Sei sulla pagina 1di 27

Privacy Preserving Schemes for SQL Operations

Abhinav Parate, Bhupendra Singh

Indian Institute of Technology, Kanpur

Abstract. With the global emergence of concerns for the privacy of huge amount of information being collected in the databases, the research work in the field of protecting databases from exposure or any other attack has increased. Encryption techniques- both conventional and modern have proved out to be good technol- ogy in protecting the sensitive data. However, once encrypted, data can no longer be queried for operations like Greater Than, Less Than, Substring matching and others. The only operation that could be done on encrypted data is to find ex- act match. Hence, performing query over encrypted data is associated with the overhead of decrypting the entire encrypted data and then performing the oper- ations. Here we present two schemes which can perform operations of substring matching directly over the encrypted string data. We also present schemes for performing aggregate operations like SUM and AVG over encrypted numerical data.The advantage of the scheme includes no overhead of decryting the entire data.The encryption scheme is robust and well protective.



Present day Database Systems offer the protection of database from attack through the means of access control which restricts the access to sensitive data. The access control mechanism protects the privacy of sensitive data from intrusion through the database system interfaces. The basic assumption is that the database is accessed through database system interfaces. However, it is important to have such protection but this can prove out to be insufficient. It is because the raw database files remain the part of operating system and hence, the attack on computer systems may lead to privacy breach if some- one gets the access to raw database files. The access to these files cannot be prevented by the access control mechanisms. Encryption Techniques which have been proved out to be efficient in protecting the sensitive information from being revealed easily.However, the present techniques of encryption were not designed with the goal of protecting databases which can be very huge in size. As a result, incorporating the present encryption schemes directly involves a huge overhead of decrypting the entire encrypted data before performing any kind of operation on them. We present here two encryption techniques for encrypting the data of type STRING.These techniques have been designed while taking care of the requirements of performing the operations related to strings directly over the encrypted data. The SQL queries involves the following operations-

– String Matching: The result of the operation includes all those strings which are equal to the given string as parameter

– LIKE operation %abc%: This operation results in all those strings which have ’abc’ as substring

– LIKE operation a b : This operation results in strings of the form ’axb’ where x is any character

– Pattern Matching:Mix of above two operations to result in strings matching some pattern

Our first encryption scheme is ’VDES’ i.e. Varying Distribution Encrytion Scheme. The idea behind this scheme is to completely change the distribution pattern of the characters present in the data. The reason being that there are some characters which occur much more than other characters. As a result, if someone knows the original distribution of the character, he may guess the encryption scheme by looking over the distribution of encrypted characters. This scheme has been designed specifically for the domain where program being used to answer the queries, is assumed to be protected. The encrypted database itself is useless if the program to answer query is not known or available. The advantages of VDES over other encryption schemes are-

– Operations It supports all the operations mentioned above and a very good encryp- tion

– No false positives The results of the query over encrypted results only in true values and no false positives

It makes database useless if the VDES program is not available

It handles updates very easily

We can change the distribution of characters very easily with updates

However,the application of the VDES is limited to incorporating it directly with database which should know the unencrypted pattern i.e. it works in semi-encrypted domain.It is not possible with this scheme to give the pattern itself in encrypted form. To overcome this limitation, we have another scheme which works entirely in encrypted domain. This scheme we call as PPES or Product of Primes Encryption Scheme. The advantage of PPES over VDES is that it can work in distributed domain where key to decrypt is with client and it may not be necessarily present with the databases having the encrypted data. The client may send the pattern itself in encrypted form and databases will perform the pattern matching operations and return the result having encrypted data. This encrypted data can then be decrypted by the client using key. However, this scheme can be used in place of VDES with databases. The above mentioned schemes are for STRING data type. However, there are also numeric data types in databases on which various operations like finding SUM or AVG are more common. For example, a firm may want to calculate the average salary of its employees or an accounting firm may want to calculate the sum total of the data it has. Due to privacy considerations, such operations should be performed over encrypted data and it should be answered in encrypted form. For such scenario, we present a scheme for performing aggregate operations like SUM, AVG or COUNT over encrypted numeri- cal values. This scheme, like PPES, can be used to answer queries in encrypted and distributed domain. This technique has got application in mobile computing and cryp- tography where it is necessary to perform operations on secure encrypted data without

decryption. It is also important to keep the interaction to be minimal due to security concerns.

1.1 Encryption of Databases

The encryption of database is possible in two ways as follows- i.Encrypt all the files of database. ii.Encrypt the data values and store them in tables. As it must have been clear from the context, we will be encrypting data values and not the files.

1.2 Report Layout

The rest of our report is organized as follows. We will first discuss the related work in section 2 and describe in brief the various approaches till now. We will give the details of VDES in section 3 followed by the details of step by step approach for PPES in sections 4,5 and 6. In section 7, we describe the scheme for finding all occurences of a pattern specified as regular expression against a given database string.We will then discuss our scheme for performing aggregate operations for numerical data types. Finally, we give the formal aspects of privacy-preserving computation followed by conclusion and directions for future work.


The problem we are discussing is a relatively new problem and hence, there is no work related to performing pattern matching over encrypted data. However, the similar prob- lem has been dealt in the field of numerical data as opposed to the string data.The ideas applied in encrypting numerical data have been helpful in understanding the various problems that can arise out of encryption in string data. The technique described in [1] includes strictly increasing polynomial functions to encrypt integer values so that the order of input is preserved even in encrypted values. Hence, the operations like Greater Than, Less Than,Equal to, can be very easily per- formed on the encrypted data. Following that, the resulting encrypted values can be very easily decrypted. This reduced the overhead of decrypting entire database.However, this scheme had the drawback that it revealed the distribution of input data which could be exploited using probabilistic techniques to estimate the values in some interval with some confidence level. In [2], there are some schemes to support keyword searches over encrypted text in emails.But these were not meant and suited for relational queries and databases. In [3], for the first time, there was talk about executing SQL over Encrypted data. This model was for numerical data and it required many interaction between client and server to get the results.Moreover, it resulted in the false positives whose post process- ing involved considerable overhead. In [4], a scheme is proposed for performing operations related to order of input nu- merical data. The scheme proposed had the advantage that the distribution of encrypted

data is totally independent of the distribution of input data. This scheme is robust against

computer systems attack and is well compatible with the databases. This scheme can be

extended for lexicographical ordering of strings but other pattern matching operations cannot be supported. This scheme can be used to answer queries like MAX,MIN and GROUP BY. But this cannot answer the queries like SUM or AVG. The model being used by us for PPES is similar to the model described in this paper. In [13], techniques have been proposed for performing arithmetic operations like addition and multiplication over encrypted data. These techniques are not applicable to database as it cannot be used for addition of more than two numbers. It requires message passing for each operation being performed.

