Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Abstract. With the global emergence of concerns for the privacy of huge amount
of information being collected in the databases, the research work in the field of
protecting databases from exposure or any other attack has increased. Encryption
techniques- both conventional and modern have proved out to be good technol-
ogy in protecting the sensitive data. However, once encrypted, data can no longer
be queried for operations like Greater Than, Less Than, Substring matching and
others. The only operation that could be done on encrypted data is to find ex-
act match. Hence, performing query over encrypted data is associated with the
overhead of decrypting the entire encrypted data and then performing the oper-
ations. Here we present two schemes which can perform operations of substring
matching directly over the encrypted string data. We also present schemes for
performing aggregate operations like SUM and AVG over encrypted numerical
data.The advantage of the scheme includes no overhead of decryting the entire
data.The encryption scheme is robust and well protective.
1 INTRODUCTION
Present day Database Systems offer the protection of database from attack through the
means of access control which restricts the access to sensitive data. The access control
mechanism protects the privacy of sensitive data from intrusion through the database
system interfaces. The basic assumption is that the database is accessed through database
system interfaces. However, it is important to have such protection but this can prove
out to be insufficient. It is because the raw database files remain the part of operating
system and hence, the attack on computer systems may lead to privacy breach if some-
one gets the access to raw database files. The access to these files cannot be prevented
by the access control mechanisms.
Encryption Techniques which have been proved out to be efficient in protecting
the sensitive information from being revealed easily.However, the present techniques of
encryption were not designed with the goal of protecting databases which can be very
huge in size. As a result, incorporating the present encryption schemes directly involves
a huge overhead of decrypting the entire encrypted data before performing any kind of
operation on them.
We present here two encryption techniques for encrypting the data of type STRING.These
techniques have been designed while taking care of the requirements of performing the
operations related to strings directly over the encrypted data. The SQL queries involves
the following operations-
– String Matching: The result of the operation includes all those strings which are
equal to the given string as parameter
– LIKE operation %abc%: This operation results in all those strings which have
’abc’ as substring
– LIKE operation a b : This operation results in strings of the form ’axb’ where x
is any character
– Pattern Matching:Mix of above two operations to result in strings matching some
pattern
Our first encryption scheme is ’VDES’ i.e. Varying Distribution Encrytion Scheme.
The idea behind this scheme is to completely change the distribution pattern of the
characters present in the data. The reason being that there are some characters which
occur much more than other characters. As a result, if someone knows the original
distribution of the character, he may guess the encryption scheme by looking over the
distribution of encrypted characters. This scheme has been designed specifically for the
domain where program being used to answer the queries, is assumed to be protected.
The encrypted database itself is useless if the program to answer query is not known or
available.
The advantages of VDES over other encryption schemes are-
– Operations It supports all the operations mentioned above and a very good encryp-
tion
– No false positives The results of the query over encrypted results only in true values
and no false positives
– It makes database useless if the VDES program is not available
– It handles updates very easily
– We can change the distribution of characters very easily with updates
However,the application of the VDES is limited to incorporating it directly with
database which should know the unencrypted pattern i.e. it works in semi-encrypted
domain.It is not possible with this scheme to give the pattern itself in encrypted form.
To overcome this limitation, we have another scheme which works entirely in encrypted
domain. This scheme we call as PPES or Product of Primes Encryption Scheme. The
advantage of PPES over VDES is that it can work in distributed domain where key to
decrypt is with client and it may not be necessarily present with the databases having the
encrypted data. The client may send the pattern itself in encrypted form and databases
will perform the pattern matching operations and return the result having encrypted
data. This encrypted data can then be decrypted by the client using key. However, this
scheme can be used in place of VDES with databases.
The above mentioned schemes are for STRING data type. However, there are also
numeric data types in databases on which various operations like finding SUM or AVG
are more common. For example, a firm may want to calculate the average salary of its
employees or an accounting firm may want to calculate the sum total of the data it has.
Due to privacy considerations, such operations should be performed over encrypted data
and it should be answered in encrypted form. For such scenario, we present a scheme for
performing aggregate operations like SUM, AVG or COUNT over encrypted numeri-
cal values. This scheme, like PPES, can be used to answer queries in encrypted and
distributed domain. This technique has got application in mobile computing and cryp-
tography where it is necessary to perform operations on secure encrypted data without
decryption. It is also important to keep the interaction to be minimal due to security
concerns.
2 RELATED WORK
The problem we are discussing is a relatively new problem and hence, there is no work
related to performing pattern matching over encrypted data. However, the similar prob-
lem has been dealt in the field of numerical data as opposed to the string data.The ideas
applied in encrypting numerical data have been helpful in understanding the various
problems that can arise out of encryption in string data.
