1 Conjunctive, Subset, and Range Queries on Encrypted Data Presenter: 陳國璋 Lecture Notes in Computer Science, 2007 Dan Boneh and Brent Waters

2 Outline  Introduction  Definition  Brute Force Construction  Pairings and complexity assumption  Hidden Vector Encryption  Application of HVE  Conclusion

3 Introduction(1/3) Visa Credit card payment Gateway Encrypted Transaction Visa ’ s Public Key Encrypted Transaction Encrypted Transaction Predicate P [value over $1000] Given by Visa Yes No More Secure Processing Normally Secure Processing

4 Introduction(2/3) Mail Server PP’P’ Satisfy P Satisfy P ’ inbox Discard Recipient ’ s pager Recipient ’ s Public key Given by Recipient

5 Introduction(3/3)  Hidden Vector Encryption (HVE)  Extreme example, Anonymous Identity Based Encryption (AnonIBE)  Query type Equality query Comparison query Subset query

6 Outline  Introduction  Definition  Brute Force Construction  Pairings and complexity assumption  Hidden Vector Encryption  Application of HVE  Conclusion

7 Definition(1/4)  Σ: finite set of binary strings  Predicate P over Σ is a function P: Σ → {0,1}  S ∈ Σ if P(S)=1

8 Definition(2/4)  Φ: set of predicates over Σ  Φ-searchable public key system Setup(λ)  Input security parameter λ  Output public key PK and secret key SK Encrypt(PK,S,M)  Public key PK  S ∈ Σ as the searchable field, called an index  M as the data

9 Definition(3/4)  Φ-searchable public key system GenToken(SK, )  Input secret key SK and a predicate P ∈ Φ  Output a token TK Query(TK,C)  Input token TK for some predicate P and a ciphertext C that is an encryption of (S,M)  Output M or ⊥

10 Definition(4/4)  Correctness Query correctness

11 Outline  Introduction  Definition  Brute Force Construction  Pairings and complexity assumption  Hidden Vector Encryption  Application of HVE  Conclusion

12 Brute Force Construction(1/9)  Σ: finite set of binary strings  Build a Φ-searchable public key system ε TR  ε=(Setup ’, Encrypt ’, Decrypt ’ ) be a public key system  Φ={P 1,P 2, …,P t }

13 Brute Force Construction(2/9)  Setup(λ) Run Setup ’ (λ) t times PK ← (PK 1, …,PK t ) SK ← (SK 1, …,SK t ) Output (PK, SK)

14 Brute Force Construction(3/9)  Encrypt(PK,S,M) For i= 1, …,t define: Output C ← (C 1, …,C t )

15 Brute Force Construction(4/9)  GenToken(SK, ) is the description of predicate Φ The index i of P i in Φ Output TK ← (i,SK i )

16 Brute Force Construction(5/9)  Query(TK,C) C=(C 1, …,C t ) TK=(i,SK i ) Output Decrypt ’ (SK i,C i )

17 Brute Force Construction(6/9)  Example for single query  Σ={1,2,3,4,5}  Φ={P 1,P 2,P 3 }  Setup(λ) Run 3 times Setup ’ (λ) PK ← (PK 1,PK 2,PK 3 ) SK ← (SK 1,SK 2,SK 3 )

18 Brute Force Construction(7/9)   Encrypt(PK,4,M) C 1 ← Encrypt ’ (PK 1, ⊥ ) C 2 ← Encrypt ’ (PK 2, ⊥ ) C 3 ← Encrypt ’ (PK 3,M) C ← (C 1,C 2,C 3 ) x12345 P 1 (x)01100 P 2 (x)10000 P 3 (x)00011

19 Brute Force Construction(8/9)     x12345 P 1 (x)01100 P 2 (x)10000 P 3 (x)00011 GenToken(SK, ) TK 1 ← (2,SK 2 )TK 2 ← (3,SK 3 ) Query(TK 1,C)Query(TK 2,C) Decrypt ’ (SK 2,C 2 )= ⊥ Decrypt ’ (SK 3,C 3 )=M

20 Brute Force Construction(9/9)  Example for conjunctive comparison predicates  Σ={1, …,n} w ={1,2,3,4,5} 4 n is the maximum value for each cell w is the number of the cells  Φ n,w be a set of predicates, |Φ n,w |=n w= 5 4

