SQL on Structurally-Encrypted Databases

Transcription

1 SQL on Structurally-Encrypted Databases Seny Kamara Tarik Moataz

2 Q: What is a relational database? 2

3 Relational DB Table or relation Column or attribute Att 1 Att 2 Att 3 Att 4 Att5 Att 6 Att 7 DB = Row or record T 2 T 1 3

4 Structured Query Language SQL is a language for querying relational DBs Example: Select (name, gender, height) From (T 2, T 8 ) Where (age = 36 AND zip = AND gender = F) SQL is the standard way to query a relational DB Standard ANSI/ISO since 1986/1987 4

5 Q: What is Structured Encryption (STE)? 5

6 Structured Encryption (STE) [CK10] DS EDS tk ct Setup(1 k, DS) (K, EDS) Query(EDS, tk) ct Token(K, q) tk 6

7 Structured Encryption (STE) [CK10] DS Setup Leakage L s (DS) EDS Query Leakage L q (DS, q) tk ans Setup(1 k, DS) (K, EDS) Query(EDS, tk) ans Token(K, q) tk 7

8 Structured Encryption (STE) [CK10] We say that an STE is (L S,L Q )-secure if It reveals no information about the structure beyond L S It reveals no information about the structure and queries beyond L Q 8

9 Encrypted Multi-Maps [CK10] Encrypted Multi-Map Encrypted Inverted Index Single Keyword SSE [SWP00], [Goh03], [CGKO06], [CK10], [KPR12], [KP13], [CJJKRS13], [CJJJKRS14], [Bost16], [BMO17], [AKM19] 9

10 Q: How can we encrypt a relational DB? 10

11 Efficiency Functionality Leakage 11

12 Tradeoffs: Efficiency vs. Security Efficiency STE/SSE-based PPE-based skfe-based pkfe-based ORAM-based FHE-based Leakage 12

13 Tradeoffs: Functionality vs. Efficiency Functionality SQL FHE-based ORAM-based PPE-based NoSQL SK-FE-based PK-FE-based STE/SSE-based Efficiency 13

14 Q: Can we design an STE-based Relational EDB? 14

15 Challenges No PPE so no plug-and-play solutions SQL is a declarative language Where do we even start? SQL is complex Combination of many basic query types Most STE schemes handle a single type queries SQL is constructive STE has been optimized for lookup-type queries 15

16 Ch. #1: Declarative => Procedural Relational algebra [Codd70] Set of operations on relations/tables Union Difference Selection Projection Cross product Join (many kinds) RA SQL 16

17 Ch. #2: Complex => Simple SPC algebra [Chandra-Merlin77] Selection, Projection, Cross product Equivalent to Conjunctive SQL queries Any SPC query can be written in a Normal Form: SPC RA SQL 17

18 Select, Project, Cross Product Att 1 Att 2 Att 3 Att 1 Att 2 Att 3 σ " Att 1 Att 2 Att 3 π $,& Att 1 Att 2 Att 3 Att 4 Att 5 Att 6 Att 2 Att 3 Att 1 Att 2 Att 3 Att 4 Att 5 Att 6 18

19 Our Goal Att 1 Att 2 Att 1 Att 3 STE K tk SQL => SPC => NF Att 2 Att 3 Enc K 19

20 Our Results SPX: Encrypted Relational Database First STE scheme for relational DBs Handles non-trivial subset of SQL Sub-linear search and storage complexity (optimal under certain conditions) from any single-keyword SSE SPX + : dynamic SPX Only row addition and deletion from any dynamic single-keyword SSE Sub-linear search and storage complexity (optimal under certain conditions) FP-SPX + : forward-private dynamic SPX poly-logarithmic overhead for updates 20

21 A: Naïve STE-based Relational EDB 21

22 Naïve SPC Algorithm Att 1 Att 2 Att 3 Att 4 Att 5 Att 6 Att 1 Att 2 Att 3 Att 4 Att 5 Att 6 Att 2 Att 6 22

23 Sub-Linear SPC Algorithm Ideally linear in output size: Att 2 Att 6 Att 1 Att 2 Att 3 Att 4 Att 5 Att 6 Less than cross product size: 23

24 Q: Can we achieve sub-linear STE-based EDB? 24

25 SPX Overview Step 1. Heuristic normal form (HNF) instead of the standard normal form Avoid naïve Cartesian product by a push select through product method Step 2. New (plaintext) data structure that supports HNF Different representations of the database to handle different SPC operators Step 3. Encrypted structure that supports HNF queries Chaining technique with a better control of leakage From any single-keyword SSE schemes 25

