Slide 1: Conjunctive, Subset, and Range Queries on Encrypted Data
Dan Boneh (Stanford University), Brent Waters (SRI International)


Slide 2: Encryption Systems – Traditional View
(figure: mail encrypted under Salil's public key PK_Salil)
- Salil gives his private key to his assistant Charlie
- Charlie learns everything

Slide 3: Encryption Systems – New View
(figure: mail encrypted under PK_Salil, with subjects "TCC", "personal" and "our paper")
- Salil gives partial capabilities to Charlie
- Charlie learns only what he needs to know
- Focus on "searching systems"

Slide 4: Filtering Encrypted Mail – set containment queries
- The server learns nothing other than the containment status
(figure: the mail server holds a token T_spam derived from SK_alice; for an incoming E(PK_alice, mail) with From: and Subject: fields it tests "From ∈ Blacklist" and answers Yes or No)

Slide 5: Routing Encrypted Mail – conjunction queries
(figure: the mail server holds a token T_cell derived from SK_alice; for an incoming E(PK_alice, mail) it tests "From ∈ Friends AND Subject = 'urgent'" and answers Yes or No)

Slide 6: Long term goal …
Goal: a public-key encryption system supporting any predicate (poly-size circuits).
Sample application:
- Spam predicate: P(m) = 1 if m is spam
- The mail server filters out encrypted spam without decrypting
… this still seems far off.

Slide 7: History
To date: the primary focus has been on equality queries
- SWP'00, GO'87: equality queries on symmetric-key encrypted data
- BDOP'04, AB…'05: equality queries on public-key encrypted data

Slide 8: Definitions
Let Φ = {P_1, …, P_n} be a set of predicates over Σ, with P_i : Σ → {0,1}
[e.g. P_j(S) = 1 ⟺ S ≥ j].
A Φ-query system consists of 4 algorithms:
- Setup(λ): outputs PK and SK
- Encrypt(PK, S) → ciphertext C (for S ∈ Σ)
- GenToken(SK, P) → token T_P (for P ∈ Φ)
- Query(T_P, C) → outputs P(S)
(One can also allow message decryption on a "hit", i.e. when P(S) = 1.)

Slide 9: Security
Example: Σ = {1, …, n}, [P_j(x) = 1 ⟺ x ≥ j]
(figure: the points 1, …, n on a line, with token positions a, b, c and plaintexts x, y, z; x and z lie in the same interval between token positions, y in a different one)
The adversary can request arbitrary tokens:
- Clearly, the adversary can distinguish Encrypt(PK, x) from Encrypt(PK, y)
- … but Encrypt(PK, x) and Encrypt(PK, z) should be indistinguishable

Slide 10: Secure Φ-query systems
Semantic security in the presence of arbitrary tokens (game between Challenger and Attacker):
1. Challenger runs Setup(λ) and sends PK to the Attacker.
2. Attacker asks for tokens for P_1, P_2, …, P_q and receives T_1, T_2, …, T_q.
3. Attacker outputs (S_0, S_1) such that for all j: P_j(S_0) = P_j(S_1).
4. Challenger picks b ← {0,1} and sends C ← Encrypt(PK, S_b).
5. Attacker outputs b' ∈ {0,1}.
The adversary wins if b = b'.

Slide 11: The trivial brute-force system
Φ = {P_1, …, P_n}; (KeyGen, Enc, Dec) is any public-key system.
- Setup(λ): run KeyGen(λ) n times; PK ← (PK_1, …, PK_n), SK ← (SK_1, …, SK_n)
- Encrypt(PK, S): output C ← (C_1, …, C_n), where for j = 1, …, n:
  C_j ← Enc(PK_j, M) if P_j(S) = 1, and C_j ← Enc(PK_j, ⊥) otherwise
- GenToken(SK, P_i): output T ← SK_i
- Query(T, C): output Dec(SK_i, C_i)
Parameters: |CT| = O(n), |T| = O(1)

Slide 12: Best known constructions [BSW'06, BW'06]
(Sizes in # of group elements)

Encrypt S ∈ {1, …, n}:

| Query             | Trivial |CT| | Best known |CT| |
| Equality (S = a)  | O(n)         | O(1)            |
| Comparison (S ≥ a)| O(n)         | O(√n)           |
| Subset (S ⊆ A)    | O(2^n)       | O(n)            |

Encrypt S = (S_1, …, S_w) ∈ {1, …, n}^w (conjunctions):

| Query                          | Trivial |CT| | Best known |CT| |
| S_1 = a_1 ∧ … ∧ S_w = a_w      | O(n^w)       | O(w)            |
| S_1 ≥ a_1 ∧ … ∧ S_w ≥ a_w      | O(n^w)       |                 |
| S_1 ⊆ A_1 ∧ … ∧ S_w ⊆ A_w      | O(2^{nw})    | O(nw)           |

Slide 13: Bilinear maps
G, G_T: finite cyclic groups of prime order q.
Def: An admissible bilinear map e : G × G → G_T is:
- Bilinear: e(g^a, g^b) = e(g, g)^{ab} for all a, b ∈ Z, g ∈ G
- Non-degenerate: g generates G ⇒ e(g, g) generates G_T
- "Efficiently" computable

Slide 14: Bilinear groups of order N = pq [BGN'05]
G: group of order N = pq; (p, q) secret. Bilinear map e : G × G → G_T.
G = G_p × G_q, with g_p = g^q ∈ G_p and g_q = g^p ∈ G_q.
Facts:
- h ∈ G ⇒ h = (g_q)^a · (g_p)^b
- e(g_p, g_q) = e(g^q, g^p) = e(g, g)^N = 1
- e(g_p, h) = e(g_p, g_p)^b !!

Slide 15: Subset query system
Goal: for any S ⊆ {1, …, n} and A ⊆ {1, …, n}, answer queries of the type P_A(S) = 1 ⟺ S ⊆ A
- Example: FromAddress ∈ Friends
- Trivial system: |CT| = O(2^n). Our goal: |CT| = O(n)
Approach: reformulate as a conjunctive equality query
- Encode S ⊆ {1, …, n} in unary: σ(S) = (s_1, …, s_n) ∈ {0,1}^n
- Then S ⊆ A ⟺ ∧_{a ∈ A^c} (s_a = 0)
(figure: the bit vector σ(S), with the bit s_a at a position a ∈ A^c)

Slide 16: Construction Intuition
1st attempt:
- Use IBE techniques to encrypt to the "vector" identity (s_1, …, s_n)
- Get the message if the predicate is "true"
- Problem: one can test the identity by testing for DDH tuples between the CT and the PK
Solution:
- Make the CTs and the PK random in G_q ⇒ no longer DDH tuples
- Tokens live in G_p ⇒ the G_q part does not matter after pairing
- Intuition: disallow unintended applications of the pairing

Slide 17: Security
Thm: The system is a selectively secure subset query system assuming:
- the Bilinear-DH assumption, and
- the Composite 3-party DH assumption
Both are implied by Boneh's Uber-Assumption.

Slide 18: Summary and Open Problems
Queries on public-key encrypted data:
- Equality queries: efficient
- Comparison queries (plaintext ≥ t): implies traitor tracing.
  Best construction: |CT| = O(√n). Open: |CT| = O(log n)
- Subset queries (plaintext ⊆ A):
  Best construction: |CT| = O(n). Open: |CT| = O(log n)
- Similar constructions and questions for conjunctive queries

Slide 19: THE END

Slide 20: History
To date: the primary focus has been on equality queries
- SWP'00, GO'87: equality queries on symmetric-key encrypted data
- BDOP'04, AB…'05: equality queries on public-key encrypted data
- OS'05, BSW'06: equality queries that hide the predicate from the server
- BBO'06: efficient equality searches in databases
- BCPSS'06: range queries in a weaker security model

Slide 21: Motivation: a few examples
Example 1:
- Visa gateway: forwarding encrypted credit-card transactions to the Visa system
(figure: Enc(PK_visa, Transaction), where the transaction carries a VALUE and an Exp-Date D, arrives at the gateway (a low-security processor); the gateway holds a token T_1000 derived from SK_visa, tests "VALUE > $1000?" and answers Yes or No; the transaction is then passed on to the high-security processor)

Slide 22: Conjunction queries
Goal: the gateway should not learn which conjunct failed.
- Visa cannot simply give the gateway two tokens
(figure: the gateway holds a single token T_P derived from SK_visa for the predicate "VALUE > 1000 AND exp-date < April 2007", and answers Yes or No)

Slide 23: Best known constructions [BSW'06, BW'06]
(Sizes in # of group elements; cells left blank are not given on the slide)

Encrypt S ∈ {1, …, n}:

| Query             | Trivial |CT| | Lower bound | Best known |CT| | |T|        |
| Equality (S = a)  | O(n)         | O(log n)    |                 |            |
| Comparison (S ≥ a)| O(n)         | O(log n)    | O(√n)           |            |
| Subset (S ⊆ A)    | O(2^n)       | O(log n)    | O(n)            | O(n − |A|) |

Encrypt S = (S_1, …, S_w) ∈ {1, …, n}^w (conjunctions):

| Query                          | Trivial |CT| | Lower bound  | Best known |CT| | |T|          |
| S_1 = a_1 ∧ … ∧ S_w = a_w      | O(n^w)       | O(w · log n) |                 |              |
| S_1 ≥ a_1 ∧ … ∧ S_w ≥ a_w      | O(n^w)       | O(w · log n) | O(nw)           | O(w · log n) |
| S_1 ⊆ A_1 ∧ … ∧ S_w ⊆ A_w      | O(2^{nw})    | O(w · log n) | O(nw)           | O(w · |A|)   |

Slide 24: The full system
… but we cannot prove this system secure.
The full system: add y_1, …, y_n to SK
- GenToken(SK = w, A ⊆ {1, …, n}): t_{1,1}, t_{1,2}, … ← Z_N
  T_A ← [ w · ∏_{a ∈ A^c} (v_a)^{t_{a,1}} · (y_a)^{t_{a,2}},  (u_1^{t_{1,1}}, y_1^{t_{1,2}}), …, (u_n^{t_{n,1}}, y_n^{t_{n,2}}) ]
Thm: The system is a selectively secure subset query system assuming:
- the Bilinear-DH assumption, and
- the Composite 3-party DH assumption

Slide 25: The full system
… but we cannot prove this system secure. (A bit more is needed.)
Thm: The system is a selectively secure subset query system assuming:
- the Bilinear-DH assumption, and
- the Composite 3-party DH assumption
- (fragments of the "Uber-assumption")

Slide 26: Binary conjunctive equality queries
A failed attempt using standard IBE technology [BB'04]:
- G: bilinear group; w, u, u_1, …, v_1, … ∈ G
- Encrypt(PK, b = (b_1, …, b_n), M): r ← Z_q
  C ← [ e(u, w)^r, u^r, (u_1^{b_1} v_1)^r, …, (u_n^{b_n} v_n)^r ]
- GenToken(SK = w, A ⊆ {1, …, n}): t_1, …, t_n ← Z_q
  T_A ← [ w · ∏_{a ∈ A^c} (v_a)^{t_a}, u^{t_1}, …, u^{t_n} ]
- Query(T_A, C): if (∀ a ∈ A^c : b_a = 0) then "algebra" returns M; otherwise a random element of G
Problem: C leaks (b_1, …, b_n):
  b_j = 0 ⟺ (u, v_j, u^r, (u_j^{b_j} v_j)^r) is a DDH tuple

Slide 27: Composite order groups to the rescue …
G = G_p × G_q is a composite order group; w, u, u_1, …, v_1, … ∈ G_p
- PK: blind the u's and v's by G_q: U_i ← u_i · R_i, V_i ← v_i · R_i', where R_i, R_i' ← G_q
- Encrypt(PK, b = (b_1, …, b_n), M): r ← Z_N; Z, Z_1, … ← G_q
  C ← [ e(u, w)^r, U^r · Z, (U_1^{b_1} V_1)^r · Z_1, …, (U_n^{b_n} V_n)^r · Z_n ]
- No change to GenToken and Query. Note: the R_j and Z_i terms cancel in Query.
Main point: the DDH attack now fails:
  b_j = 0, but (U, V_j, U^r · Z, (U_j^{b_j} V_j)^r · Z_j) is not a DDH tuple in G
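To make the argument of slides 14, 16, 26 and 27 checkable, here is an added example that is not part of the slides or the authors' code. It is a toy "exponent model" of a composite-order bilinear group: every element is stored as its discrete log modulo N = pq and the pairing multiplies exponents, which is exactly the algebra e(g^a, g^b) = e(g, g)^{ab} of slide 13. The attacker code below only uses the public operations (multiply, exponentiate, pair, compare), never the stored exponent. With that model it checks the subgroup facts of slide 14, runs the DDH test of slide 26 against an unblinded ciphertext component (where it leaks b_j) and against the G_q-blinded component of slide 27 (where it does not), and verifies that blinding by G_q is invisible to a token element in G_p, which is why Query still works. The primes, the seed and the names of all functions are constructed for this demonstration; a real instantiation uses large secret p and q and a CSPRNG.

```python
import random


class Elem:
    """Group element of the toy model, stored as its discrete log mod N.
    Only the public group operations (multiply, exponentiate, compare, pair)
    are used by the attacker code below; it never reads .e directly."""

    def __init__(self, grp, e, target=False):
        self.grp, self.e, self.target = grp, e % grp.N, target

    def __mul__(self, other):           # group operation
        assert self.target == other.target
        return Elem(self.grp, self.e + other.e, self.target)

    def __pow__(self, k):               # exponentiation by an integer
        return Elem(self.grp, self.e * k, self.target)

    def __eq__(self, other):
        return self.target == other.target and self.e == other.e

    def is_identity(self):
        return self.e == 0


class CompositeGroup:
    """G = G_p x G_q of order N = pq with e(g^a, g^b) = e(g,g)^(ab) (slide 14)."""

    def __init__(self, p, q):
        self.p, self.q, self.N = p, q, p * q
        self.g_p = Elem(self, q)        # g^q generates the order-p subgroup G_p
        self.g_q = Elem(self, p)        # g^p generates the order-q subgroup G_q

    def pair(self, x, y):               # e : G x G -> G_T, and G_T has order N too
        assert not (x.target or y.target)
        return Elem(self, x.e * y.e, target=True)

    def rand_Gp(self, rng):
        return self.g_p ** rng.randrange(1, self.p)

    def rand_Gq(self, rng):
        return self.g_q ** rng.randrange(1, self.q)


def make_rng(seed):
    """Seeded PRNG so the demo is reproducible; a real scheme uses a CSPRNG."""
    return random.Random(seed)


def subgroup_facts(G, rng):
    """Facts of slide 14: e(g_p, g_q) = 1 and e(g_p, h) = e(g_p, g_p)^b for
    h = (g_q)^a (g_p)^b, i.e. the G_q component of h vanishes under the pairing."""
    a, b = rng.randrange(1, G.q), rng.randrange(1, G.p)
    h = G.g_q ** a * G.g_p ** b
    return (G.pair(G.g_p, G.g_q).is_identity()
            and G.pair(G.g_p, h) == G.pair(G.g_p, G.g_p) ** b)


def ddh_test(G, U, V_j, U_r, C_j):
    """The attacker's check from slide 26: (U, V_j, U^r, C_j) is a DDH tuple
    exactly when e(U, C_j) == e(U^r, V_j), i.e. when C_j = V_j^r."""
    return G.pair(U, C_j) == G.pair(U_r, V_j)


def leaky_component(G, rng, b_j):
    """Slide 26: ciphertext component j with all elements in G_p and no
    blinding. Returns (u, v_j, u^r, (u_j^b_j v_j)^r)."""
    u, u_j, v_j = G.rand_Gp(rng), G.rand_Gp(rng), G.rand_Gp(rng)
    r = rng.randrange(1, G.N)
    return u, v_j, u ** r, (u_j ** b_j * v_j) ** r


def blinded_component(G, rng, b_j):
    """Slide 27: PK elements and ciphertext parts multiplied by fresh G_q
    elements. Returns (U, V_j, U^r Z, (U_j^b_j V_j)^r Z_j)."""
    u, u_j, v_j = G.rand_Gp(rng), G.rand_Gp(rng), G.rand_Gp(rng)
    U, U_j, V_j = u * G.rand_Gq(rng), u_j * G.rand_Gq(rng), v_j * G.rand_Gq(rng)
    r = rng.randrange(1, G.N)
    Z, Z_j = G.rand_Gq(rng), G.rand_Gq(rng)
    return U, V_j, U ** r * Z, (U_j ** b_j * V_j) ** r * Z_j


def blinding_invisible_to_token(G, rng):
    """Slides 16 and 27: a token element t in G_p pairs identically with X and
    with X*Z for any Z in G_q, so the blinding cancels inside Query."""
    t, X, Z = G.rand_Gp(rng), G.rand_Gp(rng), G.rand_Gq(rng)
    return G.pair(t, X * Z) == G.pair(t, X)


if __name__ == "__main__":
    # Constructed toy primes; real p and q are hundreds of bits and kept secret.
    G = CompositeGroup(1000000007, 998244353)
    rng = make_rng(2007)
    print("slide 14 facts hold:", subgroup_facts(G, rng))
    for b in (0, 1):
        print(f"b_j={b}: DDH test on slide-26 component -> "
              f"{ddh_test(G, *leaky_component(G, rng, b))}, "
              f"on slide-27 blinded component -> "
              f"{ddh_test(G, *blinded_component(G, rng, b))}")
    print("G_q blinding invisible to a G_p token:", blinding_invisible_to_token(G, rng))
```

In the unblinded component the test answers True exactly when b_j = 0, so the ciphertext leaks the bit vector. After blinding, the G_q parts of U^r·Z and of the component no longer match on the two sides of the pairing (the products e(R, Z_j) and e(Z, R_j') are independent random elements of the order-q part of G_T), so the test answers False regardless of b_j, while a token in G_p kills those G_q parts and still decrypts. Note that the model makes DDH trivially easy to anyone who reads exponents; the demonstration is only meaningful because the checks above restrict themselves to the group interface.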

Slide 28: Selectively secure Φ-query systems
Game between Challenger and Attacker:
1. Attacker commits to S_0, S_1 up front.
2. Challenger runs Setup(λ) and sends PK to the Attacker.
3. Attacker asks for tokens for P_1, P_2, …, P_q and receives T_1, T_2, …, T_q, subject to: for all j, P_j(S_0) = P_j(S_1).
4. Challenger picks b ← {0,1} and sends C ← Encrypt(PK, S_b).
5. Attacker outputs b' ∈ {0,1}.
The adversary wins if b = b'.