In[15],there is a data partitioning technique to buid privacy-preserving indices on sensitive attributes of relational table. In other papers [5][6][7][8] and [9], some encryption transformations have been

discussed which allow direct computation on encrypted data.Such encryption transfor-

mations are called Privacy Homomorphisms. These papers presented the privacy homo- morphisms for performing addition,multiplication and multiplicative inverse computa- tion on encrypted data.However, these schemes handled very small subset of input data and had no application in databases. In [14], there is a technique for secure computation in mobile cryptography.


As the name suggests, the idea of this scheme is to effect the distribution of characters so that attack based on cipher-text analysis is not possible.To understand the complete idea, let us look at simpler idea and the following distribution of characters in database:

character Frequency a 200 b 100 e 300

Let us now look at the following encoding scheme.

character Encoding a 1234,3578 b 2598 e 1079,2234,7634

With the above encoding, we can encode the character a as either 1234 or as 3578 with equal probability. As we saw in the frequency table above, frequency of a is 200.Hence, a will be encrypted as 1234 100 times and as 3578 for another 100 times. Similarily, b will be present as 2598 for 100 times. And e will be encrypted as 1079,2234 and 7634 each 100 times. String abe may get encrypted as 357825981079 without giving any idea of what characters are present in string. Encryption of String abe for the second time may give completely different result.

However, this simple idea has the drawback of assuming static distribution of char- acters which is not true in many cases.And hence, we need to add further encrypting values in character-encoding table. Also, the decrypting key needs to be updated for variable distribution case.

3.1 Improving the Scheme

character Characteristic Prime Prime Multipliers a a p a 1 , a 2 , a
Characteristic Prime
a p
a 1 , a 2 , a 3 ,
b 1 , b 2 , b 3 ,
e 1 , e 2 , e 3 , e 4 ,

In this scheme, we have a characteristic prime associated with each character.For char- acter a, we will have a p as the characteristic prime. We also have set of prime multipliers associated with a.When a is to be encrypted, some character is chosen randomly from the given multiplier set and is multiplied with a p . Hence, a may get encrypted as a p a 1 or a p a 2 or a p a 3 and so on.The decryption key for this scheme will be the set of char- acteristic primes C p . Using C p , we can check if some encrypted character is equal to a or not by checking its divisibility with a p .Moreover, we can effect the distribution at any instant by changing the set of Prime Multipliers P m . Any further, updates will be handled by the new set. The advantage we have is that we can change the distribution of the characters as we may want.Another advantage that we have is that we are not required to change the decryption key although the Prime Multipliers set P m may have got changed. Hence, we can change the set P m , expand it or have completely new elements in it but it does not effect the already encrypted values in any case and are not required to be updated.

3.2 Performing the operations

String Matching The string matching algorithm over encrypted string is similar to normal string matching. In this algorithm,the characters of given string are matched with the characters at respective positions of the second string.In our scheme, if we are checking the equality of character a with encrypted character d, we will get the characteristic prime a p for character a and check that whether encrypted character d is divisible by a p or not.

Pattern Matching and Substring matching This operation which checks for the ex-

istence of a given pattern in the encrypted string is as easy as matching a string with

encrypted string. The pattern string may have % symbol which represents presence of

one or more random characters at the postion of %. The pattern string may also have symbol to indicate presence of exactly one character at the position of in the pattern string. If the pattern does not have % or then the problem reduces to finding a string with given pattern as its substring. There are efficient algorithms to deal with problem of substring existence. Those algorithms can be easily applied in our case.

Search for patterns like ab%cd in string s can be handled easily by searching for ab followed by searching for presence of cd in the substring in s following ab. Similarily search for patterns like ab cd in string s can be handled by first searching for presence of ab in s and then, skipping the character following b in s.If the character at this position in s matches c and the character following matches d, string s will be given out as the string having pattern ab cd.

Normal String Matching Algorithm

characterAt(int pos,String s)( return the character present at position pos in the String s


Stringmatch(String s, String t)(

int position = 1 for(position=1, ,position++)(

if(characterAt(position,s)==null and characterAt(position,t)!=null) return ”Unequal strings” else if(characterAt(position,s)!=null and characterAt(position,t)==null) return ”Unequal strings” else if(characterAt(position,s)==null and characterAt(position,t)==null) return ”Equal Strings” else if(characterAt(position,s)!= characterAt(position,t)) return ”Unequal Strings” else continue



Correctness of VDES

VDES requires the following sets for its operations:

Σ: Set containing all the characters in a language C p : A set containing of characteristic primes of each character belonging to Σ P m : Set containing a set of Prime numbers.This set must be disjoint to set C p i.e.C p P m = φ P i : Multiplier Set for the character c i Σ. P i P m

We have some functions as described below:

f:Σ C p

The function f is one to one and it maps each character c i Σ to p i C p .Hence, if

f(c i ) =f(c j )

c i = c j

g: A function that takes a set of elements as input and return one element taken off randomly from the input set.

h:Σ P m The function h takes a character c i as input and it returns some element m from its mul- tiplier set P i . Hence,h(c i ) = g(P i )

Using above functions, we can encrypt any character c i Σ as follows- E(c i ) = f (c i ) × h(c i )

Theorem 1 Encryption of character x Σ as E(x) using VDES results in a unique mapping and decryption of E(x) does not result in any false positive i.e. the result of decryption is correct.

