doc

Privacy Preserving Schemes for SQL Operations

Abhinav Parate, Bhupendra Singh

Indian Institute of Technology, Kanpur

Abstract. With the global emergence of concerns for the privacy of huge amountof information being collected in the databases, the research work in the field ofprotecting databases from exposure or any other attack has increased. Encryptiontechniques- both conventional and modern have proved out to be good technol-ogy in protecting the sensitive data. However, once encrypted, data can no longerbe queried for operations like Greater Than, Less Than, Substring matching andothers. The only operation that could be done on encrypted data is to find ex-act match. Hence, performing query over encrypted data is associated with theoverhead of decrypting the entire encrypted data and then performing the oper-ations. Here we present two schemes which can perform operations of substringmatching directly over the encrypted string data. We also present schemes forperforming aggregate operations like SUM and AVG over encrypted numericaldata.The advantage of the scheme includes no overhead of decryting the entiredata.The encryption scheme is robust and well protective.

1 INTRODUCTION

Present day Database Systems offer the protection of database from attack through themeans of access control which restricts the access to sensitive data. The access controlmechanism protects the privacy of sensitive data from intrusion through the databasesystem interfaces. The basic assumption is that the database is accessed through databasesystem interfaces. However, it is important to have such protection but this can proveout to be insufficient. It is because the raw database files remain the part of operatingsystem and hence, the attack on computer systems may lead to privacy breach if some-one gets the access to raw database files. The access to these files cannot be preventedby the access control mechanisms.

Encryption Techniques which have been proved out to be efficient in protectingthe sensitive information from being revealed easily.However, the present techniques ofencryption were not designed with the goal of protecting databases which can be veryhuge in size. As a result, incorporating the present encryption schemes directly involvesa huge overhead of decrypting the entire encrypted data before performing any kind ofoperation on them.

We present here two encryption techniques for encrypting the data of type STRING.Thesetechniques have been designed while taking care of the requirements of performing theoperations related to strings directly over the encrypted data. The SQL queries involvesthe following operations-

– String Matching: The result of the operation includes all those strings which areequal to the given string as parameter

– LIKE operation %abc%: This operation results in all those strings which have’abc’ as substring

– LIKE operation a b : This operation results in strings of the form ’axb’ where xis any character

– Pattern Matching:Mix of above two operations to result in strings matching somepattern

Our first encryption scheme is ’VDES’ i.e. Varying Distribution Encrytion Scheme.The idea behind this scheme is to completely change the distribution pattern of thecharacters present in the data. The reason being that there are some characters whichoccur much more than other characters. As a result, if someone knows the originaldistribution of the character, he may guess the encryption scheme by looking over thedistribution of encrypted characters. This scheme has been designed specifically for thedomain where program being used to answer the queries, is assumed to be protected.The encrypted database itself is useless if the program to answer query is not known oravailable.

The advantages of VDES over other encryption schemes are-

– Operations It supports all the operations mentioned above and a very good encryp-tion

– No false positives The results of the query over encrypted results only in true valuesand no false positives

– It makes database useless if the VDES program is not available– It handles updates very easily– We can change the distribution of characters very easily with updates

However,the application of the VDES is limited to incorporating it directly withdatabase which should know the unencrypted pattern i.e. it works in semi-encrypteddomain.It is not possible with this scheme to give the pattern itself in encrypted form.To overcome this limitation, we have another scheme which works entirely in encrypteddomain. This scheme we call as PPES or Product of Primes Encryption Scheme. Theadvantage of PPES over VDES is that it can work in distributed domain where key todecrypt is with client and it may not be necessarily present with the databases having theencrypted data. The client may send the pattern itself in encrypted form and databaseswill perform the pattern matching operations and return the result having encrypteddata. This encrypted data can then be decrypted by the client using key. However, thisscheme can be used in place of VDES with databases.

The above mentioned schemes are for STRING data type. However, there are alsonumeric data types in databases on which various operations like finding SUM or AVGare more common. For example, a firm may want to calculate the average salary of itsemployees or an accounting firm may want to calculate the sum total of the data it has.Due to privacy considerations, such operations should be performed over encrypted dataand it should be answered in encrypted form. For such scenario, we present a scheme forperforming aggregate operations like SUM, AVG or COUNT over encrypted numeri-cal values. This scheme, like PPES, can be used to answer queries in encrypted anddistributed domain. This technique has got application in mobile computing and cryp-tography where it is necessary to perform operations on secure encrypted data without

decryption. It is also important to keep the interaction to be minimal due to securityconcerns.

1.1 Encryption of Databases

The encryption of database is possible in two ways as follows-i.Encrypt all the files of database.ii.Encrypt the data values and store them in tables.As it must have been clear from the context, we will be encrypting data values and notthe files.

1.2 Report Layout

The rest of our report is organized as follows. We will first discuss the related work insection 2 and describe in brief the various approaches till now. We will give the details ofVDES in section 3 followed by the details of step by step approach for PPES in sections4,5 and 6. In section 7, we describe the scheme for finding all occurences of a patternspecified as regular expression against a given database string.We will then discussour scheme for performing aggregate operations for numerical data types. Finally, wegive the formal aspects of privacy-preserving computation followed by conclusion anddirections for future work.

2 RELATED WORK

The problem we are discussing is a relatively new problem and hence, there is no workrelated to performing pattern matching over encrypted data. However, the similar prob-lem has been dealt in the field of numerical data as opposed to the string data.The ideasapplied in encrypting numerical data have been helpful in understanding the variousproblems that can arise out of encryption in string data.

The technique described in [1] includes strictly increasing polynomial functions toencrypt integer values so that the order of input is preserved even in encrypted values.Hence, the operations like Greater Than, Less Than,Equal to, can be very easily per-formed on the encrypted data. Following that, the resulting encrypted values can be veryeasily decrypted. This reduced the overhead of decrypting entire database.However, thisscheme had the drawback that it revealed the distribution of input data which could beexploited using probabilistic techniques to estimate the values in some interval withsome confidence level.

In [2], there are some schemes to support keyword searches over encrypted text inemails.But these were not meant and suited for relational queries and databases.

In [3], for the first time, there was talk about executing SQL over Encrypted data.This model was for numerical data and it required many interaction between client andserver to get the results.Moreover, it resulted in the false positives whose post process-ing involved considerable overhead.

In [4], a scheme is proposed for performing operations related to order of input nu-merical data. The scheme proposed had the advantage that the distribution of encrypted

data is totally independent of the distribution of input data. This scheme is robust againstcomputer systems attack and is well compatible with the databases. This scheme can beextended for lexicographical ordering of strings but other pattern matching operationscannot be supported. This scheme can be used to answer queries like MAX,MIN andGROUP BY. But this cannot answer the queries like SUM or AVG. The model beingused by us for PPES is similar to the model described in this paper.

In [13], techniques have been proposed for performing arithmetic operations likeaddition and multiplication over encrypted data. These techniques are not applicable todatabase as it cannot be used for addition of more than two numbers. It requires messagepassing for each operation being performed.

In[15],there is a data partitioning technique to buid privacy-preserving indices onsensitive attributes of relational table.

In other papers [5][6][7][8] and [9], some encryption transformations have beendiscussed which allow direct computation on encrypted data.Such encryption transfor-mations are called Privacy Homomorphisms. These papers presented the privacy homo-morphisms for performing addition,multiplication and multiplicative inverse computa-tion on encrypted data.However, these schemes handled very small subset of input dataand had no application in databases. In [14], there is a technique for secure computationin mobile cryptography.

