View
216
Download
2
Embed Size (px)
Citation preview
1
Conjunctive, Subset, and Range Queries on Encrypted Data
Presenter: 陳國璋
Lecture Notes in Computer Science, 2007
Dan Boneh and Brent Waters
2
Outline
Introduction Definition Brute Force Construction Pairings and complexity assumption Hidden Vector Encryption Application of HVE Conclusion
3
Introduction(1/3)
VisaCredit card payment
GatewayEncrypted
Transaction
Visa’s Public Key
EncryptedTransactionEncrypted
Transaction
Predicate P[value over $1000]
Given by Visa
Yes
No
More Secure Processing
Normally Secure Processing
4
Introduction(2/3)
Mail Server
P P’
Satisfy P
Satisfy P’
inbox
Discard
Recipient’s pager
Recipient’sPublic key
Given by Recipient
5
Introduction(3/3)
Hidden Vector Encryption (HVE) Extreme example, Anonymous Identity B
ased Encryption (AnonIBE) Query type
Equality query Comparison query Subset query
6
Outline
Introduction Definition Brute Force Construction Pairings and complexity assumption Hidden Vector Encryption Application of HVE Conclusion
7
Definition(1/4)
Σ: finite set of binary strings Predicate P over Σ is a function
P: Σ →{0,1} S∈Σ if P(S)=1
8
Definition(2/4) Φ: set of predicates over Σ Φ-searchable public key system
Setup(λ) Input security parameter λ Output public key PK and secret key SK
Encrypt(PK,S,M) Public key PK S∈Σ as the searchable field, called an index M as the data
9
Definition(3/4)
Φ-searchable public key system GenToken(SK,<P>)
Input secret key SK and a predicate P∈Φ Output a token TK
Query(TK,C) Input token TK for some predicate P and a ciph
ertext C that is an encryption of (S,M) Output M or ⊥
10
Definition(4/4) Correctness
Query correctness
If ( ) 1 then ( , )
If ( ) 0 then Pr[ ( , ) ] 1 ( )
where ( )
( , ) and all predicate
is a negli
(
gib
, ) ( )
(
le fu
, ,
nc o
)
)
n
(
ti
,
R
R
R
P S
S M M P
PK SK Setup
C Encrypt PK S M
TK GenToke
Query TK C M
P S Query C
n SK P
TK
11
Outline
Introduction Definition Brute Force Construction Pairings and complexity assumption Hidden Vector Encryption Application of HVE Conclusion
12
Brute Force Construction(1/9)
Σ: finite set of binary strings Build a Φ-searchable public key system ε
TR
ε=(Setup’, Encrypt’, Decrypt’) be a public key system
Φ={P1,P2,…,Pt}
13
Brute Force Construction(2/9)
Setup(λ) Run Setup’(λ) t times PK←(PK1,…,PKt) SK←(SK1,…,SKt) Output (PK, SK)
14
Brute Force Construction(3/9) Encrypt(PK,S,M)
For i= 1,…,t define:
Output C←(C1,…,Ct)
'( , ), if ( ) 1
'( , ), o.wi iR
ii
Encrypt PK M P SC
Encrypt PK
15
Brute Force Construction(4/9)
GenToken(SK,<P>) <P> is the description of predicate Φ The index i of Pi in Φ Output TK←(i,SKi)
16
Brute Force Construction(5/9) Query(TK,C)
C=(C1,…,Ct) TK=(i,SKi) Output Decrypt’(SKi,Ci)
17
Brute Force Construction(6/9)
Example for single query Σ={1,2,3,4,5} Φ={P1,P2,P3} Setup(λ)
Run 3 times Setup’(λ) PK←(PK1,PK2,PK3) SK←(SK1,SK2,SK3)
18
Brute Force Construction(7/9)
Encrypt(PK,4,M) C1←Encrypt’(PK1,⊥) C2←Encrypt’(PK2,⊥) C3←Encrypt’(PK3,M) C←(C1,C2,C3)
x 1 2 3 4 5
P1(x) 0 1 1 0 0
P2(x) 1 0 0 0 0
P3(x) 0 0 0 1 1
19
Brute Force Construction(8/9)
x 1 2 3 4 5
P1(x)
0 1 1 0 0
P2(x)
1 0 0 0 0
P3(x)
0 0 0 1 1GenToken(SK,<P2>) GenToken(SK,<P3>)TK1←(2,SK2) TK2←(3,SK3)
Query(TK1,C) Query(TK2,C)
Decrypt’(SK2,C2)=⊥ Decrypt’(SK3,C3)=M
20
Brute Force Construction(9/9) Example for conjunctive comparison predicate
s Σ={1,…,n}w={1,2,3,4,5}4
n is the maximum value for each cell w is the number of the cells
Φn,w be a set of predicates, |Φn,w|=nw=54
1... 1
1
1, if for all 1,...,( ... )
0, . .
