Pattern Matching on Encrypted Streams
Nicolas Desmoulins (Orange Labs), Pierre-Alain Fouque (Université de Rennes), Cristina Onete (Université de Limoges), Olivier Sanders (Orange Labs)
Asiacrypt 2018, December 03, 2018
Agenda
- Context
- Our Contribution
- Conclusion
Asiacrypt – p 2
Context
End-to-End Encryption
More and more data is encrypted:
- 50% of worldwide traffic is encrypted, 80% expected by 2020
- development of encrypted messaging services (WhatsApp, Signal, ...)

Standard encryption protocols are designed to prevent any processing of the data:
- no possible tradeoff between privacy and functionality
- incompatible with security applications such as IDS

Current solutions imply decryption by a gateway:
- the gateway can access all data exchanged through the channel
- what is the point of end-to-end encryption?
Generic Solutions
- Processing of encrypted data has been extensively studied
- Generic solutions exist but are very complex:
  - fully homomorphic encryption: high computational cost
  - multi-party computation: requires interaction with the gateway / high communication cost
- Solutions tailored to specific tasks can significantly improve efficiency
Pattern Matching
- Example of Snort rules:
    alert tcp ( msg:"MALWARE-BACKDOOR - Dagger 1.4.0"; content:"2|00 00 00 06 00 00 00|Drives|24 00|",depth 16; )
    alert tcp ( msg:"MALWARE-BACKDOOR QAZ Worm Client Login access"; content:"qazwsx.hsq"; )
  (in a content string, text outside |...| is matched literally and the bytes inside |...| are hex; depth 16 restricts the search to the first 16 bytes of the payload)
- Pattern matching is essential to several other applications:
  - searches on genomic data
  - filtering content
  - ...
- Solutions exist but they are unsuitable for data streams
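As an added example (not Snort's code and not part of the slides), the following Python implements just enough of the Snort content syntax to run the two rules above over a payload: the literal/hex content string and the depth modifier. The rule list, the payloads and the function names (parse_content, content_match, scan) are constructed for this illustration; the matcher shows what the gateway has to be able to evaluate, which is the operation the rest of the talk wants to perform on ciphertext.

```python
# Added example: a minimal matcher for the Snort "content" option shown above.
# It is not Snort's code; it implements only the literal/hex content syntax
# and the depth modifier, which is all the two rules on the slide use.


def parse_content(spec):
    """Turn a Snort content string into the raw bytes it matches.

    Text outside |...| is literal; inside the bars is space-separated hex,
    so "2|00 00|Drives|24 00|" becomes b"2\\x00\\x00Drives$\\x00".
    """
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content: %r" % spec)
    out = bytearray()
    for k, part in enumerate(parts):
        # even chunks are literal text, odd chunks are hex escapes
        out += part.encode("latin-1") if k % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def content_match(payload, pattern, depth=None):
    """Offset of the first match honouring Snort's depth modifier, or -1.

    depth N limits the search to the first N bytes of the payload, and the
    whole pattern has to fit inside that window; a 16-byte pattern with
    depth 16 therefore only matches at offset 0.
    """
    window = payload if depth is None else payload[:depth]
    return window.find(pattern)


# (msg, content, depth) taken from the two rules on the slide
RULES = [
    ("MALWARE-BACKDOOR - Dagger 1.4.0",
     "2|00 00 00 06 00 00 00|Drives|24 00|", 16),
    ("MALWARE-BACKDOOR QAZ Worm Client Login access",
     "qazwsx.hsq", None),
]
COMPILED = [(msg, parse_content(spec), depth) for msg, spec, depth in RULES]


def scan(payload):
    """Return the msg of every rule whose content matches the payload."""
    return [msg for msg, pattern, depth in COMPILED
            if content_match(payload, pattern, depth) >= 0]


# Constructed sample payloads (not real captures)
DAGGER = b"2\x00\x00\x00\x06\x00\x00\x00Drives$\x00" + b"C:\\"
SHIFTED = b"\x00" + DAGGER          # same bytes one position later: outside depth 16
QAZ = b"GET / HTTP/1.0\r\nqazwsx.hsq\r\n"

if __name__ == "__main__":
    for name, payload in [("DAGGER", DAGGER), ("SHIFTED", SHIFTED), ("QAZ", QAZ)]:
        print(name, scan(payload))
```

The SHIFTED payload is the point of the depth modifier: the same 16 bytes are present, but because they no longer fit inside the first 16 bytes the rule does not fire. Anything that evaluates such rules on encrypted traffic has to reproduce both the byte comparison and this positional constraint.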
Searchable Encryption
- Symmetric searchable encryption for databases is very efficient but:
  - documents must be associated with keywords ⇒ how to select relevant keywords in our context?
  - not designed for on-the-fly encryption ⇒ unsuitable for data streams
- Standard searchable encryption enables to issue tokens $td_W$ for specific keywords $W$:
  - given $td_W$, the gateway can check whether $C = E_K(W)$
  - the gateway learns no information beyond the result of this query
Dealing with Data Streams
Current solutions follow the sliding window method (keywords: host, hostile; stream: $ h o s t i l e; window length 4):
    C_0 = E_K("$hos"), C_1 = E_K("host"), C_2 = E_K("osti"), C_3 = E_K("stil"), C_4 = E_K("tile")
- Each $C_i$ can be tested using $td_W$
- The process must be repeated for each possible length of keyword (a length-7 keyword such as hostile needs its own set of ciphertexts)
- Splitting keywords into smaller ones of fixed length (hostile searched as host followed by tile) severely harms privacy: thousands of (potentially long) keywords to split, and the gateway then gets a token for every piece
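To make the cost of the sliding-window baseline concrete, here is an added example (not code from the slides or the authors) that simulates it: a keyed hash stands in for the searchable-encryption ciphertext/trapdoor pair, under the assumption that a window token equal to the keyword token is a positive test. It is deterministic, so unlike a real scheme it also reveals repeated windows without any trapdoor; that is fine for counting ciphertexts and tokens, which is what it shows. The function names, the key and the stream "$hostile" are constructed.

```python
import hashlib
import hmac

# Added example of the sliding-window approach. A keyed hash stands in for
# the searchable-encryption ciphertext/trapdoor pair (assumption: a window
# token equal to the keyword token is a positive test); it is deterministic,
# so unlike a real scheme it also reveals repeated windows without a trapdoor.


def window_token(key, text):
    """F_K(len || text): token for one window of the stream or one keyword."""
    msg = ("%d:%s" % (len(text), text)).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def sliding_window_encrypt(key, stream, lengths):
    """One list of tokens per supported keyword length: C_i = F_K(stream[i:i+l]).

    Cost: len(stream) - l + 1 tokens for every length l the receiver wants
    the gateway to be able to search for.
    """
    return {l: [window_token(key, stream[i:i + l])
                for i in range(len(stream) - l + 1)]
            for l in lengths}


def sliding_window_test(ct, l, td):
    """Offsets i whose C_i equals td_W; empty if length l was never encrypted."""
    return [i for i, c in enumerate(ct.get(l, [])) if c == td]


def search_split(ct, key, keyword, l):
    """Search a keyword longer than l with length-l windows only.

    The keyword is cut into l-sized pieces (the last piece overlaps the
    previous one if needed) and every piece must be found at a consistent
    offset. Returns the offsets and the pieces the gateway had to be given
    tokens for: it can now spot each piece on its own, anywhere in the stream.
    """
    if len(keyword) < l:
        raise ValueError("keyword shorter than the window length")
    pieces = [(off, keyword[off:off + l]) for off in range(0, len(keyword) - l + 1, l)]
    if pieces[-1][0] + l < len(keyword):
        pieces.append((len(keyword) - l, keyword[-l:]))
    hits = None
    for off, piece in pieces:
        here = {i - off for i in sliding_window_test(ct, l, window_token(key, piece))}
        hits = here if hits is None else hits & here
    return sorted(hits), [p for _, p in pieces]


def demo():
    key = b"\x01" * 32                      # constructed key
    ct = sliding_window_encrypt(key, "$hostile", {4})
    host = sliding_window_test(ct, 4, window_token(key, "host"))        # [1]
    hostile = sliding_window_test(ct, 7, window_token(key, "hostile"))  # []: no length-7 windows
    split = search_split(ct, key, "hostile", 4)                         # ([1], ['host', 'tile'])
    return host, hostile, split


if __name__ == "__main__":
    print(demo())
```

With only length-4 windows, "hostile" cannot be tested directly; it is found by giving the gateway tokens for "host" and "tile" and checking that they hit three positions apart, which is exactly the privacy loss the slide describes. Supporting the length directly instead costs another full pass of ciphertexts for length 7, and so on for every length in the rule set.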
Anonymous Predicate Encryption
- Anonymous predicate encryption enables to encrypt for a set of attributes $A_1, \dots, A_n$
- A secret key $sk_P$ is associated with a predicate $P$: $C$ can be decrypted $\Leftrightarrow P(A_1, \dots, A_n) = 1$
- No other information is leaked on the attributes of $C$
- Efficient solutions exist for predicates $P$ such that $P(A_1, \dots, A_n) = 1 \Leftrightarrow A_i = Y_i\ \forall i \in I \subset [1, n]$ (equality on a chosen subset of positions, wildcards elsewhere)
Dealing with Data Streams
Each character is considered as an attribute (keyword: host).
    plaintext:   $ h o s t i l e
    P_{host,0}:  h o s t * * * *
    P_{host,1}:  * h o s t * * *
    P_{host,2}:  * * h o s t * *
    P_{host,3}:  * * * h o s t *
    P_{host,4}:  * * * * h o s t
- A predicate is defined for each keyword and each possible offset
- $sk_{P_{host,j}}$ enables to check if the plaintext contains host at offset $j$
- Secret keys must be issued for each possible offset
Our Goals
We want an encryption scheme such that:
- pattern matching is possible anywhere in the ciphertext
- encryption is independent of the searchable keywords ⇒ ciphertexts should be compatible with keywords of any length
- $td_W$ allows for searches at any possible offset ⇒ not one token per possible offset
Our Contribution
SEST
We introduce a new primitive, Searchable Encryption with Shiftable Trapdoors (SEST).
- Similar to predicate encryption
- A Test algorithm run on $E_K(b_1 \dots b_m)$ and a trapdoor for $W = w_1 \dots w_\ell$ returns $J = \{\, j : b_{j+1} \dots b_{j+\ell} = w_1 \dots w_\ell \,\}$
- Security requires indistinguishability of two encrypted bitstrings, unless the issued trapdoors enable trivial distinctions (i.e. Test would return different offset sets $J$ on the two strings)
Bilinear Groups
We construct a scheme based on asymmetric bilinear groups.
- Bilinear groups: three groups $G_1$, $G_2$ and $G_T$ of prime order $p$ along with a map $e : G_1 \times G_2 \to G_T$ such that
  - $e(g^a, \hat{g}^b) = e(g, \hat{g})^{a \cdot b}$ for all $(g, \hat{g}) \in G_1 \times G_2$ and $a, b \in \mathbb{Z}_p$
  - $e(g, \hat{g}) = 1_{G_T} \Rightarrow g = 1_{G_1}$ or $\hat{g} = 1_{G_2}$
- Asymmetry: no efficiently computable isomorphism between $G_1$ and $G_2$ exists (a "type-3" pairing)
- Such groups are easily instantiated using pairing-friendly elliptic curves
Intuition - Step 1
Let us consider bitstrings $B = b_1 \dots b_n$.
- We define secret encodings $\alpha_0, \alpha_1 \in \mathbb{Z}_p$ associated with 0 and 1
- We select a secret $z \in \mathbb{Z}_p$ defining a public "basis" $(g, g^z, \dots, g^{z^{n-1}})$ of $G_1^n$
- Encryption of $B$ is performed by
  1. randomizing the basis: $(C_1, \dots, C_n) \leftarrow (g^a, (g^z)^a, \dots, (g^{z^{n-1}})^a)$ for $a \xleftarrow{\$} \mathbb{Z}_p$, i.e. $C_i = g^{a z^{i-1}}$
  2. "projecting" $B$ on this basis: $(C'_1, \dots, C'_n) \leftarrow (C_1^{\alpha_{b_1}}, \dots, C_n^{\alpha_{b_n}})$, i.e. $C'_i = g^{a \alpha_{b_i} z^{i-1}}$
Trapdoors
- The secret key is $sk = \{z, \alpha_0, \alpha_1\}$
- To issue a trapdoor $td_W$ for $W = w_1 \dots w_\ell$:
  1. generate random scalars $v_1, \dots, v_\ell \xleftarrow{\$} \mathbb{Z}_p$
  2. compute $\hat{g}^{v_i}$ in $G_2$
  3. compute $\hat{g}^V$ with $V = \sum_{i=1}^{\ell} v_i \cdot \alpha_{w_i} \cdot z^{i-1}$
  4. return $td_W = \{\hat{g}^{v_1}, \dots, \hat{g}^{v_\ell}, \hat{g}^V\}$
- Each trapdoor is associated with a random polynomial $V$ (in $z$)
- Random coefficients $v_i$ are used to prevent trapdoor forgeries
Intuition - Step 2
Worked example: $B = 0\,1\,1\,0\,1$ and $W = 1\,1\,0$ ($\ell = 3$).
Ciphertext (the $\alpha_{b_i}$ are read off $B$):
    $C_1 = g^{a}$, $C_2 = g^{az}$, $C_3 = g^{az^2}$
    $C'_1 = g^{a\alpha_0}$, $C'_2 = g^{a\alpha_1 z}$, $C'_3 = g^{a\alpha_1 z^2}$, $C'_4 = g^{a\alpha_0 z^3}$, $C'_5 = g^{a\alpha_1 z^4}$
Consecutive $C'_i$ can be aggregated to generate $e(g, \hat{g})^{a P(z, \alpha_0, \alpha_1)}$, which is compared with $e(C_{j+1}, \hat{g}^V) = e(g, \hat{g})^{a z^j V}$:

Offset 0: $e(C'_1, \hat{g}^{v_1})\, e(C'_2, \hat{g}^{v_2})\, e(C'_3, \hat{g}^{v_3}) = e(g, \hat{g})^{a(v_1 \alpha_0 + v_2 \alpha_1 z + v_3 \alpha_1 z^2)}$, whereas $e(C_1, \hat{g}^V) = e(g, \hat{g})^{a(v_1 \alpha_1 + v_2 \alpha_1 z + v_3 \alpha_0 z^2)}$: no match ($011 \neq 110$)

Offset 1: $e(C'_2, \hat{g}^{v_1})\, e(C'_3, \hat{g}^{v_2})\, e(C'_4, \hat{g}^{v_3}) = e(g, \hat{g})^{a(v_1 \alpha_1 z + v_2 \alpha_1 z^2 + v_3 \alpha_0 z^3)} = e(C_2, \hat{g}^V)$: match ($110 = W$)

Offset 2: $e(C'_3, \hat{g}^{v_1})\, e(C'_4, \hat{g}^{v_2})\, e(C'_5, \hat{g}^{v_3}) = e(g, \hat{g})^{a(v_1 \alpha_1 z^2 + v_2 \alpha_0 z^3 + v_3 \alpha_1 z^4)}$, whereas $e(C_3, \hat{g}^V) = e(g, \hat{g})^{a(v_1 \alpha_1 z^2 + v_2 \alpha_1 z^3 + v_3 \alpha_0 z^4)}$: no match ($101 \neq 110$)

- $B$ contains $W$ at offset $j$ $\Leftrightarrow$ $P = z^j \cdot V$ (the slide's "$P = z * V$" for offset 1), i.e. $\sum_{i=1}^{\ell} v_i \alpha_{b_{j+i}} z^{j+i-1} = \sum_{i=1}^{\ell} v_i \alpha_{w_i} z^{j+i-1}$; for a mismatch the two exponents differ except with negligible probability over the random $v_i$, $z$ and $\alpha$
- The same $td_W$ is "shifted" along the ciphertext simply by pairing with $C_{j+1}$ instead of $C_1$: keywords of any size can be tested, at any offset, with a single trapdoor, and the gateway learns only the offsets $J$
Features
- Our construction can handle any kind of strings (bytestrings, ...)
- Our construction supports wildcards:
  - Let $W = w_1 \dots w_{k-1} * w_{k+1} \dots w_\ell$
  - The associated coefficient $v_k$ in $td_W$ is set to 0 ⇒ the $k$-th element of a substring is no longer taken into account
- We can handle certain types of regular expressions by defining special encodings, e.g. $\epsilon([0\text{-}9]) = \beta_1 \in \mathbb{Z}_p$, $\epsilon([a\text{-}z]) = \beta_2$, ...
- Our construction is proven secure in the generic group model
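The following is an added example (not code from the paper or its authors) that runs Step 1, the trapdoor generation and the Test of Step 2 above, including the wildcard rule from this slide. It works in the exponent: every group element $g^x$, $\hat{g}^x$ or $e(g,\hat{g})^x$ is represented by the scalar $x \bmod p$, so a pairing becomes a product of scalars and the polynomial identity $P = z^j V$ can be checked directly. This verifies the algebra; it hides nothing, since a real instantiation keeps $x$ inside a pairing group the gateway cannot invert. Assumptions: the toy prime P, one secret encoding per alphabet symbol (the slides' $\alpha_0, \alpha_1$ generalised to bytestrings), and the names SESTModel, sest_test and demo.

```python
import secrets

# Toy prime standing in for the group order p (assumption: only needs to make
# an accidental equality of the two exponents negligible; a real deployment
# uses the order of a pairing-friendly curve group).
P = 2**127 - 1


def _rand_scalar():
    """Non-zero element of Z_p."""
    return secrets.randbelow(P - 1) + 1


class SESTModel:
    """Exponent-level model of the SEST construction on the slides.

    g^x, ĝ^x and e(g,ĝ)^x are all represented by x mod p, so the pairing
    e(g^x, ĝ^y) = e(g,ĝ)^{xy} is the product x*y mod p. This checks the
    algebra of Test exactly but keeps no secret: in the real scheme the
    gateway only ever sees group elements, never z, alpha or a.
    """

    def __init__(self, alphabet):
        # sk = {z, alpha_s for every symbol s}; the slides use alpha_0, alpha_1
        # for bits and state that any alphabet works (assumption: one encoding
        # per symbol).
        self.z = _rand_scalar()
        self.alpha = {s: _rand_scalar() for s in alphabet}

    def encrypt(self, B):
        """E_K(B) for B = b_1 ... b_n, returned as (C, C') lists of exponents."""
        a = _rand_scalar()                                      # fresh per ciphertext
        C = [a * pow(self.z, i, P) % P for i in range(len(B))]  # C_{i+1} = g^{a z^i}
        Cp = [c * self.alpha[b] % P for c, b in zip(C, B)]     # C'_{i+1} = C_{i+1}^{alpha_b}
        return C, Cp

    def trapdoor(self, W):
        """td_W for W = w_1 ... w_l; '*' is a wildcard, handled by v_k = 0."""
        v = [0 if w == "*" else _rand_scalar() for w in W]
        V = 0                                                   # V = sum_i v_i alpha_{w_i} z^{i-1}
        for i, (vi, w) in enumerate(zip(v, W)):
            if vi:                                              # wildcard terms vanish
                V = (V + vi * self.alpha[w] * pow(self.z, i, P)) % P
        return v, V                                             # (ĝ^{v_1..v_l}, ĝ^V)


def sest_test(ct, td):
    """Test(E_K(B), td_W): the set J of offsets j with b_{j+1} ... b_{j+l} = W.

    Uses only the ciphertext and the trapdoor, never sk.
    """
    C, Cp = ct
    v, V = td
    l = len(v)
    J = []
    for j in range(len(C) - l + 1):
        # prod_i e(C'_{j+i}, ĝ^{v_i}) = e(g,ĝ)^{a sum_i v_i alpha_{b_{j+i}} z^{j+i-1}}
        lhs = sum(Cp[j + i] * v[i] for i in range(l)) % P
        # e(C_{j+1}, ĝ^V) = e(g,ĝ)^{a z^j V} = e(g,ĝ)^{a sum_i v_i alpha_{w_i} z^{j+i-1}}
        rhs = C[j] * V % P
        if lhs == rhs:
            J.append(j)
    return J


def demo():
    """The slide's example, a wildcard search and a bytestring search."""
    bits = SESTModel("01")
    ct = bits.encrypt("01101")                          # constructed input from the slide
    slide = sest_test(ct, bits.trapdoor("110"))         # [1]
    wild = sest_test(ct, bits.trapdoor("1*1"))          # [2]

    ascii_ = SESTModel(map(chr, range(128)))
    ct2 = ascii_.encrypt("the hostile host")            # constructed input
    host = sest_test(ct2, ascii_.trapdoor("host"))      # [4, 12]
    return slide, wild, host


if __name__ == "__main__":
    print(demo())
```

One trapdoor for "host" finds both occurrences, at offsets 4 and 12, without ever having been issued for an offset: sest_test just moves the pairing partner from C_{j+1} to C_{j+2}. The wildcard query "1*1" matches "101" at offset 2 because its middle coefficient is zero, so the middle ciphertext element contributes nothing to either side; note that a zero v_k is visible to whoever holds the trapdoor, so wildcard positions are not hidden from the gateway.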