multi-dimensional range query over encrypted data

1

Multi-Dimensional Range Query over Encrypted Data

Presenter: 陳國璋

Elaine Shi, John Bethencourt, T-H. Hubert Chan, Dawn Song and Adrian Perrig

IEEE Symposium on Security and Privacy, May, 2007

2

Outline

Induction Problem Definition and Preliminary AIBE-Based MRQED1 Scheme AIBE-Based MRQEDD Scheme Main Construction Conclusion

3

Introduction

接續上一次報告的 HVE (Hidden Vector Encryption) 方法，裡面提到 3 種 Query 形式，Comparison / Range / Subset ，此篇重點在 Conjunctive Range Queries.

Recall: HVE

4

Introduction

ConjunctiveGeneral

Predicate

Multi-cellPractical

Value

PredicateVector

PracticalVector

SK

Ciphertext

Token

Data / ⊥

Data

PK

GenTokenHVE

EncryptHVE

QueryHVE

5

Introduction

Multi-dimensional Range Query over Encrypted Data, MRQED

For example Network audit log has 3 attributes, time-sta

mp t, source address a and destination port number p.

(t, a, p) tuple Conjunctive ranges: [t1, t2], [a1, a2] and [p1, p2]

6

Introduction

Scheme Pub Key Size

Enc Cost CT Size Dec Key Size

Dec Cost

HVE O(DT) O(DT) O(DT) O(D) O(D)

Naïve AIBE-base

O(1) O((log T)D) O((log T)D) O((log T)D) O((log T)D)

MRQED O(Dlog T) O(Dlog T) O(Dlog T) O(Dlog T) O((log T)D)

D: #(Dimension), T: #(Point)

7

Introduction

Application Financial audit log Medical privacy Untrusted remote storage Using biometrics in anonymous IBE

8

Outline


9

Problem Definition

Network audit log has 3 attributes, time-stamp t, source address a and destination port number p.

(t, a, p) tuple Conjunctive ranges: [t1, t2], [a1, a2] and [p1,

p2]

10

Problem Definition

[t1, t2]

[a1, a2]

[p1, p2]

Hyper-rectangle B

X = (t, a, p)

Testing whether a point X falls inside the Hyper-rectangle B

11

Problem Definition

An attribute can be encoded using discrete integer values 1 through T.

[T]={1, …, T} S≦T, [S, T]={S, S+1, …, T} D different attributes, each of them can t

ake on value in [T1], [T2], …, [TD] respectively.

12

Problem Definition D-dimensional lattice, point, hyper-rectangle Δ=(T1, …, TD) LΔ = [T1] × [T2] × … × [TD]

D-dimensional lattice X = (x1, …, xD)

Point B(s1, t1, s2, t2, …, sD, tD) = {(x1, …, xD) | ∀d∈[D], xd∈

[sd, td]} Hyper-rectangle

13

Problem Definition

Network audit log Time-stamp t, address a, port number p

D = 3 Time-stamp [Tt]={0000, …, 1439} Address [Ta]={0, …, 255} Port number [Tp]={0, …, 65535}

14

Problem Definition

Δ=(Tt, Ta, Tp) LΔ= [Tt] × [Ta] × [Tp] =[14

39] × [255] × [65535] X = (t, a, p) = (603, 97, 777) B(540, 720, 84, 124, 700, 800)

15

Problem Definition

[Tt]=[1439]

[Ta]=[255]

[Tp]=[65535]

[540, 720]

[84, 124][700, 800]

X = (603, 97, 777)

B(540, 720, 84, 124, 700, 800)

LΔ= [1439] × [255] × [65535]

16

Problem Definition

MRQED scheme consists of 4 polynomial time algorithms: Setup Encrypt DeriveKey QueryDecrypt

17

Problem Definition

Setup(Σ, LΔ) Input a security parameter Σ and D-dimensio

nal lattice LΔ

Output public key PK amd master private key SK

18

Problem Definition

Encrypt(PK, X, Msg) Input a public key PK, a point X and a messa

ge Mag Output a ciphertext C

19

Problem Definition

DeriveKey(PK, SK, B) Take a public key PK, a master private key S

K and a hyper-rectangle B Output decryption key DK for hyper-rectangl

e B

20

Problem Definition

QueryDecrypt(PK, DK, C) Take a public key PK, a decryption key DK an

d a ciphertext C Output either a plaintext Msg or ⊥

21

Problem Definition Correctness

∀message Msg ∈ 　 message space M, hyper-rectangle B ⊆ LΔ, and a point X ∈ LΔ, the above algorithm must satisfy the following consistency constraints:

, if ( , , )

, . . ., if

where ( , , ) and ( , , )

Msg X BQueryDecrypt PK DK C

wh p X B

C Encrypt PK X Msg DK DeriveKey PK SK B

22

Preliminary

Decision BDH Assumption Given[g, ga, gb, gc, Z]∈G4×G’, where expone

nts a, b, c are picked at ramdom from Zp, decide whether Z=e(g, g)abc

23

Preliminary

Decision Linear Assumption Given [g, ga, gb, gac, gbd, Z]∈G4, where a, b, c, d

are picked at random from Zp, decide whether Z=gc+d

24

Outline


25

AIBE-Based MRQED1 Scheme Interval tree

tr(T) denote a binary interval tree over integer from 1 to T.

