Supporting Less-Than Queries on Encrypted Data using Multi-Server - PowerPoint PPT Presentation

Supporting Less-Than Queries on Encrypted Data using Multi-Server Secret Sharing and Practical Order-Revealing Encryption Nate Chenette ICERM conference on Encrypted Search June 12, 2019

Project Background • Baffle Inc. https://baffle.io/ • Goal: implement fully-fledged database server that provides a strong level of security • “Baffle provides an advanced data protection solution that protects data in memory, in process and at-rest to reduce insider threat and data theft risk.” • Many of their schemes implement searchable encryption! • Security model: multiple servers, assume only one is compromised by an active adversary • Protect as much information as possible, while supporting various query types (addition, equality, comparison) • My role as a consultant: evaluate schemes for comparison operations on encrypted data, specifically involving order-revealing encryption

Baffle System Architecture Client Client plaintexts query response keys Trusted Computer Trusted Computer keys ciphertexts encrypted query encrypted response Cipher SMPC Servers Database Database data Query Support Encryption/Decryption

Functionality and Security Model • Multiple servers • Respond to queries via an efficient collaborative protocol • Addition • Equality • Less-than • Assume an intruder can only compromise one server at a time • Characterize (and minimize) the leakage

Baffle Encryption (& Authentication) • Uses a pseudorandom function F and a MAC M • Secret sharing, Encrypt-then-MAC Plaintext d Trusted Computer Choose random nonce n • Encryption key k Compute pad by running PRF on nonce with enc. key: • Authentication key k a p = F ( k , n ) Compute ciphertext c by subtracting* plaintext from tag: • c = p – d = F ( k , n ) – d Compute MAC: • m = M ( k a , n , c ) ( n , c , m ) *All quantities and operations occur in some finite commutative ring, e.g., the integers mod 256

Baffle Authenticated Decryption • Recall c = F ( k , n ) – d • So, d = F ( k , n ) – c Trusted Computer • To decrypt ( n , c , m ): • Check the MAC: Verify m == M ( k a , n , c ) • If so, re-compute the pad F ( k , n ) from the nonce and subtract. d = F ( k , n ) – c

Database View ( n 1 , c 1 , m 1 ) ( n 2 , c 2 , m 2 ) ( n 3 , c 3 , m 3 ) ( n 4 , c 4 , m 4 ) …

c 1 = F ( k , n 1 ) – d 1 c 2 = F ( k , n 2 ) – d 2 Baffle Encrypted Addition Correctness: c 3 = S + c 1 + c 2 = F ( k , n 3 ) – F ( k , n 1 ) – F ( k , n 2 ) + c 1 + c 2 = F ( k , n 3 ) – ( d 1 + d 2 ) Query from client via ADD ( n 1 , c 1 , m 1 ) Encryption key k trusted computer: to ( n 2 , c 2 , m 2 ) n 1 , n 2 Choose random nonce n 3 Database Server 1 • Compute pad by running PRF on nonce: • p = F ( k , n 3 ) n 3 , S Compute pad difference Compute ciphertext: • • S = p – F ( k , n 1 ) – F ( k , n 2 ) c 3 = S + c 1 + c 2 Cipher tuple of sum is • ( n 3 , c 3 , 0*) Security notes: All of Server 1’s information is independent of plaintext data! *DB can’t compute the MAC, but the trusted • computer could before returning the tuple Database doesn’t have k , so can’t uncover pads from • (independent) nonces.

X V c 1 = F ( k , n 1 ) – d 1 Baffle Encrypted Equality c 2 = F ( k , n 2 ) – d 2 W == Y iff V == X iff d 1 == d 2 Correctness: EQUAL? ( n 1 , c 1 , m 1 ) ( n 2 , c 2 , m 2 ) Check MACs: verify Server 1 • Auth. key k a m 1 == M ( k a , n 1 , c 1 ), m 2 == M ( k a , n 2 , c 2 ) Compute ciphertext difference • n 1 , c 1 , m 1 , V = c 1 – c 2 n 2 , c 2 , m 2 Database Compute • W = EqualityEncryption( k E , V ) W EqualEnc key k E n 1 , n 2 Compute pad difference Server 2 • X = F ( k , n 1 ) – F ( k , n 2 ) Y Compute • Return TRUE iff • Encryption key k Y = EqualityEncryption( k E , X ) W == Y EqualityEncryption preserves equality; details explained on next page Security notes: Again, plaintext-dependent data (at Database & Server 1) has been separated from the ability to decrypt (Server 2). • The ability of the Database to discover sensitive information is dependent on the security of EqualityEncryption. •

EqualityEncryption • In principle, could be any equality-revealing encryption such as deterministic encryption [Bellare, Boldyreva, O’Neill 2007] • As the EqualEnc key is new for each Equality query, Baffle gets away with a simple affine encryption. Use the key k E to generate invertible multiplier 𝛽 and shift β, and compute EqualityEncryption( k E , V ) = 𝛽 V + β • Since 𝛽 is invertible, EqualityEncryption( k E , V ) == 𝛽 V + β == 𝛽 X + β == EqualityEncryption( k E , X ) if and only if V == X .