where ( ... ) {1,..., }
w
i ia a w
ww
x a i wP x x
o w
a a n
21
Outline
Introduction Definition Brute Force Construction Pairings and complexity assumption Hidden Vector Encryption Application of HVE Conclusion
22
Pairings and complexity assumption(1/5)
p, q are two big primes. n =pq G: bilinear group, order = n Gp: cyclic group, order = p Gq: cyclic group, order = q GT: cyclic group e:G2→GT satisfied as follows
Biliner: ∀u, v∈G, e(ua,vb)=e(u,v)ab
Non-degenerate: ∃g s.t. e(g,g) has order n in GT
23
Pairings and complexity assumption(2/5)
The composite Bilinear Diffie-Hellman assumption (cBDH) ( , , , , )
, ,
, ,
(( , , , , , )
( , )
, , , , , )
( , )
RT
R Rp p q q
Rn
a b cp q T p p p p
abcp p
q
p q G G e GroupGenerator
n pq g G g G
a b c Z
Z p q G G G e g g g g
e g g
g
T
Output Z T
24
Pairings and complexity assumption(3/5)
The advantage of cBDH | Pr[ ( , ) 1] Pr[ ( , ) 1] |
where ( , ) and
cBDH
R RT
Adv A Z T A Z R
Z T GroupGenerator R G
25
Pairings and complexity assumption(4/5)
The composite 3-party Diffie-Hellman assumption (c3DH)
1 2 3
1 2
3
( , , , , )
, ,
, ,
(( , , , , , ), , , , , , )
( , )
, ,
RT
R R
Rq
a b ab abcp p p p
c
p p q q
Rn
p q T
p
p q
p q G G e GroupGenerator
n pq g G g G
a b
R R
c Z
Z p q G G G
R G
g g g R ge g g
T
Output Z
g
T
R
R
26
Pairings and complexity assumption(5/5)
The advantage of c3DH 3 | Pr[ ( , ) 1] Pr[ ( , ) 1] |
where ( , ) and
c DH
R R
Adv A Z T A Z R
Z T GroupGenerator R G
27
Outline
Introduction Definition Brute Force Construction Pairings and complexity assumption Hidden Vector Encryption Application of HVE Conclusion
28
Hidden Vector Encryption(1/10)
ConjunctiveGeneral
Predicate
Multi-cellPractical
Value
PredicateVector
PracticalVector
SK
Ciphertext
Token
Data / ⊥
Data
PK
GenTokenHVE
EncryptHVE
QueryHVE
29
Hidden Vector Encryption(2/10)
Σ: finite set *: special symbol, plays the role of a
wildcard or don’t care. Σ* = Σ∪{*}
30
Hidden Vector Encryption(3/10)
1 *
1
( ,..., )
define a predicate over as follows:
( ,..., )
1, if 1,..., :
,
( or *)
0,
*
. .
ll
HVE l
ll
i i iHVE
In other word the vector x matches
in all coordinates where
P
x x x
i l xP
o
is not
w
* { , }
.
.
HVE lHVE
width
Let P
l as the of the HVE
31
Hidden Vector Encryption(4/10)
1 *
1
( ,..., ) : predicate vector
( ,..., ) : practical vector
1, 1,..., : ( or *)( )
0, . .
