Post on 14-Jan-2016
Order-Preserving Symmetric Encryption
Alexandra Boldyreva, Nathan Chenette, Younho Lee and Adam O’Neill
EUROCRYPT 2009, LNCS 5479, pp. 224-241
Outline
Introduction
OPE and Its Security
Lazy Sampling a Random Order-Preserving Function
OPE Scheme and Its Analysis
Conclusion
Introduction
Order-preserving symmetric encryption, OPE. OPE has a long history in the form of one-part codes, going back to the First World War: a one-part code lists plaintexts and their codewords both in alphabetical or numerical order, so that a single list serves for both encryption and decryption. The most valuable recent work is the application of OPE in the database community, proposed by Agrawal et al. in 2004.
Introduction
An OPE scheme must support efficient range queries over encrypted data, where efficient means O(log n) time for n the number of records in the database. Schemes such as HVE and MRQED are inefficient: a query has to scan the whole database.
No provable-security treatment of OPE had been given; the authors set out to fill this gap.
OPE cannot satisfy every security definition; in particular it cannot satisfy IND-CPA.
OPE and Its Security
IND-CPA. Let SE = (K, ENC, DEC) be a symmetric encryption scheme, A an adversary and b ∈ {0,1}. The left-or-right oracle LR(·,·,b) takes (m0, m1) and returns mb. We require that each query (m0, m1) that A makes to its oracle satisfies |m0| = |m1|.

$\mathrm{Exp}^{\text{IND-CPA-}b}_{SE}(A)$:
    $K \leftarrow\$ \mathcal{K}$
    $d \leftarrow\$ A^{\mathrm{ENC}(K,\,\mathrm{LR}(\cdot,\cdot,b))}$
    return $d$

$\mathrm{Adv}^{\text{IND-CPA}}_{SE}(A) = \Pr\big[\mathrm{Exp}^{\text{IND-CPA-1}}_{SE}(A) = 1\big] - \Pr\big[\mathrm{Exp}^{\text{IND-CPA-0}}_{SE}(A) = 1\big]$
OPE and Its Security
OPE cannot satisfy IND-CPA: it is deterministic, and it leaks the order relations among the plaintexts.
Since IND-CPA is out of reach, the authors weaken it and try to let OPE satisfy the weaker notion. Following the IND-DCPA notion (indistinguishability under distinct chosen-plaintext attack) proposed by Bellare et al. in "Authenticated encryption in SSH: provably fixing the SSH binary packet protocol", CCS '02, pp. 1-11, 2002, they propose IND-OCPA (indistinguishability under ordered chosen-plaintext attack).
OPE and Its Security
IND-DCPA. The adversary is restricted to distinct queries: A makes queries $(m_0^1, m_1^1), \dots, (m_0^q, m_1^q)$, and we require that $m_b^1, m_b^2, \dots, m_b^q$ are all distinct for each $b \in \{0,1\}$.
OPE and Its Security
IND-OCPA. A makes queries $(m_0^1, m_1^1), \dots, (m_0^q, m_1^q)$, and we require that the two sequences have the same order pattern: $m_0^i < m_0^j$ iff $m_1^i < m_1^j$ for all $1 \le i, j \le q$.
OPE and Its Security
IND-OCPA looks attainable, but it is in fact useless unless the ciphertext space is exponentially larger than the plaintext space. Let SE = (K, ENC, DEC) be an order-preserving encryption scheme with plaintext-space [M] and ciphertext-space [N], for M, N ∈ ℕ such that $2^{k-1} \le N < 2^k$ for some k ∈ ℕ. Then there exists an IND-OCPA adversary A against SE such that
$\mathrm{Adv}^{\text{IND-OCPA}}_{SE}(A) \ge 1 - \frac{2(k-1)}{M-1}.$
Furthermore, A runs in time O(log N) and makes 3 oracle queries.
OPE and Its Security
Big jump and big reverse-jump. For an order-preserving function $f : [M] \to [N]$, a point $i \in \{3, \dots, M-1\}$ is a big jump if the f-distance to the next point is at least as big as the sum of all the previous distances:
$f(i+1) - f(i) \ge f(i) - f(1).$
Symmetrically, $i \in \{2, \dots, M-2\}$ is a big reverse-jump if
$f(i) - f(i-1) \ge f(M) - f(i).$
OPE and Its Security
Big jump attack. Consider the following IND-OCPA adversary A against SE:

Adversary $A^{\mathrm{ENC}(K,\,\mathrm{LR}(\cdot,\cdot,b))}$:
    $m \leftarrow\$ \{1, \dots, M-1\}$
    $c_1 \leftarrow \mathrm{ENC}(K, \mathrm{LR}(1, m, b))$
    $c_2 \leftarrow \mathrm{ENC}(K, \mathrm{LR}(m, m+1, b))$
    $c_3 \leftarrow \mathrm{ENC}(K, \mathrm{LR}(m+1, M, b))$
    return 1 if $(c_3 - c_2) > (c_2 - c_1)$, else return 0

In the b = 0 world the three ciphertexts are f(1), f(m), f(m+1), so A outputs 1 iff f(m+1) - f(m) > f(m) - f(1); in the b = 1 world they are f(m), f(m+1), f(M), so A outputs 1 iff f(M) - f(m+1) > f(m+1) - f(m).
OPE and Its Security
Big jump attack, worked example. Each value below is given as b = 0 / b = 1.
m = 5: c1 = 24 / 35, c2 = 35 / 36, c3 = 36 / 45, so c3 - c2 = 1 / 9 and c2 - c1 = 11 / 1. The test (c3 - c2) > (c2 - c1) holds only for b = 1, so A guesses b = 0 when b = 0 and b = 1 when b = 1: correct in both worlds.
m = 4: c1 = 24 / 27, c2 = 27 / 35, c3 = 35 / 45, so c3 - c2 = 8 / 10 and c2 - c1 = 3 / 8. Now the test holds in both worlds, so A guesses b = 1 even when b = 0. Here m = 4 is a big jump (f(5) - f(4) = 8 ≥ f(4) - f(1) = 3): big jumps are the values of m on which the attack fails in the b = 0 world, and big reverse-jumps at m + 1 the values on which it fails in the b = 1 world.

We assume that f has j big jumps and j' big reverse-jumps. Every big jump at least doubles f(i) - f(1), which stays below N < 2^k, and symmetrically for reverse-jumps, so j, j' ≤ k - 1. With m uniform over M - 1 values this gives
$\Pr\big[\mathrm{Exp}^{\text{IND-OCPA-1}}_{SE}(A) = 1\big] \ge 1 - \frac{j'}{M-1} \ge 1 - \frac{k-1}{M-1}, \qquad \Pr\big[\mathrm{Exp}^{\text{IND-OCPA-0}}_{SE}(A) = 1\big] \le \frac{j}{M-1} \le \frac{k-1}{M-1},$
and subtracting the two yields the bound $1 - \frac{2(k-1)}{M-1}$ of the theorem.
OPE and Its Security
Big jump attack and OPE schemes. The attack distinguishes ciphertexts that are very close from ciphertexts that are far apart. It shows that any practical OPE scheme inherently leaks more information about the plaintexts than just their ordering: some information about their relative distances.
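As an added example (my own code, not from the paper or these slides), the adversary above run exhaustively over every m, in both worlds, against a constructed order-preserving f : [10] → [N] given by the image set S = {24, 25, 27, 35, 36, 39, 41, 42, 44, 45} from the lazy-sampling figure later on. Because the scheme is deterministic and order-preserving, the ENC oracle is f itself. I restrict m to {1, …, M-2} so that the three queries are valid IND-OCPA queries in both worlds (for m = M-1 the b = 1 queries would repeat M); the big-jump and big-reverse-jump predicates follow the definitions above.

```python
from fractions import Fraction

# Constructed example: an order-preserving f : [10] -> [N] given by its image
# (the set S of the lazy-sampling figure); f(i) = IMAGE[i - 1].
IMAGE = [24, 25, 27, 35, 36, 39, 41, 42, 44, 45]


def big_jumps(img):
    """i in {3..M-1} with f(i+1) - f(i) >= f(i) - f(1)."""
    M = len(img)
    f = lambda i: img[i - 1]
    return [i for i in range(3, M) if f(i + 1) - f(i) >= f(i) - f(1)]


def big_reverse_jumps(img):
    """i in {2..M-2} with f(i) - f(i-1) >= f(M) - f(i)."""
    M = len(img)
    f = lambda i: img[i - 1]
    return [i for i in range(2, M - 1) if f(i) - f(i - 1) >= f(M) - f(i)]


def big_jump_adversary(enc_lr, m, M):
    """The three-query IND-OCPA adversary A for a fixed m.
    enc_lr(m0, m1) is the ENC(K, LR(., ., b)) oracle with b fixed inside it."""
    c1 = enc_lr(1, m)
    c2 = enc_lr(m, m + 1)
    c3 = enc_lr(m + 1, M)
    return 1 if (c3 - c2) > (c2 - c1) else 0


def run_attack(img):
    """Run A for every m in {1..M-2} in the b = 0 and b = 1 experiments.
    Returns (Pr[Exp^0 = 1], Pr[Exp^1 = 1], advantage, m values where A is wrong)
    as exact fractions, with m uniform over the M-2 choices."""
    M = len(img)
    guesses = {}
    for b in (0, 1):
        # Deterministic OPE: the encryption oracle is f on the chosen plaintext.
        def enc_lr(m0, m1, b=b):
            return img[(m1 if b == 1 else m0) - 1]
        guesses[b] = {m: big_jump_adversary(enc_lr, m, M) for m in range(1, M - 1)}
    choices = M - 2
    p0 = Fraction(sum(guesses[0].values()), choices)
    p1 = Fraction(sum(guesses[1].values()), choices)
    wrong = sorted({m for m, g in guesses[0].items() if g == 1}
                   | {m for m, g in guesses[1].items() if g == 0})
    return p0, p1, p1 - p0, wrong


if __name__ == "__main__":
    p0, p1, adv, wrong = run_attack(IMAGE)
    print(f"big jumps: {big_jumps(IMAGE)}, big reverse-jumps: {big_reverse_jumps(IMAGE)}")
    print(f"Pr[Exp^0=1] = {p0}, Pr[Exp^1=1] = {p1}, advantage = {adv}, A wrong at m = {wrong}")
```

For this f the only big jump is i = 3, yet A also errs at m = 1 and m = 2 in the b = 0 world (there f(m+1) - f(m) > f(m) - f(1) holds almost trivially, which is why the big-jump definition starts at i = 3 and the bound counts them separately) and at m = 8 in the b = 1 world; over the 8 admissible values of m the advantage is 1/2. The theorem's bound 1 - 2(k-1)/(M-1) only becomes small when log N is comparable to M, that is, when the ciphertext space is exponential in the plaintext space.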
OPE and Its Security
The authors therefore try a different way of restricting the adversary A in IND-OCPA. In the spirit of pseudorandom functions (PRFs) and pseudorandom permutations (PRPs), the requirement becomes that the adversary cannot distinguish oracle access to ENC (and DEC) of the scheme from oracle access to the corresponding ideal object, a random order-preserving function.
This gives the notion of a pseudorandom order-preserving function under chosen-ciphertext attack, POPF-CCA.
OPE and Its Security
POPF-CCA. Let SE = (K, ENC, DEC) be an order-preserving encryption scheme with plaintext-space D and ciphertext-space R, |D| ≤ |R|, and let $\mathrm{OPF}_{D,R}$ denote the set of all order-preserving functions from D to R. The POPF-CCA advantage of an adversary A against SE is
$\mathrm{Adv}^{\text{POPF-CCA}}_{SE}(A) = \Pr\big[K \leftarrow\$ \mathcal{K} : A^{\mathrm{ENC}(K,\cdot),\,\mathrm{DEC}(K,\cdot)} = 1\big] - \Pr\big[g \leftarrow\$ \mathrm{OPF}_{D,R} : A^{g(\cdot),\,g^{-1}(\cdot)} = 1\big].$
Lazy Sampling a Random Order-Preserving Function
Lazy sampling. POPF-CCA is useful, but we need a way to implement A's oracles in the "ideal" experiment efficiently: how to lazy-sample a random order-preserving function and its inverse. The tool is a connection between a random order-preserving function and the hypergeometric probability distribution.
Lazy Sampling a Random Order-Preserving Function
The set $\mathrm{OPF}_{D,R}$: all order-preserving functions from a domain D of size M to a range R of size N ≥ M. Such a function is determined by its image, so $\mathrm{OPF}_{D,R}$ corresponds to the set of all ways to choose M out of the N ordered range points: $|\mathrm{OPF}_{D,R}| = \binom{N}{M}$.
Lazy Sampling a Random Order-Preserving Function
[Figure: a domain of 10 points mapped into the range by an order-preserving function determined by its image set S = {24, 25, 27, 35, 36, 39, 41, 42, 44, 45}]
Lazy Sampling a Random Order-Preserving Function
For $f \leftarrow\$ \mathrm{OPF}_{D,R}$ with |D| = M, |R| = N, and any x, y with 1 ≤ x ≤ M and 1 ≤ y ≤ N:
$\Pr\big[f(x) \le y < f(x+1)\big] = \frac{\binom{y}{x}\binom{N-y}{M-x}}{\binom{N}{M}}$
(for x = M the condition is just f(M) ≤ y). The event says that exactly x of the M image points lie in {1, …, y}.
Lazy Sampling a Random Order-Preserving Function
Hypergeometric distribution. Hypergeometric experiment: a random sample of size M is selected without replacement from N items, y of which are classified as successes and N - y as failures. The number X of successes in the sample is distributed as
$h(x; N, M, y) = \frac{\binom{y}{x}\binom{N-y}{M-x}}{\binom{N}{M}}.$
Lazy Sampling a Random Order-Preserving Function
Hypergeometric distribution, textbook example. A lot of 40 light bulbs is rejected by quality control if it contains 3 defective bulbs; suppose the inspector picks 5 bulbs at random. What is the probability that exactly 1 defective bulb is found, given that the lot contains 3 defectives? Here N = 40, M = 5, y = 3, and X = the number of defective bulbs found ~ h(x; 40, 5, 3):
$\Pr[X = 1] = h(1; 40, 5, 3) = \frac{\binom{3}{1}\binom{37}{4}}{\binom{40}{5}} \approx 0.301.$
Lazy Sampling a Random Order-Preserving Function
Putting the two formulas side by side shows that they are the same:
$\Pr\big[f(x) \le y < f(x+1)\big] = \frac{\binom{y}{x}\binom{N-y}{M-x}}{\binom{N}{M}} = h(x; N, M, y).$
Choosing the M image points among the N range points is a sample of size M without replacement, and "success" means landing in {1, …, y}; so the number of domain points that a random order-preserving function maps to at most y is hypergeometric, and can be sampled directly from h without sampling the whole function.
Lazy Sampling a Random Order-Preserving Function
The LazySample algorithm. Algorithms LazySample and LazySampleInv lazy-sample a random order-preserving function from domain D to range R, |D| ≤ |R|, and its inverse, respectively. They use two subroutines:
HGD(D, R, y ∈ R) returns x ∈ D such that for each x* ∈ D we have x = x* with probability h(x* - d; |R|, |D|, y - r), where d = min(D) - 1 and r = min(R) - 1.
GetCoins($1^{\ell}$, D, R, b‖z) returns coins cc ∈ {0,1}^ℓ, where b ∈ {0,1}, and z ∈ R if b = 0 and z ∈ D otherwise.
Lazy Sampling a Random Order-Preserving Function
The LazySample algorithm. Joint state: arrays F and I.
Array I: I[D, R, y] stores the HGD output for (D, R, y), i.e. how many points of D are mapped to range points at most y.
Array F: F[D, R, m] stores the image of m under the lazy-sampled function.
Lazy Sampling a Random Order-Preserving Function
The LazySample algorithm. LazySample employs a divide-and-conquer strategy: it maps range gaps to domain gaps in a recursive, binary-search manner. A range gap or domain gap is an imaginary barrier between two consecutive points in the range or in the domain: the range is cut at its middle gap, HGD decides how many domain points fall to the left of the cut (the matching domain gap), and the recursion continues on the half that contains the point being evaluated.
Lazy Sampling a Random Order-Preserving Function
The LazySample algorithm. Suppose GetCoins returns truly random coins on each new input. Then for any algorithm A we have
$\Pr\big[A^{g(\cdot),\,g^{-1}(\cdot)} = 1\big] = \Pr\big[A^{\mathrm{LazySample}(D,R,\cdot),\,\mathrm{LazySampleInv}(D,R,\cdot)} = 1\big],$
where g, g^{-1} denote an order-preserving function picked at random from $\mathrm{OPF}_{D,R}$ and its inverse. That is, the lazily sampled function is distributed exactly like a random order-preserving function.
OPE Scheme and Its Analysis
The TapeGen PRF. LazySample and LazySampleInv cannot be used directly as ENC and DEC: LS and LSI share and update the joint state, arrays F and I, in which the outputs of HGD are stored, and a stateless scheme cannot keep that state between calls. GetCoins is therefore modified: whenever HGD is called, the output of the TapeGen PRF (keyed with the secret key, on the description of the call) is used as the coins, so the entries of F and I are regenerated on demand instead of being stored.
TapeGen is built from three PRFs, a VIL-PRF (variable input length), a VOL-PRF (variable output length) and an LF-PRF (length-flexible); the LF-PRF property is the key one.
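As an added example (my own Python, not the paper's code), a toy OPE[TapeGen]: LazySample's range-halving recursion, with HGD implemented by inverse-transform sampling over the exact hypergeometric pmf h(x; N, M, y) of the lazy-sampling section, and GetCoins replaced by coins derived with HMAC-SHA256 from the key and a label naming the (D, R, y) node, standing in for the TapeGen PRF. The same pmf function reproduces the light-bulb example h(1; 40, 5, 3). The parameters M and N, the key, the label format and the use of HMAC are my choices; computing the pmf with math.comb is fine for the small spaces used here but not for ranges of size 2^80, where the paper relies on an efficient HGD sampler.

```python
import hashlib
import hmac
import math
import random


def hypergeom_pmf(x, N, M, y):
    """h(x; N, M, y): probability that a sample of size M drawn without
    replacement from N items, y of which are successes, has exactly x successes.
    Equals Pr[f(x) <= y < f(x+1)] for a random order-preserving f: [M] -> [N]."""
    if x < 0 or x > M or x > y or M - x > N - y:
        return 0.0
    return math.comb(y, x) * math.comb(N - y, M - x) / math.comb(N, M)


class LazyOPE:
    """Order-preserving encryption [1..M] -> [1..N] that lazy-samples a random
    order-preserving function with LazySample's range-halving recursion.

    Every HGD call and every leaf derives its coins with HMAC-SHA256 from the
    key and a label naming the node (assumed design standing in for TapeGen):
    recomputing a node always gives the same sample, so the joint arrays F and
    I never have to be stored."""

    def __init__(self, key, M, N):
        if not 1 <= M <= N:
            raise ValueError("need 1 <= M <= N")
        self.key, self.M, self.N = key, M, N

    def _coins(self, label):
        digest = hmac.new(self.key, label.encode(), hashlib.sha256).digest()
        return random.Random(int.from_bytes(digest, "big"))

    def _hgd_count(self, d, M, r, N, y):
        """I[D, R, y]: how many of the M image points of the sub-function on
        D = {d+1..d+M}, R = {r+1..r+N} lie in {r+1..y}; distributed as
        h(. ; N, M, y - r).  Inverse-transform sampling over the exact pmf."""
        u = self._coins(f"I|{d}|{M}|{r}|{N}|{y}").random()
        acc = 0.0
        for c in range(M + 1):
            acc += hypergeom_pmf(c, N, M, y - r)
            if u < acc:
                return c
        return M  # guard against floating-point round-off

    def _leaf(self, d, r, N):
        """F[D, R, m] for the single domain point d+1: uniform in {r+1..r+N}."""
        return r + 1 + self._coins(f"F|{d}|{r}|{N}").randrange(N)

    def encrypt(self, m):
        if not 1 <= m <= self.M:
            raise ValueError("plaintext out of range")
        d, M, r, N = 0, self.M, 0, self.N       # D = {d+1..d+M}, R = {r+1..r+N}
        while M > 1:
            y = r + (N + 1) // 2                 # cut the range at its middle gap
            c = self._hgd_count(d, M, r, N, y)   # matching domain gap: c points go left
            if m <= d + c:
                M, N = c, y - r
            else:
                d, M, r, N = d + c, M - c, y, r + N - y
        return self._leaf(d, r, N)

    def decrypt(self, ct):
        """LazySampleInv: follow the same recursion on the range side.
        Returns None when ct is not in the image of the sampled function."""
        if not 1 <= ct <= self.N:
            return None
        d, M, r, N = 0, self.M, 0, self.N
        while M > 1:
            y = r + (N + 1) // 2
            c = self._hgd_count(d, M, r, N, y)
            if ct <= y:
                M, N = c, y - r
            else:
                d, M, r, N = d + c, M - c, y, r + N - y
            if M == 0:                           # no domain point maps into this half
                return None
        return d + 1 if self._leaf(d, r, N) == ct else None

    def image(self):
        return [self.encrypt(m) for m in range(1, self.M + 1)]


def is_order_preserving(ope):
    """True iff the sampled function is strictly increasing into [1..N]."""
    img = ope.image()
    return 1 <= img[0] and img[-1] <= ope.N and all(a < b for a, b in zip(img, img[1:]))


if __name__ == "__main__":
    ope = LazyOPE(b"demo key", M=16, N=64)
    print("image:", ope.image())
    print("order-preserving:", is_order_preserving(ope))
    print("round trip:", all(ope.decrypt(ope.encrypt(m)) == m for m in range(1, 17)))
```

Each encryption makes about log N HGD calls plus one leaf call, which is where the q(log N + 1) PRF queries of the theorem below come from; the labels are the (D, R, y) descriptions whose size is O(log N). Decryption walks the same nodes, so an honest ciphertext always decrypts and a value outside the image is rejected with None rather than mapped to a neighbour.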
OPE Scheme and Its Analysis
The TapeGen PRF. For an adversary A, define its LF-PRF advantage against TapeGen as
$\mathrm{Adv}^{\text{LF-PRF}}_{\text{TapeGen}}(A) = \Pr\big[A^{\mathrm{TapeGen}(K,\cdot)} = 1\big] - \Pr\big[A^{\mathcal{R}(\cdot)} = 1\big],$
where K is a random key and $\mathcal{R}$ is the ideal object, a random function returning fresh random coins for each new input.
OPE Scheme and Its Analysis
Theorem. Let OPE[TapeGen] be the OPE scheme defined above, with plaintext-space of size M and ciphertext-space of size N. Then for any adversary A against OPE[TapeGen] making at most q queries to its oracles combined, there is an adversary B against TapeGen such that
$\mathrm{Adv}^{\text{POPF-CCA}}_{\mathrm{OPE[TapeGen]}}(A) \le \mathrm{Adv}^{\text{LF-PRF}}_{\text{TapeGen}}(B).$
Adversary B makes at most $q_1 = q(\log N + 1)$ queries, each of size at most $5\log N + \lambda$ bits, to its oracle, whose responses total $q_1 \lambda'$ bits on average, and its running time is that of A. Above, λ and λ' are constants depending only on HGD.
OPE Scheme and Its Analysis
On choosing N. Only when [M] and [N] are very large, greater than $2^{80}$, does a random order-preserving function leak information.
Conclusion
The authors make a series of refinements, moving step by step from IND-CPA to the proposal of POPF-CCA. Through the clever combination of LazySample and the hypergeometric distribution, they give an OPE scheme with a provable security proof under POPF-CCA.
How does this apply to my scheme? The authors' OPE maps numbers to numbers; my OPE maps numbers to a braid group. Apply it directly? Modify the proof technique? Modify the scheme?