Goals
Context
POPE Construction
Results
POPE: Partial Order Preserving Encoding
Daniel S. Roche* Daniel Apon† Seung Geol Choi*
Arkady Yerukhimovich‡
*U.S. Naval Academy
†University of Maryland
‡MIT Lincoln Laboratory
ACM CCS 2016
Vienna, Austria
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
October 27, 2016
1 / 23
Goals
Context
POPE Construction
Results
Problem: Encrypting a Database Index
Cloud databases are popular for many reasons:
Low cost
High availability
High performance
...
But these systems are regularly compromised by attackers.
(Consider just voter databases in the last year!)
Challenge: Securing data without compromising performance (too much)
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
October 27, 2016
2 / 23
Goals
Context
POPE Construction
Results
Tradeoffs and Choices
1
Features
(Query support, multi/single user)
2
Performance
(Server time/memory, client time/memory, transfer size, rounds)
3
Privacy
(What might be leaked? What kind of adversary?)
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
October 27, 2016
3 / 23
Goals
Context
POPE Construction
Results
Our Target Features
This work focuses on a common big data scenario:
Many insertions (should be as fast as possible)
Fewer lookups or range queries
Data: Key/value store, i.e. all queries on a single column.
Example Dataset
4 million employees, with lookups by salary.
(California public employees database)
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
October 27, 2016
4 / 23
Goals
Context
POPE Construction
Results
This talk
Focusing on many insertions and fewer range queries:
1
Existing approaches, performance/privacy tradeoffs
2
Our construction: POPE
Provides a new compromise between performance and privacy
3
Evaluation and experiments
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
October 27, 2016
5 / 23
Goals
Context
POPE Construction
Results
Context of POPE
Our target: Many insertions,
few range queries
Current options:
No encryption
performance
TB scale
GB scale
Traditional OPE
PPE, ORE, or Interactive
OPE
MB scale
ORAMs
KB scale
Encrypt the entire
database
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
ak
ed
ak
ed
si
ze
s
le
le
de
r
POPE will provide a new
compromise in this space
or
ke
ys
le
ak
ed
privacy
October 27, 2016
6 / 23
Goals
Context
POPE Construction
Results
Storing keys in plaintext
Trivial solution:
Store keys in plaintext,
encrypt payloads only
Possible with any existing
cloud database solution.
performance
Plaintext
TB scale
GB scale
MB scale
KB scale
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
ak
ed
ak
ed
si
ze
s
le
le
de
r
or
ke
ys
le
ak
ed
privacy
October 27, 2016
7 / 23
Goals
Context
POPE Construction
Results
Order-Preserving Encryption (OPE)
Idea:
Can compare keys by
comparing ciphertexts.
These schemes are used in
industry today!
Hot topic:
Agrawal et. al.’04
performance
Plaintext
TB scale
OPE
GB scale
MB scale
KB scale
Baldyreva et. al., ’09, ’11
Mavroforakis et. al., ’15
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
ak
ed
ak
ed
s
le
le
si
ze
or
ke
ys
Lewi & Wu ’16 (ORE)
de
r
le
ak
ed
privacy
October 27, 2016
8 / 23
Goals
Context
POPE Construction
Results
Order-Preserving Encryption (OPE)
Idea:
Can compare keys by
comparing ciphertexts.
These schemes are used in
industry today!
Hot topic for attacks:
Baldyreva et. al.’11
performance
Plaintext
TB scale
OPE
GB scale
MB scale
KB scale
Naveed et. al.’15
Durak et. al.’16
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
ak
ed
ak
ed
s
le
le
si
ze
or
ke
ys
Grubbs et. al.’16
de
r
le
ak
ed
privacy
October 27, 2016
8 / 23
Goals
Context
POPE Construction
Results
Interactive OPE
Idea:
Use an interactive protocol to
compare ciphertexts
Achieves ideal security
leaking only the order
performance
Plaintext
TB scale
OPE
GB scale
Interactive OPE
MB scale
Popa et. al.’13
Kerschbaum et. al., ’14
KB scale
Kerschbaum ’15
privacy
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
ak
ed
ak
ed
si
ze
s
le
le
de
r
(Ideal ORE of Boneh et. al.’15
fits most closely here.)
