Order Revealing Encryption for Cloud Data

Dan Draper
January 30, 2020

With significant data breaches becoming the daily norm, our approaches to storing data in the cloud, especially with 3rd party providers, need to radically improve.

With the “holy grail” of Fully Homomorphic Encryption (FHE) still years away from practicality, Order Revealing Encryption (ORE) offers a compelling stepping stone to significant data security improvements.

In this talk, I introduce both FHE and ORE, give practical examples, and show how ORE in particular can allow for new security models for protecting data in the cloud.

Links
PG Secret: https://github.com/coderdan/pg_secret (contributions welcome!)
NuFHE https://github.com/nucypher/nufhe
Paillier Ruby https://github.com/DaylightingSociety/Paillier
Block ORE Paper https://www.cs.virginia.edu/dwu4/papers/BlockORE.pdf
The state of HE: https://homomorphicencryption.org

Transcript

  1. 1.
  2. 2.

    Who is CryptoAUSTRALIA?

    • A small not-for-profit started by security and privacy enthusiasts.
    • We are for finding practical ways of dealing with the modern privacy and cybersecurity challenges.
    • We are looking for corporate sponsorship to continue our work.
    • Do you do Bitcoin?
  3. 5.

    OAIC - Q3 2019

    245 Data breaches
    62% malicious attacks
    42% contained financial details
    27% contained health information
  4. 6.
  5. 8.
  6. 10.
  7. 11.
  8. 12.

    Online encryption - storing the CTs

    ID   Name        Email       Age
    1    a1cf45...   bdf3a...    1abc1...
    2    f4a34...    9cda1...    bbc34...
    3    ...

    INSERT INTO users (name, email) VALUES ('a1cf45...', 'bdf3a...');
  9. 13.

    Querying

    SELECT name FROM users where id = 1; -- => a1cf45… (decrypt client side)
  10. 14.

    Querying

    SELECT name FROM users where email = ??;

    E_AES('dan@coderdan.co', k) => atJTx_tFRqDOTCxLdz5f5Sv6YM...
    E_AES('dan@coderdan.co', k) => u1R1UsaYeZq7MKUBI8oebUyem...
    E_AES('dan@coderdan.co', k) => pG1xAtbe6nFRwxhvy5vPAchsJi...

    AES is Chosen Plaintext Secure!*
    *When using appropriate modes such as GCM, CCM or CBC
  11. 15.

    Querying - Reduced Security Assumption

    SELECT name FROM users where email = ??;

    E_HMAC('dan@coderdan.co', k) => rRoXBH1OAg8cLyKWZMDKeDkiIekPzMs...
    E_HMAC('dan@coderdan.co', k) => rRoXBH1OAg8cLyKWZMDKeDkiIekPzMs...
    E_HMAC('dan@coderdan.co', k) => rRoXBH1OAg8cLyKWZMDKeDkiIekPzMs...

    HMAC is deterministic (not CPA secure)
  12. 16.
  13. 17.

    Querying - FORGET IT!

    SELECT name FROM users where age > 21;
    SELECT avg(age) FROM users;
    SELECT age, name FROM users ORDER BY age asc;
  14. 19.
  15. 20.
  16. 21.

    Operations on Data

    Plaintexts:   100 + 200 = 300
    Ciphertexts:  Ax7b… + 4f51… = rTd3...
  17. 22.

    Operations on Data

    Multiplication:  Ax7b… * 4f51… = 67Dv...
    Division:        Ax7b… / 4f51… = uI7d...
    Comparison:      Ax7b… < 4f51… = hG5c...
  18. 24.
  19. 25.

    Performance

    ~ 0.13ms/bit for binary gate
    ~ 200ms for 32 bit add
    NuFHE (CUDA)
    Averaging 1000 32 bit integers: > 3 minutes!
  20. 28.

    Paillier Performance

    Operand (add)   Arithmetic   Paillier   Slow Down
    1               32ns         49us       1513x
    1000            33ns         89us       2672x
    1000000         33ns         118us      3532x

    *On my Linux machine (i7 8700k, 3.7GHz), Single core performance
    Still 2000x faster than NuFHE!
  21. 30.

    OPE

    Defines the comparison operator for ciphertexts encrypted under the scheme (usually a symmetric key).

    cmp(ctxt_a, ctxt_b) => { -1, 0, 1}

    This is different to a PHE scheme for the comparison operator:

    cmp(ctxt_a, ctxt_b) => ctxt_c
  22. 35.
  23. 37.
  24. 38.
  25. 39.

    Security

    Leakage: First block that differs between 2 ciphertexts (e.g. block size 8 bytes)

    [Diagram comparing Val1 and Val2 block by block; values shown: A7C3 B4B1 1 E6B1 E6A9 3; labels: "Block that differs", "Indistinguishable"]

    Pr[Val1 == Val2] = 1/(2^16)
  26. 40.

    Block Size vs Ciphertext Size

    Block Size   Encrypt     Compare   Ciphertext Size
    4            16.50us     0.31us    192 bytes
    8            54.87us     0.63us    224 bytes
    12           721.37us    2.61us    1612 bytes
  27. 41.

    Pros and cons

    Pros
    • Right CTs are Semantically Secure (CPA + CCA)
    • Fast encryption ~ 55us (32bit integer)
    • Fast - comparisons < 1us
    • Based on existing primitives (AES/SHA)
    • Resistant to inference attacks

    Cons
    • Large Ciphertexts (CTR = 224 bytes, 1,000,000 64bit ints ~ 213MB)
    • Weaker than pure AES or FHE (but better than OPE)
    • Difficult to integrate into existing systems
  28. 44.

    pg_secret

    • 2 types - numeric and string
    • Integers are 32 bit, orderable (define <, =, >)
    • Strings are arbitrary length, SIPHASH, not orderable (define only =)
    • 2 independent keys required
  29. 45.
  30. 46.

    Limitations

    • Currently stores both CTL + CTR
    • ORDER BY and GROUP BY will always need both anyway
    • Not battle tested - Don’t use in production (yet)!
  31. 47.

    Links + Resources

    • PG Secret: https://github.com/coderdan/pg_secret (contributions welcome!)
    • NuFHE https://github.com/nucypher/nufhe
    • Paillier Ruby https://github.com/DaylightingSociety/Paillier
    • Block ORE Paper https://www.cs.virginia.edu/dwu4/papers/BlockORE.pdf
    • The state of HE: https://homomorphicencryption.org

    My Twitter: @danieldraper

    Thank you!
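Added example, not code from the talk or from pg_secret: a left/right block ORE following the construction in the linked Block ORE paper, with HMAC-SHA256 standing in as the PRF. `compare` needs no key and returns the index of the first differing block, which is the leakage slide 39 describes; the 4-bit block size, the sort-based keyed permutation and all function names are assumptions made here.

```python
import hashlib, hmac, os

BLOCK_BITS, N_BLOCKS = 4, 8   # assumed parameters: 8 blocks x 4 bits = 32-bit integers
D = 1 << BLOCK_BITS           # number of values one block can take

def prf(key, prefix, v):
    return hmac.new(key, prefix + b"|" + bytes([v]), hashlib.sha256).digest()

def blocks(x):
    """Split x into N_BLOCKS block values, most significant first."""
    return bytes((x >> BLOCK_BITS * (N_BLOCKS - 1 - i)) & (D - 1) for i in range(N_BLOCKS))

def perm(k1, prefix):
    """Keyed shuffle of one block's domain (position -> value), per prefix."""
    return sorted(range(D), key=lambda v: prf(k1, prefix, v))

def mask(token, nonce):   # hash a per-slot token and the nonce to an element of Z_3
    return int.from_bytes(hashlib.sha256(token + nonce).digest(), "big") % 3

def encrypt_left(keys, x):
    """Deterministic left ciphertext, used as the query token."""
    k1, k2 = keys
    xb, out = blocks(x), []
    for i in range(N_BLOCKS):
        pos = perm(k1, xb[:i]).index(xb[i])
        out.append((prf(k2, xb[:i], pos), pos))
    return out

def encrypt_right(keys, y):
    """Randomised right ciphertext, the stored form: fresh nonce per call."""
    k1, k2 = keys
    yb, nonce, rows = blocks(y), os.urandom(16), []
    for i in range(N_BLOCKS):
        p = perm(k1, yb[:i])
        rows.append([((p[j] > yb[i]) - (p[j] < yb[i]) + mask(prf(k2, yb[:i], j), nonce)) % 3
                     for j in range(D)])
    return nonce, rows

def compare(left, right):
    """Keyless comparison: returns (cmp, index of first differing block)."""
    nonce, rows = right
    for i, (token, pos) in enumerate(left):
        r = (rows[i][pos] - mask(token, nonce)) % 3
        if r:
            return (1 if r == 1 else -1), i
    return 0, None

if __name__ == "__main__":
    keys = (os.urandom(32), os.urandom(32))   # two independent keys, generated here
    print(compare(encrypt_left(keys, 0x12345678), encrypt_right(keys, 0x1234A678)))
```

Two right ciphertexts of the same value differ because of the nonce, while the left ciphertext repeats, so only the right side is suitable for storage at rest.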