3 VDES:VARYING DISTRIBUTION ENCRYPTION SCHEME

As the name suggests, the idea of this scheme is to effect the distribution of charactersso that attack based on cipher-text analysis is not possible.To understand the completeidea, let us look at simpler idea and the following distribution of characters in database:

character Frequencya 200b 100e 300

Let us now look at the following encoding scheme.

character Encodinga 1234,3578b 2598e 1079,2234,7634

With the above encoding, we can encode the character a as either 1234 or as 3578 withequal probability. As we saw in the frequency table above, frequency of a is 200.Hence,a will be encrypted as 1234 100 times and as 3578 for another 100 times. Similarily, bwill be present as 2598 for 100 times. And e will be encrypted as 1079,2234 and 7634each 100 times.

String abe may get encrypted as 357825981079 without giving any idea of whatcharacters are present in string. Encryption of String abe for the second time may givecompletely different result.

However, this simple idea has the drawback of assuming static distribution of char-acters which is not true in many cases.And hence, we need to add further encryptingvalues in character-encoding table. Also, the decrypting key needs to be updated forvariable distribution case.

3.1 Improving the Scheme

character Characteristic PrimePrime Multipliers

a ap a1, a2, a3, ...b bp b1, b2, b3, ...e ep e1, e2, e3, e4, ...

In this scheme, we have a characteristic prime associated with each character.For char-acter a, we will have ap as the characteristic prime. We also have set of prime multipliersassociated with a.When a is to be encrypted, some character is chosen randomly fromthe given multiplier set and is multiplied with ap. Hence, a may get encrypted as apa1

or apa2 or apa3 and so on.The decryption key for this scheme will be the set of char-acteristic primes Cp. Using Cp, we can check if some encrypted character is equal toa or not by checking its divisibility with ap.Moreover, we can effect the distribution atany instant by changing the set of Prime Multipliers Pm. Any further, updates will behandled by the new set.

The advantage we have is that we can change the distribution of the characters aswe may want.Another advantage that we have is that we are not required to change thedecryption key although the Prime Multipliers set Pm may have got changed. Hence,we can change the set Pm , expand it or have completely new elements in it but it doesnot effect the already encrypted values in any case and are not required to be updated.

3.2 Performing the operations

String Matching The string matching algorithm over encrypted string is similar tonormal string matching. In this algorithm,the characters of given string are matchedwith the characters at respective positions of the second string.In our scheme, if weare checking the equality of character a with encrypted character d, we will get thecharacteristic prime ap for character a and check that whether encrypted character d isdivisible by ap or not.

Pattern Matching and Substring matching This operation which checks for the ex-istence of a given pattern in the encrypted string is as easy as matching a string withencrypted string. The pattern string may have % symbol which represents presence ofone or more random characters at the postion of %. The pattern string may also havesymbol to indicate presence of exactly one character at the position of in the patternstring. If the pattern does not have % or then the problem reduces to finding a stringwith given pattern as its substring. There are efficient algorithms to deal with problemof substring existence. Those algorithms can be easily applied in our case.

Search for patterns like ab%cd in string s can be handled easily by searching for abfollowed by searching for presence of cd in the substring in s following ab.

Similarily search for patterns like ab cd in string s can be handled by first searchingfor presence of ab in s and then, skipping the character following b in s.If the characterat this position in s matches c and the character following matches d, string s will begiven out as the string having pattern ab cd.

Normal String Matching Algorithm

characterAt(int pos,String s)(return the character present at position pos in the String s

)Stringmatch(String s, String t)(

int position = 1for(position=1, ,position++)(

if(characterAt(position,s)==null and characterAt(position,t)!=null)return ”Unequal strings”else if(characterAt(position,s)!=null and characterAt(position,t)==null)return ”Unequal strings”else if(characterAt(position,s)==null and characterAt(position,t)==null)return ”Equal Strings”else if(characterAt(position,s)!= characterAt(position,t))return ”Unequal Strings”else continue

))

3.3 Correctness of VDES

VDES requires the following sets for its operations:Σ: Set containing all the characters in a language Cp: A set containing of characteristicprimes of each character belonging to ΣPm: Set containing a set of Prime numbers.This set must be disjoint to set Cpi.e.Cp ∩Pm = φPi: Multiplier Set for the character ci ∈ Σ. Pi ⊆ Pm

We have some functions as described below:f :Σ → Cp

The function f is one to one and it maps each character ci ∈ Σ to pi ∈ Cp.Hence, iff(ci) =f(cj)⇒ ci = cj

g: A function that takes a set of elements as input and return one element taken offrandomly from the input set.

h:Σ → Pm

The function h takes a character ci as input and it returns some element m from its mul-tiplier set Pi.Hence,h(ci) = g(Pi)

Using above functions, we can encrypt any character ci ∈ Σ as follows-E(ci) = f(ci) × h(ci)

Theorem 1 Encryption of character x ∈ Σ as E(x) using VDES results in a uniquemapping and decryption of E(x) does not result in any false positive i.e. the result ofdecryption is correct.

Proof. Let us suppose we encrypt character ci ∈ Σ as E(ci) thenE(ci) = f(ci) × h(ci)

Assuming that the VDES results in false positive i.e.some character cj identifies forci.Hence, Based on the VDES, we must have a characteristic prime pj = f(cj) thatdivides E(ci). Since, E(ci) is product of only two prime numbers hence, if f(cj) dividesE(ci) then either f(cj) = f(ci) or f(cj) = h(ci).

If f(cj) = f(ci), then ci = cj as f is one to one mapping.Hence, it leads to contra-diction to assumption that we had a false positive.

If f(cj) = h(ci), we know that f(cj) ∈ Cp and h(ci) ∈ Pm.Also, Cp and Pm aredisjoint.Hence, f(cj) 6= h(ci).

Hence, we cannot find any cj ∈ Σ which can act as a false positive for ci.Thus,decryption of any encrypted character will result in correct character and not false char-acters.

As we know that, algorithms to find a given substring t in a string sproceed by match-ing character by character.And as Theorem 1 says, if some character is matched thenit must be the correct one.So, if each character found is correct and we have matchedthe pattern,then pattern matching must also be correct as we did it character by charac-ter.Hence,VDES query execution results only in correct results and no false positive.Itcan be stated in the form of lemma as follows-

Lemma 1. Pattern matching using VDES does not result in any false positives.

3.4 Analysis of Cryptographic Attack on VDES

As the purpose of encryption scheme is to protect the sensitive data from being exposed,we must analyse the kinds of attack that are possible and how succesfully they can behandled.

Let us suppose | Pm | = m and | Σ | = n.Hence, we have n characters in a lan-guage.Also, the number of possible multipliers for each character is m. When we en-crypt a database using VDES, we can use each multiplier along with each characteristic

prime to encrypt and result in some random distribution.As a result of using m mul-tipliers for n characters, the encrypted language consists of mn numbers.So, we haveencrypted each character with m possible numbers.

If someone has the idea of n, then he can calculate m from mn.Now, the attackerknows that each character is mapped to m different numbers.So, if he tries to applyBrute Force analysis method to identify the character and its encryption set then he cando so in following way-Of the mn numbers known to him, he can select m numbers randomly and map it forsome character c1.From the remaining (n-1)m numbers, he can select further m numbersto map it for character c2.He can continue to do so c3, c4...cn.After getting sets for eachcharacter, he can try to check if this sets work correctly.

In this brute force way, he would be required to test aroundnmCm ×(n−1)m Cm ×(n−2)m Cm ×(n−3)m Cm... ×2m Cm ×m Cm

= (nm)!/(m!)n

= (nm)(nm − 1)(nm − 2)....1/(1.2.3....m)n

> (n − 1)m(n − 2)m....1m

= ((n − 1)!)m

Hence, we see that if we have m>1 then, we can improve the complexity for bruteforce analysis significantly.And we must have m≥n to take care of the distribution sce-nario.

Cipher-Text AnalysisAnother kind of attack is based on the distribution analysis of cipher-text. By distribu-tion analysis, we mean that in general texts, frequency of some characters may occurmuch more than other characters.Using this information we can look for the characterwith maximum frequency and guess the character. As in English Language, character eis used most and hence, it can be easily recognised.After recognizing e, other charac-ters can be guessed using idea of distribution of other characters.For example, if z canoccur 0.1 times e occurs, then we can look for the encrypted character whose frequencyis roughly 0.1 times the most frequent character.Knowledge of domain can help verymuch in such cases.

