Conjunctive, Subset, and Range Queries on Encrypted Data
Dan Boneh, Stanford University
Brent Waters, SRI International

Encryption Systems – Traditional View
Salil gives private key to assistant Charlie
Charlie learns everything
[Diagram label: PK_Salil]

Encryption Systems – New View
Salil gives partial capabilities to Charlie
Charlie learns what he needs to know
Focus on “Searching Systems”
[Diagram labels: PK_Salil; TCC; Subj: TCC; Subj: personal; Subj: our paper]

Filtering Encrypted Email
Set containment queries: Server learns nothing other than containment status.
[Diagram: Alice (SK_alice) gives the mail server a token T_spam; the server tests E(PK_alice, email), with fields From: and Subject:, for "From ∈ Blacklist": Yes / No.]

Routing Encrypted Email
Conjunction queries:
[Diagram: Alice (SK_alice) gives the mail server a token T_cell; the server tests E(PK_alice, email), with fields From: and Subject:, for "From ∈ Friends AND subject = “urgent”": Yes / No.]

Long term goal …
Goal: Public-key encryption system supporting any predicate (poly-size circuits)
Sample application:
Spam predicate: P(m) = 1 if m is spam email
Mail server filters out encrypted spam email without decrypting email.
… seems far off

History
To date: primary focus on equality queries
SWP’00, GO’87: Equality queries on symmetric-key encrypted data
BDOP’04, AB…’05: Equality queries on public-key encrypted data

Definitions
Let = {P1 , … , Pn} be a set of predicates over .
Pi : {0,1} [e.g: Pj(S) = 1 S j ]
A -query system consists of 4 algorithms:
Setup (): outputs PK and SK
Encrypt (PK, S) Ciphertext C (S)
GenToken (SK, <P>) Token TP (P)
Query ( TP, C) Output P(S)
(Can allow message decryption on “hit” when P(S)=1)

Security
Example: = {1, … , n} , [ Pj(x) = 1 x j ]
Adversary can request arbitrary tokens:
Clearly, adversary can distinguish Encrypt(PK, x) from Encrypt(PK, y)
… but Encrypt(PK, x) and Encrypt(PK, z) should be indistinguishable
[Diagram: number line from 1 to n with points a, b, c and x, y, z marked.]

Secure -query systems
Semantic security in the presence of arbitrary tokens:
[Diagram: game between Challenger and Attacker. Challenger runs Setup() and sends $PK$; attacker submits predicates $P_1, P_2, \dots, P_q$ and receives tokens $T_1, T_2, \dots, T_q$; attacker submits $S_0, S_1$ s.t. $\forall j: P_j(S_0) = P_j(S_1)$; challenger picks $b \leftarrow \{0,1\}$ and returns $C \leftarrow \mathrm{Encrypt}(PK, S_b)$; attacker outputs $b' \in \{0,1\}$.]
Adversary wins if: $b = b'$

The trivial brute-force system
= {P1 , … , Pn} ; (KeyGen, Enc, Dec) pub-key system
Setup(): Run KeyGen() n times
  $PK \leftarrow (PK_1, \dots, PK_n)$ , $SK \leftarrow (SK_1, \dots, SK_n)$
Encrypt(PK, S): for $j = 1, \dots, n$:
  $C_j \leftarrow$ Enc($PK_j$, M) if $P_j(S) = 1$
  $C_j \leftarrow$ Enc($PK_j$, ) otherwise
  output $C \leftarrow (C_1, \dots, C_n)$
GenToken(SK, $P_i$): output $T \leftarrow SK_i$
Query(T, C): output Dec($SK_i$, $C_i$)
Parameters: |CT| = O(n) , |T| = O(1)

Best known constructions [BSW’06, BW’06]
(Sizes in # of group elements)

Encrypt $S \in \{1, \dots, n\}$

| Query | Trivial \|CT\| | Best Known \|CT\| |
|---|---|---|
| Equality (S = a) | O(n) | O(1) |
| Comparison (Sa) | O(n) | O(n) |
| Subset (S ∈ A) | O(2^n) | O(n) |

Encrypt $S = (S_1, \dots, S_w) \in \{1, \dots, n\}^w$ --- conjunctions

| Query | Trivial \|CT\| | Best Known \|CT\| |
|---|---|---|
| S1=a1 ∧ … ∧ Sw=aw | O(n^w) | O(w) |
| S1a1 … Swaw | O(n^w) | O(nw) |
| S1∈A1 ∧ … ∧ Sw∈Aw | O(2^(nw)) | O(nw) |

Bilinear maps
$G$, $G_T$: finite cyclic groups of prime order $q$.
Def: An admissible bilinear map $e: G \times G \to G_T$ is:
Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ for all $a, b \in \mathbb{Z}$, $g \in G$
Non-degenerate: $g$ generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_T$.
“Efficiently” computable.

Bilinear groups of order N=pq [BGN’05]
$G$: group of order $N = pq$. $(p, q)$ – secret.
bilinear map: $e: G \times G \to G_T$
$G = G_p \times G_q$. $g_p = g^q \in G_p$ ; $g_q = g^p \in G_q$
Facts:
$h \in G \Rightarrow h = (g_q)^a (g_p)^b$
$e(g_p, g_q) = e(g^q, g^p) = e(g,g)^N = 1$
$e(g_p, h) = e(g_p, g_p)^b$ !!

Subset query system
Goal: for any $S \in \{1, \dots, n\}$ and $A \subseteq \{1, \dots, n\}$ answer queries of type: $P_A(S) = 1 \iff S \in A$
Example: FromAddress ∈ Friends
Trivial system: $|CT| = O(2^n)$ , Our goal: $|CT| = O(n)$
Approach: reformulate as conjunctive equality query
Encode $S \in \{1, \dots, n\}$ in unary:
$(S) = (s_1, \dots, s_n) \in \{0,1\}^n$, e.g. 0 0 0 … 1 … 0 0 0
Then $S \in A \iff \bigwedge_{a \in A^c} (s_a = 0)$

Construction Intuition
1st Attempt: Use IBE techniques to encrypt to “vector” identity $(s_1, \dots, s_n)$. Get message if “true”.
Problem: Can test identity by testing for DDH tuples between CT and PK
Solution: Make CTs, PK random in $G_q$, not DDH tuples
Tokens in $G_p$; $G_q$ does not matter after pairing
Intuition: Disallow unintended application of pairing

Security
Thm: The system is a selectively secure subset query system assuming:
Bilinear-DH assumption, and
Composite 3-party DH assumption
Implied by Boneh’s Uber-Assumption

Summary and Open Problems
Queries on public key encrypted data:
Equality queries: efficient
Comparison queries: plaintext t
  Implies traitor tracing
  Best construction: |CT| = O(sqrt(n))
  Open: |CT| = O(log n) ?
Subset queries: plaintext A
  Best construction: |CT| = O(n)
  Open: |CT| = O(log n) ?
Similar constructions/questions for conjunctive queries

THE END

History
To date: primary focus on equality queries
SWP’00, GO’87: Equality queries on symmetric-key encrypted data
BDOP’04, AB…’05: Equality queries on public-key encrypted data
OS’05, BSW’06: Equality queries that hide predicate from server
BBO’06: Efficient equality searches in databases
BCPSS’06: Range queries in a weaker security model

Motivation: a few examples
Example 1: Visa gateway: Forwarding encrypted CC transactions to the Visa system
[Diagram: the Visa gateway receives token T_1000, derived from SK_visa, and tests Enc(PK_visa, Transaction), where Transaction has fields VALUE, Exp-Date and D, against "VALUE > $1000?"; the Yes / No outcome routes D to the Low Security Processor or the High Security Processor.]

Conjunction queries
Goal: gateway should not learn which conjunct failed.
Visa cannot simply give gateway two tokens
[Diagram: the Visa gateway receives token T_P, derived from SK_visa, and tests the encrypted Transaction (fields VALUE, Exp-Date, D) against "VALUE > 1000 AND exp-date < April 2007"; the Yes / No outcome routes D to the Low Security Processor or the High Security Processor.]

Best known constructions [BSW’06, BW’06]
(Sizes in # of group elements)

Encrypt $S \in \{1, \dots, n\}$

| Query | Trivial \|CT\| | Lower Bound | Best Known \|CT\| | \|T\| |
|---|---|---|---|---|
| Equality (S = a) | O(n) | O(log n) | O(log n) | O(log n) |
| Comparison (Sa) | O(n) | O(log n) | O(n) | O(n) |
| Subset (S ∈ A) | O(2^n) | O(log n) | O(n) | O(n-\|A\|) |

Encrypt $S = (S_1, \dots, S_w) \in \{1, \dots, n\}^w$ --- conjunctions

| Query | Trivial \|CT\| | Lower Bound | Best Known \|CT\| | \|T\| |
|---|---|---|---|---|
| S1=a1 ∧ … ∧ Sw=aw | O(n^w) | O(w log n) | O(w log n) | O(w log n) |
| S1a1 … Swaw | O(n^w) | O(w log n) | O(nw) | O(w log n) |
| S1∈A1 ∧ … ∧ Sw∈Aw | O(2^(nw)) | O(w log n) | O(nw) | O(w\|A\|) |

The full system
... But cannot prove the system secure.
The full system: add $y_1, \dots, y_n$ to SK
GenToken( SK=w, $A \subseteq \{1, \dots, n\}$ ): $t_{1,1}, t_{1,2}, \dots \leftarrow \mathbb{Z}_N$
$T_A \leftarrow \big[\, w \prod_{a \in A^c} (v_a)^{t_{a,1}} (y_a)^{t_{a,2}} ,\ (u_1^{t_{1,1}}, y_1^{t_{1,2}}) ,\ \dots ,\ (u_n^{t_{n,1}}, y_n^{t_{n,2}}) \,\big]$
Thm: The system is a selectively secure subset query system assuming: Bilinear-DH assumption, and Composite 3-party DH assumption

The full system
... But cannot prove the system secure. (Need a bit more)
Thm: The system is a selectively secure subset query system assuming: Bilinear-DH assumption, and Composite 3-party DH assumption (Fragments of “Uber-assumption”)

Binary conjunctive equality queries
A failed attempt using standard IBE technology: [BB’04]
$G$: bilinear group. $w, u, u_1, \dots, v_1, \dots \in G$
Encrypt (PK, $b = (b_1, \dots, b_n)$, M): $r \leftarrow \mathbb{Z}_q$
$C \leftarrow \big[\, e(u,w)^r ,\ u^r ,\ (u_1^{b_1} v_1)^r ,\ \dots ,\ (u_n^{b_n} v_n)^r \,\big]$
GenToken( SK=w, $A \subseteq \{1, \dots, n\}$ ): $t_1, \dots, t_n \leftarrow \mathbb{Z}_q$
$T_A \leftarrow \big[\, w \prod_{a \in A^c} (v_a)^{t_a} ,\ u^{t_1} ,\ \dots ,\ u^{t_n} \,\big]$
Query( $T_A$, C): If ($\forall a \in A^c : b_a = 0$) then “algebra” returns M; otherwise random in $G$
Problem: C leaks $(b_1, \dots, b_n)$
$b_j = 0 \Rightarrow (u, v_j, u^r, (u_j^{b_j} v_j)^r)$ is a DDH tuple

Composite order groups to the rescue …
$G = G_p \times G_q$ composite order group. $w, u, u_1, \dots, v_1, \dots \in G_p$
PK: Blind u’s and v’s by $G_q$
$U_i \leftarrow u_i R_i$ , $V_i \leftarrow v_i R_i'$ where $R_i, R_i' \in G_q$
Encrypt (PK, $b = (b_1, \dots, b_n)$, M): $r \leftarrow \mathbb{Z}_N$ , $Z, Z_1, \dots \in G_q$
$C \leftarrow \big[\, e(u,w)^r ,\ U^r Z ,\ (U_1^{b_1} V_1)^r Z_1 ,\ \dots ,\ (U_n^{b_n} V_n)^r Z_n \,\big]$
No change to GenToken and Query
Note: $R_j$, $Z_i$ terms cancel in Query.
Main point: now DDH attack fails: $b_j = 0$, but $(U, V_j, U^r Z, (U_j^{b_j} V_j)^r Z_j)$ is not a DDH tuple in $G$
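
The DDH-tuple leak of the failed attempt and its removal by $G_q$ blinding, together with the fact $e(g_p, g_q) = 1$ from the composite-order slide, checked in a toy model. This is an added example, not code from the talk. Assumptions: each group element is stored as its exponent mod N (so the pairing is multiplication of exponents), r is drawn invertible mod N, and all function names are illustrative.

```python
import random
from math import gcd

# Toy model (assumption, not a real pairing): g^x in a group of order N = p*q
# is stored as the exponent x mod N, so multiplying elements adds exponents and
# e(g^x, g^y) = e(g,g)^(x*y) becomes x*y mod N. Exponents are visible, so this
# checks the algebra only and offers no security.
p, q = 2**31 - 1, 2**61 - 1           # constructed toy primes
N = p * q

def pair(x, y):
    return (x * y) % N                # 0 encodes the identity of G_T

def rand_Gp(rng):                     # G_p is generated by g_p = g^q
    return q * rng.randrange(1, p) % N

def rand_Gq(rng):                     # G_q is generated by g_q = g^p
    return p * rng.randrange(1, q) % N

def rand_r(rng):                      # assumption: r drawn invertible mod N
    while True:
        r = rng.randrange(1, N)
        if gcd(r, N) == 1:
            return r

def ciphertext_pair(bj, rng, blind):
    """(U, V_j, U^r Z, (U_j^bj V_j)^r Z_j); blind=False sets every G_q factor to 1."""
    u, uj, vj = rand_Gp(rng), rand_Gp(rng), rand_Gp(rng)
    R, Rj, Rj2, Z, Zj = (rand_Gq(rng) if blind else 0 for _ in range(5))
    U, Uj, Vj = (u + R) % N, (uj + Rj) % N, (vj + Rj2) % N
    r = rand_r(rng)
    return U, Vj, (r * U + Z) % N, (r * (bj * Uj + Vj) + Zj) % N

def is_ddh_tuple(U, Vj, C0, Cj):
    # Public check an observer can run: e(U, C_j) == e(C_0, V_j)
    return pair(U, Cj) == pair(C0, Vj)

def ddh_hit_rate(bj, blind, trials=200, seed=1):
    rng = random.Random(seed)
    hits = sum(is_ddh_tuple(*ciphertext_pair(bj, rng, blind)) for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    for blind in (False, True):
        print("blinded" if blind else "failed attempt",
              {bj: ddh_hit_rate(bj, blind) for bj in (0, 1)})
```

Without blinding the check passes exactly when b_j = 0, so it reads off each bit; with the $G_q$ factors the leftover term $e(R, Z_j) / e(Z, R_j')$ makes it fail for both values of b_j.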

Selectively secure -query systems
[Diagram: game between Challenger and Attacker, with labels: Run Setup(); $PK$; predicates $P_1, P_2, \dots, P_q$ and tokens $T_1, T_2, \dots, T_q$; $S_0, S_1$ s.t. $\forall j: P_j(S_0) = P_j(S_1)$; $b \leftarrow \{0,1\}$; $C \leftarrow \mathrm{Encrypt}(PK, S_b)$; $b' \in \{0,1\}$. The label $S_0, S_1$ appears a second time in the diagram.]
Adversary wins if: $b = b'$