1 conjunctive, subset, and range queries on encrypted data presenter: 陳國璋 lecture notes in...

1

Conjunctive, Subset, and Range Queries on Encrypted Data

Presenter: 陳國璋

Lecture Notes in Computer Science, 2007

Dan Boneh and Brent Waters

2

Outline

Introduction Definition Brute Force Construction Pairings and complexity assumption Hidden Vector Encryption Application of HVE Conclusion

3

Introduction(1/3)

VisaCredit card payment

GatewayEncrypted

Transaction

Visa’s Public Key

EncryptedTransactionEncrypted

Transaction

Predicate P[value over $1000]

Given by Visa

Yes

No

More Secure Processing

Normally Secure Processing

4

Introduction(2/3)

Mail Server

P P’

Satisfy P

Satisfy P’

inbox

Discard

Recipient’s pager

Recipient’sPublic key

Given by Recipient

5

Introduction(3/3)

Hidden Vector Encryption (HVE) Extreme example, Anonymous Identity B

ased Encryption (AnonIBE) Query type

Equality query Comparison query Subset query

6

Outline


7

Definition(1/4)

Σ: finite set of binary strings Predicate P over Σ is a function

P: Σ →{0,1} S∈Σ if P(S)=1

8

Definition(2/4) Φ: set of predicates over Σ Φ-searchable public key system

Setup(λ) Input security parameter λ Output public key PK and secret key SK

Encrypt(PK,S,M) Public key PK S∈Σ as the searchable field, called an index M as the data

9

Definition(3/4)

Φ-searchable public key system GenToken(SK,<P>)

Input secret key SK and a predicate P∈Φ Output a token TK

Query(TK,C) Input token TK for some predicate P and a ciph

ertext C that is an encryption of (S,M) Output M or ⊥

10

Definition(4/4) Correctness

Query correctness

If ( ) 1 then ( , )

If ( ) 0 then Pr[ ( , ) ] 1 ( )

where ( )

( , ) and all predicate

is a negli

(

gib

, ) ( )

(

le fu

, ,

nc o

)

)

n

(

ti

,

R

R

R

P S

S M M P

PK SK Setup

C Encrypt PK S M

TK GenToke

Query TK C M

P S Query C

n SK P

TK

11

Outline


12

Brute Force Construction(1/9)

Σ: finite set of binary strings Build a Φ-searchable public key system ε

TR

ε=(Setup’, Encrypt’, Decrypt’) be a public key system

Φ={P1,P2,…,Pt}

13


Setup(λ) Run Setup’(λ) t times PK←(PK1,…,PKt) SK←(SK1,…,SKt) Output (PK, SK)

14

Brute Force Construction(3/9) Encrypt(PK,S,M)

For i= 1,…,t define:

Output C←(C1,…,Ct)

'( , ), if ( ) 1

'( , ), o.wi iR

ii

Encrypt PK M P SC

Encrypt PK

15


GenToken(SK,<P>) <P> is the description of predicate Φ The index i of Pi in Φ Output TK←(i,SKi)

16

Brute Force Construction(5/9) Query(TK,C)

C=(C1,…,Ct) TK=(i,SKi) Output Decrypt’(SKi,Ci)

17


Example for single query Σ={1,2,3,4,5} Φ={P1,P2,P3} Setup(λ)

Run 3 times Setup’(λ) PK←(PK1,PK2,PK3) SK←(SK1,SK2,SK3)

18


Encrypt(PK,4,M) C1←Encrypt’(PK1,⊥) C2←Encrypt’(PK2,⊥) C3←Encrypt’(PK3,M) C←(C1,C2,C3)

x 1 2 3 4 5

P1(x) 0 1 1 0 0

P2(x) 1 0 0 0 0

P3(x) 0 0 0 1 1

19


x 1 2 3 4 5

P1(x)

0 1 1 0 0

P2(x)

1 0 0 0 0

P3(x)