21 Outline  Introduction  Definition  Brute Force Construction  Pairings and complexity assumption  Hidden Vector Encryption  Application of HVE  Conclusion

22 Pairings and complexity assumption(1/5)  p, q are two big primes. n =pq  G: bilinear group, order = n  G p : cyclic group, order = p  G q : cyclic group, order = q  G T : cyclic group  e:G 2 → G T satisfied as follows Biliner: ∀ u, v ∈ G, e(u a,v b )=e(u,v) ab Non-degenerate: ∃ g s.t. e(g,g) has order n in G T

23 Pairings and complexity assumption(2/5)  The composite Bilinear Diffie-Hellman assumption (cBDH)

24 Pairings and complexity assumption(3/5)  The advantage of cBDH

25 Pairings and complexity assumption(4/5)  The composite 3-party Diffie-Hellman assumption (c3DH)

26 Pairings and complexity assumption(5/5)  The advantage of c3DH

27 Outline  Introduction  Definition  Brute Force Construction  Pairings and complexity assumption  Hidden Vector Encryption  Application of HVE  Conclusion

28 Hidden Vector Encryption(1/10) Conjunctive General Predicate Multi-cell Practical Value Predicate Vector Practical Vector SK Ciphertext Token Data / ⊥ Data PK GenToken HVE Encrypt HVE Query HVE

29 Hidden Vector Encryption(2/10)  Σ: finite set  *: special symbol, plays the role of a wildcard or don ’ t care.  Σ * = Σ ∪ {*}

30 Hidden Vector Encryption(3/10) 

31 Hidden Vector Encryption(4/10)    

32 Hidden Vector Encryption(5/10)  Particular HVE construction  Σ=Z m for some integer m  Σ * =Z m ∪ {*}

33 Hidden Vector Encryption(6/10)  Setup HVE (λ) Choose random primes p,q > m Create a bilinear group G of order n Picks random elements

34 Hidden Vector Encryption(7/10) 

35 Hidden Vector Encryption(8/10)  Encrypt HVE (PK,I,M)

36 Hidden Vector Encryption(9/10)  GenToken HVE (SK,I * ) S be a set of all index i s.t. I i ≠ * Choose random Generate a token for the predicate

37 Hidden Vector Encryption(10/10)  Query HVE (TK,C) First, compte If M is not in data space, output ⊥. Otherwise, output M.

38 Outline  Introduction  Definition  Brute Force Construction  Pairings and complexity assumption  Hidden Vector Encryption  Application of HVE  Conclusion

39 Application of HVE(1/15) Conjunctive General Predicate Multi-cell Practical Value Predicate Vector Practical Vector SK Ciphertext Token Data / ⊥ Data PK GenToken HVE Encrypt HVE Query HVE

40 Application of HVE(2/15)  Example for conjunctive comparison queries  Σ 01 ={0,1}=Z 2  Σ 01* ={0,1,*}=Z 2 ∪ {*}  Take n=3, w=4, then l =nw=12, m=2  Secure HVE over Σ (Setup HVE, Encrypt HVE, GenToken HVE, Query HVE )  Construct a Φ n,w -searchable system as follows

41 Application of HVE(3/15)  Setup(λ) Run Setup HVE (λ) Get public key PK and secret ket SK.

42 Application of HVE(4/15)  Encrypt(PK,S,M) S=(x 1, …,x w ) ∈ {1, …,n} w ={1,2,3} 4 Build a vector σ(S)=(σ i,j ) ∈ Σ 01 nw =Σ σ i,j =1 if x i ≧ j; σ i,j =0, otherwise For example, take S=(1,3,2,1) Vector σ(S) = ( ) Output C ← Encrypt HVE (PK,σ(S),M), size = O(nw) x i j123 x 1 =1100 x 2 =3111 x 3 =2110 x 4 =1100

43 Application of HVE(5/15)  GenToken(SK, ) a=(a 1,a 2,a 3,a 4 ) ∈ {1, …,n} w ={1,2,3} 4 Build a vector σ * (a)=(σ *i,j ) ∈ Σ 01* nw =Σ 01* 12 σ *i,j =1 if x i =j; σ *i,j =*, otherwise For example, take a = (2,3,1,1) Vector σ * (a) = (*1* **1 1** 1**) Output TK a ← GenToken HVE (SK,σ * (a)), size = O(w) a i j123 a1=2*1* a2=3**1 a3=11** a4=11**

