supporting less than queries on encrypted data using
play

Supporting Less-Than Queries on Encrypted Data using Multi-Server - PowerPoint PPT Presentation

Feb 01, 2024 •163 likes •407 views

Supporting Less-Than Queries on Encrypted Data using Multi-Server Secret Sharing and Practical Order-Revealing Encryption Nate Chenette ICERM conference on Encrypted Search June 12, 2019 Project Background Baffle Inc. https://baffle.io/

  1. Supporting Less-Than Queries on Encrypted Data using Multi-Server Secret Sharing and Practical Order-Revealing Encryption Nate Chenette ICERM conference on Encrypted Search June 12, 2019

  2. Project Background • Baffle Inc. https://baffle.io/ • Goal: implement fully-fledged database server that provides a strong level of security • “Baffle provides an advanced data protection solution that protects data in memory, in process and at-rest to reduce insider threat and data theft risk.” • Many of their schemes implement searchable encryption! • Security model: multiple servers, assume only one is compromised by an active adversary • Protect as much information as possible, while supporting various query types (addition, equality, comparison) • My role as a consultant: evaluate schemes for comparison operations on encrypted data, specifically involving order-revealing encryption

  3. Baffle System Architecture Client Client plaintexts query response keys Trusted Computer Trusted Computer keys ciphertexts encrypted query encrypted response Cipher SMPC Servers Database Database data Query Support Encryption/Decryption

  4. Functionality and Security Model • Multiple servers • Respond to queries via an efficient collaborative protocol • Addition • Equality • Less-than • Assume an intruder can only compromise one server at a time • Characterize (and minimize) the leakage

  5. Baffle Encryption (& Authentication) • Uses a pseudorandom function F and a MAC M • Secret sharing, Encrypt-then-MAC Plaintext d Trusted Computer Choose random nonce n • Encryption key k Compute pad by running PRF on nonce with enc. key: • Authentication key k a p = F ( k , n ) Compute ciphertext c by subtracting* plaintext from tag: • c = p – d = F ( k , n ) – d Compute MAC: • m = M ( k a , n , c ) ( n , c , m ) *All quantities and operations occur in some finite commutative ring, e.g., the integers mod 256

  6. Baffle Authenticated Decryption • Recall c = F ( k , n ) – d • So, d = F ( k , n ) – c Trusted Computer • To decrypt ( n , c , m ): • Check the MAC: Verify m == M ( k a , n , c ) • If so, re-compute the pad F ( k , n ) from the nonce and subtract. d = F ( k , n ) – c

  7. Database View ( n 1 , c 1 , m 1 ) ( n 2 , c 2 , m 2 ) ( n 3 , c 3 , m 3 ) ( n 4 , c 4 , m 4 ) …

  8. c 1 = F ( k , n 1 ) – d 1 c 2 = F ( k , n 2 ) – d 2 Baffle Encrypted Addition Correctness: c 3 = S + c 1 + c 2 = F ( k , n 3 ) – F ( k , n 1 ) – F ( k , n 2 ) + c 1 + c 2 = F ( k , n 3 ) – ( d 1 + d 2 ) Query from client via ADD ( n 1 , c 1 , m 1 ) Encryption key k trusted computer: to ( n 2 , c 2 , m 2 ) n 1 , n 2 Choose random nonce n 3 Database Server 1 • Compute pad by running PRF on nonce: • p = F ( k , n 3 ) n 3 , S Compute pad difference Compute ciphertext: • • S = p – F ( k , n 1 ) – F ( k , n 2 ) c 3 = S + c 1 + c 2 Cipher tuple of sum is • ( n 3 , c 3 , 0*) Security notes: All of Server 1’s information is independent of plaintext data! *DB can’t compute the MAC, but the trusted • computer could before returning the tuple Database doesn’t have k , so can’t uncover pads from • (independent) nonces.

