Evaluating Predicates over Encrypted Datareports- .Evaluating Predicates over Encrypted Data Elaine

  • View
    216

  • Download
    0

Embed Size (px)

Text of Evaluating Predicates over Encrypted Datareports- .Evaluating Predicates over Encrypted Data Elaine

  • Evaluating Predicates over Encrypted Data

    Elaine Shi

    CMU-CS-08-166

    October, 2008

    School of Computer ScienceCarnegie Mellon University

    Pittsburgh, PA 15213

    Thesis Committee:Adrian Perrig (CMU), Chair

    Dawn Song (CMU/U.C.Berkeley)Manuel Blum (CMU)

    Brent Waters (SRI/U.T.Austin)

    Submitted in partial fulfillment of the requirementsfor the degree of Doctor of Philosophy.

    Copyright c 2008 Elaine Shi

    This research was supported in part by CyLab at Carnegie Mellon under grants DAAD19-02-1-0389, grants CNS-0347807 and CT-CS 0433540 from the National Science Foundation, a grant from General Motors through the GM-CMU Collaborative Research Laboratory, and by a gift from Bosch.

    The views and conclusions contained here are those of the authors and should not be interpreted as necessarily rep-resenting the official policies or endorsements, either express or implied, of ARO, Bosch, CMU, GM, NSF, or theU.S. Government or any of its agencies.

  • Keywords: Predicate encryption, applied cryptography, bilinear group

  • AbstractPredicate encryption is a new encryption paradigm where the secret key owner can

    perform fine-grained access control over the encrypted data. In particular, the secretkey owner can generate a capability corresponding to a query predicate (e.g., whetheran encrypted email contains the keyword MEDICAL), and the capability allows one toevaluate the outcome of this predicate on the encrypted data.

    The high-level goal of this thesis is to build predicate encryption systems that areefficient, support expressive queries and rich operations. Our contributions are sum-marized below:

    1. We propose a predicate encryption scheme supporting multi-dimensional rangequeries. Prior to this work, researchers have constructed schemes support equal-ity tests. Hence, our scheme supports more expressive queries than before. Atthe core of this construction is a technique to support conjunctive queries withoutleaking the outcome of each individual clause.

    2. We study how to delegate capabilities in predicate encryption schemes. Todemonstrate why delegation may be interesting, imagine that Alice has a ca-pability, and she wishes to delegate to Bob a more restrictive capability allowinghim to decrypt a subset of the information Alice can learn about the plaintextencrypted. We propose a security definition for delegation, and build a schemesupporting delegation and conjunctive queries.

    3. Most prior work focuses on hiding the plaintext (encoded in the ciphertext), butdoes not provide guarantees about the secrecy of the queries (encoded in the ca-pabilities). In other words, given a capability, one might be able to infer from itwhat the query predicate is. We study how to hide the query predicates, and pro-pose a scheme supporting inner-product queries that hides the query predicatesin addition to the plaintext.

  • iv

  • AcknowledgmentsI am indebted to my thesis committee: the big boss Adrian, my pseudo-advisor Dawn, my academic uncle Brent, and the most kind and understanding Manuel.

    Without your help, this thesis would not have been possible.Apart from my committee members, John Bethencourt, Hubert Chan and Emily

    Shen also contributed to this thesis.I would also like to thank the English and Greek alphabet, for I am sure the no-

    tations would have become more confusing, had I used Chinese characters to denotethings.

  • vi

  • Contents

    1 Introduction 11.1 What is Predicate Encryption? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.3 Applications of predicate encryption . . . . . . . . . . . . . . . . . . . . . . . . . 21.4 Efficiency and expressiveness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.5 Summary of contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

    2 Formal Definitions 72.1 Public-key predicate encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

    2.1.1 Security definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.1.2 Selective security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82.1.3 Match revealing security . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

    2.2 Secret-key predicate encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92.2.1 Security definitions: Hiding both the plaintext and the query . . . . . . . . 10

    3 Multi-Dimensional Range Query over Encrypted Data 133.1 Multi-dimensional Range Queries over Encrypted Data . . . . . . . . . . . . . . . 13

    3.1.1 Overview of our construction . . . . . . . . . . . . . . . . . . . . . . . . 133.1.2 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143.1.3 Security Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

    3.2 A First Attempt to Construct MRQED . . . . . . . . . . . . . . . . . . . . . . . . 173.2.1 Trivial construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173.2.2 Improved MRQED1 construction based on AIBE . . . . . . . . . . . . . . 183.2.3 AIBE-Based MRQEDD Construction . . . . . . . . . . . . . . . . . . . . 20

    3.3 The Main MRQED Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . 223.3.1 Background on bilinear groups . . . . . . . . . . . . . . . . . . . . . . . . 223.3.2 Intuition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223.3.3 The Main Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243.3.4 Consistency, Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273.3.5 Practical Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

    3.4 The Dual Problem and Stock Trading through a Broker . . . . . . . . . . . . . . . 323.5 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333.6 Proof of Consistency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

    vii

  • 3.7 Proof of Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363.7.1 Proof: Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373.7.2 Proof: Anonymity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

    4 Delegating Capabilities in Predicate Encryption 474.1 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

    4.1.1 Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484.1.2 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494.1.3 A simple example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

    4.2 Delegatable Hidden Vector Encryption (dHVE) . . . . . . . . . . . . . . . . . . . 514.2.1 Delegatable HVE overview (dHVE) . . . . . . . . . . . . . . . . . . . . . 514.2.2 dHVE definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

    4.3 Background on Pairings and Complexity Assumptions . . . . . . . . . . . . . . . 544.4 dHVE Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

    4.4.1 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564.4.2 Security of our construction . . . . . . . . . . . . . . . . . . . . . . . . . 60

    4.5 Correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604.6 Proof . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

    4.6.1 Sequence of games . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614.6.2 Indistinguishability of Game0 and Game1 . . . . . . . . . . . . . . . . . . 634.6.3 Indistinguishability of Game1 and Game2 . . . . . . . . . . . . . . . . . . 694.6.4 Generating Type 2 delegated tokens . . . . . . . . . . . . . . . . . . . . . 704.6.5 Indistinguishability of Game2 and Game3 . . . . . . . . . . . . . . . . . . 714.6.6 Indistinguishability of Game3 and Game4 . . . . . . . . . . . . . . . . . . 744.6.7 Indistinguishability of Game4 and Game5 . . . . . . . . . . . . . . . . . . 77

    4.7 dHVE Full Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 804.8 Anonymous Hierarchical Identity-Based Encryption with Short Private Keys . . . . 80

    4.8.1 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 814.8.2 Security of construction . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

    5 Query Privacy in Predicate Encryption 835.1 Query Privacy in Predicate Encryption . . . . . . . . . . . . . . . . . . . . . . . . 835.2 Applications of SK-PE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 855.3 Definitions: SK-PE for General Queries . . . . . . . . . . . . . . . . . . . . . . . 85

    5.3.1 Full Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 865.3.2 Single Challenge Indistinguishability . . . . . . . . . . . . . . . . . . . . 885.3.3 Selective Single Challenge Indistinguishability . . . . . . . . . . . . . . . 895.3.4 Relationship Between Security Definitions . . . . . . . . . . . . . . . . . 90

    5.4 Background on Pairings and Complexity Assumptions . . . . . . . . . . . . . . . 915.4.1 Bilinear groups of composite order . . . . . . . . . . . . . . . . . . . . . . 915.4.2 Our assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

    5.5 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 935.5.1 Intuition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

    viii

  • 5.5.2 Detailed construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 945.5.3 How to understand our construction .