The technique described in [1] includes strictly increasing polynomial functions to
encrypt integer values so that the order of input is preserved even in encrypted values.
Hence, the operations like Greater Than, Less Than,Equal to, can be very easily per-
formed on the encrypted data. Following that, the resulting encrypted values can be very
easily decrypted. This reduced the overhead of decrypting entire database.However, this
scheme had the drawback that it revealed the distribution of input data which could be
exploited using probabilistic techniques to estimate the values in some interval with
some confidence level.
In [2], there are some schemes to support keyword searches over encrypted text in
emails.But these were not meant and suited for relational queries and databases.
In [3], for the first time, there was talk about executing SQL over Encrypted data.
This model was for numerical data and it required many interaction between client and
server to get the results.Moreover, it resulted in the false positives whose post process-
ing involved considerable overhead.
In [4], a scheme is proposed for performing operations related to order of input nu-
merical data. The scheme proposed had the advantage that the distribution of encrypted
data is totally independent of the distribution of input data. This scheme is robust against
computer systems attack and is well compatible with the databases. This scheme can be
extended for lexicographical ordering of strings but other pattern matching operations
cannot be supported. This scheme can be used to answer queries like MAX,MIN and
GROUP BY. But this cannot answer the queries like SUM or AVG. The model being
used by us for PPES is similar to the model described in this paper.
In [13], techniques have been proposed for performing arithmetic operations like
addition and multiplication over encrypted data. These techniques are not applicable to
database as it cannot be used for addition of more than two numbers. It requires message
passing for each operation being performed.
In[15],there is a data partitioning technique to buid privacy-preserving indices on
sensitive attributes of relational table.
In other papers [5][6][7][8] and [9], some encryption transformations have been
discussed which allow direct computation on encrypted data.Such encryption transfor-
mations are called Privacy Homomorphisms. These papers presented the privacy homo-
morphisms for performing addition,multiplication and multiplicative inverse computa-
tion on encrypted data.However, these schemes handled very small subset of input data
and had no application in databases. In [14], there is a technique for secure computation
in mobile cryptography.
As the name suggests, the idea of this scheme is to effect the distribution of characters
so that attack based on cipher-text analysis is not possible.To understand the complete
idea, let us look at simpler idea and the following distribution of characters in database:
character Frequency
a 200
b 100
e 300
Let us now look at the following encoding scheme.
character Encoding
a 1234,3578
b 2598
e 1079,2234,7634
With the above encoding, we can encode the character a as either 1234 or as 3578 with
equal probability. As we saw in the frequency table above, frequency of a is 200.Hence,
a will be encrypted as 1234 100 times and as 3578 for another 100 times. Similarily, b
will be present as 2598 for 100 times. And e will be encrypted as 1079,2234 and 7634
each 100 times.
String abe may get encrypted as 357825981079 without giving any idea of what
characters are present in string. Encryption of String abe for the second time may give
completely different result.
However, this simple idea has the drawback of assuming static distribution of char-
acters which is not true in many cases.And hence, we need to add further encrypting
values in character-encoding table. Also, the decrypting key needs to be updated for
variable distribution case.
In this scheme, we have a characteristic prime associated with each character.For char-
acter a, we will have ap as the characteristic prime. We also have set of prime multipliers
associated with a.When a is to be encrypted, some character is chosen randomly from
the given multiplier set and is multiplied with ap . Hence, a may get encrypted as ap a1
or ap a2 or ap a3 and so on.The decryption key for this scheme will be the set of char-
acteristic primes Cp . Using Cp , we can check if some encrypted character is equal to
a or not by checking its divisibility with ap .Moreover, we can effect the distribution at
any instant by changing the set of Prime Multipliers Pm . Any further, updates will be
handled by the new set.
The advantage we have is that we can change the distribution of the characters as
we may want.Another advantage that we have is that we are not required to change the
decryption key although the Prime Multipliers set Pm may have got changed. Hence,
we can change the set Pm , expand it or have completely new elements in it but it does
not effect the already encrypted values in any case and are not required to be updated.
Pattern Matching and Substring matching This operation which checks for the ex-
istence of a given pattern in the encrypted string is as easy as matching a string with
encrypted string. The pattern string may have % symbol which represents presence of
one or more random characters at the postion of %. The pattern string may also have
symbol to indicate presence of exactly one character at the position of in the pattern
string. If the pattern does not have % or then the problem reduces to finding a string
with given pattern as its substring. There are efficient algorithms to deal with problem
of substring existence. Those algorithms can be easily applied in our case.
Search for patterns like ab%cd in string s can be handled easily by searching for ab
followed by searching for presence of cd in the substring in s following ab.