  9. X V c 1 = F ( k , n 1 ) – d 1 Baffle Encrypted Equality c 2 = F ( k , n 2 ) – d 2 W == Y iff V == X iff d 1 == d 2 Correctness: EQUAL? ( n 1 , c 1 , m 1 ) ( n 2 , c 2 , m 2 ) Check MACs: verify Server 1 • Auth. key k a m 1 == M ( k a , n 1 , c 1 ), m 2 == M ( k a , n 2 , c 2 ) Compute ciphertext difference • n 1 , c 1 , m 1 , V = c 1 – c 2 n 2 , c 2 , m 2 Database Compute • W = EqualityEncryption( k E , V ) W EqualEnc key k E n 1 , n 2 Compute pad difference Server 2 • X = F ( k , n 1 ) – F ( k , n 2 ) Y Compute • Return TRUE iff • Encryption key k Y = EqualityEncryption( k E , X ) W == Y EqualityEncryption preserves equality; details explained on next page Security notes: Again, plaintext-dependent data (at Database & Server 1) has been separated from the ability to decrypt (Server 2). • The ability of the Database to discover sensitive information is dependent on the security of EqualityEncryption. •

  10. EqualityEncryption • In principle, could be any equality-revealing encryption such as deterministic encryption [Bellare, Boldyreva, O’Neill 2007] • As the EqualEnc key is new for each Equality query, Baffle gets away with a simple affine encryption. Use the key k E to generate invertible multiplier 𝛽 and shift β, and compute EqualityEncryption( k E , V ) = 𝛽 V + β • Since 𝛽 is invertible, EqualityEncryption( k E , V ) == 𝛽 V + β == 𝛽 X + β == EqualityEncryption( k E , X ) if and only if V == X .

  11. c 1 = F ( k , n 1 ) – d 1 Encrypted Comparison – First Try c 2 = F ( k , n 2 ) – d 2 LESSTHAN? ( n 1 , c 1 , m 1 ) ( n 2 , c 2 , m 2 ) Check MACs: verify Server 1 • Auth. key k a m 1 == M ( k a , n 1 , c 1 ), m 2 == M ( k a , n 2 , c 2 ) Compute ciphertext difference • n 1 , c 1 , m 1 , V = c 1 – c 2 n 2 , c 2 , m 2 Database Compute • W = OrderRevealingEncryption ( k L , V ) W ORE key k L n 1 , n 2 Compute pad difference Server 2 • X = F ( k , n 1 ) – F ( k , n 2 ) Y Compute • Return result of • Encryption key k Y = OrderRevealingEncryption ( k L , X ) ORE-LessThan ( W , Y ) Correctness (?): d 1 – d 2 = ( F ( k , n 1 ) – c 1 ) – ( F ( k , n 2 ) – c 2 ) So d 1 < d 2 iff d 1 – d 2 < 0 iff X – V < 0 iff = ( F ( k , n 1 ) – F ( k , n 2 )) – ( c 1 – c 2 ) X < V , which matches the result of Wrong!! = X – V ORE-LessThan( W , Y )

  12. Dealing With Signs For simplicity, assume plaintexts are ASCII characters, i.e., in Z 128 • Clarification: arithmetic is performed in Z 256 , represented using (two’s complement) signed bytes, i.e. taking • values in the range [–128,127]. d 1 < d 2 iff d 1 – d 2 < 0 iff X – V < 0 iff X < V Claim from previous page: True, since d 1 and d 2 are assumed True, since False, because of modularity of the to be ASCII characters in the d 1 – d 2 = X – V subtraction. For example, range [0,127] while d 1 – d 2 is in X = 100, V = –30 gives the range [–127,127]. X – V = –126 < 0; X ≥ V . Solution: Let z 0 = x 0 ⨁ v 0 be an indicator for whether the sign bits of X and V differ. • Let 𝓌 be an indicator for whether X 1..7 < V 1..7 , where we are comparing the non-signed parts of X and V . • Then X – V < 0 iff z 0 ⨁ 𝓌 == 1. •

