secure computation over encrypted data
DESCRIPTION
Secure Computation Over Encrypted Data. Liangliang Xiao. Introduction. Cloud Customers outsource their data & computing needs to cloud Hardware technology hits its limit Systems become harder to maintain Security issues in cloud Adversaries attacks Human error - PowerPoint PPT PresentationTRANSCRIPT
Secure Computation Over Encrypted Data
Liangliang Xiao
Cloud Customers outsource their data & computing needs to cloud
Hardware technology hits its limit Systems become harder to maintain
Security issues in cloud Adversaries attacks Human error
Mistakenly sending disks with bank files to eBay [Ham03] Reorganization or buyout [Nan04]
Introduction
Salary
…
x1
xn
SELECT SUM(salary)
x1+…+ xn
Introduction Protect data in the cloud
Encryption How to process the encrypted data?
Decrypt data for computation (not secure!) Key should be stored with the data at the server (not secure!)
Computing directly on encrypted data
Existing Works Homomorphic Encryption (HE) Order-preserving Encryption (OPE) Prefix-preserving Encryption (PPE)
HE Encryption function has homomorphic properties
E(x + y) = E(x) + E(y)E(x * y) = E(x) * E(y)
HE Encryption function has homomorphic properties
HE supports computations on ciphertexts
Salary
…
E(x1)
E(xn)
E(x + y) = E(x) + E(y)E(x * y) = E(x) * E(y)
HE Encryption function has homomorphic properties
HE supports computations on ciphertexts
Salary
…
E(x1)
E(xn)
SELECT SUM(salary)
E(x + y) = E(x) + E(y)E(x * y) = E(x) * E(y)
HE Encryption function has homomorphic properties
HE supports computations on ciphertexts
Salary
…
E(x1)
E(xn)
SELECT SUM(salary)
E(x1+…+ xn)
DB computes E(x1+…+ xn) = E(x1) +…+ E(xn)
E(x + y) = E(x) + E(y)E(x * y) = E(x) * E(y)
HE Encryption function has homomorphic properties
HE supports computations on ciphertexts
Salary
…
E(x1)
E(xn)
SELECT SUM(salary)
E(x1+…+ xn)
Alice decrypts to get x1+…+ xn
DB computes E(x1+…+ xn) = E(x1) +…+ E(xn)
E(x + y) = E(x) + E(y)E(x * y) = E(x) * E(y)
Example of “Partial” HE RSA
E(x) = xe mod n e is the public key n = p ∙ q
Homomorphic with respect to multiplication E(x) * E(y) = xe * ye = (x * y)e = E(x * y)
Not homomorphic with respect to addition E(x) + E(y) = xe + ye ≠ (x + y)e = E(x + y)
Existing HEs Boolean circuit based HE
Plaintexts {0,1} Gentry’s construction [Gen09]
High security level but expensive computation Ring based HE
Plaintexts ZN
Efficient than Boolean circuit based HE Polly Cracker encryption scheme [Fel94]
Lack conclusive security evidence
OPE Encryption preserves order
x < y E(x) < E(y)
Encryption preserves order
OPE supports range searches on ciphertexts
OPE
Salary
…OPE(x1)
OPE(xn)
Name
E(N1)…
E(Nn)
x < y E(x) < E(y)
Encryption preserves order
OPE supports range searches on ciphertexts
OPE
Salary
…OPE(x1)
OPE(xn)
SELECT NameWhere Salary > OPE(a)
Name
E(N1)…
E(Nn)
x < y E(x) < E(y)
OPE Encryption preserves order
OPE supports range searches on ciphertexts
Salary
…OPE(x1)
OPE(xn)
SELECT NameWhere Salary > OPE(a)
E(Ni)
Name
E(N1)…
E(Nn)DB returns E(Ni) if OPE(xi) > OPE(a)
x < y E(x) < E(y)
OPE Encryption preserves order
OPE supports range searches on ciphertexts
Salary
…OPE(x1)
OPE(xn)
SELECT NameWhere Salary > OPE(a)
E(Ni)
Alice decrypts E(Ni) to get Ni
Name
E(N1)…
E(Nn)DB returns E(Ni) if OPE(xi) > OPE(a)
x < y E(x) < E(y)
Existing OPEs RN
Randomly generate r1, …, rx, …, ry, …
Poly Randomly generate a strict increasing polynomial f
x E(x) = r1 + … + rx
f
y
E(x)
y E(y) = r1 + … + rx + … + ry
x
E(y)
PPE Encryption preserves prefix
101000 → 001010
101110 → 001111
Plaintexts Ciphertexts
PPE Encryption preserves prefix
Range searches can be transformed to prefix-matching search [32, 111] [00100000, 01101111] {001*, 010*, 0110*}
101000 → 001010
101110 → 001111
Plaintexts Ciphertexts
PPE PPE supports range searches on ciphertexts
Salary
…PPE(x1)
PPE(xn)
Name
E(N1)…
E(Nn)
PPE PPE supports range searches on ciphertexts
