This application claims priority under 35 U.S.C. § 119(a) to Korean Application Patent No. 10-2014-0057838, which was filed in the Korean Intellectual Property Office on May 14, 2014, the entire content of which is hereby incorporated by reference.
One or more exemplary embodiments relate to a method and an apparatus for encrypting data, and more particularly to a method and an apparatus for encrypting data while maintaining a sequential order of the original data in the encrypted data.
When data is encrypted and the encrypted data is stored in a database, the encrypted data may be arranged in an order entirely different from an order of the original data. This is because an encryption process converts original data into arbitrary values, which causes the original data to be unpredictable. For this reason, when the data stored in the database is encrypted, a search, such as a range query, cannot be made without first decrypting the data.
One related-art method that enables a search such as a range query is order-preserving encryption. Order-preserving encryption is a scheme which provides order information of original data elements to encrypted data elements. For example, consider a case in which original data elements A, B, and C exist and are values different from each other in accordance with A<B<C. In this case, when the ciphertext of A encrypted by using the order-preserving encryption method is A′, the ciphertext of B is B′, and the ciphertext of C is C′, then A′, B′ and C′ have sizes expressed by A′<B′<C′, which is identical to the order according to the sizes of the original data elements.
However, when the length of the original data is m bits and the length of the ciphertext is n bits, where m<n, the above-described order-preserving encryption method needs to repeatedly perform an arithmetic operation up to a maximum of n times in order to decrypt the ciphertext. Accordingly, the order-preserving encryption method is disadvantageous in that complex arithmetic operations are performed.
An aspect of one or more exemplary embodiments is to provide a method and an apparatus for encryption which are capable of easily performing encryption or decryption while maintaining a sequential order according to sizes of original data elements.
In accordance with an aspect of the present disclosure, a method for performing encryption by an encryption apparatus is provided. The method may include generating a secret key or a parameter for encrypting plaintext; converting the plaintext into ciphertext by using the secret key or the parameter; and transmitting the ciphertext to a database. The secret key may be represented as {α, β, γ, K}, the parameter may be represented by N, the plaintext may be represented by x, and the ciphertext may be represented by C.
The method may further include delivering a range query to the database; and receiving ciphertext corresponding to the range query from the database.
The method may further include reconstructing plaintext from the ciphertext by using the parameter N or the secret key {α, β, γ, K}.
The generating of the secret key {α, β, γ, K} or the parameter N for encrypting the plaintext x may include determining the parameter N and the secret key {α, β, γ, K} by using a bit size d of the plaintext x.
Among the secret key {α, β, γ, K}, γ is a number between 0 and α (0<γ<α), β is a number between ½ and 1 (½<β<1), K is a pseudo-random number according to a pseudo-random function, and α is equal to 1 minus β (α=1−β). τ may represent a value which minimizes a distance between two output values which are output from the encryption apparatus. N may be the ceiling of
Converting the plaintext x into the ciphertext C may include: determining a set of secret key vectors a based on parameter N, secret key {α, β, γ, K}, and plaintext x; and converting plaintext x into ciphertext C using the set of secret key vectors a. Plaintext x may be a d-bit binary number, and $x_{d-j}$ may represent a bit value of plaintext x at the (d−j)th position, where (1≤j≤d), according to: $x := (x_{d-1}, x_{d-2}, \ldots, x_0)$. The set of secret key vectors a may include one or more secret key vectors $a_i$, where (0≤i≤d), according to: $a_i := (a_0, a_1, \ldots, a_d)$. The ciphertext C may be determined according to the equation: $C = a_0 + a_1(2x_{d-1} - 1) + \cdots + a_d(2x_0 - 1) = a_0 + \sum_{i=1}^{d} (2x_{d-i} - 1)\,a_i$, where (0≤i≤d).
The generating the secret key {α, β, γ, K} or the parameter N may include generating both the secret key {α, β, γ, K} and the parameter N.
The secret key vector $a_i$, with (0≤i≤d), may be defined by:
wherein $F_i$, with (0≤i≤d), is a function.
$F_i$, with (0≤i≤d), may be a cryptographic hash function or a pseudo-random function.
In accordance with another aspect of the present disclosure, an encryption apparatus is provided. The encryption apparatus may include a key generator that generates a secret key or a parameter for encrypting plaintext; and an encryptor that converts the plaintext into ciphertext by using the secret key or the parameter and delivers the ciphertext to a database. The secret key may be represented as {α, β, γ, K}, the parameter may be represented by N, the plaintext may be represented by x, and the ciphertext may be represented by C.
The encryption apparatus may be configured to deliver a range query to the database, and receive ciphertext corresponding to the range query from the database.
