1 Conjunctive, Subset, and Range Queries on Encrypted Data Dan Boneh Brent Waters Stanford University SRI International.


2 2 Encryption Systems – Traditional View
[Figure label: PK_Salil]
• Salil gives private key to assistant Charlie
• Charlie learns everything

3 3 Encryption Systems – New View
[Figure labels: PK_Salil; TCC; Subj: TCC; Subj: personal; Subj: our paper]
• Salil gives partial capabilities to Charlie
• Charlie learns what he needs to know
• Focus on “Searching Systems”

4 4 Filtering Encrypted Email
Set containment queries:
• Server learns nothing other than containment status.
[Figure labels: Mail Server; SK_alice; From:, Subject:; From  Blacklist; Yes / No; E(PK_alice, email); T_spam; email]

5 5 Routing Encrypted Email
Conjunction queries:
[Figure labels: Mail Server; SK_alice; From:, Subject:; From  Friends AND subject = “urgent”; Yes / No; E(PK_alice, email); T_cell; email]

6 6 Long term goal …
Goal: Public-key encryption system supporting any predicate (poly-size circuits)
Sample application:
• Spam predicate: P(m) = 1 if m is spam email
• Mail server filters out encrypted spam email without decrypting email.
… seems far off

7 7 History
To date: primary focus on equality queries
• SWP’00, GO’87: Equality queries on symmetric-key encrypted data
• BDOP’04, AB…’05: Equality queries on public-key encrypted data

8 8 Definitions Let  = {P 1, …, P n } be a set of predicates over . P i :   {0,1} [e.g: P j (S) = 1  S  j ] A  -query system consists of 4 algorithms:  Setup ( ):outputs PK and SK  Encrypt (PK, S)  Ciphertext C (S  )  GenToken (SK, )  Token T P (P  )  Query ( T P, C)  Output  (Can allow message decryption on “hit” when P(S)=1) P(S)

9 9 Security Example:  = {1, …, n}, [ P j (x) = 1  x  j ] Adversary can request arbitrary tokens:  Clearly, adversary can distinguish Encrypt(PK, x ) from Encrypt(PK, y )  … but Encrypt(PK, x ) and Encrypt(PK, z ) should be indistinguishable 1n aa bb cc x yz

10 10 Secure  -query systems Semantic security in the presence of arbitrary tokens: Challenger Attacker Run Setup( ) PK P1P1 T1T1 Adversary wins if: b = b’, P 2, …, P q, T 2, …, T q (S 0 ), (S 1 ) s.t.:  j: P j (S 0 ) = P j (S 1 ) b  {0,1} C  Encrypt(PK,S b ) b’  {0,1}

11 11 The trivial brute-force system  = {P 1, …, P n } ; (KeyGen, Enc, Dec) pub-key system  Setup( ): Run KeyGen( ) n times PK  ( PK 1, …, PK n ), SK  ( SK 1, …, SK n )  Encrypt( PK, S): output C  (C 1, …, C n )  GenToken( SK, P i ):output T  SK i  Query( T, C) :output Dec( SK i, C i ) Parameters: |CT| = O(n) |T| = O(1) Enc( PK j, M ) if P j (S) = 1 Enc( PK j,  ) otherwise for j = 1,…,n: C j 

12 12 Best known constructions [BSW’06, BW’06]
(Sizes in # of group elements)

Encrypt S  {1,…,n}:
                                   Trivial |CT|    Best Known |CT|
Equality (S = a)                   O(n)            O(1)
Comparison (S  a)                 O(n)            O(sqrt(n))
Subset (S  A)                     O(2^n)          O(n)

Encrypt S = (S_1,…,S_w)  {1,…,n}^w --- conjunctions:
                                   Trivial |CT|    Best Known |CT|
S_1 = a_1  …  S_w = a_w          O(n^w)          O(w)
S_1  a_1  …  S_w  a_w          O(n^w)
S_1  A_1  …  S_w  A_w          O(2^(nw))       O(nw)

13 13 Bilinear maps G, G T : finite cyclic groups of prime order q. Def: An admissible bilinear map e: G  G  G T is:  Bilinear: e(g a, g b ) = e(g,g) ab  a,b  Z, g  G  Non-degenerate: g generates G  e(g,g) generates G T.  “Efficiently” computable.

14 14 Bilinear groups of order N=pq [BGN’05] G: group of order N=pq. (p,q) – secret. bilinear map: e: G  G  G T G = G p  G q. g p = g q  G p ; g q = g p  G q Facts: h  G  h = (g q ) a  (g p ) b e( g p, g q ) = e(g p, g q ) = e(g,g) N = 1 e( g p, h ) = e( g p, g p ) b !!