As a result, it is very important to protect the distribution of characters.Hence, wecame up with the idea of varying distribution. VDES results in a distribution whichgives no idea of the original distribution of characters.Hence, it is secure from Cipher-text analysis attack.

However, there is another kind of cipher-text analysis where we look for the mostfrequent digram (two characters in a sequence) in cipher-text.This is also not possiblein VDES as the same digram can be mapped in m*m ways.Hence, it is difficult to tellwhich digram is most frequent.

Another way to attack is to identify the set Cp.This set can be obtained only by fac-torising the product terms available to the attacker.This attack can be made very costlyif we use very big prime numbers in the set.Hence, factorization becomes difficult.

3.5 Memory Requirement

VDES has been made very efficient to protect the sensitive data by using very largeprime numbers in CpandPm. However, this comes at a cost in terms of memory re-quirements.

Any prime number p requires blg(p)c + 1 bits of memory. Since, we need to savethe product terms, memory for a product term is b2lg(p)c + 1 where p is the largestprime number in Cp ∪ Pm.

Hence, a character which required 8-bits now requires around (b2lg(p)c+ 1)-bits.

3.6 Strength of VDES

The strength of VDES lies in the fact that it performs the task of pattern matchingover encrypted data in an elegant manner and at the same time, the encryption schemeis strong enough against brute force analysis attack or cipher-text analysis attack. Al-though the encryption key may change, the length and the value of decryption keyremain fixed.

This scheme can be readily integrated with the Database softwares available in themarket and can be used for the goals we inteded to achieve.

i.To reduce the overhead of decrypting entire database in order to perform a query.ii.To design an encryption scheme which achieves the goal stated above along with theprotection of database from cipher-text analysis attack.

4 PPES: PRODUCT OF PRIMES ENCRYPTION SCHEME

4.1 Why introducing PPES when VDES works?

As we have seen in the previous section that with VDES, we have been able to achievethe goals we intended to achieve.The use scenario of next scheme called Product OfPrimes Encryption Scheme is little bit different from the scenario of VDES. In VDES,database program is required to have knowledge of decryption keys for answering thequeries.On the other hand, PPES has no knowledge of encrypting or decrypting keysand it can still execute the queries and answer directly in encrypted form.PPES returnsthe correct results or atleast a superset of correct results. The results will be in encryptedform as the database is not aware of the key.Also, the query will have the pattern stringin encrypted form. Hence, PPES works entirely in an encrypted domain. This has anadvantage when we deal with databases and the results distributed over network.

VDES can be used efficiently where protecting pattern itself is not important andthe program answering query is assumed to be protected. Based on the knowledge ofkeys,VDES database performs the query execution and returns unencrypted answersif desired.PPES can also be used in this use scenario. For this, we can make databaseaware of the keys.And when the query arrives, we can modify this query to have en-crypted pattern and then perform execution of this modified query. With the help ofdecryption key, we can decrypt the result to give final result as output.

As it is clear from the two use scenarios, there was a need of PPES.

4.2 Model of PPES

Model of PPES is shown in figure below.

4.3 Intuition behind PPES

Let us consider this encryption scheme-Assuming that there is a function e:Σ∗ → P where Σ is the set of alphabets or charactersand P is a set of prime numbers.Hence e is function that maps each substring to a uniqueprime number.

Using the above mapping, we can encrypt any string s as E(s) as follows:E(s) = e(t1) × e(t2) × e(t3).... × e(tn)where t1, t2, t3, ...., tn are the possible substrings present in s

Similarily, E(abc) = e(a)×e(b)×e(c)×e(ab)×e(bc)×e(abc) As a result of aboveway of encryption, E(s) has a term for every substring present in it. So, if we look for asubstring t in s, we can evaluate E(t) first and then check for the divisibility of E(s) byE(t). Divisibility implies the presence of substring t in s.This can be stated as

A string s will have string t as its substring if E(t)|E(s)

Inverse of above:If some number N divides E(s), then there exists a substring t ins such that E(t)=N.This statement may not be true. As we saw in case of E(abc), itis divisible by e(ab) × e(bc) but there exists no substring t such that E(t)=e(ab) ×e(bc).Hence, inverse statement is false in this case.

Although this idea can check the presence of a substring in just one step but thenumber of primes required to encrypt any string increases exponentially with the lengthof string. If the number of character are n and the maximum length of any string is l,then the number of primes required are around nl+1. If n is around 256 which is 28 thenthe number of primes required can go out of bound with l = 5 only.One way of savingthe number of primes required is to allot the prime number to only those substringswhich are actually present in dictionary.And all remaining substrings possible may begiven a single unique prime number. This idea is again not good as the size of dictionarymay also be very large.

4.4 Our approach to PPES

As we saw above that the requirement of primes is increasing exponentially with thesize of the strings handled by PPES scheme. So we can restructure the scheme in thefollowing manner so that it would be feasible to implement PPES:

Let Σ is the set of alphabets and P is the set of available prime numbers. Nowconsider the random (or private) mapping e : Σ∗ → P such that e maps strings over Σto pth prime number from the set P where 1 ≤p ≤| P |.

Since mapping is random (or private) then we can assume that the probability thattwo strings will map to same prime number is 1/| P | (or can be calculated based on theprivate mapping).

Now we can encrypt a string s as E(s) using above mapping as follows:

E(s)= e(t1) × e(t2) × e(t3).... × e(tn)

where t1, t2, t3, ...., tn are all the possible substrings present in s.The same is applied to the pattern t to get E(t). Hence if t is a substring of s then E(t)must divide E(s).

4.5 Performing the operations

String matching String matching in PPES is totally different from traditional stringmatching techniques. So if we are searching for string abc (let say string t) then first wehave to encrypt t using the above encryption function i.e.

E(t) = e(t1) × e(t2) × e(t3).... × e(tn)

where t1, t2, t3, ...., tn are the all possible substrings present in t

Now if E(t) divides E(s) where s is the string in which t is being searched then t ispresent in s or we can say that t is one of the substring of s.

In PPES, string matching cost depends only on length of string being matched unliketraditional techniques where cost depends on length of string being matched as well aslength of target string. So in PPES, string matching cost is just the cost of encrypting tand cost of one division operation. So if the pattern string is small enough then stringmatching can be done very fast.

4.6 Correctness of PPES: Existence of false positives

Lets consider a given string s whose length is W so s will have W(W+1)/2 substrings.And we are searching for string t of length w. Let E(s) and E(t) be the encryption of sand t respectively.

Theorem 2 If t is a substring of s then E(t) must divide E(s).

Proof. Lets t has k substrings t1, t2, ...., tk so E(t) will be

E(t)= e(t1) × e(t2) × e(t3).... × e(tk)

And as t is a substring of s so all the substrings of t must be present in the set of allsubstrings of s. So if s has n+k number of substrings then the encryption of s will be

E(s)= e(t1) × e(t2) × e(t3).... × e(tk) × e(s1) × e(s2).... × e(sn)

And as we can see that all the factors of E(t) are present is E(s) so E(t) must divideE(s). But vice versa is not true.

Lemma 2. String matching in PPES will result into a superset of actual resultset i.e.false postivies may exist in the resulting set but there will be no false negative.

Proof. In above theorem we have shown that false negative will not exist. Now supposeif t is not a substring of s then we can only assure of t not being present in s whichimplies that all other substrings of t except t itself, may be present in s which implies ife(t) and e(some substring of s) are mapped to same prime then it can make E(s) divisibleby E(t) so it will lead to false positive.