0 0 0 1 1GenToken(SK,<P2>) GenToken(SK,<P3>)TK1←(2,SK2) TK2←(3,SK3)

Query(TK1,C) Query(TK2,C)

Decrypt’(SK2,C2)=⊥ Decrypt’(SK3,C3)=M

20

Brute Force Construction(9/9) Example for conjunctive comparison predicate

s Σ={1,…,n}w={1,2,3,4,5}4

n is the maximum value for each cell w is the number of the cells

Φn,w be a set of predicates, |Φn,w|=nw=54

1... 1

1

1, if for all 1,...,( ... )

0, . .

where ( ... ) {1,..., }

w

i ia a w

ww

x a i wP x x

o w

a a n

21

Outline


22

Pairings and complexity assumption(1/5)

p, q are two big primes. n =pq G: bilinear group, order = n Gp: cyclic group, order = p Gq: cyclic group, order = q GT: cyclic group e:G2→GT satisfied as follows

Biliner: ∀u, v∈G, e(ua,vb)=e(u,v)ab

Non-degenerate: ∃g s.t. e(g,g) has order n in GT

23


The composite Bilinear Diffie-Hellman assumption (cBDH) ( , , , , )

, ,

, ,

(( , , , , , )

( , )

, , , , , )

( , )

RT

R Rp p q q

Rn

a b cp q T p p p p

abcp p

q

p q G G e GroupGenerator

n pq g G g G

a b c Z

Z p q G G G e g g g g

e g g

g

T

Output Z T

24


The advantage of cBDH | Pr[ ( , ) 1] Pr[ ( , ) 1] |

where ( , ) and

cBDH

R RT

Adv A Z T A Z R

Z T GroupGenerator R G

25


The composite 3-party Diffie-Hellman assumption (c3DH)

1 2 3

1 2

3

( , , , , )

, ,

, ,

(( , , , , , ), , , , , , )

( , )

, ,

RT

R R

Rq

a b ab abcp p p p

c

p p q q

Rn

p q T

p

p q

p q G G e GroupGenerator

n pq g G g G

a b

R R

c Z

Z p q G G G

R G

g g g R ge g g

T

Output Z

g

T

R

R

26


The advantage of c3DH 3 | Pr[ ( , ) 1] Pr[ ( , ) 1] |

where ( , ) and

c DH

R R

Adv A Z T A Z R

Z T GroupGenerator R G

27

Outline


28

Hidden Vector Encryption(1/10)

ConjunctiveGeneral

Predicate

Multi-cellPractical

Value

PredicateVector

PracticalVector

SK

Ciphertext

Token

Data / ⊥

Data

PK

GenTokenHVE

EncryptHVE

QueryHVE

29


Σ: finite set *: special symbol, plays the role of a

wildcard or don’t care. Σ* = Σ∪{*}

30


1 *

1

( ,..., )

define a predicate over as follows:

( ,..., )

1, if 1,..., :

,

( or *)

0,

*

. .

ll

HVE l

ll

i i iHVE

In other word the vector x matches

in all coordinates where

P

x x x

i l xP

o

is not

w

* { , }

.

.

HVE lHVE

width

Let P

l as the of the HVE

31


1 *

1

( ,..., ) : predicate vector

( ,..., ) : practical vector

1, 1,..., : ( or *)( )

0, . .

For example,

take (1** **1 *1*)

and (110 001 010)

( ) 1

ll

ll

i i iHVE

HVE

x x x

i l xP x

o w

x

P x

32


Particular HVE construction Σ=Zm for some integer m Σ* =Zm∪{*}

33

Hidden Vector Encryption(6/10) SetupHVE(λ)

Choose random primes p,q > m Create a bilinear group G of order n Picks random elements

34


31 1 1

3,1 ,1 ,1 , , ,

( , , ),...,( , , )

, , , a exponent

(3 1) random blind

Secret

ing factor

( , , ),

Key :