Salary
…PPE(x1)
PPE(xn)
Name
E(N1)…
E(Nn)
SELECT NameWhere Salary = PPE(aj), 1 ≤ j ≤ m
PPE PPE supports range searches on ciphertexts
E(Ni)
DB returns PPE(xi) if PPE(aj) is its prefix
Salary
…PPE(x1)
PPE(xn)
Name
E(N1)…
E(Nn)
SELECT NameWhere Salary = PPE(aj), 1 ≤ j ≤ m
PPE supports range searches on ciphertexts
PPE
E(Ni)
Alice decrypts E(Ni) to get Ni
DB returns PPE(xi) if PPE(aj) is its prefix
Salary
…PPE(x1)
PPE(xn)
Name
E(N1)…
E(Nn)
SELECT NameWhere Salary = PPE(aj), 1 ≤ j ≤ m
Main problem of the Existing Works HE/OPE/PPE only consider one encryption key
One encryption key DB colludes with any user compromise all data
Different users use different keys Computation cannot be performed
…
collude
Other Problems HE
Circuit-based HE has very high computation cost
Gentry’s algorithm32-bit integer addition 900 s
32-bit integer multiplication 67,000 s 18 hours
Gentry’s algorithm:• Computation of each binary operation is 6 seconds [Gen]• Multiplication requires ~ 11,000 gates; Addition requires 160 gates [Mor]
Other Problems Attacks against OPE
Suppose A knows (m/2, OPE(m/2)) Plaintexts {1, …, m}
A can retrieve the most significant bit of other cipherterxts Need to qualify the security of OPE
OPE(m/2)
m/2
Other Problems Attacks against OPE
Suppose A knows (m/2, OPE(m/2)) Plaintexts {1, …, m}
A can retrieve the most significant bit of other cipherterxts Need to qualify the security of OPE
OPE(m/2)
m/2
ciphertext ciphertext
Other Problems Existing security analysis
Reduce the security of the real OPE scheme to the ideal OPE object
Other Problems Existing security analysis
Reduce the security of the real OPE scheme to the ideal OPE object
Ideal OPE The encryption function is uniformly randomly selected from all
order-preserving functions
All OPE functionsRandomly selected
Encryption function
Other Problems Existing security analysis
Reduce the security of the real OPE scheme to the ideal OPE object
Ideal OPE The encryption function is uniformly randomly selected from all
order-preserving functions
No security analysis of the ideal OPE object
All OPE functionsRandomly selected
Encryption function
Objective of My Research Bridge the gaps
HE Design a more efficient HE algorithm Enhance it for multi-user systems
OPE Prove the security of the ideal OPE object Develop a multi-user OPE protocol
PPE Prove the security of the ideal PPE object Design a multi-user PPE protocol based on an existing PPE
Objective of My Research Bridge the gaps
HE Design a more efficient HE algorithm Enhance it for multi-user systems
OPE Prove the security of the ideal OPE object Develop a multi-user OPE protocol
PPE Prove the security of the ideal PPE object Design a multi-user PPE protocol based on an existing PPE
Basic construction (ring based) E(x, k) = M
M is a matrix with the eigenvalue x w.r.t. the eigenvector k Over ring ZN where N = p ∙ q
Homomorphic in addition and multiplication x ∙ k = M ∙ k and y ∙ k = M’ ∙ k (x + y) ∙ k = (M + M’) ∙ k (x ∙ y) ∙ k = (M ∙ M’) ∙ k
Our HE Construction
x ∙ k = M ∙ k ZN
[ [] ][ ]
Security Definition Attack model
Adversary knows some plaintext/ciphertext pairs Adversary tries to reverse another ciphertext
Called challenge
Attack based on plaintext/ciphertext pair (x, M) Solve k from x ∙ k = M ∙ k
x has the only eigenvector k Use k to reverse other ciphertexts
Security Analysis
Solve k
x ∙ k = M ∙ k ZN
[ [] ][ ]
Our HE Construction Need to improve the basic construction
One common eigenvector homomorphic computation Second distinct eigenvector resist the attack
Improved Construction Consider 44 matrix k, u, v, w are randomly chosen eigenvectors
Our HE Construction Improved Construction
Associate x with k and z z = u, v, or w subject to a distribution D
Randomly select r Associate r with two remaining eigenvectors
M
x r
k u v w
M
x r
k v u w
M
x r
k w u v
Our HE Construction Consider m rings
ZN
k1
k2
km
k
p
p
ppm
Zf1
Zf2
Zfm
. . .
