multi-dimensional range query over encrypted data

Multi-Dimensional Range Query over Encrypted Data

Authors: Elaine Shi, Joint work with John Bethencourt, Hubert Chan, Dawn Song, Adrian PerrigSlides originated from Elaine Shi, modified by Michael ChenCSC 774 Advanced Network SecurityInstructor: Dr. Peng NingPresenter: Michael ChenApril 19, 2007

2Speaking Requirement Talk

Motivation - Network Audit Logs

Network gateway

Data center


An Ideal Solution

Network gateway

Data center


Auditor

auditor

Trusted authority

Query:(100 · port · 200) Æ ( ip 2 128.1.*.* )


Auditor

auditor

Trusted authority

Capability: (100 · port · 200) Æ ( ip 2 128.1.*.* )

Query:(100 · port · 200) Æ ( ip 2 128.1.*.* )


Security

Query:

(100 · port · 200) Æ (ip 2 128.1.*.*)

• Can decrypt all matching entries

• Cannot learn additional information for non-matching entries– Except for the fact that they do not match


The Challenges

• Current practices:– No encryption– All-or-nothing decryption

• Challenge:– How to design such an encryption scheme– Efficiency– Security


Related work

• Search on encrypted data (SoE)– Not clear if can be extended to range query

over multiple attributes.

• Anonymous hierarchical IBE (AHIBE)– Could be used to implement MRQED,

encryption cost O(TD)

• Concurrent work– BonehWaters06: Complex query over

encrypted data. More expensive public key size, encryption cost, cheaper decryption cost and shorter decryption key size.


Generalized Problem Definition

• Time-stamp t, source address a, destination

port p• A tuple (t, a, p) can be viewed as a point x in

3 dimensional space. • Query for flows with• Hyper-rectangle B in space

• x is in B ?

1 2 1 2 1 2[ , ], [ , ], [ , ]t t t a a a p p p

1 2 1 2 1 2[ , ] [ , ] [ , ]t t a a p p


Generalized Problem Definition

• KeyGen– Key generation

• Encrypt– Encryption

• DeriveKey– Compute a decryption key

• QueryDecrypt– Attempt to decrypt using a capability


KeyGen (, n)

• Input– k: security parameter– n: bit-length of x

• Output– public key PK & master

private key SK

KeyGen(, n)

Trusted authority


Encrypt(PK, x, msg)

x – a point

Cipher_Text Ã Encrypt(PK, x, msg)


DeriveKey(PK, SK, B )

B – “hyper-rectangle”

DKB

t1

t2

r1 r2


QueryDecrypt(PK, DK, C)

• Output – msg if– if

x B x B


Roadmap

• Trivial construction

• AIBE – MRQED1

– Efficient representation for ranges

– 1 dimensional scheme

• Extension to multiple dimensions


Trivial Construction

Scheme PK. size Enc. Cost CT. Size DK. Size Dec. Cost

Trivial O(T2D) O(T2D) O(T2D) O(D) O(D)

T: # different values along each dimensionD: # dimensions

• 1 dimensionOne public key pair for each possible range - O(T2) public key pairs - O(T2) cipher texts and decryption keys for each range

Performance of D dimensions

[ , ] [1, ]s t T


Roadmap

• Trivial construction• AIBE – MRQED1

– Efficient representation for ranges– 1 dimensional scheme

• Extension to multiple dimensions


AIBE – MRQED1

• Try to decrease storage and computation cost

• Efficient representation of range:- Define Interval Tree tr(T) as a binary tree

over [1, T], each node represents a range

- ith leaf node: cv(ID) = i

- non-leaf node: cv(ID) = cv(ID1) U cv(ID2)

in which ID1 & ID2 are its children nodes


AIBE – MRQED1– cont’d

• Set of IDs covering a point x

- if , ID covers x if .

- Define P(x) to be the set such IDs.

- P(x) includes all nodes on the path from leaf x to root.

• Range as a collection of IDs

- Define (s, t) to be the minimum set of nodes that cover range [s, t].