Proof. Let us suppose we encrypt character c i Σ as E(c i ) then E(c i ) = f (c i ) × h(c i )

Assuming that the VDES results in false positive i.e.some character c j identifies for c i .Hence, Based on the VDES, we must have a characteristic prime p j = f (c j ) that divides E(c i ). Since, E(c i ) is product of only two prime numbers hence, if f (c j ) divides E(c i ) then either f (c j ) = f (c i ) or f (c j ) = h(c i ). If f (c j ) = f (c i ), then c i = c j as f is one to one mapping.Hence, it leads to contra- diction to assumption that we had a false positive. If f (c j ) = h(c i ), we know that f (c j ) C p and h(c i ) P m .Also, C p and P m are

disjoint.Hence, f (c j )

Hence, we cannot find any c j Σ which can act as a false positive for c i .Thus, decryption of any encrypted character will result in correct character and not false char- acters.


h(c i ).

As we know that, algorithms to find a given substring t in a string sproceed by match- ing character by character.And as Theorem 1 says, if some character is matched then it must be the correct one.So, if each character found is correct and we have matched the pattern,then pattern matching must also be correct as we did it character by charac- ter.Hence,VDES query execution results only in correct results and no false positive.It can be stated in the form of lemma as follows-

Lemma 1. Pattern matching using VDES does not result in any false positives.

3.4 Analysis of Cryptographic Attack on VDES

As the purpose of encryption scheme is to protect the sensitive data from being exposed, we must analyse the kinds of attack that are possible and how succesfully they can be handled. Let us suppose | P m | = m and | Σ | = n.Hence, we have n characters in a lan- guage.Also, the number of possible multipliers for each character is m. When we en- crypt a database using VDES, we can use each multiplier along with each characteristic

prime to encrypt and result in some random distribution.As a result of using m mul- tipliers for n characters, the encrypted language consists of mn numbers.So, we have encrypted each character with m possible numbers.

If someone has the idea of n, then he can calculate m from mn.Now, the attacker

knows that each character is mapped to m different numbers.So, if he tries to apply Brute Force analysis method to identify the character and its encryption set then he can do so in following way- Of the mn numbers known to him, he can select m numbers randomly and map it for some character c 1 .From the remaining (n-1)m numbers, he can select further m numbers

c n .After getting sets for each

to map it for character c 2 .He can continue to do so c 3 , c 4 character, he can try to check if this sets work correctly.

In this brute force way, he would be required to test around

nm C m × (n1)m C m × (n2)m C m × (n3)m C m

= (nm)!/(m!) n

= (nm)(nm 1)(nm 2)




> (n 1) m (n 2) m

= ((n 1)!) m



× 2m C m × m C m

Hence, we see that if we have m>1 then, we can improve the complexity for brute force analysis significantly.And we must have mn to take care of the distribution sce- nario.

Cipher-Text Analysis Another kind of attack is based on the distribution analysis of cipher-text. By distribu- tion analysis, we mean that in general texts, frequency of some characters may occur much more than other characters.Using this information we can look for the character with maximum frequency and guess the character. As in English Language, character e is used most and hence, it can be easily recognised.After recognizing e, other charac- ters can be guessed using idea of distribution of other characters.For example, if z can occur 0.1 times e occurs, then we can look for the encrypted character whose frequency is roughly 0.1 times the most frequent character.Knowledge of domain can help very much in such cases.

As a result, it is very important to protect the distribution of characters.Hence, we came up with the idea of varying distribution. VDES results in a distribution which gives no idea of the original distribution of characters.Hence, it is secure from Cipher- text analysis attack.

However, there is another kind of cipher-text analysis where we look for the most frequent digram (two characters in a sequence) in cipher-text.This is also not possible in VDES as the same digram can be mapped in m*m ways.Hence, it is difficult to tell which digram is most frequent.

Another way to attack is to identify the set C p .This set can be obtained only by fac- torising the product terms available to the attacker.This attack can be made very costly if we use very big prime numbers in the set.Hence, factorization becomes difficult.


Memory Requirement

VDES has been made very efficient to protect the sensitive data by using very large prime numbers in C p andP m . However, this comes at a cost in terms of memory re- quirements. Any prime number p requires lg(p) + 1 bits of memory. Since, we need to save the product terms, memory for a product term is 2lg(p) + 1 where p is the largest prime number in C p P m . Hence, a character which required 8-bits now requires around ( 2lg(p) + 1)-bits.

3.6 Strength of VDES

The strength of VDES lies in the fact that it performs the task of pattern matching over encrypted data in an elegant manner and at the same time, the encryption scheme is strong enough against brute force analysis attack or cipher-text analysis attack. Al- though the encryption key may change, the length and the value of decryption key remain fixed. This scheme can be readily integrated with the Database softwares available in the market and can be used for the goals we inteded to achieve. i.To reduce the overhead of decrypting entire database in order to perform a query. ii.To design an encryption scheme which achieves the goal stated above along with the protection of database from cipher-text analysis attack.


4.1 Why introducing PPES when VDES works?

As we have seen in the previous section that with VDES, we have been able to achieve the goals we intended to achieve.The use scenario of next scheme called Product Of Primes Encryption Scheme is little bit different from the scenario of VDES. In VDES, database program is required to have knowledge of decryption keys for answering the queries.On the other hand, PPES has no knowledge of encrypting or decrypting keys and it can still execute the queries and answer directly in encrypted form.PPES returns the correct results or atleast a superset of correct results. The results will be in encrypted form as the database is not aware of the key.Also, the query will have the pattern string in encrypted form. Hence, PPES works entirely in an encrypted domain. This has an advantage when we deal with databases and the results distributed over network. VDES can be used efficiently where protecting pattern itself is not important and the program answering query is assumed to be protected. Based on the knowledge of keys,VDES database performs the query execution and returns unencrypted answers if desired.PPES can also be used in this use scenario. For this, we can make database aware of the keys.And when the query arrives, we can modify this query to have en- crypted pattern and then perform execution of this modified query. With the help of decryption key, we can decrypt the result to give final result as output. As it is clear from the two use scenarios, there was a need of PPES.


Model of PPES

Model of PPES is shown in figure below.

