Queries on Encrypted Data - PowerPoint PPT Presentation

Slides: 31
Provided by: danb2


1
Queries on Encrypted Data
Dan Boneh (Stanford University), Brent Waters (SRI)
2
Motivation: a few examples
  • Example 1
  • Visa gateway: forwarding encrypted CC
    transactions to the Visa system

[Diagram: Enc(PKvisa, Transaction) → VISA Gateway, which holds token T1000 (SKvisa → T1000). Transaction fields: VALUE, Exp-Date. Yes → High Security Processor (D); No → Low Security Processor (D).]
3
Conjunction queries
  • Goal: gateway should not learn which conjunct
    failed.
  • ⇒ Visa cannot simply give gateway two tokens

[Diagram: VISA Gateway holding token TP (SKvisa → TP) tests VALUE > 1000 AND exp-date < Jan. 2007 on the Transaction (fields VALUE, Exp-Date). Yes → High Security Processor (D); No → Low Security Processor (D).]
4
Filtering Encrypted Email
  • Set containment queries
  • Server learns nothing other than containment
    status.

[Diagram: E(PKalice, email) → MailServer, which holds token Tspam (from SKalice) and tests From ∈ spamhaus. Outcomes: Yes / No.]
5
Routing Encrypted Email
  • Conjunction queries

[Diagram: E(PKalice, email) → MailServer, which holds token Tcell (from SKalice) and tests From ∈ Friends AND subject = urgent. Outcomes: Yes / No.]
6
Long term goal
  • Goal: public-key encryption system supporting
    any predicate (poly-size circuits)
  • Sample application:
  • Spam predicate: P(m) = 1 if m is spam
    email
  • ⇒ Mail server filters out encrypted
    spam email without decrypting email.
  • but no known construction

7
History
  • To date: primary focus on equality queries
  • [SWP00, GO87]: Equality queries on
    symmetric-key encrypted data
  • [BDOP04, AB05]: Equality queries on
    public-key encrypted data
  • [OS05, BSW06]: Equality queries that hide
    predicate from server
  • [BBO06]: Efficient equality searches in databases
  • [BCPSS06]: Range queries in a weaker security
    model

8
Definitions
  • Let ? = { P1 , … , Pn } be a set of predicates
    over ? .
  • Pi : ? → {0,1}    e.g.
    Pj(m) = 1 ⇔ m ? j
  • A ?-query system consists of 4 algorithms:
  • Setup (?): outputs PK and SK
  • Encrypt (PK, S, M) → Ciphertext C   (S ∈ ?)
  • GenToken (SK, <P>) → Token TP   (P ∈ ?)
  • Query ( TP, C) → Output
  • Note: no decryption (but can easily be added
    in).

9
Security
  • Example: ? = {1, … , n} ,   Pj(x) = 1
    ⇔ x ? j
  • Adversary can request arbitrary tokens
  • Clearly, adversary can distinguish
  • Encrypt(PK, x, m) from Encrypt(PK, y, m)
  • but Encrypt(PK, x, m) and Encrypt(PK, z,
    m)
  • should be indistinguishable

10
Secure ?-query systems
  • Semantic security in the presence of arbitrary
    tokens

[Diagram: game between Challenger and Attacker. Labels: Run Setup(?); predicates P1, P2, …, Pq; tokens T1, T2, …, Tq;
s.t. ∀j: Pj(S0) = Pj(S1), and M0 ≠ M1 ⇒ ∀j: Pj(S0) = Pj(S1) = 0.]
Adversary wins if b = b'
11
Selectively secure ?-query systems
[Diagram: game between Challenger and Attacker. Labels, in order: S0, S1; Run Setup(?); predicates P1, P2, …, Pq; tokens T1, T2, …, Tq; (S0,M0), (S1,M1); M0, M1;
s.t. ∀j: Pj(S0) = Pj(S1), and M0 ≠ M1 ⇒ ∀j: Pj(S0) = Pj(S1) = 0.]
Adversary wins if b = b'
12
The trivial brute-force system
  • ? = { P1 , … , Pn } ,   (KeyGen, Enc, Dec):
    pub-key system
  • Setup(?): Run KeyGen(?) n times
  • PK ← ( PK1 , … , PKn ) , SK ← ( SK1 , … ,
    SKn )
  • Encrypt( PK, S, M):
  • output C ← (C1 , … , Cn )
  • GenToken( SK, Pi ): output T ← SKi
  • Query( T, C): output Dec( SKi , Ci )
  • Parameters: CT = O(n) ,  T = O(1)

13
Best known constructions [BSW06, BW06]
  • Encrypt S ∈ {1, …, n}

Query              | Trivial CT | Lower Bound | Best Known CT | Best Known T
Equality (S = a)   | O(n)       | O(log n)    | O(log n)      | O(log n)
Comparison (S ? a) | O(n)       | O(log n)    | O(√n)         | O(√n)
Subset (S ∈ A)     | O(2^n)     | O(log n)    | O(n)          | O(n-A)

  • Encrypt S = (S1,…,Sw) ∈ {1, …, n}^w (conjunctions)

Query               | Trivial CT | Lower Bound | Best Known CT | Best Known T
S1=a1 ∧ … ∧ Sw=aw   | O(n^w)     | O(w·log n)  | O(w·log n)    | O(w·log n)
S1?a1 ∧ … ∧ Sw?aw   | O(n^w)     | O(w·log n)  | O(nw)         | O(w·log n)
S1∈A1 ∧ … ∧ Sw∈Aw   | O(2^(nw))  | O(w·log n)  | O(nw)         | O(w·A)
14
Connections
15
Comparisons ⇒ Traitor Tracing [CFN94]
  • What if secret key Ki is exposed?
  • Goal: trace pirate decoder D to key Ku.
  • Then kill user u (or revoke his
    key).

[Diagram: keys K1, K2, K3 and ciphertext CT = E(M).]
16
Tracing Traitors
  • SetupTT (n,?): outputs private keys K1 , … ,
    Kn
  • public-key PK
  • User i gets private key Ki
  • EncryptTT (PK, M) → Ciphertext C
  • DecryptTT (Ki, C) → Message M
  • Trace^D ( PK ) → i ∈ {1,…,n}
  • Outputs index of at least one key used to build
    D
  • D -- stateless black-box pirate decoder.

17
Comparisons ⇒ Traitor Tracing
  • SetupTT (n,?): Run Setup(?) to generate PK, SK
  • For i ∈ {1,…,n}: key Ki ← GenToken(SK, i)
  • EncryptTT (PK, M): C ← Encrypt( PK, 1, M)
  • DecryptTT (Ki , C): M ← Query(Ki , C)
  • Decryption works since i ≥ 1
  • Tracing: next slide

18
Trace^D(PK) [BF99, NNL00, KY02]
  • For j = 1, … , n+1 define, for M ←R M:
  • pj = Pr[ D( Encrypt(PK, j, M) ) = M ]
  • Then p1 > 1-? ,  pn+1 ? 0
  • 1-? < | pn+1 − p1 | = | Σ (pi+1 − pi) | ≤
    Σ | pi+1 − pi |
  • ⇒ Exists i ∈ {1,…,n} s.t. | pi+1 − pi |
    ≥ (1-?)/n
  • ⇒ User i must be one of the pirates.

19
Security Theorem
  • Tracing algorithm: estimates | pi − p̂i |
    < (1-?)/4n
  • Need O(n^2) samples per pi. (D
    stateless)
  • Cubic time tracing. (can be improved to
    quadratic)
  • Thm:
  • underlying comparison query system is
    selectively secure
  • ⇒
  • no eff. adv wins tracing game with non-neg adv.
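
An added example, not part of the original slides: a simulation of the tracing procedure on slides 17 to 19. The comparison system is replaced by an idealised stand-in with no real cryptography (assumption: key Ki opens Encrypt(PK, j, M) exactly when i ≥ j, as slide 17 implies), and the names make_decoder, estimate_p and trace are hypothetical.

```python
import random

def make_decoder(pirate_keys, rng, fail_rate=0.05):
    """Stateless pirate decoder D built from the key indices in pirate_keys.

    Idealised functionality only (assumption, no real cryptography): a ciphertext
    Encrypt(PK, j, M) is modelled as the pair (j, M), and key K_i opens it iff i >= j.
    """
    def decoder(j, message):
        if rng.random() < fail_rate:              # D is allowed to fail sometimes
            return None
        return message if any(i >= j for i in pirate_keys) else None
    return decoder

def estimate_p(decoder, j, samples, rng):
    """Estimate p_j = Pr[D(Encrypt(PK, j, M)) = M] over random messages M."""
    hits = 0
    for _ in range(samples):
        m = rng.getrandbits(64)
        hits += decoder(j, m) == m
    return hits / samples

def trace(decoder, n, samples=2000, seed=1):
    """Black-box tracing: return (i, gap) where gap = p_i - p_{i+1} is largest."""
    rng = random.Random(seed)
    p = [estimate_p(decoder, j, samples, rng) for j in range(1, n + 2)]  # p_1..p_{n+1}
    gaps = [p[k] - p[k + 1] for k in range(n)]    # gaps[k] is p_{k+1} - p_{k+2}
    best = max(range(n), key=lambda k: gaps[k])
    return best + 1, gaps[best]

if __name__ == "__main__":
    n = 10
    pirates = {3, 7}                              # constructed coalition
    D = make_decoder(pirates, random.Random(0))
    accused, gap = trace(D, n)
    print(f"accused user {accused}, gap {gap:.3f}, bound (1-0.05)/n = {0.95 / n:.3f}")
```

Only key K_i separates Encrypt(PK, i, M) from Encrypt(PK, i+1, M), so the index with the large gap always belongs to the coalition; here the tracer accuses the highest-index pirate.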

20
Other connections: BE, IBE
  • Membership queries: S ⊆ {1,…,n} ,  Pj (S) =
    1 ⇔ j ∈ S
  • Membership ⇒ Private Broadcast Encryption
    [BBW05]
  • SetupBE (n,?): Run Setup(?) to generate PK, SK
  • For j ∈ {1,…,n}: key Kj ← GenToken(SK,
    j)
  • EncryptBE (PK, S, M): C ← Encrypt( PK, S,
    M)
  • DecryptBE (Kj , C): M ← Query(C, Kj)
  • Decryption works when j ∈ S
  • Best membership construction: CT = O(S)
    [BBW05]

21
Constructions
22
Crash course in pairings
  • Standard groups where discrete-log may be hard:
  • Zp for prime p.
  • Elliptic curves: E/Fp : y^2 = x^3 + ax + b
  • Extra structure on elliptic curves: bilinear
    maps.
  • Defined by A. Weil (1946).
  • Miller 84: Algorithm for computing.
  • MOV 93: Used to attack certain EC systems.
  • Recently (2000-5): lots of positive crypto apps.

23
Bilinear maps
  • G , GT : finite cyclic groups of prime order
    q.
  • Def: An admissible bilinear map e: G×G → GT
    is:
  • Bilinear: e(g^a, g^b) = e(g,g)^(ab)  ∀a,b∈Z,
    g∈G
  • Non-degenerate: g generates G ⇒
    e(g,g) generates GT .
  • Efficiently computable.
  • DDH is easy in G: given (g, g^a, h, h^b)
    then
  • a = b ⇔ e(g, h^b) = e(g^a , h)

24
Bilinear groups of order N=pq [BGN05]
  • G: group of order N=pq. (p,q)
    secret.
  • bilinear map: e: G × G → GT
  • G = Gp × Gq .   gp = g^q ∈ Gp ,
    gq = g^p ∈ Gq
  • Facts: h ∈ G ⇒ h = (gq)^a · (gp)^b
  • e( gp , gq ) = e(g^q , g^p) = e(g,g)^N = 1
  • e( gp , h ) = e( gp , gp)^b !!

25
Subset query system
  • Goal: for any S ∈ {1,…,n} and A ⊆
    {1,…,n} answer queries of type PA(S) =
    1 ⇔ S ∈ A
  • Example: FromAddress ∈ Friends
  • Trivial system: CT = O(2^n) ,  Our
    goal: CT = O(n)
  • Approach: reformulate as conjunctive equality
    query
  • Encode S ∈ {1,…,n} in unary:
  • ?(S) = (s1,…,sn) ∈ {0,1}^n
  • Then S ∈ A ⇔ ∧ a∈A^c (sa =
    0)

0 0 0 1 0 0 0
26
Binary conjunctive equality queries
  • A failed attempt using standard IBE technology
    [BB04]
  • G: bilinear group.  w, u, u1,…, v1,… ∈ G,
    L ∈ GT
  • Encrypt (PK, b = (b1,…,bn), M):  r ← Zq
  • C ← ( M·L^r , u^r , (u1^b1 v1)^r ,
    … , (un^bn vn)^r )
  • GenToken( SK=w, A ⊆ {1,…,n} ):  t1, … , tn ←
    Zq
  • TA ← ( w · ∏ a∈A^c (va)^ta , u^t1 ,
    … , u^tn )
  • Query( TA, C): If (∀ a ∈ A^c: ba = 0)
  • then algebra returns M, otherwise random
    in G
  • Problem: C leaks ( b1, … , bn ):
  • bj = 0 ⇒ (u, vj , u^r , (uj^bj vj)^r
    ) is a DDH tuple
27
Composite order groups to the rescue
  • G = Gp×Gq: composite order group.  w, u, u1 , … , v1
    , … ∈ Gp
  • PK: Blind u's and v's by Gq:
  • Ui ← ui·Ri ,  Vi ← vi·Ri'   where Ri,
    Ri' ∈ Gq
  • Encrypt (PK, b = (b1,…,bn), M):  r ← ZN ,
    Z, Z1, … ∈ Gq
  • C ← ( M·L^r , U^r·Z , (U1^b1 V1)^r·Z1 , … ,
    (Un^bn Vn)^r·Zn )
  • No change to GenToken and Query
  • Note: Rj , Zi terms cancel in Query.
  • Main point: now DDH attack fails:  bj =
    0 , but
  • (U, Vj , U^r·Z , (Uj^bj Vj)^r·Zj ) not a
    DDH tuple in G

28
The full system
  • ... But cannot prove the system secure.
  • The full system: add y1, … , yn to
    SK
  • GenToken( SK=w, A ⊆ {1,…,n} ):  t1,1 , t1,2 ,
    … ← ZN
  • TA ← w · ∏ a∈A^c (va)^(ta,1) · (ya)^(ta,2) ,
  • ( u1^(t1,1) , y1^(t1,2) )
  • ( un^(tn,1) , yn^(tn,2) )
  • Thm: The system is a selectively secure
    subset query system assuming
  • Bilinear-DH assumption, and
  • Composite 3-party DH assumption
29
Summary and Open Problems
  • Queries on public key encrypted data
  • Equality queries: efficient
  • Comparison queries: plaintext ? t
  • Implies traitor tracing
  • Best construction: CT = O(sqrt(n))
  • Open: CT = O(log n)
  • Subset queries: plaintext ∈ A
  • Best construction: CT = O(n)
  • Open: CT = O(log n)
  • Similar constructions/questions for conjunctive
    queries

?
?
30
THE END