Similarily search for patterns like ab cd in string s can be handled by first searching
for presence of ab in s and then, skipping the character following b in s.If the character
at this position in s matches c and the character following matches d, string s will be
given out as the string having pattern ab cd.
Normal String Matching Algorithm
g: A function that takes a set of elements as input and return one element taken off
randomly from the input set.
h:Σ → Pm
The function h takes a character ci as input and it returns some element m from its mul-
tiplier set Pi .
Hence,h(ci ) = g(Pi )
Assuming that the VDES results in false positive i.e.some character c j identifies for
ci .Hence, Based on the VDES, we must have a characteristic prime p j = f (cj ) that
divides E(ci ). Since, E(ci ) is product of only two prime numbers hence, if f (cj ) divides
E(ci ) then either f (cj ) = f (ci ) or f (cj ) = h(ci ).
If f (cj ) = f (ci ), then ci = cj as f is one to one mapping.Hence, it leads to contra-
diction to assumption that we had a false positive.
If f (cj ) = h(ci ), we know that f (cj ) ∈ Cp and h(ci ) ∈ Pm .Also, Cp and Pm are
disjoint.Hence, f (cj ) 6= h(ci ).
Hence, we cannot find any cj ∈ Σ which can act as a false positive for ci .Thus,
decryption of any encrypted character will result in correct character and not false char-
acters.
Lemma 1. Pattern matching using VDES does not result in any false positives.
As the purpose of encryption scheme is to protect the sensitive data from being exposed,
we must analyse the kinds of attack that are possible and how succesfully they can be
handled.
Let us suppose | Pm | = m and | Σ | = n.Hence, we have n characters in a lan-
guage.Also, the number of possible multipliers for each character is m. When we en-
crypt a database using VDES, we can use each multiplier along with each characteristic
prime to encrypt and result in some random distribution.As a result of using m mul-
tipliers for n characters, the encrypted language consists of mn numbers.So, we have
encrypted each character with m possible numbers.
If someone has the idea of n, then he can calculate m from mn.Now, the attacker
knows that each character is mapped to m different numbers.So, if he tries to apply
Brute Force analysis method to identify the character and its encryption set then he can
do so in following way-
Of the mn numbers known to him, he can select m numbers randomly and map it for
some character c1 .From the remaining (n-1)m numbers, he can select further m numbers
to map it for character c2 .He can continue to do so c3 , c4 ...cn .After getting sets for each
character, he can try to check if this sets work correctly.
In this brute force way, he would be required to test around
nm
Cm ×(n−1)m Cm ×(n−2)m Cm ×(n−3)m Cm ... ×2m Cm ×m Cm
= (nm)!/(m!)n
= (nm)(nm − 1)(nm − 2)....1/(1.2.3....m)n
> (n − 1)m (n − 2)m ....1m
= ((n − 1)!)m
Hence, we see that if we have m>1 then, we can improve the complexity for brute
force analysis significantly.And we must have m≥n to take care of the distribution sce-
nario.
Cipher-Text Analysis
Another kind of attack is based on the distribution analysis of cipher-text. By distribu-
tion analysis, we mean that in general texts, frequency of some characters may occur
much more than other characters.Using this information we can look for the character
with maximum frequency and guess the character. As in English Language, character e
is used most and hence, it can be easily recognised.After recognizing e, other charac-
ters can be guessed using idea of distribution of other characters.For example, if z can
occur 0.1 times e occurs, then we can look for the encrypted character whose frequency
is roughly 0.1 times the most frequent character.Knowledge of domain can help very
much in such cases.
As a result, it is very important to protect the distribution of characters.Hence, we
came up with the idea of varying distribution. VDES results in a distribution which
gives no idea of the original distribution of characters.Hence, it is secure from Cipher-
text analysis attack.
However, there is another kind of cipher-text analysis where we look for the most
frequent digram (two characters in a sequence) in cipher-text.This is also not possible
in VDES as the same digram can be mapped in m*m ways.Hence, it is difficult to tell
which digram is most frequent.
Another way to attack is to identify the set Cp .This set can be obtained only by fac-
torising the product terms available to the attacker.This attack can be made very costly
if we use very big prime numbers in the set.Hence, factorization becomes difficult.
3.5 Memory Requirement
VDES has been made very efficient to protect the sensitive data by using very large
prime numbers in Cp andPm . However, this comes at a cost in terms of memory re-
quirements.
Any prime number p requires blg(p)c + 1 bits of memory. Since, we need to save
the product terms, memory for a product term is b2lg(p)c + 1 where p is the largest
prime number in Cp ∪ Pm .
Hence, a character which required 8-bits now requires around (b2lg(p)c + 1)-bits.
