rct2 scenario

Transcription

rct2 scenario
NordSec 2014
Tromsø, Norway, October 16th
Processing private queries over an
obfuscated databased using hidden vector
encryption
Alberto Trombetta
Università dell’Insubria
Giuseppe Persiano
Università di Salerno
Stefano Braghin
IBM Dublin
Scenario
• User U1 manages its private database DB1
U1
U2
DB1
U3
Scenario
• User U1 manages its private databases DB1
• Users U2 and U3 access DB1 according to their policies
U1
U2
DB1
U3
Access policies and
queries
• Any user satisfying P may access the result of
query Q
• Q: ”Alice can retrieve name and address of
customers having income equal to 50k $ and
age equal to 40"
• Q: view (selection-projection) on a table
Desiderata
• Users satisfying P should access only the answer
set of query Q
• The query language should be expressive
• The protection mechanism should be efficient
Solution overview
• We propose an attribute-based encryption
scheme such that:
• Data are encrypted according to the values
stored in the DB
• Decryption keys depend on query Q and are
distributed to legitimate users
• Legitimate users access only data satisfying
query Q
More in detail
1) encrypt with an attribute-based scheme
U1
DB1
2) generate decryption keys related to Q
More in detail
3) distribute decryption keys
U1
DB1
U2
More in detail
3) use decryption keys
DB1
U2
4) get the answer set of Q
Hidden Vector
Encryption
• Encryption vector ~
x
• Attribute vector ~y
x
• Encryption depends on ~
• Decryption key depends on ~y
x and ~y “agree”
• Decryption ok if ~
Hidden Vector
Encryption
• Setup(k, l) = hmpk, mski (and groups parameters)
x) = ct
• Enc(mpk, m, ~
y ) = tk
• KeyGen(msk, ~
Dec(ct, tk) = m if
Match(~x, ~y ) = 1
Match ok if xi
= yi or yi = ⇤
Bilinear pairing
• groups G and GT
• non-degenerate bilinear pairing map e : G ⇥ G ! GT
• That is,
• for all g ≠ 1
a
e(g, g) 6= 1
b
• e(g , g ) = e(g, g)
Note:
g generator of G
ab
e is easily computable
a, b 2 Zp
e(g, g) generator of GT
Dual Pairing Vector Space
framework
• Extend the bilinear map to vectors over G
Y
e(xi , yi )
• e(~x, ~y ) =
i
• B
B
⇤
-orthogonal matrices over G :
2 Fq
⇤
e(Bi , Bi )
= e(g, g)
⇤
e(Bi , Bj )
= 1T
Dual Pairing Vector Space
framework
• matrices X
n⇥n
T
⇤
F
X
·
X
=
s.t.
X over q
⇤
. . . , 0, g, 0, . . . , 0i
• Given Ai = h0,
| {z } | {z }
i 1
n i
• Compute vectors
Bi =
n
X
-orthogonal
• Denote with (x1 , . . . , xn )B
Bi⇤ =
j=1
• The matrices B = hB1 , . . . , Bn i
are
xij Aj
·I
n
X
x⇤ij Aj
j=1
B ⇤ = hB1⇤ , . . . , Bn⇤ i
the sum
n
X
i=1
xi Bi
Why use DPVS?