And then,

in

For Public Key

...,( , , ) ,

, ( , ) ,

:

l l l p

p q q p

u h w u l h l w l q v q

v

q

u h w u h w G

g v G g G Z

l

R R R R R R G R G

V

SK

G

P

vR A g

K

e v

1 1 ,1 1 1 ,1 1 1 ,1

, , ,1

u h w

l l u l l l h l l l w

U u R H h R W w R

U u R H h R W w R

35

Hidden Vector Encryption(8/10) EncryptHVE(PK,I,M)

1( ,..., ) ll mI I I Z

21,1 1,2 ,1 ,2

random

random

random ( , ),...,( , )

n

q

l l q

s Z

Z G

Z Z Z Z G

11,1 1 1 1,1 1,2 1 1,2

0

,1 ,1 ,2 ,2

( )

( ' , ,

:

)

( )l

s s

s s

s sl l l l l

I

Il l

C U H Z C W Z

C C MA C V Z

C U H

Ciphertex

C W

t

Z Z

36

Hidden Vector Encryption(9/10) GenTokenHVE(SK,I*)

S be a set of all index i s.t. Ii ≠ * Choose random Generate a token for the predicate

* 1( ,..., ) { {*}}ll mI I I Z

2,1 ,2( , ) ,i i pr r Z i S

*

HVEIP

,1 ,2

,1 ,2

* 0

,1 ,2

( , ( ) ,

, )

i i

i

i

i

r ri i i

i S

r ri

I

i

TK I K g u h w i S

K v K v

37


QueryHVE(TK,C) First, compte

If M is not in data space, output ⊥. Otherwise, output M.

0 0 ,1 ,1 ,2 ,2' / ( ( , ) / ( , ) ( , ))i i i ii S

M C e C K e C K e C K

38

Outline


39

Application of HVE(1/15)

ConjunctiveGeneral

Predicate

Multi-cellPractical

Value

PredicateVector

PracticalVector

SK

Ciphertext

Token

Data / ⊥

Data

PK

GenTokenHVE

EncryptHVE

QueryHVE

40

Application of HVE(2/15) Example for conjunctive comparison queries Σ01={0,1}=Z2

Σ01*={0,1,*}=Z2∪{*} Take n=3, w=4, then l=nw=12, m=2 Secure HVE over Σ01

12

(SetupHVE, EncryptHVE, GenTokenHVE, QueryHVE) Construct a Φn,w-searchable system as follows

41


Setup(λ) Run SetupHVE(λ) Get public key PK and secret ket SK.

42

Application of HVE(4/15) Encrypt(PK,S,M)

S=(x1,…,xw)∈{1,…,n}w={1,2,3}4

Build a vector σ(S)=(σi,j)∈Σ01nw=Σ01

12

σi,j=1 if xi ≧ j; σi,j=0, otherwise For example, take S=(1,3,2,1) Vector σ(S) = (100 111 110 100) Output C←EncryptHVE(PK,σ(S),M), size = O(nw)

xi j

1 2 3

x1=1 1 0 0

x2=3 1 1 1

x3=2 1 1 0

x4=1 1 0 0

43

Application of HVE(5/15) GenToken(SK,<Pa>)

a=(a1,a2,a3,a4)∈{1,…,n}w={1,2,3}4

Build a vector σ*(a)=(σ*i,j)∈Σ01*nw=Σ01*

12

σ*i,j=1 if xi=j; σ*i,j=*, otherwise For example, take a = (2,3,1,1) Vector σ*(a) = (*1* **1 1** 1**) Output TKa←GenTokenHVE(SK,σ*(a)), size = O(w)

ai j 1 2 3

a1=2 * 1 *a2=3 * * 1

a3=1 1 * *a4=1 1 * *

44


Query(TKa,C) Run QueryHVE(TKa,C)

45

Application of HVE(7/15) S=(1,3,2,1) and a=(2,3,1,1) Pa(S)=(x1≧2)^(x2≧3)^(x3≧1)^(x4≧1)=0

