multi-dimensional range query over encrypted data

Multi-Dimensional Range Query over Encrypted Data

Authors: Elaine Shi, John Bethencourt, Hubert Chan, Dawn Song, Adrian Perrig

Slides borrowed from Michael Chen and revised

2Speaking Requirement Talk

Motivation - Network Audit Logs

Network gateway

Data center


An Ideal Solution

Network gateway

Data center


Auditor

auditor

Trusted authority

Query:(100 · port · 200) Æ ( ip 2 128.1.*.* )


Auditor

auditor

Trusted authority

Capability: (100 · port · 200) Æ ( ip 2 128.1.*.* )

Query:(100 · port · 200) Æ ( ip 2 128.1.*.* )


Security

Query:

(100 · port · 200) Æ (ip 2 128.1.*.*)

• Can decrypt all matching entries

• Cannot learn additional information for non-matching entries– Except for the fact that they do not match


The Challenges

• Current practices:– No encryption– All-or-nothing decryption

• Challenge:– How to design such an encryption scheme– Efficiency– Security


Related work

• Search on encrypted data (SoE)– Not clear if can be extended to range query

over multiple attributes.

• Anonymous hierarchical IBE (AHIBE)– Could be used to implement MRQED,

encryption cost O(TD)

• Concurrent work– BonehWaters06: Complex query over

encrypted data. More expensive public key size, encryption cost, cheaper decryption cost and shorter decryption key size.

Different from general DB range query

• Data is discrete (a small cardinality)

• Search is still linear scan

• Need to check multiple decrypt keys– Multiple linear scans



Generalized Problem Definition

• Time-stamp t, source address a, destination

port p• A tuple (t, a, p) can be viewed as a point x in

3 dimensional space. • Query for flows with• Hyper-rectangle B in space

• x is in B ?

1 2 1 2 1 2[ , ], [ , ], [ , ]t t t a a a p p p

1 2 1 2 1 2[ , ] [ , ] [ , ]t t a a p p


Generalized Problem Definition

• KeyGen– Key generation

• Encrypt– Encryption

• DeriveKey– Compute a decryption key

• QueryDecrypt– Attempt to decrypt using a capability


KeyGen (, n)

• Input– k: security parameter– n: bit-length of x

• Output– public key PK & master

private key SK

KeyGen(, n)

Trusted authority


Encrypt(PK, x, msg)

x: a point

Cipher_Text Ã Encrypt(PK, x, msg)


DeriveKey(PK, SK, B )

B : “hyper-rectangle”

DKB

t1

t2

r1 r2


QueryDecrypt(PK, DK, C)

• Output – msg if– if

x B x B


Roadmap

• Trivial construction

• AIBE – MRQED1

– Efficient representation for ranges

– 1 dimensional scheme

• Extension to multiple dimensions


Trivial Construction

Scheme PK. size Enc. Cost CT. Size DK. Size Dec. Cost

Trivial O(T2D) O(T2D) O(T2D) O(D) O(D)

T: # different values along each dimensionD: # dimensions

• 1 dimensionOne public key pair for each possible range - O(T2) public key pairs - O(T2) cipher texts and decryption keys for each range: the same message is encrypted many times!

Performance of D dimensions

[ , ] [1, ]s t T


Roadmap

• Trivial construction• AIBE – MRQED1

– Efficient representation for ranges– 1 dimensional scheme

• Extension to multiple dimensions

Identity based encryption (IBE)

Master PK + ID (e.g., a string) ID-specific PK

ID + SK_manager ID-specific SK

Benefit: needs only to maintain one MasterPK; can invalidate the specific ID at anytime.

For details of IBE, check •Dan Boneh and Matthew Franklin. Identity-based encryption from the weil pairing. SIAM J. Comput., 32(3):586–615, 2003.

19


AIBE – MRQED1

• Try to decrease storage and computation cost

• Efficient representation of range:- Define Interval Tree tr(T) as a binary tree

over [1, T], each node represents a range

- ith leaf node: cv(ID) = i

- non-leaf node: cv(ID) = cv(ID1) U cv(ID2)

in which ID1 & ID2 are its children nodes


AIBE – MRQED1– cont’d

• Set of IDs covering a point x

- if , ID covers x if .

- Define P(x) to be the set such IDs.

- P(x) includes all nodes on the path from leaf x to root.

• Range as a collection of IDs

- Define (s, t) to be the minimum set of nodes that cover range [s, t].

[1, ]x T ( )x cv ID


AIBE – MRQED1– cont’d

0 1 2 3 4 5 6 7

[0, 1] [2, 3] [4, 5] [6, 7]

[0, 3] [4, 7]

[0, 7]

[1, 7]


AIBE – MRQED1: Encrypt

0 1 2 3 4 5 6 7

C0=Encrypt(PK, IDA, msg)

C1=Encrypt(PK, IDB, msg)

C2

C3

A

B


AIBE – MRQED1: Encrypt

0 1 2 3 4 5 6 7

C0

C1

C2

C3

O(logT) ciphertext size


AIBE – MRQED1: DeriveKey

0 1 2 3 4 5 6 7

[2, 6]



0 1 2 3 4 5 6 7

[2, 6]

[2, 3] [4, 5]

[6, 6]



0 1 2 3 4 5 6 7

[2, 6]

SKSK

SK



0 1 2 3 4 5 6 7

[2, 6]

SKSK

SK

O(logT) decryption key size


AIBE – MRQED1: QueryDecrypt

Observations: • If x 2 [s, t], then | P(x) Å (s, t) | = 1• If x 2 [s, t], P(x) Å (s, t) = ;


AIBE – MRQED1: Decrypt

0 1 2 3 4 5 6 7

C1

C2

C3

C0



0 1 2 3 4 5 6 7

[2, 6]

C1

C2

C3

C0

SKSK

SK



0 1 2 3 4 5 6 7

C1

C2

C3

C0



0 1 2 3 4 5 6 7

[0, 3]

C1

C2

C3

C0

SK



0 1 2 3 4 5 6 7

[4, 7]

C1

C2

C3

C0

SK


AIBE – MRQED1: Performance

Scheme PK. size Enc. Cost CT. Size DK. Size Dec. Cost

Trivial O(T2D) O(T2D) O(T2D) O(D) O(D)

AIBE-MRQED1 O(1) O(logT) O(logT) O(logT) O(logT)

T: # different values along each dimensionD: # dimensions


AIBE – MRQEDD – EncryptionD = 2 dimensional exampleTo encrypt point x = (3,5)


AIBE – MRQEDD – DeriveKey

Query range:[2,6] x [7,3]1st dimension: (2, 6)2nd dimension: (3,7)


AIBE – MRQEDD Performance

• O(1) PK size• O(D¢logT)

– Encryption cost– Cipher Text. size– Decryption key size

• O((logT)D) decrypt. cost • Good performance, but has a serious

vulnerability – prone to collusion attack

multi-dimensional range query over encrypted data

Documents