Multi Dimensional Queries on Encrypted Data

7/30/2019 Multi Dimensional Queries on Encrypted Data

1/15

Multi-Dimensional Range Query over Encrypted Data

Elaine Shi John Bethencourt T-H. Hubert Chan Dawn Song Adrian Perrig

Carnegie Mellon University

Abstract

We design an encryption scheme called Multi-dimensional

Range Query over Encrypted Data (MRQED), to address the

privacy concerns related to the sharing of network audit logs

and various other applications. Our scheme allows a network

gateway to encrypt summaries of network flows before sub-mitting them to an untrusted repository. When network intru-

sions are suspected, an authority can release a key to an au-

ditor, allowing the auditor to decrypt flows whose attributes

(e.g., source and destination addresses, port numbers, etc.)

fall within specific ranges. However, the privacy of all irrele-

vant flows are still preserved. We formally define the securityfor MRQED and prove the security of our construction un-

der the decision bilinear Diffie-Hellman and decision linear

assumptions in certain bilinear groups. We study the practi-

cal performance of our construction in the context of network

audit logs. Apart from network audit logs, our scheme alsohas interesting applications for financial audit logs, medical

privacy, untrusted remote storage, etc. In particular, we show

that MRQED implies a solution to its dual problem, which en-

ables investors to trade stocks through a broker in a privacy-

preserving manner.

1 Introduction

Recently, the network intrusion detection community hasmade large-scale efforts to collect network audit logs fromdifferent sites [25, 35, 24]. In this application, a network gate-way or an Internet Service Provider (ISP) can submit networktraces to an audit log repository. However, due to the pres-ence of privacy sensitive information in the network traces,the gateway will allow only authorized parties to search theiraudit logs. We consider the following four types of entities: agateway, an untrusted repository, an authority, and an audi-

tor. We design a cryptographic primitive that allows the gate-way to submit encrypted audit logs to the untrusted reposi-tory. Normally, no one is able to decrypt these audit logs.

This research was supported in part by CyLab at Carnegie Mellon undergrant DAAD19-02-1-0389 and Cyber-TA Research grant No. W911NF-06-1-0316 from the Army Research Office, and grants 0433540 and 0448452from the National Science Foundation, and a grant from GM. The viewsand conclusions contained here are those of the authors and should not beinterpreted as necessarily representing the official policies or endorsements,either express or implied, of ARO, CMU, GM, NSF, or the U.S. Governmentor any of its agencies.

However, when malicious behavior is suspected, an auditormay ask the authority for a search capability. With this searchcapability, the auditor can decrypt entries satisfying certainproperties, e.g., network flows whose destination address andport number fall within a certain range. However, the privacyof all other flows should still be preserved. Note that in prac-tice, to avoid a central point of trust, we can have multipleparties to jointly act as the authority. Only when a sufficientnumber of the parities collaborate, can they generate a validsearch capability.

We name our encryption scheme Multi-dimensionalRange Query over Encrypted Data (MRQED). In MRQED,we encrypt a message with a set of attributes. For example, inthe network audit log application, the attributes are the fieldsof a network flow, e.g., source and destination addresses, portnumbers, time-stamp, protocol number, etc. Among these at-tributes, suppose that we would like to support queries on thetime-stamp t, the source address a and the destination portnumber p. Our encryption scheme provides the followingproperties:

Range query on attributes. An authority can issue adecryption key for all flows whose (t,a,p) falls withina certain range:

t [t1, t2]and

a [a1, a2]and

p [p1, p2]. Notice that range query implies equalityand greater-than (smaller-than) tests, e.g., t t1 anda = a1 and p p1. With this decryption key, all flowswhose (t,a,p) tuple falls within the above range can bedecrypted.

Security requirement. Normally, no one can learn anyinformation from the ciphertexts. Under special circum-stances, however, an auditor may obtain a decryptionkey from an authority for some range t [t1, t2] anda [a1, a2] andp [p1, p2]. For any flow, if at least oneattribute among t,a,p lies outside the specified range,the auditor fails to decrypt it. The auditor inevitablylearns that the (t,a,p) tuple of this flow does not lie

within the given range. However, apart from this in-formation, the auditor cannot learn anything more aboutthe flow. For example, the auditor cannot learn anythingabout attributes other than t,a,p; in addition, she cannotdecide whether t < t1 or t > t2, etc.

Our results and contributions. We are among the earliestto study the problem of point encryption, range query, andconditional decryption of matching entries. We propose aprovably secure encryption scheme that allows us to achieve


2/15

Scheme Pub. Key Size Encrypt. Cost CT Size Decrypt. Key Size Decrypt. Cost Security Model

BonehWaters06 [13] O(D T) O(D T) O(D T) O(D) O(D) MC

Naive AIBE-based scheme O(1) O((logT)D) O((logT)D) O((logT)D) O((logT)D) MR

Our scheme O(D logT) O(D logT) O(D logT) O(D logT) O((logT)D) MR

Table 1. Performance of different approaches. D denotes the number of dimensions and T the number of points in each.The naive AIBE-based scheme is described in Section 4.3. MC and MR refer to the match-concealing and match-revealing

security models respectively as defined in Section 3.

these properties. Table 1 summarizes the asymptotic perfor-mance of our scheme in comparison with other approaches.Please refer to Section 2 for a detailed comparison betweenour scheme MRQED, and the concurrent work BonehWa-ters06 [13]. We study the practical performance of MRQED,and show that it makes the encrypted network audit log appli-cation feasible. We also study the dual problem to MRQED,where one encrypts under a hyper-range in multi-dimensionalspace, and decrypts under a point. We show that MRQED im-plies a solution to its dual problem, which enables investors totrade stocks through a broker in a privacy-preserving manner.

Paper organization. In the remainder of this section, we

give more example applications of MRQED. We review re-lated work in Section 2, and formally define the MRQEDproblem in Section 3. In Section 4, we demonstrate someinitial attempts at constructing MRQED; while in Section 5,we describe our novel construction which we consider themain contribution of this paper. We note that the purposeof Section 4 is not only to exhibit straw-man schemes, butalso to better motivate our design of MRQED as describedin Section 5. In particular, some of the primitives introducedin Section 4 will later be used in Section 5 when we explainour novel construction. Due to limit of space, formal securityproofs of security are provided in the online technical reportversion [43]. In the proof, we borrow techniques from theAHIBE scheme of Boyen and Waters [15]. As a result, thesecurity of our construction is likewise based on the hardnessof Decision Bilinear Diffie-Hellman problem and the Deci-sion Linear problem. In Section 7, we consider the practicalperformance of the scheme in the context of network auditlogs. We show that MRQED implies a solution to its dualproblem in Section 8, and show that the dual problem is ofparticular interest to investors who would like to trade stocksthrough a broker in a privacy-preserving manner.

1.1 Application to Network Audit Logs

We briefly mentioned network audit logs at the beginningof this section. Throughout the paper, we will keep using

this example to motivate the design of MRQED. To providecontext for the remainder of the paper, we now describe thisapplication in greater detail.

Firewalls and network intrusion detection systems (NIDS)such as Snort [44], Emerald [40], and Bro [39] produce logssummarizing detected or blocked activities suspected to bemalicious. Log entries typically correspond to either a sin-gle packet (perhaps rejected by a firewall) or an establishedflow deemed suspicious. Each entry normally includes fieldssuch as source and destination IP address and port, date and

time, protocol (e.g., TCP, UDP, or ICMP), and, in the caseof NIDS, the type of rule causing an alert. Sharing and com-paring such logs across organizations is a method for gainingbroader information about malicious activities on the Internetso that administrators may better protect their systems. Cur-rent large scale efforts to collect and aggregate network au-dit logs for this purpose include DShield [25], myNetWatch-man [35], and Deepsight [24].

However, sharing of network audit logs is hampered by thepresence of security and privacy sensitive information. By en-crypting each log entry before sending it to another party, thesource can allay these concerns. Later, the source may release

a decryption key for a carefully specified set of log entriesdeemed currently relevant. For example, suppose a particularhost with IP address a1 is determined to have been compro-mised at time t1 and later involved in scanning other hosts forvulnerabilities on a certain range of ports [p1, p2]. A trustedauthority may then choose to release a key decrypting anyentries at time t, with source address a, connecting to port psuch that t t1, a = a1, andp1 p p2. Note that to avoida central point of trust, we can have multiple parties jointlyact as the authority. Using techniques from secure multi-partycomputation [27], only when a sufficient number of them col-laborate, can they generate a valid decryption key. The sourcewould then have precise guarantees about the privacy of theirnetwork while providing useful information to other individ-

ual organizations or a global monitoring effort. The publickey nature of the scheme would allow distributed, encryptedsubmissions to a central monitoring organization possessingthe master private key and giving out decryption keys as nec-essary. There have been some previous attempts to protectthe security of audit logs through encryption or anonymiza-tion while allowing limited queries [47, 23, 33], but in noprevious scheme has it been possible to issue keys for con-junctions of ranges over multiple attributes while maintainingthe secrecy of the attributes. In particular, we are not aware ofany previous method supporting queries such as our exampleof(t t1) (a = a1) (p1 p p2) that does not requireeither revealing the attribute values or issuing an exponentialnumber of key components.

1.2 Other Applications

Apart from the network audit log application, and thestock-trading application described in Section 8, we men-tion here some other potentially interesting applications ofMRQED.

Financial audit logs. Financial audit logs contain sensi-tive information about financial transactions. Our MRQED


3/15

scheme allows financial institutions to release audit logs inencrypted format. When necessary, an authorized auditor canobtain a decryption key from a trusted authority. With thisdecryption key, the auditor can decrypt certain transactionsthat may be suspected of fraudulent activities. However, theprivacy of all other transactions are preserved.

