Multi-Dimensional Range Query over Encrypted Data. Elaine Shi, John Bethencourt, T-H. Hubert Chan, Dawn Song and Adrian Perrig. IEEE Symposium on Security and Privacy, May, 2007. Presenter: 陳國璋. Outline. Induction Problem Definition and Preliminary AIBE-Based MRQED 1 Scheme - PowerPoint PPT Presentation
1
Multi-Dimensional Range Query over Encrypted Data
Presenter: 陳國璋
Elaine Shi, John Bethencourt, T-H. Hubert Chan, Dawn Song and Adrian Perrig
IEEE Symposium on Security and Privacy, May, 2007
2
Outline
Introduction
Problem Definition and Preliminary
AIBE-Based MRQED1 Scheme
AIBE-Based MRQEDD Scheme
Main Construction
Conclusion
3
Introduction
This follows up on the HVE (Hidden Vector Encryption) method from the previous presentation, which covered 3 query forms: Comparison / Range / Subset. This paper focuses on Conjunctive Range Queries.
Recall: HVE
4
Introduction
[Figure: HVE recap diagram. Labels: Conjunctive General Predicate, Predicate Vector, Multi-cell Practical Value, Practical Vector, SK, PK, Data, GenTokenHVE, EncryptHVE, QueryHVE, Token, Ciphertext, Data / ⊥]
5
Introduction
Multi-dimensional Range Query over Encrypted Data, MRQED
For example, a network audit log has 3 attributes: time-stamp t, source address a and destination port number p.
(t, a, p) tuple
Conjunctive ranges: [t1, t2], [a1, a2] and [p1, p2]
6
Introduction
Scheme            Pub Key Size  Enc Cost      CT Size       Dec Key Size  Dec Cost
HVE               O(DT)         O(DT)         O(DT)         O(D)          O(D)
Naïve AIBE-based  O(1)          O((log T)^D)  O((log T)^D)  O((log T)^D)  O((log T)^D)
MRQED             O(D log T)    O(D log T)    O(D log T)    O(D log T)    O((log T)^D)
D: number of dimensions, T: number of points
7
Introduction
Application
Financial audit log
Medical privacy
Untrusted remote storage
Using biometrics in anonymous IBE
8
Outline
Induction Problem Definition and Preliminary AIBE-Based MRQED1 Scheme AIBE-Based MRQEDD Scheme Main Construction Conclusion
9
Problem Definition
A network audit log has 3 attributes: time-stamp t, source address a and destination port number p.
(t, a, p) tuple
Conjunctive ranges: [t1, t2], [a1, a2] and [p1, p2]
10
Problem Definition
[Figure: hyper-rectangle B with sides [t1, t2], [a1, a2], [p1, p2] and a point X = (t, a, p)]
Testing whether a point X falls inside the Hyper-rectangle B
11
Problem Definition
An attribute can be encoded using discrete integer values 1 through T.
[T] = {1, …, T}
For S ≦ T, [S, T] = {S, S+1, …, T}
D different attributes, each of which can take on values in [T1], [T2], …, [TD] respectively.
12
Problem Definition
D-dimensional lattice, point, hyper-rectangle
Δ = (T1, …, TD)
D-dimensional lattice: LΔ = [T1] × [T2] × … × [TD]
Point: X = (x1, …, xD)
Hyper-rectangle: B(s1, t1, s2, t2, …, sD, tD) = {(x1, …, xD) | ∀d∈[D], xd∈[sd, td]}
13
Problem Definition
Network audit log
Time-stamp t, address a, port number p
D = 3
Time-stamp: [Tt] = {0000, …, 1439}
Address: [Ta] = {0, …, 255}
Port number: [Tp] = {0, …, 65535}
14
Problem Definition
Δ = (Tt, Ta, Tp)
LΔ = [Tt] × [Ta] × [Tp] = [1439] × [255] × [65535]
X = (t, a, p) = (603, 97, 777)
B(540, 720, 84, 124, 700, 800)
15
Problem Definition
[Figure: the lattice LΔ = [1439] × [255] × [65535] with axes [Tt] = [1439], [Ta] = [255], [Tp] = [65535]; the hyper-rectangle B(540, 720, 84, 124, 700, 800) with sides [540, 720], [84, 124], [700, 800]; and the point X = (603, 97, 777)]
16
Problem Definition
An MRQED scheme consists of 4 polynomial-time algorithms:
Setup
Encrypt
DeriveKey
QueryDecrypt
17
Problem Definition
Setup(Σ, LΔ)
Input: a security parameter Σ and a D-dimensional lattice LΔ
Output: public key PK and master private key SK
18
Problem Definition
Encrypt(PK, X, Msg)
Input: a public key PK, a point X and a message Msg
Output: a ciphertext C
19
Problem Definition
DeriveKey(PK, SK, B)
Input: a public key PK, a master private key SK and a hyper-rectangle B
Output: decryption key DK for hyper-rectangle B
20
Problem Definition
QueryDecrypt(PK, DK, C)
Input: a public key PK, a decryption key DK and a ciphertext C
Output: either a plaintext Msg or ⊥
21
Problem Definition
Correctness
For every message Msg ∈ message space M, hyper-rectangle B ⊆ LΔ, and point X ∈ LΔ, the above algorithms must satisfy the following consistency constraints:
$$\mathrm{QueryDecrypt}(PK, DK, C) = \begin{cases} Msg, & \text{if } X \in B \\ \bot \ \text{w.h.p.}, & \text{if } X \notin B \end{cases}$$
where $C = \mathrm{Encrypt}(PK, X, Msg)$ and $DK = \mathrm{DeriveKey}(PK, SK, B)$
22
Preliminary
Decision BDH Assumption
Given [g, g^a, g^b, g^c, Z] ∈ G^4 × G', where exponents a, b, c are picked at random from Z_p, decide whether Z = e(g, g)^{abc}
23
Preliminary
Decision Linear Assumption
Given [g, g^a, g^b, g^{ac}, g^{bd}, Z] ∈ G^4, where a, b, c, d are picked at random from Z_p, decide whether Z = g^{c+d}
24
Outline
Introduction
Problem Definition and Preliminary
AIBE-Based MRQED1 Scheme
AIBE-Based MRQEDD Scheme
Main Construction
Conclusion
25
AIBE-Based MRQED1 Scheme
Interval tree
tr(T) denotes a binary interval tree over the integers from 1 to T.
Each node has a pre-assigned unique ID.
cv(ID) denotes the range represented by node ID ∈ tr(T):
$$cv(ID) = \begin{cases} \{i\}, & \text{if } ID \text{ is the } i^{\text{th}} \text{ leaf node} \\ cv(ID_1) \cup cv(ID_2), & \text{if } ID \text{ is an internal node and } ID_1 \text{ and } ID_2 \text{ are its child nodes} \end{cases}$$
26
AIBE-Based MRQED1 Scheme Interval tree
The set P(x) of IDs covering a point x∈[1, T]
The set Λ(s, t) of IDs representing a range [s, t]⊆[1, T]
If x∈[s, t], then P(x)∩Λ(s, t)≠φ and |P(x)∩Λ(s, t)| = 1
If x∉[s, t], then P(x)∩Λ(s, t)=φ
27
AIBE-Based MRQED1 Scheme
tr(T) = tr(8)
              A
      B               C
  D       E       F       G
H   I   J   K   L   M   N   O
1   2   3   4   5   6   7   8
cv(L) = {5}
cv(E) = [3, 4]
cv(C) = [5, 8]
P(3) = {A, B, E, J}
Λ(2, 7) = {I, E, F, N}
28
AIBE-Based MRQED1 Scheme
AIBE scheme:
Setup*(Σ)
DeriveKey*(PK, SK, ID)
Encrypt*(PK, ID, Msg)
Decrypt*(PK, DK, C)
MRQED1 scheme:
Setup(Σ, T)
Encrypt(PK, x, Msg)
DeriveKey(PK, SK, [s, t])
QueryDecrypt(PK, DK, C)
29
AIBE-Based MRQED1 Scheme
Setup(Σ, T)
Call Setup*(Σ)
Output PK and SK
30
AIBE-Based MRQED1 Scheme
Encrypt(PK, x, Msg)
x → P(x)
∀ID∈P(x), c_ID = Encrypt*(PK, ID, Msg || 0^{m'}), where 0^{m'} pads Msg to {0, 1}^m
Output ciphertext C = {c_ID | ∀ID∈P(x)}
31
AIBE-Based MRQED1 Scheme
DeriveKey(PK, SK, [s, t])
[s, t] → Λ(s, t)
∀ID∈Λ(s, t), k_ID = DeriveKey*(PK, SK, ID)
Output DK[s, t] = {k_ID | ∀ID∈Λ(s, t)}
32
AIBE-Based MRQED1 Scheme
QueryDecrypt(PK, DK, C)
If x∈[s, t], then ∃! ID s.t. P(x)∩Λ(s, t) = {ID}
Call and output Decrypt*(PK, k_ID, c_ID) = Msg || 0^{m'}.
Otherwise, output ⊥.
33
AIBE-Based MRQED1 Scheme
tr(T) = tr(8)
              A
      B               C
  D       E       F       G
H   I   J   K   L   M   N   O
1   2   3   4   5   6   7   8
cv(L) = {5}
cv(E) = [3, 4]
cv(C) = [5, 8]
P(3) = {A, B, E, J}
Λ(2, 7) = {I, E, F, N}
34
Outline
Introduction
Problem Definition and Preliminary
AIBE-Based MRQED1 Scheme
AIBE-Based MRQEDD Scheme
Main Construction
Conclusion
35
AIBE-Based MRQEDD Scheme
Same as the AIBE-Based MRQED1 Scheme, with the following changes:
Encrypt(PK, X, Msg)
DeriveKey(PK, DK, C)
36
AIBE-Based MRQEDD Scheme
Encryption
A point X = (x1, x2, …, xD)
For each dimension d∈[D], xd has its own P(xd)
Denote P×(X) = P(x1)×P(x2)×…×P(xD)
Call Encrypt*(PK, P×(X), Msg) = C
37
[Figure: two interval trees over 1..8, one per dimension: nodes A to O for dimension 1 and nodes P to D' for dimension 2, with the point X marked]
X = (x1, x2) = (3, 5)
P(x1) = {A, B, E, J}
P(x2) = {P, Q, T, Z}
P×(X) = {A, B, E, J}×{P, Q, T, Z}
38
AIBE-Based MRQEDD Scheme
Key Derivation
The ranges of all dimensions combine into a hyper-rectangle B(s1, t1, …, sD, tD)
Each range [sd, td] has Λ(sd, td), ∀d∈[D]
Denote Λ×(B) = Λ(s1, t1)×…×Λ(sD, tD)
Call DeriveKey*(PK, SK, Λ×(B)) = DK
39
[Figure: two interval trees over 1..8, one per dimension: nodes A to O for dimension 1 and nodes P to D' for dimension 2]
B = (s1, t1, s2, t2) = [2, 6]×[3, 7]
Λ(s1, t1) = {E, F, I}
Λ(s2, t2) = {T, U, X}
Λ×(B) = {E, F, I}×{T, U, X}
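As an added example (not part of the original slides), this Python sketch computes P(x) and Λ(s, t) for the one-dimensional MRQED1 scheme and the products P×(X) and Λ×(B) for the MRQEDD scheme over tr(8), labelling nodes A to O breadth-first as in the tree figure. It assumes T is a power of two, reuses the A to O labels for every dimension (the slides label the second tree P to D'), and only does the ID bookkeeping: no AIBE call is made.

```python
"""Interval-tree bookkeeping behind AIBE-based MRQED (added example; no real AIBE calls)."""
from itertools import product
from string import ascii_uppercase

T = 8  # tr(8) from the slides; this sketch assumes T is a power of two

def name(i):
    """Label heap index i (root = 1) as A, B, C, ... in breadth-first order."""
    return ascii_uppercase[i - 1]

def cv(i):
    """Inclusive range (lo, hi) covered by the node with heap index i."""
    depth = i.bit_length() - 1
    width = T >> depth
    lo = (i - (1 << depth)) * width + 1
    return lo, lo + width - 1

def P(x):
    """IDs on the path from the leaf for x up to the root: Encrypt makes one c_ID per entry."""
    i, ids = T + x - 1, set()
    while i >= 1:
        ids.add(name(i))
        i //= 2
    return ids

def Lam(s, t, i=1):
    """Minimal set of IDs whose ranges tile [s, t]: DeriveKey makes one k_ID per entry."""
    lo, hi = cv(i)
    if hi < s or t < lo:        # node is disjoint from [s, t]
        return set()
    if s <= lo and hi <= t:     # node lies fully inside [s, t]: stop descending
        return {name(i)}
    return Lam(s, t, 2 * i) | Lam(s, t, 2 * i + 1)

def matching_id(x, s, t):
    """ID whose (c_ID, k_ID) pair QueryDecrypt would use, or None for the ⊥ case."""
    hit = P(x) & Lam(s, t)
    return next(iter(hit)) if hit else None

def P_cross(X):
    """P×(X): one ID tuple per ciphertext component in the D-dimensional scheme."""
    return set(product(*(sorted(P(x)) for x in X)))

def Lam_cross(B):
    """Λ×(B) for B = (s1, t1, ..., sD, tD): one ID tuple per sub-key."""
    dims = zip(B[0::2], B[1::2])
    return set(product(*(sorted(Lam(s, t)) for s, t in dims)))
```

For D dimensions, P×(X) has (log2 T + 1)^D entries, which is the (log T)^D ciphertext cost listed for the naïve AIBE-based scheme in the comparison table.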
40
AIBE-Based MRQEDD Scheme Collusion attack
[Figure: regions R1, R2, R3, R4 with sub-keys ka, kb, kc, kd]
41
Outline
Introduction
Problem Definition and Preliminary
AIBE-Based MRQED1 Scheme
AIBE-Based MRQEDD Scheme
Main Construction
Conclusion
42
Main Construction Reducing the ciphertext size
P×(X) = P(x1) × … × P(xD)
↓
P∪(X) = P(x1) ∪ … ∪ P(xD)
43
Main Construction Reducing the decryption key size
Λ×(B) = Λ(s1, t1) × … × Λ(sD, tD)
↓
Λ∪(B) = Λ(s1, t1) ∪ … ∪ Λ(sD, tD)
44
Main Construction Preventing the collusion attack
Using binding technique
Using re-randomization to tie the sub-keys in different dimensions
45
Main Construction Preventing the collusion attack
[Figure: regions R1, R2, R3, R4 with sub-keys ka, kb, kc, kd]
In R1, {ka, kc} → {μ1ka, μ2kc}
In R4, {kb, kd} → {μ3kb, μ4kd}
(μ1, μ2) are independent of (μ3, μ4)
μ1μ2 = μ3μ4 = some invariant
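A toy numeric model of the binding idea above, added here as an example and not taken from the slides or the paper: each key's per-dimension factors multiply to the invariant 1, so sub-keys taken from two different keys no longer cancel. The modulus, the ranges, the in-the-clear point and the function names are assumptions of this sketch; the real scheme hides the point and works with pairings.

```python
"""Toy model of sub-key mixing across dimensions and the binding fix (added example)."""
import secrets

P_MOD = 2**61 - 1   # prime modulus of the toy group (constructed value)
PAD_BITS = 32       # length m' of the trailing-zero padding 0^{m'}

def encrypt(point, msg):
    """Toy 'ciphertext': the point in the clear plus Msg || 0^{m'} (no secrecy modelled)."""
    return {"point": point, "body": (msg << PAD_BITS) % P_MOD}

def derive_key(x_range, y_range, bind=True):
    """One sub-key per dimension; with bind=True the factors satisfy mu_x * mu_y = 1."""
    mu_x = secrets.randbelow(P_MOD - 2) + 2 if bind else 1
    mu_y = pow(mu_x, -1, P_MOD)
    return {"x": (x_range, mu_x), "y": (y_range, mu_y)}

def query_decrypt(sub_x, sub_y, ct):
    """Return Msg if both sub-keys cover the point and V has the form Msg || 0^{m'}, else None."""
    (xr, mu_x), (yr, mu_y) = sub_x, sub_y
    px, py = ct["point"]
    if not (xr[0] <= px <= xr[1] and yr[0] <= py <= yr[1]):
        return None
    v = ct["body"] * mu_x * mu_y % P_MOD
    return v >> PAD_BITS if v % (1 << PAD_BITS) == 0 else None

def collude(key_r1, key_r4, ct):
    """Try both cross-key pairings of sub-keys, as two colluding key holders could."""
    for sub_x, sub_y in ((key_r1["x"], key_r4["y"]), (key_r4["x"], key_r1["y"])):
        msg = query_decrypt(sub_x, sub_y, ct)
        if msg is not None:
            return msg
    return None

# Constructed ranges for the sub-keys ka, kb (dimension 1) and kc, kd (dimension 2).
K_A, K_B, K_C, K_D = (1, 4), (5, 8), (1, 4), (5, 8)

def demo(bind):
    """Return (honest R1 decryption, result of mixing R1 and R4 sub-keys)."""
    r1, r4 = derive_key(K_A, K_C, bind), derive_key(K_B, K_D, bind)
    honest = query_decrypt(r1["x"], r1["y"], encrypt((2, 3), 1234))
    mixed = collude(r1, r4, encrypt((2, 6), 1234))  # point lies in neither R1 nor R4
    return honest, mixed
```

`demo(False)` returns `(1234, 1234)` because unbound sub-keys can be recombined freely, while `demo(True)` returns `(1234, None)`.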
46
Main Construction
Define L = O(log T) to be the height of a tree
All IDs are picked from Z_p^*
Message Msg∈{0, 1} with a series of trailing zeros 0^{m'}
47
Main Construction Setup(Σ, LΔ)
, ,
, ,
8 1
,1 ,2 ,1 ,2 ,1 ,2 ,1 ,2 ( , ) [ ] [ ]
8
,
',
1. [ , , ', , ] ( )
2. random parameters from
,[ , , , , , , ' , ' ]
3. public key PK G' G
( , )
, 1,2,
'
i i
i
R
DLp
d l D L
DL
i
i
p G G g e Gen
Z
e g g
a g i
a g
,1 ,
,1 ,
,
', ( , ) [ ] [ ]
, 1,2,
, 1,2,
' , 1,2
i
i
i
i
i d l D L
i
b g i
b g i
48
Main Construction Setup(Σ, LΔ)
,
,
, , ,
, , ,
8 1
,
,
,
', ( , ) [ ] [ ]
4. master private key SK G
, 1,2,
, 1,2,
, 1,2,
' , 1,2
i
i
i i i
i i i
DL
i
i
i
i d l D L
g
A g i
B g i
y g i
y g i
49
Main Construction DeriveKey(PK, SK, B)
,
2| ( )|
,1 ,2 ( )
5| ( )|
,1 ,1
1. Pick ( ) random integer from G
[ ] ,[ , ]
such that
2. Compute and release a decryption key DK G
for each ( ),
( ' ) ID
D Bp
d d D ID ID ID B
dd D
B
IDd
O D L Z
ID B
y y
1 ,2 ,1 ,2 ,1 ,2
,2 ,2 ,1 ,2 ,1 ,2
,0 ,1 ,2 ,3 ,4
( ' ) , , , ,
=( , , , , )
ID ID ID ID IDID
ID ID ID ID ID
y y A A B B
k k k k k
50
Main Construction Encrypt(PK, X, Msg)
2
,1 ,2 ( , ) [ ] [ ]
4 1
1. Select 2 1 random integers
,[ , ]
2. For ( , ) [ ] [ ],
define ( ) is the node at depth in ( ) in the dimension.
ciphertext '
DLR p d l D L R p
thd
DL
DL
r Z r r Z
d l D L
I I X l P x d
C G G
,1 ,1
,2 ,2
'
,1 ,1 ,1 ,1
,2 ,2 ,2 ,2 ( , ) [ ] [ ]
0 ,1 ,2 ,3 ,4
( || 0 ) , ,
( ' ) ,( ' ) ,
( ' ) ,( ' )
=( , ,[ , , , ])
m r r
I r I r r
I r I r r
d l D L
Msg g
b b a a
b b a a
c c c c c c
51
Main Construction QueryDecrypt(PK, DK, C)
1 2
0 ,0 ,1 ,1 ,2 ,2 ,3 ,3 ,4 ,4[ ]
'
1. collection {DK( ),DK( ),...,DK( )} of sub-keys.
2. Decryption
[ ( ) ( ) ( ) ( ) ( )]
If is of the form || 0 , then outpu
d d d d
D
ID ID ID ID IDd D
m
ID ID ID
V c e c k e c k e c k e c k e c k
V Msg
t as the plaintext
otherwise, output
Msg
52
Outline
Introduction
Problem Definition and Preliminary
AIBE-Based MRQED1 Scheme
AIBE-Based MRQEDD Scheme
Main Construction
Conclusion
53
Conclusion
Using a tree data structure.
Reducing the ciphertext size and decryption key size.
54
Conclusion
Using an advanced/better/original data structure.
Multi-dimension into one-dimension.
55
Conclusion
[3, 6], [4, 9], [5, 8]
↓
[2, 7], [3, 10], [4, 9]
↓
[0, 1], [1, 2], [2, 3]
56
Conclusion
Real value is (5, 7, 6)
Predicate range is [3, 6]×[4, 9]×[5, 8]
[Figure: axis marked 0 to 3 with the ranges [2, 7], [3, 10], [4, 9] and the values 5, 7, 6]
57
Conclusion
About subset query
Lattice diagram/Hasse diagram
Binary string method
58
Conclusion Lattice diagram/Hasse diagram
59
Conclusion Binary string method
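Suppose there are 5 elements, U = {1, …, 5}.
Predicate set A = {1, 4}; converting predicate set A to a binary string gives 01001.
Real value T = {1, 5}; converting it to a binary string gives 10001.
OR the two binary strings: if the result is the same as the binary string of the predicate set, then T is a subset of A; otherwise, T is not a subset of A.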