4.7 Probabilty analysis of false positives

In this section we shall try to find out an upper bound on probabilty of a false posi-tive. So lets assume t is pattern string of length w and s is the given string of lengthW (W ≥ w) and E(t) divides E(s). So there are w(w + 1)/2 substrings in t, and eachof them is mapped to the same prime as some substring of s. In particular, the string tis mapped to e(t) and e(t) is present in E(s). So we have to find out an upper bound onthe probability that E(t) divides E(s) but t is not a substring of s.Since E(t) divides E(s), the string t maps to e(t) which is also the mapping of some

substring of s. Now there are W(W+1)/2 substrings of s so the probability of this isbounded by

(W (W + 1)/2) × (1/ | P |).So probability will decrease with larger | P |.

4.8 Memory requirements

Let s be a string whose unique substrings are t1, t2, ...., tk and substring ti repeats ei

times. And let ti is mapped to prime pi i.e. e(ti)=pi. Then the encryption correspondingto s will be

E(s) = e(t1)e1 × e(t2)

e2 × .... × e(tk)ek

And the size of the number p is given by lg(p) bits. So the string s will consumelg(E(s)) bits.

lg(E(s)) = (e1 × lg(e(t1))) × (e2 × lg(e(t2))) × ....(ek × lg(e(tk)))

If pmax is the largest prime from the set of primes, P. Then

lg(E(s)) ≤ lg(pmax) × (e1 + e2 + .... + ek)

And (e1 + e2 + .... + ek) is same as W(W+1)/2 where W is the length of s. So,

log(E(s) ≤ lg(pmax) × W (W + 1)/2

Which implies that memory requirements will increase quadratically with the size ofstring. So this scheme is not good for large documents but can handle strings of middlesize i.e. addresses.

4.9 Cryptographic analysis of PPES

For querying PPES encryted database, pattern t must be given in encrypted form, E(t),or indivdual factors can also be given over network but E(t) is preferred as individualfactors may reveal the nature of query (if somebody knows about the domain i.e. ifroll numbers are being stored into the database and somebody knows the format of rollnumber i.e. Y**** then he can easily break the query). But in database we are storingencrypted form of string s so factorizing E(s) will take significant amount of time. Letsassume that | Σ |=n and | P |=m. So if somebody knows n and m then tries to breakthis encryption then he can do as following:

1. Factorize reasonable amount of numbers from the database which is obviously veryhard task as string of length l will have l(l + 1)/2 prime factors.

2. Then analyze the distribution of all prime numbers or choose brute force analysisi.e. map each prime to all possible strings.

Now if n=40 and l=20 where l is domain parameter which tells that all strings indatabase can be of atmost length l then then all possible strings in that domain(≥(n× nl−1

n−1 )) will be around 4020(> 1025). So brute force approach will have that manymappings for a single prime.

Cipher text analysis of the data is very hard as all the data is in form of product ofmany prime numbers so factorizing each one is very expensive hence attacked based ondistribution can’t happen.

4.10 Strength of PPES

The main strength of PPES is that we can query the database over the network withhigh safety. Pattern matching operation (which is a very common operation on stringsin database) in PPES is very fast and is independent of size the target string.

5 Extension of substring method

Let s be a string. Let n = |s|. Suppose that we store a set {s1, s2, . . . , sm} of distinctsubstrings of s. Encode each of these substrings, that is, obtain, E(s1), E(s2), . . . , E(sm)and then multiply these m primes to obtain the encoding of the string. The number ofdistinct substrings of s is n · (n + 1)/2. Therefore, this scheme saves space comparedto the PPES scheme, provided, m < n · (n + 1)/2.

The method for checking whether a given string t is a substring of s is as follows.t is a substring of s if and only if t can be extended (perhaps on both sides) so that theextended string becomes equal to s. If t cannot be extended as above , then t is not asubstring of s. Equivalently, if t can be extended in either direction so that it becomesequal to any one of the known substrings s1, s2, .., sm, then also t can be inferred to bea substring of s. The problem is therefore the following.

Design a choice of the substrings s1, .., sm of s in such a way so that for every stringt, it can be efficiently inferred whether t is a substring of s. For a given value w, a stringt′ is said to be a w-extension of t, if, t is a substring of t′ and |t′| − |t| = w. The setof all strings that are w′-extensions of a given string t, where, w′ <= w, defines thew-extension ball centered at t.

Suppose t′ lies in the w-extension ball centered at t, and an encoding E(t′) is avail-able. Then, if t is extended by a total of at most w characters on either side and thenencoded, this encoding will equal the encoding of t′ . The complexity of this operationis the number of extension strings that are checked, that is, the size of a w-extensionball. Let Σ denote the alphabet over which the strings are formed. Then, the size of anyw-extension ball is given by

∑

0≤x+y≤w

|Σ|x+y(x + y + 1) = O(w · |Σ|w+2)

The problem is to design substrings s1, . . . , sm such that given any substring t of s,there exists an index r, 1 ≤ r ≤ m, and sr lies within a w-extension ball centered at

t. Consider the following scheme. Keep substrings si,j , where, 1 ≤ i ≤ d nw+1e, and

1 ≤ j ≤ 1 + b nw+1c. The substring si,j refers to the substring of s of length (w + 1) · i

that begins at position (w + 1) · (j − 1) + 1. For a fixed value of i, the set of substringssi,j gives substrings of a fixed length at offsets 1, 1 + (w + 1), 1 + 2 · (w + 1), . . ., etc..The set of substring lengths ranges from w + 1, 2 · (w + 1), 3 · (w + 1), . . ., etc..

5.1 Correctness of the scheme

In this section, we argue the correctness of the above scheme.We say that a substring t of s is w-covered by a substring si,j , provided, si,j is in the

w-extension ball centered at t. We first show that the set of strings that are w-coveredby the si,j’s are all distinct. That is, if (i, j) 6= (i′, j′), then, the set of strings coveredby si,j and the set of strings covered by si′,j′ has no overlap.

Lemma 3. Let t be a substring of s that is w-covered by both si,j and si′,j′ . Then,i = i′ and j = j′.

Proof. Suppose that i 6= i′, that is, the lengths are different. Thus, ||si,j |− |si′,j′ || > w.However, if t lies in the coverage of both the substrings, then, it follows that,

w > ||si,j | − |si′,j′ || = |(|si,j | − |t|) − (|si,j | − |t|) = |w1 − w2| ≤ w

where, w1 = |si,j | − |t| and w2 = |si,j | − |t||. Since, both si,j and si,j′ lies in thew-extension ball centered at t, it follows that 0 ≤ w1 ≤ w and 0 ≤ w2 ≤ w, implyinga contradiction. Now suppose that i = i′, that is the lengths of the substrings are thesame, and j 6= j′. A similar argument can be made for this case as well. ut

The above argument shows that if t is any substring of s, then there is at most one si,j

such that si,j is in the w-extension circle centered at t. We now show that for everysubstring t of s, there is always one si,j lying within the 2w-extension ball centered att.

Lemma 4. Let t be a substring of s. Then there exists at least one si,j that 2 ·w-coverst.

Proof. Suppose that t starts at position p. Let r be the remainder and j ′ be the quotientwhen p − 1 is divided by w + 1, that is,

p − 1 = (w + 1) · j′ + r, where, 0 ≤ r < w + 1. (1)

Let i′ and r′ be the quotient and remainder respectively, when, |t| + r is divided byw + 1, that is,

|t| + r = (w + 1) · i′ + r′, where, 0 ≤ r′ < w + 1. (2)

Consider the substring si,j , where, j = j′ + 1 and i′ = i if r′ = 0 and i′ = i + 1otherwise.