Medical privacy. Consider a health monitoring program.

When Alice moves about in her daily life, a PDA or smart-phone she carries automatically deposits encrypted crumbs ofher trajectory at a storage server. Assume that each crumb isof the form ((x,y,t), ct), where (x, y) represents the loca-tion, t represents time, and ct is Alices contact information.During an outbreak of an epidemic, Alice wishes to be alertedif she was present at a site borne with the disease during anincubation period, i.e., if(x,y,t) falls within a certain range.However, she is also concerned with privacy, and she does notwish to leak her trajectory if she has not been to a site bornewith the disease.

Untrusted remote storage. Individual users may wish tostore emails and files on a remote server, but because the stor-age server is untrusted, the content must be encrypted beforeit is stored at the remote server. Emails and files can be clas-sified with multi-dimensional attributes. Users may wish toperform range queries and retrieve only data that satisfy thequeries.

Using biometrics in anonymous IBE. The MRQED schemecan also be used in biometric-based Anonymous Identity-Based Encryption (AIBE). Using biometrics in identity-basedencryption first appeared in the work by Sahai and Wa-ters [41]. In this application, a persons biometric featuressuch as finger-prints, blood-type, year of birth, eye color, etc.,are encoded as a point X in a multi-dimensional lattice. Per-sonal data is encrypted using the owners biometric featuresas the identity, and the encryption protects both the secrecy

of the personal data and the owners biometric identity. Dueto potential noise each time a persons biometric features aresampled, a user holding the private key for biometric identityX should be allowed to decrypt data encrypted under X, iffX and X have small distance. In particular, the SahaiWa-ters04 construction [41] considered the set-overlap distance(or the Hamming distance); and their encryption scheme doesnot hide the identity of the user. Our construction allows auser with the private key for identity X, to decrypt an en-try encrypted under X, iff (X, X) . Here de-notes the distance between X and X

, and is defined asmax{|x1 x1| , . . . , |xD xD|}. In this case, the decryp-tion region is a hyper-cube in multi-dimensional space. One

can also associate a different weight to each dimension, inwhich case the decryption region becomes a hyper-rectangle.

2 Related Work

Search on encrypted data. The problem of search on en-crypted data (SoE) was introduced in the symmetric key set-ting by Song et al. [45] and has had some recent improve-ments in security definitions and efficiency [21]. Boneh

et al. [10] later proposed Public Key Encryption with Key-word Search (PEKS), in which any party possessing the pub-lic key can encrypt and the owner of the corresponding pri-vate key can generate keyword search capabilities. BothSoE and PEKS can be trivially extended to support one-dimensional range queries; the extension is similar to theMRQED1 scheme described in Section 4.2. However, it isnot clear that either can be used to construct a scheme sup-

porting range queries over multiple attributes. Recent workon traitor-tracing systems [14, 12] allows a more specializedsort of range query. Given a ciphertext C with attributesX = (x1, x2, . . . , xD), a master key owner can issue a tokenfor some value x that allow us to decide whether xd x forall 1 d D with O(T) ciphertext size and token size.Applications of searchable encryption have been studied bythe database community [30, 22, 2]. Other works related tosearches on encrypted data include oblivious RAMs [37, 28],and private stream searching [5, 38].

IBE. The notion of Identity-Based Encryption (IBE) was in-troduced by Shamir [42]. Several IBE schemes [20, 11, 7, 6,18, 46, 36], hierarchical IBE (HIBE) schemes [31, 26, 8, 48],

and applications [41, 29] were proposed since then. In par-ticular, the HIBE scheme proposed by Boneh, Boyen, andGoh [8] can be extended to multiple dimensions (M-HIBE)efficiently and in a collusion-resistant1 manner. The resultingscheme can be used to solve a problem similar to MRQED,but lacking the third property in the previous discussion. Thatis, when using M-HIBE it would not be possible to hide theattribute values associated with a ciphertext.

Anonymous IBE. Recently, researchers have proposedanonymous IBE and HIBE schemes (AIBE, AHIBE) [15, 1].The notion of anonymity is also related to key privacy [4, 3].Like the HIBE scheme mentioned above, the AHIBE schemeof Boyen and Waters [15] can be extended to multiple dimen-

sions in a collusion-resistant manner, resulting in a Multi-dimensional AHIBE (M-AHIBE) scheme. An M-AHIBEscheme could be used to implement MRQED (including thethird property), but applying it directly would have a seriousdrawback. Because the encryption is anonymous and hidesthe attributes used as the public key, at time of decryptionone would need to try all possible decryption keys on a givenciphertext. This incurs O(TD) decryption cost on a singleciphertext, where T is the number of possible values eachattribute may assume and may be quite large. Nevertheless,on a technical level, this AHIBE scheme and its extension toM-AHIBE are the most closely related work to ours. In par-ticular, we prevent collusion in the same way the M-AHIBEconstruction does. Since we do not require the key delegation

property of HIBE schemes, however, we are able to improvedecryption cost to be logarithmic in T.

Recent developments. Concurrent to our work, Boneh andWaters [13] propose another construction (BonehWaters06in Table 1) for complex queries over encrypted data. Theypropose a primitive called Hidden Vector Encryption, and

1Collusion-resistance, in this sense, means thattwo parties who have beenissued different decryption keys cannot combine their keys in some way toallow decryption of ciphertexts that neither could decrypt previously.


4/15

use it in conjunctive range and subset queries. When ap-plied to multi-dimensional range query, their scheme resultsin O(DT) encryption time, ciphertext size, and public keysize, and O(D) decryption key size and decryption cost. Asin Table 1, D and T are the number of attributes and the num-ber of discrete values for each attribute. Their scheme is moreexpensive in terms of public key size, encryption cost and ci-phertext size; but saves on decryption key size and decryption

cost. In applications with large T and small D (e.g., net-work audit logs, and the stock trading application mentionedin Section 8), our approach is more appropriate. In particu-lar, for network audit logs, T = 232 for an IP address, andD may range from 2 to 4. In other applications where Dis large and T is small, the BonehWaters06 construction ismore appropriate. We also would like to note that the Bone-hWaters06 construction achieves a stronger notion of secu-rity. Their construction hides the attribute values, even whenthe message is successfully decrypted. This stronger secu-rity property is a key difference from our construction, inwhich the attribute values are revealed upon successful de-cryption. In Section 3, we name these two different security

modelsmatch-concealing

security andmatch-revealing

secu-rity respectively. For applications like encrypted network au-dit logs, it is acceptable to reveal the attributes of a messagewhen it is successfully decrypted. By relaxing the securitydefinition to allow this possibility, we achieve O(D log T)encryption time, ciphertext size, and public key size. Thismakes applications such as the encrypted network audit logspossible. However, one may conceive of other applicationswhere the stronger security notion is necessary.

3 Problem Definition and Preliminary

3.1 Problem Definition

In the network audit log application, a gateway encryptsnetwork flows, and submits them to an untrusted repository.When necessary, an auditor may ask an authority for a keythat allows the decryption of all flows whose attributes fallwithin a certain range; while the privacy of all irrelevant flowsare still preserved. There is a geometric interpretation to thesemulti-attribute range queries. Suppose that we would like toallow queries on these three fields: time-stamp t, source ad-dress a, and destination port p. The tuple (t,a,p) can be re-garded as a point X in multi-dimensional space. Now sup-pose we query for all flows whose t, a, p falls within somerange: t [t1, t2], a [a1, a2] and p [p1, p2]. Herethe hyper-range [t1, t2]

[a1, a2]

[p1, p2] forms a hyper-

rectangle B in space. The above range query is equivalent totesting whether a point X falls inside the hyper-rectangle B.

We now formally define these notions mentioned above.Assume that an attribute can be encoded using discrete inte-ger values 1 through T. For example, an IP address can beencoded using integers 1 through 232. We use the notation[T] to denote integers from 1 to T, i.e., [T] = {1, 2, . . . , T }.Let S T be integers, we use [S, T] to denote integers fromS to T inclusive, i.e., [S, T] = {S, S+ 1, . . . , T }. Through-out this paper, we assume that T is a power of 2, and denote

log2 as simply log. Suppose that we would like to supportrange queries on D different attributes, each of them can takeon values in [T1], [T2], . . . , [TD] respectively. We formallydefine a D-dimensional lattice, points and hyper-rectanglesbelow.

Definition 1 (D-dimensional lattice, point, hyper-rectan-gle). Let = (T1, T2, . . . , T D). L = [T1] [T2] . . . [TD] defines a D-dimensional lattice. A D-tupleX = (x1, x2, . . . , xD) defines a point in L, where xd [Td](d [D]). A hyper-rectangle B in L is definedas B(s1, t1, s2, t2, . . . , sD, tD) = {(x1, x2, . . . , xD)

d [D], xd [sd, td]} (d [D], 1 sd td Td).

A MRQED scheme consists of four (random-ized) polynomial-time algorithms: Setup, Encrypt,DeriveKey and QueryDecrypt. In the network auditlog example, an authority runs Setup to generate publicparameters and a master private key; a gateway runs theEncrypt algorithm to encrypt a flow. Encryption isperformed on a pair (Msg, X). The message Msg is anarbitrary string, and X is a point in multi-dimensional space,

representing the attributes. For example, suppose that wewould like to support queries on the following three attributesof a flow: time-stamp t, source address a, and destinationport p. The tuple (t,a,p) then becomes the point X, and theentire flow summary forms the message Msg. Whenevernecessary, the authority can run the DeriveKey algorithm,and compute a decryption key allowing the decryption offlows whose attributes fall within a certain range. Giventhis decryption key, an auditor runs the QueryDecryptalgorithm over the encrypted data to decrypt the relevantflows. We now formally define MRQED.

