Upload
irina
View
51
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Privacy-Preserving Computation and Verification of Aggregate Queries on Outsourced Databases. Brian Thompson 1 , Stuart Haber 2 , William G. Horne 2 , Tomas Sander 2 , and Danfeng Yao 1. 1. 2. Rutgers University Dept. of Computer Science Piscataway, NJ. Hewlett-Packard Labs - PowerPoint PPT Presentation
Citation preview
Privacy-Preserving Computation and Verification of Aggregate
Queries on Outsourced Databases
Brian Thompson1, Stuart Haber2, William G. Horne2, Tomas Sander2, and Danfeng Yao1
Rutgers UniversityDept. of Computer SciencePiscataway, NJ
Hewlett-Packard Labs5 Vaughn Dr., Suite 301Princeton, NJ
1 2
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
Contributions
• An efficient, distributed architecture for outsourcing databases
• A privacy-preserving protocol for computing aggregate queries that is resistant to collusion of dishonest service providers
• A mechanism that allows users to verify the integrity and correctness of aggregate query responses
Outline
• Motivation
• PDAS Architecture and Protocol
• Secure Computation of Aggregate Queries
• Correctness Verification
• Conclusions and Future Work
Outline
• Motivation
• PDAS Architecture and Protocol
• Secure Computation of Aggregate Queries
• Correctness Verification
• Conclusions and Future Work
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
Simple Client-Server Model
Data Owner
Client
query response
Client
ClientClient
Client
What if data owner has insufficient time or resources to answer all queries?
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
Database-As-a-Service• Outsource database to a trusted third-party
service provider (SP).• SP supports and maintains DBMS infrastructure,
stores data and responds to queries.• Applications: Census data, medical records,
network monitoring, recommendation systems.• Data may be private or sensitive.
– Only answer queries that follow a pre-defined inference control policy. outside scope
of our work
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
Database-As-a-Service
Data Owner
Service Provider
Client
query Q result AQ
Security threat!What if server is compromised or SP is malicious?
Integrity issue!How does Client know that results
are correct?
sensitive data,inference control policy
query rejected!
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
Database-As-a-Service
• Encryption [HIM02, MT06]– When client is the original data owner.
• Publish only statistics– Limits utility for complex data mining apps.
• Publish representative subset– Good for approximate query results.– No privacy for individuals in released dataset.
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
Our Solution: Privacy-Preserving Database-As-a-Service (PDAS)• Outsource database to m service providers.• Each SP gets a “share” of each data item.• Each share gives zero information, but the
shares can be combined to reconstruct the original data. [Shamir ’79]
• A homomorphic commitment scheme is used to guarantee correctness. [Pedersen ’91]
Outline
• Motivation
• PDAS Architecture and Protocol
• Secure Computation of Aggregate Queries
• Correctness Verification
• Conclusions and Future Work
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
PDAS Architecture
Data Owner
SP2 SP3SP1
Client
aggregate query Q
request shares of AQ
calculate share AQ
1calculate share AQ
3calculate share AQ
2calculate result AQ
result AQ,proof of correctness
PDAS Protocol
1. COMMIT: Data owner generates commitment values, signs root of Merkle hash tree.
2. DISTRIBUTE: Shares of each data item are distributed to SPs using Shamir secret-sharing.
3. QUERY: Client submits aggregate query to SP.4. RESPOND: SP requests shares of aggregate
from other SPs, recovers result, returns to Client.5. VERIFY: Client checks commitments against
signed root hash, verifies commitment for result.
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
Outline
• Motivation
• PDAS Architecture and Protocol
• Secure Computation of Aggregate Queries• Correctness Verification
• Conclusions and Future Work
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
• Construct a random (k-1)-degree polynomial P with P(0) = S.
• Each share is a point on the curve.• k points are both necessary and sufficient
to uniquely determine the polynomial.
Secret Sharing with Polynomials
Note: Computation in the field Fq
Note: Allows for threshold scheme
[Shamir ’79]
x1 x2 x3
(0, A)
PA(x)
(x1, PA(x1))
(x2, PA(x2))(x3, PA(x3))
Secret Sharing with PolynomialsPETS 2009
x1 x2 x3
(0, B)
PB(x)
(x1, PB(x1))(x2, PB(x2))
(x3, PB(x3))
Secret Sharing with PolynomialsPETS 2009
x1 x2 x3
(0, A)
PA(x)
(x1, PA(x1))
(x2, PA(x2))
(0, B)
PB(x)
(x1, PB(x1))(x2, PB(x2))
(x3, PA(x3))
(x3, PB(x3))
Task: secure computation of A + B
Secret Sharing with PolynomialsPETS 2009
Task: computeA + B
x1 x2 x3
PA(x)
(x1, PA(x1))
(x2, PA(x2))PB(x)
(x1, PB(x1))(x2, PB(x2))
PA+B(x)
(0, A+B)(x1, PA+B(x1))
(x2, PA+B(x2))
(x3, PA(x3))
(x3, PB(x3))
Player 1 calculates: PA(x1) + PB(x1)
(x3, PA+B(x3))
Determined the sum A+B without revealing A or B !