• The cleartext’s alphabet has cardinality |GT |
• GT is big
1000
⇠2
(see experiments)
• That is, lots of values can be mapped in GT
Setup
q
l
2 Fq
r
g2G
U1
r
gT = e(g, g)
i
0
l
msk = hB , . . . , B , gT i
0
l
mpk = hC , . . . , C i
i
(B , C )
i = 0, . . . , l
-orthogonal 3x3 matrices
with coefficients in G
Encryption
mpk
~x
m 2 Gt
~x = hx1 , . . . , xl i 2 Fq
l
z, w0 , . . . , wl 2 Fq
r
m
c = m · gT
U1
z
c0 = (w0 , z, 0)B 0
ci = (wi , wi · xi , w0 )B i
ct = hc, c0 , . . . , cl i
i = 0, . . . , l
KeyGen
S set of indexes
s.t. yi 6= ⇤
~y = hy1 , . . . , yl i 2 (Fq [ {⇤})
l
~y
msk
⌘ 2 Fq
r
d i , s i 2 Fq
i2S
r
X
s0 =
si
U1
i2S
k0 = (s0 , 1, ⌘)C 0
ki = (di · yi , di , si )C i
tk = hk0 , (ki )i2S i
U2
Decryption
Assume Match(~
x, ~y ) = 1
Compute
e(k0 , c0 ) ·
c
Q
i2S
e(ki , ci )
tk
By
ct
0
and
C
-orthogonality of B
0
s0
e(k0 , c0 ) = e(g , g
U2
w0 +z
m
By pairing bilinearity
=
s0 w0 +z
gT
)
Decryption
Assume Match(~
x, ~y ) = 1
Compute
e(k0 , c0 ) ·
c
Q
i2S
e(ki , ci )
tk
By
ct
0
and
C
-orthogonality of B
0
s0
e(k0 , c0 ) = e(g , g
U2
w0 +z
m
By pairing bilinearity
=
s0 w0 +z
gT
)
Decryption
Assume Match(~
x, ~y ) = 1
Compute
e(k0 , c0 ) ·
c
Q
i2S
e(ki , ci )
tk
By
ct
0
and
C
-orthogonality of B
0
s0
e(k0 , c0 ) = e(g , g
U2
w0 +z
m
By pairing bilinearity
=
s0 w0 +z
gT
)
Decryption
By
i
and
(and by bilinearity)
C
-orthogonality of B
i
e(ki , ci ) =
tk
ct
di wi (xi yi )+w0 si
gT
If xi = yi
U2
Y
e(ki , ci ) =
w0
gt
i2S
m
= gt
P
i2S
s0 w 0
si
Decryption
=
tk
ct
e(c0 , k0 ) ·
c
Q
i2S
m · gTz
= s0 w0 +z
s0 w 0
gT
· gT
U2
m
e(ci , ki )
Selection
A1
A2
A3
A4
v11
v21
v31
v41
v12
v22
...
...
Q:“columns A1 and A2
have values a1 and a2”
U1
U2
Setup: use HVE-DPVS with l=4
Encryption
A1
ct1
A2
A3
A4
1) Encrypt row 1 with symmetric scheme with random
secret key m1
rct1
v12
v22
...
...
U1
2) Encrypt row 2 with symmetric scheme
with random secret key m2
...
3) Encrypt mi with HVE-DPVS with encryption
vector <v1i,v2i,v3i,v4i>
4) publish <cti, rcti> for every row
KeyGen
1) generate tk with attribute vector <a1,a2,*,*>
ct1
rct1
ct2
rct2
ct3
rct3
...
...
...
...
U1
U2
2) send tk to U2
Decryption
1) try to decrypt every encrypted symmetric key with tk
ct1
rct1
2) only the ones having the right values
ct2
rct2
in the right places will succeed
m3
rct3
...
...
m5
rct5
U2
Decryption
1) try to decrypt every encrypted symmetric key with tk
ct1
rct1
2) only the ones having the right values
ct2
rct2
in the right places will succeed
m3 v13
v23
v43
U2
...
...
m5 v15
v33
v25
v35
v45
3) decrypt with AES the corresponding rows
Interestingly
One DB encryption...
ct1
rct1
ct2
rct2
ct3
rct3
...
...
...
...
U3
U1
U2
Interestingly
One DB encryption...
ct1
rct1
ct2
rct2
ct3
rct3
...
...
...
...
U3
tkU3
U1
tkU2
tk’U2
U2
...many queries
Selection/projection
A1
A2
A3
A4
v11
v21
v31
v41
v12
v22 ... ...
Q:“columns A3 and A4 where
column A1 has value a1”
Setup: same as HVE-DPVS with l=5
additional attribute encodes the
projected columns
Encryption
ct11
A1
A2
A3
A4
vct11
v21
v31
v41
v12
v22 ... ...
1) Encrypt value v11 with symmetric scheme with
random secret key m11
U1
2) Encrypt value v21 with symmetric scheme
with random secret key m21
...