Definition 2 (MRQED). An Multi-dimensional Range Queryover Encrypted Data (MRQED) scheme consists of the fol-

lowing polynomial-time randomized algorithms.1. Setup(,L): Takes a security parameter and D-

dimensional lattice L and outputs public key PK andmaster private key SK.

2. Encrypt(PK, X, Msg): Takes a public key PK, apoint X, and a message Msg from the message spaceM and outputs a ciphertext C.

3. DeriveKey(PK, SK, B): Takes a public key PK, amaster private key SK, and a hyper-rectangle B and out-puts decryption key for hyper-rectangle B.

4. QueryDecrypt(PK, DK, C): Takes a public keyPK, a decryption key DK, and a ciphertext C and out-puts either a plaintext Msg or

, signaling decryption

failure.

For each message Msg M, hyper-rectangle B L,and point X L, the above algorithms must satisfy thefollowing consistency constraints:

QueryDecrypt(PK, DK, C) =

Msg ifX B

w.h.p., ifX / B

(1)where C = Encrypt(PK, X, Msg) and DK =DeriveKey(PK, SK, B).


5/15

3.2 Security Definitions

Suppose that during time [t1, t2], there is an outbreak of aworm characteristic by the port number p1. Now the trustedauthority issues a key for the range t [t1, t2] and p = p1to a research group who has been asked to study the wormbehavior. With this key, the research group should be ableto decrypt only flows whose time-stamp and port numberfall within the given range. The privacy of all other flowsshould still be preserved. Informally, suppose that a com-putationally bounded adversary has obtained decryption keysfor regions B0, B1, . . . , Bq. Now given a ciphertext C =Encrypt(PK, X, Msg) such that X / B0, B1, . . . , Bq,the adversary cannot learn X or Msg from C. Of course,since the adversary fails to decrypt C using keys for regionsB0, B1, . . . , Bq , the adversary inevitably learns that the pointX encrypted does not fall within these regions. But apartfrom this fact, the adversary cannot learn more informationabout X or Msg.

We now formalize this intuition into a selective securitygame for MRQED. Here, the selective security notion is sim-

ilar to the selective-ID security for IBE schemes [16, 17, 6].We prove the security of our construction in the selectivemodel. A stronger security notion is adaptive security, wherethe adversary does not have to commit to two points in theInit stage of the security game defined below. In the technicalreport version [43], we give a formal definition for adaptivesecurity, and state how it is related to the selective securitymodel.

Definition 3 (MR-selective security). An MRQED scheme isselectively secure in the match-revealing (MR) model if allpolynomial-time adversaries have at most a negligible advan-

tage in the selective security game defined below.

Init: The adversary submits two points X0, X1 Lwhere it wishes to be challenged.

Setup: The challenger runs the Setup(,L) algo-rithm to generate PK, SK. It gives PK to the adver-sary, keeping SK secret.

Phase 1: The adversary adaptively issues decryptionkey queries for hyper-rectangles B1, B2, . . . , Bq0 . Fur-thermore, X0 and X

1 are not contained in any hyper-

rectangles queried in this phase, i.e., for 0 < i q0,X0 / Bi, and X1 / Bi.

Challenge: The adversary submits two equal lengthmessages Msg0, Msg1 M. The challenger flips arandom coin, b, and encrypts Msgb under X

b . The ci-phertext is passed to the adversary.

Phase 2: Phase 1 is repeated. The adversary adap-tively issues decryption key queries for hyper-rectanglesBq0+1, Bq0+2, . . . , Bq . As before, all hyper-rectanglesqueried in this stage must not contain X0 and X

1.

Guess: The adversary outputs a guess b ofb.

An adversary As advantage in the above game is definedas AdvA() =

Pr[b = b] 12 .

We would like to note that a stronger notion of securityis possible as defined by Boneh and Waters in their concur-rent work [13]. We call this stronger security notion match-concealing (MC) security, since it requires that the attributevalues (i.e., the point X) remain hidden even when an entrymatches a query. MC-selective security can be formally de-fined through the following game between an adversary anda challenger.

Definition 4 (MC-selective security [13]). An MRQEDscheme is selectively secure in the match-concealing (MC)model if all polynomial-time adversaries have at most a neg-

ligible advantage in the selective security game defined be-low.

Init: The adversary submits two points X0, X1 Lwhere it wishes to be challenged.

Setup: The challenger runs the Setup(,L) algo-rithm to generate PK, SK. It gives PK to the adver-sary, keeping SK secret.

Phase 1: The adversary adaptively issues decryptionkey queries for hyper-rectangles B1, B2, . . . , Bq0 , sat-isfying the condition that for all 0 < i q0, either(X0 Bi) (X1 Bi), or (X0 / Bi) (X1 / Bi).

Challenge: The adversary submits two equal lengthmessages Msg0, Msg1 M. If in Phase 1, there ex-ists some 0 < i q0 such that (X0 Bi)(X1 Bi),then Msg0 = Msg1. The challenger flips a randomcoin, b, and encrypts Msgb under X

b . The ciphertext is

passed to the adversary.

Phase 2: Phase 1 is repeated. The adversary adap-tively issues decryption key queries for hyper-rectanglesBq0+1, Bq0+2, . . . , Bq , satisfying the condition that forall q0 < i q, either (X0 Bi) (X1 Bi), or(X

0/

Bi)

(X1

/

Bi). In addition, if in the Chal-

lenge stage, Msg0 = Msg1, then for all q0 < i q,(X0 / Bi) (X1 / Bi).

Guess: The adversary outputs a guess b ofb.

Likewise, an adversary As advantage in the above game isdefined as AdvA() =

Pr[b = b] 12 .In this paper, we use the MR security model, i.e., we do

not protect the privacy of the attributes if an entry is matchedby the query. This security notion suffices for applicationssuch as network audit logs, and the stock-trading applicationas described in Section 8.

3.3 Preliminary: Bilinear Groups

A pairing is an efficiently computable, non-degenerate

function, e : G G G, satisfying the bilinear propertythat e(gr,gs) = e(g,g)rs. G, G and G are all groups ofprime order. g, g and e(g,g) are generators ofG, G andG respectively. Although our MRQED scheme can be con-structed using asymmetric pairing, for simplicity, we describeour scheme using symmetric pairing in the remainder of the

paper, i.e., G = G.


6/15

We name a tuple G = [p,G,G, g, e] a bilinear instance,where G and G are two cyclic groups of prime order p. Weassume an efficient generation algorithm that on input of a

security parameter , outputs GR Gen() where log2p =

().We rely on the following complexity assumptions:

Decision BDH Assumption: The Decision Bilinear DH as-

sumption, first used by Joux [32], later used by IBE sys-tems [11], posits the hardness of the following problem:Given [g, gz1 , gz2 , gz3 , Z] G4 G, where exponentsz1, z2, z3 are picked at random from Zp, decide whetherZ = e(g, g)z1z2z3 .

Decision Linear Assumption: The Decision Linear assump-tion, first proposed by Boneh, Boyen and Shacham for groupsignatures [9], posits the hardness of the following problem:Given [g, gz1 , gz2 , gz1z3 , gz2z4 , Z] G6, where z1, z2, z3, z4are picked at random from Zp, decide whether Z = g

z3+z4 .

4 A First Step towards MRQED

In this section, we first show a trivial construction forMRQED which has O(T2D) public key size, O(T2D) en-cryption cost and ciphertext size, O(1) decryption key sizeand decryption cost. Then in Section 4.2, we show that usingAIBE, we can obtain an improved one-dimension MRQEDscheme. Henceforth, we refer to a one-dimension MRQEDscheme as MRQED1 and refer to multi-dimension MRQEDas MRQEDD. The AIBE-based MRQED1 construction hasO(1) public key size, O(log T) encryption cost, ciphertextsize, decryption key size and decryption cost. While de-scribing the AIBE-based MRQED1 construction, we intro-duce some primitives and notations that will later be usedin our main construction in Section 5. In Section 4.3, wedemonstrate that a straightforward extension of the AIBE-based MRQED1 scheme into multiple dimensions results inO

(log T)D

encryption cost, ciphertext size, decryption key

size and decryption cost. The AIBE-based MRQED1 con-struction aids the understanding of our main construction inSection 5. By contrast, details of the AIBE-based MRQEDD

scheme are not crucial towards the understanding of our mainconstruction. Therefore, we only highlight a few importantdefinitions and give a sketch of the scheme in Section 4.3. Wegive the detailed description of the AIBE-based MRQEDD

scheme in the technical report version [43].

4.1 Trivial Construction

We first give a trivial construction for one-dimensionalrange query over encrypted data. We refer to one-dimensionalrange query over encrypted data as MRQED1 where the su-perscript represents the number of dimensions.

In the trivial MRQED1 construction, we make use ofany secure public key encryption scheme. We first generateO(T2) public-private key pairs, one for each range [s, t] [1, T]. To encrypt a message Msg under a point x, we pro-duce O(T2) ciphertexts, one for each range [s, t] [1, T].In particular, if x [s, t], we encrypt Msg with public key

pks,t; otherwise, we encrypt an invalid message with pks,t.The decryption key for any range [s, t] is then sks,t, the pri-vate key for [s, t]. In the technical report version [43], we givea formal description of this trivial construction.

One can extend this idea into multiple dimensions.The resulting MRQEDD scheme requires that one encryptB(Msg, X) for all hyper-rectangles B in space. Therefore,the trivial MRQEDD scheme has O(T2D) public key size,

O(T2D) encryption cost and ciphertext size, O(1) decryptionkey size and O(1) decryption cost.

4.2 Improved MRQED1 ConstructionBased on AIBE

We show an improved MRQED construction based onAnonymous Identity-Based Encryption (AIBE). For clarity,we first explain the construction for one dimension. We callthe scheme MRQED1 where the superscript denotes the num-ber of dimensions. We note that the primitives and notationsintroduced in this section will be used in our main construc-tion.

