Efficient Privacy Preserving Content Based Publish Subscribe Systems
1. Introduction
Overview
Background
Tweaking Paillier Homomorphic Cryptosystem
Overall System
Implementation and Experimental Results
Conclusions and Future Work
Efficient Privacy Preserving Content Based Publish Subscribe Systems
Mohamed Nabeel, Ning Shang, Elisa Bertino
nabeel@cs.purdue.edu
June 21, 2012
Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
Publish Subscribe Systems
Content Based Pub/Sub Systems
Notifications
Produced by publishers
Consist of a set of attribute-value pairs
Example: { symbol = "MSFT", price = 30.93, size = 1000 }
Subscriptions
Produced by subscribers
Specify a condition on one or more attributes in a notification
Examples: (symbol = "GOOG" ∧ price ≥ 578), (1000 ≤ size ≤ 2000)
Brokers match notifications against subscriptions and forward the matching notifications to authorized subscribers
Why Filtering?
Access control restrictions
Computational, storage and/or bandwidth considerations
Subscribers do not have sufficient computational power, storage or bandwidth
Subscribers are interested only in certain types of notifications
Security and Privacy
With the utilization of third-party brokering networks, brokers cannot be trusted with confidentiality/privacy
Publication privacy
Hide the notifications from brokers
Subscription privacy
Hide subscription from brokers
Unable to link multiple subscriptions
The goal of this work is to address these privacy issues
Isn’t It a Solved Problem?
Secure pub-sub systems
Hinder matching functionality
False positives [Raiciu 2006]
Limited expressiveness [Srivatsa et al. 2007]
Key management overhead [Bacon et al. 2008]
Searchable encryption
Secure keyword matching [Song et al. 2000]
Order preserving encryption [Boldyreva et al. 2009]
Secure multi-party computation
Goals of our Work
Allow brokers to make matching decisions without letting them learn the actual notifications and subscriptions
Perform accurate matching and covering
Support the same expressiveness as the system without security
Minimize the overhead introduced by the security layer
System Overview
Publishers
Produce "encrypted" notifications
Register subscribers
Subscribers
Make "encrypted" subscriptions
Brokers
Authenticate subscribers and handle subscriptions
Match incoming notifications with existing subscriptions and forward the notifications to the corresponding subscribers
Trust Model
Brokers are honest-but-curious
Brokers may collude with one another
Publishers are trusted
Subscribers are not trusted for subscriptions
Message Format
Each notification consists of a set of attribute-value pairs (AVPs)
The set of AVPs is called the payload
The AVPs related to matching are "blinded" using our scheme
The payload is encrypted using a separate cryptosystem
Examples: Broadcast Encryption, Proxy Re-Encryption, Attribute Based Encryption
Homomorphic Encryption
$E(m_1) \cdot E(m_2) = E(m_1 \odot m_2)$
Partially vs. fully homomorphic cryptosystems
Additive homomorphic cryptosystems
$E(m_1) \cdot E(m_2) = E(m_1 + m_2)$
Examples: Paillier, Damgård, Benaloh
Multiplicative homomorphic cryptosystems
$E(m_1) \cdot E(m_2) = E(m_1 \cdot m_2)$
Examples: Unpadded RSA, ElGamal
Paillier Homomorphic Cryptosystem (PHC)
Key generation $KG(p, q)$
$p$ and $q$ are large primes
Private key $= (\lambda, \mu)$
Public key $= (n, g)$, $n = pq$ and $g \in (\mathbb{Z}/n^2\mathbb{Z})^\times$
Encryption $E(m, r)$
$c = g^m \cdot r^n \pmod{n^2}$
Decryption $D(c)$
$m = L(c^\lambda \bmod n^2) \cdot \mu \pmod{n}$, where $L(u) = (u - 1)/n$
Tweaking PHC
Making $\mu$ public
Shifting the computation so that matching and covering operations are efficient
Allowing the randomized difference to be computed without decrypting individual values
Making $\mu$ Public
Original private key $= (\lambda, \mu)$ and public key $= (n, g)$
Modified private key $= \lambda$ and public key $= (n, g, \mu)$
Due to the hardness of the Computational Diffie-Hellman problem, it is hard to derive $\lambda$ from $\mu$.
Shifting the Computation
Encryption $E'(m, r, \lambda)$
$E'(m, r) = E(m, r)^\lambda = g^{m\lambda} \cdot r^{n\lambda} \pmod{n^2} = c$
Decryption $D(c)$
$D(c) = L(c \bmod n^2) \cdot \mu \pmod{n}$
Allowing to Compute Differences
Allowing the difference of $x$ and $v$ to be found
Encryption $E''(x, v)$
$x' = g^t \cdot E'(x, r_1) \pmod{n^2}$
$v' = g^{-t} \cdot E'(-v, r_2) \pmod{n^2}$
We get the following:
$x' \cdot v' = E'(x - v, r_3)$
Decryption $D(x' \cdot v')$
$D(x' \cdot v') = x - v$
Allowing to Compare
Notification $= x \in [0, 2^l]$, where $l$ is the domain size
Subscription $= v \in [0, 2^l]$
Difference $d = x - v$
The matching table is as follows:
  d        Decision
  0        x = v
  < n/2    x > v
  > n/2    x < v
How to hide the difference?
The current approach reveals the difference to brokers
The key idea: using the unused range to hide the difference
Hiding the Difference
Introduce two random numbers $r_p$ and $r_q$ during blinding:
$x'' = g^t \cdot E'(x, r_1)^{r_p} \cdot E'(r_q) \pmod{n^2}$
$v'' = g^{-t} \cdot E'(-v, r_2)^{r_p} \pmod{n^2}$
$x''$ and $v''$ are called blinded values
The decryption results in the following output:
$D(x'' \cdot v'') = r_p (x - v) + r_q = d'$
The matching table is as follows:
  d'       Decision
  ≤ n/2    x ≥ v
  > n/2    x < v
System Protocols and Interactions
Setup
Initialize system security parameters
Domain size $= l$ bits ($2^l \ll n$)
Register
Subscribers initially register with publishers and obtain randomized access tokens
Subscribe
Subscribers submit blinded subscriptions ($v''$) to brokers
Publish
Publishers submit blinded notifications ($x''$) to brokers
Match
For each notification, brokers compute $x'' \cdot v''$ and make the matching decision
Cover
Brokers find covering relationships among subscriptions
Correctness of Matching
The following shows the correctness of $d'$. Let
$y = x'' \cdot v'' \pmod{n^2}$
$y = g^t \cdot (E(r_p x + r_q))^\lambda \cdot g^{-t} \cdot (E(-v))^{r_p \lambda} \pmod{n^2}$
$= \{E(r_p x + r_q) \cdot E(-r_p v)\}^\lambda \pmod{n^2}$
$= (E(r_p (x - v) + r_q))^\lambda \pmod{n^2}$
$d' = L(y) \cdot \mu \pmod{n}$
$= r_p (x - v) + r_q$
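A worked instance of the tweaked scheme described in the preceding slides (shifted encryption with public $\mu$, the $g^t$ / $g^{-t}$ blinding with $r_p$, $r_q$, and the $d'$ matching table), written here as an added example and not the authors' implementation. It uses constructed toy parameters (two Mersenne primes, $l = 10$ bits) and assumes the publisher holds $\lambda$, the blinding pair $(r_p, r_q)$ and the registration token $t$, and receives $E(-v)$ from the subscriber; the broker works with public values only.

```python
import random
from math import gcd

# Constructed toy parameters (not from the paper): two Mersenne primes give
# n of about 92 bits; the slides evaluate n from 200 to 2200 bits.
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2
G = N + 1                                        # simple valid choice of g
LAMBDA = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)  # tweaked private key: lambda only
L_BITS = 10                                      # domain size l, so 2**l << n

def L(u):
    return (u - 1) // N

MU = pow(L(pow(G, LAMBDA, N2)), -1, N)   # published with (n, g) in the tweak

def enc(m):
    """Plain Paillier E(m, r) = g^m * r^n mod n^2, public key only."""
    r = random.randrange(1, N)
    while gcd(r, N) != 1:
        r = random.randrange(1, N)
    return pow(G, m % N, N2) * pow(r, N, N2) % N2

def dec_public(c):
    """Tweaked decryption D(c) = L(c mod n^2) * mu mod n: no secret needed."""
    return L(c % N2) * MU % N

def pick_blinding():
    """rp, rq with rq < rp and rp*2^l + rq < n/2, so the table on d' holds."""
    rp = random.randrange(2**L_BITS, 2**(2 * L_BITS))
    return rp, random.randrange(0, rp)

def blind_subscription(c_minus_v, t, rp):
    """Publisher: v'' = g^-t * E(-v)^(rp*lambda) mod n^2, given E(-v) from the subscriber."""
    g_inv_t = pow(pow(G, t, N2), -1, N2)
    return g_inv_t * pow(c_minus_v, rp * LAMBDA, N2) % N2

def blind_notification(x, t, rp, rq):
    """Publisher: x'' = g^t * E(rp*x + rq)^lambda mod n^2 (same t and rp as v'')."""
    return pow(G, t, N2) * pow(enc(rp * x + rq), LAMBDA, N2) % N2

def broker_difference(x2, v2):
    """Broker: d' = D(x'' * v'') = rp(x - v) + rq mod n; x, v and rp stay hidden."""
    return dec_public(x2 * v2 % N2)

def broker_matches(x2, v2):
    """Matching table: d' <= n/2 means x >= v, d' > n/2 means x < v."""
    return broker_difference(x2, v2) <= N // 2
```

Because $r_q$ is fresh per notification, two notifications with the same $x$ yield different $d'$ values, which is what keeps the broker from learning the exact difference.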
Implementation
Implementation Environment
Intel Core 2 Duo CPU 2.50 GHz, 4 GB
Linux kernel version 2.6.27
Java 1.6 with Bouncy Castle
Two types of experiments
Protocols
Extension to SIENA
Protocol Experiments (Blinding)
[Figure: Time (in ms) for Encrypt Subscription (Sub), Blind Encrypted Subscription (Pub) and Blind Notification (Pub); (a) varying bit length of n (Paillier), 200 to 2200; (b) varying bit length of content (l), 10 to 100]
Protocol Experiments (Match/Cover)
[Figure: Time (in microseconds) for Match (Broker) and Cover (Broker); (c) varying bit length of n (Paillier), 200 to 2200; (d) varying bit length of content (l), 10 to 100]
System Experiments
[Figure: SIENA vs. PP-CBPS, with l = 25 bits and l = 10 bits, against No. of subscriptions (1000 to 5000); (e) Equality Filtering, time in microseconds; (f) Inequality Filtering, time in ms]
Conclusions
We proposed an approach for brokers to perform matching and covering operations without learning the actual subscriptions and notifications
Experimental results show that the approach is practical
Our privacy preserving matching technique can be utilized in other applications
Future work
Implement our scheme on an industry-strength JMS
Support frequent subscriptions/unsubscriptions