Security of Our HE Security
Theorem: the probability for the adversary to reverse any other ciphertext is pm
p = 1 (1 q) qn
pm becomes negligibly small if n < m ln poly() is the security parameter
Achieves one-wayness security Further computes q to minimize (1 (1 q) qn)m
q is the probability that x is associated with u q = 1 1/n
Performance Comparison Compare our algorithm with Gentry’s
Gentry’s algorithm Our algorithm32-bit integer addition 900 s 0.0992 ms
32-bit integer multiplication
67,000 s 18 hours
108 ms
Space cost 1 bit → 200,000 bits 1024 bits → 262,144 bits
Our algorithm• Choose m = 16 to sustain 1109 chosen plaintext attacks
Gentry’s algorithm:• Computation of each binary operation is 6 seconds [Gen]• Multiplication requires ~ 11,000 gates; Addition requires 160 gates [Mor]
Objective of My Research Bridge the gaps
HE Design a more efficient HE algorithm Enhance it for multi-user systems
OPE Prove the security of the ideal OPE object Develop a multi-user OPE protocol
PPE Prove the security of the ideal PPE object Design a multi-user PPE protocol based on an existing PPE
HE for Multi-User System Key transformation similarity transform
k’ ∙ E(x, k) ∙ k’ −1 = E(x, k’ ∙ k)
HE for Multi-User System Key transformation similarity transform
k’ ∙ E(x, k) ∙ k’ −1 = E(x, k’ ∙ k) Request protocol
kj – user key Different user holds different user key
kj’ and kj’’ – matching key mk – master key
Response protocol – reverse the request protocol
User Uj Key agent DB
Hold key kj’Hold key kj Hold key kj’’
E(x, kj) E(x, kj’ ∙ kj)
kj’’ kj’ kj = mk
E(x, mk)x
HE for Multi-User System Security
Theorem: Our Protocols are as secure as HE unless both DB and KA are compromised
Further security improvement Use a chain of KAs
Performance Study Request/Response Protocols
User ; DB Key agent
Performance Study Results
λ – data length NE = “No Encryption” HE – Q = DB received the data encrypted by user HE – P = User decrypts the data sent from DB
λ (bit) NE (ms) HE - Q (ms)
HE - P (ms)
Request Protocol
(ms)
Response Protocol
(ms) 32 86.03 301.03 120.03 807 80664 86.23 301.23 120.23 807 806
1024 91.62 306.99 125.62 807 806
Objective of My Research Bridge the gaps
HE Design a more efficient HE algorithm Enhance it for multi-user systems
OPE Prove the security of the ideal OPE object Develop a multi-user OPE protocol
PPE Prove the security of the ideal PPE object Design a multi-user PPE protocol based on an existing PPE
Security Analysis of the Ideal OPE Security metric
zh = Average # of secure bits of plaintext under h known plaintext attacks = H~∞(X | Y, KPh)
H~∞ is the average min-entropy X is the plaintext, Y is a challenge (randomly generated ciphertext) KPh is h plaintext ciphertext pairs known by the adversary
Challenge of computing zh
It is difficult to find close-form expression for zh
Security Analysis of the Ideal OPE Instead, estimate the upper and lower bounds on zh
Upper bound on zh Choose KPh = { (xi, E*(xi)) | xi = i∙(m+1)/(h+1), 1≤i≤h }
xi is uniformly distributed
zh ≤ log2(m−h)/(h+1)
Lower bound on zh
Don’t know the strongest plaintext attack, how?
x1 x2xhx3
…
Security Analysis of the Ideal OPE Our approach to estimate the lower bound on zh
Observation KPh divides the domain and range
to h+1 subdomains and subranges KPh = {(xi, yi)}1≤i≤h
No plaintext attack within each subdomains and subranges
Estimate the lower bound for the case of no plaintext attack Defined as z0
Apply z0 to each subdomain and subrange (xi,yi) are variables
Accordingly, estimate zh ≥ clog2(m−h)/(h+1) Optimize the h (xi,yi) pairs 0 < c < 1
xj
yj
[m]
[n]
xj+1
yj+1
No plaintext attack
Security Analysis of the Ideal OPE zh = Θ(log2(m−h)/(h+1)) for n ≥ m3
Combine the lower bound and upper bound Θ denotes the big-theta notion
Theorem: constant ratio of bits are secure
Objective of My Research Bridge the gaps
HE Design a more efficient HE algorithm Enhance it for multi-user systems
OPE Prove the security of the ideal OPE object Develop a multi-user OPE protocol
PPE Prove the security of the ideal PPE object Design a multi-user PPE protocol based on an existing PPE
OPE for Multi-User System Challenge
All data should be encrypted by one key Simple solution:
One key agent holds the key and encrypt the data for users Has to have some knowledge of the key in order to encrypt
No entity should hold the encryption key But how to encrypt the data?