15 15 Subset query system Goal: for any S  {1,…,n} and A  {1,…,n} answer queries of type: P A (S) = 1  S  A  Example: FromAddress  Friends  Trivial system: |CT| = O(2 n ), Our goal: |CT| = O(n) Approach: reformulate as conjunctive equality query  Encode S  {1,…,n} in uniary:  (S) = (s 1,…,s n )  {0,1} n  Then S  A  (s a = 0) 0 0 0 … 1 … 0 0 0 a  A c

16 16 Construction Intuition
1st Attempt
• Use IBE techniques to encrypt to “vector” identity (s_1,…,s_n)
• Get message if “true”
• Problem: Can test identity by testing for DDH tuples between CT and PK
Solution
• Make CTs, PK random in G_q  not DDH tuples
• Tokens in G_p  G_q does not matter after pairing
• Intuition: Disallow unintended application of pairing

17 17 Security
Thm: The system is a selectively secure subset query system assuming:
• Bilinear-DH assumption, and
• Composite 3-party DH assumption
Implied by Boneh’s Uber-Assumption

18 18 Summary and Open Problems
Queries on public key encrypted data:
• Equality queries: efficient
• Comparison queries: plaintext  t
  Implies traitor tracing
  Best construction: |CT| = O(sqrt(n))
  Open: |CT| = O(log n)
• Subset queries: plaintext  A
  Best construction: |CT| = O(n)
  Open: |CT| = O(log n)
• Similar constructions/questions for conjunctive queries

19 19 THE END

20 20 History
To date: primary focus on equality queries
• SWP’00, GO’87: Equality queries on symmetric-key encrypted data
• BDOP’04, AB…’05: Equality queries on public-key encrypted data
• OS’05, BSW’06: Equality queries that hide predicate from server
• BBO’06: Efficient equality searches in databases
• BCPSS’06: Range queries in a weaker security model

21 21 Motivation: a few examples
Example 1:
• Visa gateway: Forwarding encrypted CC transactions to the Visa system
[Figure labels: VISA; Gateway; VALUE > $1000 ?; Yes / No; SK_visa  T_1000; Transaction: VALUE, Exp-Date, D; Enc(PK_visa, Transaction); Low Security Processor; High Security Processor; D; T_1000]

22 22 Conjunction queries
Goal: gateway should not learn which conjunct failed.
• Visa cannot simply give gateway two tokens
[Figure labels: VISA; Gateway; VALUE > 1000 AND exp-date < April 2007; Yes / No; SK_visa  T_P; Transaction: VALUE, Exp-Date, D; Low Security Processor; High Security Processor; D; T_P]

23 23 Best known constructions [BSW’06, BW’06] Encrypt S  {1,…, n } (Sizes in # of group elements) Encrypt S = (S 1,…,S w )  {1,…, n } w --- conjunctions Trivial |CT| Lower Bound Best Known |CT| |T| Equality (S = a)O(n)O(log n) Comparison (S  a) O(n)O(log n) O(  n) Subset (S  A) O(2 n )O(log n)O(n)O(n-|A|) Trivial |CT| Lower Bound Best Known |CT| |T| S 1 =a 1  …  S w =a w O(n w ) O(w  log n) S 1  a 1  …  S w  a w O(n w ) O(w  log n) O(nw) O(w  log n) S 1  A 1  …  S w  A w O(2 nw ) O(w  log n) O(nw) O(w  |A|)

24 24 The full system... But cannot prove the system secure. The full system: add y 1, …, y n to SK  GenToken( SK=w, A  {1,…,n} ): t 1,1, t 1,2, …  Z N ( u 1 t 1,1, y 1 t 1,2 ) ( u n t n,1, y n t n,2 ) Thm: The system is a selectively secure subset query system assuming:  Bilinear-DH assumption, and  Composite 3-party DH assumption T A  w   (v a ) t a, 1  ( y a ) t a, 2, aAcaAc

25 25 The full system... But cannot prove the system secure. (Need a bit more)
Thm: The system is a selectively secure subset query system assuming:
• Bilinear-DH assumption, and
• Composite 3-party DH assumption
• (Fragments of “Uber-assumption”)

26 26 Binary conjunctive equality queries A failed attempt using standard IBE technology: [BB’04]  G: bilinear group. w, u, u 1,…, v 1,…  G,  Encrypt (PK, b = (b 1,…,b n ), M): r  Z q C  [ e(u,w) r, u r, (u 1 b 1 v 1 ) r, …, (u n b n v n ) r ]  GenToken( SK=w, A  {1,…,n} ): t 1, …, t n  Z q T A  [ w   (v a ) t a, u t 1, …, u t n ]  Query( T A, C): If (  a  A c : b a =0) then “algebra” returns M; otherwise random in G Problem: C leaks ( b 1, …, b n ) b j = 0  ( u, v j, u r, (u j b j v j ) r ) is a DDH tuple aAcaAc

27 27 Composite order groups to the rescue … G=G p  G q composite order group. w, u, u 1, …, v 1, …  G p  PK: Blind u’s and v’s by G q U i  u i  R i, V i  v i  R i ’ where R i, R i ’  G q  Encrypt (PK, b = (b 1,…,b n ), M): r  Z N, Z, Z 1,…  G q C  [ e(u,w) r, U r  Z, (U 1 b 1 V 1 ) r  Z 1, …, (U n b n V n ) r  Z n ]  No change to GenToken and Query Note: R j, Z i terms cancel in Query. Main point: now DDH attack fails: b j = 0, but ( U, V j, U r  Z, (U j b j V j ) r  Z j ) not a DDH tuple in G

28 28 Selectively secure  -query systems Challenger Attacker Run Setup( ) PK P1P1 T1T1 Adversary wins if: b = b’, P 2, …, P q, T 2, …, T q S 0, S 1 s.t.:  j: P j (S 0 ) = P j (S 1 ) b  {0,1} C  Encrypt(PK,S b ) b’  {0,1} S 0, S 1 S0S0 S1S1

