Secure Data Outsourcing

Outline Motivation Background Research issues Summary

Motivation Cost of maintaining/mining large data

4-5 times of the cost of data acquisition DBAs are paid well

More and more data service providers Low cost – cloud computing

Maintain one database for one user multiple users Examples:

Alentus.com Datapipe.com Discountasp.net …

Concerns about data security and privacy Untrusted service provider

Un-trusted service provider Lazy: incentives to perform less Curious: incentives to acquire

information Malicious:

Denial of service Incorrect results Possibly compromised

Challenges Data confidentiality

Data need to be encrypted (?) Utility of protected data?

Query utility Mining utility

Access pattern privacy Integrity

Data integrity Query integrity

Correct Complete Fresh

Why is it hard for query services? Arbitrary expressivity

SQL statements Often, restricted for certain type of query

for simplicity (e.g. range query, knn query)

Cost Communication Computation (server side vs client side)

Why it is hard for mining services? Many data mining models

Different utilities to preserve No one-size-for-all solutions

Data confidentiality Bucketization method (crypto-index) Order preserving encryption Perturbations

Bucketization method Hacigumus (SIGMOD02)

Main steps Partition sensitive attributes

Order preserving: supports comparison Random: query rewriting becomes hard

Build index on the partitions Rewrite queries to target partitions

‘john doe’ 105 Select * from T’ where name=105

Execute queries and return results Prune/post-process results on client

Trade off between confidentiality and overhead Larger partition increased privacy

increased overheads

Order preserving encryption Agrawal2004, Boldyreva2009 The set of data is securely

transformed so that the order is preserved but the distribution and domain are changed

Benefits: indexing/searching on OPE encrypted data

Weakness: once the original distribution is known, OPE is broken

Not attribute-wise order preserving Order preserving encryption (OPE, Agrawal et al

2004) is not resilient to distribution-based attacks

Original Xi distribution is known Transformed Xi’ distribution

OPE

Bucket basedEstimation

Data perturbation Definition

1. randomly change the original data2. the attacker cannot effectively recover

the original data 3. the desired properties are preserved

Techniques Single dimension: noise addition Multidimensional

Geometric perturbation Random projection RASP random space perturbation

Noise addition Y = X+ R

X: original data column, R: random noise (distribution published), Y: published data

Applications in data mining Reconstructing column distribution

Rakesh Agrawal SIGMOD 2000 Applied to privacy-preserving decision tree, naïve

bayes classifier

Attacks Spectral filtering (Kargupta ICDM 2004) PCA reconstruction (Huang SIGMOD2005)

Multiplicative perturbations Geometric data perturbation for

outsourced data mining Random Projection RASP perturbation for query services

(range query, kNN query).

Perturbation-based framework

Mining service

Geometric data perturbation Y=RX+T+D

R: secret rotation matrix (preserve Euclidean distances) T: secret random translation matrix, D: secret random

noise matrix Distances are approximately preserved (D) Resilient to most attacks to rotation perturbation

Applications Outsourced privacy preserving data mining, applicable

for many classification and clustering algorithms

Attacks Population based attacks (when covariance matrix is

revealed)

Random Projection Y=AX+D

A: random projection, e.g., entries from N(0,1)

Distances are approximately preserved Applications

Many classification and clustering algorithms Worse accuracy than geometric perturbation

Good for sparse high-dimensional data (text data), i.e., sketch methods (A is randomly generated for EACH record)

Attacks Possibly more resilient than other two

perturbation methods But utility (distance) is not well preserved

RASP perturbationk-dimensional numeric data, n records, represented as a k x n matrix, x: a record

(1) Extend x to k+2 dimensions - (K+1) th dimension is always 1 – homogeneous dimension- (K+2) th dimension v is a real random number drawn from

(2) Encryption

- A is a (k+2)x(k+2) invertible real value matrix, with at least two non-zero values for each row and the last column of A has all non-zero values

- A is shared by all records

Properties Not an OPE Preserves convexity of the dataset

Convex dataset in Rk another convex dataset in Rk+2.

Good for range query Each range query in Rk

hyperplane based query range query in Rk+2 .

RASP properties Convexity preserving

Queried range (hypercube) is convex RASP transforms the range to another convex (polyhedron)

wTx=a

half space: wTx<=a

The intersection of convex sets is also convex.

illustration of convexity preserving

Original space Encrypted space

Secure query transformation A naïve solution

Based on the convexity preserving property

Problems: (1) A-1 can be probed (2) is . . If a is known, the whole dimension i is breached.

