supporting less than queries on encrypted data using
play

Supporting Less-Than Queries on Encrypted Data using Multi-Server - PowerPoint PPT Presentation

Supporting Less-Than Queries on Encrypted Data using Multi-Server Secret Sharing and Practical Order-Revealing Encryption Nate Chenette ICERM conference on Encrypted Search June 12, 2019 Project Background Baffle Inc. https://baffle.io/


  1. Supporting Less-Than Queries on Encrypted Data using Multi-Server Secret Sharing and Practical Order-Revealing Encryption Nate Chenette ICERM conference on Encrypted Search June 12, 2019

  2. Project Background • Baffle Inc. https://baffle.io/ • Goal: implement fully-fledged database server that provides a strong level of security • “Baffle provides an advanced data protection solution that protects data in memory, in process and at-rest to reduce insider threat and data theft risk.” • Many of their schemes implement searchable encryption! • Security model: multiple servers, assume only one is compromised by an active adversary • Protect as much information as possible, while supporting various query types (addition, equality, comparison) • My role as a consultant: evaluate schemes for comparison operations on encrypted data, specifically involving order-revealing encryption

  3. Baffle System Architecture Client Client plaintexts query response keys Trusted Computer Trusted Computer keys ciphertexts encrypted query encrypted response Cipher SMPC Servers Database Database data Query Support Encryption/Decryption

  4. Functionality and Security Model • Multiple servers • Respond to queries via an efficient collaborative protocol • Addition • Equality • Less-than • Assume an intruder can only compromise one server at a time • Characterize (and minimize) the leakage

  5. Baffle Encryption (& Authentication) • Uses a pseudorandom function F and a MAC M • Secret sharing, Encrypt-then-MAC Plaintext d Trusted Computer Choose random nonce n • Encryption key k Compute pad by running PRF on nonce with enc. key: • Authentication key k a p = F ( k , n ) Compute ciphertext c by subtracting* plaintext from tag: • c = p – d = F ( k , n ) – d Compute MAC: • m = M ( k a , n , c ) ( n , c , m ) *All quantities and operations occur in some finite commutative ring, e.g., the integers mod 256

  6. Baffle Authenticated Decryption • Recall c = F ( k , n ) – d • So, d = F ( k , n ) – c Trusted Computer • To decrypt ( n , c , m ): • Check the MAC: Verify m == M ( k a , n , c ) • If so, re-compute the pad F ( k , n ) from the nonce and subtract. d = F ( k , n ) – c

  7. Database View ( n 1 , c 1 , m 1 ) ( n 2 , c 2 , m 2 ) ( n 3 , c 3 , m 3 ) ( n 4 , c 4 , m 4 ) …

  8. c 1 = F ( k , n 1 ) – d 1 c 2 = F ( k , n 2 ) – d 2 Baffle Encrypted Addition Correctness: c 3 = S + c 1 + c 2 = F ( k , n 3 ) – F ( k , n 1 ) – F ( k , n 2 ) + c 1 + c 2 = F ( k , n 3 ) – ( d 1 + d 2 ) Query from client via ADD ( n 1 , c 1 , m 1 ) Encryption key k trusted computer: to ( n 2 , c 2 , m 2 ) n 1 , n 2 Choose random nonce n 3 Database Server 1 • Compute pad by running PRF on nonce: • p = F ( k , n 3 ) n 3 , S Compute pad difference Compute ciphertext: • • S = p – F ( k , n 1 ) – F ( k , n 2 ) c 3 = S + c 1 + c 2 Cipher tuple of sum is • ( n 3 , c 3 , 0*) Security notes: All of Server 1’s information is independent of plaintext data! *DB can’t compute the MAC, but the trusted • computer could before returning the tuple Database doesn’t have k , so can’t uncover pads from • (independent) nonces.