Since p− 1 = (w + 1) · j ′ + r, it follows that the starting position of the string si,j ,namely, (w + 1) · (j − 1) + 1 = (w + 1) · j ′ + 1 ≤ (w + 1) · j′ + r +1 = p. Therefore,

the starting position of si,j lies on or before the starting position of the given substringt. The length of the string si,j is given by (w + 1) · i. The effective length of the stringbecomes |t|+ r. If r′ = 0, then, the ending location of si,j matches the ending locationof t. Otherwise, r′ > 0 and i = i′ + 1. Therefore, ending location of si,j equals

(w + 1) · (j − 1) + (w + 1) · i= (w + 1) · j′ + (w + 1) · (i′ + 1) = (w + 1) · j′ + (w + 1) · i′ + (w + 1)

= (w + 1) · j′ + |t| + r − r′ + (w + 1) = (w + 1) · j ′ + r + |t| − r′ + (w + 1)

= p − 1 + r + |t| − r′ + w + 1 = (p + |t| − 1) + r + (w + 1 − r′)

> (p + |t| − 1)

Thus, si,j ends on or after t ends. It follows that si,j contains t. By the above analysis,it follows that,

|si,j | − |t| = (w + 1) · i − |t| .

There are two cases, namely, i = i′, if r′ = 0 and i = i′ + 1, if r′ > 0. Suppose thatr′ = 0. Then,

|si,j | − |t| = (w + 1) · i′ − |t| = |t| + r − |t|, by equation (2)= r ≤ w, by equation (1).

Otherwise, assume that 0 < r′ ≤ w and i = i′ + 1. Then, we have,

|si,j | − |t| = (w + 1) · i − |t| = (w + 1) · (i′ + 1) − |t|= (w + 1) · i′ + (w + 1) − |t|= |t| + r − r′ + (w + 1) − |t|, by equation (2)= w + 1 + r − r′

≤ 2 · w, since, r′ ≥ 1 and r ≤ w. ut

This worst case is attained if t is the substring s[w + 1, w + 2] of size 2. Then, it iscovered by the substring s2,1 of size 2 · (w + 1). Therefore, the minimum extensionnecessary is 2 · (w + 1) − 2 = 2 · w, matching the bound in Lemma 4. The test forwhether a given string t is a substring of the string s is as follows. Enumerate the w-extension ball centered at t and check if any of them is exactly equal to one of the si,j ’s(or, equivalently, encode each string of the w-extension ball centered at t and check ifthe encoding divides the product

∏

i,j E(si,j)). In view of Lemma 4, this test worksif instead of w, we use the parameter w

2 in the definition of the si,j’s. Therefore, thenumber of strings si,j is given by

⌈ n

bw2 c + 1

⌉2= O

(

n2

w2

)

5.2 Lower bound on number of substrings required

We now consider a lower bound on the space used by any encoding algorithm that usesthe above principle of matching strings from a w-extension ball centered at t.

Lemma 5. Let s′ be any substring of s of size at least w + 1. Then, the number ofsubstrings t such that s′ lies in the w-extension ball centered at t is at most 1

2 · (w +1) ·(w + 2).

Proof. Let a denote the number of characters extended at the left end of t and b denotethe number of characters extended at the right end of t, to obtain s′. Each distinct choiceof a and b such that a + b ≤ w gives a distinct t such that s′ lies in the w-extension ballcentered at t. Therefore, the number of possible such substrings is given by

w∑

a=0

w−a∑

b=0

1 =

w∑

a=0

(w − a + 1) =

w+1∑

a′=1

a′ =1

2· (w + 1) · (w + 2) .

Lemma 6. The number of substrings of a given string s of size n that must be storedby any scheme that works based on testing the equality of one of the substrings with amember of the w-extension of a given string t is at least n·(n+1)

(w+1)·(w+2) .

Proof. The number of substrings of a given string s is n · (n + 1)/2. By Lemma 5, itfollows that each substring of size at least w +1 w-covers (w + 1) · (w +2) substrings.Substrings of size less than w + 1 w-covers even fewer strings. Therefore, in order tow-cover all substrings, the minimum number of strings that must be used is at least

n·(n+1)(w+1)·(w+2) . ut

It follows that the number of substrings used by our proposed scheme is O( n2

w2 ), whichis within a small constant factor of the lower bound, namely, n·(n+1)

(w+1)·(w+2) , by Lemma 6.

6 A Hierarchical Scheme

In this section, we propose a two-step scheme that is based on the previous scheme.Let w1 and w2 be two integer parameters, where, w1 > w2 > 0. Given a database

string s, we first divide it into adjacent blocks of size w1, that is, s = s1s2 · · · sk, where,each of the si’s have size w1 and the last block is padded by the requisite number ofnull characters to ensure that its length is exactly w1. The encoding of s, namely, E(s),is a hierarchical data structure. Its first field is the sequence of the encodings of theblocks, that is, E(s1) ◦ E(s2) ◦ · · · ◦E(sk), where, ◦ denotes the sequencing operator.We assume that w1 is large enough to negate statistical attacks to decode the encryptedblocks. Let t be a substring of s. Then, the following two exclusive possibilities hold.

1. In a match of t with s, t spans more than one block of s. In other words, t can bewritten as t = t0t1t2 . . . tl, where, l ≥ 1, and t1, t2, . . . , tl−1 are blocks of lengthw1 each and |t0| ≤ w1 and |tl| ≤ w1. Further, there exists an index r with theproperty that sr = t1, sr+1 = t2, . . . , sr+l−1 = tl−1 and t0 is a suffix of sr−1 andtl is a prefix of the string sr.

2. In a match of t with s, t is contained within a block of s. That is, |t| ≤ w1 and t isa substring of sr, for some index r, 1 ≤ r ≤ k.

The second possibility can be effectively solved by storing, for each block si, 1 ≤ i ≤k, a set of substrings of si in their encoded form using an extension parameter w2, asdetailed in Section 5. Thus, if |t| ≤ w1, and there is a match of t with a substring ofs that is completely contained within a block, then, such a match can be effectivelydecided. The total number of encodings in this scheme are as follows.

O

(

k · w21

w22

)

= O

(

n

w1· w2

1

w22

)

= O

(

n · w1

w22

)

(3)

In order to identify a match where t is a substring of a block of s, the w2-extensionball of t has to enumerated and compared against all the encodings of the substringsof the blocks of s. Assuming that all the encodings are stored as a hash table, then,the dominant component of the cost of this operation is the cost of enumerating thew2-extension ball centered at t. As discussed in Section 5, this cost is O(w2 · |Σ|w2).

Single Text Offset, Multiple Pattern Offsets. We now consider the scenario depicted bythe first possibility, namely, that t is a substring of s and a match of t spans multipleblocks of s. Since the match of t with the matching portion of s may start at any po-sition p, 1 ≤ p ≤ w1, where, p is the starting position of first block of s from wherethe match begins. To alleviate this situation, we assume that the pattern t is encoded inw1 distinct ways, obtained by shifting the starting position of the first block of t by aparameter u = 0,−1,−2, . . . ,−(w1 − 1) respectively. Thus, if u = 0, the first blockcontains the characters t1t2 · · · tw1

and the remaining blocks are constructed sequen-tially thereafter. If u = −1, then the first block contains the characters t1t2 · · · tw1−1,and the remaining blocks are constructed sequentially thereafter. For a general value ofu, the first block contains the characters t1t2 · · · tw1+u, and the remaining blocks areencoded in sequence. Thus, t is encoded w1 times, with offsets ranging from 0 to w1−1.This increases the encoded size of the pattern t by a factor of w1. Note that althoughwe have assumed that the offset for the text string s is 0, it is in general not necessaryto assume this. The offset for the text string can be set to any random value between 0and −w1 + 1; this has the added advantage of reducing the chance of statistical attacks.

Matching Algorithm. For a given offset position u, −w1 + 1 ≤ u ≤ 0, denote the jth

block of t defined for this offset position as t(u)j . Let lu denote the number of blocks of

t encoded with an offset of u. Assume that t is a substring of s and there is a match of tspanning multiple blocks of s. Then, there exists an offset position u, −w1+1 ≤ u ≤ 0,and an index r, 1 ≤ r ≤ k, such that, t

(u)1 is a suffix of sr, t

(u)j = sr+j , for 2 ≤ j ≤

lu−1 and t(u)lu

is a prefix of sr+lu . Since t(u)j = sr+j , it follows that E(t

(u)j ) = E(sr+j).