  13. c 1 = F ( k , n 1 ) – d 1 Encrypted Comparison – Corrected c 2 = F ( k , n 2 ) – d 2 LESSTHAN? ( n 1 , c 1 , m 1 ) ( n 2 , c 2 , m 2 ) Check MACs: verify Server 1 • Auth. key k a m 1 == M ( k a , n 1 , c 1 ), m 2 == M ( k a , n 2 , c 2 ) Compute ciphertext difference • n 1 , c 1 , m 1 , V = c 1 – c 2 n 2 , c 2 , m 2 Database Set • W = OrderRevealingEncryption( k L , V 1..7 ) W , v 0 ORE key k L n 1 , n 2 Compute pad difference Server 2 • X = F ( k , n 1 ) – F ( k , n 2 ) Compute z 0 = x 0 ⨁ v 0 • Y , x 0 Set • Encryption key k Let 𝓌 be an indicator for • Y = OrderRevealingEncryption( k L , X 1..7 ) ORE-LessThan( W , Y ) Return TRUE iff • z 0 ⨁ 𝓌 == 1

  14. Baffle Implementation of Comparison • For OrderRevealingEncryption( k L ,·), use a variant of the “Practical Order-Revealing Encryption” scheme [Chenette, Lewi, Weis, Wu 2016] • Leakage: order of V 1..7 and W 1..7 , and the most significant differing bit (MSDB) of V 1..7 and W 1..7 • [Reminder] CLWW scheme: fix a PRF, F . mask (pad) PracticalORE( k L , V 1..7 ) = p 1 ‖ … ‖ p 7 where p j = F ( k L , V 1..( j – 1) ) + v j (mod 3) • Each bit is masked by an element of Z 3 derived from the prefix preceding the bit • Baffle variant, PracticalORE2: essentially the same, but mod 2 instead of mod 3 • Will reveal location of MSDB( V 1..7 , X 1..7 ) but not its value. • In the scheme, also have Server 1 reveal all of V 1..7 to the Database so it can uncover the MSDB values.

  15. c 1 = F ( k , n 1 ) – d 1 Baffle Encrypted Comparison c 2 = F ( k , n 2 ) – d 2 LESSTHAN? ( n 1 , c 1 , m 1 ) ( n 2 , c 2 , m 2 ) Check MACs: verify Server 1 • Auth. key k a m 1 == M ( k a , n 1 , c 1 ), m 2 == M ( k a , n 2 , c 2 ) Compute ciphertext difference • n 1 , c 1 , m 1 , V = c 1 – c 2 n 2 , c 2 , m 2 Database Set • W = PracticalORE2( k L , V 1..7 ) W , V ORE key k L (ephemeral) n 1 , n 2 Compute pad difference Server 2 • X = F ( k , n 1 ) – F ( k , n 2 ) Compute z 0 = x 0 ⨁ v 0 • Y , x 0 Set • Encryption key k If W == Y , let 𝓌 = v 0 ; • Y = PracticalORE2( k L , X 1..7 ) otherwise, let 𝓌 = v j corresponding to the MSDB between W and Y . Return TRUE iff • z 0 ⨁ 𝓌 == 1

  16. Implementation Particulars • Use AES to generate the “pseudorandom” bits in PracticalORE2. • For each prefix-derived mask, the number of AES output bits needed is 1 + [prefix length] • Mask = XOR of all AES bits corresponding to 1’s in the prefix, XORed with the one extra bit. • Extra bit guarantees ≥1 pseudorandom bit used in each mask (even all-0 prefix) • Usage of other bits guarantees that different prefixes’ masks are independent • Example: prefix 01101 pseudorandom bits 101011______ mask XOR(0,1,1,1) = 1 • Relatively efficient: requires only 3 AES blocks to ORE-encrypt a 32-bit character

