1
Queries on Encrypted Data
Dan Boneh (Stanford University), Brent Waters (SRI)
2
Motivation: a few examples
Example 1: Visa gateway: forwarding encrypted CC transactions to the Visa system.
[Figure: a low-security processor sends Enc(PK_visa, Transaction), with Transaction = (VALUE, Exp-Date, D), through the Visa gateway to a high-security processor holding SK_visa. The gateway holds only a token T_1000 derived from SK_visa and answers "VALUE > 1000$?" with Yes/No, without decrypting the transaction.]
3
Conjunction queries
Goal: gateway should not learn which conjunct failed.
Visa cannot simply give the gateway two tokens.
[Figure: same Visa gateway setup, but the gateway now holds a single token T_P for the conjunctive predicate P = (VALUE > 1000 AND exp-date < Jan. 2007) and answers Yes/No for each Enc(PK_visa, Transaction).]
4
Filtering Encrypted Email
Set containment queries: server learns nothing other than the containment status.
[Figure: Alice's mail server holds a token T_spam derived from SK_alice; for each incoming E(PK_alice, email) it answers Yes/No to the query "From ∈ spamhaus" over the From: and Subject: fields.]
5
Routing Encrypted Email
Conjunction queries:
[Figure: the mail server holds a token T_cell derived from SK_alice and answers Yes/No to "From ∈ Friends AND subject = "urgent"" for each E(PK_alice, email), routing matching mail accordingly.]
6
Long term goal …
Goal: Public-key encryption system supporting
any predicate (poly-size circuits)
Sample application:
Spam predicate: P(m) = 1 if m is spam email
Mail server filters out encrypted
spam email without decrypting email.
… but no known construction
7
History
To date: primary focus on equality queries.
SWP'00, GO'87: equality queries on symmetric-key encrypted data
BDOP'04, AB…'05: equality queries on public-key encrypted data
OS'05, BSW'06: equality queries that hide the predicate from the server
BBO'06: efficient equality searches in databases
BCPSS'06: range queries in a weaker security model
8
Definitions
Let Φ = {P_1, ..., P_n} be a set of predicates over a domain Σ, P_i : Σ → {0,1}   [e.g. P_j(m) = 1 ⟺ m ≤ j].
A Φ-query system consists of 4 algorithms:
Setup(λ): outputs PK and SK
Encrypt(PK, S, M) → ciphertext C   (S ∈ Σ)
GenToken(SK, <P>) → token T_P   (P ∈ Φ)
Query(T_P, C) → M if P(S) = 1, ⊥ otherwise
Note: no decryption (but it can easily be added in).
9
Security
Example: Σ = {1, ..., n}, [P_j(x) = 1 ⟺ x ≤ j]
Adversary can request arbitrary tokens, e.g. for the thresholds a, b, c.
[Figure: the number line 1 ... a ... b ... c ... n with plaintexts x, y, z marked; x and z fall on the same side of every requested threshold, y does not.]
Clearly, the adversary can distinguish Encrypt(PK, x, m) from Encrypt(PK, y, m)
... but Encrypt(PK, x, m) and Encrypt(PK, z, m) should be indistinguishable.
10
Secure Φ-query systems
Semantic security in the presence of arbitrary tokens (game between challenger and attacker):
Challenger runs Setup(λ) and sends PK to the attacker.
Attacker asks for tokens for P_1, P_2, ..., P_q and receives T_1, T_2, ..., T_q.
Attacker outputs (S_0, M_0), (S_1, M_1) s.t. for all j: P_j(S_0) = P_j(S_1), and if M_0 ≠ M_1 then for all j: P_j(S_0) = P_j(S_1) = 0.
Challenger picks b ← {0,1} and sends C ← Encrypt(PK, S_b, M_b).
Attacker outputs b' ∈ {0,1}.
Adversary wins if b = b'.
11
Selectively secure Φ-query systems
Same game, except that the attacker commits to S_0, S_1 before seeing PK:
Attacker sends S_0, S_1 to the challenger.
Challenger runs Setup(λ) and sends PK.
Attacker asks for tokens for P_1, ..., P_q and receives T_1, ..., T_q, s.t. for all j: P_j(S_0) = P_j(S_1).
Attacker sends M_0, M_1, where M_0 ≠ M_1 is allowed only if for all j: P_j(S_0) = P_j(S_1) = 0.
Challenger picks b ← {0,1} and sends C ← Encrypt(PK, S_b, M_b).
Attacker outputs b' ∈ {0,1}; adversary wins if b = b'.
12
The trivial brute-force system
Φ = {P_1, ..., P_n}; (KeyGen, Enc, Dec) a public-key system.
Setup(λ): run KeyGen(λ) n times; PK ← (PK_1, ..., PK_n), SK ← (SK_1, ..., SK_n)
Encrypt(PK, S, M): for j = 1, ..., n: C_j ← Enc(PK_j, M) if P_j(S) = 1, Enc(PK_j, ⊥) otherwise; output C ← (C_1, ..., C_n)
GenToken(SK, P_i): output T ← SK_i
Query(T, C): output Dec(SK_i, C_i)
Parameters: |CT| = O(n), |T| = O(1)
13
Best known constructions [BSW'06, BW'06]
Encrypt S ∈ {1, ..., n}:
Query              | Trivial |CT| | Lower bound | Best known |CT| | Best known |T|
Equality (S = a)   | O(n)         | O(log n)    | O(log n)        | O(log n)
Comparison (S ≤ a) | O(n)         | O(log n)    | O(√n)           | O(n)
Subset (S ∈ A)     | O(2^n)       | O(log n)    | O(n)            | O(n - |A|)
Encrypt S = (S_1, ..., S_w) ∈ {1, ..., n}^w (conjunctions):
Query                        | Trivial |CT| | Lower bound | Best known |CT| | Best known |T|
S_1 = a_1 ∧ ... ∧ S_w = a_w  | O(n^w)       | O(w log n)  | O(w log n)      | O(w log n)
S_1 ≤ a_1 ∧ ... ∧ S_w ≤ a_w  | O(n^w)       | O(w log n)  | O(nw)           | O(w log n)
S_1 ∈ A_1 ∧ ... ∧ S_w ∈ A_w  | O(2^{nw})    | O(w log n)  | O(nw)           | O(w |A|)
14
Connections
15
Comparisons ⟹ Traitor Tracing [CFN'94]
What if secret key K_i is exposed?
Goal: trace a pirate decoder D to a key K_u. Then kill user u (or revoke his key).
[Figure: users holding keys K_1, K_2, K_3 all receive the broadcast ciphertext CT = E[M]; a pirate decoder D built from leaked keys decrypts it as well.]
16
Tracing Traitors
Setup_TT(n, λ): outputs private keys K_1, ..., K_n and a public key PK; user i gets private key K_i
Encrypt_TT(PK, M) → ciphertext C
Decrypt_TT(K_i, C) → message M
Trace^D(PK) → i ∈ {1, ..., n}: outputs the index of at least one key used to build D
D: stateless black-box pirate decoder.
17
Comparisons ⟹ Traitor Tracing
Setup_TT(n, λ): run Setup(λ) to generate PK, SK; for i ∈ {1, ..., n}: key K_i ← GenToken(SK, i), the token for P_i
Encrypt_TT(PK, M): C ← Encrypt(PK, 1, M)
Decrypt_TT(K_i, C): M ← Query(K_i, C)
Decryption works since i ≥ 1.
Tracing: next slide.
18
Trace^D(PK): [BF99, NNL00, KY02]
For j = 1, ..., n+1 define, for M ←R 𝓜 (a random message):
p_j := Pr[ D(Encrypt(PK, j, M)) = M ]
Then: p_1 > 1 - ε ; p_{n+1} ≈ 0
1 - ε < |p_{n+1} - p_1| = |Σ_{i=1}^{n} (p_{i+1} - p_i)| ≤ Σ_{i=1}^{n} |p_{i+1} - p_i|
So there exists i ∈ {1, ..., n} s.t. |p_{i+1} - p_i| ≥ (1 - ε)/n.
User i must be one of the pirates: ciphertexts at j = i and j = i+1 differ only in the value of P_i, so a decoder without K_i could not tell them apart.
19
Security Theorem
Tracing algorithm estimates: |p̂_i - p_i| < (1 - ε)/4n
Need O(n²) samples per p_i (D stateless).
Cubic time tracing (can be improved to quadratic).
Thm: if the underlying comparison query system is selectively secure, then no efficient adversary wins the tracing game with non-negligible advantage.
20
Other connections: BE, IBE
Membership queries: S ⊆ {1, ..., n}; P_j(S) = 1 ⟺ j ∈ S
Membership ⟹ Private Broadcast Encryption [BBW'05]
Setup_BE(n, λ): run Setup(λ) to generate PK, SK; for j ∈ {1, ..., n}: key K_j ← GenToken(SK, j)
Encrypt_BE(PK, S, M): C ← Encrypt(PK, S, M)
Decrypt_BE(K_j, C): M ← Query(K_j, C)
Decryption works when j ∈ S.
Best membership construction: |CT| = O(|S|) [BBW'05]
21
Constructions
22
Crash course in pairings
Standard groups where discrete log may be hard:
Z_p^* for prime p.
Elliptic curves E/F_p: y^2 = x^3 + ax + b
Extra structure on elliptic curves: bilinear maps. Defined by A. Weil (1946).
Miller '84: algorithm for computing them.
MOV '93: used to attack certain EC systems.
Recently (2000-5): lots of positive crypto applications.
23
Bilinear maps
G, G_T: finite cyclic groups of prime order q.
Def: an admissible bilinear map e: G × G → G_T is:
Bilinear: e(g^a, g^b) = e(g,g)^{ab} for all a, b ∈ Z, g ∈ G
Non-degenerate: g generates G ⟹ e(g,g) generates G_T.
"Efficiently" computable.
DDH is easy in G: given (g, g^a, h, h^b), then a = b ⟺ e(g, h^b) = e(g^a, h).
24
Bilinear groups of order N = pq [BGN'05]
G: group of order N = pq; (p, q) secret.
Bilinear map e: G × G → G_T.
G = G_p × G_q. g_p = g^q ∈ G_p; g_q = g^p ∈ G_q.
Facts: for all h ∈ G: h = (g_q)^a (g_p)^b
e(g_p, g_q) = e(g^q, g^p) = e(g,g)^N = 1
e(g_p, h) = e(g_p, g_p)^b !!
25
Subset query system
Goal: for any S ⊆ {1, ..., n} and A ⊆ {1, ..., n}, answer queries of the type P_A(S) = 1 ⟺ S ⊆ A.
Example: FromAddress ∈ Friends.
Trivial system: |CT| = O(2^n); our goal: |CT| = O(n).
Approach: reformulate as a conjunctive equality query.
Encode S ⊆ {1, ..., n} in unary as (s_1, ..., s_n) ∈ {0,1}^n.
Then S ⊆ A ⟺ for all a ∈ A^c: s_a = 0.
[Figure: the bit vector 0 0 0 ... 1 ... 0 0 0 with a position a ∈ A^c highlighted.]
26
Binary conjunctive equality queries
A failed attempt using standard IBE technology [BB'04]:
G: bilinear group. w, u, u_1, ..., u_n, v_1, ..., v_n ∈ G, L ∈ G_T
Encrypt(PK, b = (b_1, ..., b_n), M): r ← Z_q
C ← [ M·L^r, u^r, (u_1^{b_1} v_1)^r, ..., (u_n^{b_n} v_n)^r ]
GenToken(SK = w, A ⊆ {1, ..., n}): t_1, ..., t_n ← Z_q
T_A ← [ w · Π_{a ∈ A^c} (v_a)^{t_a}, u^{t_1}, ..., u^{t_n} ]
Query(T_A, C): if (for all a ∈ A^c: b_a = 0) then "algebra" returns M; otherwise random in G.
Problem: C leaks (b_1, ..., b_n):
b_j = 0 ⟺ (u, v_j, u^r, (u_j^{b_j} v_j)^r) is a DDH tuple.
27
Composite order groups to the rescue ...
G = G_p × G_q composite order group. w, u, u_1, ..., v_1, ... ∈ G_p
PK: blind the u's and v's by G_q:
U_i ← u_i R_i, V_i ← v_i R_i' where R_i, R_i' ← G_q
Encrypt(PK, b = (b_1, ..., b_n), M): r ← Z_N; Z, Z_1, ... ← G_q
C ← [ M·L^r, U^r Z, (U_1^{b_1} V_1)^r Z_1, ..., (U_n^{b_n} V_n)^r Z_n ]
No change to GenToken and Query.
Note: the R_j, Z_i terms cancel in Query.
Main point: now the DDH attack fails: b_j = 0, but
(U, V_j, U^r Z, (U_j^{b_j} V_j)^r Z_j) is not a DDH tuple in G.
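Worked check, added here and not part of the original slides, of the DDH leak in the prime-order attempt (slide 26) and of why the G_q blinding of slide 27 removes it. It uses only the pairing facts of the composite-order slide; R denotes the assumed G_q blinding factor of u, so U = uR.

$$
\begin{aligned}
&\text{Prime order, } b_j = 0:\quad e\big(u,\ (u_j^{b_j} v_j)^r\big) = e(u, v_j)^r = e(u^r, v_j),\\
&\text{whereas for } b_j = 1:\quad e\big(u,\ (u_j v_j)^r\big) = e(u, u_j)^r\, e(u, v_j)^r \neq e(u^r, v_j) \text{ in general,}\\
&\text{so the pairing test of slide 23 reads off } b_j \text{ from } C.\\[4pt]
&\text{Composite order: } U = uR,\ V_j = v_j R_j',\ \ u, v_j \in G_p,\ \ R, R_j', Z, Z_j \in G_q,\ \ e(G_p, G_q) = 1:\\
&e\big(U,\ V_j^{\,r} Z_j\big) = e(u, v_j)^r \cdot e\big(R,\ R_j'^{\,r} Z_j\big),\qquad
e\big(U^r Z,\ V_j\big) = e(u, v_j)^r \cdot e\big(R^r Z,\ R_j'\big),\\
&\frac{e(U,\ V_j^{\,r} Z_j)}{e(U^r Z,\ V_j)} = \frac{e(R, R_j')^r\, e(R, Z_j)}{e(R, R_j')^r\, e(Z, R_j')} = \frac{e(R, Z_j)}{e(Z, R_j')} \neq 1 \text{ for random } Z, Z_j,
\end{aligned}
$$

so even with b_j = 0 the two pairings no longer agree and the tuple passes as non-DDH in G; the G_q components that spoil the test are exactly the ones that cancel inside Query.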
28
The full system
... but cannot prove the system secure.
The full system: add y_1, ..., y_n to SK.
GenToken(SK = w, A ⊆ {1, ..., n}): t_{1,1}, t_{1,2}, ... ← Z_N
T_A ← [ w · Π_{a ∈ A^c} (v_a)^{t_{a,1}} (y_a)^{t_{a,2}}, (u_1^{t_{1,1}}, y_1^{t_{1,2}}), ..., (u_n^{t_{n,1}}, y_n^{t_{n,2}}) ]
Thm: the system is a selectively secure subset query system assuming the Bilinear-DH assumption and the Composite 3-party DH assumption.
29
Summary and Open Problems
Queries on public-key encrypted data:
Equality queries: efficient
Comparison queries (plaintext ≤ t): implies traitor tracing; best construction: |CT| = O(sqrt(n)); open: |CT| = O(log n)
Subset queries (plaintext ∈ A): best construction: |CT| = O(n); open: |CT| = O(log n)
Similar constructions/questions for conjunctive queries.
30
THE END