44 Application of HVE(6/15)  Query(TK a,C) Run Query HVE (TK a,C)

45 Application of HVE(7/15)   S=(1,3,2,1) and a=(2,3,1,1)  P a (S)=(x 1 ≧ 2)^(x 2 ≧ 3)^(x 3 ≧ 1)^(x 4 ≧ 1)=0 

46 Application of HVE(8/15)   S=(2,3,2,1) and a=(2,3,1,1)  P a (S)=(x 1 ≧ 2)^(x 2 ≧ 3)^(x 3 ≧ 1)^(x 4 ≧ 1)=1 

47 Application of HVE(9/15)  Conjunctive range queries To search for plaintext where x ∈ [a,b] Encrypts the pair (x,x) The predicate then tests x ≧ a ^ x ≦ b

48 Application of HVE(10/15)  Subset queries T: set of size n A ⊆ T Subset predicate  P A (x)=1 if x ∈ A; P A (x) = 0, otherwise

49 Application of HVE(11/15)  Conjunctive subset predicates over T w  σ=(A 1, …,A w ) where A i ⊆ T, i=1, …,w  σ ∈ (2 T ) w  x=(x 1, …,x w )  P σ (x)=1, if x i ∈ A i ∀ i=1, …,w; P σ (x)=0, otherwise

50 Application of HVE(12/15)  T={1,2,3,4,5}, |T|=n=5, w=4  A 1 ={1,2,4}, A 2 ={3,5}, A 3 ={1,5}, A 4 ={2}  Φ={P σ, ∀ σ ∈ (2 T ) w }, |Φ|=2 nw =2 20

51 Application of HVE(13/15)  Encrypt(PK,S,M) S=(x 1, …,x w ) ∈ {1, …,n} w ={1,2,3,4,5} 4 Build a vector σ(S)=(σ i,j ) ∈ Σ 01 nw =Σ σ i,j =1 if x i ≠j; σ i,j =0, otherwise For example, take S=(4,5,2,3) Vector σ(S) = ( ) Output C ← Encrypt HVE (PK,σ(S),M), size = O(nw) xi j12345 x1= x2= x3= x4=311011

52 Application of HVE(14/15)  GenToken(SK, ) a=(A 1,A 2,A 3,A 4 ) ∈ {1, …,n} w ={1,2,3,4,5} 4 Build a vector σ * (a)=(σ *i,j ) ∈ Σ 01* nw =Σ 01* 20 σ *i,j =1 if j≠A i ; σ *i,j =*, otherwise For example, take a = (A 1,A 2,A 3,A 4 ) A 1 ={1,2,4}, A 2 ={3,5}, A 3 ={1,5}, A 4 ={2} Vector σ * (a) = (**1*1 11*1* *111* 1*111) Output TK a ← GenToken HVE (SK,σ * (a)), size = O(nw) Ai j12345 A1={1,2,4}**1*1 A2={3,5}11*1* A3={1,5}*111* A4={2}1*111

53 Application of HVE(15/15)   S=(4,5,2,3) and a=(A 1,A 2,A 3,A 4 )  A 1 ={1,2,4}, A 2 ={3,5}, A 3 ={1,5}, A 4 ={2}  P a (S)=(4 ∈ A 1 )^(5 ∈ A 2 )^(2 ∈ A 3 )^(3 ∈ A 4 )=0 

54 Outline  Introduction  Definition  Brute Force Construction  Pairings and complexity assumption  Hidden Vector Encryption  Application of HVE  Conclusion

55 Conclusion(1/2) Conjunctive General Predicate Multi-cell Practical Value Predicate Vector Practical Vector SK Ciphertext Token Data / ⊥ Data PK GenToken HVE Encrypt HVE Query HVE

56 Conclusion(2/2)  As the width of HVE is 1, the HVE scheme is essentially an Aonymous IBE system.  Improve the size of ciphertext.  The predicate vector and the practical vector are unique.  Composite queries. Range query + Subset query