
Slide 1: Queries on Encrypted Data
Dan Boneh (Stanford University), Brent Waters (SRI)

Slide 2: Motivation: a few examples
Example 1: Visa gateway: forwarding encrypted credit-card transactions to the Visa system.
[Figure: Visa's high-security processor holds SK_visa and hands the gateway (a low-security processor) a token T_1000. The gateway receives Enc(PK_visa, Transaction), where the transaction carries VALUE and Exp-Date D, and answers "VALUE > 1000$?" with Yes/No without decrypting.]

Slide 3: Conjunction queries
Goal: the gateway should not learn which conjunct failed. Visa cannot simply give the gateway two tokens.
[Figure: same setup with the query "VALUE > 1000 AND exp-date < Jan. 2007"; Visa issues a single token T_P for the conjunctive predicate P and the gateway answers Yes/No.]

Slide 4: Filtering Encrypted Email
Set containment queries: the server learns nothing other than the containment status.
[Figure: Alice's mail server holds a token T_spam derived from SK_alice; on E(PK_alice, email) it tests "From in spamhaus" and answers Yes/No.]

Slide 5: Routing Encrypted Email
Conjunction queries.
[Figure: the mail server holds a token T_cell; on E(PK_alice, email) it tests "From in Friends AND subject = "urgent"" and answers Yes/No.]

Slide 6: Long term goal …
Goal: a public-key encryption system supporting any predicate (poly-size circuits).
Sample application:
- Spam predicate: P(m) = 1 if m is spam email.
- The mail server filters out encrypted spam email without decrypting it.
… but no known construction.

Slide 7: History
To date: primary focus on equality queries.
- SWP'00, GO'87: equality queries on symmetric-key encrypted data
- BDOP'04, AB…'05: equality queries on public-key encrypted data
- OS'05, BSW'06: equality queries that hide the predicate from the server
- BBO'06: efficient equality searches in databases
- BCPSS'06: range queries in a weaker security model

Slide 8: Definitions
Let {P_1, …, P_n} be a set of predicates over the attribute space, each P_i mapping an attribute to {0,1} [e.g. P_j(m) = 1 iff m  j].
A query system for this predicate set consists of 4 algorithms:
- Setup(security parameter): outputs PK and SK
- Encrypt(PK, S, M) → ciphertext C (S an attribute)
- GenToken(SK, P) → token T_P (P one of the predicates)
- Query(T_P, C) → M if P(S) = 1, and a distinguished failure value otherwise
Note: no decryption (but it can easily be added in).

Slide 9: Security
Example: attributes {1, …, n}, [P_j(x) = 1 iff x  j].
The adversary can request arbitrary tokens:
- Clearly, the adversary can distinguish Encrypt(PK, x, m) from Encrypt(PK, y, m) …
- … but Encrypt(PK, x, m) and Encrypt(PK, z, m) should be indistinguishable.
[Figure: number line 1 … n marked with the queried thresholds a, b, c and the points x, y, z.]

Slide 10: Secure query systems
Semantic security in the presence of arbitrary tokens (game between challenger and attacker):
- The challenger runs Setup(security parameter) and sends PK.
- The attacker asks for a token T_1 for a predicate P_1 of its choice.
- The attacker submits (S_0, M_0), (S_1, M_1) such that for all j: P_j(S_0) = P_j(S_1), and if M_0 ≠ M_1 then for all j: P_j(S_0) = P_j(S_1) = 0.
- The challenger picks b in {0,1} and sends C ← Encrypt(PK, S_b, M_b).
- The attacker asks for further tokens T_2, …, T_q for predicates P_2, …, P_q (subject to the same restriction) and outputs b' in {0,1}.
The adversary wins if b = b'.

Slide 11: Selectively secure query systems
Same game, except that the attacker commits to S_0, S_1 before seeing PK: it first sends S_0, S_1, then receives PK, then requests tokens T_1, … for predicates P_1, … with P_j(S_0) = P_j(S_1) for all j, then submits M_0, M_1 (if M_0 ≠ M_1 then P_j(S_0) = P_j(S_1) = 0 for all j), receives C ← Encrypt(PK, S_b, M_b) for b in {0,1}, and outputs b' in {0,1}.
The adversary wins if b = b'.

Slide 12: The trivial brute-force system
Predicates {P_1, …, P_n}; (KeyGen, Enc, Dec) a public-key system.
- Setup(security parameter): run KeyGen n times; PK ← (PK_1, …, PK_n), SK ← (SK_1, …, SK_n)
- Encrypt(PK, S, M): for j = 1, …, n set C_j ← Enc(PK_j, M) if P_j(S) = 1 and C_j ← Enc(PK_j, failure value) otherwise; output C ← (C_1, …, C_n)
- GenToken(SK, P_i): output T ← SK_i
- Query(T, C): output Dec(SK_i, C_i)
Parameters: |CT| = O(n), |T| = O(1).

Slide 13: Best known constructions [BSW'06, BW'06]
Encrypting a single attribute S in {1, …, n}:

  Query               Trivial |CT|   Lower bound   Best known |CT|   Best known |T|
  Equality (S = a)    O(n)           O(log n)
  Comparison (S  a)   O(n)           O(log n)      O(sqrt(n))
  Subset (S  A)       O(2^n)         O(log n)      O(n)              O(n - |A|)

Encrypting S = (S_1, …, S_w) in {1, …, n}^w (conjunctions):

  Query                               Trivial |CT|   Lower bound   Best known |CT|   Best known |T|
  S_1 = a_1 and … and S_w = a_w       O(n^w)         O(w·log n)
  S_1  a_1 and … and S_w  a_w         O(n^w)         O(w·log n)    O(nw)             O(w·log n)
  S_1  A_1 and … and S_w  A_w         O(2^(nw))      O(w·log n)    O(nw)             O(w·|A|)

Slide 14: Connections

Slide 15: Comparisons imply Traitor Tracing [CFN'94]
What if secret key K_i is exposed? Goal: trace a pirate decoder D to a key K_u, then kill user u (or revoke his key).
[Figure: users holding keys K_1, K_2, K_3 all receive the broadcast ciphertext CT = E[M].]

Slide 16: Tracing Traitors
- Setup_TT(n, security parameter): outputs private keys K_1, …, K_n and a public key PK; user i gets private key K_i
- Encrypt_TT(PK, M) → ciphertext C
- Decrypt_TT(K_i, C) → message M
- Trace^D(PK) → i in {1, …, n}: outputs the index of at least one key used to build D
D is a stateless black-box pirate decoder.

Slide 17: Comparisons imply Traitor Tracing
- Setup_TT(n, security parameter): run Setup to generate PK, SK; for i in {1, …, n} set key K_i ← GenToken(SK, i)
- Encrypt_TT(PK, M): C ← Encrypt(PK, 1, M)
- Decrypt_TT(K_i, C): M ← Query(K_i, C). Decryption works since i ≥ 1.
- Tracing: next slide

Slide 18: Trace^D(PK) [BF99, NNL00, KY02]
For j = 1, …, n+1 and a random message M define p_j := Pr[D(Encrypt(PK, j, M)) = M].
Then p_1 > 1 − ε and p_{n+1} ≈ 0, so
  1 − ε < |p_{n+1} − p_1| = |Σ_{i=1}^{n} (p_{i+1} − p_i)| ≤ Σ_{i=1}^{n} |p_{i+1} − p_i|.
Hence there exists i in {1, …, n} with |p_{i+1} − p_i| ≥ (1 − ε)/n, and user i must be one of the pirates.

Slide 19: Security Theorem
The tracing algorithm estimates each p_i to within |p̃_i − p_i| < (1 − ε)/4n, which needs O(n^2) samples per p_i (D is stateless), giving cubic-time tracing (can be improved to quadratic).
Thm: if the underlying comparison query system is selectively secure, then no efficient adversary wins the tracing game with non-negligible advantage.
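The following is an added example, not code from the slides or from Boneh and Waters: it implements the brute-force query system of slide 12 on top of a toy hashed ElGamal, instantiates it with comparison predicates, and then runs the tracing procedure of slides 17 to 19 against a constructed stateless pirate decoder. The orientation of the comparison predicate (P_i(x) = 1 iff x <= i) is an assumption consistent with the slide 18 argument (p_1 near 1, p_{n+1} near 0); the group parameters, the failure-symbol encoding, the decoder's spontaneous failure rate and all function names are this example's own.

```python
import hashlib
import random
from typing import Callable, List, Optional, Sequence, Tuple

# Toy hashed ElGamal over Z_P^* with P = 2^127 - 1 (a Mersenne prime), chosen for
# convenience only: no subgroup checks, no authentication, no real security.
P = (1 << 127) - 1
G = 3


def keygen(rng: random.Random) -> Tuple[int, int]:
    """Return (pk, sk) with pk = G^sk mod P."""
    sk = rng.randrange(1, P - 1)
    return pow(G, sk, P), sk


def _pad(shared: int) -> bytes:
    # Hash the shared Diffie-Hellman value into a 17-byte one-time pad.
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()[:17]


def enc(pk: int, m: Optional[bytes], rng: random.Random) -> Tuple[int, bytes]:
    """Encrypt a message of at most 16 bytes, or the failure symbol (m is None).
    The failure symbol is tag byte 0 plus random filler, so both kinds of
    ciphertext have the same length and shape."""
    assert m is None or len(m) <= 16
    block = b"\x00" + rng.randbytes(16) if m is None else b"\x01" + m.ljust(16, b"\x00")
    r = rng.randrange(1, P - 1)
    pad = _pad(pow(pk, r, P))
    return pow(G, r, P), bytes(a ^ b for a, b in zip(block, pad))


def dec(sk: int, ct: Tuple[int, bytes]) -> Optional[bytes]:
    u, body = ct
    block = bytes(a ^ b for a, b in zip(body, _pad(pow(u, sk, P))))
    return block[1:].rstrip(b"\x00") if block[0] == 1 else None


class BruteForceQuerySystem:
    """Slide 12: one key pair per predicate; the token for P_i is simply SK_i."""

    def __init__(self, predicates: Sequence[Callable[[int], bool]]):
        self.preds = list(predicates)

    def setup(self, rng: random.Random) -> Tuple[List[int], List[int]]:
        pairs = [keygen(rng) for _ in self.preds]
        return [pk for pk, _ in pairs], [sk for _, sk in pairs]

    def encrypt(self, PK: List[int], S: int, M: bytes, rng: random.Random):
        # C_j hides M when P_j(S) = 1 and the failure symbol otherwise: |CT| = O(n).
        return [enc(PK[j], M if Pj(S) else None, rng) for j, Pj in enumerate(self.preds)]

    def gen_token(self, SK: List[int], i: int) -> Tuple[int, int]:
        return i, SK[i]  # 0-based index of the predicate; |T| = O(1)

    def query(self, token: Tuple[int, int], C) -> Optional[bytes]:
        i, sk = token
        return dec(sk, C[i])


def comparison_system(n: int) -> BruteForceQuerySystem:
    """Comparison predicates P_i(x) = 1 iff x <= i, i = 1..n (stored at index i-1);
    this orientation is an assumption matching slide 18 (p_1 near 1, p_{n+1} near 0)."""
    return BruteForceQuerySystem([(lambda x, i=i: x <= i) for i in range(1, n + 1)])


def make_pirate_decoder(system, tokens, fail_prob: float, rng: random.Random):
    """Stateless black-box decoder D built from colluding users' tokens; it also
    fails spontaneously with probability fail_prob to exercise the 1 - eps slack."""
    def D(C) -> Optional[bytes]:
        if rng.random() < fail_prob:
            return None
        for t in tokens:
            m = system.query(t, C)
            if m is not None:
                return m
        return None
    return D


def trace(system, PK, D, n: int, eps: float, samples: int, rng: random.Random) -> Optional[int]:
    """Slide 18: estimate p_j = Pr[D(Encrypt(PK, j, M)) = M] for j = 1..n+1 by sampling
    and return an i with |p_{i+1} - p_i| >= (1 - eps)/n; that user is a pirate."""
    M = b"tracing probe"
    p = [sum(D(system.encrypt(PK, j, M, rng)) == M for _ in range(samples)) / samples
         for j in range(1, n + 2)]
    gaps = [abs(p[i + 1] - p[i]) for i in range(n)]
    i = max(range(n), key=gaps.__getitem__)
    return i + 1 if gaps[i] >= (1 - eps) / n else None


def query_demo(seed: int = 1):
    """Slide 12 check on attribute S = 3 with P_1..P_4: what each token opens."""
    rng = random.Random(seed)
    system = comparison_system(4)
    PK, SK = system.setup(rng)
    C = system.encrypt(PK, 3, b"hello", rng)
    return tuple(system.query(system.gen_token(SK, i), C) for i in range(4))


def tracing_demo(n: int = 6, pirates=(2, 5), seed: int = 7) -> Optional[int]:
    """Constructed collusion: the given users build D; tracing must name one of them."""
    rng = random.Random(seed)
    system = comparison_system(n)
    PK, SK = system.setup(rng)
    keys = {u: system.gen_token(SK, u - 1) for u in range(1, n + 1)}  # user u holds K_u
    D = make_pirate_decoder(system, [keys[u] for u in pirates], 0.1, rng)
    return trace(system, PK, D, n, eps=0.2, samples=100, rng=rng)


if __name__ == "__main__":
    print(query_demo())    # (None, None, b'hello', b'hello')
    print(tracing_demo())  # 5
```

With the decoder built from the keys of users 2 and 5, every p_j for j <= 5 sits near 0.9 (the decoder's own failure rate) and p_6 = p_7 = 0, so the only large gap is between p_5 and p_6 and tracing outputs user 5, the colluder with the largest index; the sampling budget here is far below the O(n^2) per estimate that slide 19 needs for the formal guarantee.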

Slide 20: Other connections: BE, IBE
Membership queries: S a subset of {1, …, n}; P_j(S) = 1 iff j in S.
Membership implies Private Broadcast Encryption [BBW'05]:
- Setup_BE(n, security parameter): run Setup to generate PK, SK; for j in {1, …, n} set key K_j ← GenToken(SK, j)
- Encrypt_BE(PK, S, M): C ← Encrypt(PK, S, M)
- Decrypt_BE(K_j, C): M ← Query(C, K_j). Decryption works when j in S.
Best membership construction: |CT| = O(|S|) [BBW'05].

Slide 21: Constructions

Slide 22: Crash course in pairings
Standard groups where discrete log may be hard:
- Z_p^* for prime p.
- Elliptic curves E/F_p: y^2 = x^3 + ax + b.
Extra structure on elliptic curves: bilinear maps.
- Defined by A. Weil (1946).
- Miller '84: algorithm for computing them.
- MOV '93: used to attack certain EC systems.
- Recently (2000-5): lots of positive crypto applications.

Slide 23: Bilinear maps
G, G_T: finite cyclic groups of prime order q.
Def: an admissible bilinear map e: G × G → G_T is:
- Bilinear: e(g^a, g^b) = e(g,g)^(ab) for all a, b in Z and g in G
- Non-degenerate: if g generates G then e(g,g) generates G_T
- "Efficiently" computable.
DDH is easy in G: given (g, g^a, h, h^b), a = b iff e(g, h^b) = e(g^a, h).

Slide 24: Bilinear groups of order N = pq [BGN'05]
G: group of order N = pq with (p, q) secret; bilinear map e: G × G → G_T.
G = G_p × G_q, with g_p = g^q in G_p and g_q = g^p in G_q.
Facts:
- every h in G can be written h = (g_q)^a · (g_p)^b
- e(g_p, g_q) = e(g^q, g^p) = e(g,g)^N = 1
- e(g_p, h) = e(g_p, g_p)^b !!

Slide 25: Subset query system
Goal: for any S and A, both subsets of {1, …, n}, answer queries of the type P_A(S) = 1 iff S is a subset of A.
- Example: FromAddress in Friends.
- Trivial system: |CT| = O(2^n); our goal: |CT| = O(n).
Approach: reformulate as a conjunctive equality query.
- Encode S in unary: (s_1, …, s_n) in {0,1}^n, with s_i = 1 iff i in S.
- Then S is a subset of A iff s_a = 0 for all a in A^c.
[Figure: bit vector 0 0 0 … 1 … 0 0 0, checked at the positions a in A^c.]

Slide 26: Binary conjunctive equality queries
A failed attempt using standard IBE technology [BB'04]:
- G: bilinear group; w, u, u_1, …, v_1, … in G; L in G_T.
- Encrypt(PK, b = (b_1, …, b_n), M): r ← Z_q; C ← [M · L^r, u^r, (u_1^(b_1) v_1)^r, …, (u_n^(b_n) v_n)^r]
- GenToken(SK = w, A a subset of {1, …, n}): t_1, …, t_n ← Z_q; T_A ← [w · Π_{a in A^c} (v_a)^(t_a), u^(t_1), …, u^(t_n)]
- Query(T_A, C): if b_a = 0 for all a in A^c then "algebra" returns M; otherwise random in G.
Problem: C leaks (b_1, …, b_n): b_j = 0 iff (u, v_j, u^r, (u_j^(b_j) v_j)^r) is a DDH tuple.

Slide 27: Composite order groups to the rescue …
G = G_p × G_q composite order group; w, u, u_1, …, v_1, … in G_p.
- PK: blind the u's and v's by G_q: U_i ← u_i · R_i, V_i ← v_i · R_i' where R_i, R_i' ← G_q
- Encrypt(PK, b = (b_1, …, b_n), M): r ← Z_N; Z, Z_1, … ← G_q; C ← [M · L^r, U^r · Z, (U_1^(b_1) V_1)^r · Z_1, …, (U_n^(b_n) V_n)^r · Z_n]
- No change to GenToken and Query.
Note: the R_j and Z_i terms cancel in Query.
Main point: the DDH attack now fails: b_j = 0, but (U, V_j, U^r · Z, (U_j^(b_j) V_j)^r · Z_j) is not a DDH tuple in G.
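The following is an added example, not code from the slides or from Boneh and Waters, that makes the algebra of slides 23, 24, 26 and 27 checkable with a toy bilinear group: G and G_T are both the additive group Z_N, "g^a" is a·g mod N and e(g, h) = g·h mod N. Discrete log is trivial in this group, so it has no security whatsoever; it only reproduces the identities on the slides (bilinearity, e(g_p, g_q) = 1, the decomposition h = g_q^a g_p^b, and the pairing-based DDH test that reveals b_j for the unblinded ciphertext of slide 26 but not for the G_q-blinded one of slide 27). The primes p, q, the generator and every function name are this example's own.

```python
import math
import random
from typing import Dict, Tuple

# Toy bilinear group: Z_N under addition plays both G and G_T.  Trivial discrete
# log, so nothing here is secure; it only lets us test the slide identities.


class ToyBilinearGroup:
    def __init__(self, p: int, q: int, g: int = 5):
        self.p, self.q, self.N = p, q, p * q
        self.g = g                     # any unit mod N generates Z_N
        self.g_p = (q * g) % self.N    # g^q: generator of G_p (order p)
        self.g_q = (p * g) % self.N    # g^p: generator of G_q (order q)

    def mul(self, a: int, b: int) -> int:   # group operation (written a*b on the slides)
        return (a + b) % self.N

    def exp(self, a: int, k: int) -> int:   # a^k
        return (k * a) % self.N

    def pair(self, a: int, b: int) -> int:  # e(a, b) in G_T; the identity of G_T is 0
        return (a * b) % self.N

    def rand_exp(self, rng: random.Random) -> int:
        while True:                         # exponent that is a unit of Z_N
            r = rng.randrange(1, self.N)
            if math.gcd(r, self.N) == 1:
                return r

    def rand_Gp(self, rng: random.Random) -> int:
        return self.exp(self.g_p, rng.randrange(1, self.p))

    def rand_Gq(self, rng: random.Random) -> int:
        return self.exp(self.g_q, rng.randrange(1, self.q))

    def decompose(self, h: int) -> Tuple[int, int]:
        """Slide 24: h = g_q^a * g_p^b; h mod q fixes a and h mod p fixes b (CRT)."""
        a = h * pow(self.g_q % self.q, -1, self.q) % self.q
        b = h * pow(self.g_p % self.p, -1, self.p) % self.p
        return a, b


def ddh(grp: ToyBilinearGroup, g: int, ga: int, h: int, hb: int) -> bool:
    """Slide 23: for (g, g^a, h, h^b), a = b iff e(g, h^b) = e(g^a, h)."""
    return grp.pair(g, hb) == grp.pair(ga, h)


def unblinded_pair(grp, u, v, b, r):
    """Slide 26 ciphertext components (u^r, (u^b v)^r) with u, v in G_p."""
    return grp.exp(u, r), grp.exp(grp.mul(grp.exp(u, b), v), r)


def blinded_pair(grp, U, V, b, r, rng):
    """Slide 27 components (U^r Z, (U^b V)^r Z_1) with fresh Z, Z_1 in G_q."""
    Z, Z1 = grp.rand_Gq(rng), grp.rand_Gq(rng)
    return grp.mul(grp.exp(U, r), Z), grp.mul(grp.exp(grp.mul(grp.exp(U, b), V), r), Z1)


def algebra_checks(seed: int = 1) -> Dict[str, bool]:
    """Bilinearity and the composite-order facts of slides 23 and 24."""
    rng = random.Random(seed)
    grp = ToyBilinearGroup(1000003, 1000033)        # constructed primes p, q
    a, b = grp.rand_exp(rng), grp.rand_exp(rng)
    h = rng.randrange(1, grp.N)
    ha, hb = grp.decompose(h)
    t, R = grp.rand_Gp(rng), grp.rand_Gq(rng)       # token-side G_p element, G_q blinding
    gg = grp.pair(grp.g, grp.g)
    return {
        "bilinear": grp.pair(grp.exp(grp.g, a), grp.exp(grp.g, b)) == grp.exp(gg, a * b),
        "e(g_p,g_q)=1": grp.pair(grp.g_p, grp.g_q) == 0,
        "h=g_q^a*g_p^b": grp.mul(grp.exp(grp.g_q, ha), grp.exp(grp.g_p, hb)) == h,
        "e(g_p,h)=e(g_p,g_p)^b": grp.pair(grp.g_p, h) == grp.exp(grp.pair(grp.g_p, grp.g_p), hb),
        "G_q blinding cancels against G_p": grp.pair(t, grp.mul(h, R)) == grp.pair(t, h),
    }


def leak_experiment(seed: int = 1) -> Dict[Tuple[str, int], bool]:
    """Slide 26 vs 27: does the pairing DDH test reveal the bit b?"""
    rng = random.Random(seed)
    grp = ToyBilinearGroup(1000003, 1000033)
    u, v = grp.rand_Gp(rng), grp.rand_Gp(rng)                          # unblinded PK elements
    U, V = grp.mul(u, grp.rand_Gq(rng)), grp.mul(v, grp.rand_Gq(rng))  # blinded by G_q
    r = grp.rand_exp(rng)
    out = {}
    for b in (0, 1):
        ur, x = unblinded_pair(grp, u, v, b, r)
        out[("unblinded", b)] = ddh(grp, u, v, ur, x)   # True exactly when b = 0: leak
        Ur, X = blinded_pair(grp, U, V, b, r, rng)
        out[("blinded", b)] = ddh(grp, U, V, Ur, X)     # False for both b: no leak
    return out
```

The last entry of `algebra_checks` is the "R_j, Z_i terms cancel in Query" point: pairing any G_p element with a G_q element gives the identity, so a G_q blinding factor multiplied into a ciphertext component disappears as soon as it is paired with a token component that lives in G_p, while an observer who pairs ciphertext components with the (blinded) public-key elements no longer gets a clean DDH relation.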

Slide 28: The full system …
But we cannot prove this system secure. The full system adds y_1, …, y_n to SK:
- GenToken(SK = w, A a subset of {1, …, n}): t_{1,1}, t_{1,2}, … ← Z_N; T_A ← [w · Π_{a in A^c} (v_a)^(t_{a,1}) (y_a)^(t_{a,2}), (u_1^(t_{1,1}), y_1^(t_{1,2})), …, (u_n^(t_{n,1}), y_n^(t_{n,2}))]
Thm: the system is a selectively secure subset query system assuming:
- the Bilinear-DH assumption, and
- the Composite 3-party DH assumption.

Slide 29: Summary and Open Problems
Queries on public-key encrypted data:
- Equality queries: efficient.
- Comparison queries (plaintext  t): implies traitor tracing. Best construction: |CT| = O(sqrt(n)). Open: |CT| = O(log n)?
- Subset queries (plaintext  A): best construction |CT| = O(n). Open: |CT| = O(log n)?
- Similar constructions/questions for conjunctive queries?

Slide 30: THE END

