Reducing Data Decryption Cost by Broadcast Encryption and Account Assignment for Web Applications

Reducing Data Decryption Cost
by Broadcast Encryption and Account Assignment
for Web Applications

Junpei Kawamoto, Qiang Ma, Masatoshi Yoshikawa
(Kyoto University, JAPAN)

Background
 Web Applications etc.
 facilitate data sharing and collaboration.
 have become notable platforms for the innovative service and
CGMs.
 User data are stored and managed by service providers.

 Can we trust providers?

2 the Ninth International Conference on Web-Age Information Management 2008/7/22

Can we trust providers?
 Of course No!
 Data encryption keeps contents confidential.
Original data: e Encrypted data: Encke(e)
e common key encryption: ke Encke(e)

Encrypt user data in client site. Server

 However data encryption is not enough.
 Social information is leaked.


Social information
 For example: Access control list by plain text

Enck1(data1) Alice Bob
Enck1(data2) Alice
Enck1(data3) Bob Carol
Enck1(data4) Bob Carol
 There are at least two groups:
 {Alice, Bob} and {Bob, Carol}
 Bob is a key person probably.


Encryption of social information
 We must hide social information.
 How do we keep social information confidential?

 We will introduce two methods.
1. Naïve method
 has high decryption cost and low authority precision.
2. Our method
 by Broadcast encryption and Account Assignment.
 has low decryption cost and high authority precision.


Naïve method
 Alice stores a data1 and grants Bob access
 She encrypts
 the data1 by a common key k1
 the k1 by her public key and Bob’s public key

Enck1(data1) EncAlice(k1) EncBob(k1)

 Bob gets the above data.
 He decrypts the key data for Bob.
 He gets the common key k1
 He can decrypt and get the data1 Server


Naïve method

Authority information
Authority information is a list, which is the individually
encrypted ke with the public key of users who are permitted.
Encpub1(ke) Encpub2(ke) Encpub n(ke)
Only authorized user can decrypt ke
and thus get the original data e.
Encke(e) and the key chain are stored in the server.


Problems
Key chains (as an authority information) are too long.

Encpub1(ke) Encpub2(ke) Encpub n(ke)
Neither user knows which data he/she can decrypt.
Therefore they must try to decrypt until successful.
If they do not have authority, they need to attempt to decrypt all data.

There are many decryption candidate data.

query ○
×
×

The result are many data to which
result
the user dose not access.

Decryption cost and Authority precision
 The decryption cost of u: cost(u)
 cost(u) = # of data user u has to try decryption
 Precision of access authority of u: r(u)
 r(u) = Auth(u) / Check(u)
 Auth(u) : # of data u has authority to
 Check(u): # of data u must check permission for


Cost and Precision of Naïve method
 How much is their cost?
Service Provider
 The cost of three users is 7.
Enck1(data1) EncAlice(k1) EncBob(k1)
Enck2(data2) EncAlice(k2)  How much is their precision?
Enck3(data3) EncBob(k3) EncCarol(k3)  r(Alice) = 2 / 4 = 0.5

Enck4(data4) EncBob(k4) EncCarol(k4)  r(Bob) = 3 / 4 = 0.75
 r(Carol) = 2 / 4 = 0.5

Alice Bob Carol


Overview of our method
Service Provider 1) Authority information
by broad cast encryption
Account 1 Account 2

Enck1(data1) Enck3(data3)
Users have to decrypt only one
to use the data.
Enck2(data2) Enck4(data4)

2) Account assignment
•Authority information
is not leaked directly.
•Reducing the data possibly
Alice Bob Carol requires decryption.
Account List: A1 Account List: A1, A2 Account List: A2

Pairing based broadcast encryption†

Alic’s public key: pubAlice
create Broadcast key: K

Bob’s public key: pubBob
The data encrypted by this key are decrypted
by each private key of Alice, Bob and Carol.

Carol’s public key: pubCarol

† D. Boneh et al, “Collusion resistant broadcast encryption with short cipher texts and private keys,”
Lecture Notes in Computer Science, 3621:258–275, November 2005.

Pairing based broadcast encryption
 Applying broadcast encryption

Encke(e) Encpub1(ke) Encpub n(ke)

Encke(e) EncK(ke)

Encrypted user data Encrypted authority information

 This approach
 keeps who has authority confidential.
 keeps how many user have authority confidential.
 needs only one decryption when user access a data.


Account assignment
 Authority information is not leaked directly.
 Reducing decrypt candidate data.
Service Provider
Alice has to get and decrypt
Account 1 Account 2 data only in the account1.
Enck1(data1) Enck3(data3) Bob does not has authority
Enck2(data2) Enck4(data4) for data2.

Alice Bob Carol

Account List: A1 Account List: A1, A2 Account List: A2

Account assignment
 Increase of decryption candidate data.
 When a account is added to account list.
 the data included in the account is added to
decryption candidate data.
 The increase of account a for group S is defined:
 IncreaseS(a) = d×Δ
 d : # of users whose account list includes a.
 Δ: # of users is S whose account list dose not
include a.
 When a new data is added,
 the increase of each account is calculated.
 the data is stored in the account with the lowest increase.


Example of our method
Service Provider  How much is their cost?
 Cost(Alice) = 2
Account 1 Account 2  Cost(Bob) = 4
Enck1(data1) Enck3(data3)  Cost(Carol) = 2
Enck2(data2) Enck4(data4)  How much is their precision?
 r(Alice) = 2 / 2 = 1
 r(Bob) = 3 / 4 = 0.75
 r(Carol) = 2 / 2 = 1

Alice Bob Carol


Experiment
 Simulation experiment
 Using a model based on BA-model† to reflect the people's
relationship

 Please refer to the paper for details.

† Albert-László et al, “Emergence of scaling in random networks,” Science, vol. 286, no. 5439, pp. 509-
512, October 1999.


Experiment result
Number Number Naïve method Our method
of users of groups Key chain avg. Precision Key chain avg. Precision

100 112 19.0 0.190 1 0.982
1,000 1034 27.3 0.0273 1 0.988
10,000 10563 42.5 0.00425 1 0.988
 Our method’s
 key chain length keeps only one.
 average of precision is higher than naïve method’s one.
 average of precision is independent on the # of users.


Experiment result

100 users 10,000 users

 The precision for most users is high.
 Most users can avoid useless decryptions.


Summary and Applications
 ACLs are encrypted for social information preservation.
 To reduce decryption cost, we introduced
1. Authority information by broad cast encryption
2. Reducing decryption candidate data by account assignment
 Our method
 dose not demand any function on the part of servers.
 can be applied to usual DBMS.
 requires re-encryption when authority is reset.
 is effective to the applications to which authority is not updated
often. (e.g. social calendar etc.)


Reducing Data Decryption Cost by Broadcast Encryption and Account Assignment for Web Applications

More Related Content

Similar to Reducing Data Decryption Cost by Broadcast Encryption and Account Assignment for Web Applications (20)

More from Junpei Kawamoto (14)

Recently uploaded (20)

Reducing Data Decryption Cost by Broadcast Encryption and Account Assignment for Web Applications