Queries on Encrypted Data

1
Queries on Encrypted Data
Dan Boneh Brent Waters Stanford
University SRI
2
Motivation a few examples

• Example 1
• Visa gateway Forwarding encrypted CC
  transactions to the visa system

Enc(PKvisa, Transaction)
High Security Processor
D
VISA Gateway
Yes
Transaction
VALUE
Exp-Date
D
Low Security Processor
No
SKvisa ? T1000
T1000
3
Conjunction queries

• Goal gateway should not learn which conjunct
  failed.
• ? Visa cannot simply give gateway two tokens

VALUE gt 1000 AND exp-date lt Jan. 2007
High Security Processor
D
VISA Gateway
Yes
Transaction
VALUE
Exp-Date
D
Low Security Processor
No
SKvisa ? TP
TP
4
Filtering Encrypted Email

• Set containment queries
• Server learns nothing other than containment
  status.

SKalice
email
From ? spamhaus
MailServer
No
E( PKalice, email)
Yes
Tspam
5
Routing Encrypted Email

• Conjunction queries

SKalice
email
From ? Friends AND subject urgent
MailServer
No
E( PKalice, email)
Yes
Tcell
6
Long term goal

• Goal Public-key encryption system supporting
  any predicate (poly-size circuits)
• Sample application
• Spam predicate P(m) 1 if m is spam
  email
• ? Mail server filters out encrypted
  spam email without decrypting email.
• but no known construction

7
History

• To date primary focus on equality queries
• SWP00, GO87 Equality queries on
  symmetric-key encrypted data
• BDOP04, AB05 Equality queries on
  public-key encrypted data
• OS05, BSW06 Equality queries that hide
  predicate from server
• BBO06 Efficient equality searches in databases
• BCPSS06 Range queries in a weaker security
  model

8
Definitions

• Let ? P1 , , Pn be a set of predicates
  over ? .
• Pi ? ? 0,1 e.g
  Pj(m) 1 ? m ? j
• A ?-query system consists of 4 algorithms
• Setup (?) outputs PK and SK
• Encrypt (PK, S, M) ? Ciphertext C (S??)
• GenToken (SK, ltPgt) ? Token TP (P??)
• Query ( TP, C) ? Output
• Note no decryption (but can easily be added
  in) .

9
Security

• Example ? 1, , n , Pj(x) 1
  ? x ? j
• Adversary can request arbitrary tokens
• Clearly, adversary can distinguish
• Encrypt(PK, x, m) from Encrypt(PK, y, m)
• but Encrypt(PK, x, m) and Encrypt(PK, z,
  m)
• should be indistinguishable

1
n
10
Secure ?-query systems

• Semantic security in the presence of arbitrary
  tokens

Challenger
Attacker
RunSetup(?)
, P2 , , Pq
, T2 , , Tq
s.t. ?j Pj(S0) Pj(S1) M0?M1 ?
?j Pj(S0) Pj(S1)0
Adversary wins if b b
11
Selectively secure ?-query systems
S0 , S1
Challenger
Attacker
RunSetup(?)
, P2 , , Pq
, T2 , , Tq
(S0,M0) , (S1,M1)
M0 , M1
S0
S1
s.t. ?j Pj(S0) Pj(S1) M0?M1 ?
?j Pj(S0) Pj(S1)0
Adversary wins if b b
12
The trivial brute-force system

• ? P1 , , Pn (KeyGen, Enc, Dec)
  pub-key system
• Setup(?) Run KeyGen(?) n times
• PK ? ( PK1 , , PKn ) , SK ? ( SK1, ,
  SKn )
• Encrypt( PK, S, M)
• output C ? (C1 , , Cn )
• GenToken( SK, Pi ) output T ? SKi
• Query( T, C) output Dec( SKi , Ci )
• Parameters CT O(n) T O(1)

13
Best known constructions BSW06, BW06

• Encrypt S ? 1 ,, n
• Encrypt S (S1,,Sw) ? 1 ,, n w ---
  conjunctions

Trivial CT Lower Bound Best KnownCT T Best KnownCT T
Equality (S a) O(n) O(log n) O(log n) O(log n)
Comparison (S?a) O(n) O(log n) O(?n) O(?n)
Subset (S ? A) O(2n) O(log n) O(n) O(n-A)
Trivial CT Lower Bound Best KnownCT T Best KnownCT T
S1a1 ? ? Swaw O(nw) O(w?log n) O(w?log n) O(w?log n)
S1?a1 ? ? Sw?aw O(nw) O(w?log n) O(nw) O(w?log n)
S1?A1 ? ? Sw?Aw O(2nw) O(w?log n) O(nw) O(w?A)
14
Connections
15
Comparisons ? Traitor Tracing CFN94

• What if secret key Ki is exposed?
• Goal Trace pirate decoder D to key Ku.
• Then kill user u (or revoke his
  key).

K1
CT EM
K2
K3
16
Tracing Traitors

• SetupTT (n,?) outputs private keys K1 , ,
  Kn
• public-key PK
• User i gets private key Ki
• EncryptTT (PK, M) ? Ciphertext C
• DecryptTT (Ki, C) ? Message M
• Trace D ( PK ) ? i ? 1,,n
• Outputs index of at least one key used to build
  D
• D -- stateless black-box pirate decoder.