Each node has a pre-assigned unique ID. cv(ID) denote the range represented by node ID∈tr

(T)

1 2

1 2

, if be a leaf node.

( ) ( ) ( ), if is an internal node,

and are its child nodes.

thi ID i

cv ID cv ID cv ID ID

ID ID

26

AIBE-Based MRQED1 Scheme Interval tree

The set P(x) of IDs covering a point x∈[1, T] The set Λ(s, t) of IDs representing a range [s, t]⊆[1, T] If x∈[s, t], then P(x)∩Λ(s, t)≠φ |P(x)∩Λ(s, t)| = 1 If x [s, t], then P(x)∩Λ(s, t)=φ

27

AIBE-Based MRQED1 Scheme

I JH K OL M N

E FD G

B C

A

1 2 3 4 5 6 7 8

tr(T)=tr(8)

cv(L)={5}

cv(E)=[4,5]

cv(C)=[5,8]

P(3)={A, B, E, J}

Λ(2, 7)={I, E, F, N}

28

AIBE-Based MRQED1 Scheme MROED1 scheme

AIBE scheme Setup*(Σ) DeriveKey*(PK, SK, ID) Encrypt*(PK, ID, Msg) Decrypt*(PK, DK, C)

Setup(Σ, T) Encrypt(PK, x, Msg) DeriveKey(PK, SK, [s, t]) QueryDecrypt(PK, DK, C)

29


Setup(Σ, T) Call Setup*(Σ) Output PK and SK

30


Encrypt(PK, x, Msg) x→P(x) ∀ID∈P(x), cID=Encrypt*(PK, ID, Msg||0m’), wh

ere 0m’ is fill the Msg to {0, 1}m

Output ciphertext C={cID | ∀ID∈P(x)}

31


DeriveKey(PK, SK, [s, t]) [s, t]→Λ(s, t) ∀ID∈Λ(s,t), kID=DeriveKey*(PK, SK, ID) Output DK[s, t]={kID | ∀ID∈Λ(s, t)}

32


QueryDerive(PK, DK, C) If x∈[s,t], then∃! ID, s.t. P(x)∩Λ(s,t)=ID Call and output Decrypt*(PK, kID, cID) = Msg|

|0m’. Otherwise, output ⊥.

33


I JH K OL M N

E FD G

B C

A

1 2 3 4 5 6 7 8

tr(T)=tr(8)

cv(L)={5}

cv(E)=[3,4]

cv(C)=[5,8]

P(3)={A, B, E, J}

Λ(2, 7)={I, E, F, N}

34

Outline


35

AIBE-Based MRQEDD Scheme

As AIBE-Based MRQED1 Scheme, the changed points as follows: Encrypt(PK, X, Msg) DeriveKey(PK, DK, C)

36


Encryption A point X =(x1, x2, …, xD) For each dimension, xd has each P(xd), ∀d∈

[d] Denote P×(X)=P(x1)×P(x2)×…×P(xD) Call Encrypt*(PK, P×(X), Msg) = C

37

I JH K OL M N

E FD G

B C

A

1 2 3 4 5 6 7 8

XY

WZ

D’

A’

B’

C’

TU

SV

QR

P

87

65

43

21

X

X=(x1, x2)=(3, 5)P(x1) = {A, B, E, J}P(x2) = {P, Q, T, Z}P×(X) = {A, B, E, J}×{P, Q, T, Z}

38


Key Derivation All dimension range combine a hyper-rectan

gle B(s1, t1, …, sD, tD) Each range [sd, td] has Λ(sd, td), ∀d∈[d] Denote Λ×(B)=Λ(s1, t2)×…×Λ(sD, tD) Call DeriveKey*(PK, SK, Λ×(B)) = DK

39

I JH K OL M N

E FD G

B C

A

1 2 3 4 5 6 7 8

XY

WZ

D’

A’

B’

C’

TU

SV

QR

P

87

65

43

21

B=(s1, t1, s2,, t2)=[2, 6]×[3, 7]Λ(s1, t1) = {E, F, I}Λ(s2, t2) = {T, U, X}Λ×(B) = {E, F, I}×{T, U, X}

40

AIBE-Based MRQEDD Scheme Collusion attack

R4

R1

R3

R2

kd

kc

ka kb

41

Outline


42

Main Construction Reducing the ciphertext size

P×(X) = P(x1) × …× P(xD) ↓ P∪(X) = P(x1) ∪ …∪ P(xD)

43

Main Construction Reducing the decryption key size

Λ×(B)=Λ(s1, t2) × …× Λ(sD, tD) ↓

Λ∪(B)=Λ(s1, t2)∪ …∪(sD, tD)