4.2 Model of PPES Model of PPES is shown in figure below. 4.3 Intuition behind PPES

4.3 Intuition behind PPES

Let us consider this encryption scheme- Assuming that there is a function e:Σ P where Σ is the set of alphabets or characters and P is a set of prime numbers.Hence e is function that maps each substring to a unique prime number. Using the above mapping, we can encrypt any string s as E(s) as follows:

E(s) = e(t 1 ) × e(t 2 ) × e(t 3 )

where t 1 , t 2 , t 3 ,

Similarily, E(abc) = e(a) × e(b) × e(c) × e(ab) × e(bc) × e(abc) As a result of above way of encryption, E(s) has a term for every substring present in it. So, if we look for a substring t in s, we can evaluate E(t) first and then check for the divisibility of E(s) by E(t). Divisibility implies the presence of substring t in s.This can be stated as

× e(t n )

, t n are the possible substrings present in s

A string s will have string t as its substring if E(t)|E(s)

Inverse of above:If some number N divides E(s), then there exists a substring t in s such that E(t)=N.This statement may not be true. As we saw in case of E(abc), it is divisible by e(ab) × e(bc) but there exists no substring t such that E(t)=e(ab) × e(bc).Hence, inverse statement is false in this case. Although this idea can check the presence of a substring in just one step but the number of primes required to encrypt any string increases exponentially with the length of string. If the number of character are n and the maximum length of any string is l, then the number of primes required are around n l+1 . If n is around 256 which is 2 8 then the number of primes required can go out of bound with l = 5 only.One way of saving the number of primes required is to allot the prime number to only those substrings which are actually present in dictionary.And all remaining substrings possible may be given a single unique prime number. This idea is again not good as the size of dictionary may also be very large.

4.4 Our approach to PPES

As we saw above that the requirement of primes is increasing exponentially with the size of the strings handled by PPES scheme. So we can restructure the scheme in the following manner so that it would be feasible to implement PPES:

Let Σ is the set of alphabets and P is the set of available prime numbers. Now consider the random (or private) mapping e : Σ P such that e maps strings over Σ to p th prime number from the set P where 1 p ≤| P |. Since mapping is random (or private) then we can assume that the probability that two strings will map to same prime number is 1/| P | (or can be calculated based on the private mapping). Now we can encrypt a string s as E(s) using above mapping as follows:

E(s)= e(t 1 ) × e(t 2 ) × e(t 3 )

× e(t n )

where t 1 , t 2 , t 3 ,

The same is applied to the pattern t to get E(t). Hence if t is a substring of s then E(t) must divide E(s).

, t n are all the possible substrings present in s.

4.5 Performing the operations

String matching String matching in PPES is totally different from traditional string matching techniques. So if we are searching for string abc (let say string t) then first we have to encrypt t using the above encryption function i.e.

E(t) = e(t 1 ) × e(t 2 ) × e(t 3 )

× e(t n )

where t 1 , t 2 , t 3 ,

, t n are the all possible substrings present in t

Now if E(t) divides E(s) where s is the string in which t is being searched then t is present in s or we can say that t is one of the substring of s.

In PPES, string matching cost depends only on length of string being matched unlike traditional techniques where cost depends on length of string being matched as well as length of target string. So in PPES, string matching cost is just the cost of encrypting t and cost of one division operation. So if the pattern string is small enough then string matching can be done very fast.

4.6 Correctness of PPES: Existence of false positives

Lets consider a given string s whose length is W so s will have W(W+1)/2 substrings. And we are searching for string t of length w. Let E(s) and E(t) be the encryption of s and t respectively.

Theorem 2 If t is a substring of s then E(t) must divide E(s).

Proof. Lets t has k substrings t 1 , t 2 ,

E(t)= e(t 1 ) × e(t 2 ) × e(t 3 )

× e(t k )

, t k so E(t) will be

And as t is a substring of s so all the substrings of t must be present in the set of all substrings of s. So if s has n+k number of substrings then the encryption of s will be

E(s)= e(t 1 ) × e(t 2 ) × e(t 3 )

× e(t k ) × e(s 1 ) × e(s 2 )

× e(s n )

And as we can see that all the factors of E(t) are present is E(s) so E(t) must divide E(s). But vice versa is not true.

Lemma 2. String matching in PPES will result into a superset of actual resultset i.e. false postivies may exist in the resulting set but there will be no false negative.

Proof. In above theorem we have shown that false negative will not exist. Now suppose if t is not a substring of s then we can only assure of t not being present in s which implies that all other substrings of t except t itself, may be present in s which implies if e(t) and e(some substring of s) are mapped to same prime then it can make E(s) divisible by E(t) so it will lead to false positive.

4.7 Probabilty analysis of false positives

In this section we shall try to find out an upper bound on probabilty of a false posi- tive. So lets assume t is pattern string of length w and s is the given string of length W (W w) and E(t) divides E(s). So there are w(w + 1)/2 substrings in t, and each of them is mapped to the same prime as some substring of s. In particular, the string t is mapped to e(t) and e(t) is present in E(s). So we have to find out an upper bound on the probability that E(t) divides E(s) but t is not a substring of s. Since E(t) divides E(s), the string t maps to e(t) which is also the mapping of some

substring of s. Now there are W(W+1)/2 substrings of s so the probability of this is bounded by

(W (W + 1)/2) × (1/

| P


So probability will decrease with larger | P |.

4.8 Memory requirements

, t k and substring t i repeats e i

times. And let t i is mapped to prime p i i.e. e(t i )=p i . Then the encryption corresponding to s will be

Let s be a string whose unique substrings are t 1 , t 2 ,

E(s) = e(t 1 ) e 1 × e(t 2 ) e 2 ×

× e(t k ) e k

And the size of the number p is given by lg(p) bits. So the string s will consume lg(E(s)) bits.

lg(E(s)) = (e 1 × lg(e(t 1 ))) × (e 2 × lg(e(t 2 ))) ×

(e k × lg(e(t k )))

If p max is the largest prime from the set of primes, P. Then

lg(E(s)) lg(p max ) × (e 1

+ e 2 +


e k )

And (e 1 + e 2 +

+ e k ) is same as W(W+1)/2 where W is the length of s. So,

log(E(s) lg(p max ) × W (W + 1)/2

Which implies that memory requirements will increase quadratically with the size of string. So this scheme is not good for large documents but can handle strings of middle size i.e. addresses.

4.9 Cryptographic analysis of PPES

For querying PPES encryted database, pattern t must be given in encrypted form, E(t), or indivdual factors can also be given over network but E(t) is preferred as individual factors may reveal the nature of query (if somebody knows about the domain i.e. if roll numbers are being stored into the database and somebody knows the format of roll number i.e. Y**** then he can easily break the query). But in database we are storing encrypted form of string s so factorizing E(s) will take significant amount of time. Lets assume that | Σ |=n and | P |=m. So if somebody knows n and m then tries to break this encryption then he can do as following:

1. Factorize reasonable amount of numbers from the database which is obviously very hard task as string of length l will have l(l + 1)/2 prime factors.

