rct2 scenario
Transcription
rct2 scenario
NordSec 2014 Tromsø, Norway, October 16th Processing private queries over an obfuscated databased using hidden vector encryption Alberto Trombetta Università dell’Insubria Giuseppe Persiano Università di Salerno Stefano Braghin IBM Dublin Scenario • User U1 manages its private database DB1 U1 U2 DB1 U3 Scenario • User U1 manages its private databases DB1 • Users U2 and U3 access DB1 according to their policies U1 U2 DB1 U3 Access policies and queries • Any user satisfying P may access the result of query Q • Q: ”Alice can retrieve name and address of customers having income equal to 50k $ and age equal to 40" • Q: view (selection-projection) on a table Desiderata • Users satisfying P should access only the answer set of query Q • The query language should be expressive • The protection mechanism should be efficient Solution overview • We propose an attribute-based encryption scheme such that: • Data are encrypted according to the values stored in the DB • Decryption keys depend on query Q and are distributed to legitimate users • Legitimate users access only data satisfying query Q More in detail 1) encrypt with an attribute-based scheme U1 DB1 2) generate decryption keys related to Q More in detail 3) distribute decryption keys U1 DB1 U2 More in detail 3) use decryption keys DB1 U2 4) get the answer set of Q Hidden Vector Encryption • Encryption vector ~ x • Attribute vector ~y x • Encryption depends on ~ • Decryption key depends on ~y x and ~y “agree” • Decryption ok if ~ Hidden Vector Encryption • Setup(k, l) = hmpk, mski (and groups parameters) x) = ct • Enc(mpk, m, ~ y ) = tk • KeyGen(msk, ~ Dec(ct, tk) = m if Match(~x, ~y ) = 1 Match ok if xi = yi or yi = ⇤ Bilinear pairing • groups G and GT • non-degenerate bilinear pairing map e : G ⇥ G ! GT • That is, • for all g ≠ 1 a e(g, g) 6= 1 b • e(g , g ) = e(g, g) Note: g generator of G ab e is easily computable a, b 2 Zp e(g, g) generator of GT Dual Pairing Vector Space framework • Extend the bilinear map to vectors over G Y e(xi , yi ) • e(~x, ~y ) = i • B B ⇤ -orthogonal matrices over G : 2 Fq ⇤ e(Bi , Bi ) = e(g, g) ⇤ e(Bi , Bj ) = 1T Dual Pairing Vector Space framework • matrices X n⇥n T ⇤ F X · X = s.t. X over q ⇤ . . . , 0, g, 0, . . . , 0i • Given Ai = h0, | {z } | {z } i 1 n i • Compute vectors Bi = n X -orthogonal • Denote with (x1 , . . . , xn )B Bi⇤ = j=1 • The matrices B = hB1 , . . . , Bn i are xij Aj ·I n X x⇤ij Aj j=1 B ⇤ = hB1⇤ , . . . , Bn⇤ i the sum n X i=1 xi Bi Why use DPVS? • The cleartext’s alphabet has cardinality |GT | • GT is big 1000 ⇠2 (see experiments) • That is, lots of values can be mapped in GT Setup q l 2 Fq r g2G U1 r gT = e(g, g) i 0 l msk = hB , . . . , B , gT i 0 l mpk = hC , . . . , C i i (B , C ) i = 0, . . . , l -orthogonal 3x3 matrices with coefficients in G Encryption mpk ~x m 2 Gt ~x = hx1 , . . . , xl i 2 Fq l z, w0 , . . . , wl 2 Fq r m c = m · gT U1 z c0 = (w0 , z, 0)B 0 ci = (wi , wi · xi , w0 )B i ct = hc, c0 , . . . , cl i i = 0, . . . , l KeyGen S set of indexes s.t. yi 6= ⇤ ~y = hy1 , . . . , yl i 2 (Fq [ {⇤}) l ~y msk ⌘ 2 Fq r d i , s i 2 Fq i2S r X s0 = si U1 i2S k0 = (s0 , 1, ⌘)C 0 ki = (di · yi , di , si )C i tk = hk0 , (ki )i2S i U2 Decryption Assume Match(~ x, ~y ) = 1 Compute e(k0 , c0 ) · c Q i2S e(ki , ci ) tk By ct 0 and C -orthogonality of B 0 s0 e(k0 , c0 ) = e(g , g U2 w0 +z m By pairing bilinearity = s0 w0 +z gT ) Decryption Assume Match(~ x, ~y ) = 1 Compute e(k0 , c0 ) · c Q i2S e(ki , ci ) tk By ct 0 and C -orthogonality of B 0 s0 e(k0 , c0 ) = e(g , g U2 w0 +z m By pairing bilinearity = s0 w0 +z gT ) Decryption Assume Match(~ x, ~y ) = 1 Compute e(k0 , c0 ) · c Q i2S e(ki , ci ) tk By ct 0 and C -orthogonality of B 0 s0 e(k0 , c0 ) = e(g , g U2 w0 +z m By pairing bilinearity = s0 w0 +z gT ) Decryption By i and (and by bilinearity) C -orthogonality of B i e(ki , ci ) = tk ct di wi (xi yi )+w0 si gT If xi = yi U2 Y e(ki , ci ) = w0 gt i2S m = gt P i2S s0 w 0 si Decryption = tk ct e(c0 , k0 ) · c Q i2S m · gTz = s0 w0 +z s0 w 0 gT · gT U2 m e(ci , ki ) Selection A1 A2 A3 A4 v11 v21 v31 v41 v12 v22 ... ... Q:“columns A1 and A2 have values a1 and a2” U1 U2 Setup: use HVE-DPVS with l=4 Encryption A1 ct1 A2 A3 A4 1) Encrypt row 1 with symmetric scheme with random secret key m1 rct1 v12 v22 ... ... U1 2) Encrypt row 2 with symmetric scheme with random secret key m2 ... 