3) Encrypt mji with HVE with
encryption vector <j,v1i,v2i,v3i,v4i>
4) publish <ctji, vctji>
KeyGen
1) generate tk3 with attribute vector <3,a1,*,*,*>
ct11
vct11
vct21
vct31
vct41
vct12
vct12
... ...
2)generate tk4 with attribute vector <4,a1,*,*,*>
U1
U2
3) send tk3 and tk4 to U2
⚠ #encryptions = #columns ⋅ #rows
Amortized HVE
• For every row, encryption vectors of secret
keys differ only in the first component
ct21
1
ct3
vct11
vct21
...
ct41
...
...
...
...
...
...
h2, v11 , v21 , v31 , v41 i
ct11
...
h1, v11 , v21 , v31 , v41 i
Amortized HVE
• Note: for every row, encryption vectors of
secret keys differ only in the first component
Is it possible to
reduce the
encryption size?
ct21
1
ct3
vct11
vct21
...
ct41
...
...
...
...
...
...
h2, v11 , v21 , v31 , v41 i
ct11
...
h1, v11 , v21 , v31 , v41 i
Reusing pieces
h1, v11 , v21 , v31 , v41 i
h2, v11 , v21 , v31 , v41 i
ct11
ct21
1
ct3
1
vct1
1
vct2
ct41
...
...
...
...
hk2 , X1 , X2 , X3 , X4 , M2 i
...
...
...
hk1 , X1 , X2 , X3 , X4 , M1 i
...
Reusing pieces
ct11
h1, v11 , v21 , v31 , v41 i
ct21
h2, v11 , v21 , v31 , v41 i
1
ct3
1
vct1
1
vct2
ct41
...
...
...
...
hk2 ,
, M2 i
...
, M1 i
...
...
hk1 ,
X1 , X2 , X3 , X4
...
Parametric queries
Qp:“columns A1 and A2 have values x and y”
U1 computes a parametric token tkQp without specifying
the actual values to be searched
U1
Parametric queries
Qp:“columns A1 and A2 have values x and y”
U1 computes a parametric token tkQp without specifying
the actual values to be searched
U1
tkQp plus values for x and y yield tkQ
U2
Parametric queries
Qp:“columns A1 and A2 have values a and b”
U1 computes a parametric token tkQp without specifying
the actual values to be searched
U1
tkQp plus values for x and y yield tkQ
U2
tkQ
Security
• Decision Linear assumption:
• Given g
a
g
b
• Decide if v = g
g
ac
g
bd
v2G
c+d
• HVE-DPVS is adaptively attribute-hiding secure
against plaintext attack under DLIN assumption
Architecture
tkQ
DB
QP
Architecture
retrieve column with
HVE-encrypted
AES keys
DB
QP
tkQ
Architecture
retrieve column with
HVE-encrypted
AES keys
DB
retrieve right
AES-encrypted
rows
DecHVE
QP
tkQ
Architecture
retrieve column with
HVE-encrypted
AES keys
DB
retrieve right
AES-encrypted
rows
DecHVE
QP
DecAES
tkQ
Architecture
retrieve column with
HVE-encrypted
AES keys
DB
retrieve right
AES-encrypted
rows
tkQ
DecHVE
QP
DecAES
answer to Q
Experimental results
3.5e+06
QP implemented in Python
using CHARM library
2.5e+06
2e+06
1.5e+06
1e+06
SQLite as RDBMS
500000
0
100
200
300
400
500
600
700
800
900
1000
Number of rows
16
SN512
MNT159
14
MNT224
G , GT elements’ bitsizes:
SS512: 512, 1024
MNT159: 159, 954
12
Time in seconds
Number of bytes
Clear
SS512
3e+06 MNT159
MNT224
10
8
6
4
2
MNT224: 224, 1344
0
1
2
3
4
5
Number of predicates
6
7
8
Future steps
• More expressive queries (joins, inequality
predicates, aggregation operators)
• Better cost estimation of the query processor
• Integration in a cloud architecture
• More extensive experiments (TPC)
Questions?
[email protected]