[1, ]x T ( )x cv ID


AIBE – MRQED1– cont’d

0 1 2 3 4 5 6 7

[0, 1] [2, 3] [4, 5] [6, 7]

[0, 3] [4, 7]

[0, 7]

[1, 7]


AIBE – MRQED1: Encrypt

0 1 2 3 4 5 6 7

C0=Encrypt(PK, IDA, msg)

C1=Encrypt(PK, IDB, msg)

C2

C3

A

B


AIBE – MRQED1: Encrypt

0 1 2 3 4 5 6 7

C0

C1

C2

C3

O(logT) ciphertext size


AIBE – MRQED1: DeriveKey

0 1 2 3 4 5 6 7

[2, 6]



0 1 2 3 4 5 6 7

[2, 6]

[2, 3] [4, 5]

[6, 6]



0 1 2 3 4 5 6 7

[2, 6]

SKSK

SK



0 1 2 3 4 5 6 7

[2, 6]

SKSK

SK

O(logT) decryption key size


AIBE – MRQED1: QueryDecrypt

Observations: • If x 2 [s, t], then | P(x) Å (s, t) | = 1• If x 2 [s, t], P(x) Å (s, t) = ;


AIBE – MRQED1: Decrypt

0 1 2 3 4 5 6 7

C1

C2

C3

C0



0 1 2 3 4 5 6 7

[2, 6]

C1

C2

C3

C0

SKSK

SK



0 1 2 3 4 5 6 7

C1

C2

C3

C0



0 1 2 3 4 5 6 7

[0, 3]

C1

C2

C3

C0

SK



0 1 2 3 4 5 6 7

[4, 7]

C1

C2

C3

C0

SK


AIBE – MRQED1: Performance



AIBE-MRQED1 O(1) O(logT) O(logT) O(logT) O(logT)



AIBE – MRQEDD – EncryptionD = 2 dimensional exampleTo encrypt point x = (3,5)


AIBE – MRQEDD – DeriveKeyQuery range:[2,6] x [7,3]1st dimension: (2, 6)2nd dimension: (3,7)


AIBE – MRQEDD Performance

• O(1) PK size• O(D¢logT)

– Encryption cost– Cipher Text. size– Decryption key size

• O((logT)D) decrypt. cost • Good performance, but has a serious

vulnerability – prone to collusion attack


Collusion Attack

Kx1 Kx2

SKy2

SKy1 {SKx1, SKy1}

{SKx2, SKy2}

R1 R2

R3 R4{SKx1, SKy2}

{SKx2, SKy1}

How fix the problem but preserve the AIBE – MRQEDD efficiency?


Collusion Attack solution - “Binding”

SKx1 SKx2

SKy2

SKy1 {SKx1, SKy1}

{SKx2, SKy2}

{SKx1, SKy1}

x ¢y = c



SKx1 SKx2

SKy2

SKy1 {SKx1, SKy1}

{SKx2, SKy2}

x ¢y = c

x 4 SKx1

{SKx1, SKy1}



SKx1 SKx2

SKy2

SKy1 {SKx1, SKy1}

{SKx2, SKy2}

x ¢y = c

xSKx1

{SKx1, SKy1}



SKx1 SKx2

SKy2

SKy1 {SKx1, SKy1}

{SKx2, SKy2}

x ¢y = c

xSKx1

{SKx1, SKy1}

ySKy1



SKx1 SKx2

SKy2

SKy1 {SKx1, SKy1}

{SKx2, SKy2}x ¢ y = c {SKx2, SKy2}

xSKx2

ySKy2


The “Binding” Construction

• Use Bilinear Groups

• Rely on well-known difficult problem:– Decision BDH Assumption– Decision linear Assumption

• Algebraically intensive


Conclusion



BW06 O(D¢T) O(D¢T) O(D¢T) O(D) O(D)

RQEQD O(D∙logT) O(D∙logT) O(D∙logT) O(D∙logT) O((logT)D)



Future work

• Further exploration of ways to decrease the decryption co

• Possible other privacy-preserving applications in addition to network audit logs, financial audit logs, etc.


Question

Observations: • If x 2 [s, t], then | P(x) Å (s, t) | = 1• If x 2 [s, t], P(x) Å (s, t) = ;

Why is this always true?

Thank you!

multi-dimensional range query over encrypted data

Documents

range s

multidimensional range

point x

leaf x

range ith leaf node

msgc2c3abaibe mrqed1

aibe mrqed1 contd0

shorter decryption key