![Introduction
Overview
Background
Tweaking Pailliear Homomorphic Cryptosystem
Overall System
Implementation and Experimental Results
Conclusions Future Work
Isn’t It a Solved Problem?
Secure pub-sub systems
Hinder matching functionality
False positives [Raiciu 2006]
Limited expressiveness [Srivatsa et al. 2007]
Key management overhead [Bacon et al. 2008]
Searchable encryption
Secure keyward matching [Song et al. 2000]
Order preserving encryption [Boldyreva et al. 2009]
Secure multi-party computation
Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS](https://image.slidesharecdn.com/sacmat-120626202702-phpapp01/85/Efficient-privacy-preserving-publish-subscribe-systems-6-320.jpg)
![Introduction
Overview
Background
Tweaking Pailliear Homomorphic Cryptosystem
Overall System
Implementation and Experimental Results
Conclusions Future Work
Allowing to Compare
Notification = x ∈ [0, 2l ], where l is the domain size
Subscription = v ∈ [0, 2l ]
Difference d = x − v
The matching table is as follows:
d Decision
0 x =v
< n/2 x >v
> n/2 x <v
Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS](https://image.slidesharecdn.com/sacmat-120626202702-phpapp01/85/Efficient-privacy-preserving-publish-subscribe-systems-18-320.jpg)
Efficient privacy preserving publish subscribe systems
- 1. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Efficient Privacy Preserving Content Based Publish Subscribe Systems Mohamed Nabeel, Ning Shang, Elisa Bertino nabeel@cs.purdue.edu June 21, 2012 Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 2. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Publish Subscribe Systems Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 3. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Content Based Pub/Sub Systems Notifications Produced by publishers Consist of set of attribute-value pairs Example: { symbol = ”MSFT”, price = 30.93, size = 1000 } Subscriptions Produced by subscribers Specify a condition on one or more attributes in a notification Examples: (symbol = ”GOOG” ∧ price ≥ 578), (1000 ≤ size ≤ 2000) Brokers match notifications against subscriptions and forward the matching notifications to authorized subscribers Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 4. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Why Filtering? Access control restrictions Computational, storage and/or bandwidth considerations Subscribers do not have sufficient computational power, storage or bandwidth Subscribers are interested only in certain types of notifications Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 5. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Security and Privacy With the utilization of third-party brokering networks, brokers cannot be trusted for the confidentiality/privacy Publication privacy Hide the notifications from brokers Subscription privacy Hide subscription from brokers Unable to link multiple subscriptions The goal of this work is to address these privacy issues Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 6. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Isn’t It a Solved Problem? Secure pub-sub systems Hinder matching functionality False positives [Raiciu 2006] Limited expressiveness [Srivatsa et al. 2007] Key management overhead [Bacon et al. 2008] Searchable encryption Secure keyward matching [Song et al. 2000] Order preserving encryption [Boldyreva et al. 2009] Secure multi-party computation Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 7. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Goals of our Work Allows brokers to make matching decisions without letting them learn the actual notifications and subscriptions Perform accurate matching and covering Support the same expressiveness as the system without security Minimize the overhead introdcued by the security layer Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 8. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work System Overview Publishers Produce ”encrypted” notifications Register subscribers Subscribers Make ”encrypted” subscriptions Brokers Authenticate subscribers and handle subscriptions Match incoming notifications with existing subscriptions and forward to the notifications to corresponding subscribers Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 9. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Trust Model Brokers are honest-but-curious Brokers may collude with one another Publishers are trusted Subscribers are not trusted for subscriptions Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 10. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Message Format Each notification consists of a set of attribute-value pairs (AVPs) The set of AVPs is called the payload The AVPs related to matching are ”blinded” using our scheme The payload is encrypted using a seperate cryptosystem Examples: Broadcast encryption, Proxy Re-Encryption, Attribute Based Encryption Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 11. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Homomorphic Encryption E (m1 ) · E (m2 ) = E (m1 ⊙ m2 ) Partially vs. fully homomorphic cryptosystems Additive homomorphic cryptosystems E (m1 ) · E (m2 ) = E (m1 + m2 ) Examples: Paillier, Damgard, Benaloh Multiplicative homomorphic cryptosystems E (m1 ) · E (m2 ) = E (m1 · m2 ) Examples: Unpadded RSA, El-Gamal Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 12. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Paillier Homomorphic Crytosystem (PHC) Key generation KG (p, q) p and q are large primes Private key = (λ, µ) Public key = (n, g ), n = pq and g ∈ Z/(n2 )× Encryption E (m, r ) c = g m · r n (mod n2 ) Decryption D(c) m = L(c λ (mod n2 )) · µ (mod n), where L(u) = (u − 1)/n Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 13. