Queries on Encrypted Data
Dan Boneh, Stanford University
Brent Waters, SRI
Motivation: a few examples

Example 1: Visa gateway, forwarding encrypted CC transactions to the Visa system.

The gateway receives Enc(PK_visa, Transaction), where the transaction contains fields such as VALUE and Exp-Date. Visa uses SK_visa to derive a token T_1000 for the predicate "VALUE > 1000$" and hands T_1000 to the gateway. Applying T_1000 to the ciphertext, the gateway learns only Yes or No and routes the transaction accordingly: Yes to the high-security processor, No to the low-security processor.
Conjunction queries

Predicate: VALUE > 1000 AND exp-date < Jan. 2007

As before, Visa derives a token T_P for this conjunctive predicate from SK_visa; the gateway applies T_P to Enc(PK_visa, Transaction) and routes on the Yes/No answer (high- or low-security processor).

Goal: gateway should not learn which conjunct failed.
Visa cannot simply give the gateway two tokens.
Filtering Encrypted Email

Set containment queries: From ∈ spamhaus

The mail server stores E(PK_alice, email), where the email carries From: and Subject: fields. Alice derives a token T_spam from SK_alice and gives it to the server, which answers Yes or No for each encrypted email.
Server learns nothing other than containment status.
Routing Encrypted Email

Conjunction queries: From ∈ Friends AND subject = "urgent"

Again the mail server holds E(PK_alice, email) and a token T_cell derived from SK_alice, and answers Yes or No for each encrypted email.
Long term goal …

Goal: a public-key encryption system supporting any predicate (poly-size circuits).

Sample application: spam predicate P(m) = 1 if m is spam email. The mail server then filters out encrypted spam email without decrypting the email.

… but no known construction.
History

To date: primary focus on equality queries.
  SWP'00, GO'87: equality queries on symmetric-key encrypted data
  BDOP'04, AB…'05: equality queries on public-key encrypted data
  OS'05, BSW'06: equality queries that hide the predicate from the server
  BBO'06: efficient equality searches in databases
  BCPSS'06: range queries in a weaker security model
Definitions

Let {P_1, …, P_n} be a set of predicates over a domain of attributes, each P_i mapping the domain to {0,1}. [e.g.: P_j(m) = 1 ⟺ m ≤ j]

A query system for this predicate set consists of 4 algorithms:
  Setup(security parameter): outputs PK and SK
  Encrypt(PK, S, M) → ciphertext C        (S is the attribute the query tests, M the message)
  GenToken(SK, ⟨P⟩) → token T_P           (P is the predicate being queried)
  Query(T_P, C) → outputs M if P(S) = 1, and ⊥ otherwise

Note: no decryption (but can easily be added in).
Security

Example: domain {1, …, n}, predicates P_j(x) = 1 ⟺ x ≤ j.

The adversary can request arbitrary tokens, say T_a, T_b, T_c for thresholds a, b, c on the number line 1 … n. Take x and z lying between the same two requested thresholds, and y on the other side of one of them.

Clearly, the adversary can distinguish Encrypt(PK, x, m) from Encrypt(PK, y, m): some requested token answers differently on x and y.
… but Encrypt(PK, x, m) and Encrypt(PK, z, m) should be indistinguishable, since every requested token answers the same on x and z.
Secure query systems

Semantic security in the presence of arbitrary tokens, as a game between attacker and challenger:
  1. Challenger runs Setup() and sends PK to the attacker.
  2. Attacker asks for tokens for predicates P_1, P_2, …, P_q and receives T_1, T_2, …, T_q.
  3. Attacker submits (S_0, M_0), (S_1, M_1) such that
       ∀j: P_j(S_0) = P_j(S_1), and
       M_0 ≠ M_1 ⟹ ∀j: P_j(S_0) = P_j(S_1) = 0.
  4. Challenger picks b ← {0,1} and returns C ← Encrypt(PK, S_b, M_b).
  5. Attacker outputs b' ∈ {0,1}. Adversary wins if b = b'.
Selectively secure query systems

Same game, except that the attacker must commit to S_0, S_1 before seeing PK:
  1. Attacker sends S_0, S_1 to the challenger.
  2. Challenger runs Setup() and sends PK.
  3. Attacker asks for tokens for P_1, P_2, …, P_q and receives T_1, T_2, …, T_q.
  4. Attacker submits (S_0, M_0), (S_1, M_1) with the same restriction:
       ∀j: P_j(S_0) = P_j(S_1), and
       M_0 ≠ M_1 ⟹ ∀j: P_j(S_0) = P_j(S_1) = 0.
  5. Challenger picks b ← {0,1}, C ← Encrypt(PK, S_b, M_b); attacker outputs b' ∈ {0,1}. Adversary wins if b = b'.
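An added example (not from the slides) that encodes the challenge restriction of the game above as a check, using the comparison predicates P_j(x) = 1 ⟺ x ≤ j of the Security slide; the thresholds 3, 6, 8 and attributes 4, 5, 7 are constructed values standing in for a, b, c and x, z, y:

```python
# Added example: admissibility of a challenge in the token-query security game,
# with the comparison predicates P_j(x) = 1 iff x <= j from the Security slide.

def comparison_predicate(j):
    """P_j(x) = 1 iff x <= j; an attacker holding T_j can evaluate this on any ciphertext."""
    return lambda x: 1 if x <= j else 0

def challenge_is_admissible(tokens, s0, m0, s1, m1):
    """Challenger-side check of (S0, M0), (S1, M1) against the predicates the attacker
    already holds tokens for:
      * every requested P_j must agree on S0 and S1 (else Query with T_j distinguishes), and
      * if M0 != M1, every requested P_j must reject both (else Query with T_j reveals M_b).
    Returns (admissible, reason)."""
    for j, P in tokens.items():
        if P(s0) != P(s1):
            return False, "T_%d separates S0 from S1" % j
        if m0 != m1 and P(s0) == 1:
            return False, "T_%d would decrypt the challenge message" % j
    return True, "ok"

def slide9_example(requested=(3, 6, 8), x=4, z=5, y=7):
    """Constructed instance of the Security slide: tokens T_a, T_b, T_c for a=3, b=6, c=8.
    x and z sit between the same thresholds; y lies on the far side of threshold 6."""
    tokens = {j: comparison_predicate(j) for j in requested}
    return {
        "x_vs_y_same_msg": challenge_is_admissible(tokens, x, "m", y, "m")[0],
        "x_vs_z_same_msg": challenge_is_admissible(tokens, x, "m", z, "m")[0],
        "x_vs_z_diff_msg": challenge_is_admissible(tokens, x, "m0", z, "m1")[0],
    }
```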
The trivial brute-force system

Predicate set {P_1, …, P_n}; (KeyGen, Enc, Dec) is any public-key system.

Setup(): run KeyGen() n times; PK ← (PK_1, …, PK_n), SK ← (SK_1, …, SK_n).

Encrypt(PK, S, M): for j = 1, …, n:
    C_j ← Enc(PK_j, M) if P_j(S) = 1, and Enc(PK_j, ⊥) otherwise;
  output C ← (C_1, …, C_n).

GenToken(SK, P_i): output T ← SK_i.

Query(T, C): output Dec(SK_i, C_i).

Parameters: |CT| = O(n), |T| = O(1).
Best known constructions [BSW'06, BW'06]

Encrypt S ∈ {1, …, n}:

  Query                 Trivial |CT|   Lower bound   Best known |CT|   Best known |T|
  Equality (S = a)      O(n)           O(log n)      O(log n)          O(log n)
  Comparison (S ≤ a)    O(n)           O(log n)      O(n)              O(n)
  Subset (S ∈ A)        O(2^n)         O(log n)      O(n)              O(n − |A|)

Encrypt S = (S_1, …, S_w) ∈ {1, …, n}^w, w-conjunctions:

  Query                         Trivial |CT|   Lower bound   Best known |CT|   Best known |T|
  S_1 = a_1 ∧ … ∧ S_w = a_w     O(n^w)         O(w log n)    O(w log n)        O(w log n)
  S_1 ≤ a_1 ∧ … ∧ S_w ≤ a_w     O(n^w)         O(w log n)    O(nw)             O(w log n)
  S_1 ∈ A_1 ∧ … ∧ S_w ∈ A_w     O(2^{nw})      O(w log n)    O(nw)             O(w|A|)
Connections
Comparisons ⟹ Traitor Tracing [CFN'94]

Setting: a broadcast ciphertext CT = E[M] can be decrypted with each user's secret key K_1, K_2, K_3, ….
What if secret key K_i is exposed?
Goal: trace a pirate decoder D to a key K_u. Then kill user u (or revoke his key).
Tracing Traitors

  SetupTT(n, security parameter): outputs a public key PK and private keys K_1, …, K_n; user i gets private key K_i.
  EncryptTT(PK, M) → ciphertext C
  DecryptTT(K_i, C) → message M
  Trace^D(PK) → i ∈ {1, …, n}: outputs the index of at least one key used to build D.
  D: stateless black-box pirate decoder.
Comparisons ⟹ Traitor Tracing

  SetupTT(n, security parameter): run Setup() to generate PK, SK; for i ∈ {1, …, n}, key K_i ← GenToken(SK, i).
  EncryptTT(PK, M): C ← Encrypt(PK, 1, M).
  DecryptTT(K_i, C): M ← Query(K_i, C). Decryption works since i ≥ 1, i.e. P_i(1) = 1.
  Tracing: next slide.
Trace^D(PK):  [BF99, NNL00, KY02]

For j = 1, …, n+1 define, for M chosen at random from the message space, p_j := Pr[ D(Encrypt(PK, j, M)) = M ].
Then p_1 > 1 − ε, where ε is the decoder's failure probability on well-formed ciphertexts, and p_{n+1} ≈ 0, since no user key K_i with i ≤ n opens a ciphertext with attribute n+1.

  1 − ε < |p_{n+1} − p_1| = |Σ_{i=1}^{n} (p_{i+1} − p_i)| ≤ Σ_{i=1}^{n} |p_{i+1} − p_i|

Hence there exists i ∈ {1, …, n} such that |p_{i+1} − p_i| ≥ (1 − ε)/n.
User i must be one of the pirates.
Security Theorem

The tracing algorithm estimates each p_i by a value p̂_i with |p̂_i − p_i| < (1 − ε)/4n.
Need O(n^2) samples per p_i (D is stateless).
Cubic time tracing (can be improved to quadratic).

Thm: if the underlying comparison query system is selectively secure, then no efficient adversary wins the tracing game with non-negligible advantage.
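An added simulation (not the authors' code) of the tracing procedure of the last two slides. The comparison query system is modelled only by its correctness property, Query(K_u, Encrypt(PK, j, M)) = M iff j ≤ u; the pirate set {3, 6}, n = 8 and ε = 0.1 are constructed values:

```python
# Added simulation: the tracing argument of the Trace^D and Security Theorem slides,
# run against a simulated pirate decoder. The comparison query system is modelled only
# by its correctness property: Query(K_u, Encrypt(PK, j, M)) = M iff P_u(j) = 1 iff j <= u.
import random

def make_pirate_decoder(pirate_users, eps, rng):
    """Stateless black-box decoder D built from the tokens K_u of the colluding users.
    D(j) models whether D recovers M from Encrypt(PK, j, M): it succeeds when one of its
    tokens applies (j <= u), except that it fails with probability eps, so p_1 > 1 - eps."""
    def D(j):
        return any(j <= u for u in pirate_users) and rng.random() >= eps
    return D

def estimate_p(D, j, samples):
    """Estimate p_j = Pr[D(Encrypt(PK, j, M)) = M] over `samples` random messages."""
    return sum(1 for _ in range(samples) if D(j)) / samples

def trace(D, n, samples):
    """Trace^D(PK): estimate p_1, ..., p_{n+1}; since p_1 > 1-eps and p_{n+1} ~ 0, the
    telescoping sum forces some |p_{i+1} - p_i| >= (1-eps)/n, and that i is a pirate
    (a non-pirate i could not separate attribute i from i+1 without token K_i).
    Returns (i, estimated gap at i)."""
    p_hat = [estimate_p(D, j, samples) for j in range(1, n + 2)]   # p_hat[k] ~ p_{k+1}
    gaps = [abs(p_hat[i + 1] - p_hat[i]) for i in range(n)]        # |p_{i+1} - p_i|, i = 1..n
    i = max(range(n), key=gaps.__getitem__)
    return i + 1, gaps[i]

def run_demo(n=8, pirates=(3, 6), eps=0.1, seed=7):
    """Constructed scenario: users 3 and 6 collude. Tracing must name one of them, and the
    gap it finds must clear the (1 - eps)/n bound from the Trace^D slide."""
    rng = random.Random(seed)
    D = make_pirate_decoder(pirates, eps, rng)
    i, gap = trace(D, n, samples=4 * n * n)     # O(n^2) samples per p_j, as on the theorem slide
    return i, gap, i in pirates and gap >= (1 - eps) / n
```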
Other connections: BE, IBE

Membership queries: S ⊆ {1, …, n}; P_j(S) = 1 ⟺ j ∈ S.

Membership ⟹ Private Broadcast Encryption [BBW'05]:
  SetupBE(n, security parameter): run Setup() to generate PK, SK; for j ∈ {1, …, n}, key K_j ← GenToken(SK, j).
  EncryptBE(PK, S, M): C ← Encrypt(PK, S, M).
  DecryptBE(K_j, C): M ← Query(K_j, C). Decryption works when j ∈ S.

Best membership construction: |CT| = O(|S|) [BBW'05].
Constructions
Crash course in pairings

Standard groups where discrete-log may be hard:
  Z_p^* for prime p.
  Elliptic curves E/F_p: y^2 = x^3 + ax + b.

Extra structure on elliptic curves: bilinear maps.
  Defined by A. Weil (1946).
  Miller '84: algorithm for computing them.
  MOV '93: used to attack certain EC systems.
  Recently (2000-5): lots of positive crypto apps.
Bilinear maps

G, G_T: finite cyclic groups of prime order q.

Def: an admissible bilinear map e: G × G → G_T is:
  Bilinear: e(g^a, g^b) = e(g, g)^{ab} for all a, b ∈ Z, g ∈ G.
  Non-degenerate: g generates G ⟹ e(g, g) generates G_T.
  "Efficiently" computable.

DDH is easy in G: given (g, g^a, h, h^b), then a = b ⟺ e(g, h^b) = e(g^a, h).
Bilinear groups of order N = pq [BGN'05]

G: group of order N = pq, with (p, q) secret; bilinear map e: G × G → G_T; G = G_p × G_q.

Facts (g a generator of G):
  g_p = g^q ∈ G_p ;  g_q = g^p ∈ G_q
  For h ∈ G, write h = (g_q)^a (g_p)^b. Then
    e(g_p, g_q) = e(g^q, g^p) = e(g, g)^N = 1
    e(g_p, h) = e(g_p, g_p)^b   !!
Subset query system

Goal: for any S ∈ {1, …, n} and A ⊆ {1, …, n}, answer queries of type P_A(S) = 1 ⟺ S ∈ A.
Example: FromAddress ∈ Friends.

Trivial system: |CT| = O(2^n). Our goal: |CT| = O(n).

Approach: reformulate as a conjunctive equality query.
Encode S ∈ {1, …, n} in unary: (s_1, …, s_n) ∈ {0,1}^n, i.e. 0 0 0 … 1 … 0 0 0 with the single 1 in position S.
Then S ∈ A ⟺ ∧_{a ∈ A^c} (s_a = 0).
Binary conjunctive equality queries

A failed attempt using standard IBE technology [BB'04]:
  G: bilinear group of prime order q; w, u, u_1, …, v_1, … ∈ G; L ∈ G_T.

  Encrypt(PK, b = (b_1, …, b_n), M):  r ← Z_q;
    C ← [ M·L^r, u^r, (u_1^{b_1} v_1)^r, …, (u_n^{b_n} v_n)^r ]

  GenToken(SK = w, A ⊆ {1, …, n}):  t_1, …, t_n ← Z_q;
    T_A ← [ w · ∏_{a ∈ A^c} (v_a)^{t_a}, u^{t_1}, …, u^{t_n} ]

  Query(T_A, C): if ∀a ∈ A^c: b_a = 0, then "algebra" returns M; otherwise random in G.

Problem: C leaks (b_1, …, b_n):
    b_j = 0 ⟺ (u, v_j, u^r, (u_j^{b_j} v_j)^r) is a DDH tuple.
Composite order groups to the rescue …

G = G_p × G_q composite order group; w, u, u_1, …, v_1, … ∈ G_p.

PK: blind the u's and v's by G_q:
    U_i ← u_i R_i,  V_i ← v_i R_i',  where R_i, R_i' ∈ G_q

Encrypt(PK, b = (b_1, …, b_n), M):  r ← Z_N,  Z, Z_1, … ∈ G_q;
    C ← [ M·L^r, U^r Z, (U_1^{b_1} V_1)^r Z_1, …, (U_n^{b_n} V_n)^r Z_n ]

No change to GenToken and Query. Note: the R_j, Z_i terms cancel in Query.

Main point: now the DDH attack fails:
    b_j = 0, but (U, V_j, U^r Z, (U_j^{b_j} V_j)^r Z_j) is not a DDH tuple in G.
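An added toy model (not the slides' code) of the algebra behind the DDH leak of the failed attempt and its repair by G_q blinding, written in the exponent model of a composite-order bilinear group (an element g^x is stored as x mod N). The primes 7 and 11 and all group elements are constructed toy values, and none of the subgroup-decision hardness the real scheme relies on is modelled:

```python
# Added toy model of the bilinear-map, composite-order, failed-attempt and blinding slides in
# the "exponent model": g^x is stored as x mod N, so the group operation is +, exponentiation
# is *, and e(g^x, g^y) = e(g,g)^(xy) is x*y mod N (an exponent of e(g,g)).
# Constructed toy primes; only the algebra is modelled, not the subgroup hardness.
P, Q = 7, 11
N = P * Q

def mul(x, y):   return (x + y) % N          # g^x * g^y
def power(x, a): return (x * a) % N          # (g^x)^a
def pair(x, y):  return (x * y) % N          # e(g^x, g^y)

def in_Gp(x): return x % Q == 0              # G_p = <g_p>, g_p = g^q
def in_Gq(x): return x % P == 0              # G_q = <g_q>, g_q = g^p

def ddh_by_pairing(g, h, g_a, h_b):
    """DDH is easy in a bilinear group: a == b iff e(g, h^b) == e(g^a, h)."""
    return pair(g, h_b) == pair(g_a, h)

def failed_attempt_leaks_bj(u, v, r):
    """Prime-order attempt (everything in G_p): the j-th components u^r and (u^b v)^r form
    a DDH tuple with (u, v) exactly when b = 0. Returns (test for b=0, test for b=1)."""
    assert in_Gp(u) and in_Gp(v)
    results = []
    for b in (0, 1):
        c3, c4 = power(u, r), power(mul(power(u, b), v), r)
        results.append(ddh_by_pairing(u, v, c3, c4))
    return tuple(results)

def blinded_component_passes_ddh(u, v, R, R2, Z, Zj, r, b=0):
    """Composite-order version: U = u R, V = v R' (R, R' in G_q); components U^r Z and
    (U^b V)^r Z_j (Z, Z_j in G_q). Even with b = 0 the pairing DDH test no longer holds in G."""
    assert in_Gp(u) and in_Gp(v) and all(in_Gq(t) for t in (R, R2, Z, Zj))
    U, V = mul(u, R), mul(v, R2)
    c3 = mul(power(U, r), Z)
    c4 = mul(power(mul(power(U, b), V), r), Zj)
    return ddh_by_pairing(U, V, c3, c4)

def gq_blinding_cancels(z, token_part):
    """Why Query still works: a G_q blinding factor paired with a G_p token element is
    e(g,g)^0 = 1, so the R_j and Z_i terms drop out of the token/ciphertext pairings."""
    assert in_Gq(z) and in_Gp(token_part)
    return pair(z, token_part) == 0
```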
The full system

… but cannot prove the system secure.

The full system: add y_1, …, y_n to SK.
  GenToken(SK = w, A ⊆ {1, …, n}):  t_{1,1}, t_{1,2}, … ← Z_N;
    T_A ← [ w · ∏_{a ∈ A^c} (v_a)^{t_{a,1}} (y_a)^{t_{a,2}},  (u_1^{t_{1,1}}, y_1^{t_{1,2}}), …, (u_n^{t_{n,1}}, y_n^{t_{n,2}}) ]

Thm: the system is a selectively secure subset query system assuming:
  Bilinear-DH assumption, and
  Composite 3-party DH assumption.
Summary and Open Problems

Queries on public key encrypted data:
  Equality queries: efficient.
  Comparison queries (plaintext ≤ t):
    Implies traitor tracing.
    Best construction: |CT| = O(sqrt(n)).
    Open: |CT| = O(log n)?
  Subset queries (plaintext ∈ A):
    Best construction: |CT| = O(n).
    Open: |CT| = O(log n)?

Similar constructions/questions for conjunctive queries.
THE END