Secure Mediation of Join Queries by Processing Ciphertexts

(1)

Secure Mediation of Join Queries by Processing Ciphertexts

Joachim Biskup, Christian Tsatedem and Lena Wiese Lehrstuhl VI

Fachbereich Informatik Universit¨at Dortmund

Germany

SECOBAP’07

Marmara Hotel, Istanbul April 20, 2007

(2)

Overview

ñ Introduction and Problem Statement

ñ Encryption Scheme 1: Database-As-a-Service ñ Encryption Scheme 2: Commutative Encryption

ñ Encryption Scheme 3: Homomorphic Encryption/Private Matching ñ Comparison

ñ Conclusion

(3)

Introduction: Mediation

Basic mediation system

ñ A client directs a global query to a mediator

ñ Mediator gathers data by sending partial queries to datasources

ñ Mediator constructs a global result out of the partial results and sends it back to the client.

global result global query Client

Source 1 Source n

.. Mediator .

partial query 1

partial query n partial result n partial result 1

(4)

Introduction: Secure Mediation

Secure mediation with the Multimedia Mediator (MMM) system ñ Altenschmidt/Biskup/Flegel/Karabulut, 2003

ñ Confederations of clients, mediators and datasources (flexible: contract based, short-term, ...)

ñ Aims: Anonymity of clients and confidentiality of data

(5)

Introduction: Secure Mediation

MMM Protocol

ñ Preparatory phase: Client acquires credentials (public key & properties) and identity certificates (public key & identity)

ñ Request phase:

1. Client sends global query with appropriate credentials to mediator 2. Mediator forwards credentials with partial queries to datasources 3. Datasources execute access control based on client’s properties 4. Datasources execute partial queries to get partial results

ñ Delivery phase:

1. Datasources encrypt partial results

2. Mediator computes encrypted global result and returns it to client

(6)

Introduction: Secure Mediation

i

process

p: properties

id: client’s identity Certification

id

k p

k_pub

p

pub

p k

pub

..

Source 1

.

global p

q kpub

scheme result

global encr.

Source n scheme

kpub

query

Client

k : client’s public key Authority

pub

scheme Mediator

partial result R SQL2-

Algebra

n

partial result R₁

partial query q partial query q₁

n

encrypted R

(7)

Problem Statement: Delivery Phase

How can the mediator compute a global result

if it is not eligible to access the data in the partial results?

Previous solution: mobile code (Biskup/Sprick/Wiese, 2005) ñ Mediator constructs executable that computes the global result

ñ Client executes mobile code on decrypted partial results

New solution: computation on encrypted data ñ Delivery phase:

1. Datasources encrypt partial results with appropriate encryption scheme 2. Mediator computes encrypted global result from encrypted partial results 3. Client decrypts global result (according to encryption scheme)

(8)

Notation

ñ One client, one mediator, two datasources S¹ and S₂ ñ Global query q: JOIN over two partial queries

ñ Partial queries q¹ over relation R₁ and q₂ over relation R₂ ñ Single, common attribute (“join attribute”) A^join

Client Mediator

q Source 1

Source 2

R1(...,Ajoin,...)

R2(...,Ajoin,...)

="select * from R1, R2 where R1.Ajoin=R2.Ajoin"

="select * from R1"

="select * from R2"

q

1

2

(9)

Overview

ñ Conclusion

(10)

Encryption Scheme 1: DAS Model

“Database As a Service”

(Hacıg¨um¨u¸s et al., 2002)

ñ Data owner outsources data to service provider in encrypted format ñ Partitioning of attribute domains (“bucketization”)

ñ One distinct index value for each partition of a domain

ñ One query executed on index values at service provider site (server query:

superset of exact result)

ñ Second query executed on data owner site (client query: exact result)

(11)

Encryption Scheme 1: DAS Model

Delivery Phase based on “Database As a Service”

ñ Datasources encrypt partial results

ñ Datasources define partitions (“buckets”) and index values of join attribute ñ Client constructs server query for mediator

ñ Mediator executes server query on encrypted partial results (→ encrypted superset of global result)

ñ Client decrypts mediator’s result and executes client query (→ global result)

DAS k_pub partitions & index values

DAS partial result R1

DAS partial result R₂

Source 2

R2(...,Ajoin,...)