44

Main Construction Preventing the collusion attack

Using binding technique Using re-randomization to tie the sub-

keys in different dimensions

45

Main Construction Preventing the collusion attack

R4

R1

R3

R2

kd

kc

ka kb

In R1, {ka, kc}→{μ1ka, μ2kc}In R4, {kb, kd}→{μ3kb, μ4kd}(μ1, μ2) are independently from (μ3, μ4)μ1μ2=μ3μ4= some invariant

46

Main Construction Define L=O(log T) be the height of a tree All IDs are picked from Z*

P

Message Msg∈{0, 1} with a series of trailing zero 0m’

47

Main Construction Setup(Σ, LΔ)

, ,

, ,

8 1

,1 ,2 ,1 ,2 ,1 ,2 ,1 ,2 ( , ) [ ] [ ]

8

,

',

1. [ , , ', , ] ( )

2. random parameters from

,[ , , , , , , ' , ' ]

3. public key PK G' G

( , )

, 1,2,

'

i i

i

R

DLp

d l D L

DL

i

i

p G G g e Gen

Z

e g g

a g i

a g

,1 ,

,1 ,

,

', ( , ) [ ] [ ]

, 1,2,

, 1,2,

' , 1,2

i

i

i

i

i d l D L

i

b g i

b g i

48

Main Construction Setup(Σ, LΔ)

,

,

, , ,

, , ,

8 1

,

,

,

', ( , ) [ ] [ ]

4. master private key SK G

, 1,2,

, 1,2,

, 1,2,

' , 1,2

i

i

i i i

i i i

DL

i

i

i

i d l D L

g

A g i

B g i

y g i

y g i

49

Main Construction DeriveKey(PK, SK, B)

,

2| ( )|

,1 ,2 ( )

5| ( )|

,1 ,1

1. Pick ( ) random integer from G

[ ] ,[ , ]

such that

2. Compute and release a decryption key DK G

for each ( ),

( ' ) ID

D Bp

d d D ID ID ID B

dd D

B

IDd

O D L Z

ID B

y y

1 ,2 ,1 ,2 ,1 ,2

,2 ,2 ,1 ,2 ,1 ,2

,0 ,1 ,2 ,3 ,4

( ' ) , , , ,

=( , , , , )

ID ID ID ID IDID

ID ID ID ID ID

y y A A B B

k k k k k

50

Main Construction Encrypt(PK, X, Msg)

2

,1 ,2 ( , ) [ ] [ ]

4 1

1. Select 2 1 random integers

,[ , ]

2. For ( , ) [ ] [ ],

define ( ) is the node at depth in ( ) in the dimension.

ciphertext '

DLR p d l D L R p

thd

DL

DL

r Z r r Z

d l D L

I I X l P x d

C G G

,1 ,1

,2 ,2

'

,1 ,1 ,1 ,1

,2 ,2 ,2 ,2 ( , ) [ ] [ ]

0 ,1 ,2 ,3 ,4

( || 0 ) , ,

( ' ) ,( ' ) ,

( ' ) ,( ' )

=( , ,[ , , , ])

m r r

I r I r r

I r I r r

d l D L

Msg g

b b a a

b b a a

c c c c c c

51

Main Construction QueryDecrypt(PK, DK, C)

1 2

0 ,0 ,1 ,1 ,2 ,2 ,3 ,3 ,4 ,4[ ]

'

1. collection {DK( ),DK( ),...,DK( )} of sub-keys.

2. Decryption

[ ( ) ( ) ( ) ( ) ( )]

If is of the form || 0 , then outpu

d d d d

D

ID ID ID ID IDd D

m

ID ID ID

V c e c k e c k e c k e c k e c k

V Msg

t as the plaintext

otherwise, output

Msg

52

Outline


53

Conclusion Using tree data structure. Reducing the ciphertext size and Decrypt

ion key size.

54

Conclusion Using advance/better/original data

structure. Multi-dimension into One-dimension.

55

Conclusion [3, 6], [4, 9], [5, 8] ↓ [2, 7], [3, 10], [4, 9] ↓ [0, 1], [1, 2], [2, 3]

56

Conclusion Real value is (5, 7, 6) Predicate range is [3, 6]×[4, 9]×[5, 8]

0 1 2 3

[2 7][3 10]

[4 9]

5 7 6

57

Conclusion About subset query

Lattice diagram/Hasse diagram Binary string method

58

Conclusion Lattice diagram/Hasse diagram

59

Conclusion Binary string method

假設有 5 個元素 U={1,…,5} Predicate set A={1,4}, 轉換 predicate set A 成

binary string 為 01001 Real value T={1,5}, 轉換成 binary string 為 10

001 兩個 binary string 做 OR 運算 , 其結果與 pred

icate set 的 binary string 相同即為 T 是 A 的子集 , 反之 , T 不是 A 的子集

multi-dimensional range query over encrypted data

Documents