The strength of VDES lies in the fact that it performs the task of pattern matching
over encrypted data in an elegant manner and at the same time, the encryption scheme
is strong enough against brute force analysis attack or cipher-text analysis attack. Al-
though the encryption key may change, the length and the value of decryption key
remain fixed.
This scheme can be readily integrated with the Database softwares available in the
market and can be used for the goals we inteded to achieve.
i.To reduce the overhead of decrypting entire database in order to perform a query.
ii.To design an encryption scheme which achieves the goal stated above along with the
protection of database from cipher-text analysis attack.
As we have seen in the previous section that with VDES, we have been able to achieve
the goals we intended to achieve.The use scenario of next scheme called Product Of
Primes Encryption Scheme is little bit different from the scenario of VDES. In VDES,
database program is required to have knowledge of decryption keys for answering the
queries.On the other hand, PPES has no knowledge of encrypting or decrypting keys
and it can still execute the queries and answer directly in encrypted form.PPES returns
the correct results or atleast a superset of correct results. The results will be in encrypted
form as the database is not aware of the key.Also, the query will have the pattern string
in encrypted form. Hence, PPES works entirely in an encrypted domain. This has an
advantage when we deal with databases and the results distributed over network.
VDES can be used efficiently where protecting pattern itself is not important and
the program answering query is assumed to be protected. Based on the knowledge of
keys,VDES database performs the query execution and returns unencrypted answers
if desired.PPES can also be used in this use scenario. For this, we can make database
aware of the keys.And when the query arrives, we can modify this query to have en-
crypted pattern and then perform execution of this modified query. With the help of
decryption key, we can decrypt the result to give final result as output.
As it is clear from the two use scenarios, there was a need of PPES.
4.2 Model of PPES
Now if E(t) divides E(s) where s is the string in which t is being searched then t is
present in s or we can say that t is one of the substring of s.
In PPES, string matching cost depends only on length of string being matched unlike
traditional techniques where cost depends on length of string being matched as well as
length of target string. So in PPES, string matching cost is just the cost of encrypting t
and cost of one division operation. So if the pattern string is small enough then string
matching can be done very fast.
Lets consider a given string s whose length is W so s will have W(W+1)/2 substrings.
And we are searching for string t of length w. Let E(s) and E(t) be the encryption of s
and t respectively.
And as t is a substring of s so all the substrings of t must be present in the set of all
substrings of s. So if s has n+k number of substrings then the encryption of s will be
E(s)= e(t1 ) × e(t2 ) × e(t3 ).... × e(tk ) × e(s1 ) × e(s2 ).... × e(sn )
And as we can see that all the factors of E(t) are present is E(s) so E(t) must divide
E(s). But vice versa is not true.
Lemma 2. String matching in PPES will result into a superset of actual resultset i.e.
false postivies may exist in the resulting set but there will be no false negative.
Proof. In above theorem we have shown that false negative will not exist. Now suppose
if t is not a substring of s then we can only assure of t not being present in s which
implies that all other substrings of t except t itself, may be present in s which implies if
e(t) and e(some substring of s) are mapped to same prime then it can make E(s) divisible
by E(t) so it will lead to false positive.
In this section we shall try to find out an upper bound on probabilty of a false posi-
tive. So lets assume t is pattern string of length w and s is the given string of length
W (W ≥ w) and E(t) divides E(s). So there are w(w + 1)/2 substrings in t, and each
of them is mapped to the same prime as some substring of s. In particular, the string t
is mapped to e(t) and e(t) is present in E(s). So we have to find out an upper bound on
the probability that E(t) divides E(s) but t is not a substring of s.
Since E(t) divides E(s), the string t maps to e(t) which is also the mapping of some
substring of s. Now there are W(W+1)/2 substrings of s so the probability of this is
bounded by
And the size of the number p is given by lg(p) bits. So the string s will consume
lg(E(s)) bits.
lg(E(s)) = (e1 × lg(e(t1 ))) × (e2 × lg(e(t2 ))) × ....(ek × lg(e(tk )))
Which implies that memory requirements will increase quadratically with the size of
string. So this scheme is not good for large documents but can handle strings of middle
size i.e. addresses.
Cipher text analysis of the data is very hard as all the data is in form of product of
many prime numbers so factorizing each one is very expensive hence attacked based on
distribution can’t happen.
Proof. Suppose that i 6= i0 , that is, the lengths are different. Thus, ||si,j | − |si0 ,j 0 || > w.