* ( )( ) 1 ( ( )) 1HVEa aP S iff P S

* ( ) ( ( )) (100 111 110 100) ^

(*1* **1 1** 1**) 0

HVEaP S

46

Application of HVE(8/15) S=(2,3,2,1) and a=(2,3,1,1) Pa(S)=(x1≧2)^(x2≧3)^(x3≧1)^(x4≧1)=1

* ( )( ) 1 ( ( )) 1HVEa aP S iff P S

* ( ) ( ( )) (110 111 110 100) ^

(*1* **1 1** 1**) 1

HVEaP S

47


Conjunctive range queries To search for plaintext where x∈[a,b] Encrypts the pair (x,x) The predicate then tests x≧a ^ x≦b

48


Subset queries T: set of size n A⊆T Subset predicate

PA(x)=1 if x∈A; PA(x) = 0, otherwise

49


Conjunctive subset predicates over Tw

σ=(A1,…,Aw) where Ai⊆T, i=1,…,w σ∈(2T)w

x=(x1,…,xw) Pσ(x)=1, if xi∈Ai ∀i=1,…,w; Pσ(x)=0, otherwise

50


T={1,2,3,4,5}, |T|=n=5, w=4 A1={1,2,4}, A2={3,5}, A3={1,5},

A4={2} Φ={Pσ,∀σ∈(2T)w}, |Φ|=2nw=220

51

Application of HVE(13/15) Encrypt(PK,S,M)

S=(x1,…,xw)∈{1,…,n}w={1,2,3,4,5}4

Build a vector σ(S)=(σi,j)∈Σ01nw=Σ01

20

σi,j=1 if xi≠j; σi,j=0, otherwise For example, take S=(4,5,2,3) Vector σ(S) = (11101 11110 10111 11011) Output C←EncryptHVE(PK,σ(S),M), size = O(nw)

xi j 1 2 3 4 5

x1=4 1 1 1 0 1

x2=5 1 1 1 1 0

x3=2 1 0 1 1 1

x4=3 1 1 0 1 1

52

Application of HVE(14/15) GenToken(SK,<Pa>)

a=(A1,A2,A3,A4)∈{1,…,n}w={1,2,3,4,5}4

Build a vector σ*(a)=(σ*i,j)∈Σ01*nw=Σ01*

20

σ*i,j=1 if j≠Ai; σ*i,j=*, otherwise For example, take a = (A1,A2,A3,A4) A1={1,2,4}, A2={3,5}, A3={1,5}, A4={2} Vector σ*(a) = (**1*1 11*1* *111* 1*111) Output TKa←GenTokenHVE(SK,σ*(a)), size = O(nw)Ai j 1 2 3 4 5

A1={1,2,4}

* * 1 * 1

A2={3,5} 1 1 * 1 *A3={1,5} * 1 1 1 *A4={2} 1 * 1 1 1

53

Application of HVE(15/15) S=(4,5,2,3) and a=(A1,A2,A3,A4) A1={1,2,4}, A2={3,5}, A3={1,5}, A4={2} Pa(S)=(4∈A1)^(5∈A2)^(2∈A3)^(3∈A4)=0

* ( )( ) 1 ( ( )) 1HVEa aP S iff P S

* ( ) ( ( )) (**1*1 11*1* *111* 1*111) ^

(11101 11110 10111 11011) 0

HVEaP S

54

Outline


55

Conclusion(1/2)

ConjunctiveGeneral

Predicate

Multi-cellPractical

Value

PredicateVector

PracticalVector

SK

Ciphertext

Token

Data / ⊥

Data

PK

GenTokenHVE

EncryptHVE

QueryHVE

56

Conclusion(2/2)

As the width of HVE is 1, the HVE scheme is essentially an Aonymous IBE system.

Improve the size of ciphertext. The predicate vector and the practical ve

ctor are unique. Composite queries.

Range query + Subset query

1 conjunctive, subset, and range queries on encrypted data presenter: 陳國璋 lecture notes in...

Documents