Further, since there are at most w1 possible non-empty prefixes and w1 possible non-empty suffixes of any block, the encodings of the prefixes and suffixes of each blockof the text string are also stored along with the chosen set of substrings for the block.The number of blocks are k = d n

w1

e. The number of prefixes and suffixes of a block is2 · w1. Therefore, the total number of prefix and suffix encodings is

d n

w1e · 2 · w1 ≤ 2 · n + 2 · w1 = O(n) . (4)

The number of encodings required for the pattern string is w1 · d |t|w1

e = O(|t|), and istherefore, linear in the size of the pattern string. The total number of encodings (space)required for the text string s is given by the sum of equations (3) and (4), which isO(n·w1

w2

2

+ n). Suppose that the database string size n is large, and w1 is chosen to besay 64. If w2 is chosen to be 4, then, this reflects a substantial improvement over theO( n2

w2 ) encodings scheme presented in Section 5. Specifically, if w2 ≥ √w1, then, the

number of text encodings is linear in n. The time complexity of the substring matchingoperation is O(w2

1 · n · |Σ|√

w1).

Cryptographic Strength. Suppose that t is a substring of s and there is a match of t thatoverlaps multiple blocks of s. Then, in the encrypted string, the approximate position oft within s can be inferred. Although, if s and t are both unknown to a third party (say,the data mining outfit), then, this revelation is of no consequence. If t is a substring ofs that is completely contained in a single block of s, then, no positional information isrevealed. Another property of the hierarchical scheme is that all matches of t with s canbe found. That is, if t occurs many times in s, then, all occurrences of t can be foundusing the data structure. Once again, if this inference is being done by a third party,which is not privy to either s or t, then, no information is revealed.

7 Matching Patterns specified as Regular Expressions

In this section, we present a scheme for finding all occurrences of a pattern specified as aregular expression against a given encrypted database string s. We first discuss a simpleprinciple of privacy preserving computations, and, then, state the problem that arises inthe context of privacy preserving finite automaton computations and then present onepossible solution to it.

7.1 A principle of privacy preserving computations

Privacy cannot be preserved by computations that encrypt or decrypt using symmetrickeys. Further, privacy is not preserved if text is either encrypted or decrypted withinthe program. The principle states the following. Suppose that there is a privacy preserv-ing computation being carried out within a third party, and the computation applies asymmetric key encryption (or decryption) function to some text. We can assume thatthe key is available to the program and therefore to the third party (using program anal-ysis). Further, we assume that the encryption algorithm is also known. Therefore, thethird party can both encrypt and decrypt the text or cipertext, as the case may be. Thesecond statement of the principle is more general; clearly, if a string is encrypted ordecrypted, then the string is revealed. A consequence of the above discussion is that theall privacy preserving computations must work on ciphertext.

7.2 Privacy preservation of state transition computations

Let D be a deterministic finite automaton that accepts a given regular expression. Wenote that there is a basic problem in preserving the privacy of a string accepted by afinite automaton.

Consider the state transition function of the given DFA D. We can assume that theset of states of the automaton is known to the data mining party (or can be inferredfrom the code available). Let t′ be the string seen so far by the DFA D, and let q bethe current state of D. The next transition reveals the letter that extends t′ and the nextstate of D. By keeping track of the matching letters in this manner, the matching stringcan be known in entirety. Therefore, the most that can be assumed is that the lettersof the alphabet Σ are encrypted. This is equivalent to assuming that the alphabet Σhas been permuted, using a permutation that is not known to the data mining party.However, using statistical analysis, the data mining party can gain some information,and therefore can make a guess for the pattern string whose probability of being correctis greater than that of a random guess. Note that the problem is independent of themechanism used for encrypting the database string s.

7.3 A weak solution

The problem outlined in Section 7.2 is inherent to finite automaton computations.A DFA extends the prefix of a matching string by a single letter to obtain a longer

prefix. Thus, the unit of encryption possible are the letters of the alphabet Σ , makingit susceptible to statistical attacks. A simple extension is to transform the given DFA Dinto another machine D′ (D′ is a finite state automaton with a little extra power) suchthat, D′ makes its transformations on the strings of Σw, where, w is a parameter. Thefinal suffix of any string of the regular language whose size is not a multiple of w usestransitions from the enlarged alphabet ∪w−1

w′=1Σw′

. The value of w is not known to thedata mining party. We choose a permutation π that maps Σw to Σw, and ensure thatD′ uses the transformed alphabet π(Σw). The values of w and π are withheld from thedata mining party.

The scheme is better than the previous scheme, since statistical attacks would re-quire knowledge of statistics of strings of size w, for an unknown (though small) valueof w. This reduces the effectiveness of statistical attacks. This approach can be strength-ened slightly, as demonstrated below by means of an example.

7.4 A slightly better solution

Consider the alphabet Σ = {a1, a2, . . . , ak}. Suppose we choose powers of 2, namely,2, 22, . . . , 2v, where, v is a parameter, v ≤ k. Partition the alphabet into w subsets, Σi,1 ≤ i ≤ v, such that the subsets are pair-wise disjoint. Define the following sets.

Λi = Σ2i

i , for 1 ≤ i ≤ v.

That is, the set Λi is the set of strings of size 2i that is constructed from letters from Σi.For 1 ≤ i ≤ v − 1, define the following set.

∆i = {σ | |σ| = 2i and σ ∈ (∪vj=iΣj)

∗ and ∃ a, b ∈ σ such that a ∈ Σi and b ∈ (∪vj=i+1Σj)

∗}

The set ∆i is the cross set between Σi and the partitions with indices higher than j.That is, it is the set of all strings of size 2i over the letters of partitions with indices i or

above (i.e., ∆i ⊂ (∪vj=iΣj)

2i

). Further, all strings in ∆i are constrained to containedat least one occurrence from the sets Σi and ∪v

j=i+1Σj (i.e., it is a cross string).Let w = 2v. As a consequence of the construction, the sets ∪v

i=1Λi and the sets∪v−1

i=1 ∆i can generate Σw uniquely. That is, each string of Σw can be uniquely repre-sented as the concatenation of strings in the Λ and ∆ sets (prove!).

The transformed and equivalent automaton D′ can be constructed so that it uses thefollowing alphabet.

Σ′ = alphabet of D′ = E(∪vi=1Λi ∪ ∪v−1

i=1 ∆i)

That is, members of Σ ′ are encrypted members of Λi’s and ∆i’s. Accordingly, thedatabase string s is encrypted accordingly.

Cryptographic strength. The privacy of the scheme draws from the fact that the parti-tion of the original alphabet into the subsets is not known to the third party. Further, thevalue of v is also withheld from the third party. These two reasons reduce the effective-ness of statistical attacks. However, some information about the length of the string canbe deduced.

8 Performing Aggregate Operations on Encrypted NumericValues

In this section, we propose a scheme for performing aggregate operations like SUM,AVG or COUNT on encrypted numeric data. A lot of work has been done in the pastin the field of security and mobile computing for performing arithmetic operations overencrypted numbers. These are based on encryption transformations called Privacy Ho-momorphisms (refer [5],[6],[7],[8],[9]).However, these techniques are not applicable todatabases. Many of these are limited to operations on two numbers and some of theserequire message passing for each operation(refer [13]). Recent works related to perform-ing query over encrypted data allow comparison operations like GREATER THAN,LESS THAN, MAX or MIN (refer [4]).

The scheme proposed by us is directly applicable to the databases and is robustagainst brute force or cipher-text analysis attack.