However, if t lies in the coverage of both the substrings, then, it follows that,
where, w1 = |si,j | − |t| and w2 = |si,j | − |t||. Since, both si,j and si,j 0 lies in the
w-extension ball centered at t, it follows that 0 ≤ w1 ≤ w and 0 ≤ w2 ≤ w, implying
a contradiction. Now suppose that i = i0 , that is the lengths of the substrings are the
same, and j 6= j 0 . A similar argument can be made for this case as well. t
u
The above argument shows that if t is any substring of s, then there is at most one s i,j
such that si,j is in the w-extension circle centered at t. We now show that for every
substring t of s, there is always one si,j lying within the 2w-extension ball centered at
t.
Lemma 4. Let t be a substring of s. Then there exists at least one si,j that 2 · w-covers
t.
Proof. Suppose that t starts at position p. Let r be the remainder and j 0 be the quotient
when p − 1 is divided by w + 1, that is,
Let i0 and r0 be the quotient and remainder respectively, when, |t| + r is divided by
w + 1, that is,
Proof. Let a denote the number of characters extended at the left end of t and b denote
the number of characters extended at the right end of t, to obtain s 0 . Each distinct choice
of a and b such that a + b ≤ w gives a distinct t such that s0 lies in the w-extension ball
centered at t. Therefore, the number of possible such substrings is given by
w w−a w w+1
X X X X 1
1= (w − a + 1) = a0 = · (w + 1) · (w + 2) .
2
a=0 b=0 a=0 a0 =1
Lemma 6. The number of substrings of a given string s of size n that must be stored
by any scheme that works based on testing the equality of one of the substrings with a
n·(n+1)
member of the w-extension of a given string t is at least (w+1)·(w+2) .
2
It follows that the number of substrings used by our proposed scheme is O( w n
2 ), which
n·(n+1)
is within a small constant factor of the lower bound, namely, (w+1)·(w+2) , by Lemma 6.
6 A Hierarchical Scheme
In this section, we propose a two-step scheme that is based on the previous scheme.
Let w1 and w2 be two integer parameters, where, w1 > w2 > 0. Given a database
string s, we first divide it into adjacent blocks of size w1 , that is, s = s1 s2 · · · sk , where,
each of the si ’s have size w1 and the last block is padded by the requisite number of
null characters to ensure that its length is exactly w1 . The encoding of s, namely, E(s),
is a hierarchical data structure. Its first field is the sequence of the encodings of the
blocks, that is, E(s1 ) ◦ E(s2 ) ◦ · · · ◦ E(sk ), where, ◦ denotes the sequencing operator.
We assume that w1 is large enough to negate statistical attacks to decode the encrypted
blocks. Let t be a substring of s. Then, the following two exclusive possibilities hold.
1. In a match of t with s, t spans more than one block of s. In other words, t can be
written as t = t0 t1 t2 . . . tl , where, l ≥ 1, and t1 , t2 , . . . , tl−1 are blocks of length
w1 each and |t0 | ≤ w1 and |tl | ≤ w1 . Further, there exists an index r with the
property that sr = t1 , sr+1 = t2 , . . . , sr+l−1 = tl−1 and t0 is a suffix of sr−1 and
tl is a prefix of the string sr .
2. In a match of t with s, t is contained within a block of s. That is, |t| ≤ w 1 and t is
a substring of sr , for some index r, 1 ≤ r ≤ k.
The second possibility can be effectively solved by storing, for each block s i , 1 ≤ i ≤
k, a set of substrings of si in their encoded form using an extension parameter w2 , as
detailed in Section 5. Thus, if |t| ≤ w1 , and there is a match of t with a substring of
s that is completely contained within a block, then, such a match can be effectively
decided. The total number of encodings in this scheme are as follows.
w12 n w12
n · w1
O k· 2 =O · =O (3)
w2 w1 w22 w22
Single Text Offset, Multiple Pattern Offsets. We now consider the scenario depicted by
the first possibility, namely, that t is a substring of s and a match of t spans multiple
blocks of s. Since the match of t with the matching portion of s may start at any po-
sition p, 1 ≤ p ≤ w1 , where, p is the starting position of first block of s from where
the match begins. To alleviate this situation, we assume that the pattern t is encoded in
w1 distinct ways, obtained by shifting the starting position of the first block of t by a
parameter u = 0, −1, −2, . . . , −(w1 − 1) respectively. Thus, if u = 0, the first block
contains the characters t1 t2 · · · tw1 and the remaining blocks are constructed sequen-
tially thereafter. If u = −1, then the first block contains the characters t 1 t2 · · · tw1 −1 ,
and the remaining blocks are constructed sequentially thereafter. For a general value of
u, the first block contains the characters t1 t2 · · · tw1 +u , and the remaining blocks are
encoded in sequence. Thus, t is encoded w1 times, with offsets ranging from 0 to w1 −1.