26 Step 1: Heuristic Normal Form (1) σ " Att 1 Att 2 Att 3 Att 4 Att 5 Att 6 More complicated Correlated/non-correlated Different types of select Push Select through Product Ψ = Ψ 1 Ψ 2 Att 1 Att 2 Att 3 Att 4 Att 5 Att 6 σ "' σ "( 26

27 Step 1: Heuristic Normal Form (2) Att 1 Att 2 Att 3 Att 4 Att 5 Att 6 Att 1 Att 2 Att 3 Att 4 Att 5 Att 6 σ "' σ "( Size Overhead Att 1 Att 2 Att 3 Att 4 Att 5 Att 6 Att 1 Att 2 Att 3 Att 4 Att 5 Att 6 27

28 Step 2: Database representations Att 1 Att 2 Att 3 Att 4 Att 5 DB = T 1 T 2 Row representation Column representation Value representation Cross-value representation 28

29 Step 2: Row / Column representation Row Multi-map MM R (T 1, 1) (T 1, 2) (T 2, 1) Att 1 Att 2 Att 3 Att 4 Att 5 (T 2, 2) (T 2, 3) Column Multi-map MM C (T 1, Att 1 ) (T 1, Att 2 ) (T 2, Att 3 ) (T 2, Att 4 ) (T 2, Att 5 ) 29

30 Step 2: Value representation (1, T 1, Att 1 ) Value Multi-map MM v (T 1, 1) (2, T 1, Att 1 ) (T 1, 2) (CS, T 1, Att 2 ) (T 1, 1) (Math, T 1, Att 2 ) (T 1, 2) Att 1 Att 2 1 CS 2 Math Att 3 Att 4 Att CS 2 45 Math 2 60 CS (1, T 2, Att 3 ) (2, T 2, Att 3 ) (45, T 2, Att 4 ) (T 2, 1) (T 2, 2) (T 2, 3) (T 2, 1) (T 2, 2) (60, T 2, Att 4 ) (T 2, 1) (CS, T 2, Att 5 ) (T 2, 1) (T 2, 3) (Math, T 2, Att 5 ) (T 2, 2) 30

31 Step 2: Cross-Value representation Att 1 Att 2 1 CS 2 Math Att 3 Att 4 Att CS 2 45 Math 2 60 CS ((T 1,Att 1 ), (T 2, Att 3 )) ((T 1,Att 2 ), (T 2, Att 5 )) Cross-Value Multi-map MM Att1 Cross-Value Multi-map MM Att2 (T 1, 1), (T 2, 1) (T 1, 2), (T 2, 2) (T 1, 2), (T 2, 3) (T 1, 1), (T 2, 1) (T 1, 2), (T 2, 3) (T 1, 2), (T 2, 2) 31

32 Step 3: SPX Setup Att 1 Att 2 Setup SPX 1 k, Att 3 Att 4 Att 5 32

33 Step 3: SPX Setup Encrypted Row Multi-map EMM R (T 1, 1) (T 1, 2) (T 2, 1) Encrypted Column Multi-map EMM C (T 1, 1) (T 1, 2) (T 2, 1) Encrypted Value Multi-map EMM v (1, T 1, Att 1 ) (2, T 1, Att 1 ) (CS, T 1, Att 2 ) (T 1, 1) (T 1, 2) (T 1, 1) (T 2, 2) (T 2, 2) (Math, T 1, Att 2 ) (T 1, 2) (T 2, 3) (T 2, 3) (1, T 2, Att 3 ) (T 2, 1), Att 1 Encrypted dictionary EDX Encrypted Cross-Values Multi-map EMM Att1 ((T 1,Att 1 ), (T 2, Att 3 )) (T 1, 1), (T 2, 1) (T 1, 2), (T 2, 2) (T 1, 2), (T 2, 3) (2, T 2, Att 3 ) (45, T 2, Att 4 ) (60, T 2, Att 4 ) (CS, T 2, Att 5 ) (T 2, 2) (T 2, 3) (T 2, 1) (T 2, 2) (T 2, 1) (T 2, 1) (T 2, 3) Att 2 ((T 1,Att 2 ), (T 2, Att 5 )) Encrypted Cross-Values Multi-map EMM Att2 (T 1, 1), (T 2, 1) (T 1, 2), (T 2, 3) (T 1, 2), (T 2, 2) (Math, T 2, Att 5 ) (T 2, 2) 33

