Multi-Dimensional Range Query over Encrypted Data Authors: Elaine Shi, Joint work with John Bethencourt, Hubert Chan, Dawn Song, Adrian Perrig Slides originated from Elaine Shi, modified by Michael Chen CSC 774 Advanced Network Security Instructor: Dr. Peng Ning Presenter: Michael Chen April 19, 2007

2Speaking Requirement Talk Motivation - Network Audit Logs Network gateway Data center

3Speaking Requirement Talk An Ideal Solution Network gateway Data center

4Speaking Requirement Talk Auditor auditor Trusted authority Query: ( 100 · port · 200 ) Æ ( ip *.* )

5Speaking Requirement Talk Auditor auditor Trusted authority Capability: ( 100 · port · 200 ) Æ ( ip *.* ) Query: ( 100 · port · 200 ) Æ ( ip *.* )

6Speaking Requirement Talk Security Query: ( 100 · port · 200 ) Æ ( ip *.* ) Can decrypt all matching entries Cannot learn additional information for non-matching entries –Except for the fact that they do not match

7Speaking Requirement Talk The Challenges Current practices: –No encryption –All-or-nothing decryption Challenge: –How to design such an encryption scheme –Efficiency –Security

8Speaking Requirement Talk Related work Search on encrypted data (SoE) –Not clear if can be extended to range query over multiple attributes. Anonymous hierarchical IBE (AHIBE) –Could be used to implement MRQED, encryption cost O(T D ) Concurrent work –BonehWaters06: Complex query over encrypted data. More expensive public key size, encryption cost, cheaper decryption cost and shorter decryption key size.

9Speaking Requirement Talk Generalized Problem Definition Time-stamp t, source address a, destination port p A tuple (t, a, p)  can be viewed as a point x in 3 dimensional space. Query for flows with Hyper-rectangle B in space x is in B ?

10Speaking Requirement Talk Generalized Problem Definition KeyGen – Key generation Encrypt – Encryption DeriveKey – Compute a decryption key QueryDecrypt – Attempt to decrypt using a capability

11Speaking Requirement Talk KeyGen ( , n) Input –k: security parameter –n: bit-length of x Output –public key PK & master private key SK KeyGen( , n) Trusted authority

12Speaking Requirement Talk Encrypt(PK, x, msg) x – a point Cipher_Text à Encrypt(PK, x, msg)

13Speaking Requirement Talk DeriveKey(PK, SK, B ) B – “hyper-rectangle” DK B t1t1 t2t2 r1r1 r2r2

14Speaking Requirement Talk QueryDecrypt(PK, DK, C) Output –msg if – if

15Speaking Requirement Talk Roadmap Trivial construction AIBE – MRQED1 –Efficient representation for ranges –1 dimensional scheme Extension to multiple dimensions

16Speaking Requirement Talk Trivial Construction SchemePK. sizeEnc. CostCT. SizeDK. SizeDec. Cost TrivialO(T 2D ) O(D) T : # different values along each dimension D : # dimensions 1 dimension One public key pair for each possible range - O(T 2 ) public key pairs - O(T 2 ) cipher texts and decryption keys for each range Performance of D dimensions

17Speaking Requirement Talk Roadmap Trivial construction AIBE – MRQED 1 –Efficient representation for ranges –1 dimensional scheme Extension to multiple dimensions

18Speaking Requirement Talk AIBE – MRQED 1 Try to decrease storage and computation cost Efficient representation of range: - Define Interval Tree tr(T) as a binary tree over [1, T], each node represents a range - ith leaf node: cv(ID) = i - non-leaf node: cv(ID) = cv(ID1) U cv(ID2) in which ID1 & ID2 are its children nodes

19Speaking Requirement Talk AIBE – MRQED 1 – cont’d Set of IDs covering a point x - if, ID covers x if. - Define P(x) to be the set such IDs. - P(x) includes all nodes on the path from leaf x to root. Range as a collection of IDs - Define (s, t) to be the minimum set of nodes that cover range [s, t].

