Conjunctive, Subset, and Range Queries on Encrypted Data

Dan Boneh (Stanford University) and Brent Waters (SRI International)

Encryption Systems – Traditional View

[Figure label: PK_Salil]

Salil gives private key to assistant Charlie

Charlie learns everything

Encryption Systems – New View

Salil gives partial capabilities to Charlie

Charlie learns what he needs to know

Focus on “Searching Systems”

[Figure labels: PK_Salil; TCC; Subj: TCC; Subj: personal; Subj: our paper]

Filtering Encrypted Email

Set containment queries:

Server learns nothing other than containment status.

[Figure labels: Mail Server; SK_alice; E(PK_alice, email) with fields From:, Subject:; token T_spam; test "From Blacklist" with outcomes Yes / No; email]

Routing Encrypted Email

Conjunction queries:

[Figure labels: Mail Server; SK_alice; E(PK_alice, email) with fields From:, Subject:; token T_cell; test "From Friends AND subject = “urgent”" with outcomes Yes / No; email]

Long term goal …

Goal: Public-key encryption system supporting any predicate (poly-size circuits)

Sample application:

Spam predicate: P(m) = 1 if m is spam email

Mail server filters out encrypted spam email without decrypting email.

… seems far off

History

To date: primary focus on equality queries

SWP’00, GO’87: Equality queries on symmetric-key encrypted data

BDOP’04, AB…’05: Equality queries on public-key encrypted data

Definitions

Let = {P1 , … , Pn} be a set of predicates over .

Pi : {0,1} [e.g.: Pj(S) = 1 S j ]

A -query system consists of 4 algorithms:

Setup (): outputs PK and SK

Encrypt (PK, S) Ciphertext C (S)

GenToken (SK, <P>) Token TP (P)

Query ( TP, C) Output P(S)

(Can allow message decryption on “hit” when P(S)=1)

Security

Example: = {1, … , n} , [ Pj(x) = 1 x j ]

Adversary can request arbitrary tokens:

[Figure: number line from 1 to n marked with token points a, b, c and plaintexts x, y, z]

Clearly, adversary can distinguish Encrypt(PK, x) from Encrypt(PK, y)

… but Encrypt(PK, x) and Encrypt(PK, z) should be indistinguishable

Secure -query systems

Semantic security in the presence of arbitrary tokens:

Challenger: Run Setup()
Challenger to Attacker: PK
Attacker to Challenger: P1 , P2 , … , Pq
Challenger to Attacker: T1 , T2 , … , Tq
Attacker to Challenger: (S0) , (S1) s.t.: j: Pj(S0) = Pj(S1)
Challenger: b {0,1}
Challenger to Attacker: C Encrypt(PK,Sb)
Attacker: b’ {0,1}

Adversary wins if: b = b’

The trivial brute-force system

= {P1 , … , Pn} ; (KeyGen, Enc, Dec) pub-key system

Setup(): Run KeyGen() n times

PK ( PK1 , … , PKn ) , SK ( SK1, … , SKn )

Encrypt( PK, S):

for j = 1,…,n: Cj Enc( PKj , M ) if Pj(S) = 1 ; Enc( PKj , ) otherwise

output C (C1 , … , Cn )

GenToken( SK, Pi ): output T SKi

Query( T, C) : output Dec( SKi , Ci )

Parameters: |CT| = O(n) |T| = O(1)

Best known constructions [BSW’06, BW’06]

(Sizes in # of group elements)

Encrypt S {1 ,…, n }

Predicate            Trivial |CT|    Best Known |CT|
Equality (S = a)     O(n)            O(1)
Comparison (Sa)      O(n)            O(n)
Subset (S A)         O(2^n)          O(n)

Encrypt S = (S1,…,Sw) {1 ,…, n }^w --- conjunctions

Predicate            Trivial |CT|    Best Known |CT|
S1=a1 … Sw=aw        O(n^w)          O(w)
S1 a1 … Sw aw        O(n^w)          O(nw)
S1 A1 … Sw Aw        O(2^(nw))       O(nw)

Bilinear maps

G , GT : finite cyclic groups of prime order q.

Def: An admissible bilinear map e: G G GT is:

Bilinear: e(g^a, g^b) = e(g,g)^(ab) a,b Z, g G

Non-degenerate: g generates G e(g,g) generates GT .

“Efficiently” computable.

Bilinear groups of order N=pq [BGN’05]

G: group of order N=pq. (p,q) – secret.

bilinear map: e: G G GT

G = G_p G_q . g_p = g^q G_p ; g_q = g^p G_q

Facts: h G h = (g_q)^a (g_p)^b

e( g_p , g_q ) = e(g^q , g^p) = e(g,g)^N = 1

e( g_p , h ) = e( g_p , g_p)^b !!

Subset query system

Goal: for any S {1,…,n} and A {1,…,n} answer queries of type: PA(S) = 1 S A

Example: FromAddress Friends

Trivial system: |CT| = O(2^n) , Our goal: |CT| = O(n)

Approach: reformulate as conjunctive equality query

Encode S {1,…,n} in unary:

(S) = (s1,…,sn) {0,1}^n

0 0 0 … 1 … 0 0 0

Then S A (sa = 0) , a A^c

Construction Intuition

1st Attempt

Use IBE techniques to encrypt to “vector” identity (s1,…,sn)

Get message if “true”

Problem: Can test identity by testing for DDH tuples between CT and PK

Solution

Make CTs, PK random in Gq not DDH tuples

Tokens in Gp Gq does not matter after pairing

Intuition: Disallow unintended application of pairing

Security

Thm: The system is a selectively secure subset query system assuming: Bilinear-DH assumption, and Composite 3-party DH assumption

Implied by Boneh’s Uber-Assumption

Summary and Open Problems

Queries on public key encrypted data:

Equality queries: efficient

Comparison queries: plaintext t
  Implies traitor tracing
  Best construction: |CT| = O(sqrt(n))
  Open: |CT| = O(log n)

Subset queries: plaintext A
  Best construction: |CT| = O(n)
  Open: |CT| = O(log n)

Similar constructions/questions for conjunctive queries

THE END

History

To date: primary focus on equality queries

SWP’00, GO’87: Equality queries on symmetric-key encrypted data

BDOP’04, AB…’05: Equality queries on public-key encrypted data

OS’05, BSW’06: Equality queries that hide predicate from server

BBO’06: Efficient equality searches in databases

BCPSS’06: Range queries in a weaker security model

Motivation: a few examples

Example 1: Visa gateway: Forwarding encrypted CC transactions to the visa system

[Figure labels: VISA Gateway; SK_visa; token T_1000; Enc(PK_visa, Transaction) with fields VALUE, Exp-Date, D; test "VALUE > $1000?" with outcomes Yes / No; Low Security Processor; High Security Processor; D]

Conjunction queries

Goal: gateway should not learn which conjunct failed.

Visa cannot simply give gateway two tokens

[Figure labels: VISA Gateway; SK_visa; token T_P; Transaction with fields VALUE, Exp-Date, D; test "VALUE > 1000 AND exp-date < April 2007" with outcomes Yes / No; Low Security Processor; High Security Processor; D]

Best known constructions [BSW’06, BW’06]

(Sizes in # of group elements)

Encrypt S {1 ,…, n }

Predicate            Trivial |CT|    Lower Bound    Best Known |CT|    |T|
Equality (S = a)     O(n)            O(log n)       O(log n)           O(log n)
Comparison (Sa)      O(n)            O(log n)       O(n)               O(n)
Subset (S A)         O(2^n)          O(log n)       O(n)               O(n-|A|)

Encrypt S = (S1,…,Sw) {1 ,…, n }^w --- conjunctions

Predicate            Trivial |CT|    Lower Bound    Best Known |CT|    |T|
S1=a1 … Sw=aw        O(n^w)          O(w log n)     O(w log n)         O(w log n)
S1 a1 … Sw aw        O(n^w)          O(w log n)     O(nw)              O(w log n)
S1 A1 … Sw Aw        O(2^(nw))       O(w log n)     O(nw)              O(w|A|)

The full system ... But cannot prove the system secure.

The full system: add y1, … , yn to SK

GenToken( SK=w, A {1,…,n} ): t1,1, t1,2 , … ZN

TA w (va)^{ta,1} (ya)^{ta,2} , a A^c

( u1^{t1,1} , y1^{t1,2} )

( un^{tn,1} , yn^{tn,2} )

Thm: The system is a selectively secure subset query system assuming: Bilinear-DH assumption, and Composite 3-party DH assumption

The full system ... But cannot prove the system secure. (Need a bit more)

Thm: The system is a selectively secure subset query system assuming: Bilinear-DH assumption, and Composite 3-party DH assumption (Fragments of “Uber-assumption”)

Binary conjunctive equality queries

A failed attempt using standard IBE technology: [BB’04]

G: bilinear group. w, u, u1,…, v1,… G,

Encrypt (PK, b = (b1,…,bn), M): r Zq

C [ e(u,w)^r , u^r , (u1^b1 v1)^r , … , (un^bn vn)^r ]

GenToken( SK=w, A {1,…,n} ): t1, … , tn Zq

TA [ w (va)^ta , u^t1 , … , u^tn ] , a A^c

Query( TA, C): If ( a A^c : ba=0) then “algebra” returns M; otherwise random in G

Problem: C leaks ( b1, …, bn )

bj = 0 (u, vj , u^r , (uj^bj vj)^r ) is a DDH tuple

Composite order groups to the rescue …

G=GpGq composite order group. w, u, u1 , …, v1 , … Gp

PK: Blind u’s and v’s by Gq

Ui ui Ri , Vi vi Ri’ where Ri, Ri’ Gq

Encrypt (PK, b = (b1,…,bn), M): r ZN , Z, Z1,… Gq

C [ e(u,w)^r , U^r Z , (U1^b1 V1)^r Z1 , … , (Un^bn Vn)^r Zn ]

No change to GenToken and Query

Note: Rj , Zi terms cancel in Query.

Main point: now DDH attack fails: bj = 0 , but (U, Vj , U^r Z , (Uj^bj Vj)^r Zj ) not a DDH tuple in G
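The DDH test from the two slides above, checked in an exponent model (an added example, not from the slides): each group element g^x is stored as its discrete log x mod N and the pairing becomes multiplication of logs, so this verifies the algebra only and is not an implementation of the scheme. The Mersenne-prime factors, the function names and running the unblinded attempt inside the order-p subgroup are assumptions made for the example.

```python
import secrets

# Toy composite order N = p*q from two Mersenne primes (constructed values).
p, q = 2**61 - 1, 2**89 - 1
N = p * q

# Exponent model: g^x is stored as x mod N, so multiplying elements adds logs,
# raising to r multiplies the log by r, and e(g^x, g^y) is represented by x*y mod N.
def pair(x, y):
    return x * y % N

def rand_Gp():
    # Order-p subgroup: logs that are multiples of q.
    return q * (secrets.randbelow(p - 1) + 1) % N

def rand_Gq():
    # Order-q subgroup: logs that are multiples of p.
    return p * (secrets.randbelow(q - 1) + 1) % N

def ddh_test_outcomes(bits, blind):
    """Apply the pairing DDH test to every ciphertext slot; True means 'b_j looks like 0'."""
    blinder = rand_Gq if blind else (lambda: 0)   # fresh G_q factor, or none
    r = secrets.randbelow(N - 1) + 1
    U = (rand_Gp() + blinder()) % N               # U = u * R
    C0 = (r * U + blinder()) % N                  # U^r * Z
    outcomes = []
    for b in bits:
        Uj = (rand_Gp() + blinder()) % N          # U_j = u_j * R_j
        Vj = (rand_Gp() + blinder()) % N          # V_j = v_j * R_j'
        Cj = (r * (b * Uj + Vj) + blinder()) % N  # (U_j^{b_j} V_j)^r * Z_j
        # (U, V_j, C0, C_j) is a DDH tuple iff e(U, C_j) == e(C0, V_j)
        outcomes.append(pair(U, Cj) == pair(C0, Vj))
    return outcomes
```

Without blinding the outcomes reproduce the bits exactly; with the G_q factors the test fails for every slot regardless of b_j, except with negligible probability over the random choices.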

Selectively secure -query systems

Challenger: Run Setup()
Challenger to Attacker: PK
Attacker to Challenger: P1 , P2 , … , Pq
Challenger to Attacker: T1 , T2 , … , Tq
S0 , S1 s.t.: j: Pj(S0) = Pj(S1)
Challenger: b {0,1}
Challenger to Attacker: C Encrypt(PK,Sb)
Attacker: b’ {0,1}

Adversary wins if: b = b’

[Additional figure labels: S0 , S1 ; S0 S1]