Secure Cloud Database

Introduction Cloud computing – IT as a service from third party service provider Security in cloud environment – Adversary corrupts the service provider? – Goal: protect sensitive data

Related Work Encryption Approach – NetDB2, IBM (Outsourced database) – Relational Cloud, CryptDB (MIT, CIDR 2011) TrustedDB using secure hardware (VLDB 2011 demo, Radu Sion) Fully homomorphic encryption (STOC 2009) Secure Multi-Party Computation Approach – ShareMind

NetDB2 Tuple 1xxxyyy Tuple 2aaabbb Tuple 1!a4a3g Tuple 2L%jm*K Value-level encryption SELECT * WHERE value = `xxx’SELECT * WHERE value = `!a4’ DB Encrypted DB Tuple 1P2 Tuple 2P1 + Partition information Partition: P1: < `m’; otherwise P2 SELECT * WHERE value < `xxx’SELECT * WHERE value in [P1, P2] Simple deterministic encryption

CryptDB Onion-encryption: multiple encryption done on 1 data 10 Original data encrypt E 1 (10) = A*65h OPES: numeric comparisons E 2 (A*65h) = BB647 Deterministic encryption Equality can be done Non-deterministic encryption No computation is feasible E 3 (BB647) = If the user wants more computation power, decrypt to the desired level (one way!)

Weakness of encryption approach Functions supported are not generic – For example: Supported (OPES): SELECT * WHERE SALARY > 6000 Not supported: SELECT * WHERE SALARY + BONUS > 6000

TrustedDB Provides generic functionality – Owner puts its keys in a secure hardware – The hardware is given to service provider – When there is computation on sensitive data, it can be done by the secure hardware Weakness – Processing power limited by secure hardware – Hardware management by owner IBM 4764 PCI-X Cryptographic Coprocessor

Fully homomorphic encryption Property: (E : encryption function) – E(x) + E(y) = E(x + y) ---- XOR gate for [0, 1] – E(x) E(y) = E(xy) ---- AND gate for [0, 1] Conceptually support any computations that can be represented by circuits – Difference: No branch operation (if-then-else) Weakness – Naturally not supporting select statement – Poor efficiency for large circuit so far

ShareMind Key: Secret sharing + recursive processing A B C Service Provider 1 Service Provider 2 Service Provider 3 Query Result D E F D + E + F = Result DB DB = A + B + C

Properties of ShareMind Generic operations – Recursive processing: the result of one computation can be the input of another computation, both result and input are hided in shares Weakness – Requires multiple non-colluding parties – Owner has no control (no key), poor sense of security

Objective Two party problem: owner and service provider (SP) The owner keeps a `key’ SP keeps an encrypted database Functions to be supported: generic selection Efficient operations

Overview of our approach MPC supports generic operations – Data hided in shares In other words: we encrypt by secret sharing Following questions: – How to encrypt exactly? – How to compute queries?

Our approach DB ABC SP2SP1SP3 Owner DBA BC SP1SP2 Owner MPC-based approach The owner keeps a copy; but it is large and the owner has to involve in query computation

Our approach Owner keeps a small share A (small storage) Without A, SP cannot recover DB (similar security strength as MPC) Owner has minimal involvement in MPC (low cost) DB A B SP Owner Our Model Share compression Message compression Functionality generality inherits from MPC

Background

Secret sharing (around 1980) 10 Secret 4 6 shares AliceBob 6+4 = 10 What is the secret value? Alice’s share would be 5? 20? -3? The secret is recovered only when the two parties exchange their shares

Secret sharing General case s Secret s1s1 s2s2 …snsn The secret can be divided into n parties, for any n s = g(s 1, s 2, …, s n ) Example: Sum of all shares (modular) Bitwise XOR of all shares Product, string concatenation, etc… Security requirement: Given k < n shares, it is hard to recover s

To design a generic secure database

How secure? The security model Negative result – Ideal security: Querying workflow: user issues query => service providers compute result and return to user Knowledge gained by service providers: NONE. Not even anything about query and result! – A solution achieving ideal security is not more efficient than a non-outsourcing solution (not using cloud)