8.1 Scheme 1

Our scheme is based on the fact that we can use a function, say f , to encrypt a numericvalue d such that f(x, y, ..) = d. The solution < x, y, .. > can be used as an encryptedvalue for d. The properties which a function f should satisfy are as follows-

1. The function f should have many solutions equation f(x, y, ..) = d where d canbe any numeric value in the range of data being encrypted i.e. f is many-to-onefunction.

2. The function f should have atleast two arguments.3. It should be possible to evaluate Σf(xi, yi, ...) given the values of Σxi, Σyi, ...

Let us consider a function f(x, y) = kx+y. This function satisfies all the propertiesstated above. Hence, we can encrypt any data d as < x, y > such that kx + y = d.Note that, it is possible to have many solutions for the same data d. Let us assumethat we have to add n numeric values d1, d2, ..., dn and we have the encrypted values< x1, y1 >, < x2, y2 >, ..., < xn, yn >. Given the encrypted values, we can calculateΣn

i=1xi and Σni=1yi. Obtaining these values, we can evaluate Σn

i=1di as it is given byΣn

i=1di = kΣni=1xi + Σn

i=1yi. So, we see that we can perform the addition directlyover the encrypted data. Based on the knowledge of xi and yi, it is not possible to getdi without the knowledge of k. It is also possible to have function having n argumentswhere n > 2.

This simple idea has a drawback that it discloses the data distribution. For aboveexample, encrypted values corresponding to same data d will lie on the same line withslope k. Identification of any one line will give the value of k. Drawing lines throughother points and parallel to line corresponding to d will result in distribution knowledgebased on the distance between lines. This is the major limitation which needs to beeliminated.

8.2 Improving the Scheme

Based on the above idea, we find a function f which satisfies the properties statedearlier. Let us take f(x, y) = kx+y. Now, we select two prime numbers p and q. Then,we find the solution < x, y > for f(x, y) = d where d is numeric data being encrypted.Now, instead of encrypting d as < x, y >, we encrypt d as < a, b > such that a modp = x and b mod q = y. Note that the encrypted set consisting of all < a, b > forf(amod p, b mod q) = d is spread over the entire space and not just on a line. And it isnot possible to guess the value of d without knowing prime numbers p and q.

But the above scheme is prone to attack. As p is a large prime number and x1 andx2 are mapped to mp + x1 and np + x2 respectively so one can get approximate valueof m/n by calculating (mp + x1)/(np + x2) and subsequently m and n as m, n areintegers. Now one can guess p very closely. Using same approach q can also be guessed.Knowing p and q one will retrieve all < x, y > tuple.

8.3 Scheme 2

Let us suppose, the data value d to be protected can be represented as N -bits long binarynumber. Identify the set of Linear Transformations L. Now, do as follows-

1. Divide the N -bits long binary number into m consecutive unequal parts.2. Apply linear transformations from the set L to each of the m parts so as to map

each part to a binary number of fixed length l.3. Now, re-order these linearly operated parts and save these re-ordered parts in database.

The order for shuffling these parts will be fixed.

The data encrypted in above format can be used for performing addition directly withoutdecryption. To get the sum of any n numbers, we need to do the addition of entriescorresponding to these n numbers for each of the m columns. This gives the result inencrypted form. The result can be decrypted as follows-

1. As the re-ordering sequence is known to us, we re-order the the m-parts of result inoriginal sequence.

2. As each part was linearly transformed, so the addition of linearly transformed valuecorresponds to linear transformation of addition of original values i.e. h(Σn

i=1xi) =Σn

i=1h(xi). This linear transformation h is known to us and we know h(Σni=1xi),

we can use the inverse function h−1 to get Σni=1xi.

3. Get the binary representation of Σni=1xi for each of the m columns. The resulting

m parts can be used to get the final result.

The strength of above scheme is based on the fact that the way N -bits number is bro-ken into m unequal parts, is not known to the third party performing computation onencrypted data. Total number of ways in which N -bits number can be broken into mconsecutive unequal parts is N−1Cm−1 − 1. For N=128 and m=10, number of waysfor this are O(1014). Also, the number of ways m parts can be reordered is m! which isO(106) for m=10.So, to break the encryption, the intruder must be able to guess the lin-ear transformations corresponding to each part and then check O(1020) cases in worstcase.

8.4 Final Scheme

As we saw, Scheme 1 is not strong enough to protect the data itself but it hides thedistribution very well.On the other hand, Scheme 2 is highly protective but it does nothide the data distribution. Hence, we came up with a final scheme which is fusion ofScheme 1 and Scheme 2.

Compute < x, y > and calculate < a, b > tuple using scheme1 and protect a and busing scheme 2. In this manner, we not only protect the data but also the distribution.

9 Formal aspects of privacy preserving computations

In this section, we formally define privacy preserving computations and partial privacypreserving computations.

Definition 7. A language L ⊆ Σ∗×Σ∗ is said to be computable in a privacy-preservingfashion if there exist computable functions f and g and a Turing machine M ′ such that,(x, y) ∈ L if and only if (f(x), g(y)) ∈ L(M ′) and ENTROPY((x, y) | (f(x), g(y))) =ENTROPY((x, y)). ut

The intended meaning of the string (x, y) of L is that x is a database string and y is anencoding of the property being checked. We present several examples later on to clarifythe above definition. In general, the calculation of the conditional entropy function mayprove to be difficult. In order to extend the scope of the definition, we also introducethe notion of partially privacy preserving computations and the index of privacy preser-vation. In this section, the letter M , together with subscripts and superscripts, typicallydenote Turing Machines (TMs).

Definition 8. A language L ⊆ Σ∗×Σ∗ is said to be computable in a partially privacy-preserving fashion if there exist computable functions f and g and a Turing machineM ′ such that, (x, y) ∈ L if and only if (f(x), g(y)) ∈ L(M ′) and ENTROPY((x, y) |(f(x), g(y))) ≤ ENTROPY((x, y)). The index of privacy preservation is defined asENTROPY((x,y)|(f(x),g(y)))

ENTROPY((x,y)) . ut

The formal definitions are intended for comparing competitive privacy preserving schemes.We now present examples of languages that can be computed while partially preservingprivacy.

Example 9. Let L = {(x, y) | y is a substring of x}. Then, f(x) can be the PPESencoding of x, and g(y) could be the function mapping strings to primes, using thesame mapping function used by f . Here, the TM M ′ checks whether g(y)|f(x). ut

Example 10. Let L be any language that satisfies the following property: |{y | (x, y) ∈L}| is finite. Let L1 denote the language {x | ∃y such that (x, y) ∈ L}. For everyx ∈ Σ∗, f(x) is the PPES encoding of {y | (x, y) ∈ L}. Since this set is finite for allx ∈ Sigma∗, the PPES encoding is well-defined. The function g(y) is the mapping ofy to a prime using the same mapping function used by f . The mapping described is,in general, partially privacy preserving, since, for every x, such that x ∈ Σ∗ − L1, thePPES encoding f(x) corresponds to the empty string. This reveals some informationabout the database strings. ut

The complexity of a partially privacy preserving mapping is parameterized by severalmeasures. The database size measure is given by |f(x)| as a function of |x|. This is ameasure of the expansion in the size of the database strings. The input size measure isgiven by |g(y)| as a function of the input size |y|. The time and space complexity of theinput transformations f and g form yet another set of relevant complexity measures.The time and space complexity of deciding the transformed language {(f(x), g(y)) |(x, y) ∈ Σ∗} yields the final measure of complexity.

Example 11. The universal language U = {(x, 〈M〉) | x ∈ L(M)}, where, 〈M〉 repre-sents the encoding of the TM M . Consider the alphabet scrambling scheme discussedin Section 7.4. Let g(〈M〉) = 〈M ′′〉, where, M ′′ is the TM that is isomorphic to M ,except that the alphabet used is the transformed alphabet Σ ′, corresponding to the spe-cific bits used by the alphabet scrambling scheme. Let f(x) be the encoding of x in thealphabet Σ′. Let M ′ be the universal TM over the alphabet Σ ′.