2. Then analyze the distribution of all prime numbers or choose brute force analysis i.e. map each prime to all possible strings.

Now if n=40 and l=20 where l is domain parameter which tells that all strings in database can be of atmost length l then then all possible strings in that domain((n × n l 1 )) will be around 40 20 (> 10 25 ). So brute force approach will have that many mappings for a single prime.


Cipher text analysis of the data is very hard as all the data is in form of product of many prime numbers so factorizing each one is very expensive hence attacked based on distribution can’t happen.

4.10 Strength of PPES

The main strength of PPES is that we can query the database over the network with high safety. Pattern matching operation (which is a very common operation on strings in database) in PPES is very fast and is independent of size the target string.

5 Extension of substring method

, s m } of distinct

substrings of s. Encode each of these substrings, that is, obtain, E(s 1 ), E(s 2 ),

and then multiply these m primes to obtain the encoding of the string. The number of distinct substrings of s is n · (n + 1)/2. Therefore, this scheme saves space compared to the PPES scheme, provided, m < n · (n + 1)/2.

The method for checking whether a given string t is a substring of s is as follows. t is a substring of s if and only if t can be extended (perhaps on both sides) so that the extended string becomes equal to s. If t cannot be extended as above , then t is not a substring of s. Equivalently, if t can be extended in either direction so that it becomes

, s m , then also t can be inferred to be

a substring of s. The problem is therefore the following.

, s m of s in such a way so that for every string

t, it can be efficiently inferred whether t is a substring of s. For a given value w, a string

w. The set

of all strings that are w -extensions of a given string t, where, w <= w, defines the w-extension ball centered at t. Suppose t lies in the w-extension ball centered at t, and an encoding E(t ) is avail- able. Then, if t is extended by a total of at most w characters on either side and then encoded, this encoding will equal the encoding of t . The complexity of this operation is the number of extension strings that are checked, that is, the size of a w-extension ball. Let Σ denote the alphabet over which the strings are formed. Then, the size of any w-extension ball is given by

t is said to be a w-extension of t, if, t is a substring of t and |t | − |t| =

equal to any one of the known substrings s 1 , s 2 ,

Let s be a string. Let n = |s|. Suppose that we store a set {s 1 , s 2 ,

, E(s m )

Design a choice of the substrings s 1 ,


|Σ| x+y (x + y + 1) = O(w · |Σ| w+2 )

The problem is to design substrings s 1 ,

there exists an index r, 1 r m, and s r lies within a w-extension ball centered at

, s m such that given any substring t of s,

t. Consider the following scheme. Keep substrings s i,j , where, 1 i w+1 , and 1 j 1 + w+1 . The substring s i,j refers to the substring of s of length (w + 1) · i

that begins at position (w + 1) · (j 1) + 1. For a fixed value of i, the set of substrings

s i,j gives substrings of a fixed length at offsets 1, 1 + (w + 1), 1 + 2 · (w + 1),

The set of substring lengths ranges from w + 1, 2 · (w + 1), 3 · (w + 1),



., etc

., etc

5.1 Correctness of the scheme

In this section, we argue the correctness of the above scheme. We say that a substring t of s is w-covered by a substring s i,j , provided, s i,j is in the w-extension ball centered at t. We first show that the set of strings that are w-covered

by the s i,j ’s are all distinct. That is, if (i, j) = (i , j ), then, the set of strings covered

by s i,j and the set of strings covered by s i ,j has no overlap.

Lemma 3. Let t be a substring of s that is w-covered by both s i,j and s i ,j . Then,

i = i and j = j .

Proof. Suppose that i

= i , that is, the lengths are different. Thus, ||s i,j |−|s i ,j || > w.

However, if t lies in the coverage of both the substrings, then, it follows that,

w > ||s i,j | − |s i ,j || = |(|s i,j | − |t|) (|s i,j | − |t|) = |w 1 w 2 | ≤


where, w 1 = |s i,j | − |t| and w 2 = |s i,j | − |t||. Since, both s i,j and s i,j lies in the w-extension ball centered at t, it follows that 0 w 1 w and 0 w 2 w, implying a contradiction. Now suppose that i = i , that is the lengths of the substrings are the

same, and j

= j . A similar argument can be made for this case as well.

The above argument shows that if t is any substring of s, then there is at most one s i,j such that s i,j is in the w-extension circle centered at t. We now show that for every

substring t of s, there is always one s i,j lying within the 2w-extension ball centered at


Lemma 4. Let t be a substring of s. Then there exists at least one s i,j that 2 · w-covers


Proof. Suppose that t starts at position p. Let r be the remainder and j be the quotient when p 1 is divided by w + 1, that is,

p 1 = (w + 1) · j + r,

where, 0 r < w + 1.


Let i and r be the quotient and remainder respectively, when, |t| + r is divided by w + 1, that is,

|t| + r = (w + 1) · i + r , where, 0 r < w + 1.


Consider the substring s i,j , where, j = j + 1 and i = i if r = 0 and i = i + 1 otherwise.

Since p 1 = (w + 1) · j + r, it follows that the starting position of the string s i,j ,

namely, (w + 1) · (j 1) + 1 = (w + 1) · j + 1 (w + 1) · j + r + 1 = p. Therefore,

the starting position of s i,j lies on or before the starting position of the given substring t. The length of the string s i,j is given by (w + 1) · i. The effective length of the string becomes |t| + r. If r = 0, then, the ending location of s i,j matches the ending location of t. Otherwise, r > 0 and i = i + 1. Therefore, ending location of s i,j equals

(w + 1) · (j 1) + (w + 1) · i


(w + 1) · j + (w + 1) · (i + 1) = (w + 1) · j + (w + 1) · i + (w + 1)


(w + 1) · j + |t| + r r + (w + 1)


(w + 1) · j + r + |t| − r + (w + 1)


p 1 + r + |t| − r + w + 1 = (p + |t| − 1) + r + (w + 1 r )


(p + |t| − 1)

Thus, s i,j ends on or after t ends. It follows that s i,j contains t. By the above analysis, it follows that,

|s i,j | − |t| = (w + 1) · i − |t|


There are two cases, namely, i = i , if r = 0 and i = i + 1, if r > 0. Suppose that r = 0. Then,

|s i,j | − |t| =

(w + 1) · i − |t| = |t| + r − |t|, by equation (2)

= r w, by equation (1).

