beyond the ideal object: towards disclosure-resilient order-preserving encryption schemes
DESCRIPTION
Beyond the Ideal Object: Towards Disclosure-Resilient Order-Preserving Encryption Schemes. Technische Universität Ilmenau CCSW 2013. Sander Wozniak Michael Rossberg Sascha Grau Ali Alshawish Guenter Schaefer. Order-Preserving Encryption (OPE). Domain of plaintexts: - PowerPoint PPT PresentationTRANSCRIPT
Beyond the Ideal Object:Towards Disclosure-Resilient
Order-Preserving Encryption Schemes
Sander Wozniak Michael Rossberg Sascha Grau Ali Alshawish Guenter Schaefer
Technische Universität IlmenauCCSW 2013
S. Wozniak – Beyond the Ideal Object: Towards Disclosure-Resilient Order-Preserving Encryption Schemes 2
• Domain of plaintexts:• Range of ciphertexts:
• For an encryption function an OPE scheme satisfies:
• Application in the context of cloud computing: – Users may not fully trust their service providers– Need to encrypt the outsourced data– OPE enables efficient range queries in standard DBMS
Order-Preserving Encryption (OPE)
S. Wozniak – Beyond the Ideal Object: Towards Disclosure-Resilient Order-Preserving Encryption Schemes 3
OPE based on Order-Preserving Functions• OPF-based Schemes:
– Rely on Order-Preserving Functions (OPFs) drawn from:
– OPE scheme based on a chosen OPF
• Choosing Order-Preserving Functions– Standard model: “Ideal Object” (Boldyreva et al., 2009):
OPFs are drawn uniformly at random– In this work: alternative OPF construction schemes
S. Wozniak – Beyond the Ideal Object: Towards Disclosure-Resilient Order-Preserving Encryption Schemes 4
Weaknesses of the “Ideal Object”• One-wayness of “ideal object” is not satisfying
– Existing research highlights the significance of the most likely plaintext (m.l.p.) of a given ciphertext
– Empiric frequency distributions for 108 OPFs:
S. Wozniak – Beyond the Ideal Object: Towards Disclosure-Resilient Order-Preserving Encryption Schemes 5
Disclosure-Resilience of OPE• Given: OPF construction scheme• Attacker model:
– and the plaintext space is known to adversaries– Adversaries have limited additional information:
• Known ciphertexts• Known/chosen plaintext-ciphertext pairs
– Given a challenge ciphertext , adversaries have to accurately estimate the plaintext producing
• is referred to as disclosure-resilient if it:– provides a sufficient number of plaintexts producing– maintains this property in case of disclosed information
S. Wozniak – Beyond the Ideal Object: Towards Disclosure-Resilient Order-Preserving Encryption Schemes 6
Plaintext p
Prob
abili
ty o
f bei
ng
assig
ned
to c
iphe
rtex
t cAverage Number of Significant Plaintexts• Measures the number of plaintexts that an attacker has
to consider as candidates for a challenge ciphertext
Weighted average over all ciphertexts:
Number of significant plaintexts for a ciphertext:
Threshold
Note: this is not a quantile!
S. Wozniak – Beyond the Ideal Object: Towards Disclosure-Resilient Order-Preserving Encryption Schemes 7
Average Expected Estimation Error• Measures the error of a maximum-likelihood estimator
using the most likely plaintexts of a challenge ciphertextExpected estimator error:
Weighted average over all ciphertexts:
Error Plaintext p
Prob
abili
ty o
f bei
ng
assig
ned
to c
iphe
rtex
t c
S. Wozniak – Beyond the Ideal Object: Towards Disclosure-Resilient Order-Preserving Encryption Schemes 8
Random Offset Addition• Draw a random offset• Encryption function:
• Disclosure-resilient for very few known ciphertexts• No resilience against known plaintext-ciphertext pairs
Plaintext p
Ciph
erte
xt c
Random
offset
OPF1
OPF4
OPF5
OPF3
OPF2
108 OPFs
S. Wozniak – Beyond the Ideal Object: Towards Disclosure-Resilient Order-Preserving Encryption Schemes 9
Random Uniform Sampling• Choose a splitting element:
– Random selection / median of the (sub)domain• Randomly assign ciphertext to chosen plaintext• Recursively sample subspaces
Plaintext p
Ciph
erte
xt c
Splitting elementp1p2
p3
c1
c3
c2
108 OPFs
S. Wozniak – Beyond the Ideal Object: Towards Disclosure-Resilient Order-Preserving Encryption Schemes 10
Random Subrange Selection• Randomly decide whether to draw or first
– Lower bound first: ;– Upper bound first: ;
• Sample OPF from subrange(alternative constr. scheme)
Plaintext p
Ciphertext c
S. Wozniak – Beyond the Ideal Object: Towards Disclosure-Resilient Order-Preserving Encryption Schemes 11
Evaluation and Results• Empiric evaluation using 108 randomly generated OPFs
The suggested OPF construction schemes reduce the significance of specific plaintexts
S. Wozniak – Beyond the Ideal Object: Towards Disclosure-Resilient Order-Preserving Encryption Schemes 12
Average Number of Significant Plaintexts108 OPFs
A B
C D B: Disclosure of ciphertexts affects all approaches; novel schemes more effective than “ideal object”
D: Chosen pairs render all schemes ineffective
A: Novel schemes increase ;offset addition and subrange selection most effective
C: Known pairs strongly decrease ; offset add. ineffective ; subrange selection less effective
S. Wozniak – Beyond the Ideal Object: Towards Disclosure-Resilient Order-Preserving Encryption Schemes 13
Average Expected Estimation Error108 OPFs
A B
C D
confirms the results of ;subrange selection using the “ideal object” shows a smaller error (dominant peak of m.l.p.)
S. Wozniak – Beyond the Ideal Object: Towards Disclosure-Resilient Order-Preserving Encryption Schemes 14
Conclusion & Outlook• Conclusion
– The suggested OPF construction schemes are able to reduce the significance of specific plaintexts when compared to the “ideal object”
– However, the resilience against the disclosure of additional information is not yet sufficient for practical applications
• Future work– Consider the impact of an increasing range size– Investigate alternative OPF construction schemes with high
disclosure-resilience in case of well-informed adversaries
Sander [email protected]
Thank you for your attention!
Telematics and Computer Networks GroupTechnische Universität Ilmenau, Germany