Privacy-Preserving Computation and Verification of Aggregate Queries on Outsourced Databases Brian Thompson 1, Stuart Haber 2, William G. Horne 2, Tomas.

Presentation transcript:

Privacy-Preserving Computation and Verification of Aggregate Queries on Outsourced Databases
Brian Thompson (1), Stuart Haber (2), William G. Horne (2), Tomas Sander (2), and Danfeng Yao (1)
(1) Rutgers University, Dept. of Computer Science, Piscataway, NJ
(2) Hewlett-Packard Labs, 5 Vaughn Dr., Suite 301, Princeton, NJ

PDAS: Privacy-Preserving Database-As-a-Service PETS 2009

Contributions
- An efficient, distributed architecture for outsourcing databases
- A privacy-preserving protocol for computing aggregate queries that is resistant to collusion of dishonest service providers
- A mechanism that allows users to verify the integrity and correctness of aggregate query responses

Outline
- Motivation
- PDAS Architecture and Protocol
- Secure Computation of Aggregate Queries
- Correctness Verification
- Conclusions and Future Work


Simple Client-Server Model
[Diagram labels: Data Owner; Client; Client; query; response]
What if data owner has insufficient time or resources to answer all queries?

Database-As-a-Service
- Outsource database to a trusted third-party service provider (SP).
- SP supports and maintains DBMS infrastructure, stores data and responds to queries.
- Applications: Census data, medical records, network monitoring, recommendation systems.
- Data may be private or sensitive.
  - Only answer queries that follow a pre-defined inference control policy. (outside scope of our work)

Database-As-a-Service
[Diagram labels: Data Owner; Service Provider; Client; sensitive data, inference control policy; query Q; result A_Q; query rejected!]
- Security threat! What if server is compromised or SP is malicious?
- Integrity issue! How does Client know that results are correct?

Database-As-a-Service
- Encryption [HIM02, MT06]
  - When client is the original data owner.
- Publish only statistics
  - Limits utility for complex data mining apps.
- Publish representative subset
  - Good for approximate query results.
  - No privacy for individuals in released dataset.

Our Solution: Privacy-Preserving Database-As-a-Service (PDAS)
- Outsource database to m service providers.
- Each SP gets a “share” of each data item.
- Each share gives zero information, but the shares can be combined to reconstruct the original data. [Shamir ’79]
- A homomorphic commitment scheme is used to guarantee correctness. [Pedersen ’91]


PDAS Architecture
[Diagram labels: Data Owner; SP1; SP2; SP3; Client; aggregate query Q; request shares of A_Q; calculate share A_Q^1; calculate share A_Q^2; calculate share A_Q^3; calculate result A_Q; result A_Q, proof of correctness]

PDAS Protocol
1. COMMIT: Data owner generates commitment values, signs root of Merkle hash tree.
2. DISTRIBUTE: Shares of each data item are distributed to SPs using Shamir secret-sharing.
3. QUERY: Client submits aggregate query to SP.
4. RESPOND: SP requests shares of aggregate from other SPs, recovers result, returns to Client.
5. VERIFY: Client checks commitments against signed root hash, verifies commitment for result.


Secret Sharing with Polynomials [Shamir ’79]
- Construct a random (k-1)-degree polynomial P with P(0) = S.
- Each share is a point on the curve.
- k points are both necessary and sufficient to uniquely determine the polynomial.
- Note: Computation in the field F_q
- Note: Allows for threshold scheme

Secret Sharing with Polynomials
[Figure: polynomial P_A(x) through (0, A) and the shares (x_1, P_A(x_1)), (x_2, P_A(x_2)), (x_3, P_A(x_3)).]

[Figure: polynomial P_B(x) through (0, B) and the shares (x_1, P_B(x_1)), (x_2, P_B(x_2)), (x_3, P_B(x_3)).]

Task: secure computation of A + B
- Player 1 calculates: P_A(x_1) + P_B(x_1)
- Player 2 calculates: P_A(x_2) + P_B(x_2)
- Player 3 calculates: P_A(x_3) + P_B(x_3)
[Figure: the points (x_1, P_{A+B}(x_1)), (x_2, P_{A+B}(x_2)), (x_3, P_{A+B}(x_3)) lie on P_{A+B}(x), which passes through (0, A+B).]
Determined the sum A+B without revealing A or B!

Secret Sharing in PDAS
A secret-sharing polynomial P_j is constructed for each data element D_j, i.e.
The share of data D_j for SP_i is
Suppose client queries for
SP_i computes and broadcasts
Using polynomial interpolation, the SPs can derive the polynomial

Secret Sharing in PDAS
- Honest SPs only contribute to a computation if the query follows the data owner’s policy.
- PDAS allows for a (k,m) threshold scheme, where any k of m SPs can answer a query.
- If fewer than k collaborate, they learn nothing.
- If there are fewer than k dishonest SPs, the system has information-theoretic security.
- Privacy is preserved* – no information is leaked besides the query results!
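The SUM computation described on the secret-sharing slides, as an added example (not code from the PDAS authors): each SP adds up its own shares for the queried subset, and any k of the m partial sums interpolate to the aggregate. The field modulus, the evaluation points x_i = i, the function names and the data values are assumptions constructed for this illustration.

```python
import secrets

# Assumption: a prime field F_q large enough that no aggregate wraps around.
Q = 2**61 - 1

def make_shares(secret, k, m):
    """Split `secret` into m shares; any k of them reconstruct it."""
    # Random polynomial of degree k-1 with P(0) = secret.
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(k - 1)]
    def poly(x):
        acc = 0
        for c in reversed(coeffs):          # Horner evaluation in F_q
            acc = (acc * x + c) % Q
        return acc
    return {i: poly(i) for i in range(1, m + 1)}   # SP i holds the point (i, P(i))

def sp_partial_sum(sp_shares, subset):
    """What SP i computes locally for SUM over `subset`: the sum of its shares."""
    return sum(sp_shares[j] for j in subset) % Q

def reconstruct(points):
    """Lagrange interpolation at x = 0 from {x_i: y_i}."""
    total = 0
    for xi, yi in points.items():
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, -1, Q)) % Q
    return total

def aggregate_sum(data, subset, k, m, responders):
    """DISTRIBUTE, then RESPOND with only the SPs listed in `responders`."""
    per_item = [make_shares(d, k, m) for d in data]
    # shares[i][j] is SP i's share of data element D_j
    shares = {i: [s[i] for s in per_item] for i in range(1, m + 1)}
    partial = {i: sp_partial_sum(shares[i], subset) for i in responders}
    return reconstruct(partial)

if __name__ == "__main__":
    salaries = [52000, 61000, 48500, 75000]          # constructed sample data
    print(aggregate_sum(salaries, [0, 2, 3], k=3, m=5, responders=[1, 3, 5]))
    print(aggregate_sum(salaries, [0, 2, 3], k=3, m=5, responders=[2, 4]))
```

With only two responders the interpolated value is offset from the true sum by a multiple of a random coefficient, which is the threshold property the slide states.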


Verification in PDAS
The Pedersen Commitment Scheme [’91]
Prover: COMMIT( )
- Publish generators of group
- Choose random
- Calculate commitment value:
Verifier: VERIFY( )
- Check commitment:

Verification in PDAS
- Owner computes commitment to each data entry and signs to authenticate.
- Given, the client verifies the commitment:.
- This requires access to sensitive data!
- Problem: How to verify an aggregate query result without access to individual entries?
- Use a homomorphic commitment scheme!

Verification in PDAS
Pedersen commitment scheme is homomorphic:
[Diagram labels: Service Provider; “What is x_1 + x_2?”; commitments signed by data owner; Verify:]

Verification in PDAS
- Use Merkle hash tree to improve efficiency.
- Data owner only signs once: the root hash.
[Figure: Merkle hash tree with leaves h_00, h_01, h_10, h_11, internal nodes h_0 and h_1, and root h_root.]
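An added sketch of the client's VERIFY step (not the authors' code), combining the two ideas on the verification slides: each commitment is checked against the Merkle root, and the product of the commitments must open to the claimed sum. It uses the standard Pedersen form c = g^x h^r; the toy group, the assumption that the SP returns the summed blinding value alongside the result, the function names and the sample values are all constructed here, and the owner's signature on the root is treated as already checked.

```python
import hashlib

# Toy group (assumption, far too small for real use): safe prime P = 2*Q + 1;
# G and H generate the order-Q subgroup. In practice log_G(H) must be unknown.
P, Q, G, H = 2039, 1019, 4, 9

def commit(x, r):
    """Pedersen commitment G^x * H^r mod P, with blinding value r."""
    return pow(G, x % Q, P) * pow(H, r % Q, P) % P

def _hash(tag, data):
    return hashlib.sha256(tag + data).digest()

def leaf(c):
    return _hash(b"\x00", c.to_bytes(2, "big"))   # leaves tagged apart from inner nodes

def _parents(level):
    return [_hash(b"\x01", level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves):          # assumes len(leaves) is a power of two
    while len(leaves) > 1:
        leaves = _parents(leaves)
    return leaves[0]

def merkle_path(leaves, idx):
    """Sibling hashes from leaf `idx` up to the root."""
    path = []
    while len(leaves) > 1:
        path.append(leaves[idx ^ 1])
        leaves, idx = _parents(leaves), idx // 2
    return path

def root_from_path(node, idx, path):
    for sib in path:
        node = _hash(b"\x01", node + sib if idx % 2 == 0 else sib + node)
        idx //= 2
    return node

def owner_setup(data, blinds):
    """COMMIT step: returns (root for the owner to sign, commitments, leaf hashes)."""
    cs = [commit(x, r) for x, r in zip(data, blinds)]
    leaves = [leaf(c) for c in cs]
    return merkle_root(leaves), cs, leaves

def client_verify(signed_root, proofs, claimed_sum, claimed_r):
    """proofs: {j: (commitment_j, path_j)} for every index j in the queried subset."""
    product = 1
    for j, (c, path) in proofs.items():
        if root_from_path(leaf(c), j, path) != signed_root:
            return False                  # commitment is not under the owner's root
        product = product * c % P         # homomorphism: product commits to the sum
    return product == commit(claimed_sum, claimed_r)
```

The client never sees an individual data value: it handles only commitments, sibling hashes, the claimed sum and the summed blinding value.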


Security Properties of PDAS
- Secrecy: Only query results are revealed.
- Security: Commitments are computationally binding and unconditionally hiding.
- Correctness: Accuracy, integrity guaranteed.
- Collusion resistance: Privacy is protected against k-1 collaborating adversaries.
- Accountability: Malicious SPs will be caught.
In practice, may relax some properties to achieve greater functionality. Details in corrected version of paper.

Efficiency of PDAS
- Setup cost is O(nm) time* for data owner, but there is no maintenance cost.
- Space required is O(n) for each SP.
- Time complexity to compute a query over subset S is only O(|S|) for each SP, plus O(|S| log n) communication cost.
- Verification has computational and communication cost O(min(|S| log n, n)).

Extensions
- Dynamic databases
  - Support efficient addition/deletion
- Multiple data owners
- Load balancing
- Selection over insensitive attributes
  - “Mixed” databases
  - Guaranteeing completeness

Future Work
- Complex queries
  - Nested queries
  - Selection over sensitive attributes
  - MAX, MIN
- Inference control
  - Differential privacy [Dwork06]
- Private Information Retrieval
  - [Chor, Goldreich, Kushilevitz, Sudan ’95]

Conclusions
PDAS accomplishes the following goals:
- A distributed architecture for computing aggregate queries over sensitive data in outsourced databases.
- An efficient protocol for verifying the accuracy and integrity of query results.
- A secure system that is robust against a network of k-1 collaborating adversaries.

Thank you! Corrected version to be available soon:


Extra Slides

How to enforce a query response policy?
[Diagram: “SUM = ?” / “Please give me your share of Σ D_j!” / “Okay, sure!”]
Our Solution: Secret Sharing

How to enforce a query response policy?
[Diagram: “Please give me your share of x!” / “No, I’m not supposed to...”]
Our Solution: Secret Sharing

Secret Sharing

Related Work
- H. Hacigümüs, B. Iyer, S. Mehrotra. “Efficient Execution of Aggregation Queries over Encrypted Relational Databases.” DASFAA,
- F. Chin. “Security Problems on Inference Control for SUM, MAX, and MIN Queries.” Journal of ACM,
- G. Jagannathan, R. Wright. “Private Inference Control for Aggregate Database Queries.” PADM, 2007.