Otherwise, assume that 0 < r w and i = i + 1. Then, we have,

|s i,j | − |t|



+ 1) · i − |t| = (w + 1) · (i + 1) − |t|



+ 1) · i + (w + 1) − |t|


|t| + r r + (w

+ 1) − |t|, by equation (2)


w + 1 + r r

2 · w, since, r 1 and r w.

This worst case is attained if t is the substring s[w + 1, w + 2] of size 2. Then, it is covered by the substring s 2,1 of size 2 · (w + 1). Therefore, the minimum extension necessary is 2 · (w + 1) 2 = 2 · w, matching the bound in Lemma 4. The test for whether a given string t is a substring of the string s is as follows. Enumerate the w- extension ball centered at t and check if any of them is exactly equal to one of the s i,j ’s (or, equivalently, encode each string of the w-extension ball centered at t and check if the encoding divides the product i,j E(s i,j )). In view of Lemma 4, this test works if instead of w, we use the parameter w in the definition of the s i,j ’s. Therefore, the number of strings s i,j is given by


2 n n = O w 2 w + 1 2 2
= O w
w + 1 2

5.2 Lower bound on number of substrings required

We now consider a lower bound on the space used by any encoding algorithm that uses the above principle of matching strings from a w-extension ball centered at t.

Lemma 5. Let s be any substring of s of size at least w + 1. Then, the number of substrings t such that s lies in the w-extension ball centered at t is at most 1 2 · (w + 1) · (w + 2).

Proof. Let a denote the number of characters extended at the left end of t and b denote the number of characters extended at the right end of t, to obtain s . Each distinct choice of a and b such that a + b w gives a distinct t such that s lies in the w-extension ball centered at t. Therefore, the number of possible such substrings is given by

w wa



1 =



(w a + 1) =


a =1

a =



· (w + 1) · (w + 2)


Lemma 6. The number of substrings of a given string s of size n that must be stored by any scheme that works based on testing the equality of one of the substrings with a

member of the w-extension of a given string t is at least


(w+1)·(w+2) .

Proof. The number of substrings of a given string s is n · (n + 1)/2. By Lemma 5, it follows that each substring of size at least w + 1 w-covers (w + 1) · (w + 2) substrings. Substrings of size less than w + 1 w-covers even fewer strings. Therefore, in order to w-cover all substrings, the minimum number of strings that must be used is at least


(w+1)·(w+2) .

It follows that the number of substrings used by our proposed scheme is O(

is within a small constant factor of the lower bound, namely,


2 ), which




(w+1)·(w+2) , by Lemma 6.

6 A Hierarchical Scheme

In this section, we propose a two-step scheme that is based on the previous scheme. Let w 1 and w 2 be two integer parameters, where, w 1 > w 2 > 0. Given a database string s, we first divide it into adjacent blocks of size w 1 , that is, s = s 1 s 2 · · · s k , where, each of the s i ’s have size w 1 and the last block is padded by the requisite number of null characters to ensure that its length is exactly w 1 . The encoding of s, namely, E(s), is a hierarchical data structure. Its first field is the sequence of the encodings of the blocks, that is, E(s 1 ) E(s 2 ) ◦ · · · ◦ E(s k ), where, denotes the sequencing operator. We assume that w 1 is large enough to negate statistical attacks to decode the encrypted blocks. Let t be a substring of s. Then, the following two exclusive possibilities hold.

1. In a match of t with s, t spans more than one block of s. In other words, t can be

, t l1 are blocks of length

w 1 and |t l | ≤ w 1 . Further, there exists an index r with the

, s r+l1 = t l1 and t 0 is a suffix of s r1 and

written as t = t 0 t 1 t 2

w 1 each property

t l is a prefix of the string s r .

t l , where, l 1, and t 1 , t 2 ,



|t 0 |

s r = t 1 , s r+1 = t 2 ,

2. In a match of t with s, t is contained within a block of s. That is, |t| ≤ w 1 and t is a substring of s r , for some index r, 1 r k.

The second possibility can be effectively solved by storing, for each block s i , 1 i k, a set of substrings of s i in their encoded form using an extension parameter w 2 , as

detailed in Section 5. Thus, if |t| ≤ w 1 , and there is a match of t with a substring of

s that is completely contained within a block, then, such a match can be effectively decided. The total number of encodings in this scheme are as follows.

O k · w 2 = O








· w 2





= O n · w 1





In order to identify a match where t is a substring of a block of s, the w 2 -extension ball of t has to enumerated and compared against all the encodings of the substrings of the blocks of s. Assuming that all the encodings are stored as a hash table, then, the dominant component of the cost of this operation is the cost of enumerating the

w 2 -extension ball centered at t. As discussed in Section 5, this cost is O(w 2 · |Σ| w 2 ).

Single Text Offset, Multiple Pattern Offsets. We now consider the scenario depicted by the first possibility, namely, that t is a substring of s and a match of t spans multiple blocks of s. Since the match of t with the matching portion of s may start at any po- sition p, 1 p w 1 , where, p is the starting position of first block of s from where

the match begins. To alleviate this situation, we assume that the pattern t is encoded in

w 1 distinct ways, obtained by shifting the starting position of the first block of t by a

, (w 1 1) respectively. Thus, if u = 0, the first block

contains the characters t 1 t 2 · · · t w 1 and the remaining blocks are constructed sequen- tially thereafter. If u = 1, then the first block contains the characters t 1 t 2 · · · t w 1 1 , and the remaining blocks are constructed sequentially thereafter. For a general value of u, the first block contains the characters t 1 t 2 · · · t w 1 +u , and the remaining blocks are encoded in sequence. Thus, t is encoded w 1 times, with offsets ranging from 0 to w 1 1. This increases the encoded size of the pattern t by a factor of w 1 . Note that although we have assumed that the offset for the text string s is 0, it is in general not necessary to assume this. The offset for the text string can be set to any random value between 0 and w 1 + 1; this has the added advantage of reducing the chance of statistical attacks.

parameter u = 0, 1, 2,

Matching Algorithm. For a given offset position u, w 1 + 1 u 0, denote the j th

block of t defined for this offset position as t

t encoded with an offset of u. Assume that t is a substring of s and there is a match of t spanning multiple blocks of s. Then, there exists an offset position u, w 1 +1 u 0,

and an index r, 1 r k, such that, t

. Let l u denote the number of blocks of



= s r+j , for 2 j

) = E(s r+j ).