4.2.1 Primitives: Efficient Representation of Ranges

To represent ranges efficiently, we build a binary interval treeover integers 1 through T.

Definition 5 (Interval tree). Lettr(T) denote a binary inter-val tree over integers from 1 to T. Each node in the tree has apre-assigned unique ID. For convenience, we define tr(T) tobe the set of all node IDs in the tree. Each node in tr(T) rep-resents a range. Letcv(ID) denote the range represented bynode ID tr(T). Define cv(ID) as the following: LetIDbe the ith leaf node, then cv(ID) = i. Otherwise, when IDis an internal node, letID1 andID2 denote its child nodes,then cv(ID) = cv(ID1)

cv(ID2). In other words, cv(ID)

is the set of integers that correspond to the leaf descendantsofID.

Given the interval tree tr(T), we define the P(x) of IDscovering a point x [1, T], and the set (x) of IDs repre-senting a range [s, t] [1, T].

Set of IDs covering a point x. For a point x [1, T]and some node ID tr(T), we say that ID coversthe point x if x cv(ID). Define P(x) to be theset of IDs covering point x. Clearly, P(x) is the col-lection of nodes on the path from the root to the leafnode representing x. As an example, in Figure 1 (a),P(x) = {ID1, ID2, ID3, ID4}.

Range as a collection of IDs. A range [s, t] [1, T]is represented by a collection of nodes: (s, t) tr(T).We define (s, t) to be the smallest of all subsets V tr(T) such that

IDV cv(ID) = [s, t]. It is not hard

to see that for any [s, t] [1, T], (s, t) is uniquelydefined, and its size |(s, t)| is at most O(log T).

We will make use of the following properties in our AIBE-based construction: Ifx [s, t], then P(x) (s, t) = ; inaddition, P(x) and (s, t) intersect at only one node. Other-wise, ifx / [s, t], then P(x) (s, t) = .


7/15

x T1 . . . . . .ID4

ID3

ID2

ID1

(a) The path from a leaf to the root.

c4

c3

2c

c1

IDBIDA

IDC

x T1 . . . 1 T3. . .. . .

[3,7]

. . . 7

k

k k

(b) A ciphertext and a decryption key in MRQED1.

Figure 1. An MRQED1 scheme. (a) Path from the leaf node representing x [T] to the root. P(x) = {ID1, ID2, ID3, ID4}.(b) Encryption under the pointx = 3 and the keys released for the range [3, 7].

4.2.2 AIBE-Based MRQED1 Scheme

AIBE encrypts a message Msg using an identity ID as thepublic key. Given the private key for ID, one can success-fully decrypt all messages encrypted by identity ID. Theencryption scheme protects both the secrecy of the messageMsg and the identity ID in the following sense: Given ci-phertext C, which is an encryption ofMsg by identity ID0,and given decryption keys for identities ID1, ID2, . . . , I Dq

but not for ID0, a computationally bounded adversary cannotlearn anything about Msg or about ID0 from the ciphertextC. Researchers have successfully constructed secure AIBEschemes [15, 1] with O(1) cost in all respects: in public pa-rameter size, encryption cost, ciphertext size, decryption keysize and decryption cost.

Given a secure AIBE scheme, we can construct anMRQED1 scheme based on the following intuition. To en-crypt the message Msg under point x, we encrypt Msg un-der all IDs in P(x). To release the decryption key for a range[s, t] [1, T], we release the keys for all IDs in (s, t).Now ifx [s, t], then P(x) (s, t) = . Suppose P(x) and(s, t) intersect at node ID. Then we can apply the decryp-tion key at ID to the ciphertext encrypted under ID, and ob-tain the plaintext message Msg. Otherwise, ifx / [s, t], thenP(x)(s, t) = . In this case, the security of the underlyingAIBE scheme ensures that a computationally bounded adver-sary cannot learn any information about the message Msg

or the point x, except for the obvious fact (since decryptionfails) that x / [s, t].Example. In Figure 1(b), we show a ciphertext C en-crypted under the point x. Let L = O(log T) denote theheight of the tree, C is composed of O(log T) components:{c1, c2, . . . , cL}. On the right, we show the decryption keysfor the range [3, 7]. Since [3, 7] can be represented by the setof nodes (3, 7) = {IDA, IDB, IDC}, the decryption keyfor [3, 7] consists of three sub-keys, kIDA , kIDB and kIDC .

The AIBE-based construction has O(1) public keysize, O(|P(x)|) encryption cost and ciphertext size, andO(|(s, t)|) decryption key size. Since |P(x)| = O(log T),and |(s, t)| = O(log T), we get O(log T) in encryptioncost, ciphertext size, and decryption key size. Later, we willshow that decryption can be done in O(log T) time as well.

Stated more formally, given a secure AIBE schemeSetup(), DeriveKey(PK, SK, ID),Encrypt(PK,ID, Msg), Decrypt(PK, DK, C)

,

one can construct a secure MRQED1 scheme as below:

Setup(, T) calls Setup() and outputs PK andSK.

Encrypt(PK, x, Msg) encrypts the message Msgunder every ID P(x). In other words, Encryptyields C =

cID

ID P(x), where cID =Encrypt(PK,ID, Msg||0m). To check whether adecryption is valid, prior to encryption, we append m

trailing 0s denoted 0m

to message Msg {0, 1}m. DeriveKey(PK, SK, [s, t]) releases a decryption keykID for each ID (s, t). kID is computed askID = DeriveKey

(PK, SK, ID). The entire de-cryption key for the range [s, t] is then the set DKs,t =kID

ID (s, t). QueryDecrypt(PK, DK, C) tries each key kID

DKs,t on each ciphertext cID C. IfID = ID, thenDecrypt(PK, kID , cID) yields result of the formMSG||0m . In this case, we accept the result and exitthe QueryDecrypt algorithm. If all trials fail to yield

result of the form M SG

||0m

, QueryDecrypt out-

puts , indicating failure to decrypt.Note that in the AIBE-based construction, if we simply

try all decryption keys over all ciphertexts, then decryptionwould require O(|P(x)| |(s, t)|) time; and since |P(x)| =O(log T), |(s, t)| = O(log T), decryption would requireO(log2 T) time. However, observe that it is not necessaryto try kID on cID , if ID and ID

are at different depth inthe tree; since then, ID and ID cannot be equal. Thus weonly need to try kID on cID ifID and ID are at the samedepth in the tree, which requires knowledge of the depth ofID for ciphertext cID . Of course, we cannot directly re-lease ID for ciphertext cID , since the encryption is meantto hide ID. However, since each ciphertext C has a portion

at every depth of the tree, we can give out the depth ofID foreach cID C without leaking any information about ID.In this way, we reduce the decryption cost to O(log T) ratherthan O(log2 T).

We emphasize that using AIBE as the underlying encryp-tion scheme is crucial to ensuring the security of the de-rived MRQED1 scheme. In particular, a non-anonymous IBEscheme is not suitable to use as the underlying encryptionscheme, since IBE hides only the message Msg but not theattribute x.


8/15

4.3 AIBE-Based MRQEDD Construction

The same idea can be applied to construct an MRQEDD

scheme, resulting in O(1) public key size, O

(log T)D

en-cryption cost, ciphertext size, decryption key size, and de-cryption cost. Since the details of this construction is not cru-cial to the understanding of our main construction, we onlygive a sketch here and leave the full description of the schemeto the technical report version [43]. However, we highlighta few important definitions here, including the notion of asimple hyper-rectangle, and the definition of (B). Thesedefinitions will later be used in our main construction.

We build D binary interval trees, one for each dimension.We assign a globally unique ID to each node in the D trees.

Representing a hyper-rectangle. We represent an arbitraryhyper-rectangle as a collection of simple hyper-rectangles.To illustrate this idea, we first give a formal definition ofa simple hyper-rectangle, and then state how to representan arbitrary hyper-rectangle as a collection of simple hyper-rectangles. Simply put, a simple hyper-rectangle is a hyper-rectangle B0 in space, such that B0 can be represented by

a single node in the tree of every dimension. More specif-ically, a hyper-rectangle B(s1, t1, . . . , sD, tD) in space iscomposed of a range along each dimension. If for all 1 d D, |(sd, td)| = 1, i.e., [sd, td] is a simple rangein the dth dimension, then we say that the hyper-rectangleB(s1, t1, . . . , sD, tD) is a simple hyper-rectangle. A simplehyper-rectangle can be defined by a single node from eachdimension. We can assign a unique identity to each simple-rectangle B0(s1, t1, . . . , sD, tD) in space. Define

idB0 = (ID1, ID2, . . . , I DD) ,

where IDd(1 i D) is the node representing [sd, td] inthe dth dimension.

Definition 6 (Hyper-rectangle as a collection of sim-ple hyper-rectangles). Given an hyper-rectangleB(s1, t1, . . . , sD, tD), denote d(B) := (sd, td) ford [D]. (B) is the collection of nodes representingrange [sd, td] in the d

th dimension. The hyper-rectangleB can be represented as a collection (B) of simplehyper-rectangles:

(B) = 1(B) 2(B) . . . D(B)

In particular, for every id (B), id is a vector of the form(ID1, ID2, . . . , I DD), where IDd (d [D]) is a node inthe tree corresponding to the dth dimension. Therefore, id

uniquely specifies a simple hyper-rectangle B0 in space.

Clearly, |(B)| = O (log T)D; in addition, (B)can be efficiently computed. Given the above definitions,we briefly describe the AIBE-based MRQEDD construction.The detailed description is provided the technical report ver-sion [43].