or
ke
ys
le
ak
ed
Boelter ’16
October 27, 2016
9 / 23
Goals
Context
POPE Construction
Results
Oblivious RAM (ORAM)
Idea:
Store data structure in an
ORAM to hide access patterns
performance
Plaintext
TB scale
OPE
GB scale
Goldreich & Ostrovsky ’96
Stefanov et. al. ’13
Interactive OPE
MB scale
ORAM
Wang et. al. ’14
Devadas et. al. ’15
KB scale
R., Aviv, Choi ’16
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
ak
ed
ak
ed
s
le
le
si
ze
or
ke
ys
. . . and many more!
de
r
le
ak
ed
privacy
October 27, 2016
10 / 23
Goals
Context
POPE Construction
Results
Encrypt the whole thing
Trivial solution:
Download and re-encrypt the
whole database on each
access
performance
Plaintext
TB scale
OPE
GB scale
Interactive OPE
MB scale
ORAM
KB scale
Total encryption
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
ak
ed
ak
ed
si
ze
s
le
le
de
r
or
ke
ys
le
ak
ed
privacy
October 27, 2016
11 / 23
Goals
Context
POPE Construction
Results
This talk: Partial Order Preserving Encoding
Our idea:
Only perform comparisons
necessary to execute the
queries.
Improves performance
and security compared to
interative OPE
performance
Plaintext
TB scale
OPE
POPE
GB scale
Interactive OPE
MB scale
ORAM
KB scale
Total encryption
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
ak
ed
ak
ed
si
ze
s
le
le
de
r
or
ke
ys
le
ak
ed
privacy
October 27, 2016
12 / 23
Goals
Context
POPE Construction
Results
POPE Data Structure
Main Idea
Server stores a partially ordered B-tree
Every node contains an unordered buffer of key/value pairs
Non-leaf nodes also have a small ordered list of ciphertexts
Encryption uses any (randomized) symmetric cipher
Client performs comparisons at query-time
Influences:
Buffer trees (Arge ’03)
Mutable OPE (Popa, Li, Zeldovich ’13)
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
October 27, 2016
13 / 23
Goals
Context
POPE Construction
Results
Initial insertions
Inserted ciphertexts are appended (unordered) to the root node.
Server
Client
Insert(89)
?
89
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
October 27, 2016
14 / 23
Goals
Context
POPE Construction
Results
Initial insertions
Inserted ciphertexts are appended (unordered) to the root node.
Server
Client
Insert(42)
? ?
89 42
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
October 27, 2016
14 / 23
Goals
Context
POPE Construction
Results
Range search Base case
For a small leaf node, send the entire node to the client.
Server
Client
Range(40,50)
? ?
89 42
Roche, Apon, Choi, Yerukhimovich (USA)
42
POPE
October 27, 2016
15 / 23
Goals
Context
POPE Construction
Results
More insertions
Further insertions are appended to the root.
Server
Client
Insert(. . . )
? ? ? ? ? ? ? ?
89 42 55 93 77 13 69 41
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
October 27, 2016
16 / 23
Goals
Context
POPE Construction
Results
Splitting leaf nodes
Searching a large leaf node requires splitting.
Server
Client
Range(0,20)
? ? ? ? ? ? ? ?
89 42 55 93 77 13 69 41
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
October 27, 2016
17 / 23
Goals
Context
POPE Construction
Results
Splitting leaf nodes
1. Server promotes m random items and sends to client.
Server
Client
? ?
55 41
Range(0,20)
? ? ? ? ? ?
89 42 93 77 13 69
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
October 27, 2016
17 / 23
Goals
Context
POPE Construction
Results
Splitting leaf nodes
2. Client sorts, stores, and remembers the m items.
Server
Client
1 2
41 55
Range(0,20)
? ? ? ? ? ?
89 42 93 77 13 69
1 2
41 55
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
October 27, 2016
17 / 23
Goals
Context
POPE Construction
Results
Splitting leaf nodes
3. Client partitions remaining items.
Server
Client
1 2
41 55
0.?
13
1.?
42
Roche, Apon, Choi, Yerukhimovich (USA)
Range(0,20)
2.? 2.? 2.? 2.?