Further, since there are at most w 1 possible non-empty prefixes and w 1 possible non-

empty suffixes of any block, the encodings of the prefixes and suffixes of each block of the text string are also stored along with the chosen set of substrings for the block.

1 . The number of prefixes and suffixes of a block is

2 · w 1 . Therefore, the total number of prefix and suffix encodings is

The number of blocks are k =

l u 1 and t




is a suffix of s r , t






is a prefix of s r+l u . Since t




= s r+j , it follows that E(t





1 · 2 · w 1 2 · n + 2 · w 1 = O(n)



1 = O(|t|), and is

therefore, linear in the size of the pattern string. The total number of encodings (space) required for the text string s is given by the sum of equations (3) and (4), which is

+ n). Suppose that the database string size n is large, and w 1 is chosen to be

say 64. If w 2 is chosen to be 4, then, this reflects a substantial improvement over the


number of text encodings is linear in n. The time complexity of the substring matching

2 ) encodings scheme presented in Section 5. Specifically, if w 2 w 1 , then, the

The number of encodings required for the pattern string is w 1 ·



O( n·w 1







operation is O(w 2 · n · |Σ| w 1 ).


Cryptographic Strength. Suppose that t is a substring of s and there is a match of t that

overlaps multiple blocks of s. Then, in the encrypted string, the approximate position of

t within s can be inferred. Although, if s and t are both unknown to a third party (say,

the data mining outfit), then, this revelation is of no consequence. If t is a substring of

s that is completely contained in a single block of s, then, no positional information is

revealed. Another property of the hierarchical scheme is that all matches of t with s can

be found. That is, if t occurs many times in s, then, all occurrences of t can be found using the data structure. Once again, if this inference is being done by a third party, which is not privy to either s or t, then, no information is revealed.

7 Matching Patterns specified as Regular Expressions

In this section, we present a scheme for finding all occurrences of a pattern specified as a regular expression against a given encrypted database string s. We first discuss a simple principle of privacy preserving computations, and, then, state the problem that arises in the context of privacy preserving finite automaton computations and then present one possible solution to it.

7.1 A principle of privacy preserving computations

Privacy cannot be preserved by computations that encrypt or decrypt using symmetric keys. Further, privacy is not preserved if text is either encrypted or decrypted within the program. The principle states the following. Suppose that there is a privacy preserv- ing computation being carried out within a third party, and the computation applies a symmetric key encryption (or decryption) function to some text. We can assume that the key is available to the program and therefore to the third party (using program anal- ysis). Further, we assume that the encryption algorithm is also known. Therefore, the third party can both encrypt and decrypt the text or cipertext, as the case may be. The second statement of the principle is more general; clearly, if a string is encrypted or decrypted, then the string is revealed. A consequence of the above discussion is that the all privacy preserving computations must work on ciphertext.

7.2 Privacy preservation of state transition computations

Let D be a deterministic finite automaton that accepts a given regular expression. We note that there is a basic problem in preserving the privacy of a string accepted by a finite automaton.

Consider the state transition function of the given DFA D. We can assume that the set of states of the automaton is known to the data mining party (or can be inferred from the code available). Let t be the string seen so far by the DFA D, and let q be the current state of D. The next transition reveals the letter that extends t and the next state of D. By keeping track of the matching letters in this manner, the matching string can be known in entirety. Therefore, the most that can be assumed is that the letters of the alphabet Σ are encrypted. This is equivalent to assuming that the alphabet Σ has been permuted, using a permutation that is not known to the data mining party. However, using statistical analysis, the data mining party can gain some information, and therefore can make a guess for the pattern string whose probability of being correct is greater than that of a random guess. Note that the problem is independent of the mechanism used for encrypting the database string s.

7.3 A weak solution

The problem outlined in Section 7.2 is inherent to finite automaton computations.

A DFA extends the prefix of a matching string by a single letter to obtain a longer prefix. Thus, the unit of encryption possible are the letters of the alphabet Σ , making it susceptible to statistical attacks. A simple extension is to transform the given DFA D into another machine D (D is a finite state automaton with a little extra power) such that, D makes its transformations on the strings of Σ w , where, w is a parameter. The final suffix of any string of the regular language whose size is not a multiple of w uses

=1 Σ w . The value of w is not known to the

data mining party. We choose a permutation π that maps Σ w to Σ w , and ensure that D uses the transformed alphabet π(Σ w ). The values of w and π are withheld from the data mining party. The scheme is better than the previous scheme, since statistical attacks would re- quire knowledge of statistics of strings of size w, for an unknown (though small) value of w. This reduces the effectiveness of statistical attacks. This approach can be strength- ened slightly, as demonstrated below by means of an example.

transitions from the enlarged alphabet w1


7.4 A slightly better solution

Consider the alphabet Σ = {a 1 , a 2 ,

2, 2 2 ,

1 i v, such that the subsets are pair-wise disjoint. Define the following sets.

., a k }. Suppose we choose powers of 2, namely,

, 2 v , where, v is a parameter, v k. Partition the alphabet into w subsets, Σ i ,

Λ i = Σ




, for 1 i v.

That is, the set Λ i is the set of strings of size 2 i that is constructed from letters from Σ i . For 1 i v 1, define the following set.

i = {σ | |σ| = 2 i and σ (j=i Σ j ) and a, b σ such that a Σ i and b (



j=i+1 Σ j ) }

The set i is the cross set between Σ i and the partitions with indices higher than j. That is, it is the set of all strings of size 2 i over the letters of partitions with indices i or

above (i.e., i (j=i Σ j ) 2 i ). Further, all strings in i are constrained to contained at least one occurrence from the sets Σ i and j=i+1 Σ j (i.e., it is a cross string). Let w = 2 v . As a consequence of the construction, the sets i=1 v Λ i and the sets

i can generate Σ w uniquely. That is, each string of Σ w can be uniquely repre-

sented as the concatenation of strings in the Λ and sets (prove!). The transformed and equivalent automaton D can be constructed so that it uses the following alphabet.