Encryption. Suppose that now we would like to encrypt amessage Msg and the point X = (x1, x2, . . . , xD). Weencrypt the message Msg under all simple hyper-rectangles

that contain the point X = (x1, x2, . . . , xD). This is equiv-alent to encrypting Msg under the cross-product of D dif-ferent paths to the root. Specifically, for d [D], denotePd(X) := P(xd). Pd(X) is the path from the root to theleaf node representing xd in the d

th dimension. Define thecross-product of all D different paths to the root:

P(X) = P1(X) P2(X) . . . PD(X).Then, to encrypt Msg and X, we use AIBE to en-

crypt Msg under every id P(X). Since |P(X)| =O

(log T)D

, both encryption cost and ciphertext size are

O

(log T)D

.

Key derivation and decryption. To issue decryption keysfor a hyper-rectangle B, we issue a key for every id (B). Since |(B)| = O (log T)D, the decryptionkey has size O

(log T)D

. Now ifX B, then P(X)

(B) = ; in addition, P(X) and (B) intersect at ex-actly one simple hyper-rectangle idB0 , where the keys and theciphertexts overlap. In this case, we use the key for idB0 todecrypt the ciphertext for idB0 . Otherwise, if X / B, thenP(X)

(B) =

. In this case, the security of the under-

lying AIBE schemes ensures the security of the MRQEDD

constructions. In the technical report version [43], we showthat the cost of decryption is also O

(log T)D

.

5 Our MRQEDD Construction

In Section 4, we showed an AIBE-based MRQEDD con-struction with O(1) public key size, O

(log T)D

encryp-

tion cost and ciphertext size, O

(log T)D

decryption keysize and decryption cost. In this section, we propose a newMRQEDD construction with O (D log T) public key size,O (D log T) encryption cost and ciphertext size, O (D log T)

decryption key size, and O (log T)D decryption cost.5.1 Intuition

We build D interval trees over integers from 1 to T, eachrepresenting a separate dimension. Assume each tree nodehas a globally unique ID. In the previous section, we showeda naive construction for MRQEDD based on AIBE. The naiveconstruction encrypts Msg under the O((log T)D) simplehyper-rectangles that contain the point X; and releases de-cryption keys for the O((log T)D) simple hyper-rectanglesthat compose a hyper-rectangle B. Our goal is to reducethe ciphertext size and decryption key size to O(D log T) in-

stead. However, as we will soon explain, naively doing thisintroduces the collusion attackas shown in Figure 2 (b). Ourmain technical challenge, therefore, is to devise ways to se-cure against the collusion attack.

Reducing the ciphertext size. In other words, rather than en-cryption Msg for each simple hyper-rectangle in P(X) =P1(X) . . . PD(X), we would like to encrypt Msg foreach tree node in the the union of these D different paths:

P(X) = P1(X) . . . PD(X).


9/15

c1

c5

c6

c7

c8

c4

c3

c2

1

5

T

.

.

.

.

.

.

IDA

IDB IDC

IDF

IDE

IDD

1 3. . . T. . . 1 T2 . . . 6 . . .

1

T

7

3.

.

.

.

.

.

x

k

k

k

kk

k

(a) A ciphertext and a decryption key in MRQED2.

R1 R2

R3 R4

kx1 kx2

ky1

ky2

(b) Collusion.

Figure 2. An MRQED2 scheme. (a) Encryption under the pointx = (3, 5) and the keys released for the range [2, 6] [3, 7]. (b) Withdecryption keys kx1, ky1 for region R1 andkx2, ky2 for region R4, regions R2 andR3 are compromised.

Reducing the decryption key size. Instead of representingan arbitrary hyper-rectangle using the collection of simplehyper-rectangles, we can represent a simple hyper-rectangle

B as the collection of disjoint intervals over different dimen-sions:

Definition 7 (Hyper-rectangle as a collection of nodes). Ahyper-rectangle B L gives a collection of nodes corre-sponding to disjoint intervals over different dimensions:

(B) = 1(B) 2(B) . . . D(B)Note that for all hyper-rectangle B L, |(B)| =

O(D log T); in addition, (B) can be computed efficiently.Using the above definition, rather than releasing keys for

each simple hyper-rectangle in (B) = 1(B) . . . D(B), we would like to release keys for each ID in

1(B) . . . D(B).Example. Figure 2 (a) is an example in two dimensions. Toencrypt under the point (3, 5), we find the path from the leafnode 3 to the root in the first dimension, and the path fromthe leaf node 5 to the root in the second dimension. We thenproduce a block in the ciphertext corresponding to each nodeon the two paths. In the first dimension, we produce blocksc1, c2, c3 and c4. In the second dimension, we produce blocksc5, c6, c7 and c8. To release decryption keys for the range[2, 6] [3, 7], we find a collection (2, 6) of nodes coveringthe range [2, 6] in the first dimension; and a collection (3, 7)of nodes covering [3, 7] in the second dimension. We issuea block in the decryption key corresponding to each node

in (2, 6) and in (3, 7). In the first dimension, we createblocks kIDA , kIDB , and kIDC ; and in the second dimension,we create blocks kIDD , kIDE , and kIDF .

Preventing the collusion attack. Unfortunately, naivelydoing the above is equivalent to applying the AIBE-basedMRQED1 scheme independently in each dimension. As wedemonstrate in Figure 2 (b), such a scheme is susceptible tothe collusion attack. Suppose that Figure 2 (b), every rect-angle is a simple rectangle. Now suppose that an adversarywere given the decryption keys for region R1 and R4, then

the adversary would have collected keys kR1 = {kx1, ky1},kR4 = {kx2, ky2}. With these, the adversary would be ableto reconstruct the keys for R2 and R3: kR2 =

{kx2, ky1

},

kR3 = {kx1, ky2}. Hence, our major challenge is to finda way to secure against the collusion attack without incur-ring additional cost. We use a binding technique to preventthe collusion attack: we use re-randomization to tie togetherthe sub-keys in different dimensions. For example, in Fig-ure 2 (b), when we release the decryption key for region R1,instead of releasing {kx1, ky1}, we release {xkx1, yky1},where x and y are random numbers that we pick eachtime we issue a decryption key. Likewise, when releasingthe key for region R4, we release {xkx2, yky2}, where xand y are two random numbers picked independently fromx and

y . Of course, in the real construction,

x and

y (

x and

y) also need to satisfy certain algebraic properties

(e.g., xy = xy = some invariant) to preserve the in-ternal consistency of our scheme. In this way, components inthe decryption key for R1 cannot be used in combination withcomponents in the decryption key for R4.

5.2 The Main Construction

We are now ready to describe our construction. DefineL = O(log T) to represent the height of a tree. Assumethat node IDs are picked from Zp. We append a message

Msg {0, 1}m with a series of trailing zeros, 0m , prior toencryption. Assume that {0, 1}m+m G.Setup(,L) To generate public parameters and the mas-

ter private key, the setup algorithm first generates a bilinear

instance G = [p,G,G, g, e]R Gen(). Then, the setup

algorithm does the following.

1. Select at random the following parameters fromZ8DL+1p :

,

,1, ,2, ,1, ,2, ,1, ,2, ,1, ,2

=(d,l)[D][L]

In addition, we require that the s and the s be


10/15

forcibly non-zero. At this point, we give a brief expla-nation of our notation. The variable is used to index atuple (d, l) [D] [L], where d denotes the dimensionand l denote the depth of a node in the correspondingtree.

2. Publish G and the following public parameters PK G G8DL:

e(g, g),a,1 g,1,1 , a,2 g,2,2 ,a,1 g,1

,1 , a,2 g,2

,2 ,b,1 g,1,1 , b,2 g,2,2 ,b,1 g,1

,1 , b,2 g,2

,2 ,

=(d,l)[D][L]

3. Retain a master private key SK G8DL+1 comprisingthe following elements:

g,

a,1 g,1 , a,2 g,2 ,b,1 g,1 , b,2 g,2 ,y,1 g

,1,1,1

, y,2 g,2,2,2

,y,1 g,1,1

,1 , y,2 g,2,2

,2

=(d,l)[D][L]

Notice that in the public parameters and the master key,we have different versions of the same variable, e.g.,a,1, a,2, a,1, a

,2. Although they seem to be redun-

dant, they are actually need to provide sufficient degreesof randomness for our proof to go through. The reasonsfor having these different versions will become clearonce the reader has gone over the detailed proof pro-vided in the technical report version [43].

DeriveKey(PK, SK, B) The following steps compute the

decryption key for hyper-rectangle B, given public key PKand master private key SK.

1. PickO(D L) random integers from GD Z2|(B)|p :dd[D], [ID,1, ID,2]ID(B)such that

d[D] d = . The reason for having an

overhead tilde for the variable d is to associate it withthe variable , since they both belong to the group G,and they satisfy the condition that

d[D] d = . We

note that the random

ds generated in this stage are later

used to re-randomize the components of the decryption

key. In this way, components in different dimensionsare tied to each other; and components from one decryp-tion key cannot be used in combination with componentsfrom another decryption key. This is how we prevent thecollusion attack as shown in Figure 2 (b).

2. Compute and release a decryption key DK G5|

(B)|. DK is composed of a portion DK(ID)for each ID (B). In the following definition forDK(ID), = (d, l) = (ID) represents the dimen-sion and depth of node ID; without risk of ambiguity,

denote 1 = ID,1, 2 = ID,2. DK(ID) is definedbelow:

dyID,1y,11yID,2y,22 , a1,1 , b1,1 , a2,2 , b2,2Observe that we release a portion of the decryption keyfor each node in (B), as opposed to for each hyper-rectangle in (

B). In this way, the size of the private

key is O(DL), instead ofO(LD). Also observe that wemultiply the first element ofDK(ID) by d. This illus-trates the binding technique used to tie together compo-nents in different dimensions. In this way, componentsin one decryption key cannot be used in combinationwith components in another decryption key; therefore,we successfully prevent the collusion attack.