This increases the encoded size of the pattern t by a factor of w1 . Note that although
we have assumed that the offset for the text string s is 0, it is in general not necessary
to assume this. The offset for the text string can be set to any random value between 0
and −w1 + 1; this has the added advantage of reducing the chance of statistical attacks.
That is, the set Λi is the set of strings of size 2i that is constructed from letters from Σi .
For 1 ≤ i ≤ v − 1, define the following set.
The set ∆i is the cross set between Σi and the partitions with indices higher than j.
That is, it is the set of all strings of size 2i over the letters of partitions with indices i or
i
above (i.e., ∆i ⊂ (∪vj=i Σj )2 ). Further, all strings in ∆i are constrained to contained
at least one occurrence from the sets Σi and ∪vj=i+1 Σj (i.e., it is a cross string).
Let w = 2v . As a consequence of the construction, the sets ∪vi=1 Λi and the sets
v−1
∪i=1 ∆i can generate Σ w uniquely. That is, each string of Σ w can be uniquely repre-
sented as the concatenation of strings in the Λ and ∆ sets (prove!).
The transformed and equivalent automaton D 0 can be constructed so that it uses the
following alphabet.
That is, members of Σ 0 are encrypted members of Λi ’s and ∆i ’s. Accordingly, the
database string s is encrypted accordingly.
Cryptographic strength. The privacy of the scheme draws from the fact that the parti-
tion of the original alphabet into the subsets is not known to the third party. Further, the
value of v is also withheld from the third party. These two reasons reduce the effective-
ness of statistical attacks. However, some information about the length of the string can
be deduced.
In this section, we propose a scheme for performing aggregate operations like SUM,
AVG or COUNT on encrypted numeric data. A lot of work has been done in the past
in the field of security and mobile computing for performing arithmetic operations over
encrypted numbers. These are based on encryption transformations called Privacy Ho-
momorphisms (refer [5],[6],[7],[8],[9]). However, these techniques are not applicable to
databases. Many of these are limited to operations on two numbers and some of these
require message passing for each operation(refer [13]). Recent works related to perform-
ing query over encrypted data allow comparison operations like GREATER THAN,
LESS THAN, MAX or MIN (refer [4]).
The scheme proposed by us is directly applicable to the databases and is robust
against brute force or cipher-text analysis attack.
8.1 Scheme 1
Our scheme is based on the fact that we can use a function, say f , to encrypt a numeric
value d such that f (x, y, ..) = d. The solution < x, y, .. > can be used as an encrypted
value for d. The properties which a function f should satisfy are as follows-
1. The function f should have many solutions equation f (x, y, ..) = d where d can
be any numeric value in the range of data being encrypted i.e. f is many-to-one
function.
2. The function f should have atleast two arguments.
3. It should be possible to evaluate Σf (xi , yi , ...) given the values of Σxi , Σyi , ...
Let us consider a function f (x, y) = kx+y. This function satisfies all the properties
stated above. Hence, we can encrypt any data d as < x, y > such that kx + y = d.
Note that, it is possible to have many solutions for the same data d. Let us assume
that we have to add n numeric values d1 , d2 , ..., dn and we have the encrypted values
< x1 , y1 >, < x2 , y2 >, ..., < xn , yn >. Given the encrypted values, we can calculate
n
Σi=1 xi and Σi=1
n
yi . Obtaining these values, we can evaluate Σi=1 n
di as it is given by
Σi=1 di = kΣi=1 xi + Σi=1 yi . So, we see that we can perform the addition directly
n n n
over the encrypted data. Based on the knowledge of xi and yi , it is not possible to get
di without the knowledge of k. It is also possible to have function having n arguments
where n > 2.
This simple idea has a drawback that it discloses the data distribution. For above
example, encrypted values corresponding to same data d will lie on the same line with
slope k. Identification of any one line will give the value of k. Drawing lines through
other points and parallel to line corresponding to d will result in distribution knowledge
based on the distance between lines. This is the major limitation which needs to be
eliminated.
8.3 Scheme 2
Let us suppose, the data value d to be protected can be represented as N -bits long binary
number. Identify the set of Linear Transformations L. Now, do as follows-
1. Divide the N -bits long binary number into m consecutive unequal parts.
2. Apply linear transformations from the set L to each of the m parts so as to map
each part to a binary number of fixed length l.
3. Now, re-order these linearly operated parts and save these re-ordered parts in database.
The order for shuffling these parts will be fixed.
The data encrypted in above format can be used for performing addition directly without
decryption. To get the sum of any n numbers, we need to do the addition of entries
corresponding to these n numbers for each of the m columns. This gives the result in
encrypted form. The result can be decrypted as follows-
1. As the re-ordering sequence is known to us, we re-order the the m-parts of result in
original sequence.