89 93 77 69
POPE
1 2
41 55
October 27, 2016
17 / 23
Goals
Context
POPE Construction
Results
Splitting leaf nodes
4. Finally, the range query results are returned.
Server
Client
1 2
41 55
0.?
13
1.?
42
Roche, Apon, Choi, Yerukhimovich (USA)
Range(0,20)
2.? 2.? 2.? 2.?
89 93 77 69
POPE
13
October 27, 2016
17 / 23
Goals
Context
POPE Construction
Results
More insertions
Further insertions are appended to the root.
Server
Client
1 2 ? ? ?
41 55 24 57 16
0.?
13
1.?
42
Roche, Apon, Choi, Yerukhimovich (USA)
Insert(. . . )
2.? 2.? 2.? 2.?
89 93 77 69
POPE
October 27, 2016
18 / 23
Goals
Context
POPE Construction
Results
Range query
Queries start by partitioning the root buffer to child nodes.
Server
Client
1 2 ? ? ?
41 55 24 57 16
0.?
13
1.?
42
Roche, Apon, Choi, Yerukhimovich (USA)
2.? 2.? 2.? 2.?
89 93 77 69
POPE
Range(60,70)
1 2
41 55
October 27, 2016
19 / 23
Goals
Context
POPE Construction
Results
Range query
Queries start by partitioning the root buffer to child nodes.
Server
Client
1 2
41 55
0.? 0.? 0.?
13 24 16
1.?
42
Roche, Apon, Choi, Yerukhimovich (USA)
Range(60,70)
2.? 2.? 2.? 2.? 2.?
89 93 77 69 57
POPE
1 2
41 55
October 27, 2016
19 / 23
Goals
Context
POPE Construction
Results
Range query
This may result in further leaf node splits.
Server
Client
1 2 3 4
41 55 57 89
0.? 0.? 0.?
13 24 16
1.?
42
Roche, Apon, Choi, Yerukhimovich (USA)
Range(60,70)
3.? 3.?
77 69
POPE
4.?
93
3 4
57 89
October 27, 2016
19 / 23
Goals
Context
POPE Construction
Results
Range query
The sorted parts of nodes are not allowed to get too large.
Server
2
55
Client
Range(60,70)
3 4
57 89
1
41
0.? 0.? 0.?
13 24 16
1.?
42
Roche, Apon, Choi, Yerukhimovich (USA)
3.? 3.?
77 69
POPE
4.?
93
69
October 27, 2016
19 / 23
Goals
Context
POPE Construction
Results
Performance
While some queries may be costly due to interactive partitioning,
the average cost per operation is optimal:
Amortized Analysis
The average cost per operation is O(1), and
the worst-case round complexity per operation is O(1), assuming:
n insertions
Reasonable client-side temporary storage
(L ∈ Ω(nO(1)) )
Not too many range queries
(m ≤ Ln )
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
October 27, 2016
20 / 23
Goals
Context
POPE Construction
Results
Experimental Performance
thousands of ops per second
160
POPE, repeated queries
POPE, bunched queries
POPE, random queries
140
120
100
80
60
40
20
0
103
104
105
106
107
108
number of entries
Note: Number of queries was
Roche, Apon, Choi, Yerukhimovich (USA)
√
n in all cases.
POPE
October 27, 2016
21 / 23
Goals
Context
POPE Construction
Results
POPE Security
Server cannot learn more than the order of the keys.
(IND-OCPA notion of Boldyreva et. al. ’11, achieved by Popa et. al. ’13)
Tie-breaking randomness hides key frequencies also.
(IND-FAOCPA of Kerschbaum ’15)
Only a partial order is leaked.
Under previous assumptions of n insertions, m queries and
client storage L, the relative order between at least
n2
−n
Ω
mL
!
pairs of elements is not revealed.
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
October 27, 2016
22 / 23
Goals
Context
POPE Construction
Results
Thanks!
The Paper
Daniel S. Roche, Daniel Apon, Seung Geol Choi,
and Arkady Yerukhimovich
“POPE: Partial Order Preserving Encoding”
https://arxiv.org/abs/1610.04025
Code: https://github.com/dsroche/pope
Thanks to: National Science Foundation, Office of Naval Research
Roche, Apon, Choi, Yerukhimovich (USA)
POPE
October 27, 2016
23 / 23