For example,
take (1** **1 *1*)
and (110 001 010)
( ) 1
ll
ll
i i iHVE
HVE
x x x
i l xP x
o w
x
P x
32
Hidden Vector Encryption(5/10)
Particular HVE construction Σ=Zm for some integer m Σ* =Zm∪{*}
33
Hidden Vector Encryption(6/10) SetupHVE(λ)
Choose random primes p,q > m Create a bilinear group G of order n Picks random elements
34
Hidden Vector Encryption(7/10)
31 1 1
3,1 ,1 ,1 , , ,
( , , ),...,( , , )
, , , a exponent
(3 1) random blind
Secret
ing factor
( , , ),
Key :
And then,
in
For Public Key
...,( , , ) ,
, ( , ) ,
:
l l l p
p q q p
u h w u l h l w l q v q
v
q
u h w u h w G
g v G g G Z
l
R R R R R R G R G
V
SK
G
P
vR A g
K
e v
1 1 ,1 1 1 ,1 1 1 ,1
, , ,1
u h w
l l u l l l h l l l w
U u R H h R W w R
U u R H h R W w R
35
Hidden Vector Encryption(8/10) EncryptHVE(PK,I,M)
1( ,..., ) ll mI I I Z
21,1 1,2 ,1 ,2
random
random
random ( , ),...,( , )
n
q
l l q
s Z
Z G
Z Z Z Z G
11,1 1 1 1,1 1,2 1 1,2
0
,1 ,1 ,2 ,2
( )
( ' , ,
:
)
( )l
s s
s s
s sl l l l l
I
Il l
C U H Z C W Z
C C MA C V Z
C U H
Ciphertex
C W
t
Z Z
36
Hidden Vector Encryption(9/10) GenTokenHVE(SK,I*)
S be a set of all index i s.t. Ii ≠ * Choose random Generate a token for the predicate
* 1( ,..., ) { {*}}ll mI I I Z
2,1 ,2( , ) ,i i pr r Z i S
*
HVEIP
,1 ,2
,1 ,2
* 0
,1 ,2
( , ( ) ,
, )
i i
i
i
i
r ri i i
i S
r ri
I
i
TK I K g u h w i S
K v K v
37
Hidden Vector Encryption(10/10)
QueryHVE(TK,C) First, compte
If M is not in data space, output ⊥. Otherwise, output M.
0 0 ,1 ,1 ,2 ,2' / ( ( , ) / ( , ) ( , ))i i i ii S
M C e C K e C K e C K
38
Outline
Introduction Definition Brute Force Construction Pairings and complexity assumption Hidden Vector Encryption Application of HVE Conclusion
39
Application of HVE(1/15)
ConjunctiveGeneral
Predicate
Multi-cellPractical
Value
PredicateVector
PracticalVector
SK
Ciphertext
Token
Data / ⊥
Data
PK
GenTokenHVE
EncryptHVE
QueryHVE
40
Application of HVE(2/15) Example for conjunctive comparison queries Σ01={0,1}=Z2
Σ01*={0,1,*}=Z2∪{*} Take n=3, w=4, then l=nw=12, m=2 Secure HVE over Σ01
12
(SetupHVE, EncryptHVE, GenTokenHVE, QueryHVE) Construct a Φn,w-searchable system as follows
41
Application of HVE(3/15)
Setup(λ) Run SetupHVE(λ) Get public key PK and secret ket SK.
42
Application of HVE(4/15) Encrypt(PK,S,M)
S=(x1,…,xw)∈{1,…,n}w={1,2,3}4
Build a vector σ(S)=(σi,j)∈Σ01nw=Σ01
12
σi,j=1 if xi ≧ j; σi,j=0, otherwise For example, take S=(1,3,2,1) Vector σ(S) = (100 111 110 100) Output C←EncryptHVE(PK,σ(S),M), size = O(nw)
xi j
1 2 3
x1=1 1 0 0
x2=3 1 1 1
x3=2 1 1 0
x4=1 1 0 0
43
Application of HVE(5/15) GenToken(SK,<Pa>)
a=(a1,a2,a3,a4)∈{1,…,n}w={1,2,3}4
Build a vector σ*(a)=(σ*i,j)∈Σ01*nw=Σ01*
12
