Slide 1

Pattern Matching on Encrypted Streams

Nicolas Desmoulins (Orange Labs), Pierre-Alain Fouque (Université de Rennes), Cristina Onete (Université de Limoges), Olivier Sanders (Orange Labs)

Asiacrypt 2018, December 03, 2018

Slide 2

Agenda

Context
Our Contribution
Conclusion

Asiacrypt – p 2

Slide 3

Context

Slide 4

End-to-End Encryption

More and more encrypted data
− 50% of worldwide traffic is encrypted, 80% expected by 2020
− development of encrypted messaging services (WhatsApp, Signal, ...)

Slide 5

End-to-End Encryption

Standard encryption protocols are designed to prevent any processing
− no possible tradeoff between privacy and functionalities
− incompatible with security applications such as IDS

Slide 6

End-to-End Encryption

Current solutions imply decryption by a gateway
− the gateway can access all data exchanged through the channel
− what is the point of end-to-end encryption?

Slide 7

Generic Solutions

Processing of encrypted data has been extensively studied
Generic solutions exist but are very complex
− fully homomorphic encryption: high computational cost
− multi-party computation: requires interaction with the gateway / high communication cost

Solutions tailored to specific tasks can significantly improve efficiency

Slide 8

Pattern Matching

Example of Snort rules:
− alert tcp ( msg:"MALWARE-BACKDOOR - Dagger 1.4.0"; content:"2|00 00 00 06 00 00 00|Drives|24 00|", depth 16;)
− alert tcp ( msg:"MALWARE-BACKDOOR QAZ Worm Client Login access"; content:"qazwsx.hsq";)

Pattern matching is essential to several other applications
− searches on genomic data
− filtering content
− ...

Solutions exist but they are unsuitable for data streams
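To make concrete what an IDS gateway evaluates on plaintext traffic, and therefore what it loses once the stream is end-to-end encrypted, here is an added Python example (not code from the slides, and not Snort's own implementation). It parses the content syntax used by the two rules above, where |..| delimits hex bytes and everything else is literal text, and applies the depth modifier under the assumption that the match must complete within the first depth bytes of the payload. Escapes and the other Snort modifiers are left out; the payloads are constructed for the demonstration.

```python
import re

# Snort content syntax: "|00 0a|" sections are hex bytes, the rest is literal text.
# Escapes (\", \;, \\) and modifiers other than depth are not handled here (assumption).
HEX_SECTION = re.compile(r"\|([0-9A-Fa-f\s]*)\|")

# The two content strings from the rules on the slide.
DAGGER = "2|00 00 00 06 00 00 00|Drives|24 00|"
QAZ = "qazwsx.hsq"


def parse_content(spec):
    """Turn a Snort content string into the raw byte pattern it denotes."""
    out = bytearray()
    pos = 0
    for m in HEX_SECTION.finditer(spec):
        out += spec[pos:m.start()].encode("latin-1")  # literal text before |..|
        out += bytes.fromhex(m.group(1))              # hex section, spaces allowed
        pos = m.end()
    out += spec[pos:].encode("latin-1")               # trailing literal text
    return bytes(out)


def content_matches(payload, spec, depth=None):
    """True if the pattern occurs in payload and, when depth is given,
    completes within the first `depth` bytes (assumed depth semantics)."""
    pattern = parse_content(spec)
    window = payload if depth is None else payload[:depth]
    return pattern in window


# Constructed sample payloads (not real captures).
PAYLOAD_DAGGER = b"2\x00\x00\x00\x06\x00\x00\x00Drives$\x00" + b"\x00" * 8
PAYLOAD_LATE = b"\x00" * 8 + PAYLOAD_DAGGER   # same bytes, shifted past depth 16
PAYLOAD_QAZ = b"USER qazwsx.hsq\r\n"


def demo():
    """Evaluate both rules on the constructed payloads."""
    return {
        "dagger_in_depth": content_matches(PAYLOAD_DAGGER, DAGGER, depth=16),
        "dagger_past_depth": content_matches(PAYLOAD_LATE, DAGGER, depth=16),
        "qaz": content_matches(PAYLOAD_QAZ, QAZ),
    }


if __name__ == "__main__":
    print(parse_content(DAGGER).hex(" "))
    print(demo())
```

The Dagger pattern is exactly 16 bytes, so with depth 16 it only matches when it starts at the very beginning of the payload; the shifted copy is rejected even though the bytes are present. This byte-level search over every offset of a stream is what the rest of the deck wants to perform on ciphertext instead.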


Slide 9

Searchable Encryption

Symmetric searchable encryption for databases is very efficient but:
− documents must be associated with keywords
  ⇒ how to select relevant keywords in our context?
− not designed for on-the-fly encryption
  ⇒ unsuitable for data streams

Standard searchable encryption makes it possible to issue tokens $td_W$ for specific keywords $W$
− given $td_W$, the gateway can check whether $C = E_K(W)$
− the gateway learns no information beyond the result of this query

Slides 10 to 15 (animation steps of one slide)

Dealing with Data Streams

Current solutions follow the sliding window method: the stream "h o s t i l e ..." is encrypted under $K$ one window at a time, giving $C_0, C_1, C_2, C_3, C_4, \dots$ (one ciphertext per starting position), for the keyword list (host, hostile, ...)

Each $C_i$ can be tested using $td_W$
The process must be repeated for each possible length of keyword

Splitting keywords into smaller ones of fixed length (hostile → host, tile) severely harms privacy: thousands of (potentially long) keywords to split
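The cost and the privacy problem of the sliding window method, as an added Python example (not the slides' own code, and a toy rather than a real searchable-encryption scheme). HMAC-SHA256 under a constructed key stands in for the keyword encryption $E_K$; every window of the stream is encrypted once per keyword length, and $td_W$ is the same token computed on $W$. The fixed-length split follows the slide (hostile → host, tile: fragments of the given size, the last one aligned to the end of the keyword), and the streams are constructed.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed for the example; not a real key


def token(word):
    """Deterministic token playing the role of E_K(word) / td_word in the toy."""
    return hmac.new(KEY, word, hashlib.sha256).digest()


def encrypt_windows(stream, lengths):
    """C_{i,l} = E_K(stream[i:i+l]) for every start i and every keyword length l.
    One ciphertext per window per length: (n - l + 1) elements for each l."""
    return {(i, l): token(stream[i:i + l])
            for l in sorted(set(lengths))
            for i in range(len(stream) - l + 1)}


def trapdoor(keyword):
    return len(keyword), token(keyword)


def match_windows(ciphertexts, td):
    """Offsets where the window of the right length equals the trapdoor token."""
    l, t = td
    return sorted(i for (i, li), c in ciphertexts.items() if li == l and c == t)


def split_fixed(keyword, size):
    """Fixed-length fragments as on the slide: hostile -> host, tile."""
    if len(keyword) <= size:
        return [keyword]
    frags = [keyword[i:i + size] for i in range(0, len(keyword) - size, size)]
    frags.append(keyword[-size:])          # last fragment aligned to the end
    return frags


def demo():
    # Exact keyword lengths: the stream must be encrypted once per length.
    stream = b"the hostile host"            # constructed, 16 bytes
    cts = encrypt_windows(stream, [len(b"host"), len(b"hostile")])
    exact = {
        "num_ciphertexts": len(cts),        # 13 windows of length 4 + 10 of length 7
        "hostile": match_windows(cts, trapdoor(b"hostile")),
        "host": match_windows(cts, trapdoor(b"host")),
    }
    # Fixed-length splitting: only length-4 windows exist, and the gateway holds one
    # token per fragment of "hostile". On a stream that does not contain "hostile"
    # it still learns where each fragment occurs.
    other = b"a ghost tile"                 # constructed
    cts4 = encrypt_windows(other, [4])
    leaked = {f.decode(): match_windows(cts4, trapdoor(f))
              for f in split_fixed(b"hostile", 4)}
    return exact, leaked


if __name__ == "__main__":
    print(demo())
```

With two keyword lengths the 16-byte stream already needs 23 ciphertexts, and every further distinct keyword length adds another pass over the stream. The split variant keeps one length but hands the gateway tokens for "host" and "tile", which match inside "ghost" and "tile" on a stream where the keyword itself never appears: exactly the leakage the slide warns about.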


Slide 16

Anonymous Predicate Encryption

Anonymous Predicate Encryption makes it possible to encrypt for a set of attributes $A_1, \dots, A_n$
A secret key $sk_P$ is associated with a predicate $P$:
  $C$ can be decrypted $\Leftrightarrow P(A_1, \dots, A_n) = 1$
No other information is leaked on the attributes of $C$
Efficient solutions exist for predicates $P$ such that:
  $P(A_1, \dots, A_n) = 1 \Leftrightarrow A_i = Y_i,\ \forall i \in I \subset [1, n]$

Slide 17

Dealing with Data Streams

Each character is considered as an attribute. For the keyword "host", one predicate is defined per offset ($\ast$ stands for "any character"):

  plaintext   $ h o s t i l e
  P_host,0    h o s t ∗ ∗ ∗ ∗
  P_host,1    ∗ h o s t ∗ ∗ ∗
  P_host,2    ∗ ∗ h o s t ∗ ∗
  P_host,3    ∗ ∗ ∗ h o s t ∗
  P_host,4    ∗ ∗ ∗ ∗ h o s t

A predicate is defined for each keyword and each possible offset
$sk_{P_{host,j}}$ enables checking whether the plaintext contains host at offset $j$
Secret keys must be issued for each possible offset

Slide 18

Our Goals

We want an encryption scheme such that:
− pattern matching is possible anywhere in the ciphertext
− encryption is independent of the searchable keywords
  ⇒ ciphertexts should be compatible with keywords of any length
− $td_W$ allows for searches at any possible offset
  ⇒ not one token per possible offset

Slide 19

Our Contribution

Slide 20

SEST

We introduce a new primitive, Searchable Encryption with Shiftable Trapdoors (SEST)
Similar to predicate encryption
A Test algorithm run on $E_K(b_1 \dots b_m)$ and a trapdoor for $W = w_1 \dots w_\ell$ returns $J = \{ j : b_{j+1} \dots b_{j+\ell} = w_1 \dots w_\ell \}$
Security requires indistinguishability of two encrypted bitstrings, unless issued trapdoors enable trivial distinctions.

Slide 21

Bilinear Groups

We construct a scheme based on asymmetric bilinear groups
Bilinear groups: 3 groups $G_1$, $G_2$ and $G_T$ of prime order $p$ along with a map $e$ such that $\forall (g, \tilde g) \in G_1 \times G_2$ and $a, b \in \mathbb{Z}_p$:
  $e(g^a, \tilde g^b) = e(g, \tilde g)^{a \cdot b}$
  $e(g, \tilde g) = 1_{G_T} \Rightarrow g = 1_{G_1}$ or $\tilde g = 1_{G_2}$
Asymmetry: no efficiently computable isomorphism between $G_1$ and $G_2$ exists
Such groups are easily instantiated using elliptic curves

Slide 22

Intuition - Step 1

Let us consider bitstrings $B = b_1 \dots b_n$
We define secret encodings $\alpha_0, \alpha_1 \in \mathbb{Z}_p$ associated with 0 and 1
We select a secret $z \in \mathbb{Z}_p$ defining a public "basis" $(g, g^{z}, \dots, g^{z^{n-1}})$ of $G_1^n$
Encryption of $B$ is performed by
1. randomizing the basis: $(C_1, \dots, C_n) \leftarrow (g^a, (g^{z})^a, \dots, (g^{z^{n-1}})^a)$ for $a \overset{\$}{\leftarrow} \mathbb{Z}_p$, i.e. $C_i = g^{a z^{i-1}}$
2. "projecting" $B$ on this basis: $(C'_1, \dots, C'_n) \leftarrow (C_1^{\alpha_{b_1}}, \dots, C_n^{\alpha_{b_n}})$, i.e. $C'_i = g^{a \alpha_{b_i} z^{i-1}}$

Slide 23

Trapdoors

The secret key is $sk = \{ z, \alpha_0, \alpha_1 \}$
To issue a trapdoor $td_W$ for $W = w_1 \dots w_\ell$:
1. generate random scalars $v_1, \dots, v_\ell \overset{\$}{\leftarrow} \mathbb{Z}_p$
2. compute $\tilde g^{v_i}$ in $G_2$
3. compute $\tilde g^{V}$ with $V = \sum_{i=1}^{\ell} v_i \cdot \alpha_{w_i} \cdot z^{i-1}$
4. return $td_W = \{ \tilde g^{v_1}, \dots, \tilde g^{v_\ell}, \tilde g^{V} \}$

Each trapdoor is associated with a random polynomial $V$
Random coefficients $v_i$ are used to prevent trapdoor forgeries

Slide 24

Intuition - Step 2

Example: $B = 0\,1\,1\,0\,1$ (read off the $C'_i$ below) and $W = 1\,1\,0$, tested at offset 0.

$C'_1 = g^{a\alpha_0}$, $C'_2 = g^{a\alpha_1 z}$, $C'_3 = g^{a\alpha_1 z^2}$, $C'_4 = g^{a\alpha_0 z^3}$, $C'_5 = g^{a\alpha_1 z^4}$
$C_1 = g^{a}$, $C_2 = g^{a z}$, $C_3 = g^{a z^2}$

$e(C'_1, \tilde g^{v_1})\, e(C'_2, \tilde g^{v_2})\, e(C'_3, \tilde g^{v_3}) = e(g, \tilde g)^{a(v_1\alpha_0 + v_2\alpha_1 z + v_3\alpha_1 z^2)}$
$e(C_1, \tilde g^{V}) = e(g, \tilde g)^{a(v_1\alpha_1 + v_2\alpha_1 z + v_3\alpha_0 z^2)}$
The two exponents differ, so $W$ is not found at offset 0.

Consecutive $C'_i$ can be aggregated to generate $e(g, \tilde g)^{a P(z, \alpha_0, \alpha_1)}$

Slide 25

Intuition - Step 2

Same $B = 0\,1\,1\,0\,1$ and $W = 1\,1\,0$, tested at offset 1.

$C'_1 = g^{a\alpha_0}$, $C'_2 = g^{a\alpha_1 z}$, $C'_3 = g^{a\alpha_1 z^2}$, $C'_4 = g^{a\alpha_0 z^3}$, $C'_5 = g^{a\alpha_1 z^4}$
$C_1 = g^{a}$, $C_2 = g^{a z}$, $C_3 = g^{a z^2}$

$e(C'_2, \tilde g^{v_1})\, e(C'_3, \tilde g^{v_2})\, e(C'_4, \tilde g^{v_3}) = e(g, \tilde g)^{a(v_1\alpha_1 z + v_2\alpha_1 z^2 + v_3\alpha_0 z^3)}$
$e(C_2, \tilde g^{V}) = e(g, \tilde g)^{a(v_1\alpha_1 z + v_2\alpha_1 z^2 + v_3\alpha_0 z^3)}$
The two values are equal, so $W$ is found at offset 1.

$B$ contains $W$ $\Leftrightarrow$ $P = z \cdot V$ (at offset $j$ in general: $P = z^j \cdot V$)

Slide 26

Intuition - Step 2

Same $B = 0\,1\,1\,0\,1$ and $W = 1\,1\,0$, tested at offset 2.

$C'_1 = g^{a\alpha_0}$, $C'_2 = g^{a\alpha_1 z}$, $C'_3 = g^{a\alpha_1 z^2}$, $C'_4 = g^{a\alpha_0 z^3}$, $C'_5 = g^{a\alpha_1 z^4}$
$C_1 = g^{a}$, $C_2 = g^{a z}$, $C_3 = g^{a z^2}$

$e(C'_3, \tilde g^{v_1})\, e(C'_4, \tilde g^{v_2})\, e(C'_5, \tilde g^{v_3}) = e(g, \tilde g)^{a(v_1\alpha_1 z^2 + v_2\alpha_0 z^3 + v_3\alpha_1 z^4)}$
$e(C_3, \tilde g^{V}) = e(g, \tilde g)^{a(v_1\alpha_1 z^2 + v_2\alpha_1 z^3 + v_3\alpha_0 z^4)}$
The two exponents differ, so $W$ is not found at offset 2.

Keywords of any size can be tested

Slide 27

Features

Our construction can handle any kind of strings (bytestrings, ...)
Our construction supports wildcards
− Let $W = w_1 \dots w_{k-1} \ast w_{k+1} \dots w_\ell$
− The associated coefficient $v_k$ in $td_W$ is set to 0
  ⇒ the $k$-th element of a substring is no longer taken into account
We can handle certain types of regular expressions by defining special encodings, e.g. $\epsilon([0-9]) = \beta_1 \in \mathbb{Z}_p$, $\epsilon([a-z]) = \beta_2$, ...
Our construction is proven secure in the generic group model

Slide 28

Optimization

Let $B = b_1 \dots b_n$ and $W = w_1 \dots w_\ell$
The previous detection procedure requires $(n - \ell + 1)(\ell + 1)$ pairings:
  $\forall j:\ e(C'_{j+1}, \tilde g^{v_1}) \cdots e(C'_{j+\ell}, \tilde g^{v_\ell}) = e(C_{j+1}, \tilde g^{V})$
Security requires that $V$ has distinct coefficients
  $V = v_1 \alpha_{w_1} + v_2 \alpha_{w_2} z + \dots + v_\ell \alpha_{w_\ell} z^{\ell-1}$
If $w_i = w_k$, we can set $v_i = v_k$ and merge the corresponding pairings:
  $e(C'_{j+i}, \tilde g^{v_i}) \cdot e(C'_{j+k}, \tilde g^{v_k}) = e(C'_{j+i} \cdot C'_{j+k}, \tilde g^{v_i})$
Divides the number of pairings by up to 256 for bytestrings.
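The mechanism of Slides 22 to 28 (shiftable test, wildcards, merged pairings) as an added Python example. This is not the authors' code and not a secure implementation: every group element $g^x$ or $e(g, \tilde g)^x$ is represented by its exponent $x \bmod p$ alone, so the hiding provided by the groups and the pairing is gone, and what remains is the polynomial identity the gateway checks. Assumptions: the prime $p = 2^{127} - 1$ stands in for the group order; symbols are bytes (or bits) with one secret encoding $\alpha_{\text{sym}}$ each, drawn lazily; a wildcard position gets $v_k = 0$; positions with the same symbol share one $v$, and one "pairing" is counted per distinct symbol per offset, plus one for $e(C_{j+1}, \tilde g^V)$. The streams are constructed, including the slides' $B = 01101$, $W = 110$.

```python
import secrets

P = 2**127 - 1          # prime standing in for the group order p (assumption)
WILDCARD = None         # marks a '*' position in a pattern (assumption)


def rand_scalar():
    return secrets.randbelow(P - 1) + 1      # uniform in [1, p-1]


class SecretKey:
    """sk = {z, alpha_sym for each symbol}, encodings created on first use."""
    def __init__(self):
        self.z = rand_scalar()
        self.alpha = {}

    def enc(self, sym):
        if sym not in self.alpha:
            self.alpha[sym] = rand_scalar()
        return self.alpha[sym]


def encrypt(sk, stream):
    """Exponents of C_i = g^{a z^(i-1)} and C'_i = g^{a alpha_{b_i} z^(i-1)}."""
    a = rand_scalar()
    C, Cp, zpow = [], [], 1
    for b in stream:
        C.append(a * zpow % P)
        Cp.append(a * sk.enc(b) * zpow % P)
        zpow = zpow * sk.z % P
    return C, Cp


def trapdoor(sk, pattern):
    """td_W as ({symbol: v_symbol}, V) with V = sum_i v_i alpha_{w_i} z^(i-1).
    A wildcard contributes nothing (v_k = 0); equal symbols share one v (merge)."""
    v, V, zpow = {}, 0, 1
    for sym in pattern:
        if sym is not WILDCARD:
            if sym not in v:
                v[sym] = rand_scalar()
            V = (V + v[sym] * sk.enc(sym) * zpow) % P
        zpow = zpow * sk.z % P
    return v, V


def match_offsets(ct, pattern, td):
    """Test algorithm: returns (J, number of pairings counted).
    Per offset j: product of the merged pairings e(prod C'_{j+i}, g~^{v_sym})
    against e(C_{j+1}, g~^V), both as exponents of e(g, g~)."""
    C, Cp = ct
    v, V = td
    n, l = len(C), len(pattern)
    found, pairings = [], 0
    for j in range(n - l + 1):
        acc = {}                                   # symbol -> sum of exponents of C'_{j+i}
        for i, sym in enumerate(pattern):
            if sym is not WILDCARD:
                acc[sym] = (acc.get(sym, 0) + Cp[j + i]) % P
        lhs = sum(v[sym] * acc[sym] for sym in acc) % P   # one pairing per symbol group
        rhs = V * C[j] % P                                # e(C_{j+1}, g~^V) = z^j * V in the exponent
        pairings += len(acc) + 1
        if lhs == rhs:
            found.append(j)
    return found, pairings


def demo():
    sk = SecretKey()
    ct = encrypt(sk, b"the hostile host")                  # constructed 16-byte stream
    patterns = {
        "host": list(b"host"),
        "hostile": list(b"hostile"),                       # 7 distinct symbols
        "h*st": [ord("h"), WILDCARD, ord("s"), ord("t")],  # wildcard at position 2
        "aaaaaaaa": list(b"aaaaaaaa"),                     # 1 distinct symbol: 2 pairings per offset
    }
    results = {name: match_offsets(ct, pat, trapdoor(sk, pat)) for name, pat in patterns.items()}
    bits = encrypt(sk, bytes([0, 1, 1, 0, 1]))             # the slides' B = 01101
    results["bits"] = match_offsets(bits, [1, 1, 0], trapdoor(sk, [1, 1, 0]))   # W = 110
    return results


if __name__ == "__main__":
    for name, (hits, pairings) in demo().items():
        print(f"{name:10s} offsets={hits} pairings={pairings}")
```

Without merging, "hostile" on a 16-byte stream costs $(16 - 7 + 1)(7 + 1) = 80$ pairings and the count is the same here because all seven symbols differ; "aaaaaaaa" has one distinct symbol, so the count drops from $9 \cdot 9 = 81$ to $9 \cdot 2 = 18$. The bit example returns $J = \{1\}$, matching the three frames of Slides 24 to 26.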


Slide 29

Further Optimizations

Several pairings are involved in the same equation
− the final exponentiations can be merged
− some steps of the Miller loop can be merged
Most computations are embarrassingly parallelizable
The coefficients $v_i$ can be selected so that $V = 0$
− divides the size of the ciphertext by 2
− forbids constant patterns (e.g. aaaaaaaaaa)

Slide 30

Conclusion

Slide 31

Conclusion

We propose a new primitive, tailored to pattern matching on encrypted data
We propose a construction based on bilinear groups
We avoid the inherent problems of the sliding window method and of offsets for predicate encryption
We prove the security of our scheme in the generic group model