The reason for calling this language as the universal language for privacy preserva-tion is that if L can be computed in a privacy preserving fashion, then, all recursive setscan be computed in a privacy preserving fashion. This can be argued as follows. Let Lbe a language that is computable in a privacy preserving fashion. Then, there exists com-putable functions, f1, g1 and a TM R such that (x, y) ∈ L iff (f1(x), g1(y) ∈ L(R).For a given y ∈ Σ∗, let < N(y) > be the encoding of a Turing machine N(y) thatworks as follows. N(y) takes an input u and runs R on the pair (f1(u), g1(y)), ac-cepting iff R accepts. Consider the pair (x, < N(y) >). Clearly, x ∈ L(N(y)) iff(f1(x), g1(y) ∈ L(R). ut

10 Conclusions

With increasing concerns for privacy and safety of data, it has become necessary todevelop techniques for the preservation of data being collected in databases. As it ispossible for an intruder to get access to raw database files, there is a threat of informa-tion leakage or exposure.Encryption techniques come as a rescuing technique for thisproblem but it renders the encrypted data useless for answering any SQL queries.In thispaper, we have presented schemes which can perform SQL queries directly over theencrypted data. The VDES scheme suggested in this paper can be used for protectingvariable length string data and answering pattern matching queries. This scheme can beused in the domain where program running to answer the query is assumed to be safe.Another scheme, for string pattern related queries, called Extension of PPES given inSection 5 can be used for complete security. This can also be used for third party com-putation without any revelation. We also provide a scheme in Section 8 that preservesthe result of SUM and AVERAGE operations of numerical data types. We see that ifabove schemes are incorporated with the OPES scheme presented in [4], the encrypteddatabase will be able to answer the following queries: Exact String Matching, FindingSubstrings in given set of Strings, Pattern matching in strings (LIKE operations) andqueries related to numerical data type like SUM,AVG,COUNT,MAX,MIN,GROUP BYand ORDER BY.

11 Future Work

In future, the work done in this paper can be extended to find a better technique forregular expression matching. Also, the techniques presented by us for answering SQLqueries come with a cost in terms of higher secondary memory/storage requirements.Although secondary memory is getting cheaper, reduction in its usage can have a bet-ter performance impact on implementation. Also, the scheme described in Section 8for preserving aggregate operations on numerical data types can be extended to answerMAX or MIN queries.Acknowledgments . We would like to thank Dr. Sumit Ganguly for his constant guid-ance, motivation and for being a source of inspiration for us.

References

1. Ozsoyoglu, Singer. Anti-tamper databases :querying encrypted databases.In Proc. Of 17thannual IFIP WG11.3 Working conference on Database and Application Security, Colorado,August 2003.

2. Song, Wagner and A.Perrig. Practical techniques for searches on encrypted data.In IEESymp. on security and privacy, Oakland, California, 2000

3. H.Hacigumus, B.R.Iyer, C.Li and S.Mehrotra. Executing SQL over encrypted database-service-provider model.In Proc. Of ACM SIGMOD Conf on Mamagement of Data, Madison,Wisconsin, June 2002.

4. R.Agrawal, J.Kiernan, R.Srikant and Y.Xu. Order Preserving Encryption for NumericData.In SIGMOD 2004, Paris, France, June 2004.

5. N.Ahituv, Y.Lapid and Neumann. Processing encrypted data.Communications ofACM30(9):777-780, 1987.

6. J. Domingo-Ferrer and J.Herrera-Joancomarati. A privacy homomorphism allowing field op-erations on encrypted data.Journes de Matematica Discreta i Algorismica, Universitat Po-litecnica de Catalunya, March 1998.

7. J.Domingo-Ferrer. A new Privacy homomorphism and applications.Information ProcessingLetters, 60(5):277-282, 1996.

8. Feigenbaum, Liberman and R.N.Wright. Cryptographic protection of databases and soft-ware.In Proc. of DIMACS Workshop on Distributed Computing and Cryptography, 1990.

9. R.L.Rivest, L.Adelman and M.Dertouzos. On data banks and privacy homomorphisms.InFoundations of secure computation, 169-178, 1978.

10. R.Agrawal, D.Asonov and R.Srikant. Enabling sovereign informatrion sharing using webservice.In SIGMOD 2004,Paris,France,June 2004.

11. R.Agrawal, Bayardo, Kiernan, Faloustsos, Rantzau and R.Srikant. Auditing ComplianceWith a Hippocratic Database.In Proceedings of VLDB Conference, Toronto, Canada, 2004

12. R.Agrawal and R.Srikant. In Proc. Of ACM SIGMOD Conference on Management of Data,2000.

13. I-Ling Yen,Wei Li,Qingkai Ma and Farokh Bastani.Secure Computation with Low Overhead.In University of Texas at Dallas,Richardson

14. Tomas Sanderand Christian F. Tschudin. Towards Mobile Cryptography. In Proceedings ofthe IEEE Symposium on Security and Privacy

15. Bijit Hore, Sharad Mehrotra and Gene Tsudik.A Privacy-Presrving Index for Range Queries.In Proceedings of 30th VLDB Conference, Toronto,Canada, 2004.

Appendix Privacy of the SUM operator

In this section, we present a solution to the following problem. Given a column of valuesd1, d2, . . . , dn, compute the sumd1 + d2 + . . . + dn in a privacy preserving fashion.Assume thatM is an upper bound on this sum. This section should be studied withSection 8 of this paper.

Fix an elementd = di occurring in the column. Letd be partitioned as the sumd = x + y of two elementsx andy, where,x < U andy < U for some upper boundU . Choose two distinct numbersa andb, each larger thanM · U , such thata andb areboth prime numbers.1 Further, without loss of generality, assume thata > b.

Consider the groupG = {0, 1, 2, . . . , a − 1} under the operation of+ mod a.Consider the groupH = (b), that is, the group generated byb, that is, the setH ={b, 2b, 3b, . . .}. H is a subgroup ofG. By Lagrange’s theorem,|H|||G|. Let |H| = h.SinceH is a subgroup ofG, it contains the 0 element. Let the zero element bekb,where,1 ≤ k ≤ h ≤ a. Thus,kb|a. Since,(a, b) = 1, therefore,k|a. Sincea is prime,k|a andk ≤ a iff k = a. This implies thath = |G| and therefore,H = G. Thus, thereexists a unique indexk1 such thatk1b = 1 mod a. Let a′ = a mod b. In a similarway, it can be argued that there exists a unique integerk2 such thatk2a = 1 mod b.

We can now design the encoding scheme as follows. Corresponding to a given inte-gerd, construct the following integer.

ENCODING(d) = k1 · b · x+ k2 · a · y, where,x+ y = d, x < U, andy < U .

Given valuesd1, d2, . . . , dn, each of the values is first transformed intodi = xi + yi,using private bits. Subsequently, we form ENCODING(di), for i = 1, 2, . . . , n. The sumis obtained by taking the sum of the encodings. That is,

ENCODING(n∑i=1

di) =n∑i=1

ENCODING(di) = k1 · b ·n∑i=1

xi + k2 · a ·n∑i=1

yi .

The decoding operation is as follows.

x = ENCODING(d) mod a and y = ENCODING(d) mod b

The correctness of the decoding operation can be shown provided, each ofa andb areat leastM . Since,k1 · b = 1 mod a andx < M ≤ a, therefore,

ENCODING(d) mod a = k1 · b · x mod a = x mod a = x.

Similarly, it can be shown that ENCODING(d) mod b = y. Now x + y can be addedto obtaind.

1 the notation(a, b) stands for theGCD of a andb.

doc

Technology

entire encrypted data

sensitive data

privacy of huge

sql operations abhinav

nd ex act match

research work

good technol ogy

global emergence of