c 1 = F ( k , n 1 ) – d 1 Encrypted Comparison – First Try c 2 = F ( k , n 2 ) – d 2 LESSTHAN? ( n 1 , c 1 , m 1 ) ( n 2 , c 2 , m 2 ) Check MACs: verify Server 1 • Auth. key k a m 1 == M ( k a , n 1 , c 1 ), m 2 == M ( k a , n 2 , c 2 ) Compute ciphertext difference • n 1 , c 1 , m 1 , V = c 1 – c 2 n 2 , c 2 , m 2 Database Compute • W = OrderRevealingEncryption ( k L , V ) W ORE key k L n 1 , n 2 Compute pad difference Server 2 • X = F ( k , n 1 ) – F ( k , n 2 ) Y Compute • Return result of • Encryption key k Y = OrderRevealingEncryption ( k L , X ) ORE-LessThan ( W , Y ) Correctness (?): d 1 – d 2 = ( F ( k , n 1 ) – c 1 ) – ( F ( k , n 2 ) – c 2 ) So d 1 < d 2 iff d 1 – d 2 < 0 iff X – V < 0 iff = ( F ( k , n 1 ) – F ( k , n 2 )) – ( c 1 – c 2 ) X < V , which matches the result of Wrong!! = X – V ORE-LessThan( W , Y )

Dealing With Signs For simplicity, assume plaintexts are ASCII characters, i.e., in Z 128 • Clarification: arithmetic is performed in Z 256 , represented using (two’s complement) signed bytes, i.e. taking • values in the range [–128,127]. d 1 < d 2 iff d 1 – d 2 < 0 iff X – V < 0 iff X < V Claim from previous page: True, since d 1 and d 2 are assumed True, since False, because of modularity of the to be ASCII characters in the d 1 – d 2 = X – V subtraction. For example, range [0,127] while d 1 – d 2 is in X = 100, V = –30 gives the range [–127,127]. X – V = –126 < 0; X ≥ V . Solution: Let z 0 = x 0 ⨁ v 0 be an indicator for whether the sign bits of X and V differ. • Let 𝓌 be an indicator for whether X 1..7 < V 1..7 , where we are comparing the non-signed parts of X and V . • Then X – V < 0 iff z 0 ⨁ 𝓌 == 1. •

c 1 = F ( k , n 1 ) – d 1 Encrypted Comparison – Corrected c 2 = F ( k , n 2 ) – d 2 LESSTHAN? ( n 1 , c 1 , m 1 ) ( n 2 , c 2 , m 2 ) Check MACs: verify Server 1 • Auth. key k a m 1 == M ( k a , n 1 , c 1 ), m 2 == M ( k a , n 2 , c 2 ) Compute ciphertext difference • n 1 , c 1 , m 1 , V = c 1 – c 2 n 2 , c 2 , m 2 Database Set • W = OrderRevealingEncryption( k L , V 1..7 ) W , v 0 ORE key k L n 1 , n 2 Compute pad difference Server 2 • X = F ( k , n 1 ) – F ( k , n 2 ) Compute z 0 = x 0 ⨁ v 0 • Y , x 0 Set • Encryption key k Let 𝓌 be an indicator for • Y = OrderRevealingEncryption( k L , X 1..7 ) ORE-LessThan( W , Y ) Return TRUE iff • z 0 ⨁ 𝓌 == 1

Baffle Implementation of Comparison • For OrderRevealingEncryption( k L ,·), use a variant of the “Practical Order-Revealing Encryption” scheme [Chenette, Lewi, Weis, Wu 2016] • Leakage: order of V 1..7 and W 1..7 , and the most significant differing bit (MSDB) of V 1..7 and W 1..7 • [Reminder] CLWW scheme: fix a PRF, F . mask (pad) PracticalORE( k L , V 1..7 ) = p 1 ‖ … ‖ p 7 where p j = F ( k L , V 1..( j – 1) ) + v j (mod 3) • Each bit is masked by an element of Z 3 derived from the prefix preceding the bit • Baffle variant, PracticalORE2: essentially the same, but mod 2 instead of mod 3 • Will reveal location of MSDB( V 1..7 , X 1..7 ) but not its value. • In the scheme, also have Server 1 reveal all of V 1..7 to the Database so it can uncover the MSDB values.

c 1 = F ( k , n 1 ) – d 1 Baffle Encrypted Comparison c 2 = F ( k , n 2 ) – d 2 LESSTHAN? ( n 1 , c 1 , m 1 ) ( n 2 , c 2 , m 2 ) Check MACs: verify Server 1 • Auth. key k a m 1 == M ( k a , n 1 , c 1 ), m 2 == M ( k a , n 2 , c 2 ) Compute ciphertext difference • n 1 , c 1 , m 1 , V = c 1 – c 2 n 2 , c 2 , m 2 Database Set • W = PracticalORE2( k L , V 1..7 ) W , V ORE key k L (ephemeral) n 1 , n 2 Compute pad difference Server 2 • X = F ( k , n 1 ) – F ( k , n 2 ) Compute z 0 = x 0 ⨁ v 0 • Y , x 0 Set • Encryption key k If W == Y , let 𝓌 = v 0 ; • Y = PracticalORE2( k L , X 1..7 ) otherwise, let 𝓌 = v j corresponding to the MSDB between W and Y . Return TRUE iff • z 0 ⨁ 𝓌 == 1

Implementation Particulars • Use AES to generate the “pseudorandom” bits in PracticalORE2. • For each prefix-derived mask, the number of AES output bits needed is 1 + [prefix length] • Mask = XOR of all AES bits corresponding to 1’s in the prefix, XORed with the one extra bit. • Extra bit guarantees ≥1 pseudorandom bit used in each mask (even all-0 prefix) • Usage of other bits guarantees that different prefixes’ masks are independent • Example: prefix 01101 pseudorandom bits 101011______ mask XOR(0,1,1,1) = 1 • Relatively efficient: requires only 3 AES blocks to ORE-encrypt a 32-bit character