Order Revealing Encryption for Cloud Data

Transcript

1. None

2. Who is CrypoAUSTRALIA? •A small not-for-profit started by security and

   privacy enthusiasts. •We are for finding practical ways of dealing with the modern privacy and cybersecurity challenges. •We are looking for corporate sponsorship to continue our work. •Do you do Bitcoin?

3. Next Month’s Event... When:Thursday, March 5, 2020 What:Cryptographic Systems Based

   on Linear Codes Where: Right here!

4. Order revealing encryption for cloud data Dan Draper, 2020

5. OAIC - Q3 2019 245 Data breaches 62% malicious attacks

   42% contained financial details 27% contained health information

6. 2015 80 million records were exfiltrated from Anthem’s medical database

   after DB server credentials were compromised

7. Transparent Encryption “Encryption at rest”

8. None

9. Trust model Who owns the keys?

10. None
11. None

12. Online encryption - storing the CTs ID Name Email Age

    1 a1cf45... bdf3a... 1abc1... 2 f4a34... 9cda1... bbc34... 3 ... INSERT INTO users (name, email) VALUES (‘a1cf45...’, ‘bdf3a…’);

13. Querying SELECT name FROM users where id = 1; --

    => a1cf45… (decrypt client side)

14. Querying SELECT name FROM users where email = ??; E

    AES (‘[email protected]’, k) => atJTx_tFRqDOTCxLdz5f5Sv6YM... E AES (‘[email protected]’, k) => u1R1UsaYeZq7MKUBI8oebUyem... E AES (‘[email protected]’, k) => pG1xAtbe6nFRwxhvy5vPAchsJi... AES is Chosen Plaintext Secure!* *When using appropriate modes such as GCM, CCM or CBC

15. Querying - Reduced Security Assumption SELECT name FROM users where

    email = ??; E HMAC (‘[email protected]’, k) => rRoXBH1OAg8cLyKWZMDKeDkiIekPzMs... HMAC is deterministic (not CPA secure) E HMAC (‘[email protected]’, k) => rRoXBH1OAg8cLyKWZMDKeDkiIekPzMs... E HMAC (‘[email protected]’, k) => rRoXBH1OAg8cLyKWZMDKeDkiIekPzMs...
16. None

17. Querying - FORGET IT! SELECT name FROM users where age

    > 21; SELECT average(age) FROM users; SELECT age, name FROM users ORDER BY age asc;

18. FHE Fully Homomorphic Encryption

19. None
20. None

21. Operations on Data 100 + 200 = 300 Ax7b… +

    4f51… = rTd3... Plaintexts Ciphertexts

22. Operations on Data Ax7b… * 4f51… = 67Dv... Multiplication Ax7b…

    / 4f51… = uI7d... Division Ax7b… < 4f51… = hG5c... Comparison

23. Operations on Data f(FHe(a), FHe(b)) ≡ FHe(f(a, b)) Generally

24. Implementations Library Scheme Introduced Helib BGV, Bootstrapping 2013 PALISADE Lattice,

    multiple 2015 TFHE Torus FHE 2016 NuFHE THFE + CUDA 2018

25. Performance ~ 0.13ms/bit for binary gate ~ 200ms for 32

    bit add NuFHE (CUDA) Averaging 1000 32 bit integers: > 3 minutes!

26. Partial HE Homomorphic Encryption for specific operations

27. Paillier: Addition f() = add() E P (2) + E

    p (3) = E p (2 + 3)

28. Paillier Performance Operand (add) Arithmetic Paillier Slow Down 1 32ns

    49us 1513x 1000 33ns 89us 2672x 1000000 33ns 118us 3532x *On my Linux machine (i7 8700k, 3.7GHz), Single core performance Still 2000x faster than NuFHE!

29. Order Preserving Encryption (OPE)

30. OPE Defines the comparison operator for ciphertexts encrypted under the

    scheme (usually a symmetric key). cmp(ctxt_a, ctxt_b) => { -1, 0, 1} This is different to a PHE scheme for the comparison operator: cmp(ctxt_a, ctxt_b) => ctxt_c

31. OPE Enc(100) = ABCD... Enc(200) = BA12... Enc(300) = C3FG...

32. Image credit: Cryptowiki.net

33. OPE susceptible to “inference” attacks (Naveed et al, 2015)

34. Order Revealing Encryption (ORE) LW2016: Block-ORE (Wu et al)

35. CT L CT R

36. ORE (LW2016) Compare(A L , B R ) => {0,

    1} Defines
37. None
38. None

39. Security Leakage: First block that differs between 2 ciphertexts (e.g.

    block size 8 bytes) A7C3 B4B1 1 E6B1 E6A9 3 Val1 Val2 Block that differs Indistinguishable Pr[Val1 == Val2] = 1/(2^16)

40. Block Size vs Ciphertext Size Block Size Encrypt Compare Ciphertext

    Size 4 16.50us 0.31us 192 bytes 8 54.87us 0.63us 224 bytes 12 721.37us 2.61us 1612 bytes

41. Pros and cons Pros Right CTs are Semantically Secure (CPA

    + CCA) Fast encryption ~ 55us (32bit integer) Fast - comparisons < 1us Based on existing primitives (AES/SHA) Resistant to inference attacks Cons Large Ciphertexts (CTR = 224 bytes, 1,000,000 64bit ints ~ 213MB) Weaker than pure AES or FHE (but better than OPE) Difficult to integrate into existing systems

42. *Depends on your use-case.

43. PG Secret Implementation of Block-ORE as PostgreSQL extension

44. pg_secret 2 types - numeric and string Integers are 32

    bit, orderable (define <, =, >) Strings are arbitrary length, SIPHASH, not orderable (define only =) 2 independent keys required

45. Demo

46. Limitations • Currently stores both CTL + CTR • ORDER

    BY and GROUP BY will always need both anyway • Not battle tested - Don’t use in production (yet)!

47. Links + Resources • PG Secret: https://github.com/coderdan/pg_secret (contributions welcome!) •

    NuFHE https://github.com/nucypher/nufhe • Paillier Ruby https://github.com/DaylightingSociety/Paillier • Block ORE Paper https://www.cs.virginia.edu/dwu4/papers/BlockORE.pdf • The state of HE: https://homomorphicencryption.org My Twitter: @danieldraper Thank you!