Encrypt(PK, X, Msg) We create a block in the ciphertextfor every ID P(X). Equivalently, for each dimension dand depth l, denote = (d, l), we create a portion of the ci-phertext corresponding to the nodeI, residing in the dth treeat depth l, on the path Pd(X) to the root. We now describethe Encrypt algorithm in the following steps:

1. Select 2DL + 1 random integers: select r R Zp, select[r,1, r,2]=(d,l)[D][L] R Z2DLp .

2. For = (d, l) [D] [L], define I = I(X), i.e.,the node at depth l in Pd(X) in the d

th dimension. Nowcompute and output the following ciphertext C G G4DL+1:

(Msg||0m) r, gr,(b,1

Ib,1)r,1

, (a,1Ia,1)

rr,1 ,

(b,2Ib,2)

r,2, (a,2Ia,2)

rr,2

=(d,l)

[D][L]

QueryDecrypt(PK, DK, C) We first give an overviewon how QueryDecrypt works. Recall that a decryptionkey DK =

DK(ID)

ID (B) is composed of aportion DK(ID) for each ID (B). We now re-construct a decryption key for each simple hyper-rectangleidB0 (B) as below. We grab from DK a sub-key fromeach dimension: for each d [D], grab a sub-key DK(IDd)from the dth dimension, where IDd d(B). The collec-tion of sub-keys {DK(ID1), DK(ID2), . . . , DK(IDD)}can now be jointly used to decrypt a message encrypted underthe simple hyper-rectangle idB0 = (ID1, . . . , I DD).

We also need to find the correct blocks in the ciphertextto apply this key for idB0 . Recall that the ciphertext is of

the form C =

c, c0, [c,1, c,2, c,3, c,4]=(d,l)[D][L]

.

For convenience, denote c := [c,1, c,2, c,3, c,4] for = (d, l) [D] [L]. c is the block in the ciphertextcorresponding to a node in the dth dimension and at depth lof the tree. Define (ID) := (d, l) to extract the dimensionand depth of the node ID. Now for a sub-key DK(ID), de-fine = (ID), it is not hard to see that DK(ID) shouldbe used in combination with the blockc in the ciphertext.


11/15

The following algorithm iterates through the simple hyper-rectangles in (B) and checks if the ciphertext can de-crypt to a valid message under each simple hyper-rectanglein (B).

For each simple hyper-rectangle (B0) ={(ID1, ID2, . . . , I DD)} (B),(1) Let DK(IDd) = (kIDd,0, kIDd,1, kIDd,2, kIDd,3, kIDd,4)

represent the element in DK for IDd, where d [D].(2) Try to decrypt C under B0 with the collection

{DK(ID1), DK(ID2), . . . , DK(IDD)} of sub-keys:

V c

d[D],d=(IDd)

e(c0, kIDd,0) e(cd,1, kIDd,1)

e(cd,2, kIDd,2) e(cd,3, kIDd,3) e(cd,4, kIDd,4)

If V is of the form Msg||0m , then output Msg as thedecrypted plaintext and exit.

If for all simple hyper-rectangles in (B), the previous stepfails to produce the plaintext, then output .

When done naively, the above QueryDecrypt algo-rithm takes O(D(log T)D) time. However, if one saves in-termediate results, it can be done in O((log T)D) time withO(D log T) storage. The above numbers takes into accountall group operations, include multiplication, exponentiationand bilinear pairing. However, since a pairing operation istypically more expensive than exponentiation (and far moreexpensive than multiplication) in known bilinear groups, weare particularly interested in reducing the number of pair-ings at time of decryption. Notice that we can precomputeall pairings e(c0, kIDd,0) and pairings e(cd,i, kIDd,i) for

1 i 4, and store the results in a look-up table. There-

fore, the decryption algorithm requires O(D log T) pairingsin total.

6 Consistency, Security

The following two theorems state the consistency and se-curity of our MRQED construction.

Theorem 6.1 (Internal consistency). The above definedMRQED construction satisfies the consistency requirement

posed by Equation (1).

Theorem 6.2 (Selective security). The above defined

MRQED construction is selectively secure againstpolynomial-time adversaries.

Below we give an overview of the techniques used inthe security proof. The detailed proofs of Theorem 6.1 andTheorem 6.2 are provided in the online technical report ver-sion [43]. To prove the selective security of our MRQEDD

construction, we decompose the selective MRQED game intotwo games: a selective confidentiality game and a selectiveanonymity game. By the hybrid argument, if no polynomial-time adversary has more than negligible advantage in either

the confidentiality game or the anonymity game, then nopolynomial-time adversary has more than negligible advan-tage in the combined selective MRQED game.

In the proof, we build a simulator that leverages anMRQED adversary to solve the D-BDH problem or the D-Linear problem. The simulator inherits parameters specifiedby the D-BDH/D-Linear instance, hence, it has incompleteinformation about the master key. Therefore, the crux of the

proof is how to simulate the key derivation algorithm with-out knowing the complete master key. In comparison, theanonymity proof is more complicated than the confidentialityproof, because it involves a hybrid argument containing 2DLsteps. In step (d1, l1, n1) of the hybrid argument, y1,n1 andy1,n1 (1 = (d1, l1)) in the master key contain unknown pa-rameters inherited from the D-Linear instance. Therefore, weneed to condition on the relative position between X and the

(d1, l1) in question. Our proof techniques are similar to thatpresented in the AHIBE paper [15].

7 Practical Performance

In this section, we give a detailed analysis of the perfor-mance of the MRQEDD scheme given in Section 5 in prac-tical scenarios. We use the conditional release of encryptednetwork audit logs as our motivating application.

Assumptions. To evaluate the scheme of Section 5 in this ap-plication, we detail a set of scenarios regarding the searchablefields present in the logs. We assume log entries contain thefields listed in Table 2. The 17-bit time field is sufficient todistinguish times over a period of about 15 years with a onehour resolution, or about three months at a one minute resolu-tion. More precise times may be stored in the non-searchableportion of the message if desired. The protocol field cor-

Field Abbr. Range Distinct Values

Source IP sip [0, Tsip 1] Tsip = 232Dest. IP dip [0, Tdip 1] Tdip = 232

Port port [0, Tport 1] Tport = 216Time time [0, Ttime 1] Ttime = 217

Protocol prot [0, Tprot 1] Tprot = 28

Table 2. Fields appearing in a network audit log and theirpossible values.

responds to the actual bits of the corresponding field in anIP header (where, for example, 6 denotes TCP and 133 de-

notes Fibre Channel). Various subsets of these fields may beincluded as searchable attributes in MRQEDD. Other fieldsand any additional associated data such as a payload may beincluded as the encrypted message. Regardless of messagelength, we need only use the MRQEDD scheme to encrypta single group element, which may be a randomly generatedsymmetric key (e.g., for AES) used to encrypt the message.

Benchmarks for the selected pairing were run on a modernworkstation. The processor was a 64-bit, 3.2 Ghz Pentium 4.We used the Pairing-Based Cryptography (PBC) library [34],


12/15

which is in turn based on the GNU Multiple Precision Arith-metic Library (GMP). The relevant results are given in Ta-ble 3. Using these benchmark numbers, we now estimate theperformance of our encryption scheme under several scenar-ios for the network audit log application.

Operation Time

pairing (no preprocessing) 5.5 ms

pairing (after preprocessing) 2.6 mspreprocess pairing 5.9 ms

exponentiation in G, bG 6.4 msexponentiation in G 0.6 ms

multiplication in G 5.1 s

Table 3. Group arithmetic and pairing performance bench-marks on a modern workstation [34].

Public parameters and master key. The space requiredto store the public parameters and master key is logarith-mic with respect to the number of possible attribute val-ues. Specifically, denote the set of attributes as A ={sip, dip, port, time, prot}. Then for each attribute a A,define the height of the tree La = log2 Ta + 1. For example,Lsip = 33 and Lprot = 9. Then the public parameters PK re-quire a total of8

aA La = 880 elements ofG and one el-

ement ofG. Assuming 512-bit representations2 of elementsofG and G, the total size of PK is 55KB. The master keySK contains the same number of elements, again requiring55KB of storage. More space efficient pairings than the oneused in this estimate are available, but this one was selectedfor speed of evaluation.

Computation time for Setup is reasonable, given that itis only run once. Computing the public and private parame-ters in Setup requires roughly 16aA La exponentiationsand one pairing, for a total of about 11.3s. Time spent onmultiplication in this case is negligible.

Encryption. Saving the group elements of a ciphertext re-quires 4

aA La + 2 group elements, or 28KB. Note that

we normally just encrypt a session key, so this is a constantoverhead beyond the actual length of the message. RunningEncrypt requires about two exponentiations for each groupelement, resulting in a time of about 5.6s. While significant,this overhead should be acceptable in most cases in the net-work audit log example. If audit logs are high volume, thebest strategy may be to produce periodic summaries ratherthan separately encrypting each packet. The searchable at-tributes of such summaries would reflect the collection of en-

tries they represent, and the full contents of the entries couldbe included as the encrypted message without incurring ad-ditional overhead. In systems containing a cryptographic ac-celerator chip supporting ECC (such as some routers), muchhigher performance is possible. For example, the EllipticSemiconductor CLP-17 could reduce the time of exponentia-

2We consider a type A pairing using the singular curve y2 = x3 + x for

the groups G and bG with a base field size of 512-bits. Note that all groupsinvolved have 160-bit group order; the storage requirements arise from thespecific representation of elements in the elliptic curves.

tion from 6.4ms to 30s [19], resulting in a total encryptiontime as low as 27ms.