17
Comparisons ? Traitor Tracing

• SetupTT (n,?) Run setup(?) to generate PK,SK
• For i?1,,n key Ki ? GenToken(SK, i)
• EncryptTT (PK, M) C ? Encrypt( PK, 1, M)
• DecryptTT (Ki , C) M ? Query(Ki , C)
• Decryption works since i ? 1
• Tracing next slide

18
TraceD(PK) BF99, NNL00, KY02
R

• For j 1, , n1 define for M ? M
• pj Pr D( Encrypt(PK, j ,M) ) M
• Then p1 gt 1- ? pn1 ? 0
• 1-? lt pn1 p1 ? pi1 pi ?
  ? pi1 pi
• ? Exists i?1,,n s.t. pi1 pi
  ? (1- ?)/n
• ? User i must be one of the pirates.

19
Security Theorem
?

• Tracing algorithm estimates pi - pi
  lt (1-?)/4n
• Need O(n2) samples per pi. (D
  stateless)
• Cubic time tracing. (can be improved to
  quadratic)
• Thm
• underlying comparison query system is
  selectively secure
• ?
• no eff. adv wins tracing game with non-neg adv.

20
Other connections BE, IBE

• Membership queries S ? 1,,n Pj (S)
  1 ? j ? S
• Membership ? Private Broadcast Encryption
  BBW05
• SetupBE (n,?) Run setup(?) to generate PK,SK
• For j?1,,n key Kj ? GenToken(SK,
  j)
• EncryptBE (PK, S, M) C ? Encrypt( PK, S,
  M)
• DecryptBE (Kj , C) M ? Query(C, Kj)
• Decryption works when j ? S
• Best membership construction CT O(S)
  BBW05

21
Constructions
22
Crash course in pairings

• Standard groups where discrete-log may be hard
• Zp for prime p.
• Elliptic Curves E/Fp y2 x3 ax b
• Extra structure on elliptic curves bilinear
  maps.
• Defined by A. Weil (1946).
• Miller 84 Algorithm for computing.
• MOV 93 Used to attack certain EC systems.
• Recently (2000-5) lots of positive crypto apps.

23
Bilinear maps

• G , GT finite cyclic groups of prime order
  q.
• Def An admissible bilinear map e G?G ? GT
  is
• Bilinear e(ga, gb) e(g,g)ab ?a,b?Z,
  g?G
• Non-degenerate g generates G ?
  e(g,g) generates GT .
• Efficiently computable.
• DDH is easy in G given (g, ga, h, hb)
  then
• a b ? e(g, hb) e(ga , h)

24
Bilinear groups of order Npq BGN05

• G group of order Npq. (p,q)
  secret.
• bilinear map e G ? G ? GT
• G Gp ? Gq . gp gq ? Gp
  gq gp ? Gq
• Facts h ? G ? h (gq)a ? (gp)b
• e( gp , gq ) e(gp , gq) e(g,g)N 1
• e( gp , h ) e( gp , gp)b !!

25
Subset query system

• Goal for any S ? 1,,n and A ?
  1,,n answer queries of type PA(S)
  1 ? S ? A
• Example FromAddress ? Friends
• Trivial system CT O(2n) , Our
  goal CT O(n)
• Approach reformulate as conjunctive equality
  query
• Encode S ? 1,,n in uniary
• ?(S) (s1,,sn) ? 0,1n
• Then S ? A ? (sa
  0)

0 0 0 1 0 0 0
26
Binary conjunctive equality queries

• A failed attempt using standard IBE technology
  BB04
• G bilinear group. w, u, u1,, v1, ? G,
  L?GT
• Encrypt (PK, b (b1,,bn), M) r ? Zq
• C ? M?Lr , ur , (u1b1 v1)r ,
  , (unbn vn)r
• GenToken( SKw, A ? 1,,n ) t1, , tn ?
  Zq
• TA ? w? ? (va)ta , ut1 ,
  , utn
• Query( TA, C) If (? a ?Ac ba0)
• then algebra returns M otherwise random
  in G
• Problem C leaks ( b1, , bn )
• bj 0 ? (u, vj , ur , (ujbj vj)r
  ) is a DDH tuple

a?Ac
27
Composite order groups to the rescue

• GGp?Gq composite order group. w, u, u1 , , v1
  , ? Gp
• PK Blind us and vs by Gq
• Ui?ui?Ri , Vi?vi?Ri where Ri,
  Ri ? Gq
• Encrypt (PK, b (b1,,bn), M) r ? ZN ,
  Z, Z1, ? Gq
• C ? M?Lr , Ur?Z , (U1b1 V1)r ?Z1 , ,
  (Unbn Vn)r ?Zn
• No change to GenToken and Query
• Note Rj , Zi terms cancel in Query.
• Main point now DDH attack fails bj
  0 , but
• (U, Vj , Ur?Z , (Ujbj Vj)r?Zj ) not a
  DDH tuple in G

28
The full system

• ... But cannot prove the system secure.
• The full system add y1, , yn to
  SK
• GenToken( SKw, A ? 1,,n ) t1,1, t1,2 ,
  ? ZN
• ( u1t1,1 , y1t1,2 )
• ( untn,1 , yntn,2 )
• Thm The system is a selectively secure
  subset query system assuming
• Bilinear-DH assumption, and
• Composite 3-party DH assumption

TA ? w? ? (va)ta,1 ?(ya)ta,2 ,
a?Ac
29
Summary and Open Problems

• Queries on public key encrypted data
• Equality queries efficient
• Comparison queries plaintext ? t
• Implies traitor tracing
• Best construction CT O(sqrt(n))
• Open CT O(log n)
• Subset queries plaintext ? A
• Best construction CT O(n)
• Open CT O(log n)
• Similar constructions/questions for conjunctive
  queries

?
?
30
THE END