Source 1

R1(...,Ajoin,...)

Mediator Client

superset of global result query

server query

client

(12)

Overview

ñ Conclusion

(13)

Encryption Scheme 2: Commutative Encryption

Commutative encryption function f_e (as in Agrawal et al., 2003) ñ Polynomial-time computable function (with key e) such that:

1. [Commutativity] For all keys e₁ and e₂: f_e₁ ◦ f_e₂ = f_e₂ ◦ f_e₁ 2. [Bijectivity] Each f_e is a bijection

3. [Invertibility] The inverse f_e⁻¹ is polynomial-time computable given e 4. [Secrecy] Distributions of hx, f_e(x), y, f_e(y)i and hx, f_e(x), y, zi are

indistinguishable

ñ Property 4 indispensable for security proofs

ñ Use hash values of original inputs to ensure randomness (random oracle model)

(14)

Encryption Scheme 2: Commutative Encryption

Delivery Phase based on two-party protocol for join (Agrawal et al., 2003)

1. Tuples with same join attribute value are encrypted with client’s key 2. Join attribute values are hashed: h(a)

3. S₁ has key e₁ and encrypts hashes: f_e₁(h(a)) / S₂ has key e₂: f_e₂(h(a⁰)) 4. Exchange and second encryption gives f_e₂(f_e₁(h(a))) and f_e₁(f_e₂(h(a⁰))) 5. Mediator checks if f_e₂(f_e₁(h(a))) = f_e₁(f_e₂(h(a⁰)))

Source 1

R1(...,Ajoin,...)

e2 h(a’)e2

e1 h(a) e1

e2 h(a’)e2 e1

?= R₁

kpub

Client

h(a’)

(15)

Overview

ñ Conclusion

(16)

Encryption Scheme 3: Homomorphic Encryption

Additively homomorphic encryption function E (as in Freedman et al., 2004)

ñ Semantically secure public key encryption function such that:

1. Given two ciphertexts E(a) and E(b),

there is a way to efficiently compute E(a + b).

2. Given a constant γ and a ciphertext E(a),

there is a way to efficiently compute E(γ · a).

ñ For a polynomial P (x) = ^Pⁿk=0 c_kx^k, given only encryptions E(c_k) of the coefficients and

cleartext input value a (such that b = P (a)),

one can efficiently compute E(b) = E(P (a)) = E(^Pⁿ_k=0 c_ka^k)

ñ For a constant value γ and “payload data” p (|| means concatenation)

(17)

Encryption Scheme 3: Homomorphic Encryption

Delivery Phase based on Private Matching protocol for intersection (Freedman et al., 2004)

1. Client’s k_pub is public key of homomorphic encryption scheme

2. Each datasource has polynomial with join attribute values as roots (P₁ and P₂) 3. Mediator exchanges encrypted coefficients

4. Each datasource evaluates encrypted polynomial on cleartext join attribute values plus tuples as payload data

5. Client decrypts data and finds either random values or matching tuples

Mediator

Source 1

R1(...,Ajoin,...)

Source 2

R2(...,Ajoin,...)

Source 2

R2(...,Ajoin,...)

R₂ homom.

R₁ homom.

R₂ homom.

R₁ homom.

R₁

homom. k_pub

k_pub Client P1

P2

(18)

Overview

ñ Conclusion

(19)

Comparison

Assumptions

ñ Cryptographic strength of encryption schemes as stated by security proofs in original articles

ñ Cryptographic models are respected (random oracle model, large domains, ...) ñ Datasources include only those data records in partial results

for which access permissions could be established (based on client’s credentials)

(20)

Comparison

Client’s extra knowledge ñ Database-As-a-Service:

client retrieves superset of global result (extra data records) and partitions and index tables

ñ Commutative Encryption:

no extra knowledge (client just retrieves exact global result) ñ Homomorphic Encryption/Private Matching:

client knows number of different join attribute values with each datasource

(21)

