Efficient privacy preserving publish subscribe systems

Efficient privacy preserving publish subscribe systems, SACMAT 2012


  1. Efficient Privacy Preserving Content Based Publish Subscribe Systems
     Mohamed Nabeel, Ning Shang, Elisa Bertino (nabeel@cs.purdue.edu), June 21, 2012
     Outline: Introduction; Overview; Background; Tweaking Paillier Homomorphic Cryptosystem; Overall System; Implementation and Experimental Results; Conclusions; Future Work
     Footer: Mohamed Nabeel, Ning Shang, Elisa Bertino, PP-CBPS
  2. Publish Subscribe Systems
  3. Content Based Pub/Sub Systems
     • Notifications
       - Produced by publishers
       - Consist of a set of attribute-value pairs
       - Example: { symbol = "MSFT", price = 30.93, size = 1000 }
     • Subscriptions
       - Produced by subscribers
       - Specify a condition on one or more attributes in a notification
       - Examples: (symbol = "GOOG" ∧ price ≥ 578), (1000 ≤ size ≤ 2000)
     • Brokers match notifications against subscriptions and forward the matching notifications to authorized subscribers
  4. Why Filtering?
     • Access control restrictions
     • Computational, storage and/or bandwidth considerations
       - Subscribers do not have sufficient computational power, storage or bandwidth
     • Subscribers are interested only in certain types of notifications
  5. Security and Privacy
     • With the utilization of third-party brokering networks, brokers cannot be trusted for the confidentiality/privacy
     • Publication privacy
       - Hide the notifications from brokers
     • Subscription privacy
       - Hide subscription from brokers
       - Unable to link multiple subscriptions
     • The goal of this work is to address these privacy issues
  6. Isn't It a Solved Problem?
     • Secure pub-sub systems
       - Hinder matching functionality
       - False positives [Raiciu 2006]
       - Limited expressiveness [Srivatsa et al. 2007]
       - Key management overhead [Bacon et al. 2008]
     • Searchable encryption
       - Secure keyword matching [Song et al. 2000]
       - Order preserving encryption [Boldyreva et al. 2009]
     • Secure multi-party computation
  7. Goals of our Work
     • Allow brokers to make matching decisions without letting them learn the actual notifications and subscriptions
     • Perform accurate matching and covering
     • Support the same expressiveness as the system without security
     • Minimize the overhead introduced by the security layer
  8. System Overview
     • Publishers
       - Produce "encrypted" notifications
       - Register subscribers
     • Subscribers
       - Make "encrypted" subscriptions
     • Brokers
       - Authenticate subscribers and handle subscriptions
       - Match incoming notifications with existing subscriptions and forward the notifications to the corresponding subscribers
  9. Trust Model
     • Brokers are honest-but-curious
     • Brokers may collude with one another
     • Publishers are trusted
     • Subscribers are not trusted for subscriptions
  10. Message Format
      • Each notification consists of a set of attribute-value pairs (AVPs)
      • The set of AVPs is called the payload
      • The AVPs related to matching are "blinded" using our scheme
      • The payload is encrypted using a separate cryptosystem
        - Examples: Broadcast encryption, Proxy Re-Encryption, Attribute Based Encryption
  11. Homomorphic Encryption
      • $E(m_1) \cdot E(m_2) = E(m_1 \odot m_2)$
      • Partially vs. fully homomorphic cryptosystems
      • Additive homomorphic cryptosystems
        - $E(m_1) \cdot E(m_2) = E(m_1 + m_2)$
        - Examples: Paillier, Damgard, Benaloh
      • Multiplicative homomorphic cryptosystems
        - $E(m_1) \cdot E(m_2) = E(m_1 \cdot m_2)$
        - Examples: Unpadded RSA, El-Gamal
  12. Paillier Homomorphic Cryptosystem (PHC)
      • Key generation $KG(p, q)$
        - $p$ and $q$ are large primes
        - Private key = $(\lambda, \mu)$
        - Public key = $(n, g)$, $n = pq$ and $g \in (\mathbb{Z}/n^2)^{\times}$
      • Encryption $E(m, r)$
        - $c = g^{m} \cdot r^{n} \pmod{n^2}$
      • Decryption $D(c)$
        - $m = L(c^{\lambda} \pmod{n^2}) \cdot \mu \pmod{n}$, where $L(u) = (u - 1)/n$
  13. Homomorphic Properties of PHC
      PHC is additive homomorphic:
      • $D(E(m_1, r_1) \cdot E(m_2, r_2) \pmod{n^2}) = m_1 + m_2 \pmod{n}$
      • $D(E(m_1, r_1)^{k} \pmod{n^2}) = k m_1 \pmod{n}$
  14. Tweaking PHC
      • Making $\mu$ public
      • Shifting the computation so that matching and covering operations are efficient
      • Allowing to compute the randomized difference without decrypting individual values
  15. Making $\mu$ Public
      • Original private key = $(\lambda, \mu)$ and public key = $(n, g)$
      • Modified private key = $\lambda$ and public key = $(n, g, \mu)$
      • Due to the hardness of Computational Diffie-Hellman problem, it is hard to derive $\lambda$ from $\mu$.
  16. Shifting the Computation
      • Encryption $E'(m, r, \lambda)$
        - $E'(m, r) = E(m, r)^{\lambda} = g^{m\lambda} \cdot r^{n\lambda} \pmod{n^2} = c$
      • Decryption $D(c)$
        - $D(c) = L(c \pmod{n^2}) \cdot \mu \pmod{n}$
  17. Allowing to Compute Differences
      Allowing to find the difference of $x$ and $v$
      • Encryption $E''(x, v)$
        - $x' = g^{t} \cdot E'(x, r_1) \pmod{n^2}$
        - $v' = g^{-t} \cdot E'(-v, r_2) \pmod{n^2}$
        - We get the following: $x' \cdot v' = E'(x - v, r_3)$
      • Decryption $D(x' \cdot v')$
        - $D(x' \cdot v') = x - v$
  18. Allowing to Compare
      • Notification = $x \in [0, 2^{l}]$, where $l$ is the domain size
      • Subscription = $v \in [0, 2^{l}]$
      • Difference $d = x - v$
      • The matching table is as follows:

        d          Decision
        $0$        $x = v$
        $< n/2$    $x > v$
        $> n/2$    $x < v$
  19. How to hide the difference?
      • The current approach reveals the difference to brokers
      • The key idea: using the unused range to hide the difference
  20. Hiding the Difference
      • Introduce two random numbers $r_p$ and $r_q$ during blinding:
        - $x'' = g^{t} \cdot E'(x, r_1)^{r_p} \cdot E'(r_q) \pmod{n^2}$
        - $v'' = g^{-t} \cdot E'(-v, r_2)^{r_p} \pmod{n^2}$
      • $x''$ and $v''$ are called blinded values
      • The decryption results in the following output: $D(x'' \cdot v'') = r_p (x - v) + r_q = d'$
      • The matching table is as follows:

        d'           Decision
        $\le n/2$    $x \ge v$
        $> n/2$      $x < v$
  21. System Protocols and Interactions
      • Setup
        - Initialize system security parameters
        - Domain size = $l$ bits ($2^{l} \ll n$)
      • Register
        - Subscribers initially register with publishers and obtain randomized access tokens
      • Subscribe
        - Subscribers submit blinded subscriptions ($v''$) to brokers
      • Publish
        - Publishers submit blinded notifications ($x''$) to brokers
      • Match
        - For each notification, brokers compute $x'' \cdot v''$ and make a matching decision
      • Cover
        - Brokers find covering relationships among subscriptions
  22. Correctness of Matching
      The following shows the correctness of $d'$. Let $y = x'' \cdot v'' \pmod{n^2}$.
      $y = g^{t} \cdot (E(r_p x + r_q))^{\lambda} \cdot g^{-t} \cdot (E(-v))^{r_p \lambda} \pmod{n^2}$
      $\phantom{y} = \{E(r_p x + r_q) \cdot E(-r_p v)\}^{\lambda} \pmod{n^2}$
      $\phantom{y} = (E(r_p (x - v) + r_q))^{\lambda} \pmod{n^2}$
      $d' = L(y) \cdot \mu \pmod{n} = r_p (x - v) + r_q$
  23. Implementation
      • Implementation Environment
        - Intel Core 2 Duo CPU 2.50GHz
        - 4GB
        - Linux kernel version 2.6.27
        - Java 1.6 with Bouncy Castle
      • Two types of experiments
        - Protocols
        - Extension to SIENA
  24. Protocol Experiments (Blinding)
      [Figure: two plots of time (in ms) for Encrypt Subscription (Sub), Blind Encrypted Subscription (Pub) and Blind Notification (Pub). (a) Varying n: x-axis is the bit length of n (Paillier). (b) Varying l: x-axis is the bit length of content (l).]
  25. Protocol Experiments (Match/Cover)
      [Figure: two plots of time (in microseconds) for Match (Broker) and Cover (Broker). (c) Varying n: x-axis is the bit length of n (Paillier). (d) Varying l: x-axis is the bit length of content (l).]
  26. System Experiments
      [Figure: two plots of time against the number of subscriptions (1000 to 5000); axis labels are Time (in microsec) and Time (in ms); legend entries are SIENA, PP-CBPS, l = 25 bits and l = 10 bits. (e) Equality Filtering. (f) Inequality Filtering.]
  27. Conclusions
      • We proposed an approach for brokers to perform matching and covering operations without learning the actual subscriptions and notifications
      • Experimental results show that the approach is practical
      • Our privacy preserving matching technique can be utilized in other applications
      Future work
      • Implement our scheme on an industry strength JMS
      • Support frequent subscriptions/unsubscriptions
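
The blinded comparison from the "Shifting the Computation", "Hiding the Difference" and "Correctness of Matching" slides, as an added Python example (not the authors' Java/Bouncy Castle implementation). The toy Mersenne-prime key, the function names, the 16-bit value domain and the ranges chosen for $r_p$ and $r_q$ are assumptions made here; the slides do not state those ranges.

```python
import secrets
from math import gcd

# Constructed toy key: two Mersenne primes, far too small for real use.
p, q = 2**31 - 1, 2**61 - 1
n = p * q
n2 = n * n
lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # private key λ

def L(u):
    return (u - 1) // n

# g is random in Z*_{n^2}. With the common shortcut g = n + 1, µ would equal
# λ^-1 mod n, and publishing µ would hand λ to the brokers.
while True:
    g = secrets.randbelow(n2 - 2) + 2
    if gcd(g, n) == 1 and gcd(L(pow(g, lam, n2)), n) == 1:
        break
mu = pow(L(pow(g, lam, n2)), -1, n)            # public in the tweaked scheme

# Publisher-side secrets. Assumed ranges (not given on the slides):
# values below 2^16, 0 <= rq < rp, and rp * 2^16 + rq < n/2.
t = secrets.randbelow(n - 1) + 1
rp = secrets.randbelow(2**32) + 2**32

def e_shifted(m):
    """E'(m, r) = E(m, r)^λ; r^(nλ) is 1 mod n^2, so r drops out."""
    return pow(g, lam * (m % n), n2)

def blind_notification(x):
    """x'' = g^t · E'(x)^rp · E'(rq) mod n^2, fresh rq per notification."""
    rq = secrets.randbelow(rp)
    return pow(g, t, n2) * pow(e_shifted(x), rp, n2) * e_shifted(rq) % n2

def blind_subscription(v):
    """v'' = g^-t · E'(-v)^rp mod n^2."""
    return pow(g, -t, n2) * pow(e_shifted(-v), rp, n2) % n2

def broker_match(x2, v2):
    """Broker side: only n and µ are used. Returns (d', x >= v)."""
    d = L(x2 * v2 % n2) * mu % n
    return d, d <= n // 2

if __name__ == "__main__":
    v2 = blind_subscription(1000)              # subscription: size >= 1000
    for x in (999, 1000, 1200):
        print(x, broker_match(blind_notification(x), v2))
```

The broker sees a different $d'$ each time the same notification value is blinded, yet the decision column of the matching table stays the same.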
