Security of Stateful Order-Preserving Encryption

Transcription

1 Security of Stateful Order-Preserving Encryption Kee Sung Kim, Minkyu Kim, Dongsoo Lee, JeHong Park, Woo-Hwan Kim National Security Research Institute(NSR) Nov. 29, ICISC 2017

2 Introduction of OPE

3 Introduction of OPE Introduction With the advent of cloud computing, cloud storage services whose purpose is to store and manage sensitive user data are becoming common. The basic approach for protecting the confidentiality of data stored in the untrusted cloud storage is to encrypt data using general symmetric encryption schemes. Semantic security destroys any ability to perform useful operations on encrypted data (even basic search) except decryption. OPE(Order-Preserving Encryption) OPE preserves numerical ordering of the plaintexts, so it enables a client to perform efficient range queries on the encrypted data.

4 Introduction of OPE Order preserving encryption (OPE) reflects the plaintext size order in the ciphertext Not secure if the plaintext and ciphertext spaces are the same size Generally, the ciphertext space is larger than the plaintext space m 0 < m 1 E k (m 0 ) < E k (m 1 ) General Encryption Insecure OPE OPE

5 Introduction of OPE Two different ways constructing OPE schemes. General Type: Stateless(Low Security & Middle Performance) Protocol Type: Stateful + Ciphertext Update (High Security & Low Performance) Scheme Type Client s Key Size Ciphertext Update Security Level Encryption Performance General [EURO 09, ASIA 14] O(1) (Stateless) X Low (Relaxed KPA) Middle (Sampling Algorithm) Protocol [S&P 13, CCS 14] O( M ) (Stateful) O High (Ideal) Low (Update Time) [EURO 09] A. Boldyreva et al., Order-Preserving Symmetric Encryption. [S&P 13] R. A. Popa et. al., A Ideal-Security Protocol for Order-Preserving Encoding. [CCS 14] F. Kerschbaum et al., Optimal Average-Complexity Ideal-Security Order-Preserving Encryption. [ASIA 14] I. Teranishi et al., Order-preserving encryption secure beyond one-wayness.

6 Introduction of OPE Two different ways constructing OPE schemes. General Type: Stateless(Low Security & Middle Performance) Protocol Type: Stateful + Ciphertext Update (High Security & Low Performance) Scheme Type Client s Key Size Ciphertext Update Security Level Encryption Performance General [EURO 09, ASIA 14] O(1) (Stateless) X Low (Relaxed KPA) Middle (Sampling Algorithm) New (Ours) Protocol [S&P 13, CCS 14] O( M ) (Stateful) O Middle High (Ideal) High Low (Update Time) Our Goal: Stateful without Update (Middle Security & High Performance)

7 Security Model

8 Security Model Ideal Security(IND-OCPA) Ciphertexts reveal no additional information beyond the order of the plaintext [EURO 09] A. Boldyreva et al., Order-Preserving Symmetric Encryption. Impossible to guarantee ideal security in both stateful/stateless OPE [S&P 13] R. A. Popa et. al., A Ideal-Security Protocol for Order-Preserving Encoding. Enc. Oracle m n q, m q q, m n u, m q u,, m n w, m q w Adversary E m y q, E m y u,, E(m y w ) b m n o < m n p iff m q o < m q p for all 1 i, j q

9 Security Model Relaxed Ideal Security (δ - IND-OCPA) A generalized security model that defines security level δ which means the ratio of protected information δ=1 means IND-OCPA IND-OCPA δ - IND-OCPA Plaintext Space m q Ideally Secure m u Plaintext Space m q Our Goal m u Secure Part c q Ciphertext Space c { c u c q Ciphertext Space c { c u Security level = log Secure spacet / log m u m q δ = min{security level}

10 Proposed Scheme

11 Proposed Scheme Main Idea Guarantee δ - IND-OCPA Even if the encryption process is performed, the size ratio of the divided plaintext and ciphertext is maintained. 1 st Partitioned Plaintext Space M q M u 2 nd Partitioned Plaintext Space C q > M q u C u > M u u 1 st Partitioned Ciphertext Space 2 nd Partitioned Ciphertext Space

12 Proposed Scheme Partitioning Algorithm Use the algorithm Find( ) to calculate the appropriate position of m 3 that can preserve the ciphertext space. Composed of simple integer operations including exponentiation Contains procedures to prevent exposure of plaintext information during encryption m q m { m u m { m q m u m { Plaintext Space Ciphertext Space c m { m q m u m { q Candidate of c u new ciphertext c {

