Multi-Dimensional Range Query over Encrypted Data
Authors: Elaine Shi, John Bethencourt, Hubert Chan, Dawn Song, Adrian Perrig
Slides borrowed from Michael Chen and revised
2Speaking Requirement Talk
Motivation - Network Audit Logs
[Figure: network gateway, data center]
An Ideal Solution
[Figure: network gateway, data center]
Auditor
[Figure: auditor, trusted authority]
Query: (100 ≤ port ≤ 200) ∧ (ip ∈ 128.1.*.*)
Capability: (100 ≤ port ≤ 200) ∧ (ip ∈ 128.1.*.*)
Security
Query: (100 ≤ port ≤ 200) ∧ (ip ∈ 128.1.*.*)
• Can decrypt all matching entries
• Cannot learn additional information for non-matching entries
  – Except for the fact that they do not match
The Challenges
• Current practices:
  – No encryption
  – All-or-nothing decryption
• Challenge:
  – How to design such an encryption scheme
  – Efficiency
  – Security
Related work
• Search on encrypted data (SoE)
  – Not clear if it can be extended to range queries over multiple attributes.
• Anonymous hierarchical IBE (AHIBE)
  – Could be used to implement MRQED, encryption cost O(TD)
• Concurrent work
  – BonehWaters06: Complex query over encrypted data. More expensive public key size and encryption cost; cheaper decryption cost and shorter decryption key size.
Different from general DB range query
• Data is discrete (a small cardinality)
• Search is still linear scan
• Need to check multiple decrypt keys
  – Multiple linear scans
Generalized Problem Definition
• Time-stamp t, source address a, destination port p
• A tuple (t, a, p) can be viewed as a point x in 3 dimensional space.
• Query for flows with t ∈ [t1, t2], a ∈ [a1, a2], p ∈ [p1, p2]
• Hyper-rectangle B in space: [t1, t2] × [a1, a2] × [p1, p2]
• x is in B ?
Generalized Problem Definition
• KeyGen
  – Key generation
• Encrypt
  – Encryption
• DeriveKey
  – Compute a decryption key
• QueryDecrypt
  – Attempt to decrypt using a capability
KeyGen(k, n)
• Input
  – k: security parameter
  – n: bit-length of x
• Output
  – public key PK & master private key SK
[Figure: trusted authority, KeyGen(k, n)]
Encrypt(PK, x, msg)
x: a point
Cipher_Text ← Encrypt(PK, x, msg)
DeriveKey(PK, SK, B)
B: “hyper-rectangle”
[Figure labels: DKB, t1, t2, r1, r2]
QueryDecrypt(PK, DK, C)
• Output
  – msg if x ∈ B
  – if x ∉ B
Roadmap
• Trivial construction
• AIBE – MRQED1
– Efficient representation for ranges
– 1 dimensional scheme
• Extension to multiple dimensions
Trivial Construction
• 1 dimension: one public key pair for each possible range [s, t] ⊆ [1, T]
  – O(T^2) public key pairs
  – O(T^2) cipher texts and decryption keys for each range: the same message is encrypted many times!
Performance of D dimensions
Scheme     PK. size     Enc. Cost    CT. Size     DK. Size   Dec. Cost
Trivial    O(T^(2D))    O(T^(2D))    O(T^(2D))    O(D)       O(D)
T: # different values along each dimension
D: # dimensions
Identity based encryption (IBE)
Master PK + ID (e.g., a string) → ID-specific PK
ID + SK_manager → ID-specific SK
Benefit: only one Master PK needs to be maintained; a specific ID can be invalidated at any time.
For details of IBE, see:
• Dan Boneh and Matthew Franklin. Identity-based encryption from the Weil pairing. SIAM J. Comput., 32(3):586–615, 2003.
AIBE – MRQED1
• Try to decrease storage and computation cost
• Efficient representation of range:
  - Define Interval Tree tr(T) as a binary tree over [1, T]; each node represents a range
  - ith leaf node: cv(ID) = i
  - non-leaf node: cv(ID) = cv(ID1) ∪ cv(ID2), in which ID1 & ID2 are its children nodes
AIBE – MRQED1 – cont’d
• Set of IDs covering a point x
  - if x ∈ [1, T], ID covers x if x ∈ cv(ID).
  - Define P(x) to be the set of such IDs.
  - P(x) includes all nodes on the path from leaf x to root.
• Range as a collection of IDs
  - Define (s, t) to be the minimum set of nodes that cover range [s, t].
AIBE – MRQED1– cont’d
0 1 2 3 4 5 6 7
[0, 1] [2, 3] [4, 5] [6, 7]
[0, 3] [4, 7]
[0, 7]
[1, 7]
AIBE – MRQED1: Encrypt
[Figure: interval tree over leaves 0 1 2 3 4 5 6 7 with nodes A and B marked; ciphertexts C0 = Encrypt(PK, IDA, msg), C1 = Encrypt(PK, IDB, msg), C2, C3]
O(logT) ciphertext size
AIBE – MRQED1: DeriveKey
[Figure: interval tree over leaves 0 1 2 3 4 5 6 7; range [2, 6] is split into nodes [2, 3], [4, 5], [6, 6], each labelled SK]
O(logT) decryption key size
AIBE – MRQED1: QueryDecrypt
Observations:
• If x ∈ [s, t], then |P(x) ∩ (s, t)| = 1
• If x ∉ [s, t], P(x) ∩ (s, t) = ∅
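The two observations above can be checked directly on the interval tree. This is an added sketch, not code from the slides or the paper: it models only which node IDs fall in P(x) and in the minimum cover of [s, t], with no encryption; the names path, cover, matching_node and matches are chosen here, and leaves are numbered 0..7 as in the slides' figure rather than 1..T.

```python
# Added illustration: interval-tree bookkeeping only, no cryptography.
T = 8  # leaves 0..7 as in the slides' figure (assumes T is a power of two)

def path(x, lo=0, hi=T - 1):
    """P(x): every node (lo, hi) on the path from the root down to leaf x."""
    nodes = [(lo, hi)]
    while lo < hi:
        mid = (lo + hi) // 2
        if x <= mid:
            hi = mid
        else:
            lo = mid + 1
        nodes.append((lo, hi))
    return nodes

def cover(s, t, lo=0, hi=T - 1):
    """Minimum set of tree nodes whose union is exactly [s, t]."""
    if s > hi or t < lo:
        return []                      # node lies entirely outside the range
    if s <= lo and hi <= t:
        return [(lo, hi)]              # node lies entirely inside: take it whole
    mid = (lo + hi) // 2
    return cover(s, t, lo, mid) + cover(s, t, mid + 1, hi)

def matching_node(x, s, t):
    """The one node shared by P(x) and cover(s, t), or None if x is outside [s, t]."""
    common = set(path(x)) & set(cover(s, t))
    assert len(common) <= 1            # the slide's observation
    return next(iter(common), None)

def matches(point, box):
    """D-dimensional check: x is in B iff every dimension has a shared node."""
    return all(matching_node(x, s, t) is not None
               for x, (s, t) in zip(point, box))

if __name__ == "__main__":
    print("cover(2, 6) =", cover(2, 6))
    for x in range(T):
        print(x, path(x), "->", matching_node(x, 2, 6))
    # Point (3, 5) against ranges [2, 6] and [3, 7], one range per dimension.
    print(matches((3, 5), [(2, 6), (3, 7)]))
```

Each ciphertext component corresponds to one node of path(x) and each key component to one node of cover(s, t), which is where the O(logT) sizes come from.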
AIBE – MRQED1: Decrypt
[Figure: interval tree over leaves 0 1 2 3 4 5 6 7 with ciphertexts C0, C1, C2, C3; shown with the key for range [2, 6] (three SK labels), then with keys for [0, 3] and [4, 7] (one SK label each)]
AIBE – MRQED1: Performance
Scheme         PK. size     Enc. Cost    CT. Size     DK. Size    Dec. Cost
Trivial        O(T^(2D))    O(T^(2D))    O(T^(2D))    O(D)        O(D)
AIBE-MRQED1    O(1)         O(logT)      O(logT)      O(logT)     O(logT)
T: # different values along each dimension
D: # dimensions
AIBE – MRQEDD – Encryption
D = 2 dimensional example
To encrypt point x = (3,5)
AIBE – MRQEDD – DeriveKey
Query range: [2,6] × [7,3]
1st dimension: (2, 6)
2nd dimension: (3,7)
AIBE – MRQEDD Performance
• O(1) PK size
• O(D·logT)
  – Encryption cost
  – Ciphertext size
  – Decryption key size
• O((logT)^D) decrypt. cost
• Good performance, but has a serious vulnerability – prone to collusion attack