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AnalysingAccess Pattern and Volume Leakage from Range Queries on Encrypted Data Kenny Paterson

AnalysingAccess Pattern and Volume Leakage from Range Queries on Encrypted Data Kenny Paterson

AnalysingAccess Pattern and Volume Leakage from Range Queries on Encrypted Data Kenny Paterson @kennyog based on joint work with Paul Grubbs, Marie-Sarah Lacharit, Brice Minaud Information Security Group SuRI EPFL June 18, 2018

859 views • 49 slides
CryptDB: Processing Queries on an Encrypted Database Raluca Ada Popa, Catherine M. S. Redfield,

CryptDB: Processing Queries on an Encrypted Database Raluca Ada Popa, Catherine M. S. Redfield,

CryptDB: Processing Queries on an Encrypted Database Raluca Ada Popa, Catherine M. S. Redfield, Nickolai Zeldovich, and Hari Balakrishnan MIT CSAIL Problem } Confidential data leaks from databases (DB) } 2012: hackers extracted 6.5

465 views • 30 slides
Secure Skyline Queries on Encrypted Data CS 573 Data Privacy and Security Jinfei Liu, Juncheng

Secure Skyline Queries on Encrypted Data CS 573 Data Privacy and Security Jinfei Liu, Juncheng

Secure Skyline Queries on Encrypted Data CS 573 Data Privacy and Security Jinfei Liu, Juncheng Yang, Li Xiong, and Jian Pei. Secure Skyline Queries on Cloud Platform. ICDE 2017. Jinfei Liu, Juncheng Yang, Li Xiong, and Jian Pei. Secure and

1.1k views • 72 slides
Why Encrypt Data? We have already discussed authentication and access control as means to

Why Encrypt Data? We have already discussed authentication and access control as means to

Security in Outsourced Databases II Outsourced Databases II (Query Processing on Encrypted Data) Disks replaced Data worthless if encrypted Customer Credit for maintenance Card Number Laptops stolen Backups lost p 1 Why Encrypt Data?

759 views • 19 slides
Searches Through Encrypted Data presenter: Reza Curtmola Advanced Topics in Network Security

Searches Through Encrypted Data presenter: Reza Curtmola Advanced Topics in Network Security

Searches Through Encrypted Data presenter: Reza Curtmola Advanced Topics in Network Security (600/650.624) Introduction Searching usually done over plaintext But what if we could search encrypted data? Bloom Filters Efficient

459 views • 30 slides
TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1

TLS 1.3 Encrypted SNI ekr: ekr@rtfm.com dkg: dkg@aclu.org IETF 94 TLS 1.3 Encrypted SNI 1 DISCLAIMER: THIS IS NOT FULLY-BAKED We just fleshed out this idea yesterday, so its hand-wavy. Insufficient analysis has been done. IETF 94 TLS 1.3

886 views • 11 slides
Basic SQL Lecture 2 1 Outline Data in SQL Simple Queries in SQL Queries with more

Basic SQL Lecture 2 1 Outline Data in SQL Simple Queries in SQL Queries with more

Basic SQL Lecture 2 1 Outline Data in SQL Simple Queries in SQL Queries with more than one relation Reading: Chapter 3, Simple Queries from SQL for Web Nerds, by Philip Greenspun http://philip.greenspun.com/sql/ 2 1

835 views • 17 slides
How to run SQL queries on TBs of data using GPUs Jake Wheat Lead Architect, SQream Technologies

How to run SQL queries on TBs of data using GPUs Jake Wheat Lead Architect, SQream Technologies

How to run SQL queries on TBs of data using GPUs Jake Wheat Lead Architect, SQream Technologies @sqreamtech SIL7138 1 How to run SQL queries on TBs of data using GPUs 1. A toy SQL query engine 2. Support wide range of SQL queries 3.

