Efficient Privacy Preserving Content Based Publish Subscribe Systems (PP-CBPS)

Mohamed Nabeel, Ning Shang, Elisa Bertino

June 21, 2012

Outline: Introduction, Overview, Background, Tweaking Paillier Homomorphic Cryptosystem, Overall System, Implementation and Experimental Results, Conclusions, Future Work


Efficient privacy preserving publish subscribe systems, SACMAT 2012


Publish Subscribe Systems


Content Based Pub/Sub Systems

Notifications

Produced by publishers
Consist of a set of attribute-value pairs
Example: { symbol = "MSFT", price = 30.93, size = 1000 }

Subscriptions

Produced by subscribers
Specify a condition on one or more attributes in a notification
Examples: (symbol = "GOOG" ∧ price ≥ 578), (1000 ≤ size ≤ 2000)

Brokers match notifications against subscriptions and forward the matching notifications to authorized subscribers


Why Filtering?

Access control restrictions

Computational, storage and/or bandwidth considerations

Subscribers do not have sufficient computational power, storage or bandwidth
Subscribers are interested only in certain types of notifications


Security and Privacy

With the utilization of third-party brokering networks, brokers cannot be trusted for the confidentiality/privacy

Publication privacy

Hide the notifications from brokers

Subscription privacy

Hide subscription from brokers
Unable to link multiple subscriptions

The goal of this work is to address these privacy issues


Isn’t It a Solved Problem?

Secure pub-sub systems

Hinder matching functionality
False positives [Raiciu 2006]
Limited expressiveness [Srivatsa et al. 2007]
Key management overhead [Bacon et al. 2008]

Searchable encryption

Secure keyword matching [Song et al. 2000]
Order preserving encryption [Boldyreva et al. 2009]

Secure multi-party computation


Goals of our Work

Allow brokers to make matching decisions without letting them learn the actual notifications and subscriptions

Perform accurate matching and covering

Support the same expressiveness as the system without security

Minimize the overhead introduced by the security layer


System Overview

Publishers

Produce "encrypted" notifications
Register subscribers

Subscribers

Make "encrypted" subscriptions

Brokers

Authenticate subscribers and handle subscriptions
Match incoming notifications with existing subscriptions and forward the notifications to the corresponding subscribers


Trust Model

Brokers are honest-but-curious

Brokers may collude with one another

Publishers are trusted

Subscribers are not trusted for subscriptions


Message Format

Each notification consists of a set of attribute-value pairs (AVPs)

The set of AVPs is called the payload

The AVPs related to matching are "blinded" using our scheme

The payload is encrypted using a separate cryptosystem

Examples: Broadcast encryption, Proxy Re-Encryption, Attribute Based Encryption


Homomorphic Encryption

$E(m_1) \cdot E(m_2) = E(m_1 \odot m_2)$

Partially vs. fully homomorphic cryptosystems

Additive homomorphic cryptosystems

$E(m_1) \cdot E(m_2) = E(m_1 + m_2)$
Examples: Paillier, Damgard, Benaloh

Multiplicative homomorphic cryptosystems

$E(m_1) \cdot E(m_2) = E(m_1 \cdot m_2)$
Examples: Unpadded RSA, El-Gamal


Paillier Homomorphic Cryptosystem (PHC)

Key generation $KG(p, q)$

$p$ and $q$ are large primes
Private key = $(\lambda, \mu)$
Public key = $(n, g)$, $n = pq$ and $g \in (\mathbb{Z}/n^2)^{\times}$

Encryption $E(m, r)$

$c = g^m \cdot r^n \pmod{n^2}$

Decryption $D(c)$

$m = L(c^{\lambda} \pmod{n^2}) \cdot \mu \pmod{n}$, where $L(u) = (u - 1)/n$


Homomorphic Properties of PHC

PHC is additive homomorphic:

$D(E(m_1, r_1) \cdot E(m_2, r_2) \pmod{n^2}) = m_1 + m_2 \pmod{n}$

$D(E(m_1, r_1)^k \pmod{n^2}) = k m_1 \pmod{n}$


Tweaking PHC

Making µ public

Shifting the computation so that matching and covering operations are efficient

Allowing to compute the randomized difference without decrypting individual values


Making µ Public

Original private key = (λ, µ) and public key = (n, g)

Modified private key = λ and public key = (n, g, µ)

Due to the hardness of Computational Diffie-Hellman problem, it is hard to derive λ from µ.


Shifting the Computation

Encryption $E'(m, r, \lambda)$

$$\begin{aligned} E'(m, r) &= E(m, r)^{\lambda} \\ &= g^{m\lambda} \cdot r^{n\lambda} \pmod{n^2} \\ &= c \end{aligned}$$

Decryption $D(c)$

$D(c) = L(c \pmod{n^2}) \cdot \mu \pmod{n}$


Allowing to Compute Differences

Allowing to find the difference of $x$ and $v$

Encryption $E''(x, v)$

$x' = g^{t} \cdot E'(x, r_1) \pmod{n^2}$

$v' = g^{-t} \cdot E'(-v, r_2) \pmod{n^2}$

We get the following:

$x' \cdot v' = E'(x - v, r_3)$

Decryption $D(x' \cdot v')$

$D(x' \cdot v') = x - v$


Allowing to Compare

Notification = $x \in [0, 2^l]$, where $l$ is the domain size

Subscription = $v \in [0, 2^l]$

Difference $d = x - v$

The matching table is as follows:

d        Decision
0        x = v
< n/2    x > v
> n/2    x < v


How to hide the difference?

The current approach reveals the difference to brokers

The key idea: using the unused range to hide the difference


Hiding the Difference

Introduce two random numbers $r_p$ and $r_q$ during blinding:

$x'' = g^{t} \cdot E'(x, r_1)^{r_p} \cdot E'(r_q) \pmod{n^2}$

$v'' = g^{-t} \cdot E'(-v, r_2)^{r_p} \pmod{n^2}$

$x''$ and $v''$ are called blinded values

The decryption results in the following output:

$D(x'' \cdot v'') = r_p(x - v) + r_q = d'$

The matching table is as follows:

d'       Decision
≤ n/2    x ≥ v
> n/2    x < v


System Protocols and Interactions

Setup
Initialize system security parameters
Domain size = $l$ bits ($2^l \ll n$)

Register
Subscribers initially register with publishers and obtain randomized access tokens

Subscribe
Subscribers submit blinded subscriptions ($v''$) to brokers

Publish
Publishers submit blinded notifications ($x''$) to brokers

Match
For each notification, brokers compute $x'' \cdot v''$ and make the matching decision

Cover
Brokers find covering relationships among subscriptions


Correctness of Matching

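The following shows the correctness of $d'$. Let

$y = x'' \cdot v'' \pmod{n^2}$

$$\begin{aligned} y &= g^{t} \cdot (E(r_p x + r_q))^{\lambda} \cdot g^{-t} \cdot (E(-v))^{r_p \lambda} \pmod{n^2} \\ &= \{E(r_p x + r_q) \cdot E(-r_p v)\}^{\lambda} \pmod{n^2} \\ &= (E(r_p(x - v) + r_q))^{\lambda} \pmod{n^2} \end{aligned}$$

$$\begin{aligned} d' &= L(y) \cdot \mu \pmod{n} \\ &= r_p(x - v) + r_q \end{aligned}$$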
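The blinded matching from "Hiding the Difference", with the broker-side check that the derivation above justifies, as an added Python example (not the authors' code, which the slides say was written in Java 1.6 with Bouncy Castle). The function names, the toy primes, the random choice of g, and the bounds 0 ≤ r_q < r_p with r_p·2^l + r_q < n/2 are assumptions made here so that the matching table holds.

```python
import math
import secrets

def rand_unit(m):  # random element of (Z/m)^x
    while True:
        r = secrets.randbelow(m - 2) + 2
        if math.gcd(r, m) == 1:
            return r

def keygen(p, q):
    """Return ((n, g, mu), lam); after the tweak mu is public, lam stays private."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    while True:
        # Random g: with g = n + 1, mu would be lam^-1 mod n and leak lam.
        g = rand_unit(n * n)
        u = (pow(g, lam, n * n) - 1) // n        # L(g^lam mod n^2)
        if math.gcd(u, n) == 1:
            return (n, g, pow(u, -1, n)), lam

def enc_shifted(pub, lam, m):
    """E'(m, r) = (g^m * r^n)^lam mod n^2, with a fresh random r."""
    n, g, _ = pub
    return pow(pow(g, m % n, n * n) * pow(rand_unit(n), n, n * n), lam, n * n)

def blind_notification(pub, lam, t, rp, rq, x):
    """x'' = g^t * E'(x)^rp * E'(rq) mod n^2 (publisher side)."""
    n, g, _ = pub
    ex, eq = enc_shifted(pub, lam, x), enc_shifted(pub, lam, rq)
    return pow(g, t, n * n) * pow(ex, rp, n * n) * eq % (n * n)

def blind_subscription(pub, lam, t, rp, v):
    """v'' = g^-t * E'(-v)^rp mod n^2 (same t and rp as the notification)."""
    n, g, _ = pub
    return pow(g, -t, n * n) * pow(enc_shifted(pub, lam, -v), rp, n * n) % (n * n)

def broker_match(pub, x_bl, v_bl):
    """Broker side, public values only: return (d', x >= v)."""
    n, _, mu = pub
    d = (x_bl * v_bl % (n * n) - 1) // n * mu % n   # d' = L(y) * mu mod n
    return d, d <= n // 2

if __name__ == "__main__":
    pub, lam = keygen(2**31 - 1, 2**61 - 1)      # constructed toy primes, far too small for real use
    t, rp = secrets.randbelow(2**40), secrets.randbelow(2**40) + 2
    rq = secrets.randbelow(rp)                   # assumption: 0 <= rq < rp, rp*2^l + rq < n/2
    x_bl = blind_notification(pub, lam, t, rp, rq, 578)
    for v in (500, 578, 600):
        print(v, broker_match(pub, x_bl, blind_subscription(pub, lam, t, rp, v))[1])
```

The broker recovers only d' = r_p(x − v) + r_q, so it learns the order of x and v but not their difference.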


Implementation

Implementation Environment

Intel Core 2 Duo CPU 2.50GHz 4GB
Linux kernel version 2.6.27
Java 1.6 with Bouncy Castle

Two types of experiments

Protocols
Extension to SIENA


Protocol Experiments (Blinding)

[Figure (a) Varying n: time (in ms) vs. bit length of n (Paillier). Series: Encrypt Subscription (Sub), Blind Encrypted Subscription (Pub), Blind Notification (Pub)]

[Figure (b) Varying l: time (in ms) vs. bit length of content (l). Series: Encrypt Subscription (Sub), Blind Encrypted Subscription (Pub), Blind Notification (Pub)]


Protocol Experiments (Match/Cover)

[Figure (c) Varying n: time (in microseconds) vs. bit length of n (Paillier). Series: Match (Broker), Cover (Broker)]

[Figure (d) Varying l: time (in microseconds) vs. bit length of content (l). Series: Match (Broker), Cover (Broker)]


System Experiments

[Figure (e) Equality Filtering: time (in ms) vs. no. of subscriptions. Series: SIENA, PP-CBPS]

[Figure (f) Inequality Filtering: time (in microsec) vs. no. of subscriptions. Series: l = 25 bits, l = 10 bits]


Conclusions

We proposed an approach for brokers to perform matching and covering operations without learning the actual subscriptions and notifications

Experimental results show that the approach is practical

Our privacy preserving matching technique can be utilized in other applications

Future work

Implement our scheme on an industry strength JMS
Support frequent subscriptions/unsubscriptions
