
1 Multi-Dimensional Range Query over Encrypted Data
Presenter: 陳國璋
Elaine Shi, John Bethencourt, T-H. Hubert Chan, Dawn Song and Adrian Perrig
IEEE Symposium on Security and Privacy, May, 2007

2 Outline
• Introduction
• Problem Definition and Preliminary
• AIBE-Based MRQED^1 Scheme
• AIBE-Based MRQED^D Scheme
• Main Construction
• Conclusion

3 Introduction
• This continues from the HVE (Hidden Vector Encryption) method covered in the previous presentation, which mentioned three forms of query: Comparison / Range / Subset. This paper focuses on Conjunctive Range Queries.
• Recall: HVE

4 Introduction
[Diagram: HVE recap. Labels: Conjunctive, General Predicate, Multi-cell, Practical Value, Predicate Vector, Practical Vector; PK, SK; Data, Ciphertext, Token, Data / ⊥; GenToken HVE, Encrypt HVE, Query HVE]

5 Introduction
• Multi-dimensional Range Query over Encrypted Data, MRQED
• For example:
  A network audit log has 3 attributes: time-stamp t, source address a and destination port number p.
  (t, a, p) tuple
  Conjunctive ranges: [t_1, t_2], [a_1, a_2] and [p_1, p_2]

6 Introduction
Table columns: Scheme, Pub Key Size, Enc Cost, CT Size, Dec Key Size, Dec Cost. Values as listed per row:
• HVE: O(DT), O(D)
• Naïve AIBE-based: O(1), O((log T)^D)
• MRQED: O(D log T), O((log T)^D)
D: #(Dimension), T: #(Point)

7 Introduction
• Application
  Financial audit log
  Medical privacy
  Untrusted remote storage
  Using biometrics in anonymous IBE

8 Outline
• Introduction
• Problem Definition and Preliminary
• AIBE-Based MRQED^1 Scheme
• AIBE-Based MRQED^D Scheme
• Main Construction
• Conclusion

9 Problem Definition
• Network audit log has 3 attributes: time-stamp t, source address a and destination port number p.
• (t, a, p) tuple
• Conjunctive ranges: [t_1, t_2], [a_1, a_2] and [p_1, p_2]

10 Problem Definition
• [Figure: hyper-rectangle B with sides [t_1, t_2], [a_1, a_2], [p_1, p_2] and a point X = (t, a, p)]
  Testing whether a point X falls inside the hyper-rectangle B

11 Problem Definition
• An attribute can be encoded using discrete integer values 1 through T.
• [T] = {1, …, T}
• S ≦ T, [S, T] = {S, S+1, …, T}
• D different attributes, each of which can take on a value in [T_1], [T_2], …, [T_D] respectively.

12 Problem Definition
• D-dimensional lattice, point, hyper-rectangle
• Δ = (T_1, …, T_D)
• D-dimensional lattice: L_Δ = [T_1] × [T_2] × … × [T_D]
• Point: X = (x_1, …, x_D)
• Hyper-rectangle: B(s_1, t_1, s_2, t_2, …, s_D, t_D) = {(x_1, …, x_D) | ∀ d ∈ [D], x_d ∈ [s_d, t_d]}

13 Problem Definition
• Network audit log
  Time-stamp t, address a, port number p
• D = 3
• Time-stamp [T_t] = {0000, …, 1439}
• Address [T_a] = {0, …, 255}
• Port number [T_p] = {0, …, 65535}

14 Problem Definition
• Δ = (T_t, T_a, T_p)
• L_Δ = [T_t] × [T_a] × [T_p] = [1439] × [255] × [65535]
• X = (t, a, p) = (603, 97, 777)
• B(540, 720, 84, 124, 700, 800)

15 Problem Definition
• [Figure: the lattice L_Δ = [1439] × [255] × [65535] with axes [T_t] = [1439], [T_a] = [255], [T_p] = [65535]; the hyper-rectangle B(540, 720, 84, 124, 700, 800) with sides [540, 720], [84, 124], [700, 800]; the point X = (603, 97, 777)]

16 Problem Definition
• An MRQED scheme consists of 4 polynomial-time algorithms:
  Setup
  Encrypt
  DeriveKey
  QueryDecrypt

17 Problem Definition
• Setup(Σ, L_Δ)
  Input a security parameter Σ and a D-dimensional lattice L_Δ
  Output public key PK and master private key SK

18 Problem Definition
• Encrypt(PK, X, Msg)
  Input a public key PK, a point X and a message Msg
  Output a ciphertext C

19 Problem Definition
• DeriveKey(PK, SK, B)
  Take a public key PK, a master private key SK and a hyper-rectangle B
  Output decryption key DK for hyper-rectangle B

20 Problem Definition
• QueryDecrypt(PK, DK, C)
  Take a public key PK, a decryption key DK and a ciphertext C
  Output either a plaintext Msg or ⊥

21 Problem Definition
• Correctness
  ∀ message Msg ∈ message space M, hyper-rectangle B ⊆ L_Δ, and a point X ∈ L_Δ, the above algorithms must satisfy the following consistency constraints:

22 Preliminary
• Decision BDH Assumption
  Given [g, g^a, g^b, g^c, Z] ∈ G^4 × G', where the exponents a, b, c are picked at random from Z_p, decide whether Z = e(g, g)^{abc}

23 Preliminary
• Decision Linear Assumption
  Given [g, g^a, g^b, g^{ac}, g^{bd}, Z] ∈ G^4, where a, b, c, d are picked at random from Z_p, decide whether Z = g^{c+d}

24 Outline
• Introduction
• Problem Definition and Preliminary
• AIBE-Based MRQED^1 Scheme
• AIBE-Based MRQED^D Scheme
• Main Construction
• Conclusion

25 AIBE-Based MRQED^1 Scheme
• Interval tree
  tr(T) denotes a binary interval tree over the integers from 1 to T.
  Each node has a pre-assigned unique ID.
  cv(ID) denotes the range represented by node ID ∈ tr(T)

26 AIBE-Based MRQED^1 Scheme
• Interval tree
  The set P(x) of IDs covering a point x ∈ [1, T]
  The set Λ(s, t) of IDs representing a range [s, t] ⊆ [1, T]
  If x ∈ [s, t], then P(x) ∩ Λ(s, t) ≠ φ and |P(x) ∩ Λ(s, t)| = 1
  If x ∉ [s, t], then P(x) ∩ Λ(s, t) = φ

27 AIBE-Based MRQED^1 Scheme
• [Figure: interval tree tr(T) = tr(8) with root A, internal nodes B, C and D, E, F, G, and leaves H through O over the points 1 through 8]
  cv(L) = {5}
  cv(E) = [3, 4]
  cv(C) = [5, 8]
  P(3) = {A, B, E, J}
  Λ(2, 7) = {I, E, F, N}

28 AIBE-Based MRQED^1 Scheme
• MRQED^1 scheme: Setup(Σ, T), Encrypt(PK, x, Msg), DeriveKey(PK, SK, [s, t]), QueryDecrypt(PK, DK, C)
• AIBE scheme: Setup*(Σ), DeriveKey*(PK, SK, ID), Encrypt*(PK, ID, Msg), Decrypt*(PK, DK, C)

29 AIBE-Based MRQED^1 Scheme
• Setup(Σ, T)
  Call Setup*(Σ)
  Output PK and SK

30 AIBE-Based MRQED^1 Scheme
• Encrypt(PK, x, Msg)
  x → P(x)
  ∀ ID ∈ P(x), c_ID = Encrypt*(PK, ID, Msg||0^{m'}), where 0^{m'} pads Msg to {0, 1}^m
  Output ciphertext C = {c_ID | ∀ ID ∈ P(x)}

31 AIBE-Based MRQED^1 Scheme
• DeriveKey(PK, SK, [s, t])
  [s, t] → Λ(s, t)
  ∀ ID ∈ Λ(s, t), k_ID = DeriveKey*(PK, SK, ID)
  Output DK[s, t] = {k_ID | ∀ ID ∈ Λ(s, t)}

32 AIBE-Based MRQED^1 Scheme
• QueryDecrypt(PK, DK, C)
  If x ∈ [s, t], then ∃! ID s.t. P(x) ∩ Λ(s, t) = {ID}
  Call and output Decrypt*(PK, k_ID, c_ID) = Msg||0^{m'}.
  Otherwise, output ⊥.

33 AIBE-Based MRQED^1 Scheme
• [Figure: interval tree tr(T) = tr(8) with root A, internal nodes B, C and D, E, F, G, and leaves H through O over the points 1 through 8]
  cv(L) = {5}
  cv(E) = [3, 4]
  cv(C) = [5, 8]
  P(3) = {A, B, E, J}
  Λ(2, 7) = {I, E, F, N}

34 Outline
• Introduction
• Problem Definition and Preliminary
• AIBE-Based MRQED^1 Scheme
• AIBE-Based MRQED^D Scheme
• Main Construction
• Conclusion

35 AIBE-Based MRQED^D Scheme
• Same as the AIBE-Based MRQED^1 Scheme; the points that change are as follows:
  Encrypt(PK, X, Msg)
  DeriveKey(PK, DK, C)

36 AIBE-Based MRQED^D Scheme
• Encryption
  A point X = (x_1, x_2, …, x_D)
  For each dimension d ∈ [D], x_d has its own P(x_d)
  Denote P×(X) = P(x_1) × P(x_2) × … × P(x_D)
  Call Encrypt*(PK, P×(X), Msg) = C

37 [Figure: two interval trees, one per dimension. The first has nodes A through O over the points 1 through 8; the second has nodes P through Z and A' through D' over the points 8 down to 1. The point X is marked.]
  X = (x_1, x_2) = (3, 5)
  P(x_1) = {A, B, E, J}
  P(x_2) = {P, Q, T, Z}
  P×(X) = {A, B, E, J} × {P, Q, T, Z}

38 AIBE-Based MRQED^D Scheme
• Key Derivation
  The ranges of all dimensions combine into a hyper-rectangle B(s_1, t_1, …, s_D, t_D)
  Each range [s_d, t_d] has its own Λ(s_d, t_d), ∀ d ∈ [D]
  Denote Λ×(B) = Λ(s_1, t_1) × … × Λ(s_D, t_D)
  Call DeriveKey*(PK, SK, Λ×(B)) = DK

39 [Figure: the same two interval trees, with the hyper-rectangle B marked.]
  B = (s_1, t_1, s_2, t_2) = [2, 6] × [3, 7]
  Λ(s_1, t_1) = {E, F, I}
  Λ(s_2, t_2) = {T, U, X}
  Λ×(B) = {E, F, I} × {T, U, X}

40 AIBE-Based MRQED^D Scheme
• Collusion attack
  [Figure: regions R_1, R_2, R_3, R_4 with sub-keys k_a, k_b, k_c, k_d]

41 Outline
• Introduction
• Problem Definition and Preliminary
• AIBE-Based MRQED^1 Scheme
• AIBE-Based MRQED^D Scheme
• Main Construction
• Conclusion

42 Main Construction
• Reducing the ciphertext size
  P×(X) = P(x_1) × … × P(x_D)
  ↓
  P∪(X) = P(x_1) ∪ … ∪ P(x_D)

43 Main Construction
• Reducing the decryption key size
  Λ×(B) = Λ(s_1, t_1) × … × Λ(s_D, t_D)
  ↓
  Λ∪(B) = Λ(s_1, t_1) ∪ … ∪ Λ(s_D, t_D)
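
The interval-tree sets from the MRQED^1 slides and the × and ∪ sets from the MRQED^D and Main Construction slides, computed for tr(8) with the slides' node labels; this is an added example, not code from the paper or the presentation. The heap-style node numbering, the function names and the reuse of labels A to O in every dimension (the slides label the second tree P to D') are assumptions, and only ID sets and their sizes are computed, with no encryption performed.

```python
from itertools import product
from math import prod

T = 8  # leaves 1..8, as in the slides' tr(8)
# Assumed heap numbering -> slide labels: root A = 1, leaves H..O = 8..15.
LABEL = dict(zip(range(1, 2 * T), "ABCDEFGHIJKLMNO"))

def cv(node):
    """Range (lo, hi) covered by a heap-numbered node of tr(T)."""
    lo = hi = node
    while lo < T:                      # walk down to the outermost leaves
        lo, hi = 2 * lo, 2 * hi + 1
    return lo - T + 1, hi - T + 1

def P(x):
    """IDs of all nodes covering point x (leaf-to-root path)."""
    node, ids = T + x - 1, set()
    while node:
        ids.add(LABEL[node])
        node //= 2
    return ids

def Lam(s, t, node=1):
    """Λ(s, t): minimal set of node IDs whose ranges tile [s, t]."""
    lo, hi = cv(node)
    if t < lo or hi < s:
        return set()
    if s <= lo and hi <= t:
        return {LABEL[node]}
    return Lam(s, t, 2 * node) | Lam(s, t, 2 * node + 1)

def covering_property_holds():
    """|P(x) ∩ Λ(s,t)| is 1 if x ∈ [s,t], else 0, for every x and s ≤ t."""
    return all(len(P(x) & Lam(s, t)) == (s <= x <= t)
               for x in range(1, T + 1)
               for s in range(1, T + 1) for t in range(s, T + 1))

def match_count(X, B):
    """Tuples common to P×(X) and Λ×(B); B is a list of (s_d, t_d)."""
    p_cross = set(product(*map(P, X)))
    lam_cross = set(product(*(Lam(s, t) for s, t in B)))
    return len(p_cross & lam_cross)

def sizes(X, B):
    """(|P×|, |P∪|, |Λ×|, |Λ∪|), IDs taken as distinct per dimension."""
    p, lam = [P(x) for x in X], [Lam(s, t) for s, t in B]
    return (prod(map(len, p)), sum(map(len, p)),
            prod(map(len, lam)), sum(map(len, lam)))
```

For X = (3, 5) and B = [2, 6] × [3, 7], the cross-product sets hold 16 and 9 entries while the union sets hold 8 and 6, which is the product-versus-sum gap between O((log T)^D) and O(D log T).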

44 Main Construction
• Preventing the collusion attack
  Using a binding technique
  Using re-randomization to tie the sub-keys in different dimensions

45 Main Construction
• Preventing the collusion attack
  [Figure: regions R_1, R_2, R_3, R_4 with sub-keys k_a, k_b, k_c, k_d]
  In R_1, {k_a, k_c} → {μ_1 k_a, μ_2 k_c}
  In R_4, {k_b, k_d} → {μ_3 k_b, μ_4 k_d}
  (μ_1, μ_2) are independent of (μ_3, μ_4)
  μ_1 μ_2 = μ_3 μ_4 = some invariant
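
A toy model of the invariant on the slide above (μ_1 μ_2 = μ_3 μ_4), added here and not the paper's pairing-based construction: each key splits a fixed secret into one share per dimension, and sub-keys pooled from the R_1 and R_4 keys recombine only when the split is not re-randomized per key. The modulus, the treatment of a, b as intervals in one dimension and c, d in the other, and all function names are assumptions.

```python
import random

P_MOD = 2**61 - 1                  # prime modulus of the toy group Z_p^*
_rng = random.Random(2007)         # seeded so runs are reproducible
MASTER = _rng.randrange(2, P_MOD)  # invariant: every key's shares multiply to it

def derive_key(region, rerandomize):
    """Toy key for region = (x_interval, y_interval): {interval: share}."""
    # Without re-randomization every key reuses the same split of MASTER.
    r = _rng if rerandomize else random.Random(0)
    mu_x = r.randrange(1, P_MOD)
    mu_y = MASTER * pow(mu_x, -1, P_MOD) % P_MOD   # mu_x * mu_y = MASTER
    return dict(zip(region, (mu_x, mu_y)))

def can_decrypt(region, subkeys):
    """True iff sub-keys exist for both intervals and recombine to MASTER."""
    if not all(iv in subkeys for iv in region):
        return False
    return subkeys[region[0]] * subkeys[region[1]] % P_MOD == MASTER

def collusion_succeeds(rerandomize):
    """Pool the keys for R1 = a×c and R4 = b×d, then try the mixed regions."""
    k1 = derive_key(("a", "c"), rerandomize)
    k4 = derive_key(("b", "d"), rerandomize)
    honest_ok = can_decrypt(("a", "c"), k1) and can_decrypt(("b", "d"), k4)
    pooled = {**k1, **k4}
    mixed_ok = can_decrypt(("a", "d"), pooled) and can_decrypt(("b", "c"), pooled)
    return honest_ok, mixed_ok
```

`collusion_succeeds(False)` returns `(True, True)`: the pooled sub-keys open both mixed regions. `collusion_succeeds(True)` returns `(True, False)`: each key still works for its own region, but shares taken from different keys no longer multiply to the invariant.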

46 Main Construction
• Define L = O(log T) to be the height of a tree
• All IDs are picked from Z_p^*
• Message Msg ∈ {0, 1} with a series of trailing zeros 0^{m'}

47 Main Construction
• Setup(Σ, L_Δ)

48 Main Construction
• Setup(Σ, L_Δ)

49 Main Construction
• DeriveKey(PK, SK, B)

50 Main Construction
• Encrypt(PK, X, Msg)

51 Main Construction
• QueryDecrypt(PK, DK, C)

52 Outline
• Introduction
• Problem Definition and Preliminary
• AIBE-Based MRQED^1 Scheme
• AIBE-Based MRQED^D Scheme
• Main Construction
• Conclusion

53 Conclusion
• Using a tree data structure.
• Reducing the ciphertext size and decryption key size.

54 Conclusion
• Using an advanced/better/original data structure.
• Multi-dimension into one-dimension.

55 Conclusion
• [3, 6], [4, 9], [5, 8]
  ↓
• [2, 7], [3, 10], [4, 9]
  ↓
• [0, 1], [1, 2], [2, 3]

56 Conclusion
• Real value is (5, 7, 6)
• Predicate range is [3, 6] × [4, 9] × [5, 8]
  [Figure: the ranges [2, 7], [3, 10], [4, 9] placed on positions 0 to 3, with the values 5, 7, 6]

57 Conclusion
• About subset query
  Lattice diagram/Hasse diagram
  Binary string method

58 Conclusion
• Lattice diagram/Hasse diagram

59 Conclusion
• Binary string method
  Suppose there are 5 elements, U = {1, …, 5}
  Predicate set A = {1, 4}; converting predicate set A into a binary string gives 01001
  Real value T = {1, 5}; converted into a binary string, it is 10001
  OR the two binary strings together; if the result is the same as the predicate set's binary string, then T is a subset of A; otherwise, T is not a subset of A