34 Step 3: SPX Token (1) Token SPX, Select Att 3 From (T 1, T 2 ) Where T 1.Att 2 = T 2.Att 5 34

35 Step 3: SPX Token (2) 1. Rewrite SQL query to Normal Form att3 att 2 =att 5 T 1 T 2 2. Rewrite Normal Form to Heuristic Normal Form 3. Generate the token Att 2 3 ((T 1, Att 2 ), (T 2, Att 5 )) Dictionary sub-token Projection Sub-token Select Sub-token 35

36 Step 3: SPX Query (1) Encrypted Value Multi-map EMM v Query SPX Att 2 3 ((T 1, Att 2 ), (T 2, Att 5 )), Encrypted Encrypted Row Multi-map EMM R Column Multi-map EMM C Encrypted dictionary EDX 36

37 Step 3: SPX Query (2) Get, Att 2 Att 1 Att 2 Encrypted dictionary EDX Encrypted Cross-Values Multi-map EMM Att1 ((T 1,Att 1 ), (T 2, Att 3 )) ((T 1,Att 2 ), (T 2, Att 5 )) (T 1, 1), (T 2, 1) (T 1, 2), (T 2, 2) (T 1, 2), (T 2, 3) Encrypted Cross-Values Multi-map EMM Att2 (T 1, 1), (T 2, 1) (T 1, 2), (T 2, 3) (T 1, 2), (T 2, 2) ((T 1,Att 2 ), (T 2, Att 5 )) Encrypted Cross-Values Multi-map EMM Att2 (T 1, 1), (T 2, 1) (T 1, 2), (T 2, 3) (T 1, 2), (T 2, 2) 37

38 Step 3: SPX Query (3) Get, Encrypted Cross-Values Multi-map EMM Att2 ((T 1, Att 2 ), (T 2, Att 5 )) ((T 1,Att 2 ), (T 2, Att 5 )) (T 1, 1), (T 2, 1) (T 1, 2), (T 2, 3) (T 1, 2), (T 2, 2) (T 1, 1), (T 2, 1) (T 1, 2), (T 2, 3) (T 1, 2), (T 2, 2) 38

39 Step 3: SPX Query (4) (T 1, 1), (T 2, 1) (T 1, 2), (T 2, 3) Get, (T 1, 1) Encrypted Row Multi-map EMM R (T 1, 1) (T 1, 2) (T 2, 1) (T 2, 2) (T 2, 3) (T 1, 2), (T 2, 2) Temporary Result Table Get (T 2, 1), Encrypted Row Multi-map EMM R 39

40 Step 3: SPX Query (5) (T 1, 1), (T 2, 1) (T 1, 2), (T 2, 3) (T 1, 2), (T 2, 2) Get (T 1, 2), Encrypted Row Multi-map EMM R Temporary Result Table Get (T 2, 3), Encrypted Row Multi-map EMM R Get (T 1, 2), Encrypted Row Multi-map EMM R Get (T 2, 2), Encrypted Row Multi-map EMM R 40

41 Step 3: SPX Query (6) Temporary Result Table Final Result π 3 41

42 Leakage: SPX-OPT vs. PPE-based Query leakage of SPX Cross product pattern Projection pattern Selection pattern Query leakage of PPE-based schemes Cross product pattern Projection pattern Selection pattern Frequency pattern Persistent Existing very strong attacks 42

43 Modularity: SPX-Obliv vs. SPX-OPT Query leakage of SPX-Obliv When the EMMs are oblivious [GO96,SvDS+13,GMP16,KMO18] But comes with extra overhead Query leakage of SPX-OPT 43

44 SPX-OPT Asymptotics Worst-case query complexity with Assuming optimal MM and DX encryption schemes [CK10,CJJ+14] h projected attributes t tables with size each is the size of the result on a plaintext database Mild condition tx If h 1 is constant in, then query time is optimal i=1 s i 44

45 SPX-OPT Asymptotics Communication complexity is optimal Storage depends on the data distribution O(#DB + X #MM att ) att2s Concretely, the big-o hides a multiplicative factor of 3 45

46 Takeaways and Future Work First STE-based encrypted relational database Sub-linear query time (optimal under certain conditions) First (forward-private) dynamic STE-based encrypted relational database Better leakage profile than PPE-based Future research questions: Extend SPX to handle relational algebra Remove interaction in SPX + Extend SPX to handle range sub-predicates Design of new encrypted range solutions is required [KKNO16, LMP17] 46

47 Thank you! 47