Secret Sharing with PolynomialsPETS 2009
Player 2 calculates: PA(x2) + PB(x2)
Player 3 calculates: PA(x3) + PB(x3)
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
• A secret-sharing polynomial Pj is constructed for each data element Dj , i.e.
• The share of data Dj for SPi is
• Suppose client queries for• SPi computes and broadcasts
• Using polynomial interpolation, the SPs can derive the polynomial
•
)()(ˆ iPiP j
)()(ˆ xPxP j
),,()0()0(ˆ1 nj DDSUMPP
Secret Sharing in PDAS
))(,( iPi j
jj DP )0(
),,( 1 nDDSUM
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
• Honest SPs only contribute to a computation if the query follows the data owner’s policy.
• PDAS allows for a (k,m) threshold scheme, where any k of m SPs can answer a query. If less than k collaborate, they learn nothing.
• If there are less than k dishonest SPs, the system has information theoretic security.
• Privacy is preserved* – no information is leaked besides the query results!
Secret Sharing in PDAS
Outline
• Motivation
• PDAS Architecture and Protocol
• Secure Computation of Aggregate Queries
• Correctness Verification
• Conclusions and Future Work
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
Verification in PDAS
The Pedersen Commitment Scheme [’91]
Prover: COMMIT( )• Publish generators of group• Choose random• Calculate commitment value:
Verifier: VERIFY( )• Check commitment:
rxr hgxC )(
pGhg,r
x
crx ,,rx
r hgxCc )(
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
Verification in PDAS• Owner computes commitment to each data entry
and signs to authenticate.• Given , the client verifies the
commitment: .• This requires access to sensitive data !• Problem: How to verify an aggregate query result
without access to individual entries?
)( jr DCj
jjj CrD ,,
Use a homomorphic commitment scheme!
jj
j
rDjrj hgDCC )(
jD
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
Verification in PDASPedersen commitment scheme is homomorphic:
What is x1+ x2?
)()()( 2121 21
2121
21xxChgxCxC rr
rrxxrr
Verify:)()()ˆ( 21ˆ 21
xCxCxC rrr
Service Provider
22
2
11
1
)(
)(
ˆˆ
2
1
2121
rxr
rxr
hgxC
hgxC
rrrxxx
rx ˆ,ˆ
21, rr CC
commitments signed by data owner
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
Verification in PDAS• Use Merkle hash tree to improve efficiency.• Data owner only signs once: the root hash.
h00 h01 h10 h11
h0 h1
hroot
)( 22xCr)( 11
xCr )( 44xCr)( 33
xCr )( 66xCr)( 55
xCr )( 88xCr)( 77
xCr
hroot
Outline
• Motivation
• PDAS Architecture and Protocol
• Secure Computation of Aggregate Queries
• Correctness Verification
• Conclusions and Future Work
Security Properties of PDAS• Secrecy: Only query results are revealed.• Security: Commitments are computationally
binding and unconditionally hiding.• Correctness: Accuracy, integrity guaranteed.• Collusion resistance: Privacy is protected
against k-1 collaborating adversaries.• Accountability: Malicious SPs will be caught.
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
In practice, may relax some properties to achieve greater functionality. Details in corrected version of paper.
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
Efficiency of PDAS
• Setup cost is O(nm) time* for data owner, but there is no maintenance cost.
• Space required is O(n) for each SP.• Time complexity to compute a query over
subset S is only O(|S|) for each SP, plus O(|S| log n) communication cost.
• Verification has computational and communication cost O(min(|S| log n, n)).
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
Extensions
• Dynamic databases– Support efficient addition/deletion
• Multiple data owners• Load balancing• Selection over insensitive attributes
– “Mixed” databases– Guaranteeing completeness
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
Future Work• Complex queries
– Nested queries– Selection over sensitive attributes– MAX, MIN
• Inference control– Differential privacy [Dwork06]
• Private Information Retrieval– [Chor, Goldreich, Kushilevitz, Sudan ‘95]
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
ConclusionsPDAS accomplishes the following goals:• A distributed architecture for computing
aggregate queries over sensitive data in outsourced databases.
• An efficient protocol for verifying the accuracy and integrity of query results.
• A secure system that is robust against a network of k-1 collaborating adversaries.
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
Thank you!
Corrected version to be available soon:http://www.cs.rutgers.edu/~danfeng/
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
Extra Slides
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
• How to enforce a query response policy?
SUM = ?
Okay, sure!
Please give me your share of Σ Dj!
Our Solution: Secret Sharing
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
• How to enforce a query response policy?
No, I’m not supposed to. . .
Please give me your share of x!
Our Solution: Secret Sharing
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
Secret Sharing
PDAS: Privacy-Preserving Database-As-a-Service
PETS 2009
Related Work• H. Hacigümüs, B. Iyer, S. Mehrotra. “Efficient Execution
of Aggregation Queries over Encrypted Relational Databases.” DASFAA, 2004.
• F. Chin. “Security Problems on Inference Control for SUM, MAX, and MIN Queries.” Journal of ACM, 1986.
• G. Jagannathan, R. Wright. “Private Inference Control for Aggregate Database Queries.” PADM, 2007.