Key derivation and decryption. We now consider decryp-tion keys and the running time of the decryption algorithm,the more interesting aspects of the schemes computationaland storage requirements. The space required to store a de-cryption key, the time to derive it, and the time to decrypt

using it depend only on the ranges of attributes for which itpermits decryption. Unlike the computational and storage re-quirements discussed thus far, these costs do not depend onthe full range of possible values, only those associated withthe key. These costs depend on the number of key com-ponents necessary to represent the permissible range alongeach dimension. For example, suppose a particular decryp-tion key DK only allows decryption of entries with a desti-nation port in the range [3, 7] (perhaps placing other require-ments on the other attributes). Referring back to Figure 1,we see that three tree nodes are necessary to cover this range,so DeriveKey would include these three for the destinationport dimension in DK. Similarly, given some decryption keyDK, we denote the number of tree nodes necessary to cover

the decryption range in each of the dimensions a A byNa = |a(B)| (using the notation of Section 5). So in thisexample, Nport = 3. Note that for any a A, in the worstcase, Na = 2La 2.

Now given Na for each a A, we may com-pute the decryption costs. A decryption key consistsof 5

aA Na group elements and DeriveKey performs

8

aA Na exponentiations. The number of operationsnecessary to decrypt using a key DK is slightly moresubtle. While QueryDecrypt is (

aA La) (i.e.,

((log T)D)) overall, only O(

aA La) (i.e., O(D log T))pairings are required, as mentioned in Section 5.2. Specif-ically, we need only compute 5aA Na pairings to pop-ulate a lookup table containing values of e(c0, kID,0),e(c,1, kID,1), e(c,2, kID,2), e(c,3, kID,3), e(c,4, kID,4),and e(c,5, kID,5). These values are enough to completethe QueryDecrypt algorithm. Assuming a key will nor-mally be used to decrypt a batch of ciphertexts one after an-other, we may further reduce the cost of pairings by prepro-cessing with the key. As shown in Table 3, preprocessingreduces the pairing time by about half, at a one time cost(per decryption key DK) equivalent to one or two decryp-tions. Computed naively, the sequence of trials in step one ofQueryDecrypt end up requiring a total of |A|aA Namultiplications in G. This can be somewhat reduced. LetS1, . . . S |A| be { Na | a A } sorted in ascending order:S1

S2

. . . S |A|

. Then by saving intermediate re-sults between trials and ordering the dimensions appropri-ately, it is possible to complete step one with a total ofS1 + S1S2 + S1S2S3 + . . . S 1S2 S|A| multiplications.Specific scenarios. We have now computed the costs associ-ated with the storage and usage of a decryption key in termsof Na for a A, but we have not yet specified Na. If weassume the range for each attribute is randomly selected (uni-formly), then for each a A, the expected value of Na isLa 1. This results in a decryption key size of 33KB and


13/15

a running time for DeriveKey of 5.4s. The correspondingworst-case decryption time3 is 13.1s. We note that this is amajor cost, and likely to be inconvenient if significant quan-tities of log entries must be decrypted. Fortunately, querieseliciting such long decryption times are not likely to be nec-essary in practice. In fact, fairly elaborate queries are possiblewhile keeping decryption costs low.

In Table 4 we provide several examples that help demon-

strate this. The first entry illustrates the fact that specifying asingle value, all values, or a range of values falling on power-of-two boundaries (as in the case of an IP subnet) for someattribute a results in Na = 1, reducing decryption time dra-matically. In the next example, several attributes are requiredto be in general ranges, or, in the case ofprot, selected froma small set. This results in larger numbers of key compo-nents and slightly longer decryption times. Still, the decryp-tion time in this case is far below the time with each rangerandomly selected. As shown by the third example, largerranges result in larger values of Na and, again, somewhatlarger, but still relatively low, decryption times.

8 Extensions and Discussions

8.1 The Dual Problem and Stock Tradingthrough a Broker

In the MRQED problem, one encrypts a message Msg un-der a point X in multi-dimensional space, and given a hyper-rectangle B, the master key owner can construct a capability,allowing an auditor to decrypt all entries satisfying X B.On the other hand, the privacy of the irrelevant entries are stillpreserved.

Informally, the natural dual problem to MRQED is whereone encrypts under a hyper-rectangle B, and given a pointX, the master key owner can construct a capability allowingan auditor to decrypt all entries satisfying B X. Like inMRQED, we require that the privacy of all irrelevant entriesbe preserved. We now show an interesting application of thedual problem, and then show that MRQED implies a solutionfor the dual problem.

An interesting application of the dual problem is for trad-ing stocks and other securities. Suppose an investor tradesstocks through a broker. The investor specifies a price rangeand a time range, such that if the stock price falls within thatrange during a specific period of time, the broker can buy orsell the stock on behalf of the investor. This is usually referredto as a stop order, limit order, or stop-limit order. Sometimes,

the investor may not fully trust the broker, and may wish toconceal the price and time ranges from the broker before anorder is executed.

The dual problem can be applied in such scenarios to ad-dress the privacy concerns of investors. In particular, the stockexchange, or any third-party with knowledge of the real-time

3In reality, the average decryption time is smaller than this number, sinceupon a successful decryption, the QueryDecrypt algorithm exits aftertrying half of the combinations in expectation and thus performing half theworst-case multiplications.

stock price can act as the trusted authority who owns the mas-ter key. For convenience, in the following description, weassume that the stock exchange is the trusted authority. Theinvestor first encrypts the order along with the desired priceand time ranges, and sends the encrypted order to the broker.Suppose that at a certain point of time t, the stock price is p.The stock exchange constructs a decryption key for the pair(t, p), and hands it to the broker. With this decryption key,

the broker can decrypt all orders whose price and time rangesmatch the current price p and the current time t, and executethese orders. For orders whose price and time ranges do notmatch the current price and time, the broker cannot learn anyadditional information about these orders.

MRQED implies the dual problem. We use a two-dimensional example to illustrate how MRQED implies a so-lution for the dual problem.

Dual.Setup (, [T]2): Call MRQED.Setup (, [T]4),and output the public key PK, and master key SK.

Dual.Encrypt (PK, [x1, x2] [y1, y2], Msg): Toencrypt a message

Msgunder the range [x1, x2] [y1, y2] in 2 dimensions, call MRQED.Encrypt

(PK, (x1, x2, y1, y2), Msg). Observe that here arange [x1, x2] [y1, y2] in [T]2 is mapped to a point(x1, x2, y1, y2) in [T]

4.

Dual.DeriveKey (PK, SK, (x, y)): To generatea decryption key for the point (x, y) [T]2,call MRQED.DeriveKey (PK, SK, [1, x] [x, T] [1, y] [y, T]).

Dual.QueryDecrypt (PK, DK, C): To try to de-crypt a ciphertext C using the decryption key DK, callMRQED.QueryDecrypt (PK, DK, C).

In essence, the above construction maps a range [x1, x2][y1, y2] [T]2 to a point (x1, x2, y1, y2) [T]4, and test-ing if a point (x, y) is within the range [x1, x2] [y1, y2]is equivalent to testing whether (x1, x2, y1, y2) [1, x] [x, T] [1, y] [y, T]. It is easy to verify that the securityof the MRQED scheme guarantees a similar notion of secu-rity for the dual construction, i.e., if a decryption key fails todecrypt a certain ciphertext entry, then a probablistic polyno-mial adversary cannot learn any additional information aboutthat entry.

8.2 Adaptive Security

Our scheme is provably secure in the selective-ID model.A stronger notion of security is adaptive-ID security (alsoknown as full security), i.e., the adversary does not have tocommit ahead of time which point in the lattice to attack. Wepresent the formal definition for MRQED adaptive-ID secu-rity in the online technical report version [43]. Previous re-search has shown that IBE schemes secure in the selective-IDsense can be converted to schemes fully secure [6, 18, 46, 36]with some loss in security. In particular, Boneh and Boyenprove the following theorem:


14/15

Pairing Worst-case Worst-case

Example Query Nsip Ndip Nport Ntime Nprot Time Mult. Time Dec. Time

sip=207.44.178.,dip=216.187.103.169, port=22,

time=, prot= TCP

1 1 1 1 1 65ms < 0.1ms 65ms

sip [207.44.178.123, 207.44.182.247],dip=, port=22,

time [5pm 10/31, 9am 11/5],prot

{TCP, UDP, ICMP

}

10 1 1 7 3 286ms 1.2ms 287ms

sip [207.44.178.123, 207.60.177.15],dip [207.44.178.123, 207.60.177.15],

port [3024, 35792],time [10/31/2006, 10/31/2020],

prot{TCP, UDP, ICMP}

20 20 15 17 3 0.98s 1.64s 2.62s

Table 4. Decryption times resulting from decryption keys of various sizes.

Theorem 8.1 ([6]). A (t ,q,)-selective identity secure IBEsystem (IND-sID-CPA) that admits N distinct identities isalso a (t ,q,N)-fully secure IBE (IND-ID-CPA).

This technique can be applied to our case to achieve fullconfidentiality and anonymity. In our case, the scheme admitsN = TD identities and hence that would be the loss factor insecurity.

9 Conclusion

We design an encryption scheme that allows us to encryptan arbitrary message and a set of attributes. An authorityholding a master key can issue a search capability to an autho-rized party, allowing it to decrypt data entries whose attributesfall within specific ranges; while the privacy of other data en-tries is preserved. We prove the security of our scheme underthe D-BDH and the D-Linear assumptions in certain bilineargroups. We also study the practical performance of our con-struction in network audit log applications. Apart from net-work audit logs, MRQED can be useful in various other ap-plications such as financial audit logs, untrusted email serversand medical privacy. In particular, we show that the dualproblem can be useful for investors who wish to trade stocksthrough a broker in a privacy-preserving manner.