Possible solution: Use a group of key agents to “distributedly” encrypt the data How to design it so that the resulting ciphertexts are still
order-preserving? Existing data sharing schemes cannot achieve this
Basic-DOPE (digit-based OPE) User partitions the plaintext into “digits” Each key agent encrypts a single “digit” DB integrates the encrypted “digits”
Request protocol
Basic-DOPE (digit-based OPE) User partitions the plaintext into “digits” Each key agent encrypts a single “digit” DB integrates the encrypted “digits”
Request protocol
User DB
…
KA1 with k1
KAp with kp
…
KAj with kj
Basic-DOPE (digit-based OPE) User partitions the plaintext into “digits” Each key agent encrypts a single “digit” DB integrates the encrypted “digits”
User DB
…
KA1 with k1
KAp with kp
x1
xp
Request protocol
…
KAj with kj
xj
Expresses x in base A number system, i.e., x = 1j≤p xj · Aj−1
Basic-DOPE (digit-based OPE) User partitions the plaintext into “digits” Each key agent encrypts a single “digit” DB integrates the encrypted “digits”
User DB
…
KA1 with k1
KAp with kp yp
y1x1
xp
Request protocol
KAj encrypts xj by an OPE with kj
…
KAj with kj
xj yj
Basic-DOPE (digit-based OPE) User partitions the plaintext into “digits” Each key agent encrypts a single “digit” DB integrates the encrypted “digits”
User DB
…
KA1 with k1
KAp with kp yp
y1x1
xp
Request protocol
DB integrates the ciphertext COPE(x) = 1j≤p yj · Bj−1
In the base B number system
…
KAj with kj
xj yj
Example Base A = 10; base B = 20 p = 3
User DB
KA1 with k1
KA3 with k3y3 = OPE(5, k3)
y1 = OPE(3, k1)3
5
Request protocol
DB integrates the ciphertext COPE(x) = y3*202 + y2*20 + y1
User maps 583 to (5, 8, 3)
x = 583
KA2 with k28
y2 = OPE(8, k2)
KAj encrypts xj by an OPE with kj
If DB and one KA are compromised The adversary can get one “digit” of each data in DB
Security Issues of Basic-DOPE
User DB
KA1 with k1
KA3 with k3
KA2 with k2
Uses k3 to decrypt this digit
OPE( 5 8 3)
3
5
8
OPE(5, k3)
OPE(3, k1)
OPE(8, k2)
OPE( 2 5 6)
OPE( 7 3 1)
…
…
Solution Substitute each KA by a chain of key agents
Security Issues of Basic-DOPE
User DB
KA12 with k12
KA32 with k32z3=OPE(y3, k32)
z1=OPE(y1, k12)3
5
x = 583
KA22 with k228
z2=OPE(y2, k22)
KA11 with k11
KA31 with k31
KA21 with k21
y3=OPE(5, k31)
y1=OPE(3, k11)
y2=OPE(8, k21)
If the first KA in the chain is compromised A views the raw “digit”
Potential solution: Two party computation Too expensive
Security Issues of Basic-DOPE
can views raw digit
User DB
KA12 with k12
KA32 with k32
3
5
x = 583
KA22 with k228
KA11 with k11
KA31 with k31
KA21 with k21
OE-DOPE OE (Oblivious Encryption)
OE-DOPE OE (Oblivious Encryption)
“digit” x “micro-digits” (x1, x2, …, xu) Inserting micro-digits into random matrix
User Key agent DBEncrypt elements in the matrix …
r r x1 r r
r r r r x2
r x3 r r r
x4 r r r r
OE-DOPE OE (Oblivious Encryption)
“digit” x “micro-digits” (x1, x2, …, xu) Inserting micro-digits into random matrix
User Key agent DBEncrypt elements in the matrix …
DB knows which micro-digit to select and encrypt further
r r x1 r r
r r r r x2
r x3 r r r
x4 r r r r
(1,3), (2,5), (3,2), (4,1)
Position information
OE-DOPE OE (Oblivious Encryption)
“digit” x “micro-digits” (x1, x2, …, xu) Inserting micro-digits into random matrix
User Key agent DBEncrypt elements in the matrix …
DB knows which micro-digit to select and encrypt further
r r x1 r r
r r r r x2
r x3 r r r
x4 r r r r
(1,3), (2,5), (3,2), (4,1)
Position information
The probability to derive digit x is negligibly small
OPE for Multi-User Systems Response Protocol
Can simply reverse the request protocol Response may contain a large number of confidential data Reverse protocol can be very inefficient
DB maintains CCE(x) Encrypted using a conventional encryption (e.g AES) Key is granted to users with access privilege
User DBCCE(x)
Maintains COPE(x) and CCE(x)
Properties of OE-DOPE Security