2. As each part was linearly transformed, so the addition of linearly transformed value
corresponds to linear transformation of addition of original values i.e. h(Σ i=1
n
xi ) =
Σi=1 h(xi ). This linear transformation h is known to us and we know h(Σi=1
n n
xi ),
we can use the inverse function h−1 to get Σi=1n
xi .
3. Get the binary representation of Σi=1
n
xi for each of the m columns. The resulting
m parts can be used to get the final result.
The strength of above scheme is based on the fact that the way N -bits number is bro-
ken into m unequal parts, is not known to the third party performing computation on
encrypted data. Total number of ways in which N -bits number can be broken into m
consecutive unequal parts is N −1 Cm−1 − 1. For N =128 and m=10, number of ways
for this are O(1014 ). Also, the number of ways m parts can be reordered is m! which is
O(106 ) for m=10.So, to break the encryption, the intruder must be able to guess the lin-
ear transformations corresponding to each part and then check O(10 20 ) cases in worst
case.
As we saw, Scheme 1 is not strong enough to protect the data itself but it hides the
distribution very well.On the other hand, Scheme 2 is highly protective but it does not
hide the data distribution. Hence, we came up with a final scheme which is fusion of
Scheme 1 and Scheme 2.
Compute < x, y > and calculate < a, b > tuple using scheme1 and protect a and b
using scheme 2. In this manner, we not only protect the data but also the distribution.
In this section, we formally define privacy preserving computations and partial privacy
preserving computations.
The intended meaning of the string (x, y) of L is that x is a database string and y is an
encoding of the property being checked. We present several examples later on to clarify
the above definition. In general, the calculation of the conditional entropy function may
prove to be difficult. In order to extend the scope of the definition, we also introduce
the notion of partially privacy preserving computations and the index of privacy preser-
vation. In this section, the letter M , together with subscripts and superscripts, typically
denote Turing Machines (TMs).
Definition 8. A language L ⊆ Σ ∗ ×Σ ∗ is said to be computable in a partially privacy-
preserving fashion if there exist computable functions f and g and a Turing machine
M 0 such that, (x, y) ∈ L if and only if (f (x), g(y)) ∈ L(M 0 ) and E NTROPY ((x, y) |
(f (x), g(y))) ≤ E NTROPY ((x, y)). The index of privacy preservation is defined as
E NTROPY ((x,y)|(f (x),g(y)))
E NTROPY ((x,y)) . t
u
The formal definitions are intended for comparing competitive privacy preserving schemes.
We now present examples of languages that can be computed while partially preserving
privacy.
Example 9. Let L = {(x, y) | y is a substring of x}. Then, f (x) can be the PPES
encoding of x, and g(y) could be the function mapping strings to primes, using the
same mapping function used by f . Here, the TM M 0 checks whether g(y)|f (x). t
u
Example 10. Let L be any language that satisfies the following property: |{y | (x, y) ∈
L}| is finite. Let L1 denote the language {x | ∃y such that (x, y) ∈ L}. For every
x ∈ Σ ∗ , f (x) is the PPES encoding of {y | (x, y) ∈ L}. Since this set is finite for all
x ∈ Sigma∗ , the PPES encoding is well-defined. The function g(y) is the mapping of
y to a prime using the same mapping function used by f . The mapping described is,
in general, partially privacy preserving, since, for every x, such that x ∈ Σ ∗ − L1 , the
PPES encoding f (x) corresponds to the empty string. This reveals some information
about the database strings. t
u
Example 11. The universal language U = {(x, hM i) | x ∈ L(M )}, where, hM i repre-
sents the encoding of the TM M . Consider the alphabet scrambling scheme discussed
in Section 7.4. Let g(hM i) = hM 00 i, where, M 00 is the TM that is isomorphic to M ,
except that the alphabet used is the transformed alphabet Σ 0 , corresponding to the spe-
cific bits used by the alphabet scrambling scheme. Let f (x) be the encoding of x in the
alphabet Σ 0 . Let M 0 be the universal TM over the alphabet Σ 0 .
The reason for calling this language as the universal language for privacy preserva-
tion is that if L can be computed in a privacy preserving fashion, then, all recursive sets
can be computed in a privacy preserving fashion. This can be argued as follows. Let L
be a language that is computable in a privacy preserving fashion. Then, there exists com-
putable functions, f1 , g1 and a TM R such that (x, y) ∈ L iff (f1 (x), g1 (y) ∈ L(R).
