Problem Definition • Correctness • For every message Msg ∈ message space M, hyper-rectangle B ⊆ $L_\Delta$, and point X ∈ $L_\Delta$, the above algorithms must satisfy the following consistency constraints:
Preliminary • Decision BDH Assumption • Given $[g, g^a, g^b, g^c, Z] \in G^4 \times G'$, where the exponents a, b, c are picked at random from $\mathbb{Z}_p$, decide whether $Z = e(g, g)^{abc}$
Preliminary • Decision Linear Assumption • Given $[g, g^a, g^b, g^{ac}, g^{bd}, Z] \in G^4$, where a, b, c, d are picked at random from $\mathbb{Z}_p$, decide whether $Z = g^{c+d}$
AIBE-Based MRQED$^1$ Scheme • Interval tree • tr(T) denotes a binary interval tree over the integers from 1 to T. • Each node has a pre-assigned unique ID. • cv(ID) denotes the range represented by node ID ∈ tr(T)
AIBE-Based MRQED$^1$ Scheme • Interval tree • $P(x)$: the set of IDs covering a point $x \in [1, T]$ • $\Lambda(s, t)$: the set of IDs representing a range $[s, t] \subseteq [1, T]$ • If $x \in [s, t]$, then $P(x) \cap \Lambda(s, t) \ne \emptyset$ • $|P(x) \cap \Lambda(s, t)| = 1$ • If $x \notin [s, t]$, then $P(x) \cap \Lambda(s, t) = \emptyset$
AIBE-Based MRQED$^1$ Scheme • [Figure: binary interval tree tr(T) = tr(8), with root A, internal nodes B–C and D–G, and leaves H–O over the integers 1–8] • cv(L) = {5}, cv(E) = [3, 4], cv(C) = [5, 8] • P(3) = {A, B, E, J} • Λ(2, 7) = {I, E, F, N}
AIBE-Based MRQED$^1$ Scheme • AIBE scheme: Setup*(Σ), DeriveKey*(PK, SK, ID), Encrypt*(PK, ID, Msg), Decrypt*(PK, DK, C) • MRQED$^1$ scheme: Setup(Σ, T), Encrypt(PK, x, Msg), DeriveKey(PK, SK, [s, t]), QueryDecrypt(PK, DK, C)
AIBE-Based MRQED$^1$ Scheme • Setup(Σ, T) • Call Setup*(Σ) • Output PK and SK
AIBE-Based MRQED$^1$ Scheme • Encrypt(PK, x, Msg) • $x \to P(x)$ • $\forall ID \in P(x)$, $c_{ID} = \text{Encrypt}^*(PK, ID, Msg \| 0^{m'})$, where $0^{m'}$ pads Msg to $\{0, 1\}^m$ • Output ciphertext $C = \{c_{ID} \mid \forall ID \in P(x)\}$
AIBE-Based MRQED$^1$ Scheme • DeriveKey(PK, SK, [s, t]) • $[s, t] \to \Lambda(s, t)$ • $\forall ID \in \Lambda(s, t)$, $k_{ID} = \text{DeriveKey}^*(PK, SK, ID)$ • Output $DK_{[s, t]} = \{k_{ID} \mid \forall ID \in \Lambda(s, t)\}$
AIBE-Based MRQED$^1$ Scheme • QueryDecrypt(PK, DK, C) • If $x \in [s, t]$, then $\exists!\, ID$ s.t. $P(x) \cap \Lambda(s, t) = \{ID\}$ • Call and output Decrypt*(PK, $k_{ID}$, $c_{ID}$) = Msg$\|0^{m'}$. • Otherwise, output ⊥.
AIBE-Based MRQED$^1$ Scheme • [Figure: binary interval tree tr(T) = tr(8), with root A, internal nodes B–C and D–G, and leaves H–O over the integers 1–8] • cv(L) = {5}, cv(E) = [3, 4], cv(C) = [5, 8] • P(3) = {A, B, E, J} • Λ(2, 7) = {I, E, F, N}
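The interval-tree sets P(x) and Λ(s, t) that the MRQED$^1$ scheme relies on, as an added example (not code from the paper or the slides). Heap-style node numbering and the helper names `cv`, `P`, `Lam`, `label` are assumptions; node 1 is given the slide label A, node 2 is B, and so on in breadth-first order.

```python
T = 8  # leaves 1..T, T a power of two; matches tr(8) on the slides

def cv(node, T=T):
    """Range (lo, hi) covered by a heap-numbered node (root = 1)."""
    depth = node.bit_length() - 1
    width = T >> depth
    lo = (node - (1 << depth)) * width + 1
    return lo, lo + width - 1

def P(x, T=T):
    """IDs of all nodes on the path from the root to leaf x."""
    node = T + x - 1              # heap index of leaf x
    path = set()
    while node >= 1:
        path.add(node)
        node //= 2
    return path

def Lam(s, t, T=T):
    """Minimal set of nodes whose ranges exactly tile [s, t]."""
    out, stack = set(), [1]
    while stack:
        node = stack.pop()
        lo, hi = cv(node, T)
        if hi < s or lo > t:      # disjoint from the query range
            continue
        if s <= lo and hi <= t:   # fully inside: take this node, stop descending
            out.add(node)
        else:                     # partial overlap: split into the two children
            stack += [2 * node, 2 * node + 1]
    return out

def label(nodes):
    """Slide labels: node 1 -> 'A', 2 -> 'B', ... (breadth-first)."""
    return {chr(ord('A') + n - 1) for n in nodes}

def intersection_property_holds(T=T):
    """|P(x) ∩ Λ(s,t)| is 1 when x ∈ [s,t] and 0 otherwise, for all x and s ≤ t."""
    for s in range(1, T + 1):
        for t in range(s, T + 1):
            for x in range(1, T + 1):
                expected = 1 if s <= x <= t else 0
                if len(P(x, T) & Lam(s, t, T)) != expected:
                    return False
    return True
```

The single common node is what lets QueryDecrypt pair exactly one ciphertext component $c_{ID}$ with one key component $k_{ID}$.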
AIBE-Based MRQED$^D$ Scheme • Same as the AIBE-Based MRQED$^1$ Scheme, with the following changes: • Encrypt(PK, X, Msg) • DeriveKey(PK, DK, C)
AIBE-Based MRQED$^D$ Scheme • Encryption • A point $X = (x_1, x_2, \dots, x_D)$ • In each dimension, $x_d$ has its own $P(x_d)$, $\forall d \in [D]$ • Denote $P^{\times}(X) = P(x_1) \times P(x_2) \times \dots \times P(x_D)$ • Call Encrypt*(PK, $P^{\times}(X)$, Msg) = C
[Figure: two interval trees, one per dimension: nodes A–O over leaves 1–8 and nodes P–D' over leaves 8–1, with the point X marked] • $X = (x_1, x_2) = (3, 5)$ • $P(x_1)$ = {A, B, E, J} • $P(x_2)$ = {P, Q, T, Z} • $P^{\times}(X)$ = {A, B, E, J} × {P, Q, T, Z}
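AIBE-Based MRQED$^D$ Scheme • Key Derivation • The ranges in all dimensions combine into a hyper-rectangle $B(s_1, t_1, \dots, s_D, t_D)$ • Each range $[s_d, t_d]$ has its own $\Lambda(s_d, t_d)$, $\forall d \in [D]$ • Denote $\Lambda^{\times}(B) = \Lambda(s_1, t_1) \times \dots \times \Lambda(s_D, t_D)$ • Call DeriveKey*(PK, SK, $\Lambda^{\times}(B)$) = DK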
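[Figure: two interval trees, one per dimension: nodes A–O over leaves 1–8 and nodes P–D' over leaves 8–1, with the hyper-rectangle B marked] • $B = (s_1, t_1, s_2, t_2) = [2, 6] \times [3, 7]$ • $\Lambda(s_1, t_1)$ = {E, F, I} • $\Lambda(s_2, t_2)$ = {T, U, X} • $\Lambda^{\times}(B)$ = {E, F, I} × {T, U, X}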
AIBE-Based MRQED$^D$ Scheme • Collusion attack • [Figure: regions R1, R2, R3, R4 with sub-keys $k_a$, $k_b$, $k_c$, $k_d$]
Main Construction • Reducing the ciphertext size • $P^{\times}(X) = P(x_1) \times \dots \times P(x_D)$ • ↓ • $P^{\cup}(X) = P(x_1) \cup \dots \cup P(x_D)$
Main Construction • Reducing the decryption key size • $\Lambda^{\times}(B) = \Lambda(s_1, t_1) \times \dots \times \Lambda(s_D, t_D)$ • ↓ • $\Lambda^{\cup}(B) = \Lambda(s_1, t_1) \cup \dots \cup \Lambda(s_D, t_D)$
Main Construction • Preventing the collusion attack • Using binding technique • Using re-randomization to tie the sub-keys in different dimensions
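Main Construction • Preventing the collusion attack • [Figure: regions R1, R2, R3, R4 with sub-keys $k_a$, $k_b$, $k_c$, $k_d$] • In R1, $\{k_a, k_c\} \to \{\mu_1 k_a, \mu_2 k_c\}$ • In R4, $\{k_b, k_d\} \to \{\mu_3 k_b, \mu_4 k_d\}$ • $(\mu_1, \mu_2)$ are independent of $(\mu_3, \mu_4)$ • $\mu_1 \mu_2 = \mu_3 \mu_4 =$ some invariant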
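A toy model of the binding idea on this slide, as an added example that is not the paper's pairing-based construction. The modulus, the region coordinates and the names `derive_key`, `can_decrypt`, `collusion_succeeds` are assumptions, and the explicit product comparison stands in for the cancellation a real scheme would rely on during decryption.

```python
import secrets

P_MOD = 2**127 - 1                               # prime modulus for the toy arithmetic
INVARIANT = secrets.randbelow(P_MOD - 2) + 2     # stand-in for the key-wide invariant

R1 = ((1, 4), (1, 4))   # constructed regions: R1 uses the ranges of (k_a, k_c),
R4 = ((5, 8), (5, 8))   # R4 uses the ranges of (k_b, k_d)

def derive_key(box, bind):
    """One sub-key per dimension, as (range, mu)."""
    if not bind:
        return [(rng, 1) for rng in box]          # naive: no per-key randomness
    mu1 = secrets.randbelow(P_MOD - 1) + 1        # fresh on every DeriveKey call
    mu2 = INVARIANT * pow(mu1, -1, P_MOD) % P_MOD # forces mu1 * mu2 = INVARIANT
    return [(box[0], mu1), (box[1], mu2)]

def can_decrypt(subkeys, point, bind):
    """Each coordinate must be covered; with binding the mus must also multiply to the invariant."""
    covered = all(s <= x <= t for ((s, t), _), x in zip(subkeys, point))
    if not bind:
        return covered
    prod = 1
    for _, mu in subkeys:
        prod = prod * mu % P_MOD
    return covered and prod == INVARIANT

def collusion_succeeds(bind):
    """Holders of keys for R1 and R4 mix sub-keys to reach a point in neither region."""
    key_r1, key_r4 = derive_key(R1, bind), derive_key(R4, bind)
    mixed = [key_r1[0], key_r4[1]]                # k_a from R1's key, k_d from R4's key
    return can_decrypt(mixed, (2, 6), bind)       # (2, 6) lies outside both R1 and R4
```

Without binding the mixed key covers the point and is accepted; with binding the mixed product is $\mu_1 \mu_4$, which equals the invariant only if the two keys happened to draw the same randomness.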
Main Construction • Let L = O(log T) be the height of a tree • All IDs are picked from $\mathbb{Z}_p^*$ • Message Msg ∈ {0, 1} with a series of trailing zeros $0^{m'}$
Main Construction • Setup(Σ, LΔ)
Main Construction • DeriveKey(PK, SK, B)
Main Construction • Encrypt(PK, X, Msg)