684 views • 24 slides
Supporting Analysis of SQL Queries in PHP AiR David Anderson and Mark Hills (@hillsma on Twitter)

Supporting Analysis of SQL Queries in PHP AiR David Anderson and Mark Hills (@hillsma on Twitter)

Supporting Analysis of SQL Queries in PHP AiR David Anderson and Mark Hills (@hillsma on Twitter) 17th IEEE International Working Conference on Source Code Analysis and Manipulation (SCAM 2017), Engineering Track September 17-18, 2017 Shanghai,

163 views • 13 slides
Streaming Queries over Streaming Data Sirish Chandrasekaran UC Berkeley August 20, 2002 VLDB

Streaming Queries over Streaming Data Sirish Chandrasekaran UC Berkeley August 20, 2002 VLDB

Streaming Queries over Streaming Data Sirish Chandrasekaran UC Berkeley August 20, 2002 VLDB 2002 with Michael J. Franklin Motivation (1): Queries over Data Streams Queries over the past Select all the Hondas that passed I-80 at Ashby Ave.

735 views • 48 slides
SUPPORTING SQL QUERIES FOR SUBSETTING LARGE- SCALE DATASETS IN PARAVIEW Yu Su*, Gagan Agrawal*,

SUPPORTING SQL QUERIES FOR SUBSETTING LARGE- SCALE DATASETS IN PARAVIEW Yu Su*, Gagan Agrawal*,

SUPPORTING SQL QUERIES FOR SUBSETTING LARGE- SCALE DATASETS IN PARAVIEW Yu Su*, Gagan Agrawal*, Jon Woodring *The Ohio State University Los Alamos National Laboratory SC11 UltraVis Workshop, November 13, 2011 Subsetting Large-Scale

523 views • 20 slides
Queries in PSM The following rules apply to the use of queries: CS 235: 1. Queries

Queries in PSM The following rules apply to the use of queries: CS 235: 1. Queries

Queries in PSM The following rules apply to the use of queries: CS 235: 1. Queries returning a single value can be Introduction to Databases used in assignments 2. Queries returning a single tuple can be used Svetlozar Nestorov with

530 views • 4 slides
Supporting Time-Constrained SQL Queries in Oracle Ying Hu, Seema Sundara, Jagannathan Srinivasan

Supporting Time-Constrained SQL Queries in Oracle Ying Hu, Seema Sundara, Jagannathan Srinivasan

&lt;Insert Picture Here&gt; Supporting Time-Constrained SQL Queries in Oracle Ying Hu, Seema Sundara, Jagannathan Srinivasan Oracle New England Development Center One Oracle Drive, Nashua, NH 03062 Talk Outline The Problem and Our Approach

791 views • 40 slides
Big Data Security: How to efficiently perform data analytics over encrypted data? Adrian Perrig

Big Data Security: How to efficiently perform data analytics over encrypted data? Adrian Perrig

Big Data Security: How to efficiently perform data analytics over encrypted data? Adrian Perrig Network Security Group ETH Zrich 1 Why worry about Big Data Security? Security is well understood and well handled! Really? 2 Problem

360 views • 16 slides
Overview Stream Processing Applications Stock Markets Internet of Things Intrusion Detection

Overview Stream Processing Applications Stock Markets Internet of Things Intrusion Detection

Overview Stream Processing Applications Stock Markets Internet of Things Intrusion Detection Central Idea Classical Queries : Queries Change, Data Fixed View Maintenance : Data Changes, Queries Fixed, Slow Response Here : Data Changes, Queries

760 views • 9 slides
Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure communication. Does not allow modifying encrypted data. Homomorphic Encryption: allows computation on encrypted data, but result remains encrypted Functional

987 views • 61 slides
INVENTIV Physical Design Implementation for 3D IC Methodology and Tools Dave Noice

INVENTIV Physical Design Implementation for 3D IC Methodology and Tools Dave Noice