13 Proposed Scheme Partitioning Algorithm Even if the values of m 1, m 2, c 1, c 2 and c 3 are known, it is difficult to find the value of m 3 Security Level δ = š œ q žÿ w œ c { c q q/ c u c { q/ m q m { Secure! m u Plaintext Space Ciphertext Space c c c u c { q { c q c { c u

14 Proposed Scheme Security Analysis Satisfies δ=(d-1)/d, when PT is n-bit and CT is d*n-bit High Efficiency Simple arithmetic operation Based on square and square root operation No update of ciphertext is required Scheme Type Client s Key Size Ciphertext Update Security Level Encryption Performance General New (Ours) Protocol O(1) (Stateless) O( M ) (Stateful) X O Low (Partial KPA) Middle (δ-ind-ocpa) High (IND-OCPA) Middle (Sampling Algorithm) High (Simple Arithmetic) Low (Update Time)

15 Working Scenario

16 Working Scenario Plaintext Should be convertible as integer format Number, Fixed length string (or first n bits of value) Ciphertext DETerministic Encryption: Block Cipher(128bit) Order Preserving Encryption: Ours(d*n bit) Model Almost same as protocol based OPE algorithm Client Storage (DBMS) [DET, OPE, Others] OPE DB [PT*, OPE] *. Depending on the environment, DET ciphertext can be used instead of plaintext.

17 Working Scenario Insertion OPE algorithm is used DET Ciphertext and OPE Ciphertext are sent (5) Encrypt DET ciphertext Client (6) Send insertion query with OPE, DET ciphertext Storage (DBMS) [DET, OPE, Others] (4) Return OPE Ciphertext OPE DB [PT, OPE] (1) Request OPE Ciphertext (2) Perform OPE algorithm (2-1) Search two OPE DB values closest to plaintext (2-2) Derive ciphertext using partitioning algorithm (3) Store OPE ciphertext in OPE DB No ciphertext update procedure is required!

18 Working Scenario Search (Simple Query) Only DET Ciphertext is used (1) Send search query Client Storage (DBMS) [DET, OPE, Others] (3) Decrypt DET ciphertext (2) Return results with DET ciphertext OPE DB [PT, OPE]

19 Working Scenario Search (Range Query) OPE DB is used, but OPE algorithm can be not. (4) Modify query with OPE ciphertext (7) Decrypt DET ciphertext Client (3) Return OPE CT (5) Send range search query with OPE ciphertext Storage (DBMS) [DET, OPE, Others] (6) Return results with DET ciphertext OPE DB [PT, OPE] (1) Request the nearest ciphertext considering the comparison operator( <, =, > ) (2) Search the nearest OPE ciphertext for the requested plaintext

20 Evaluation

21 Evaluation Environment Configuration Intel i7-4790, DDR3 16GB, Samsung 850 PRO 512GB Linux Mint 18(64bit) Perform client, DBMS, and OPE DB at same time on a single computer In the real environment, network latency should be included Implementation C++14, libgmp, boost multi-precision library, AES-NI SQLite(OPE DB), Maria DB(Storage) Evaluation Measurement Measurement Linear Correlation Encryption Speed(Latency)

22 Evaluation Linear Correlation The lower the linear coefficient, the better BCLO: bad linear coefficient (1.00) Ours: various linear coefficients depending on the size of the ciphertext. Sometimes the best.

23 Evaluation Encryption Performance Latency perspective (us) Communication time is excluded BCLO: Require multiple block encryption Ours: Slightly more execution time than KS. However, no update procedure is required.

24 Thank you for your attention Questions?

25 Appendix

26 Appendix Insertion with Update (Protocol Type) When there is not enough ciphertext space Ciphertext update procedure* is required (6) Encrypt DET ciphertext Client (5) Return OPE ciphertext with update signal OPE DB [PT, OPE] (2) Perform OPE algorithm (2-1) Found that update procedure is required (3) Perform ciphertext update procedure (4) Perform OPE algorithm (6) Store OPE ciphertext in OPE DB (7) Send update signal (9) Send insertion query with OPE, DET ciphertext (1) Request OPE Ciphertext *. Improved update procedures are included as an appendix to the paper. Storage (DBMS) [DET, OPE, Others] (8) Perform ciphertext update procedure