Conjunctive, Subset, and Range Queries on Encrypted Data

Slides: 29
Provided by: danb180
Transcript and Presenter's Notes

1
Conjunctive, Subset, and Range Queries on Encrypted Data
Dan Boneh (Stanford University), Brent Waters (SRI International)
2
Encryption Systems: Traditional View
3
Encryption Systems: New View
  • Salil gives partial capabilities to Charlie
  • Charlie learns what he needs to know
  • Focus on Searching Systems

[Diagram label: PK_Salil]
4
Filtering Encrypted Email
  • Set containment queries
  • Server learns nothing other than containment status.

[Diagram: the mail server holds token T_spam (from SK_alice) and tests E(PK_alice, email) for "From ∈ Blacklist", answering Yes or No]
5
Routing Encrypted Email
  • Conjunction queries

[Diagram: the mail server holds token T_cell (from SK_alice) and tests E(PK_alice, email) for "From ∈ Friends AND subject = urgent", answering Yes or No]
6
Long term goal
  • Goal: Public-key encryption system supporting any predicate (poly-size circuits)
  • Sample application:
  • Spam predicate: P(m) = 1 if m is spam email
  • ⇒ Mail server filters out encrypted spam email without decrypting email.
  • seems far off

7
History
  • To date: primary focus on equality queries
  • [SWP00, GO87]: Equality queries on symmetric-key encrypted data
  • [BDOP04, AB05]: Equality queries on public-key encrypted data

8
Definitions
  • Let Φ = {P_1, …, P_n} be a set of predicates over Σ.
  • P_i : Σ → {0,1}, e.g. P_j(S) = 1 ⇔ S ? j
  • A Φ-query system consists of 4 algorithms:
  • Setup(λ): outputs PK and SK
  • Encrypt(PK, S) → ciphertext C (S ∈ Σ)
  • GenToken(SK, <P>) → token T_P (P ∈ Φ)
  • Query(T_P, C) → output P(S)
  • (Can allow message decryption on hit, when P(S) = 1)
9
Security
  • Example: Σ = {1, …, n}, P_j(x) = 1 ⇔ x ? j
  • Adversary can request arbitrary tokens
  • Clearly, adversary can distinguish
  • Encrypt(PK, x) from Encrypt(PK, y)
  • but Encrypt(PK, x) and Encrypt(PK, z)
  • should be indistinguishable

[Diagram: axis from 1 to n]
10
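Secure Φ-query systems
  • Semantic security in the presence of arbitrary tokens

[Diagram: security game between Challenger and Attacker. The challenger runs Setup(λ); the attacker's queries P_1, P_2, …, P_q are answered with tokens T_1, T_2, …, T_q, s.t. ∀j: P_j(S_0) = P_j(S_1). Adversary wins if b = b′.]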
11
The trivial brute-force system
  • Φ = {P_1, …, P_n}; (KeyGen, Enc, Dec): pub-key system
  • Setup(λ): Run KeyGen(λ) n times
  • PK ← (PK_1, …, PK_n), SK ← (SK_1, …, SK_n)
  • Encrypt(PK, S):
  • output C ← (C_1, …, C_n)
  • GenToken(SK, P_i): output T ← SK_i
  • Query(T, C): output Dec(SK_i, C_i)
  • Parameters: CT = O(n), T = O(1)

12
Best known constructions [BSW06, BW06]
  • Encrypt S ∈ {1, …, n} (sizes in number of group elements)
  • Encrypt S = (S_1, …, S_w) ∈ {1, …, n}^w --- conjunctions

Query                              Trivial CT   Best known CT
Equality (S = a)                   O(n)         O(1)
Comparison (S ? a)                 O(n)         O(√n)
Subset (S ∈ A)                     O(2^n)       O(n)

Query                              Trivial CT   Best known CT
S_1 = a_1 ∧ … ∧ S_w = a_w          O(n^w)       O(w)
S_1 ? a_1 ∧ … ∧ S_w ? a_w          O(n^w)       O(nw)
S_1 ∈ A_1 ∧ … ∧ S_w ∈ A_w          O(2^(nw))    O(nw)
13
Bilinear maps
  • G, G_T: finite cyclic groups of prime order q.
  • Def: An admissible bilinear map e: G × G → G_T is:
  • Bilinear: e(g^a, g^b) = e(g,g)^(ab) ∀ a,b ∈ Z, g ∈ G
  • Non-degenerate: g generates G ⇒ e(g,g) generates G_T.
  • Efficiently computable.

14
Bilinear groups of order N = pq [BGN05]
  • G: group of order N = pq. (p, q) secret.
  • bilinear map: e: G × G → G_T
  • G = G_p × G_q. g_p = g^q ∈ G_p, g_q = g^p ∈ G_q
  • Facts: h ∈ G ⇒ h = (g_q)^a · (g_p)^b
  • e(g_p, g_q) = e(g^q, g^p) = e(g,g)^N = 1
  • e(g_p, h) = e(g_p, g_p)^b !!

15
Subset query system
  • Goal: for any S ∈ {1, …, n} and A ⊆ {1, …, n} answer queries of type P_A(S) = 1 ⇔ S ∈ A
  • Example: FromAddress ∈ Friends
  • Trivial system: CT = O(2^n); our goal: CT = O(n)
  • Approach: reformulate as conjunctive equality query
  • Encode S ∈ {1, …, n} in unary:
  • ?(S) = (s_1, …, s_n) ∈ {0,1}^n
  • Then S ∈ A ⇔ ∧_{a ∈ A^c} (s_a = 0)

[Diagram: example unary vector 0 0 0 1 0 0 0]
16
Construction Intuition
  • 1st Attempt:
  • Use IBE techniques to encrypt to vector identity (s_1, …, s_n) ⇒ Get message if true
  • Problem: Can test identity by testing for DDH tuples between CT and PK
  • Solution:
  • Make CTs, PK random in G_q ⇒ not DDH tuples
  • Tokens in G_p ⇒ G_q does not matter after pairing
  • Intuition: Disallow unintended application of pairing

17
Security
  • Thm: The system is a selectively secure subset query system assuming:
  • Bilinear-DH assumption, and
  • Composite 3-party DH assumption
  • Implied by Boneh's Uber-Assumption

18
Summary and Open Problems
  • Queries on public key encrypted data
  • Equality queries: efficient
  • Comparison queries: plaintext ? t
  • Implies traitor tracing
  • Best construction: CT = O(sqrt(n))
  • Open: CT = O(log n)
  • Subset queries: plaintext ∈ A
  • Best construction: CT = O(n)
  • Open: CT = O(log n)
  • Similar constructions/questions for conjunctive queries

19
THE END
20
History
  • To date: primary focus on equality queries
  • [SWP00, GO87]: Equality queries on symmetric-key encrypted data
  • [BDOP04, AB05]: Equality queries on public-key encrypted data
  • [OS05, BSW06]: Equality queries that hide predicate from server
  • [BBO06]: Efficient equality searches in databases
  • [BCPSS06]: Range queries in a weaker security model

21
Motivation: a few examples
  • Example 1:
  • Visa gateway: Forwarding encrypted CC transactions to the Visa system

[Diagram: Enc(PK_visa, Transaction) arrives at the VISA Gateway, which holds token T_1000 (SK_visa → T_1000). Yes → High Security Processor (D); No → Low Security Processor (D). Transaction fields: VALUE, Exp-Date.]
22
Conjunction queries
  • Goal: gateway should not learn which conjunct failed.
  • ⇒ Visa cannot simply give gateway two tokens

[Diagram: the VISA Gateway holds token T_P (SK_visa → T_P) for the predicate "VALUE > 1000 AND exp-date < April 2007". Yes → High Security Processor (D); No → Low Security Processor (D). Transaction fields: VALUE, Exp-Date.]
23
Best known constructions [BSW06, BW06]
  • Encrypt S ∈ {1, …, n} (sizes in number of group elements)
  • Encrypt S = (S_1, …, S_w) ∈ {1, …, n}^w --- conjunctions

Query                              Trivial CT   Lower bound   Best known CT   Best known T
Equality (S = a)                   O(n)         O(log n)      O(log n)        O(log n)
Comparison (S ? a)                 O(n)         O(log n)      O(√n)           O(√n)
Subset (S ∈ A)                     O(2^n)       O(log n)      O(n)            O(n-A)

Query                              Trivial CT   Lower bound   Best known CT   Best known T
S_1 = a_1 ∧ … ∧ S_w = a_w          O(n^w)       O(w·log n)    O(w·log n)      O(w·log n)
S_1 ? a_1 ∧ … ∧ S_w ? a_w          O(n^w)       O(w·log n)    O(nw)           O(w·log n)
S_1 ∈ A_1 ∧ … ∧ S_w ∈ A_w          O(2^(nw))    O(w·log n)    O(nw)           O(w·A)
24
The full system
  • ... But cannot prove the system secure.
  • The full system: add y_1, …, y_n to SK
  • GenToken(SKw, A ⊆ {1, …, n}): t_{1,1}, t_{1,2}, … ∈ Z_N
  • T_A ← ( w^? · ∏_{a ∈ A^c} (v_a)^(t_{a,1}) · (y_a)^(t_{a,2}),
  • (u_1^(t_{1,1}), y_1^(t_{1,2})), …,
  • (u_n^(t_{n,1}), y_n^(t_{n,2})) )
  • Thm: The system is a selectively secure subset query system assuming:
  • Bilinear-DH assumption, and
  • Composite 3-party DH assumption
25
The full system
  • ... But cannot prove the system secure. (Need a bit more)
  • Thm: The system is a selectively secure subset query system assuming:
  • Bilinear-DH assumption, and
  • Composite 3-party DH assumption
  • (Fragments of Uber-assumption)

26
Binary conjunctive equality queries
  • A failed attempt: using standard IBE technology [BB04]
  • G: bilinear group. w, u, u_1, …, v_1, … ∈ G
  • Encrypt(PK, b = (b_1, …, b_n), M): r ∈ Z_q
  • C ← ( e(u,w)^r, u^r, (u_1^(b_1) v_1)^r, …, (u_n^(b_n) v_n)^r )
  • GenToken(SKw, A ⊆ {1, …, n}): t_1, …, t_n ∈ Z_q
  • T_A ← ( w^? · ∏_{a ∈ A^c} (v_a)^(t_a), u^(t_1), …, u^(t_n) )
  • Query(T_A, C): If (∀ a ∈ A^c: b_a = 0)
  • then algebra returns M, otherwise random in G
  • Problem: C leaks (b_1, …, b_n)
  • b_j = 0 ⇒ (u, v_j, u^r, (u_j^(b_j) v_j)^r) is a DDH tuple
27
Composite order groups to the rescue
  • G = G_p × G_q: composite order group. w, u, u_1, …, v_1, … ∈ G_p
  • PK: Blind u's and v's by G_q:
  • U_i ← u_i · R_i, V_i ← v_i · R′_i where R_i, R′_i ∈ G_q
  • Encrypt(PK, b = (b_1, …, b_n), M): r ∈ Z_N; Z, Z_1, … ∈ G_q
  • C ← ( e(u,w)^r, U^r · Z, (U_1^(b_1) V_1)^r · Z_1, …, (U_n^(b_n) V_n)^r · Z_n )
  • No change to GenToken and Query
  • Note: R_j, Z_i terms cancel in Query.
  • Main point: now DDH attack fails: b_j = 0, but (U, V_j, U^r · Z, (U_j^(b_j) V_j)^r · Z_j) not a DDH tuple in G

28
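Selectively secure Φ-query systems

[Diagram: selective security game between Challenger and Attacker. The attacker announces S_0, S_1; the challenger runs Setup(λ); the attacker's queries P_1, P_2, …, P_q are answered with tokens T_1, T_2, …, T_q, s.t. ∀j: P_j(S_0) = P_j(S_1). Adversary wins if b = b′.]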