Knowledge gained by service provider Output space of a simple selection query: varies from no tuple to the entire database – Even larger space if we consider joins Example knowledge gain – If the output size is small, the service provider knows it is not the case that the query selects entire table To hide the above information, each returned query result should be at least of size = entire table

Our security model Provides adequate security for practical use – Level 1 model: An attacker observes an instance of encrypted database but not other values. Security is said to be enforced if the attacker cannot recover the original database Example: Hack into the cloud server and copy the instance – Level 2 model: An attacker observes an instance of encrypted database and knows the original values of some of the tuples. Security is said to be enforced if the attacker cannot recover the values of other tuples Example: Hacker plants adversary programs on SP and observes the encrypted value and Similar to chosen-ciphertext attack (CPA)

Which level to use? Check which model fits! Example: – Name of 40 students in a class Domain size is small and is assumed to be public Easy to be mapped to the encrypted tuple Level 2 is recommended – Account balance in banks Values are not known to public Level 1 should be good enough At the same time, we will try to hide as much other information as possible

Information revealed to SP The service provider can observe – Query content The tables that are related to the query Number of conditions, types of conditions, attributes that are related – Query answer the set of shares of tuples in some query answer

Example query SELECT Name FROM Employer WHERE Salary > 6000 Transformed query may look like to one service provider SELECT ATTRIBUTE_7 FROM TABLE_A WHERE ATTRIBUTE_3 - X > 0 WITH PARAM_X = [1234, 3335, 222, 1119] WITH PARAM_CMP_X = [335, 17778]

Some basic design – level 2 model To hide the database, we use secret sharing DB = A + B In our case, we use multiplicative secret sharing – To store value v, we have ab = v (mod D) D: domain size The shares are a, b DB A B SP Owner

Sharing the sign bit We separate sign bit from the magnitude Example sharing – Sign bit can be recovered by multiplying the shares together Value Owner copy +2 SP copy Magnitude domain size: 3 The shares here are randomly generated

Share Compression (Ignore sign bit now) The shares of the DB is generated randomly Who decides the random shares? Lets use a pseudo random function

Share compression function Input: – key (secret to owner) – Tuple ID Requirements: – Support generic functionality (show later) – Secure (note: now considering level 2) IDX IDShare f(ID) = mID k mod n IDShare Share A Kept by owner Share B By SP k,m: secret key; n: public key k=2 m=1

Storage cost Linear to number of columns – Assuming the IDs are from 1-t Just need to remember t Note on the random function: – To make the input look like random, we have » f(ID) = mh(ID) k mod n h: any one-way hash Storage part is easy, how about computation? IDShare …… f(ID) = mID k mod n

How to do multiplication? Column-column multiplication – The two values are both in share format AB 1020 IDA (k = 1, m=5) B (k =2,m=1) 2104 AB 15 Real value Owner SP C = A X B (k = 3, m=5) m 1 m 2 x k1 x k2 = m 1 m 2 x k1+k2 k = 2 m=1 resharing 4 50 k=1 m=5 A = a1a2 B = b1b2 C = (a1b1)(a2b2) mID k = 10

Recap: operations at the parties A (k = 1, m=5) B (k =2,m=1) Owner SP AB …… C (k=2,m=1) C 50 … … …

Column-constant multiplication A 10 IDA (k = 1, m=1) 22 A 5 Real value Owner SP Constant B = 20 C = A X B (k = 1, m=20) k = 2 m=5 resharing k=-1 m=4 mID k = 2

Column-column addition A = a 1 a 2 B = b 1 b 2 – C = A + B => a 1 a 2 + b 1 b 2 – Goal: C = c 1 c 2 = a 1 a 2 + b 1 b 2 c 2 = a 1 c 1 -1 a 2 + b 1 c 1 -1 b 2 Owner: a1, b1 SP: a2, b2 Kept by owner