σ*i,j=1 if xi=j; σ*i,j=*, otherwise For example, take a = (2,3,1,1) Vector σ*(a) = (*1* **1 1** 1**) Output TKa←GenTokenHVE(SK,σ*(a)), size = O(w)
ai j 1 2 3
a1=2 * 1 *a2=3 * * 1
a3=1 1 * *a4=1 1 * *
44
Application of HVE(6/15)
Query(TKa,C) Run QueryHVE(TKa,C)
45
Application of HVE(7/15) S=(1,3,2,1) and a=(2,3,1,1) Pa(S)=(x1≧2)^(x2≧3)^(x3≧1)^(x4≧1)=0
* ( )( ) 1 ( ( )) 1HVEa aP S iff P S
* ( ) ( ( )) (100 111 110 100) ^
(*1* **1 1** 1**) 0
HVEaP S
46
Application of HVE(8/15) S=(2,3,2,1) and a=(2,3,1,1) Pa(S)=(x1≧2)^(x2≧3)^(x3≧1)^(x4≧1)=1
* ( )( ) 1 ( ( )) 1HVEa aP S iff P S
* ( ) ( ( )) (110 111 110 100) ^
(*1* **1 1** 1**) 1
HVEaP S
47
Application of HVE(9/15)
Conjunctive range queries To search for plaintext where x∈[a,b] Encrypts the pair (x,x) The predicate then tests x≧a ^ x≦b
48
Application of HVE(10/15)
Subset queries T: set of size n A⊆T Subset predicate
PA(x)=1 if x∈A; PA(x) = 0, otherwise
49
Application of HVE(11/15)
Conjunctive subset predicates over Tw
σ=(A1,…,Aw) where Ai⊆T, i=1,…,w σ∈(2T)w
x=(x1,…,xw) Pσ(x)=1, if xi∈Ai ∀i=1,…,w; Pσ(x)=0, otherwise
50
Application of HVE(12/15)
T={1,2,3,4,5}, |T|=n=5, w=4 A1={1,2,4}, A2={3,5}, A3={1,5},
A4={2} Φ={Pσ,∀σ∈(2T)w}, |Φ|=2nw=220
51
Application of HVE(13/15) Encrypt(PK,S,M)
S=(x1,…,xw)∈{1,…,n}w={1,2,3,4,5}4
Build a vector σ(S)=(σi,j)∈Σ01nw=Σ01
20
σi,j=1 if xi≠j; σi,j=0, otherwise For example, take S=(4,5,2,3) Vector σ(S) = (11101 11110 10111 11011) Output C←EncryptHVE(PK,σ(S),M), size = O(nw)
xi j 1 2 3 4 5
x1=4 1 1 1 0 1
x2=5 1 1 1 1 0
x3=2 1 0 1 1 1
x4=3 1 1 0 1 1
52
Application of HVE(14/15) GenToken(SK,<Pa>)
a=(A1,A2,A3,A4)∈{1,…,n}w={1,2,3,4,5}4
Build a vector σ*(a)=(σ*i,j)∈Σ01*nw=Σ01*
20
σ*i,j=1 if j≠Ai; σ*i,j=*, otherwise For example, take a = (A1,A2,A3,A4) A1={1,2,4}, A2={3,5}, A3={1,5}, A4={2} Vector σ*(a) = (**1*1 11*1* *111* 1*111) Output TKa←GenTokenHVE(SK,σ*(a)), size = O(nw)Ai j 1 2 3 4 5
A1={1,2,4}
* * 1 * 1
A2={3,5} 1 1 * 1 *A3={1,5} * 1 1 1 *A4={2} 1 * 1 1 1
53
Application of HVE(15/15) S=(4,5,2,3) and a=(A1,A2,A3,A4) A1={1,2,4}, A2={3,5}, A3={1,5}, A4={2} Pa(S)=(4∈A1)^(5∈A2)^(2∈A3)^(3∈A4)=0
* ( )( ) 1 ( ( )) 1HVEa aP S iff P S
* ( ) ( ( )) (**1*1 11*1* *111* 1*111) ^
(11101 11110 10111 11011) 0
HVEaP S
54
Outline
Introduction Definition Brute Force Construction Pairings and complexity assumption Hidden Vector Encryption Application of HVE Conclusion
55
Conclusion(1/2)
ConjunctiveGeneral
Predicate
Multi-cellPractical
Value
PredicateVector
PracticalVector
SK
Ciphertext
Token
Data / ⊥
Data
PK
GenTokenHVE
EncryptHVE
QueryHVE
56
Conclusion(2/2)
As the width of HVE is 1, the HVE scheme is essentially an Aonymous IBE system.
Improve the size of ciphertext. The predicate vector and the practical ve
ctor are unique. Composite queries.
Range query + Subset query