privacy-preserving computation and verification of aggregate queries on outsourced databases brian...

Privacy-Preserving Computation and Verification of Aggregate

Queries on Outsourced Databases

Brian Thompson1, Stuart Haber2, William G. Horne2, Tomas Sander2, and Danfeng Yao1

Rutgers University

Dept. of Computer Science

Piscataway, NJ

Hewlett-Packard Labs

5 Vaughn Dr., Suite 301

Princeton, NJ

1 2

PDAS: Privacy-Preserving Database-As-a-Service

PETS 2009

Contributions

• An efficient, distributed architecture for outsourcing databases

• A privacy-preserving protocol for computing aggregate queries that is resistant to collusion of dishonest service providers

• A mechanism that allows users to verify the integrity and correctness of aggregate query responses

Outline

• Motivation

• PDAS Architecture and Protocol

• Secure Computation of Aggregate Queries

• Correctness Verification

• Conclusions and Future Work


PETS 2009

Simple Client-Server Model

Data Owner

Client

query response

Client

ClientClient

Client

What if data owner has insufficient time or resources to answer all queries?


PETS 2009

Database-As-a-Service• Outsource database to a trusted third-party

service provider (SP).

• SP supports and maintains DBMS infrastructure, stores data and responds to queries.

• Applications: Census data, medical records, network monitoring, recommendation systems.

• Data may be private or sensitive.– Only answer queries that follow a pre-defined

inference control policy. outside scope of our work


PETS 2009

Database-As-a-Service

Data Owner

Service Provider

Client

query Q result AQ

Security threat!

What if server is compromised or SP is malicious?

Integrity issue!

How does Client know that results

are correct?

sensitive data,inference control policy

query rejected!


PETS 2009

Database-As-a-Service

• Encryption [HIM02, MT06]– When client is the original data owner.

• Publish only statistics– Limits utility for complex data mining apps.

• Publish representative subset– Good for approximate query results.– No privacy for individuals in released dataset.


PETS 2009

Our Solution: Privacy-Preserving Database-As-a-Service (PDAS)

• Outsource database to m service providers.

• Each SP gets a “share” of each data item.

• Each share gives zero information, but the shares can be combined to reconstruct the original data. [Shamir ’79]

• A homomorphic commitment scheme is used to guarantee correctness. [Pedersen ’91]

Outline

• Motivation






PETS 2009

PDAS Architecture

Data Owner

SP2 SP3SP1

Client

aggregate query Q

request shares of AQ

calculate share AQ

1

calculate share AQ

3

calculate share AQ

2

calculate result AQ

result AQ,proof of correctness

PDAS Protocol

1. COMMIT: Data owner generates commitment values, signs root of Merkle hash tree.

2. DISTRIBUTE: Shares of each data item are distributed to SPs using Shamir secret-sharing.

3. QUERY: Client submits aggregate query to SP.

4. RESPOND: SP requests shares of aggregate from other SPs, recovers result, returns to Client.

5. VERIFY: Client checks commitments against signed root hash, verifies commitment for result.


PETS 2009

Outline

• Motivation






PETS 2009

• Construct a random (k-1)-degree polynomial P with P(0) = S.

• Each share is a point on the curve.

• k points are both necessary and sufficientto uniquely determine the polynomial.

Secret Sharing with Polynomials

Note: Computation in the field Fq

Note: Allows for threshold scheme

[Shamir ’79]

x1 x2 x3

(0, A)

PA(x)

(x1, PA(x1))

(x2, PA(x2))(x3, PA(x3))

Secret Sharing with PolynomialsPETS 2009

x1 x2 x3

(0, B)

PB(x)

(x1, PB(x1))(x2, PB(x2))

(x3, PB(x3))


x1 x2 x3

(0, A)

PA(x)

(x1, PA(x1))

(x2, PA(x2))

(0, B)

PB(x)

(x1, PB(x1))(x2, PB(x2))

(x3, PA(x3))

(x3, PB(x3))

Task: secure computation of A + B


Task: computeA + B

x1 x2 x3

PA(x)

(x1, PA(x1))

(x2, PA(x2))PB(x)

(x1, PB(x1))(x2, PB(x2))

PA+B(x)

(0, A+B)(x1, PA+B(x1))

(x2, PA+B(x2))

(x3, PA(x3))

(x3, PB(x3))

Player 1 calculates: PA(x1) + PB(x1)

(x3, PA+B(x3))

Determined the sum A+B without revealing A or B !





PETS 2009

• A secret-sharing polynomial Pj is constructed for each data element Dj , i.e.

