overview of monomi

Processing Analytical Queriesover Encrypted Data

Stephen Tu, M. Frank Kaashoek,Samuel Madden, and Nickolai Zeldovich

39th International Conference on Very Large Data BasesRiva del Garda, Trento, Italy, August 2013

SWIM SeminarMay 19th, 2015Mateus Cruz

Introduction Split Execution Optimization Techniques Designer and Planner Experiments Conclusion

OUTLINE

1 Introduction

2 Split Execution

3 Optimization Techniques

4 Designer and Planner

5 Experiments

6 Conclusion

2 / 31


OUTLINE

1 Introduction

2 Split Execution



5 Experiments

6 Conclusion

3 / 31


OVERVIEW

System called MONOMII Extension of CryptDB

Analytical queries over encrypted dataI Data protected against server compromises

Modest overheadI Slowdown of 1.03 to 2.33×

4 / 31


MAIN IDEAS

Split client/server executionOptimization techniques

I Per-row precomputationI Space-efficient encryptionI Grouped homomorphic additionI Pre-filtering

DesignerI Physical data layout

PlannerI Efficient execution plan for queries

5 / 31


USED ENCRYPTION SCHEMES

6 / 31


ARCHITECTURE

7 / 31


OUTLINE

1 Introduction

2 Split Execution



5 Experiments

6 Conclusion

8 / 31


INTUITION

The server cannot execute all queriesI Limitations of cryptosystems

Cannot transfer all data to the clientI Large amount of data

Divide executionI Execute as much as possible on serverI Transfer data to the client when it is not

possible to execute on the server

9 / 31


LIMITATIONS OF SERVER EXECUTION

Example (TPC-H Q11)SELECT ps partkey,

SUM (ps supplycost * ps availqty) AS valueFROM partsupp JOIN supplier JOIN nationWHERE n name = :1GROUP BY ps partkeyHAVING SUM (ps supplycost * ps availqty) > (SELECT SUM (ps supplycost * ps availqty) * 0.0001FROM partsupp JOIN supplier JOIN nationWHERE n name = :1 )

ORDER BY value DESC;

10 / 31




SUM (ps supplycost * ps availqty) AS valueFROM partsupp JOIN supplier JOIN nationWHERE n name = :1GROUP BY ps partkeyHAVING SUM

Addition and comparison in-volve incompatible encryptionschemes

(ps supplycost * ps availqty) > (SELECT SUM (ps supplycost * ps availqty) * 0.0001FROM partsupp JOIN supplier JOIN nationWHERE n name = :1 )


10 / 31




SUM (ps supplycost * ps availqty) AS valueFROM partsupp JOIN supplier JOIN nationWHERE n name = :1GROUP BY ps partkeyHAVING SUM (ps supplycost * ps availqty) > (SELECT SUM (ps supplycost * ps availqty)

No efficient encryptionscheme allows multiplica-tion of two encrypted values

* 0.0001FROM partsupp JOIN supplier JOIN nationWHERE n name = :1 )


10 / 31


SPLIT QUERY PLAN


SUM (ps supplycost * ps availqty)AS VALUE

FROM partsupp JOIN supplier JOIN nationWHERE n name = :1GROUP BY ps partkeyHAVING SUM (ps supplycost * ps availqty) > (SELECT SUM (ps supplycost * ps availqty)



LocalSortkey:[$1]

LocalProjectionexprs: [$0, sum($1)]

LocalGroupFilterfilter: sum($1) > subquery0()

LocalDecryptpos: [$0, $1]

LocalProjectionexprs: [sum($0) * 0.0001]

RemoteSQLSELECT

ps parkey DET,GROUP(precomp DET)

FROM ... WHEREn name DET = 0xabcdef

GROUP BY ps partkey DET

LocalDecryptpos: [$0]

RemoteSQLSELECT

GROUP(precomp DET)FROM ... WHERE

n name DET = 0xabcdef

11 / 31


SPLIT QUERY PLAN






LocalSortkey:[$1]





RemoteSQLSELECT

ps parkey DET,GROUP(precomp DET

Precomputedmultiplication

)FROM ... WHERE

n name DET = 0xabcdefGROUP BY ps partkey DET


RemoteSQLSELECT



11 / 31


SPLIT QUERY PLAN






LocalSortkey:[$1]



LocalDecryptpos: [$0, $1

Reference tothe columnsof the childoperator

]LocalProjection

exprs: [sum($0) * 0.0001]

RemoteSQLSELECT





RemoteSQLSELECT



11 / 31


SPLIT QUERY PLAN






LocalSortkey:[$1]





RemoteSQLSELECT



Deterministicencryption of thevalue :1



RemoteSQLSELECT



11 / 31


SPLIT QUERY PLAN






LocalSortkey:[$1]





RemoteSQLSELECT





RemoteSQLSELECT

GROUP

Concatenation of all valuesfrom each GROUP BY group

(precomp DET)FROM ... WHERE


11 / 31


SPLIT QUERY PLAN






LocalSortkey:[$1]





RemoteSQLSELECT





RemoteSQLSELECT



11 / 31


SPLIT QUERY PLAN






LocalSortkey:[$1]





RemoteSQLSELECT

Outmost SELECT





RemoteSQLSELECT



11 / 31


SPLIT QUERY PLAN






LocalSortkey:[$1]





RemoteSQLSELECT





RemoteSQLSELECT

Innermost SELECT



11 / 31


SPLIT QUERY PLAN






LocalSortkey:[$1]





RemoteSQLSELECT




LocalDecrypt

Decrypts the dataat the client

pos: [$0]

RemoteSQLSELECT



11 / 31


SPLIT QUERY PLAN






LocalSortkey:[$1]




LocalProjectionexprs:

Multiplicationby constant

[sum($0) * 0.0001]