20Speaking Requirement Talk AIBE – MRQED 1 – cont’d [0, 1] [2, 3] [4, 5] [6, 7] [0, 3] [4, 7] [0, 7] [1, 7]

21Speaking Requirement Talk AIBE – MRQED 1 : Encrypt C 0 =Encrypt(PK, ID A, msg) C 1 =Encrypt(PK, ID B, msg) C2C2 C3C3 A B

22Speaking Requirement Talk AIBE – MRQED 1 : Encrypt C0C0 C1C1 C2C2 C3C3 O(logT) ciphertext size

23Speaking Requirement Talk AIBE – MRQED 1 : DeriveKey [2, 6]

24Speaking Requirement Talk AIBE – MRQED 1 : DeriveKey [2, 6] [2, 3][4, 5] [6, 6]

25Speaking Requirement Talk AIBE – MRQED 1 : DeriveKey [2, 6] SK  SK  SK 

26Speaking Requirement Talk AIBE – MRQED 1 : DeriveKey [2, 6] SK  SK  SK  O(logT) decryption key size

27Speaking Requirement Talk AIBE – MRQED 1 : QueryDecrypt Observations: If x 2 [s, t], then | P(x) Å (s, t) | = 1 If x 2 [s, t], P(x) Å (s, t) = ;

28Speaking Requirement Talk AIBE – MRQED 1 : Decrypt C1C1 C2C2 C3C3 C0C0

29Speaking Requirement Talk AIBE – MRQED 1 : Decrypt [2, 6] C1C1 C2C2 C3C3 C0C0 SK  SK  SK 

30Speaking Requirement Talk AIBE – MRQED 1 : Decrypt C1C1 C2C2 C3C3 C0C0

31Speaking Requirement Talk AIBE – MRQED 1 : Decrypt [0, 3] C1C1 C2C2 C3C3 C0C0 SK 

32Speaking Requirement Talk AIBE – MRQED 1 : Decrypt [4, 7] C1C1 C2C2 C3C3 C0C0 SK 

33Speaking Requirement Talk AIBE – MRQED 1 : Performance SchemePK. sizeEnc. CostCT. SizeDK. SizeDec. Cost TrivialO(T 2D ) O(D) AIBE-MRQED 1 O(1)O(logT) T : # different values along each dimension D : # dimensions

34Speaking Requirement Talk AIBE – MRQED D – Encryption D = 2 dimensional example To encrypt point x = (3,5)

35Speaking Requirement Talk AIBE – MRQED D – DeriveKey Query range: [2,6] x [7,3] 1 st dimension: (2, 6) 2 nd dimension: (3,7)

36Speaking Requirement Talk AIBE – MRQED D Performance O(1) PK size O(D ¢ logT) –Encryption cost –Cipher Text. size –Decryption key size O((logT) D ) decrypt. cost Good performance, but has a serious vulnerability – prone to collusion attack

37Speaking Requirement Talk Collusion Attack K x1 K x2 SK y2 SK y1 {SK x1, SK y1 } {SK x2, SK y2 } R1R1 R2R2 R3R3 R4R4 {SK x1, SK y2 } {SK x2, SK y1 } How fix the problem but preserve the AIBE – MRQED D efficiency?

38Speaking Requirement Talk Collusion Attack solution - “Binding” SK x1 SK x2 SK y2 SK y1 {SK x1, SK y1 } {SK x2, SK y2 } {SK x1, SK y1 }  x ¢  y = c

39Speaking Requirement Talk Collusion Attack solution - “Binding” SK x1 SK x2 SK y2 SK y1 {SK x1, SK y1 } {SK x2, SK y2 }  x ¢  y = c  x 4 SK x1 {SK x1, SK y1 }

40Speaking Requirement Talk Collusion Attack solution - “Binding” SK x1 SK x2 SK y2 SK y1 {SK x1, SK y1 } {SK x2, SK y2 }  x ¢  y = c  x SK x1 {SK x1, SK y1 }

41Speaking Requirement Talk Collusion Attack solution - “Binding” SK x1 SK x2 SK y2 SK y1 {SK x1, SK y1 } {SK x2, SK y2 }  x ¢  y = c  x SK x1 {SK x1, SK y1 }  y SK y1

42Speaking Requirement Talk Collusion Attack solution - “Binding” SK x1 SK x2 SK y2 SK y1 {SK x1, SK y1 } {SK x2, SK y2 } x ¢ y = c {SK x2, SK y2 } x SK x2 y SK y2

43Speaking Requirement Talk The “Binding” Construction Use Bilinear Groups Rely on well-known difficult problem: –Decision BDH Assumption –Decision linear Assumption Algebraically intensive

44Speaking Requirement Talk Conclusion SchemePK. sizeEnc. CostCT. SizeDK. SizeDec. Cost TrivialO(T 2D ) O(D) BW06O(D ¢ T) O(D) RQEQ D O(D∙logT) O((logT) D ) T : # different values along each dimension D : # dimensions

45Speaking Requirement Talk Future work Further exploration of ways to decrease the decryption co Possible other privacy-preserving applications in addition to network audit logs, financial audit logs, etc.

46Speaking Requirement Talk Question Observations: If x 2 [s, t], then | P(x) Å (s, t) | = 1 If x 2 [s, t], P(x) Å (s, t) = ; Why is this always true?

Thank you!