Σ = alphabet of D = E(v

i=1 Λ i



i )

That is, members of Σ are encrypted members of Λ i ’s and i ’s. Accordingly, the database string s is encrypted accordingly.

Cryptographic strength. The privacy of the scheme draws from the fact that the parti- tion of the original alphabet into the subsets is not known to the third party. Further, the value of v is also withheld from the third party. These two reasons reduce the effective- ness of statistical attacks. However, some information about the length of the string can be deduced.

8 Performing Aggregate Operations on Encrypted Numeric Values

In this section, we propose a scheme for performing aggregate operations like SUM, AVG or COUNT on encrypted numeric data. A lot of work has been done in the past in the field of security and mobile computing for performing arithmetic operations over encrypted numbers. These are based on encryption transformations called Privacy Ho- momorphisms (refer [5],[6],[7],[8],[9]). However, these techniques are not applicable to databases. Many of these are limited to operations on two numbers and some of these require message passing for each operation(refer [13]). Recent works related to perform- ing query over encrypted data allow comparison operations like GREATER THAN, LESS THAN, MAX or MIN (refer [4]). The scheme proposed by us is directly applicable to the databases and is robust against brute force or cipher-text analysis attack.

8.1 Scheme 1

Our scheme is based on the fact that we can use a function, say f , to encrypt a numeric

value d such that f (x, y,

> can be used as an encrypted

value for d. The properties which a function f should satisfy are as follows-

) = d. The solution < x, y,

1. The function f should have many solutions equation f (x, y,

) = d where d can

be any numeric value in the range of data being encrypted i.e. f is many-to-one


2. The function f should have atleast two arguments.

3. It should be possible to evaluate Σf (x i , y i ,

) given the values of Σx i , Σy i ,

Let us consider a function f (x, y) = kx+y. This function satisfies all the properties stated above. Hence, we can encrypt any data d as < x, y > such that kx + y = d. Note that, it is possible to have many solutions for the same data d. Let us assume

, d n and we have the encrypted values

, < x n , y n >. Given the encrypted values, we can calculate

Σ i=1 x i and Σ i=1 y i . Obtaining these values, we can evaluate Σ i=1 d i as it is given by

Σ i=1 d i =

over the encrypted data. Based on the knowledge of x i and y i , it is not possible to get d i without the knowledge of k. It is also possible to have function having n arguments where n > 2. This simple idea has a drawback that it discloses the data distribution. For above example, encrypted values corresponding to same data d will lie on the same line with slope k. Identification of any one line will give the value of k. Drawing lines through other points and parallel to line corresponding to d will result in distribution knowledge based on the distance between lines. This is the major limitation which needs to be eliminated.

i=1 n y i . So, we see that we can perform the addition directly

< x 1 , y 1 >, < x 2 , y 2 >,

that we have to add n numeric values d 1 , d 2 ,






i=1 x i + Σ

8.2 Improving the Scheme

Based on the above idea, we find a function f which satisfies the properties stated earlier. Let us take f (x, y) = kx + y. Now, we select two prime numbers p and q. Then, we find the solution < x, y > for f (x, y) = d where d is numeric data being encrypted. Now, instead of encrypting d as < x, y >, we encrypt d as < a, b > such that a mod

p = x and b mod q = y. Note that the encrypted set consisting of all < a, b > for

f (amod p, b mod q) = d is spread over the entire space and not just on a line. And it is

not possible to guess the value of d without knowing prime numbers p and q. But the above scheme is prone to attack. As p is a large prime number and x1 and x2 are mapped to mp + x1 and np + x2 respectively so one can get approximate value of m/n by calculating (mp + x1)/(np + x2) and subsequently m and n as m, n are integers. Now one can guess p very closely. Using same approach q can also be guessed. Knowing p and q one will retrieve all < x, y > tuple.

8.3 Scheme 2

Let us suppose, the data value d to be protected can be represented as N -bits long binary number. Identify the set of Linear Transformations L. Now, do as follows-

1. Divide the N -bits long binary number into m consecutive unequal parts.

2. Apply linear transformations from the set L to each of the m parts so as to map each part to a binary number of fixed length l.

3. Now, re-order these linearly operated parts and save these re-ordered parts in database. The order for shuffling these parts will be fixed.

The data encrypted in above format can be used for performing addition directly without decryption. To get the sum of any n numbers, we need to do the addition of entries corresponding to these n numbers for each of the m columns. This gives the result in encrypted form. The result can be decrypted as follows-


As the re-ordering sequence is known to us, we re-order the the m-parts of result in original sequence.

2. As each part was linearly transformed, so the addition of linearly transformed value

corresponds to linear transformation of addition of original values i.e. h(Σ

Σ i=1 h(x i ). This linear transformation h is known to us and we know h(Σ

we can use the inverse function h 1 to get Σ

n i=1 x i ) =

i=1 x i ),



n i=1 x i .

3. Get the binary representation of Σ i=1 x i for each of the m columns. The resulting m parts can be used to get the final result.


The strength of above scheme is based on the fact that the way N -bits number is bro- ken into m unequal parts, is not known to the third party performing computation on encrypted data. Total number of ways in which N -bits number can be broken into m consecutive unequal parts is N1 C m1 1. For N =128 and m=10, number of ways for this are O(10 14 ). Also, the number of ways m parts can be reordered is m! which is O(10 6 ) for m=10.So, to break the encryption, the intruder must be able to guess the lin- ear transformations corresponding to each part and then check O(10 20 ) cases in worst case.

8.4 Final Scheme

As we saw, Scheme 1 is not strong enough to protect the data itself but it hides the distribution very well.On the other hand, Scheme 2 is highly protective but it does not hide the data distribution. Hence, we came up with a final scheme which is fusion of Scheme 1 and Scheme 2. Compute < x, y > and calculate < a, b > tuple using scheme1 and protect a and b using scheme 2. In this manner, we not only protect the data but also the distribution.

9 Formal aspects of privacy preserving computations

In this section, we formally define privacy preserving computations and partial privacy preserving computations.

Definition 7.