Efficient privacy preserving publish subscribe systems, SACMAT 2012
Outline
  Introduction
    Overview
  Background
    Tweaking Paillier Homomorphic Cryptosystem
  Overall System
    Implementation and Experimental Results
  Conclusions
    Future Work
Efficient Privacy Preserving Content Based Publish/Subscribe Systems
Mohamed Nabeel, Ning Shang, Elisa Bertino
June 21, 2012
Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
Publish Subscribe Systems
Content Based Pub/Sub Systems
Notifications
  Produced by publishers
  Consist of a set of attribute-value pairs
  Example: { symbol = "MSFT", price = 30.93, size = 1000 }
Subscriptions
  Produced by subscribers
  Specify a condition on one or more attributes in a notification
  Examples: (symbol = "GOOG" ∧ price ≥ 578), (1000 ≤ size ≤ 2000)
Brokers match notifications against subscriptions and forward the matching notifications to authorized subscribers
Why Filtering?
Access control restrictions
Computational, storage and/or bandwidth considerations
  Subscribers do not have sufficient computational power, storage or bandwidth
  Subscribers are interested only in certain types of notifications
Security and Privacy
With the utilization of third-party brokering networks, brokers cannot be trusted for confidentiality/privacy
Publication privacy
  Hide the notifications from brokers
Subscription privacy
  Hide subscriptions from brokers
  Brokers are unable to link multiple subscriptions
The goal of this work is to address these privacy issues
Isn't It a Solved Problem?
Secure pub-sub systems
  Hinder matching functionality
  False positives [Raiciu 2006]
  Limited expressiveness [Srivatsa et al. 2007]
  Key management overhead [Bacon et al. 2008]
Searchable encryption
  Secure keyword matching [Song et al. 2000]
  Order preserving encryption [Boldyreva et al. 2009]
Secure multi-party computation
Goals of our Work
Allow brokers to make matching decisions without letting them learn the actual notifications and subscriptions
Perform accurate matching and covering
Support the same expressiveness as the system without security
Minimize the overhead introduced by the security layer
System Overview
Publishers
  Produce "encrypted" notifications
  Register subscribers
Subscribers
  Make "encrypted" subscriptions
Brokers
  Authenticate subscribers and handle subscriptions
  Match incoming notifications with existing subscriptions and forward the notifications to the corresponding subscribers
Trust Model
Brokers are honest-but-curious
Brokers may collude with one another
Publishers are trusted
Subscribers are not trusted for subscriptions
Message Format
Each notification consists of a set of attribute-value pairs (AVPs)
The set of AVPs is called the payload
The AVPs related to matching are "blinded" using our scheme
The payload is encrypted using a separate cryptosystem
  Examples: Broadcast Encryption, Proxy Re-Encryption, Attribute Based Encryption
Homomorphic Encryption
$E(m_1) \cdot E(m_2) = E(m_1 \odot m_2)$
Partially vs. fully homomorphic cryptosystems
Additive homomorphic cryptosystems
  $E(m_1) \cdot E(m_2) = E(m_1 + m_2)$
  Examples: Paillier, Damgård, Benaloh
Multiplicative homomorphic cryptosystems
  $E(m_1) \cdot E(m_2) = E(m_1 \cdot m_2)$
  Examples: Unpadded RSA, ElGamal
Paillier Homomorphic Cryptosystem (PHC)
Key generation $KG(p, q)$
  $p$ and $q$ are large primes
  Private key $= (\lambda, \mu)$
  Public key $= (n, g)$, where $n = pq$ and $g \in (\mathbb{Z}/n^2\mathbb{Z})^\times$
Encryption $E(m, r)$
  $c = g^m \cdot r^n \pmod{n^2}$
Decryption $D(c)$
  $m = L(c^\lambda \bmod n^2) \cdot \mu \pmod n$, where $L(u) = (u - 1)/n$
Homomorphic Properties of PHC
PHC is additive homomorphic:
  $D(E(m_1, r_1) \cdot E(m_2, r_2) \bmod n^2) = m_1 + m_2 \pmod n$
  $D(E(m_1, r_1)^k \bmod n^2) = k m_1 \pmod n$
Tweaking PHC
Making $\mu$ public
Shifting the computation so that matching and covering operations are efficient
Allowing to compute the randomized difference without decrypting individual values
Making $\mu$ Public
Original private key $= (\lambda, \mu)$ and public key $= (n, g)$
Modified private key $= \lambda$ and public key $= (n, g, \mu)$
Due to the hardness of the Computational Diffie-Hellman problem, it is hard to derive $\lambda$ from $\mu$.
Shifting the Computation
Encryption $E'(m, r, \lambda)$
  $E'(m, r) = E(m, r)^\lambda = g^{m\lambda} \cdot r^{n\lambda} \pmod{n^2} = c$
Decryption $D(c)$
  $D(c) = L(c \bmod n^2) \cdot \mu \pmod n$
Allowing to Compute Differences
Allowing to find the difference of $x$ and $v$
Encryption $E''(x, v)$
  $x' = g^t \cdot E'(x, r_1) \pmod{n^2}$
  $v' = g^{-t} \cdot E'(-v, r_2) \pmod{n^2}$
We get the following:
  $x' \cdot v' = E'(x - v, r_3)$
Decryption $D(x' \cdot v')$
  $D(x' \cdot v') = x - v$
Allowing to Compare
Notification $= x \in [0, 2^l]$, where $l$ is the domain size
Subscription $= v \in [0, 2^l]$
Difference $d = x - v$
The matching table is as follows:

  d        Decision
  0        x = v
  < n/2    x > v
  > n/2    x < v
How to hide the difference?
The current approach reveals the difference to brokers
The key idea: using the unused range to hide the difference
Hiding the Difference
Introduce two random numbers $r_p$ and $r_q$ during blinding:
  $x'' = g^t \cdot E'(x, r_1)^{r_p} \cdot E'(r_q) \pmod{n^2}$
  $v'' = g^{-t} \cdot E'(-v, r_2)^{r_p} \pmod{n^2}$
$x''$ and $v''$ are called blinded values
The decryption results in the following output:
  $D(x'' \cdot v'') = r_p(x - v) + r_q = d'$
The matching table is as follows:

  d'       Decision
  ≤ n/2    x ≥ v
  > n/2    x < v
System Protocols and Interactions
Setup
  Initialize system security parameters
  Domain size $= l$ bits ($2^l \ll n$)
Register
  Subscribers initially register with publishers and obtain randomized access tokens
Subscribe
  Subscribers submit blinded subscriptions ($v''$) to brokers
Publish
  Publishers submit blinded notifications ($x''$) to brokers
Match
  For each notification, brokers compute $x'' \cdot v''$ and make the matching decision
Cover
  Brokers find covering relationships among subscriptions
Correctness of Matching
The following shows the correctness of $d'$. Let $y = x'' \cdot v'' \pmod{n^2}$. Then
$$
\begin{aligned}
y &= g^t \cdot E(r_p x + r_q)^{\lambda} \cdot g^{-t} \cdot E(-v)^{r_p \lambda} \pmod{n^2} \\
  &= \{E(r_p x + r_q) \cdot E(-r_p v)\}^{\lambda} \pmod{n^2} \\
  &= E(r_p(x - v) + r_q)^{\lambda} \pmod{n^2}
\end{aligned}
$$
$$
d' = L(y) \cdot \mu \pmod n = r_p(x - v) + r_q
$$
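The following is an added, runnable illustration of the tweaked scheme and of the correctness argument above; it is not code from the paper or from the authors' implementation. It builds a toy Paillier instance, the shifted encryption E' (raised to λ), decryption with the now-public µ, the blinding with t, r_p and r_q, and the broker's decision from d'. The toy primes, the choice g = n + 1, and the constraints r_q < r_p and r_p·(2^l + 1) < n/2 (which keep d' in the correct half of Z/n) are my assumptions, and the subscriber's encryption and the publisher's blinding from the slides are collapsed into one function here so the arithmetic can be checked end to end.

```python
import math
import secrets

# Toy Paillier parameters, constructed for this example (a real n is 1024+ bits).
p, q = 1000003, 1000033
n, n2 = p * q, (p * q) ** 2
g = n + 1                                           # common generator choice (assumption)
lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # λ = lcm(p-1, q-1); stays private
l = 20                                              # domain size: x, v in [0, 2^l], 2^l << n

def L(u):
    return (u - 1) // n

mu = pow(L(pow(g, lam, n2)), -1, n)                 # µ, published in the tweaked scheme

def enc(m, r):
    """Standard Paillier E(m, r) = g^m * r^n mod n^2 (m may be negative)."""
    return pow(g, m % n, n2) * pow(r, n, n2) % n2

def enc_shift(m, r):
    """Tweaked E'(m, r) = E(m, r)^λ, computed by the party holding λ."""
    return pow(enc(m, r), lam, n2)

def dec_public(c):
    """Tweaked D(c) = L(c mod n^2) * µ mod n: needs only the public (n, µ)."""
    return L(c % n2) * mu % n

def rand_unit():
    """Random encryption randomness r with gcd(r, n) = 1."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return r

def blind(x, v, t, rp, rq):
    """x'' = g^t * E'(x)^rp * E'(rq) and v'' = g^-t * E'(-v)^rp, as on the slides."""
    x2 = pow(g, t, n2) * pow(enc_shift(x, rand_unit()), rp, n2) * enc_shift(rq, rand_unit()) % n2
    v2 = pow(g, -t, n2) * pow(enc_shift(-v, rand_unit()), rp, n2) % n2
    return x2, v2

def broker_decision(x2, v2):
    """Broker side: d' = D(x'' * v'') and the matching table; x, v and x - v stay hidden."""
    d = dec_public(x2 * v2 % n2)
    return "x >= v" if d <= n // 2 else "x < v"

def match(x, v):
    """End to end: pick t, rp, rq so that d' lands in the correct half of Z/n."""
    rp_max = (n // 2) // ((1 << l) + 1)   # keeps rp*(x-v)+rq below n/2 when x >= v (assumption)
    rp = 2 + secrets.randbelow(rp_max - 2)
    rq = secrets.randbelow(rp)            # rq < rp keeps d' negative when x < v (assumption)
    t = secrets.randbelow(n)
    return broker_decision(*blind(x, v, t, rp, rq))
```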
Implementation
Implementation Environment
  Intel Core 2 Duo CPU 2.50GHz, 4GB
  Linux kernel version 2.6.27
  Java 1.6 with Bouncy Castle
Two types of experiments
  Protocols
  Extension to SIENA
Protocol Experiments (Blinding)
[Figure: Time (in ms) vs. bit length of n (Paillier), for Encrypt Subscription (Sub), Blind Encrypted Subscription (Pub) and Blind Notification (Pub)] (a) Varying n
[Figure: Time (in ms) vs. bit length of content (l), for the same three operations] (b) Varying l
Protocol Experiments (Match/Cover)
[Figure: Time (in microseconds) vs. bit length of n (Paillier), for Match (Broker) and Cover (Broker)] (c) Varying n
[Figure: Time (in microseconds) vs. bit length of content (l), for Match (Broker) and Cover (Broker)] (d) Varying l
System Experiments
[Figure: Time (in ms) vs. number of subscriptions, SIENA vs. PP-CBPS] (e) Equality Filtering
[Figure: Time (in microseconds) vs. number of subscriptions, l = 25 bits vs. l = 10 bits] (f) Inequality Filtering
Conclusions
We proposed an approach for brokers to perform matching and covering operations without learning the actual subscriptions and notifications
Experimental results show that the approach is practical
Our privacy preserving matching technique can be utilized in other applications
Future work
  Implement our scheme on an industry strength JMS
  Support frequent subscriptions/unsubscriptions