• The share of data Dj for SPi is

• Suppose client queries for

• SPi computes and broadcasts

• Using polynomial interpolation, the SPs can derive the polynomial

•

)()(ˆ iPiP j

)()(ˆ xPxP j

),,()0()0(ˆ1 nj DDSUMPP

Secret Sharing in PDAS

))(,( iPi j

jj DP )0(

),,( 1 nDDSUM


PETS 2009

• Honest SPs only contribute to a computation if the query follows the data owner’s policy.

• PDAS allows for a (k,m) threshold scheme, where any k of m SPs can answer a query. If less than k collaborate, they learn nothing.

• If there are less than k dishonest SPs, the system has information theoretic security.

• Privacy is preserved* – no information is leaked besides the query results!

Secret Sharing in PDAS

Outline

• Motivation






PETS 2009

Verification in PDAS

The Pedersen Commitment Scheme [’91]

Prover: COMMIT( )• Publish generators of group• Choose random• Calculate commitment value:

Verifier: VERIFY( )• Check commitment:

rxr hgxC )(

pGhg,r

x

crx ,,rx

r hgxCc )(


PETS 2009

Verification in PDAS• Owner computes commitment to each data

entry and signs to authenticate.

• Given , the client verifies the commitment: .

• This requires access to sensitive data !• Problem: How to verify an aggregate query

result without access to individual entries?

)( jr DCj

jjj CrD ,,

Use a homomorphic commitment scheme!

jj

j

rDjrj hgDCC )(

jD


PETS 2009

Verification in PDASPedersen commitment scheme is homomorphic:

What is x1+ x2?

)()()( 2121 21

2121

21xxChgxCxC rr

rrxxrr

Verify:)()()ˆ( 21ˆ 21

xCxCxC rrr

Service Provider

22

2

11

1

)(

)(

ˆˆ

2

1

2121

rxr

rxr

hgxC

hgxC

rrrxxx

rx ˆ,ˆ

21, rr CC

commitments signed by data owner


PETS 2009

Verification in PDAS

• Use Merkle hash tree to improve efficiency.

• Data owner only signs once: the root hash.

h00 h01 h10 h11

h0 h1

hroot

)( 22xCr)( 11

xCr )( 44xCr)( 33

xCr )( 66xCr)( 55

xCr )( 88xCr)( 77

xCr

hroot

Outline

• Motivation





Security Properties of PDAS

• Secrecy: Only query results are revealed.

• Security: Commitments are computationally binding and unconditionally hiding.

• Correctness: Accuracy, integrity guaranteed.

• Collusion resistance: Privacy is protected against k-1 collaborating adversaries.

• Accountability: Malicious SPs will be caught.


PETS 2009

In practice, may relax some properties to achieve greater functionality. Details in corrected version of paper.


PETS 2009

Efficiency of PDAS

• Setup cost is O(nm) time* for data owner, but there is no maintenance cost.

• Space required is O(n) for each SP.• Time complexity to compute a query over

subset S is only O(|S|) for each SP, plus O(|S| log n) communication cost.

• Verification has computational and communication cost O(min(|S| log n, n)).


PETS 2009

Extensions

• Dynamic databases– Support efficient addition/deletion

• Multiple data owners• Load balancing• Selection over insensitive attributes

– “Mixed” databases

– Guaranteeing completeness


PETS 2009

Future Work

• Complex queries– Nested queries– Selection over sensitive attributes– MAX, MIN

• Inference control– Differential privacy [Dwork06]

• Private Information Retrieval– [Chor, Goldreich, Kushilevitz, Sudan ‘95]


PETS 2009

Conclusions

PDAS accomplishes the following goals:

• A distributed architecture for computing aggregate queries over sensitive data in outsourced databases.

• An efficient protocol for verifying the accuracy and integrity of query results.

• A secure system that is robust against a network of k-1 collaborating adversaries.


PETS 2009

Thank you!

Corrected version to be available soon:

http://www.cs.rutgers.edu/~danfeng/


PETS 2009


PETS 2009

Extra Slides


PETS 2009

• How to enforce a query response policy?

SUM = ?

Okay, sure!

Please give me your share of Σ Dj!

Our Solution: Secret Sharing


PETS 2009

• How to enforce a query response policy?

No, I’m not supposed to. . .

Please give me your share of x!

Our Solution: Secret Sharing


PETS 2009

Secret Sharing


PETS 2009

Related Work

• H. Hacigümüs, B. Iyer, S. Mehrotra. “Efficient Execution of Aggregation Queries over Encrypted Relational Databases.” DASFAA, 2004.

• F. Chin. “Security Problems on Inference Control for SUM, MAX, and MIN Queries.” Journal of ACM, 1986.

• G. Jagannathan, R. Wright. “Private Inference Control for Aggregate Database Queries.” PADM, 2007.

privacy-preserving computation and verification of aggregate queries on outsourced databases brian...

Documents