GRECS: GRaph Encryption for Approx.

Transcription

1 ACM CCS 2015 GRECS: GRaph Encryption for Approx. Shortest Distance Queries Xianrui Meng (Boston University) Seny Kamara (Microsoft Research) Kobbi Nissim (Ben-Gurion U. & CRCS Harvard U.) George Kollios (Boston University) 10/16/15 1

2 Cloud Storage Big Database 2

3 Graph Data Social Networks Communications phone call logs Networks Web crawlers 10/16/15 ACM CCS

4 Outsource Graphs Graph 4

5 Outsourced Graph Data Cloud Server Outsource Client (Data Owner) Query 5

6 Graph Encryption Leakage function Setup Phase Enc K + L 1 Query Phase token Enc K + L 2 6

7 Security Definition Adaptive Chosen Query Attack (CQA-2) Searchable Encryption [Curtmola-Garay-Kamara-Ostrovsky06], [CK10], [CJJKRS13], etc Simulation-based security No efficient adversary can learn any partial information about the data or the queries, beyond what is explicitly allowed by the leakage functions. even for queries that are adversarially-influenced and generated adaptively. 7

8 Leakage function Describe as stateful functions of the input data o o o o Leakage Size ofthe graph Query Pattern, i.e. whether the query has been repeated. Access Pattern, i.e. pointer to the databases. etc 8

9 State of the Art Searchable Encryption (SE) Keyword Search [SWP01, CM05,CGKO06], Boolean queries [CJJKRS13] Range queries [SBCSP 07, LLWB 14] Dynamic SE [KPR12, KP13, SPS 14, NPG 14] Structured data [CK10] Oblivious RAM More secure: does NOT leak access pattern [GO92, SDSCFRYD 13, DSS 14, WNLCSSH 14, LWNHS 15, etc...] Fully HomomorphicEncryption [Gentry09] 9

10 GRECS: GRaph EnCryption for approx. Shortest distance queries 10

11 Querying the Encrypted Graph q = (u, v) Token q Enc(dist(u,v)) Want dist(u, v) d(u,v) * * d(u,v) is the real shortest distance between u and v 11

12 Design a Practical Scheme Low Communication Complexity Reasonable Space Overhead Query Processing Overhead Server: small computation Client : very small computation 12

13 Shortest Distance for Graphs G=(V, E) APSP nxn matrix E.g. Dijkstra's algorithm Query Time O( V log V + E ) O(1) Space O(n) O(n 2 ) Setup Time O(1) O(n 3 ) e.g., Floyd-Warshall!! Want some efficient and compact Data Structure for Fast Shortest Distance Queries. 13

14 Practical Distance Oracle v 1 : v n : sketch for v 1 The sketch is compact! normally O(log V ) Data Structure that is produced by some Randomized Algorithm 14

15 Practical Distance Oracle v 1 : v n : Graph sketches DO returns d s.t. dist d α dist (dist: real shortest distance) Most DOs have to compromise on accuracy: don't return the accurate distance but rather a constantfactor approximation of it. 15

16 Our basic idea: to encrypt the DO v i : v j : (v 3, 2) (v 4, 3) (v 5, 2) (v 8, 1) (v 11, 3) (v 4, 2) (v 2, 2) (v 5, 2) (v 1, 2) (v 8, 2) v 5 v 8 dist(v i, v j ) : minimum{(2+2), (2+1)} 16

17 GRECS GraphEnc 1 GraphEnc 2 GraphEnc 3 Space Complexity Communicatio n Server s Query Complexity Client s Query Complexity O(nlogn) O(nlog 2 n/ ) O(nlogn) O(logn) O(1) O(1) O(1) O(log 2 n/ ) O(logn) O(logn) O(diameter) O(diameter) n = V for G = (V, E) Sketch size is ~ O(logn) GraphEnc 3 leaks a bit of more 17

18 GraphEnc 1 : An Encrypted Storage Approach Map to a token (PRF based) v: (b, 2) (c, 3) (e, 2) (i, 2) (m, 1) Encrypt the distances and node & id s F k (v): Enc[(b, 2)], Enc[(c, 3)],Enc[(e, 2)], Enc[(i, 2)], Enc[(m, 1)] Problem: Query has high Communication Complexity!! 18

19 GraphEnc 2 : Communication-Efficient O(1) Distance Oracle Random Hashing Encode & Encryption Encrypted Graph Database 19

20 Setup: GraphEnc 2 : our basic idea 1. Map v to token: F k (v) 2. Random hashing : h(node_id) 0 h(v 4 ) Enc(B N-d4 ) V: (v 1, d 1 ) (v 2, d 2 ) (v 3, d 3 ) (v 4, d 4 ) h(v 1 ) h(v 3 ) h(v 2 ) Enc(B N-d1 )... Enc(B N-d3 ) Enc(B N-d2 ) L 3.Encode & Encrypt using SWHE (BGN encryption): Enc(B N-dist ) *N is max dist in DO *B is some positive integer 4.Encrypt the rest Enc(0) 20

21 GraphEnc 2 : Query Overview Query: query = (u, v) Token: F k (u), F k (v) F k (u): Enc(a 1 ) Enc(a 2 ) Enc(...) Enc(...) Enc(...) Enc(...) Enc(a l ) Enc (a 1 b a l b l ) F k (v): Enc(b 1 ) Enc(b 2 ) Enc(...) Enc(...) Enc(...) Enc(...) Enc(b l ) homomorphic multiplication: bilinear pairing on ciphertext homomorphic addition: multiplication on ciphertext 21

22 Theorem: with high probability, GRECS:GraphEnc 2 d(u, v) e dist α d(u, v) α e: related # of common nodes in Sketch(u) and Sketch(v) : approximation ratio from Dist. Oracle dist = Dec(Enc(a 1 b a l b l )) Server only returns only one Enc(.)! 22

23 Theorem: with high probability, GRECS:GraphEnc 2 d(u, v) e dist α d(u, v) e: related # of common nodes in Sketch(u) and Sketch(v) α: approximation ratio from Dist. Oracle Security: CQA2-secure against semi-honest adversarial server. Leakage: query pattern, access pattern, V 23

24 GRECS: GraphEnc 3 GraphEnc 3 Constant Communication Complexity Much Lower Space Overhead Much Faster Query Time Leaks a bit of more than GraphEnc 2 Standard leakage similar to SE 24

25 Query Performance V E as-skitter: 1.6M 11M youtube: 1.1M 2.9M gowalla: 0.20M 0.95M enron: 36K 0.37M condmat: 23K 0.19M 3logn 4logn 5logn 6logn Query Processing (GraphcEnc 3 ) *24-core 2.9GHz Intel Xeon, 512 GB RAM 25

26 Distance Accuracy V E as-skitter: 1.6M 11M youtube: 1.1M 2.9M gowalla: 0.20M 0.95M enron: 36K 0.37M condmat: 23K 0.19M 26

27 Subsequent/Ongoing work To support more complex graph queries/graph mining tasks More efficient searchable encrypted graph database Challenge Leakage: how to minimize and control the leakage Trade-off: privacy/performance/space Design schemes that scale to massive data General Queries on Encrypted Graph Structure More details see: 27

28 Thank you very much! Questions? 28