Queries on Encrypted Data
Dan Boneh
Stanford University
Brent Waters
SRI
1
Motivation: a few examples
Example 1: Visa gateway: forwarding encrypted CC transactions to the Visa system.
[Figure: the Gateway receives Enc(PKvisa, Transaction) and must answer "VALUE > 1000$ ?" without decrypting. Visa, holding SKvisa, issues the gateway a token T1000 for that predicate. The gateway applies T1000 to the encrypted transaction (fields VALUE, Exp-Date, …) and routes it: Yes → High Security Processor, No → Low Security Processor.]
2
Conjunction queries
Query: VALUE > 1000 AND exp-date < Jan. 2007
Goal: gateway should not learn which conjunct failed.
Visa cannot simply give gateway two tokens.
[Figure: as before, but Visa (SKvisa) issues a single token TP for the conjunctive predicate P. The gateway applies TP to the encrypted transaction (VALUE, Exp-Date) and routes it: Yes → High Security Processor, No → Low Security Processor.]
3
Filtering Encrypted Email
Set containment queries: From ∈ spamhaus
Server learns nothing other than containment status.
[Figure: the Mail Server receives E(PKalice, email) (fields From:, Subject:, …). Alice, holding SKalice, gives the server a token Tspam for the predicate "From ∈ spamhaus"; the server applies Tspam to each encrypted email and learns only Yes/No.]
4
Routing Encrypted Email
Conjunction queries: From ∈ Friends AND subject = “urgent”
[Figure: the Mail Server receives E(PKalice, email) (fields From:, Subject:, …). Alice (SKalice) gives the server a token Tcell for the conjunctive predicate; the server applies Tcell to each encrypted email and learns only Yes/No, i.e. whether to route the mail to her cell phone.]
5
Long term goal …
Goal: public-key encryption system supporting any predicate (poly-size circuits).
Sample application: spam predicate P(m) = 1 if m is spam email. The mail server filters out encrypted spam email without decrypting the email.
… but no known construction.
6
History
To date: primary focus on equality queries
SWP’00, GO’87: Equality queries on symmetric-key encrypted data
BDOP’04, AB…’05: Equality queries on public-key encrypted data
OS’05, BSW’06: Equality queries that hide the predicate from the server
BBO’06: Efficient equality searches in databases
BCPSS’06: Range queries in a weaker security model
7
Definitions
Let Φ = {P1, …, Pn} be a set of predicates over Σ, i.e. each Pi : Σ → {0,1}.
[e.g.: Σ = {1,…,n} and Pj(m) = 1 iff m ≤ j]
A Φ-query system consists of 4 algorithms:
Setup(λ): outputs PK and SK
Encrypt(PK, S, M) → Ciphertext C
GenToken(SK, <P>) → Token TP
Query(TP, C) → Output M if P(S) = 1, ⊥ otherwise
Note: no decryption (but can easily be added in).
8
Security
Example: Σ = {1, …, n}, [Pj(x) = 1 iff x ≤ j]
Adversary can request arbitrary tokens: e.g. the tokens for a, b, c.
[Figure: number line 1 … n marking the points x, z, y and the token positions a, b, c]
Clearly, the adversary can distinguish Encrypt(PK, x, m) from Encrypt(PK, y, m)
… but Encrypt(PK, x, m) and Encrypt(PK, z, m) should be indistinguishable.
9
Secure Φ-query systems
Semantic security in the presence of arbitrary tokens:
Challenger: runs Setup(); sends PK to the Attacker.
Attacker: requests tokens for P1, P2, …, Pq; Challenger returns T1, T2, …, Tq.
Attacker: outputs (S0,M0), (S1,M1) s.t.: ∀j: Pj(S0) = Pj(S1), and M0 ≠ M1 ⇒ ∀j: Pj(S0) = Pj(S1) = 0.
Challenger: b ← {0,1}; C ← Encrypt(PK, Sb, Mb); sends C to the Attacker.
Attacker: outputs b’ ∈ {0,1}.
Adversary wins if: b = b’
10
Selectively secure Φ-query systems
Same game, except that the Attacker commits to S0, S1 before seeing PK:
Attacker: sends S0, S1 to the Challenger.
Challenger: runs Setup(); sends PK to the Attacker.
Attacker: requests tokens for P1, P2, …, Pq; Challenger returns T1, T2, …, Tq.
Attacker: outputs (S0,M0), (S1,M1) s.t.: ∀j: Pj(S0) = Pj(S1), and M0 ≠ M1 ⇒ ∀j: Pj(S0) = Pj(S1) = 0.
Challenger: b ← {0,1}; C ← Encrypt(PK, Sb, Mb); sends C to the Attacker.
Attacker: outputs b’ ∈ {0,1}.
Adversary wins if: b = b’
11
The trivial brute-force system
Φ = {P1, …, Pn}; (KeyGen, Enc, Dec) a pub-key system
Setup(): Run KeyGen() n times; PK ← (PK1, …, PKn), SK ← (SK1, …, SKn)
Encrypt(PK, S, M): for j = 1,…,n: Cj ← Enc(PKj, M) if Pj(S) = 1, Enc(PKj, ⊥) otherwise; output C ← (C1, …, Cn)
GenToken(SK, Pi): output T ← SKi
Query(T, C): output Dec(SKi, Ci)
Parameters: |CT| = O(n), |T| = O(1)
12
Best known constructions [BSW’06, BW’06]

Encrypt S ∈ {1,…,n}
                        Trivial |CT|   Lower Bound |CT|   Best Known |CT|   Best Known |T|
Equality (S = a)        O(n)           O(log n)           O(log n)          O(log n)
Comparison (S ≤ a)      O(n)           O(log n)           O(n)              O(n)
Subset (S ⊆ A)          O(2^n)         O(log n)           O(n)              O(n − |A|)

Encrypt S = (S1,…,Sw) ∈ {1,…,n}^w   (w conjunctions)
                                Trivial |CT|   Lower Bound |CT|   Best Known |CT|   Best Known |T|
S1 = a1 ∧ … ∧ Sw = aw           O(n^w)         O(w log n)         O(w log n)        O(w log n)
S1 ≤ a1 ∧ … ∧ Sw ≤ aw           O(n^w)         O(w log n)         O(nw)             O(w log n)
S1 ⊆ A1 ∧ … ∧ Sw ⊆ Aw           O(2^{nw})      O(w log n)         O(nw)             O(w|A|)
13
Connections
14
Comparisons ⇒ Traitor Tracing [CFN’94]
[Figure: a broadcaster sends CT = E[M]; users hold decryption keys K1, K2, K3.]
What if secret key Ki is exposed?
Goal: Trace pirate decoder D to key Ku. Then kill user u (or revoke his key).
15
Tracing Traitors
SetupTT(n, λ): outputs public key PK and private keys K1, …, Kn; user i gets private key Ki
EncryptTT(PK, M) → Ciphertext C
DecryptTT(Ki, C) → Message M
Trace^D(PK) → i ∈ {1,…,n}: outputs the index of at least one key used to build D
D -- stateless black-box pirate decoder.
16
Comparisons ⇒ Traitor Tracing
SetupTT(n, λ): Run Setup() to generate PK, SK. For i ∈ {1,…,n}: key Ki ← GenToken(SK, i)
EncryptTT(PK, M): C ← Encrypt(PK, 1, M)
DecryptTT(Ki, C): M ← Query(Ki, C). Decryption works since i ≥ 1.
Tracing: next slide
17
Trace^D(PK): [BF99, NNL00, KY02]
For j = 1, …, n+1 define, for random M ← M: pj := Pr[ D(Encrypt(PK, j, M)) = M ]
Then: p1 > 1 − ε ; p_{n+1} ≈ 0
⇒ 1 − ε < | p_{n+1} − p1 | = | Σ_{i=1}^{n} (p_{i+1} − pi) | ≤ Σ_{i=1}^{n} | p_{i+1} − pi |
⇒ Exists i ∈ {1,…,n} s.t. | p_{i+1} − pi | ≥ (1 − ε)/n
⇒ User i must be one of the pirates.
18
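The tracing procedure of the slide above and its analysis on the next slide, run end to end as an added example (not the authors' code). The comparison-query system is not implemented here: a pirate decoder D built from the keys of a constructed set of colluding users is simulated directly from the rule that Ki decrypts Encrypt(PK, j, M) iff i ≥ j, with a constructed failure rate ε and a random guess when no key applies. The tracer only ever sees D's input/output behaviour, estimates p1 … p_{n+1} by sampling, and accuses every i whose estimated gap |p_{i+1} − pi| is at least (1 − ε)/2n; the threshold, message space and sample count are assumptions chosen for the demo.

```python
"""Added example: black-box traitor tracing for the comparison-query
construction, with a simulated stateless pirate decoder."""
import random

MSG_SPACE = 256     # constructed toy message space: M is drawn from 0..255

def make_pirate_decoder(pirate_users, eps, rng):
    """Stateless black-box decoder D built from the keys of `pirate_users`.
    Since K_i decrypts Encrypt(PK, j, M) iff i >= j, D can decrypt iff some
    pirate i satisfies i >= j.  Constructed behaviour: when it can, it succeeds
    with probability 1 - eps; otherwise it outputs a uniformly random guess."""
    best = max(pirate_users)
    def D(j, M):
        # (j, M) stands in for the ciphertext Encrypt(PK, j, M); the tracer
        # never inspects it, it only checks whether D's output equals M.
        if j <= best and rng.random() < 1 - eps:
            return M
        return rng.randrange(MSG_SPACE)
    return D

def estimate_p(D, j, samples, rng):
    """Estimate p_j = Pr[ D(Encrypt(PK, j, M)) = M ] over random M by sampling."""
    hits = 0
    for _ in range(samples):
        M = rng.randrange(MSG_SPACE)
        if D(j, M) == M:
            hits += 1
    return hits / samples

def trace(D, n, eps, samples, rng):
    """Trace^D(PK): estimate p_1 .. p_{n+1} and accuse every i in 1..n with
    |p_{i+1} - p_i| >= (1 - eps)/(2n).  If each estimate is within
    (1 - eps)/(4n) of the truth, the index i that the telescoping argument
    guarantees (true gap >= (1 - eps)/n) clears this threshold, while an
    index whose true gap is 0 cannot; so at least one user is accused and
    every accused user is a pirate."""
    p = [estimate_p(D, j, samples, rng) for j in range(1, n + 2)]   # p[k] holds p_{k+1}
    threshold = (1 - eps) / (2 * n)
    accused = {i for i in range(1, n + 1) if abs(p[i] - p[i - 1]) >= threshold}
    return accused, p

if __name__ == "__main__":
    n, eps = 5, 0.1
    D = make_pirate_decoder({2, 4}, eps, random.Random(1))    # users 2 and 4 colluded
    accused, p = trace(D, n, eps, samples=2000, rng=random.Random(2))
    print("estimates p_1..p_{n+1}:", [round(x, 3) for x in p])
    print("accused:", accused)        # → {4}
```

With users 2 and 4 colluding, p1 … p4 sit near 1 − ε and p5, p6 near 0, so the only large gap is at i = 4: the decoder is traced to the highest-indexed pirate key, which is exactly why the construction needs only comparison rather than equality queries. The slide's O(n²) samples per pi is what makes the (1 − ε)/4n accuracy hold for general decoders; the 2000 samples here are enough only because the simulated decoder's success probabilities are far apart.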
Security Theorem
Tracing algorithm estimates p̂i with | p̂i − pi | < (1 − ε)/4n.
Need O(n²) samples per pi ⇒ cubic time tracing (can be improved to quadratic). (D – stateless)
Thm: underlying comparison query system is selectively secure ⇒ no eff. adv wins tracing game with non-neg adv.
19
Other connections: BE, IBE
Membership queries: S ⊆ {1,…,n}; Pj(S) = 1 iff j ∈ S
Membership ⇒ Private Broadcast Encryption [BBW’05]
SetupBE(n, λ): Run Setup() to generate PK, SK. For j ∈ {1,…,n}: key Kj ← GenToken(SK, j)
EncryptBE(PK, S, M): C ← Encrypt(PK, S, M)
DecryptBE(Kj, C): M ← Query(Kj, C). Decryption works when j ∈ S.
Best membership construction: |CT| = O(|S|) [BBW’05]
20
Constructions
21
Crash course in pairings
Standard groups where discrete-log may be hard:
Zp* for prime p.
Elliptic Curves: E/Fp: y² = x³ + ax + b
Extra structure on elliptic curves: bilinear maps.
Defined by A. Weil (1946).
Miller ’84: Algorithm for computing.
MOV ’93: Used to attack certain EC systems.
Recently (2000-5): lots of positive crypto apps.
22
Bilinear maps
G, GT: finite cyclic groups of prime order q.
Def: An admissible bilinear map e: G × G → GT is:
Bilinear: e(g^a, g^b) = e(g,g)^{ab} for all a, b ∈ Z, g ∈ G
Non-degenerate: g generates G ⇒ e(g,g) generates GT.
“Efficiently” computable.
⇒ DDH is easy in G: given (g, g^a, h, h^b) then a = b ⟺ e(g, h^b) = e(g^a, h)
23
Bilinear groups of order N = pq [BGN’05]
G: group of order N = pq, (p,q) secret. Bilinear map e: G × G → GT. G = Gp × Gq.
Facts:
gp = g^q ∈ Gp ; gq = g^p ∈ Gq
e(gp, gq) = e(g^q, g^p) = e(g,g)^N = 1
h ∈ G: h = (gq)^a (gp)^b ⇒ e(gp, h) = e(gp, gp)^b !!
24
Subset query system
Goal: for any S ⊆ {1,…,n} and A ⊆ {1,…,n}, answer queries of type: PA(S) = 1 ⟺ S ⊆ A
Example: FromAddress ∈ Friends
Trivial system: |CT| = O(2^n). Our goal: |CT| = O(n)
Approach: reformulate as a conjunctive equality query.
Encode S ⊆ {1,…,n} in unary: σ(S) = (s1,…,sn) ∈ {0,1}^n   (0 0 0 … 1 … 0 0 0)
Then S ⊆ A ⟺ ∧_{a ∈ A^c} (sa = 0)
25
Binary conjunctive equality queries
A failed attempt using standard IBE technology [BB’04]:
G: bilinear group. w, u, u1,…, v1,… ∈ G, L ∈ GT
Encrypt(PK, b = (b1,…,bn), M): r ← Zq; C ← [ M·L^r, u^r, (u1^{b1} v1)^r, …, (un^{bn} vn)^r ]
GenToken(SK = w, A ⊆ {1,…,n}): t1, …, tn ← Zq; TA ← [ w · ∏_{a ∈ A^c} (va)^{ta}, u^{t1}, …, u^{tn} ]
Query(TA, C): if (∀ a ∈ A^c: ba = 0) then “algebra” returns M; otherwise random in G
Problem: C leaks (b1, …, bn): bj = 0 ⟺ (u, vj, u^r, (uj^{bj} vj)^r) is a DDH tuple
26
Composite order groups to the rescue …
G = Gp × Gq composite order group. w, u, u1, …, v1, … ∈ Gp
PK: blind the u’s and v’s by Gq: Ui ← ui·Ri, Vi ← vi·Ri’ where Ri, Ri’ ∈ Gq
Encrypt(PK, b = (b1,…,bn), M): r ← ZN; Z, Z1, … ← Gq; C ← [ M·L^r, U^r·Z, (U1^{b1} V1)^r·Z1, …, (Un^{bn} Vn)^r·Zn ]
No change to GenToken and Query. Note: the Rj, Zi terms cancel in Query.
Main point: now the DDH attack fails: bj = 0, but (U, Vj, U^r·Z, (Uj^{bj} Vj)^r·Zj) is not a DDH tuple in G
27
The full system
… But cannot prove the system secure.
The full system: add y1, …, yn to SK.
GenToken(SK = w, A ⊆ {1,…,n}): t_{1,1}, t_{1,2}, … ← ZN
TA ← [ w · ∏_{a ∈ A^c} (va)^{t_{a,1}} (ya)^{t_{a,2}}, (u1^{t_{1,1}}, y1^{t_{1,2}}), …, (un^{t_{n,1}}, yn^{t_{n,2}}) ]
Thm: The system is a selectively secure subset query system assuming: the Bilinear-DH assumption, and the Composite 3-party DH assumption
28
Summary and Open Problems
Queries on public key encrypted data:
Equality queries: efficient
Comparison queries (plaintext ≤ t ?): implies traitor tracing. Best construction: |CT| = O(sqrt(n)). Open: |CT| = O(log n)
Subset queries (plaintext ⊆ A ?): Best construction: |CT| = O(n). Open: |CT| = O(log n)
Similar constructions/questions for conjunctive queries
29
THE END
30