  9. X V c 1 = F ( k , n 1 ) – d 1 Baffle Encrypted Equality c 2 = F ( k , n 2 ) – d 2 W == Y iff V == X iff d 1 == d 2 Correctness: EQUAL? ( n 1 , c 1 , m 1 ) ( n 2 , c 2 , m 2 ) Check MACs: verify Server 1 • Auth. key k a m 1 == M ( k a , n 1 , c 1 ), m 2 == M ( k a , n 2 , c 2 ) Compute ciphertext difference • n 1 , c 1 , m 1 , V = c 1 – c 2 n 2 , c 2 , m 2 Database Compute • W = EqualityEncryption( k E , V ) W EqualEnc key k E n 1 , n 2 Compute pad difference Server 2 • X = F ( k , n 1 ) – F ( k , n 2 ) Y Compute • Return TRUE iff • Encryption key k Y = EqualityEncryption( k E , X ) W == Y EqualityEncryption preserves equality; details explained on next page Security notes: Again, plaintext-dependent data (at Database & Server 1) has been separated from the ability to decrypt (Server 2). • The ability of the Database to discover sensitive information is dependent on the security of EqualityEncryption. •

  10. EqualityEncryption • In principle, could be any equality-revealing encryption such as deterministic encryption [Bellare, Boldyreva, O’Neill 2007] • As the EqualEnc key is new for each Equality query, Baffle gets away with a simple affine encryption. Use the key k E to generate invertible multiplier 𝛽 and shift β, and compute EqualityEncryption( k E , V ) = 𝛽 V + β • Since 𝛽 is invertible, EqualityEncryption( k E , V ) == 𝛽 V + β == 𝛽 X + β == EqualityEncryption( k E , X ) if and only if V == X .

  11. c 1 = F ( k , n 1 ) – d 1 Encrypted Comparison – First Try c 2 = F ( k , n 2 ) – d 2 LESSTHAN? ( n 1 , c 1 , m 1 ) ( n 2 , c 2 , m 2 ) Check MACs: verify Server 1 • Auth. key k a m 1 == M ( k a , n 1 , c 1 ), m 2 == M ( k a , n 2 , c 2 ) Compute ciphertext difference • n 1 , c 1 , m 1 , V = c 1 – c 2 n 2 , c 2 , m 2 Database Compute • W = OrderRevealingEncryption ( k L , V ) W ORE key k L n 1 , n 2 Compute pad difference Server 2 • X = F ( k , n 1 ) – F ( k , n 2 ) Y Compute • Return result of • Encryption key k Y = OrderRevealingEncryption ( k L , X ) ORE-LessThan ( W , Y ) Correctness (?): d 1 – d 2 = ( F ( k , n 1 ) – c 1 ) – ( F ( k , n 2 ) – c 2 ) So d 1 < d 2 iff d 1 – d 2 < 0 iff X – V < 0 iff = ( F ( k , n 1 ) – F ( k , n 2 )) – ( c 1 – c 2 ) X < V , which matches the result of Wrong!! = X – V ORE-LessThan( W , Y )

  12. Dealing With Signs For simplicity, assume plaintexts are ASCII characters, i.e., in Z 128 • Clarification: arithmetic is performed in Z 256 , represented using (two’s complement) signed bytes, i.e. taking • values in the range [–128,127]. d 1 < d 2 iff d 1 – d 2 < 0 iff X – V < 0 iff X < V Claim from previous page: True, since d 1 and d 2 are assumed True, since False, because of modularity of the to be ASCII characters in the d 1 – d 2 = X – V subtraction. For example, range [0,127] while d 1 – d 2 is in X = 100, V = –30 gives the range [–127,127]. X – V = –126 < 0; X ≥ V . Solution: Let z 0 = x 0 ⨁ v 0 be an indicator for whether the sign bits of X and V differ. • Let 𝓌 be an indicator for whether X 1..7 < V 1..7 , where we are comparing the non-signed parts of X and V . • Then X – V < 0 iff z 0 ⨁ 𝓌 == 1. •

