
Secure Computation Over Encrypted Data


Presentation Transcript


  1. Secure Computation Over Encrypted Data Liangliang Xiao

  2. Introduction • Cloud • Customers outsource their data & computing needs to cloud • Hardware technology hits its limit • Systems become harder to maintain • Security issues in cloud • Adversary attacks • Human error • Mistakenly sending disks with bank files to eBay [Ham03] • Reorganization or buyout [Nan04] • [Figure: a Salary column holding x1, …, xn; the query SELECT SUM(salary) returns x1 + … + xn]

  3. Introduction • Protect data in the cloud • Encryption • How to process the encrypted data? • Decrypt data for computation (not secure!) • Key should be stored with the data at the server (not secure!) • Computing directly on encrypted data

  4. Existing Works • Homomorphic Encryption (HE) • Order-preserving Encryption (OPE) • Prefix-preserving Encryption (PPE)

  5. HE • Encryption function has homomorphic properties • E(x + y) = E(x) + E(y) • E(x * y) = E(x) * E(y)

  6. HE • Encryption function has homomorphic properties • E(x + y) = E(x) + E(y) • E(x * y) = E(x) * E(y) • HE supports computations on ciphertexts • [Figure: Salary column storing E(x1), …, E(xn)]

  7. HE • Encryption function has homomorphic properties • E(x + y) = E(x) + E(y) • E(x * y) = E(x) * E(y) • HE supports computations on ciphertexts • [Figure: query SELECT SUM(salary) on a Salary column storing E(x1), …, E(xn)]

  8. HE • Encryption function has homomorphic properties • E(x + y) = E(x) + E(y) • E(x * y) = E(x) * E(y) • HE supports computations on ciphertexts • [Figure: query SELECT SUM(salary) on a Salary column storing E(x1), …, E(xn) returns E(x1 + … + xn)] • DB computes E(x1 + … + xn) = E(x1) + … + E(xn)

  9. HE • Encryption function has homomorphic properties • E(x + y) = E(x) + E(y) • E(x * y) = E(x) * E(y) • HE supports computations on ciphertexts • [Figure: query SELECT SUM(salary) on a Salary column storing E(x1), …, E(xn) returns E(x1 + … + xn)] • DB computes E(x1 + … + xn) = E(x1) + … + E(xn) • Alice decrypts to get x1 + … + xn

  10. Example of “Partial” HE • RSA • E(x) = x^e mod n • e is the public key • n = p ∙ q • Homomorphic with respect to multiplication • E(x) * E(y) = x^e * y^e = (x * y)^e = E(x * y) • Not homomorphic with respect to addition • E(x) + E(y) = x^e + y^e ≠ (x + y)^e = E(x + y)

  11. Existing HEs • Boolean circuit based HE • Plaintexts {0,1} • Gentry’s construction [Gen09] • High security level but expensive computation • Ring based HE • Plaintexts Z_N • More efficient than Boolean circuit based HE • Polly Cracker encryption scheme [Fel94] • Lacks conclusive security evidence

  12. OPE • Encryption preserves order • x < y → E(x) < E(y)

  13. OPE • Encryption preserves order • x < y → E(x) < E(y) • OPE supports range searches on ciphertexts • [Table: Name | Salary; rows E(N1) | OPE(x1), …, E(Nn) | OPE(xn)]

  14. OPE • Encryption preserves order • x < y → E(x) < E(y) • OPE supports range searches on ciphertexts • SELECT Name Where Salary > OPE(a) • [Table: Name | Salary; rows E(N1) | OPE(x1), …, E(Nn) | OPE(xn)]

  15. OPE • Encryption preserves order • x < y → E(x) < E(y) • OPE supports range searches on ciphertexts • SELECT Name Where Salary > OPE(a) • [Table: Name | Salary; rows E(N1) | OPE(x1), …, E(Nn) | OPE(xn); result E(Ni)] • DB returns E(Ni) if OPE(xi) > OPE(a)

  16. OPE • Encryption preserves order • x < y → E(x) < E(y) • OPE supports range searches on ciphertexts • SELECT Name Where Salary > OPE(a) • [Table: Name | Salary; rows E(N1) | OPE(x1), …, E(Nn) | OPE(xn); result E(Ni)] • DB returns E(Ni) if OPE(xi) > OPE(a) • Alice decrypts E(Ni) to get Ni

  17. Existing OPEs • RN • Randomly generate r1, …, rx, …, ry, … • E(x) = r1 + … + rx • E(y) = r1 + … + rx + … + ry • Poly • Randomly generate a strictly increasing polynomial f • [Figure: graph of f with x and y on the horizontal axis and E(x) and E(y) on the vertical axis]

  18. PPE • Encryption preserves prefix • [Figure, columns labelled Plaintexts and Ciphertexts: 101000 → 001010; 101110 → 001111]

  19. PPE • Encryption preserves prefix • Range searches can be transformed to prefix-matching search • [32, 111] → [00100000, 01101111] → {001*, 010*, 0110*} • [Figure, columns labelled Plaintexts and Ciphertexts: 101000 → 001010; 101110 → 001111]
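The range-to-prefix transformation on slide 19, followed by a prefix-matching search over encrypted values, as an added example that is not part of the original slides. The slides do not name a PPE construction; `ppe_encrypt` below is an assumed toy construction (each output bit is the input bit XOR a PRF of the preceding input bits, with HMAC-SHA256 as the PRF), and the key and salary values are constructed.

```python
import hashlib
import hmac

def range_to_prefixes(lo, hi, width):
    """Minimal list of bit prefixes matching exactly the width-bit values in [lo, hi]."""
    prefixes = []
    while lo <= hi:
        # Largest power-of-two block that is aligned at lo and still fits in [lo, hi].
        size = lo & -lo if lo else 1 << width
        while lo + size - 1 > hi:
            size >>= 1
        free_bits = size.bit_length() - 1          # bits covered by the '*' wildcard
        fixed = width - free_bits
        prefixes.append(format(lo >> free_bits, f"0{fixed}b") if fixed else "")
        lo += size
    return prefixes

def ppe_encrypt(key, bits):
    """Assumed toy PPE: output bit i = input bit i XOR PRF(key, input bits before i).
    Two inputs sharing an n-bit prefix give outputs sharing an n-bit prefix."""
    out = []
    for i, b in enumerate(bits):
        pad = hmac.new(key, bits[:i].encode(), hashlib.sha256).digest()[0] & 1
        out.append(str(int(b) ^ pad))
    return "".join(out)

def demo():
    key = b"constructed demo key"                  # constructed, not from the slides
    salaries = [20, 32, 75, 111, 112, 200]         # constructed plaintext column
    column = [ppe_encrypt(key, format(s, "08b")) for s in salaries]  # stored by DB
    # Client: turn the range [32, 111] into prefixes and encrypt each prefix.
    query = [ppe_encrypt(key, p) for p in range_to_prefixes(32, 111, 8)]
    # DB: return row i if some encrypted query prefix is a prefix of its ciphertext.
    return [i for i, c in enumerate(column) if any(c.startswith(q) for q in query)]

if __name__ == "__main__":
    print(range_to_prefixes(32, 111, 8), demo())
```

The DB matches rows using ciphertexts only, which also means it learns which stored values share prefixes with each other and with the query.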

  20. PPE • PPE supports range searches on ciphertexts • [Table: Name | Salary; rows E(N1) | PPE(x1), …, E(Nn) | PPE(xn)]

  21. PPE • PPE supports range searches on ciphertexts • SELECT Name Where Salary = PPE(aj), 1 ≤ j ≤ m • [Table: Name | Salary; rows E(N1) | PPE(x1), …, E(Nn) | PPE(xn)]

  22. PPE • PPE supports range searches on ciphertexts • SELECT Name Where Salary = PPE(aj), 1 ≤ j ≤ m • [Table: Name | Salary; rows E(N1) | PPE(x1), …, E(Nn) | PPE(xn); result E(Ni)] • DB returns PPE(xi) if PPE(aj) is its prefix

  23. PPE • PPE supports range searches on ciphertexts • SELECT Name Where Salary = PPE(aj), 1 ≤ j ≤ m • [Table: Name | Salary; rows E(N1) | PPE(x1), …, E(Nn) | PPE(xn); result E(Ni)] • DB returns PPE(xi) if PPE(aj) is its prefix • Alice decrypts E(Ni) to get Ni

  24. Main problem of the Existing Works • HE/OPE/PPE only consider one encryption key • One encryption key • DB colludes with any user → compromise all data • Different users use different keys • Computation cannot be performed

  25. Other Problems • HE • Circuit-based HE has very high computation cost • Gentry’s algorithm: • Computation of each binary operation is  6 seconds [Gen] • Multiplication requires ~ 11,000 gates; Addition requires 160 gates [Mor]

  26. Other Problems • Attacks against OPE • Suppose A knows (m/2, OPE(m/2)) • Plaintexts {1, …, m} • A can retrieve the most significant bit of other ciphertexts • Need to qualify the security of OPE • [Figure: plaintext m/2 mapped to OPE(m/2)]

  27. Other Problems • Attacks against OPE • Suppose A knows (m/2, OPE(m/2)) • Plaintexts {1, …, m} • A can retrieve the most significant bit of other ciphertexts • Need to qualify the security of OPE • [Figure: plaintext m/2 mapped to OPE(m/2), with other ciphertexts on either side of OPE(m/2)]
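The RN scheme from slide 17, the server-side range search from slides 13 to 16, and the leak described on slides 26 and 27, as an added example that is not part of the original slides. The domain size, the increment bound and the salary values are constructed, and the function names are assumptions.

```python
import secrets

M_DOMAIN = 256  # plaintexts {1, ..., m}; constructed toy domain size

def rn_keygen(m=M_DOMAIN, max_step=1000):
    """RN scheme: the secret key is a list of random increments r_1..r_m, each >= 1."""
    return [1 + secrets.randbelow(max_step) for _ in range(m)]

def rn_encrypt(key, x):
    """E(x) = r_1 + ... + r_x, strictly increasing in x because every r_i >= 1."""
    return sum(key[:x])

def range_query(column, threshold_ct):
    """DB side of SELECT ... WHERE Salary > OPE(a): compares ciphertexts only."""
    return [i for i, c in enumerate(column) if c > threshold_ct]

def upper_half(ct, known_mid_ct):
    """Holder of the single pair (m/2, OPE(m/2)): one comparison reveals whether
    the hidden plaintext lies above m/2, i.e. its most significant bit."""
    return ct > known_mid_ct

def demo():
    key = rn_keygen()
    salaries = [12, 200, 129, 128, 77, 255]            # constructed plaintexts
    column = [rn_encrypt(key, s) for s in salaries]    # what the DB stores
    hits = range_query(column, rn_encrypt(key, 100))   # rows with salary > 100
    mid_ct = rn_encrypt(key, M_DOMAIN // 2)            # the known pair's ciphertext
    leaked = [upper_half(c, mid_ct) for c in column]   # computed without the key
    return hits, leaked

if __name__ == "__main__":
    print(demo())
```

The same comparison that makes the range search work is what leaks the bit, so the leak cannot be removed without giving up the order property; each further known pair halves the remaining interval again.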

  28. Other Problems • Existing security analysis • Reduce the security of the real OPE scheme to the ideal OPE object

  29. Other Problems • Existing security analysis • Reduce the security of the real OPE scheme to the ideal OPE object • Ideal OPE • The encryption function is uniformly randomly selected from all order-preserving functions • [Figure: encryption function randomly selected from the set of all OPE functions]

  30. Other Problems • Existing security analysis • Reduce the security of the real OPE scheme to the ideal OPE object • Ideal OPE • The encryption function is uniformly randomly selected from all order-preserving functions • No security analysis of the ideal OPE object • [Figure: encryption function randomly selected from the set of all OPE functions]

  31. Objective of My Research • Bridge the gaps • HE • Design a more efficient HE algorithm • Enhance it for multi-user systems • OPE • Prove the security of the ideal OPE object • Develop a multi-user OPE protocol • PPE • Prove the security of the ideal PPE object • Design a multi-user PPE protocol based on an existing PPE

  32. Objective of My Research • Bridge the gaps • HE • Design a more efficient HE algorithm • Enhance it for multi-user systems • OPE • Prove the security of the ideal OPE object • Develop a multi-user OPE protocol • PPE • Prove the security of the ideal PPE object • Design a multi-user PPE protocol based on an existing PPE

  33. Our HE Construction • Basic construction (ring based) • E(x, k) = M • M is a matrix with the eigenvalue x w.r.t. the eigenvector k • Over ring Z_N where N = p ∙ q • Homomorphic in addition and multiplication • x ∙ k = M ∙ k and y ∙ k = M’ ∙ k → (x + y) ∙ k = (M + M’) ∙ k and (x ∙ y) ∙ k = (M ∙ M’) ∙ k • [Figure: x ∙ k = M ∙ k over Z_N]

  34. Security Definition • Attack model • Adversary knows some plaintext/ciphertext pairs • Adversary tries to reverse another ciphertext • Called challenge

  35. Security Analysis • Attack based on plaintext/ciphertext pair (x, M) • Solve k from x ∙ k = M ∙ k • x has the only eigenvector k • Use k to reverse other ciphertexts • [Figure: solve k from x ∙ k = M ∙ k over Z_N]
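The basic construction from slide 33 and the weakness identified on slide 35, as an added example that is not the author's implementation. It assumes 2×2 matrices (the slides do not give the size of the basic construction), a constructed toy modulus, and hypothetical function names.

```python
import math
import secrets

# Constructed toy modulus N = p * q (two Mersenne primes); not a secure parameter.
N = (2**31 - 1) * (2**61 - 1)

def rand_unit():
    """Random element of Z_N that is invertible mod N."""
    while True:
        a = secrets.randbelow(N)
        if math.gcd(a, N) == 1:
            return a

def encrypt(x, k):
    """M = P * diag(x, r) * P^-1 mod N with P = [k | u]; u and r are fresh per call."""
    while True:
        u = (secrets.randbelow(N), secrets.randbelow(N))
        det = (k[0] * u[1] - k[1] * u[0]) % N
        if math.gcd(det, N) == 1:
            break
    r, d = secrets.randbelow(N), pow(det, -1, N)
    return [[(k[0]*x*u[1] - u[0]*r*k[1]) * d % N, (r - x) * k[0]*u[0] * d % N],
            [(x - r) * k[1]*u[1] * d % N, (u[1]*r*k[0] - k[1]*x*u[0]) * d % N]]

def decrypt(M, k):
    """x is the eigenvalue of M for eigenvector k: (M k)_1 = x * k_1 mod N."""
    return (M[0][0] * k[0] + M[0][1] * k[1]) * pow(k[0], -1, N) % N

def mat_add(A, B):
    return [[(A[i][j] + B[i][j]) % N for j in range(2)] for i in range(2)]

def mat_mul(A, B):
    return [[sum(A[i][t] * B[t][j] for t in range(2)) % N for j in range(2)]
            for i in range(2)]

def recover_key(x, M):
    """Slide 35: solve (M - x*I) k = 0 from one known pair; gives k up to a scalar."""
    return (M[0][1] % N, (x - M[0][0]) % N)

def demo():
    k = (rand_unit(), rand_unit())                  # secret eigenvector (the key)
    Mx, My = encrypt(1200, k), encrypt(35, k)       # constructed plaintexts
    total = decrypt(mat_add(Mx, My), k)             # E(x) + E(y) decrypts to x + y
    prod = decrypt(mat_mul(Mx, My), k)              # E(x) * E(y) decrypts to x * y
    k_from_pair = recover_key(1200, Mx)             # only the pair (1200, Mx) is used
    return total, prod, decrypt(My, k_from_pair)    # third value exposes y = 35

if __name__ == "__main__":
    print(demo())
```

Any scalar multiple of k decrypts as well as k itself, which is why a single known pair is enough here and why the improved construction adds a second eigenvalue.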

  36. Our HE Construction • Need to improve the basic construction • One common eigenvector → homomorphic computation • Second distinct eigenvector → resist the attack • Improved Construction • Consider 4×4 matrix • k, u, v, w are randomly chosen eigenvectors

  37. Our HE Construction • Improved Construction • Associate x with k and z • z = u, v, or w subject to a distribution D • Randomly select r • Associate r with two remaining eigenvectors • [Figure: three cases for M: x with k, u and r with v, w; x with k, v and r with u, w; x with k, w and r with u, v]

  38. Our HE Construction • Consider m rings • [Figure: Z_N with key k, and rings Z_f1, Z_f2, …, Z_fm with keys k1, k2, …, km, each labelled p; combined label p^m]

  39. Security of Our HE • Security • Theorem: the probability for the adversary to reverse any other ciphertext is pm • p = 1  (1  q)  qn • pm becomes negligibly small if n < mln poly() •  is the security parameter • Achieves one-wayness security • Further computes q to minimize (1  (1  q)  qn)m • q is the probability that x is associated with u • q = 1  1/n

  40. Performance Comparison • Compare our algorithm with Gentry’s • Our algorithm • Choose m = 16 to sustain 1109 chosen plaintext attacks • Gentry’s algorithm: • Computation of each binary operation is  6 seconds [Gen] • Multiplication requires ~ 11,000 gates; Addition requires 160 gates [Mor]

  41. Objective of My Research • Bridge the gaps • HE • Design a more efficient HE algorithm • Enhance it for multi-user systems • OPE • Prove the security of the ideal OPE object • Develop a multi-user OPE protocol • PPE • Prove the security of the ideal PPE object • Design a multi-user PPE protocol based on an existing PPE

  42. HE for Multi-User System • Key transformation → similarity transform • k’ ∙ E(x, k) ∙ k’^−1 = E(x, k’ ∙ k)

  43. HE for Multi-User System • Key transformation → similarity transform • k’ ∙ E(x, k) ∙ k’^−1 = E(x, k’ ∙ k) • Request protocol • kj – user key • Different user holds different user key • kj’ and kj’’ – matching key • mk – master key • Response protocol – reverse the request protocol • [Figure: user Uj (holds key kj) sends E(x, kj); key agent (holds key kj’) produces E(x, kj’ ∙ kj); DB (holds key kj’’) obtains E(x, mk), where kj’’ ∙ kj’ ∙ kj = mk]

  44. HE for Multi-User System • Security • Theorem: Our Protocols are as secure as HE unless both DB and KA are compromised • Further security improvement • Use a chain of KAs

  45. Performance Study • Request/Response Protocols • User ; DB • Key agent

  46. Performance Study • Results • λ – data length • NE = “No Encryption” • HE – Q = DB received the data encrypted by user • HE – P = User decrypts the data sent from DB

  47. Objective of My Research • Bridge the gaps • HE • Design a more efficient HE algorithm • Enhance it for multi-user systems • OPE • Prove the security of the ideal OPE object • Develop a multi-user OPE protocol • PPE • Prove the security of the ideal PPE object • Design a multi-user PPE protocol based on an existing PPE

  48. Security Analysis of the Ideal OPE • Security metric • zh = average # of secure bits of plaintext under h known plaintext attacks = H~∞(X | Y, KPh) • H~∞ is the average min-entropy • X is the plaintext, Y is a challenge (randomly generated ciphertext) • KPh is h plaintext/ciphertext pairs known by the adversary • Challenge of computing zh • It is difficult to find a closed-form expression for zh

  49. Security Analysis of the Ideal OPE • Instead, estimate the upper and lower bounds on zh • Upper bound on zh • Choose KPh = { (xi, E*(xi)) | xi = i∙(m+1)/(h+1), 1 ≤ i ≤ h } • xi is uniformly distributed • zh ≤ log2(m−h)/(h+1) • Lower bound on zh • Don’t know the strongest plaintext attack, how? • [Figure: known plaintexts x1, x2, x3, …, xh spread over the domain]

  50. Security Analysis of the Ideal OPE • Our approach to estimate the lower bound on zh • Observation • KPh divides the domain and range into h+1 subdomains and subranges • KPh = {(xi, yi)}, 1 ≤ i ≤ h • No plaintext attack within each subdomain and subrange • Estimate the lower bound for the case of no plaintext attack • Defined as z0 • Apply z0 to each subdomain and subrange • (xi, yi) are variables • Optimize the h (xi, yi) pairs • Accordingly, estimate zh ≥ c∙log2(m−h)/(h+1) • 0 < c < 1 • [Figure: no plaintext attack inside the subdomain between xj and xj+1 of [m] and the subrange between yj and yj+1 of [n]]