INVENTIV Physical Design Implementation for 3D IC Methodology and Tools Dave Noice Vassilios Gerousis IVE Outline 3D IC Physical components Modeling 3D IC Stack Configuration Physical Design With TSV Summary

373 views • 18 slides
Vladislav Zakharov Monday February 10 th , 2020 2 Background &amp; Motivation: Time Projection

Vladislav Zakharov Monday February 10 th , 2020 2 Background &amp; Motivation: Time Projection

1 Vladislav Zakharov Monday February 10 th , 2020 2 Background &amp; Motivation: Time Projection Chamber (TPC) u A type of detector A type of capacitor Outer &amp; Inner mandrel construction in our lab u To be used in sPHENIX u Can

727 views • 33 slides
BUILDING PROGRESSIVE WEB APPS IN KOTLIN Erik Hellman @ErikHellman Copenhagen Denmark Actual

BUILDING PROGRESSIVE WEB APPS IN KOTLIN Erik Hellman @ErikHellman Copenhagen Denmark Actual

BUILDING PROGRESSIVE WEB APPS IN KOTLIN Erik Hellman @ErikHellman Copenhagen Denmark Actual Cross Platform! Types - Theyre pretty great! Type definitions for JavaScript DOM APIs lib.dom.d.ts import { LitElement, html, property,

973 views • 81 slides
horizon EDA whats new Lukas Kramer 03.02.2019 FOSDEM 2019 Lukas K., FOSDEM 2019 1 / 20

horizon EDA whats new Lukas Kramer 03.02.2019 FOSDEM 2019 Lukas K., FOSDEM 2019 1 / 20

horizon EDA whats new Lukas Kramer 03.02.2019 FOSDEM 2019 Lukas K., FOSDEM 2019 1 / 20 Motivation Why write an EDA package from scratch in 2016? Lukas K., FOSDEM 2019 2 / 20 Motivation Why write an EDA package from scratch in 2016?

784 views • 43 slides
Short status update on DCE3 A. Wassatsch Max-Planck Semiconductor Laboratory Munich (Germany) 13

Short status update on DCE3 A. Wassatsch Max-Planck Semiconductor Laboratory Munich (Germany) 13

Short status update on DCE3 A. Wassatsch Max-Planck Semiconductor Laboratory Munich (Germany) 13 th International Workshop on DEPFET Detectors and Applications Ringberg 12-15.06.2013 DEPFET A r c t i v e e c t o P D e t i x e l 13

700 views • 19 slides
(Signal creation, energy loss, PID) Particle tracking and identification at high rates WS 16/17

(Signal creation, energy loss, PID) Particle tracking and identification at high rates WS 16/17

Time Projection Chamber (Signal creation, energy loss, PID) Particle tracking and identification at high rates WS 16/17 Bogdan Blidaru Page 1 Motivation Standard detector courses describe to some extent how the signal is created and how

899 views • 72 slides
Seconda dary Prevention o n of V Vascul ular E Eve vents Wha hat i is t the o e opt

Seconda dary Prevention o n of V Vascul ular E Eve vents Wha hat i is t the o e opt

Canadian Society o of I Internal M Medicine A Annual Meeting Toronto, Ontario, November 2017 Seconda dary Prevention o n of V Vascul ular E Eve vents Wha hat i is t the o e opt ptimal antithr hrombo botic strateg egy? Benjamin

900 views • 21 slides
Economics 113 Slides J. Bradford Delong http://bradford-delong.com brad.delong@gmail.com

Economics 113 Slides J. Bradford Delong http://bradford-delong.com brad.delong@gmail.com

Economics 113 Slides J. Bradford Delong http://bradford-delong.com brad.delong@gmail.com @delong 2017-01-23 KNT: https://www.icloud.com/keynote/ 0LrGo9XoEQ-6Plw4xIs8hEe6Q#2017-01-23_Econ_113_Slides Outline Office Hours Tools:

847 views • 56 slides

More recommend