  13. c 1 = F ( k , n 1 ) – d 1 Encrypted Comparison – Corrected c 2 = F ( k , n 2 ) – d 2 LESSTHAN? ( n 1 , c 1 , m 1 ) ( n 2 , c 2 , m 2 ) Check MACs: verify Server 1 • Auth. key k a m 1 == M ( k a , n 1 , c 1 ), m 2 == M ( k a , n 2 , c 2 ) Compute ciphertext difference • n 1 , c 1 , m 1 , V = c 1 – c 2 n 2 , c 2 , m 2 Database Set • W = OrderRevealingEncryption( k L , V 1..7 ) W , v 0 ORE key k L n 1 , n 2 Compute pad difference Server 2 • X = F ( k , n 1 ) – F ( k , n 2 ) Compute z 0 = x 0 ⨁ v 0 • Y , x 0 Set • Encryption key k Let 𝓌 be an indicator for • Y = OrderRevealingEncryption( k L , X 1..7 ) ORE-LessThan( W , Y ) Return TRUE iff • z 0 ⨁ 𝓌 == 1

  14. Baffle Implementation of Comparison • For OrderRevealingEncryption( k L ,·), use a variant of the “Practical Order-Revealing Encryption” scheme [Chenette, Lewi, Weis, Wu 2016] • Leakage: order of V 1..7 and W 1..7 , and the most significant differing bit (MSDB) of V 1..7 and W 1..7 • [Reminder] CLWW scheme: fix a PRF, F . mask (pad) PracticalORE( k L , V 1..7 ) = p 1 ‖ … ‖ p 7 where p j = F ( k L , V 1..( j – 1) ) + v j (mod 3) • Each bit is masked by an element of Z 3 derived from the prefix preceding the bit • Baffle variant, PracticalORE2: essentially the same, but mod 2 instead of mod 3 • Will reveal location of MSDB( V 1..7 , X 1..7 ) but not its value. • In the scheme, also have Server 1 reveal all of V 1..7 to the Database so it can uncover the MSDB values.

  15. c 1 = F ( k , n 1 ) – d 1 Baffle Encrypted Comparison c 2 = F ( k , n 2 ) – d 2 LESSTHAN? ( n 1 , c 1 , m 1 ) ( n 2 , c 2 , m 2 ) Check MACs: verify Server 1 • Auth. key k a m 1 == M ( k a , n 1 , c 1 ), m 2 == M ( k a , n 2 , c 2 ) Compute ciphertext difference • n 1 , c 1 , m 1 , V = c 1 – c 2 n 2 , c 2 , m 2 Database Set • W = PracticalORE2( k L , V 1..7 ) W , V ORE key k L (ephemeral) n 1 , n 2 Compute pad difference Server 2 • X = F ( k , n 1 ) – F ( k , n 2 ) Compute z 0 = x 0 ⨁ v 0 • Y , x 0 Set • Encryption key k If W == Y , let 𝓌 = v 0 ; • Y = PracticalORE2( k L , X 1..7 ) otherwise, let 𝓌 = v j corresponding to the MSDB between W and Y . Return TRUE iff • z 0 ⨁ 𝓌 == 1

  16. Implementation Particulars • Use AES to generate the “pseudorandom” bits in PracticalORE2. • For each prefix-derived mask, the number of AES output bits needed is 1 + [prefix length] • Mask = XOR of all AES bits corresponding to 1’s in the prefix, XORed with the one extra bit. • Extra bit guarantees ≥1 pseudorandom bit used in each mask (even all-0 prefix) • Usage of other bits guarantees that different prefixes’ masks are independent • Example: prefix 01101 pseudorandom bits 101011______ mask XOR(0,1,1,1) = 1 • Relatively efficient: requires only 3 AES blocks to ORE-encrypt a 32-bit character

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend


More recommend