3) Encrypt mi with HVE-DPVS with encryption vector <v1i,v2i,v3i,v4i> 4) publish <cti, rcti> for every row KeyGen 1) generate tk with attribute vector <a1,a2,*,*> ct1 rct1 ct2 rct2 ct3 rct3 ... ... ... ... U1 U2 2) send tk to U2 Decryption 1) try to decrypt every encrypted symmetric key with tk ct1 rct1 2) only the ones having the right values ct2 rct2 in the right places will succeed m3 rct3 ... ... m5 rct5 U2 Decryption 1) try to decrypt every encrypted symmetric key with tk ct1 rct1 2) only the ones having the right values ct2 rct2 in the right places will succeed m3 v13 v23 v43 U2 ... ... m5 v15 v33 v25 v35 v45 3) decrypt with AES the corresponding rows Interestingly One DB encryption... ct1 rct1 ct2 rct2 ct3 rct3 ... ... ... ... U3 U1 U2 Interestingly One DB encryption... ct1 rct1 ct2 rct2 ct3 rct3 ... ... ... ... U3 tkU3 U1 tkU2 tk’U2 U2 ...many queries Selection/projection A1 A2 A3 A4 v11 v21 v31 v41 v12 v22 ... ... Q:“columns A3 and A4 where column A1 has value a1” Setup: same as HVE-DPVS with l=5 additional attribute encodes the projected columns Encryption ct11 A1 A2 A3 A4 vct11 v21 v31 v41 v12 v22 ... ... 1) Encrypt value v11 with symmetric scheme with random secret key m11 U1 2) Encrypt value v21 with symmetric scheme with random secret key m21 ... 3) Encrypt mji with HVE with encryption vector <j,v1i,v2i,v3i,v4i> 4) publish <ctji, vctji> KeyGen 1) generate tk3 with attribute vector <3,a1,*,*,*> ct11 vct11 vct21 vct31 vct41 vct12 vct12 ... ... 2)generate tk4 with attribute vector <4,a1,*,*,*> U1 U2 3) send tk3 and tk4 to U2 ⚠ #encryptions = #columns ⋅ #rows Amortized HVE • For every row, encryption vectors of secret keys differ only in the first component ct21 1 ct3 vct11 vct21 ... ct41 ... ... ... ... ... ... h2, v11 , v21 , v31 , v41 i ct11 ... h1, v11 , v21 , v31 , v41 i Amortized HVE • Note: for every row, encryption vectors of secret keys differ only in the first component Is it possible to reduce the encryption size? ct21 1 ct3 vct11 vct21 ... ct41 ... ... ... ... ... ... h2, v11 , v21 , v31 , v41 i ct11 ... h1, v11 , v21 , v31 , v41 i Reusing pieces h1, v11 , v21 , v31 , v41 i h2, v11 , v21 , v31 , v41 i ct11 ct21 1 ct3 1 vct1 1 vct2 ct41 ... ... ... ... hk2 , X1 , X2 , X3 , X4 , M2 i ... ... ... hk1 , X1 , X2 , X3 , X4 , M1 i ... Reusing pieces ct11 h1, v11 , v21 , v31 , v41 i ct21 h2, v11 , v21 , v31 , v41 i 1 ct3 1 vct1 1 vct2 ct41 ... ... ... ... hk2 , , M2 i ... , M1 i ... ... hk1 , X1 , X2 , X3 , X4 ... Parametric queries Qp:“columns A1 and A2 have values x and y” U1 computes a parametric token tkQp without specifying the actual values to be searched U1 Parametric queries Qp:“columns A1 and A2 have values x and y” U1 computes a parametric token tkQp without specifying the actual values to be searched U1 tkQp plus values for x and y yield tkQ U2 Parametric queries Qp:“columns A1 and A2 have values a and b” U1 computes a parametric token tkQp without specifying the actual values to be searched U1 tkQp plus values for x and y yield tkQ U2 tkQ Security • Decision Linear assumption: • Given g a g b • Decide if v = g g ac g bd v2G c+d • HVE-DPVS is adaptively attribute-hiding secure against plaintext attack under DLIN assumption Architecture tkQ DB QP Architecture retrieve column with HVE-encrypted AES keys DB QP tkQ Architecture retrieve column with HVE-encrypted AES keys DB retrieve right AES-encrypted rows DecHVE QP tkQ Architecture retrieve column with HVE-encrypted AES keys DB retrieve right AES-encrypted rows DecHVE QP DecAES tkQ Architecture retrieve column with HVE-encrypted AES keys DB retrieve right AES-encrypted rows tkQ DecHVE QP DecAES answer to Q Experimental results 3.5e+06 QP implemented in Python using CHARM library 2.5e+06 2e+06 1.5e+06 1e+06 SQLite as RDBMS 500000 0 100 200 300 400 500 600 700 800 900 1000 Number of rows 16 SN512 MNT159 14 MNT224 G , GT elements’ bitsizes: SS512: 512, 1024 MNT159: 159, 954 12 Time in seconds Number of bytes Clear SS512 3e+06 MNT159 MNT224 10 8 6 4 2 MNT224: 224, 1344 0 1 2 3 4 5 Number of predicates 6 7 8 Future steps • More expressive queries (joins, inequality predicates, aggregation operators) • Better cost estimation of the query processor • Integration in a cloud architecture • More extensive experiments (TPC) Questions? [email protected]