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Homomorphic Properties of PHC PHC is additive homomorphic: D(E (m1 , r1 )E (m2 , r2 ) (mod n2 )) = m1 + m2 (mod n) D(E (m1 , r1 )k (mod n2 )) = km1 (mod n) Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 14. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Tweaking PHC Making µ public Shifting the computation so that matching and covering operations are efficient Allowing to compute the randomized difference without decrypting individual values Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 15. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Making µ Public Original private key = (λ, µ) and public key = (n, g ) Modified private key = λ and public key = (n, g , µ) Due to the hardness of Computational Diffie-Hellman problem, it is hard to derive λ from µ. Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 16. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Shifting the Computation Encryption E ′ (m, r , λ) E ′ (m, r ) = E (m, r )λ = g mλ · r nλ (mod n2 ) =c Decryption D(c) D(c) = L(c (mod n2 )) · µ (mod n) Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 17. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Allowing to Compute Differences Allowing to find the difference of x and v Encryption E ′′ (x, v ) x ′ = g t · E ′ (x, r1 ) (mod n2 ) v ′ = g −t · E ′ (−v , r2 ) (mod n2 ) We get the following: x ′ · v ′ = E ′ (x − v , r3 ) Decryption D(x ′ · v ′ ) D(x ′ · v ′ ) = x − v Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 18. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Allowing to Compare Notification = x ∈ [0, 2l ], where l is the domain size Subscription = v ∈ [0, 2l ] Difference d = x − v The matching table is as follows: d Decision 0 x =v < n/2 x >v > n/2 x <v Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 19. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work How to hide the difference? The current approach reveals the difference to brokers The key idea: using the unused range to hide the difference Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 20. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Hiding the Difference Introduce two random numbers rp and rq during blinding: x ′′ = g t · E ′ (x, r1 )rp E ′ (rq ) (mod n2 ) v ′′ = g −t · E ′ (−v , r2 )rp (mod n2 ) x ′′ and v ′′ are called blinded values The decryption results in the following output: D(x ′′ · v ′′ ) = rp (x − v ) + rq = d ′ The matching table is as follows: d’ Decision ≤ n/2 x≥v > n/2 x <v Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 21. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work System Protocols and Interactions Setup Intialize system security parameters Domain size = l bits (2l << n) Register Subscribers initially registers with publishers and obtain randomized access tokens Subscribe Subscribers submit blinded subscriptions (v ′′ ) to brokers Publish Publishers submit blinded notifications (x ′′ ) to brokers Match For each notification, brokers compute x ′′ · v ′′ and make matching decision Cover Brokers find covering relationships among subscriptions Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 22. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Correctness of Matching The following shows the correctness of d ′ . Let y = x ′′ · v ′′ (mod n2 ) y = g t · (E ((rp x + rq )λ) · g −t · (E (−v ))rp λ (mod n2 ) = {E (rp x + rq )) · E (−rp v )}λ (mod n2 ) = (E (rp (x − v ) + rq ))λ (mod n2 ) d ′ = L(y ) · µ (mod n) = rp (x − v ) + rq Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 23. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Implemenation Implementation Environment Intel Core 2 Duo CPU 2.50GHz 4GB Linux kernel version 2.6.27 Java 1.6 with Bouncy Castle Two types of experiments Protocols Extension to SIENA Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 24. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Protocol Experiments (Blinding) 100 20 Encrypt Subscription (Sub) Encrypt Subscription (Sub) Blind Encrypted Subscription (Pub) Blind Encrypted Subscription (Pub) 90 Blind Notification (Pub) Blind Notification (Pub) 80 15 70 60 Time (in ms) Time (in ms) 50 10 40 30 5 20 10 0 0 200 400 600 800 1000 1200 1400 1600 1800 2000 2200 10 20 30 40 50 60 70 80 90 100 Bit length of n (Paillier) Bit length of content (l) (a) Varying n (b) Varying l Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 25. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Protocol Experiments (Match/Cover) 400 110 Match (Broker) Match (Broker) Cover (Broker) Cover (Broker) 350 300 105 Time (in microseconds) Time (in microseconds) 250 200 100 150 100 95 50 0 90 200 400 600 800 1000 1200 1400 1600 1800 2000 2200 10 20 30 40 50 60 70 80 90 100 Bit length of n (Paillier) Bit length of content (l) (c) Varying n (d) Varying l Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 26. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work System Experiments 12 140 SIENA l = 25 bits PP-CBPS l = 10 bits 120 10 100 8 Time (in microsec) Time (in ms) 80 6 60 4 40 2 20 0 0 1000 1500 2000 2500 3000 3500 4000 4500 5000 1000 1500 2000 2500 3000 3500 4000 4500 5000 No. of subscriptions No. of subscriptions (e) Equality Filtering (f) Inequality Filtering Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS
- 27. Introduction Overview Background Tweaking Pailliear Homomorphic Cryptosystem Overall System Implementation and Experimental Results Conclusions Future Work Conclusions We proposed approach for brokers to perform matching and covering operations without learning the actual subscriptions and notifications Experimental results shows that the approach is practical Our privacy preserving matching technique can be utilized in other applications Future work Implement our scheme on an industry strength JMS Support frequent subscriptions/unsubscriptions Mohamed Nabeel, Ning Shang, Elisa Bertino PP-CBPS