RemoteSQLSELECT





RemoteSQLSELECT



11 / 31


SPLIT QUERY PLAN






LocalSortkey:[$1]


LocalGroupFilterfilter:

Filter referring tothe HAVING clause

sum($1) > subquery0()



RemoteSQLSELECT





RemoteSQLSELECT



11 / 31


SPLIT QUERY PLAN






LocalSortkey:[$1]

LocalProjection

Selection of ps partkey andof the summation of the pre-computed expression

exprs: [$0, sum($1)]




RemoteSQLSELECT





RemoteSQLSELECT



11 / 31


SPLIT QUERY PLAN






LocalSort

Sorting referring to theORDER BY clause

key:[$1]





RemoteSQLSELECT





RemoteSQLSELECT



11 / 31


OUTLINE

1 Introduction

2 Split Execution



5 Experiments

6 Conclusion

12 / 31


PER-ROW PRECOMPUTATION

Prior computation of certain expressionsMaterialized using additional columnsDecision made by the designer module

ExampleSUM (ps supplycost * ps availqty)

13 / 31


SPACE-EFFICIENT ENCRYPTION

Minimize ciphertext expansionI FFX mode of operation: n bits to n bits

Pack multiple columns in a rowPack multiple rows into a single PaillierPacked ciphertexts are kept in separate fileson the local file system

14 / 31


GROUPED HOMOMORPHIC ADDITION

Packed aggregates computed with a singlemodular multiplication

(a1||...||an) + (b1||...||bn) = (a1 + b1)||...||(an + bn)

E(a1||...||an)×E(b1||...||bn) = E((a1+b1)||...||(an+bn))

15 / 31


PRE-FILTERING

Minimize data sent to the clientApply filtering to encrypted data

ExampleSELECT l orderkey FROM lineitemGROUP BY l orderkeyHAVING SUM(l quantity) > :1

16 / 31


PRE-FILTERING


ExampleSELECT l orderkey FROM lineitemGROUP BY l orderkeyHAVING SUM(l quantity) > :1

Incompatible schemes for SUMand comparison (>)

16 / 31


PRE-FILTERING


ExampleSELECT l orderkey det,

PAILLIER SUM(l quantity paillier)FROM lineitemGROUP BY l orderkey detHAVING MAX(l quantity ope) > encrypt ope(m)

OR COUNT(*) > (:1 / m)

16 / 31


PRE-FILTERING


ExampleSELECT l orderkey det,

PAILLIER SUM(l quantity paillier)FROM lineitemGROUP BY l orderkey detHAVING MAX(l quantity ope) > encrypt ope(m

Maximum valueof the columnl quantity

)OR COUNT(*) > (:1 / m)

16 / 31


OUTLINE

1 Introduction

2 Split Execution



5 Experiments

6 Conclusion

17 / 31


INTUITION

Optimizations are not always betterDesigner

I Best physical design– Encryption schemes– Precomputed expressions

PlannerI Best query plan at runtime

18 / 31


DESIGNER: INPUT AND OUTPUT

InputI Representative query workload

– Q0,Q1, ...,Qn– Chosen by the administrator

I Sample dataI Space constraint factor (optional)

OutputI Physical design of the server

– Set of encrypted columns to materialize

19 / 31


DESIGNER: ALGORITHM

1 Consider all operations in query QiI Check what expression would allow execution

on the serverI EncSeti

– Set of 〈value, scheme〉 pairs for Qi

ExampleWHERE x = :1 generates a 〈x,DET〉 pair,referring to the x columnORDER BY x + y generates a 〈x + y,OPE〉pair, referring to a precomputed x + y value

20 / 31


DESIGNER: ALGORITHM

2 The designer invokes the planner todetermine the best way to execute Qi

I The planner computes PowSeti– Contains the subsets of EncSeti

I The planner constructs an execution plan for Qifor each element of the power set

3 The planner uses a cost model to estimatethe fastest execution plan

20 / 31


COST MODEL

Sum of three componentsI Execution time on the serverI Data transfer timeI Post-processing on client (decryption)

Constraints are considered using an IntegerLinear Programming (ILP) formulation

21 / 31


OUTLINE

1 Introduction

2 Split Execution



5 Experiments

6 Conclusion

22 / 31


IMPLEMENTATION

8.000 lines of Scala for designer/planner4.000 lines of C++ for client libraryOpenSSL for cryptographyEach table is mapped to an encrypted table

I Copies of columns (different cryptosystems)Do not support

I ViewsI Pattern matching with two or more patterns

ExampleLIKE ’%foo%bar%’

23 / 31


ENVIRONMENT

ClientI Four 4-core 2.2GHz Intel Xeon E5520I 24GB RAM

ServerI Four 4-core 2.4GHz Intel Xeon E5530I 24GB RAM

Multiple cores used for decryptionPostgres 8.4

I Memory limit: 8GB

TPC-H scale 10 dataset

24 / 31


OVERALL EFFICIENCY

Median overhead of 1.24×

25 / 31


TECHNIQUE PERFORMANCE

Cumulative use of optimization techniques

26 / 31


SPACE OVERHEAD

27 / 31


SENSITIVITY TO DESIGNER INPUT

Choosing representative queriesI Aggregation over expressionsI Expressions requiring precomputationI Very selective WHERE on large relations

28 / 31


SECURITY

Plaintext is never revealedOPE is used infrequently

I Leaks order

29 / 31


OUTLINE

1 Introduction

2 Split Execution



5 Experiments

6 Conclusion

30 / 31


CONCLUSION

Novel system: MONOMIAnalytic queries over confidential dataNew optimization techniquesUse of designer and plannerModest overheads

I Execution: 1.24×I Space: 1.72×

31 / 31

overview of monomi

Technology