Theorem: the probability for A to retrieve any “digit” is negligible if The underlying OPE has one-wayness security A cannot compromise all the key agents in a chain simultaneously
Versatile Our OE-DOPE can be applied to any OPE algorithm
Performance Study Basic-DOPE: 4 key agents
User ; DB Key agent
Performance Study OE-DOPE: 4 * 2 = 8 key agents
User ; DB Key agent
Performance Study Results for OPE Poly and Hyper
λ – data length NE = “No Encryption”
λ (bit)
NE (ms)
Poly (ms)
Basic-DOPE + Poly (ms)
OE-DOPE + Poly (ms)
Hyper (ms)
Basic-DOPE + Hyper (ms)
OE-DOPE + Hyper (ms)
8 85.87 85.87 166.62 194.35 106.24 506.06 7718.9032 86.03 86.03 167.83 214.18 20537 9.19E+0764 86.23 86.23 169.32 239.34 4965977.56
128 86.64 86.64 172.05 285.091024 91.62 91.99 197.23 786.72
Basic - DOPE is at most 2 times slower
OE - DOPE is at most 8 times slower
OE-DOPE is more expensive but more secure
Objective of My Research Bridge the gaps
HE Design a more efficient HE algorithm Enhance it for multi-user systems
OPE Prove the security of the ideal OPE object Develop a multi-user OPE protocol
PPE Prove the security of the ideal PPE object Design a multi-user PPE protocol based on an existing PPE
PPE Prove the security of the ideal PPE object
Weaken the security notion from IND-CPA to IND-PCPA Show that IND-PCPA can exactly qualify the security of the
ideal PPE object By mapping the prefix-preserving function to tree-based function
Design a multi-user PPE protocol Based on an existing PPE construction, which consists
A pseudo random function (PRF) A least significant bit extractor (LSB)
Distributedly compute PRF by DL Remove LSB
But will cause the ciphertext to be too long Develop a reduction method to reduce the size
Future Research Theoretical work
Further improve the security and performance of HE Construct better OPE and PPE algorithms to achieve better
security and improved performance
OPE PPEIND-OCPA ? IND-PCPA √
One-wayness security √ One-wayness security ?
Future Research HE application
Current key management systems have a centralized manager to generate and refresh keys and validate entities
In a large scale system, centralized solution won’t work E.g., the SCADA (supervisory control and data acquisition) system
includes a large number of meters and devices Expected to have billions of entities
Distributed key management Individual key managers will not be as trustworthy Probability of one of the many key managers being malicious or
compromised is very high Use HE for key manager computation
Large data space, uniform distribution suitable to our HE
HE application Centralized key manager
Distributed key manager
Key manager
HE application Centralized key manager
Distributed key manager
Key manager
HEHE HE
Future Research OPE application
Privacy preserving data mining Decision tree (with continuous attributes)
For each step, an attribute X and threshold t is selected Compute the information gain about X and t
o Comparisons are needed to determine the number of instances in each class
Use our multi-user OPE Handle training data from different sources Privacy requirement: Each data owner wishes not to disclose its data
to other parties
OPE application Privacy preserving data mining
Data owner
Data owner
Data owner
…
…
…… … …
… yij …
… … …
… … …
… xij …
… … …
… … …
… zij …
… … …
Data mining
Multi-user OPE
OPE application Privacy preserving data mining
Data owner
Data owner
Data owner
…
…
…… … …
… yij …
… … …
… … …
… xij …
… … …
… … …
… zij …
… … …
Data mining
Future Research PPE application
Anonymous analysis of internet traffic traces E.g., study web performance, routing performance analysis, or
clustering of end-systems Traffic log owners hesitate to make the traces public
Leak the identities of senders and receivers Use our PPE protocol
Handle traffic data from different sources Privacy requirement: No entity in the system has a global knowledge
to the traffic information
Question?