For a given y ∈ Σ ∗ , let < N (y) > be the encoding of a Turing machine N (y) that
works as follows. N (y) takes an input u and runs R on the pair (f1 (u), g1 (y)), ac-
cepting iff R accepts. Consider the pair (x, < N (y) >). Clearly, x ∈ L(N (y)) iff
(f1 (x), g1 (y) ∈ L(R). t
u
10 Conclusions
With increasing concerns for privacy and safety of data, it has become necessary to
develop techniques for the preservation of data being collected in databases. As it is
possible for an intruder to get access to raw database files, there is a threat of informa-
tion leakage or exposure.Encryption techniques come as a rescuing technique for this
problem but it renders the encrypted data useless for answering any SQL queries.In this
paper, we have presented schemes which can perform SQL queries directly over the
encrypted data. The VDES scheme suggested in this paper can be used for protecting
variable length string data and answering pattern matching queries. This scheme can be
used in the domain where program running to answer the query is assumed to be safe.
Another scheme, for string pattern related queries, called Extension of PPES given in
Section 5 can be used for complete security. This can also be used for third party com-
putation without any revelation. We also provide a scheme in Section 8 that preserves
the result of SUM and AVERAGE operations of numerical data types. We see that if
above schemes are incorporated with the OPES scheme presented in [4], the encrypted
database will be able to answer the following queries: Exact String Matching, Finding
Substrings in given set of Strings, Pattern matching in strings (LIKE operations) and
queries related to numerical data type like SUM,AVG,COUNT,MAX,MIN,GROUP BY
and ORDER BY.
11 Future Work
In future, the work done in this paper can be extended to find a better technique for
regular expression matching. Also, the techniques presented by us for answering SQL
queries come with a cost in terms of higher secondary memory/storage requirements.
Although secondary memory is getting cheaper, reduction in its usage can have a bet-
ter performance impact on implementation. Also, the scheme described in Section 8
for preserving aggregate operations on numerical data types can be extended to answer
MAX or MIN queries.
Acknowledgments . We would like to thank Dr. Sumit Ganguly for his constant guid-
ance, motivation and for being a source of inspiration for us.
References
1. Ozsoyoglu, Singer. Anti-tamper databases :querying encrypted databases.In Proc. Of 17th
annual IFIP WG11.3 Working conference on Database and Application Security, Colorado,
August 2003.
2. Song, Wagner and A.Perrig. Practical techniques for searches on encrypted data.In IEE
Symp. on security and privacy, Oakland, California, 2000
3. H.Hacigumus, B.R.Iyer, C.Li and S.Mehrotra. Executing SQL over encrypted database-
service-provider model.In Proc. Of ACM SIGMOD Conf on Mamagement of Data, Madison,
Wisconsin, June 2002.
4. R.Agrawal, J.Kiernan, R.Srikant and Y.Xu. Order Preserving Encryption for Numeric
Data.In SIGMOD 2004, Paris, France, June 2004.
5. N.Ahituv, Y.Lapid and Neumann. Processing encrypted data.Communications of
ACM30(9):777-780, 1987.
6. J. Domingo-Ferrer and J.Herrera-Joancomarati. A privacy homomorphism allowing field op-
erations on encrypted data.Journes de Matematica Discreta i Algorismica, Universitat Po-
litecnica de Catalunya, March 1998.
7. J.Domingo-Ferrer. A new Privacy homomorphism and applications.Information Processing
Letters, 60(5):277-282, 1996.
8. Feigenbaum, Liberman and R.N.Wright. Cryptographic protection of databases and soft-
ware.In Proc. of DIMACS Workshop on Distributed Computing and Cryptography, 1990.
9. R.L.Rivest, L.Adelman and M.Dertouzos. On data banks and privacy homomorphisms.In
Foundations of secure computation, 169-178, 1978.
10. R.Agrawal, D.Asonov and R.Srikant. Enabling sovereign informatrion sharing using web
service.In SIGMOD 2004,Paris,France,June 2004.
11. R.Agrawal, Bayardo, Kiernan, Faloustsos, Rantzau and R.Srikant. Auditing Compliance
With a Hippocratic Database.In Proceedings of VLDB Conference, Toronto, Canada, 2004
12. R.Agrawal and R.Srikant. In Proc. Of ACM SIGMOD Conference on Management of Data,
2000.
13. I-Ling Yen,Wei Li,Qingkai Ma and Farokh Bastani.Secure Computation with Low Overhead.
In University of Texas at Dallas,Richardson
14. Tomas Sanderand Christian F. Tschudin. Towards Mobile Cryptography. In Proceedings of
the IEEE Symposium on Security and Privacy
15. Bijit Hore, Sharad Mehrotra and Gene Tsudik.A Privacy-Presrving Index for Range Queries.
In Proceedings of 30th VLDB Conference, Toronto,Canada, 2004.
Appendix
1
the notation (a, b) stands for the GCD of a and b.