Order Revealing Encryption for Cloud Data

B67a5912da76f653f8f90f5a046f48f8?s=47 Dan Draper
January 30, 2020

Order Revealing Encryption for Cloud Data

With significant data breaches becoming the daily norm, our approaches to storing data in the cloud, especially with 3rd party providers need to radically improve.

With the “holy grail” of Fully Homomorphic Encryption (FHE) still years away from practicality, Order Revealing Encryption (ORE) offers a compelling stepping stone to significant data security improvements.

In this talk, I introduce both FHE and ORE, practical examples and how, in particular, ORE can allow for new security models for protecting data in the cloud.

Links
PG Secret: https://github.com/coderdan/pg_secret (contributions welcome!)
NuFHE https://github.com/nucypher/nufhe
Paillier Ruby https://github.com/DaylightingSociety/Paillier
Block ORE Paper https://www.cs.virginia.edu/dwu4/papers/BlockORE.pdf
The state of HE: https://homomorphicencryption.org

B67a5912da76f653f8f90f5a046f48f8?s=128

Dan Draper

January 30, 2020
Tweet

Transcript

  1. None
  2. Who is CrypoAUSTRALIA? •A small not-for-profit started by security and

    privacy enthusiasts. •We are for finding practical ways of dealing with the modern privacy and cybersecurity challenges. •We are looking for corporate sponsorship to continue our work. •Do you do Bitcoin?
  3. Next Month’s Event... When:Thursday, March 5, 2020 What:Cryptographic Systems Based

    on Linear Codes Where: Right here!
  4. Order revealing encryption for cloud data Dan Draper, 2020

  5. OAIC - Q3 2019 245 Data breaches 62% malicious attacks

    42% contained financial details 27% contained health information
  6. 2015 80 million records were exfiltrated from Anthem’s medical database

    after DB server credentials were compromised
  7. Transparent Encryption “Encryption at rest”

  8. None
  9. Trust model Who owns the keys?

  10. None
  11. None
  12. Online encryption - storing the CTs ID Name Email Age

    1 a1cf45... bdf3a... 1abc1... 2 f4a34... 9cda1... bbc34... 3 ... INSERT INTO users (name, email) VALUES (‘a1cf45...’, ‘bdf3a…’);
  13. Querying SELECT name FROM users where id = 1; --

    => a1cf45… (decrypt client side)
  14. Querying SELECT name FROM users where email = ??; E

    AES (‘dan@coderdan.co’, k) => atJTx_tFRqDOTCxLdz5f5Sv6YM... E AES (‘dan@coderdan.co’, k) => u1R1UsaYeZq7MKUBI8oebUyem... E AES (‘dan@coderdan.co’, k) => pG1xAtbe6nFRwxhvy5vPAchsJi... AES is Chosen Plaintext Secure!* *When using appropriate modes such as GCM, CCM or CBC
  15. Querying - Reduced Security Assumption SELECT name FROM users where

    email = ??; E HMAC (‘dan@coderdan.co’, k) => rRoXBH1OAg8cLyKWZMDKeDkiIekPzMs... HMAC is deterministic (not CPA secure) E HMAC (‘dan@coderdan.co’, k) => rRoXBH1OAg8cLyKWZMDKeDkiIekPzMs... E HMAC (‘dan@coderdan.co’, k) => rRoXBH1OAg8cLyKWZMDKeDkiIekPzMs...
  16. None
  17. Querying - FORGET IT! SELECT name FROM users where age

    > 21; SELECT average(age) FROM users; SELECT age, name FROM users ORDER BY age asc;
  18. FHE Fully Homomorphic Encryption

  19. None
  20. None
  21. Operations on Data 100 + 200 = 300 Ax7b… +

    4f51… = rTd3... Plaintexts Ciphertexts
  22. Operations on Data Ax7b… * 4f51… = 67Dv... Multiplication Ax7b…

    / 4f51… = uI7d... Division Ax7b… < 4f51… = hG5c... Comparison
  23. Operations on Data f(FHe(a), FHe(b)) ≡ FHe(f(a, b)) Generally

  24. Implementations Library Scheme Introduced Helib BGV, Bootstrapping 2013 PALISADE Lattice,

    multiple 2015 TFHE Torus FHE 2016 NuFHE THFE + CUDA 2018
  25. Performance ~ 0.13ms/bit for binary gate ~ 200ms for 32

    bit add NuFHE (CUDA) Averaging 1000 32 bit integers: > 3 minutes!
  26. Partial HE Homomorphic Encryption for specific operations

  27. Paillier: Addition f() = add() E P (2) + E

    p (3) = E p (2 + 3)
  28. Paillier Performance Operand (add) Arithmetic Paillier Slow Down 1 32ns

    49us 1513x 1000 33ns 89us 2672x 1000000 33ns 118us 3532x *On my Linux machine (i7 8700k, 3.7GHz), Single core performance Still 2000x faster than NuFHE!
  29. Order Preserving Encryption (OPE)

  30. OPE Defines the comparison operator for ciphertexts encrypted under the

    scheme (usually a symmetric key). cmp(ctxt_a, ctxt_b) => { -1, 0, 1} This is different to a PHE scheme for the comparison operator: cmp(ctxt_a, ctxt_b) => ctxt_c
  31. OPE Enc(100) = ABCD... Enc(200) = BA12... Enc(300) = C3FG...

  32. Image credit: Cryptowiki.net

  33. OPE susceptible to “inference” attacks (Naveed et al, 2015)

  34. Order Revealing Encryption (ORE) LW2016: Block-ORE (Wu et al)

  35. CT L CT R

  36. ORE (LW2016) Compare(A L , B R ) => {0,

    1} Defines
  37. None
  38. None
  39. Security Leakage: First block that differs between 2 ciphertexts (e.g.

    block size 8 bytes) A7C3 B4B1 1 E6B1 E6A9 3 Val1 Val2 Block that differs Indistinguishable Pr[Val1 == Val2] = 1/(2^16)
  40. Block Size vs Ciphertext Size Block Size Encrypt Compare Ciphertext

    Size 4 16.50us 0.31us 192 bytes 8 54.87us 0.63us 224 bytes 12 721.37us 2.61us 1612 bytes
  41. Pros and cons Pros Right CTs are Semantically Secure (CPA

    + CCA) Fast encryption ~ 55us (32bit integer) Fast - comparisons < 1us Based on existing primitives (AES/SHA) Resistant to inference attacks Cons Large Ciphertexts (CTR = 224 bytes, 1,000,000 64bit ints ~ 213MB) Weaker than pure AES or FHE (but better than OPE) Difficult to integrate into existing systems
  42. *Depends on your use-case.

  43. PG Secret Implementation of Block-ORE as PostgreSQL extension

  44. pg_secret 2 types - numeric and string Integers are 32

    bit, orderable (define <, =, >) Strings are arbitrary length, SIPHASH, not orderable (define only =) 2 independent keys required
  45. Demo

  46. Limitations • Currently stores both CTL + CTR • ORDER

    BY and GROUP BY will always need both anyway • Not battle tested - Don’t use in production (yet)!
  47. Links + Resources • PG Secret: https://github.com/coderdan/pg_secret (contributions welcome!) •

    NuFHE https://github.com/nucypher/nufhe • Paillier Ruby https://github.com/DaylightingSociety/Paillier • Block ORE Paper https://www.cs.virginia.edu/dwu4/papers/BlockORE.pdf • The state of HE: https://homomorphicencryption.org My Twitter: @danieldraper Thank you!