Secure query transformation Enhanced solution

Xk+2 is always positive

(Xi-a) 0 (Xi-a)Xk+2 0 Correspondingly, in the encrypted space

yTy 0,

Problems addressed: (1) A-1 cannot be derived from (2) (Xi-a)Xk+2 0 contains the random component Xk+2 that protects the condition (Xi-a) 0

Efficient two-stage query processing

illustrated

Original space Transformed space

Stage1:Querying this boundingbox

A multidimensional tree index is been built on the encrypted data (in the transformed space) in the server.

Stage2:Filter out the junk records

Stage 1: The client calculates the large bounding box;The server uses the index to find the results.Stage 2: filter the initial results with the conditions

yTiy 0 for 1…2k

Note: the two-stage strategy works, if the output of stage 1 is significantly smaller than the original database and can be fit into the memory.

Otherwise, use linear scan with stage 2 filtering.

RASP-based data mining Preserving range query linear

classifier Use the boosting framework to get

strong classifiers (PerturBoost, in ICDM 2013)

Access pattern privacy On database queries

Problem is the same as PIR Attackers may use the access pattern to

breach data confidentiality

Each of previous approaches should handle this problem!

PIR is impractical Solutions based on private

Information retrieval (PIR) PIR is still impractical

For Bucktization approach Based on the architecture of

Hacigumus (SIGMOD02) Hore VLDB04

For range query Privacy concern: reveal the distribution

of value in each bucket “Diffusion”: split buckets and combine

parts of different buckets Trade off: now the server needs to return

more noisy results larger size

For OPE Use queries to find out the

distributions, then break the encryption

For RASP Secure query transformation Attacks to transformed queries

Oblivious RAM Access pattern: read/write data items Setting:

Client has a small secure memory Server has large insecure storage, semi-

honest Data items are encrypted Client cannot hide the accessed locations

An active area

Existing Approaches

Inside a level Some real blocks

Useful data Some dummy blocks

Random data Randomly permuted

Only the client knows the permutation

Dummy Block

Real Block

Real Block

Dummy Block

Real Block

Dummy Block

Dummy Block

Real Block

Existing Approaches

Reading Read a block from

each level One real block. Remaining are

dummy blocks

ClientServer

realdummydummydummydummy

dummy

Existing Approaches

Writing Shuffle

consecutively filled levels.

Write into next unfilled level.

Clear the source levels

Server (before) Server (after)Client

shuffleblocks

Continuous Shuffling

…

To write:

The Problem with Existing Approaches

Integrity guarantee Merkle hash tree

H(H(x1)+H(x2)) , + is string concatenation

Can be stored with tree like structure : index, xml

Hash chains

Query correctness with merkleby Devanbu et. al.

Using merkle tree

Example:5<=q<=10

LUB(q) = 4GLB(q) = 11

Operations: Selections, projections, equijoins, set ops

Issues Works only on data with verification objects Query expressiveness Expensive

Related work Pang et. al (ICDE04, SIGMOD05), using ElGamal

function Sion VLDB05: challenge token F.Li SIGMOD06: freshness

Secure keyword search Simple information retrieval

For a keyword, find the documents containing the keyword

What if the documents are encrypted word by word

and if the keyword is also encrypted

Secure keyword search Song 2000

•Seed is random, different for each Wi•Key idea: Li and Ri are self-verifiable •Advantage of XOR

How to set K?

Setting of ki Ki = Fk’(Wi), k’ is secret User publishes W and k = Fk’(W) Server checks CiW

whether <Li, Fk(Li)> == CiW It reveals nothing if Ci is not the ciphertext

for W. And Li is random for different Wi – server

cannot find any information from Li.

Hidden search In previous schemes, W is revealed

Weakness: each search will have to release k for W Easy to collect information

Solution: encrypt Wi with an private key, then xor with <Li, Fk(Li)>

Recent developments Reza 2006

“Searchable symmetric encryption: improved definitions and efficient constructions”

Completely solved this problem, with a solution indistinguishability under chosen ciphertext attack (IND-CCA)

Trusted hardware

Possible benefits

Discussion Data confidentiality/access pattern

Restrict cryptographic definition (keyword search) or

Relaxed definition (perturbation, bucketization, OPE, etc.)

It is very difficult to formulate and prove the security of non-traditional approaches Do we need to reformulate the security

model? and how?