Column-column addition c 2 = a 1 c 1 -1 a 2 + b 1 c 1 -1 b 2 AB 1020 IDA (k = 1, m=5) B (k =2,m=1) 2104 AB 15 Real value Owner SP C = A + B 30 f(ID) = mID k 3.75 A:k=-1 m=2.5 C (k = 2, m = 2) 8 B:k=0 m= * * 5

Column-constant addition Add a constant to each tuple – Becomes column-column addition A AZ

Take care of the sign bit Secret sharing How to generate the shares at the owner? – Again, use share compression OwnerSPValue 1(+) 2(-) 1(+)2(-) 1(+) multiplication (mod 3)

Multiplication with sign bit AB IDA’s sign (k = 2, m=1) B’s sign (k =1,m=1) 24 (1, +)2 (2, -) AB 2, - Real value Owner SP C = A X B , + 8 (2, -) m 1 m 2 x k1 x k2 = m 1 m 2 x k1+k2 k = 2 m=2 resharing 8 (2, -) 1, + k=1 m=2 -1 = 2 k = 3 m=1 mod 3 1, +

Addition with sign bit The math is the same A = a 1 a 2 B = b 1 b 2 – C = A + B => a 1 a 2 + b 1 b 2 – Goal: C = c 1 c 2 = a 1 a 2 + b 1 b 2 c 2 = a 1 c 1 -1 a 2 + b 1 c 1 -1 b 2

Addition with sign bit c 2 = a 1 c 1 -1 a 2 + b 1 c 1 -1 b 2 AB IDA (k = 1, m=5) B (k =2,m=1) 2104 Sign(k=1, m = 2) 4 (1, +) (k=2, m = 2) 8 (2, -) AB Value15 Sign2, - Real value Owner SP C = A + B 10 f(ID) = mID k 1.25 A:k=-1 m=2.5 C (k = 2, m = 2) Value8 Sign(k=1, m=2) 4 (1, +) B:k=0 m= * -1 + (-0.5) * (-5) (k=0, m = 1) => 1 (1, +) (k=1, m = 1) => 2 (2, -)

Implication with numeric operations Addition on [0, 1] represents XOR gate Multiplication on [0, 1] represents AND gate The above operations can be applied repeatedly – Function that can be expressed as a function can be computed, theoretically Branch operation, i.e., comparison?

Comparison operation Target: Column > 0 – General comparisons can be transformed to above by additions and multiplications Example: SELECT * WHERE X*X + Y+Y – 2* X*Y – 10 > 0 The above can be obtained by looking at the sign bit, shared by the owner and SP

Building logic gate Note 1: we represent positive as 1; negative as 2; 0 has no meaning The share compression function is the same for sign bit and magnitude. Multiplication and addition can be done on sign bits.

Logical operation Multiplying 2 (at SP) Multiplying two sign bits Sign 1Sign 2Result 1(+) T 2(-) F 1(+) T2(-) F 1(+) T XNOR gate Sign 1Result 1(+) T2(-) F 1(+) T NOT gate XOR gate

Logical operation (Sign1 – 1) * (sign2 – 1) + 1 – Sign1 sign2 – sign1 – sign2 + 2 sign1sign2(s1 – 1)(s2 – 1)Result 1(+) T 0 2(-) F01(+) T 2(-) F1(+) T0 2(-) F 1 OR gate NOR gate

Logical operation (2Sign1 – 1) * (2sign2 – 1) + 1 = 4Sign1 sign2 – 2sign1 – 2sign2 + 2 sign1sign22sign12sign22s1 – 12s2 – 1 1(+) T (-) F2110 1(+) T1201 2(-) F 1100 NAND gate AND gate (2s1 – 1)(2s2 – 1)Result 12(+) F 01(+) T 0 0

Summary Logical operations supported – Example SELECT * WHERE X > 100 AND Y < 200 The final predicate result is revealed to SP (owner sends SP its own share function on the final boolean value) Corresponding tuples are sent back to the owner