Comparison

Mediator’s extra knowledge

ñ All three Delivery Phase protocols:

confidentiality ensured

(data records are encrypted such that only the client can decrypt them) ñ Database-As-a-Service:

mediator learns sizes of partial results and

size of server query result (upper bound of size of global result);

partition sizes and domain sizes maybe crucial (trade-off confidentiality/efficiency)

ñ Commutative Encryption:

mediator learns number of join attribute values with each datasource and size of intersection (lower bound of size of global result)

ñ Homomorphic Encryption/Private Matching:

mediator learns number of join attribute values with each datasource

(22)

Overview

ñ Conclusion

(23)

Conclusion

Secure mediation with ciphertext processing ñ Confidentiality of transmitted data

ñ Anonymity of client

ñ Reduced need for trust in the mediator (in comparison to mobile code) ñ Reduced workload for client (in comparison to mobile code)

(24)

Appendix

ñ Encryption Scheme 3: Homomorphic Encryption/Private Matching

(25)

Encryption Scheme 1: DAS Model

Delivery Phase based on “Database As a Service”

(Hacıg¨um¨u¸s et al., 2002)

1. Each database S_i partitions active domain of join attribute dom_active(R_i.A_join) and assigns each partition an index value in an index table IT able_R_i_.A_join.

R₁:

. . . R₁.A_join . . . . . . 100 . . . . . . 120 . . . . . . 150 . . .

⇒

index table for R₁:

IT able_R₁_.A_join [100, 150) 1

[150, 200] 2

R₂:

. . . R₂.A_join . . . . . . 120 . . . . . . 150 . . . . . . 210 . . .

⇒

index table for R₂:

IT able_R₂_.A_join [100, 200) 11 [200, 300] 12 2. S_i encrypts R_i row-wise (with client’s keys) and adds column for index

R₁^S:

R^S₁.t^S R^S₁.A^S_join 1010101 . . . 1 0101011 . . . 1 010111 . . . 2

R^S₂:

R^S₂.t^S R₂^S.A^S_join 00101001 . . . 11

1101001 . . . 11 100111 . . . 12

(26)

3. S_i sends encrypted partial result and encrypted index table to the mediator:

hR^S_i , encrypt(IT able_R_i_.A_join)i, where encrypt is encryption with client’s keys 4. Mediator forwards index tables to client

5. Client decrypts index tables and constructs:

a. Server query q^S (selects tuples from overlapping partitions in partial results) R^C := q^S(R₁^S, R₂^S) = σCond_S(R^S₁ × R^S₂)

where Cond_S = (R₁^S.A^S_join = 1 ∧ R^S₂.A^S_join = 11

∨R₁^S.A^S_join = 2 ∧ R^S₂.A^S_join = 11

∨R₁^S.A^S_join = 2 ∧ R^S₂.A^S_join = 12)

IT able_R₁_.A_join: [100, 150) 1

[150, 200] 2 IT able_R₂_.A_join: [100, 200) 11

[200, 300] 12 b. Client query q^C (postprocesses mediator’s result to find correct join tuples)

q^C(decrypt(R^C)) = σ_(R₁_.A_join_=R₂_.A_join₎(decrypt(R^C))

(27)

7. Mediator executes q^S on encrypted partial results; returns R^C to client

R^C:

R^S₁.t^S R₁^S.A^S_join R^S₂.t^S R^S₂.A^S_join 1010101 . . . 1 00101001 . . . 11 1010101 . . . 1 1101001 . . . 11 0101011 . . . 1 00101001 . . . 11 0101011 . . . 1 1101001 . . . 11 010111 . . . 2 00101001 . . . 11 010111 . . . 2 1101001 . . . 11 010111 . . . 2 100111 . . . 12 8. Client decrypts R^C and executes client query q^C

global result R:

. . . R₁.A_join . . . R₂.A_join . . . . . . 120 . . . 120 . . . . . . 150 . . . 150 . . .