10 Acknowledgments

We would especially like to thank Brent Waters, DanBoneh, Matthew Wachs, and Eno Thereska for their valuablesuggestions on how to improve the paper. We also thank the

anonymous reviewers for their insightful comments.

References

[1] Michel Abdalla, Mihir Bellare, Dario Catalano, Eike Kiltz,

Tadayoshi Kohno, Tanja Lange, John Malone-Lee, Gregory

Neven, Pascal Paillier, and Haixia Shi. Searchable encryption

revisited: Consistency properties, relation to anonymous IBE,

and extensions. In Advances in Cryptology - Proceedings of

CRYPTO 05, pages 205222. Springer-Verlag, August 2005.

[2] Rakesh Agrawal, Jerry Kiernan, Ramakrishnan Srikant, and

Yirong Xu. Order preserving encryption for numeric data. In

SIGMOD 04: Proceedings of the 2004 ACM SIGMOD inter-

national conference on Management of data, pages 563574,

2004.[3] Giuseppe Ateniese, Marina Blanton, and Jonathan Kirsch. Se-

cret handshakes with dynamic and fuzzy matching. In Network

and Distributed System Security Symposium, 2007.

[4] Mihir Bellare, Alexandra Boldyreva, Anand Desai, and David

Pointcheval. Key-privacy in public-key encryption. In ASI-

ACRYPT 01: Proceedings of the 7th International Conference

on the Theory and Application of Cryptology and Information

Security, pages 566582, 2001.

[5] John Bethencourt, Dawn Song, and Brent Waters. New con-

structions and practical applications for private stream search-

ing (extended abstract). In SP 06: Proceedings of the 2006

IEEE Symposium on Security and Privacy (S&P06), pages

132139, 2006.

[6] Dan Boneh and Xavier Boyen. Efficient selective-id secure

identity-based encryption without random oracles. In EURO-

CRYPT, pages 223238, 2004.

[7] Dan Boneh and Xavier Boyen. Secure identity based encryp-

tion without random oracles. In CRYPTO, pages 443459,

2004.

[8] Dan Boneh, Xavier Boyen, and Eu-Jin Goh. Hierarchical

identity based encryption with constant size ciphertext. In

Ronald Cramer, editor, Proceedings of Eurocrypt 2005, LNCS.

Springer, 2005.

[9] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group

signatures. In CRYPTO, pages 4155, 2004.

[10] Dan Boneh, Giovanni Di Crescenzo, Rafail Ostrovsky, and

Giuseppe Persiano. Public key encryption with keywordsearch. In EUROCRYPT, pages 506522, 2004.

[11] Dan Boneh and Matthew Franklin. Identity-based encryption

from the weil pairing. SIAM J. Comput., 32(3):586615, 2003.

[12] Dan Boneh, Amit Sahai, and Brent Waters. Fully collusion

resistant traitor tracing with short ciphertexts and private keys.

In EUROCRYPT, 2006.

[13] Dan Boneh and Brent Waters. Conjunctive, subset, and range

queries on encrypted data. To appear in the Theory of Cryp-

tography Conference (TCC), 2007.


15/15

[14] Dan Boneh and Brent Waters. A fully collusion resistant

broadcast, trace and revoke system. In CCS, 2006.

[15] Xavier Boyen and Brent Waters. Anonymous hierarchi-

cal identity-based encryption (without random oracles). In

CRYPTO, 2006.

[16] Ran Canetti, Shai Halevi, and Jonathan Katz. A forward-

secure public-key encryption scheme. In EUROCRYPT, pages

255271, 2003.

[17] Ran Canetti, Shai Halevi, and Jonathan Katz. Chosen-

ciphertext security from identity-based encryption. In EURO-

CRYPT, pages 207222, 2004.

[18] Sanjit Chatterjee and Palash Sarkar. Trading time for space:

Towards an efficient IBE scheme with short(er) public param-

eters in the standard model. In Proceedings of ICISC, 2004.

[19] The Elliptic Semiconductor CLP-17 high performance elliptic

curve cryptography point multiplier core: Product brief.

http://www.ellipticsemi.com/pdf/

CLP-17 60102.pdf.

[20] Clifford Cocks. An identity based encryption scheme based on

quadratic residues. In IMA Int. Conf., pages 360363, 2001.

[21] Reza Curtmola, Juan Garay, Seny Kamara, and Rafail Ostro-

vsky. Searchable symmetric encryption: Improved definitionsand efficient constructions. In CCS, 2006.

[22] Ernesto Damiani, S. De Capitani Vimercati, Sushil Jajodia,

Stefano Paraboschi, and Pierangela Samarati. Balancing confi-

dentiality and efficiency in untrusted relational dbmss. In CCS

03: Proceedings of the 10th ACM conference on Computer

and communications security, pages 93102, 2003.

[23] D. Davis, F. Monrose, and M. K. Reiter. Time-scoped search-

ing of encrypted audit logs. In Proceeding of the Interna-

tional Conference on Information and Communications Secu-

rity (ICICS), 2004.

[24] Symantec deepsight threat management system technology

brief. https://tms.symantec.com.

[25] The dshield project. http://www.dshield.org.

[26] Craig Gentry and Alice Silverberg. Hierarchical ID-based

cryptography. In ASIACRYPT 02: Proceedings of the 8th

International Conference on the Theory and Application of

Cryptology and Information Security, pages 548566, London,

UK, 2002. Springer-Verlag.

[27] Oded Goldreich. Secure multi-party computation. Volume 2,

Foundations of Cryptography, 1998.

[28] Oded Goldreich and Rafail Ostrovsky. Software protection and

simulation on oblivious rams. J. ACM, 43(3):431473, 1996.

[29] Vipul Goyal, Omkant Pandey, Amit Sahai, and Brent Waters.

Attribute-based encryption for fine-grained access control of

encrypted data. In CCS 06: Proceedings of the 13th ACM

conference on Computer and communications security, pages

8998, 2006.

[30] Hakan Hacigumus, Bala Iyer, Chen Li, and Sharad Mehro-

tra. Executing sql over encrypted data in the database-service-

provider model. In SIGMOD 02: Proceedings of the 2002

ACM SIGMOD international conference on Management of

data, pages 216227, 2002.

[31] Jeremy Horwitz and Ben Lynn. Toward hierarchical identity-

based encryption. In EUROCRYPT 02: Proceedings of

the International Conference on the Theory and Applications

of Cryptographic Techniques, pages 466481, London, UK,

2002. Springer-Verlag.

[32] Antoine Joux. A one round protocol for tripartite Diffie-

Hellman. In ANTS-IV: Proceedings of the 4th International

Symposium on Algorithmic Number Theory, pages 385394,

London, UK, 2000. Springer-Verlag.

[33] Patrick Lincoln, Phillip A. Porras, and Vitaly Shmatikov.

Privacy-preserving sharing and correlation of security alerts.

In USENIX Security Symposium, pages 239254, 2004.

[34] Ben Lynn. The Pairing-Based Cryptography (PBC) library.

http://crypto.stanford.edu/pbc.

[35] The mynetwatchman project. http://www.

mynetwatchman.com.

[36] David Naccache. Secure and practicalidentity-based encryp-

tion. Cryptology ePrint Archive, Report 2005/369, 2005.

http://eprint.iacr.org/.

[37] Rafail Ostrovsky. Software protection and simulation on obliv-

ious RAMs. Ph.D. thesis, MIT, 1992. Preliminary version in

STOC 1990.

[38] Rafail Ostrovsky and William E. Skeith III. Private searching

on streaming data. In CRYPTO, pages 223240, 2005.

[39] Vern Paxson. Bro: A system for detecting network intruders

in real-time. In USENIX Security Symposium, 1998.

[40] P. Porras and P. Neumann. EMERALD: Event monitoring en-

abling responses to anomalous live disturbances. In National

Information Systems Security Conference, 1997.

[41] Amit Sahai and Brent Waters. Fuzzy identity-based encryp-

tion. In EUROCRYPT, pages 457473, 2005.

[42] Adi Shamir. Identity-based cryptosystems and signature

schemes. In Proceedings of CRYPTO 84 on Advances in cryp-

tology, pages 4753, New York, NY, USA, 1985. Springer-

Verlag New York, Inc.

[43] Elaine Shi, John Bethencourt, T-H. Hubert Chan, Dawn

Song, and Adrian Perrig. Multi-dimension range query

over encrypted data. Technical Report CMU-CS-06-

135, May, 2006, http://sparrow.ece.cmu.edu/

elaine/docs/rangequery.ps.

[44] The Snort open source network intrusion detection system.

http://www.snort.org.

[45] Dawn Xiaodong Song, David Wagner, and Adrian Perrig.

Practical techniques for searches on encrypted data. In SP 00:

Proceedings of the 2000 IEEE Symposium on Security and Pri-

vacy, page 44, Washington, DC, USA, 2000. IEEE Computer

Society.

[46] Brent Waters. Efficient identity-based encryption without ran-

dom oracles. In Proceedings of Eurocrypt, 2005.

[47] Brent R. Waters, Dirk Balfanz, Glenn Durfee, and D. K. Smet-

ters. Building an encrypted and searchable audit log. In Pro-

ceedings of Network and Distributed System Security Sympo-

sium (NDSS), San Diego, CA, February 2004.[48] Danfeng Yao, Nelly Fazio, Yevgeniy Dodis, and Anna Lysyan-

skaya. ID-based encryption for complex hierarchies with ap-

plications to forward security and broadcast encryption. In

CCS 04: Proceedings of the 11th ACM conference on Com-

puter and communications security, pages 354363, New

York, NY, USA, 2004. ACM Press.

Documents

Multi Dimensional Queries on Encrypted Data