(28)

Appendix

(29)

Encryption Scheme 2: Commutative Encryption

Delivery Phase based on two-party protocol for join (Agrawal et al., 2003)

1. Datasource S_i generates key e_i for commutative encryption function f S_i encrypts hash values of join attribute values (ideal hash function h)

R₁:

R₁.A₁ R₁.A_join

α 10

β 10

γ 15

⇒

encrypted hash values:

f_e₁(h(10)), f_e₁(h(15))

R₂:

R₂.A₁ R₂.A_join

δ 12

15

ζ 15

⇒

encrypted hash values:

f_e₂(h(12)), f_e₂(h(15)) 2. S_i builds tuple sets for same join attribute value:

T up_i(a) := {t ∈ R_i | t[A_join] = a}

T up₁(10) = {hα, 10i, hβ, 10i}

T up₁(15) = {hγ, 15i}

T up₂(12) = {hδ, 12i}

T up₂(15) = {h, 15i, hζ, 15i}

S encrypts them with client’s keys to ciphertexts encrypt(T up (a))

(30)

3. S_i sends set of messages M_i := {hf_e_i(h(a)), encrypt(T up_i(a))i} to mediator M₁ :=

{hf_e₁(h(10)), encrypt(T up₁(10))i, hf_e₁(h(15)), encrypt(T up₁(15))i}

M₂ :=

{hf_e₂(h(12)), encrypt(T up₂(12))i, hf_e₂(h(15)), encrypt(T up₂(15))i}

4. Mediator exchanges message sets (sends M₁ to S₂ and M₂ to S₁) 5. For each hf_e₂(h(a)), encrypt(T up₂(a))i from S₂:

S₁ computes hf_e₁(f_e₂(h(a))), encrypt(T up₂(a))i and sends it to the mediator 6. For each hf_e₁(h(a)), encrypt(T up₁(a))ifrom S₂:

S₂ computes hf_e₂(f_e₁(h(a))), encrypt(T up₁(a))i and sends it to the mediator 7. Mediator looks for messages with identical first component

f_e₁(f_e₂(h(a))) = f_e₂(f_e₁(h(a))) (bijectivity and commutativity properties of f ) and sends result messages hencrypt(T up₁(a)), encrypt(T up₂(a))i to the client 8. Client decrypts result messages with his private keys and constructs result tuples

R₁.A₁ R₁.A_join R₂.A₁ R₂.A_join

(31)

Appendix

(32)

Encryption Scheme 3: Homomorphic Encryption

Delivery Phase based on Private Matching protocol for intersection (Freedman et al., 2004)

1. Assumption: Client has one public key for homomorphic encryption scheme E 2. S₁ forms a polynomial whose roots are the join attribute values a₁, . . . , a_n:

P₁(x) := (a₁ − x) · (a₂ − x) · ... · (a_n − x) = ^Xⁿ

k=0c_kx^k

S₁ encrypts coefficients using client’s key and sends all E(c_k) to mediator 3. S₂ forms a polynomial whose roots are the join attribute values a⁰₁, . . . , a⁰_m:

P₂(x) := (a⁰₁ − x) · (a⁰₂ − x) · ... · (a⁰_m − x) = ^X^m

l=0

d_lx^l

S₂ encrypts coefficients using client’s key and sends all E(d_l) to mediator 4. Mediator exchanges coefficients (E(d ) to S and E(c ) to S )

(33)

5. S₁ evaluates polynomial P₂ on its cleartext join attribute values a₁, . . . , a_n: e_k := E(r_k · P₂(a_k) + (a_k||T up₁(a_k)))

(r_k is a fresh random number and

T up₁(a_k) is set of tuples with join attribute value a_k) S₁ returns all e_k values to mediator

6. S₂ evaluates polynomial P₁ on its cleartext join attribute values a⁰₁, . . . , a⁰_m: e⁰_l := E(r_l⁰ · P₁(a_l⁰) + (a⁰_l||T up₂(a⁰_l)))

S₂ returns all e⁰_l values to mediator

7. Mediator forwards all e_k and e⁰_l values to client 8. Client decrypts them to either a random value,

a value (a_k||T up₁(a_k)) or a value (a⁰_l||T up₂(a⁰_l))

For values (a_k||T up₁(a_k)) and (a⁰_l||T up₂(a⁰_l)) where a_k = a⁰_l, the tuples are joined in the global result