The key generator may be configured to determine the parameter N and the secret key {α, β, γ, K} by using a bit size d of the plaintext x.
The encryption apparatus may further include a decryptor configured to reconstruct plaintext from the ciphertext by using the parameter N or the secret key {α, β, γ, K}.
Among the secret key {α, β, γ, K}, γ is a number between 0 and α (0<γ<α), β is a number between ½ and 1 (½<β<1), K is a pseudo-random number according to a pseudo-random function, and α is equal to 1 minus β (α=1−β). τ may represent a value which minimizes a distance between two output values which are output from the encryption apparatus. N may be the ceiling of
The key generator may be further configured to calculate α and N according to their respective functions.
The encryptor may be further configured to: determine a set of secret key vectors a based on parameter N, secret key {α, β, γ, K}, and plaintext x; and convert plaintext x into ciphertext C using the set of secret key vectors a. Plaintext x may be a d-bit binary number, and $x_{d-j}$ may represent a bit value of plaintext x at the (d−j)th position, where (1≤j≤d), according to: $x := (x_{d-1}, x_{d-2}, \ldots, x_0)$. The set of secret key vectors a may include one or more secret key vectors $a_i$, where (0≤i≤d), according to: $a_i := (a_0, a_1, \ldots, a_d)$. The ciphertext C may be determined according to the equation: $C = a_0 + a_1(2x_{d-1} - 1) + \cdots + a_d(2x_0 - 1) = a_0 + \sum_{i=1}^{d} (2x_{d-i} - 1)\,a_i$, where (0≤i≤d).
The key generator may be configured to generate both the secret key {α, β, γ, K} and the parameter N.
The secret key vector $a_i$, with (0≤i≤d), may be defined by:
wherein $F_i$, with (0≤i≤d), is a function.
$F_i$, with (0≤i≤d), may be a cryptographic hash function or a pseudo-random function.
According to embodiments of the present disclosure, a method and an apparatus for encryption can be provided which are capable of easily performing encryption or decryption while maintaining the order according to the sizes of the original data elements.
The above and other aspects, features, and advantages of one or more exemplary embodiments will be more apparent from the following detailed description taken in conjunction with the accompanying drawings, in which:
Hereinafter, various exemplary embodiments will be described with reference to the enclosed drawings. The present disclosure may be modified in various forms and include various embodiments. Although specific examples are illustrated in the drawings and described herein, it should be understood that there is no intent to limit various exemplary embodiments of the present disclosure to the particular exemplary embodiments disclosed, but the present disclosure should be construed to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the various exemplary embodiments. In description of the drawings, similar elements are indicated by similar reference numerals.
Hereinafter, the terms “include” or “may include”, which may be used in various exemplary embodiments, refer to the presence of disclosed functions, operations or elements, and do not restrict the addition of one or more functions, operations or elements. In the present disclosure, the terms such as “include” or “have” may be construed to denote a certain characteristic, number, step, operation, constituent element, component or a combination thereof, but may not be construed to exclude the existence of or a possibility of additional one or more other characteristics, numbers, steps, operations, constituent elements, components or combinations thereof.
The term “or” in various exemplary embodiments means the inclusion of at least one or all of the disclosed elements. For example, the expression “A or B” may include A, may include B, or may include both A and B.
The expressions “1”, “2”, “first”, or “second” used in various exemplary embodiments may modify various components but do not limit the corresponding components. For example, the above expressions do not limit the sequence and/or importance of the corresponding elements. The expressions may be used to distinguish a component element from another component element. For example, a first user device and a second user device indicate different user devices although both of them are user devices. However, without departing from the scope of the present disclosure, the first user device may be called the second user device. Similarly, the second user device may be called the first user device.
It should be noted that if it is described that one component element is “coupled” or “connected” to another component element, the first component element may be directly coupled or connected to the second component, and a third component element may be “coupled” or “connected” between the first and second component elements. Conversely, when one component element is “directly coupled” or “directly connected” to another component element, it may be construed that a third component element does not exist between the first component element and the second component element.
The terms used in various exemplary embodiments are merely used to exemplify a certain exemplary embodiment and should not be construed as limiting. As used herein, the singular forms are intended to include the plural forms as well, unless the context clearly indicates otherwise.
Unless defined differently, all terms used herein, which include technical terminologies or scientific terminologies, have the same meaning as a person skilled in the art to which the present disclosure belongs. Such terms as those defined in a generally used dictionary are to be interpreted to have the meanings equal to the contextual meanings in the relevant field of art, and are not to be interpreted to have ideal or excessively formal meanings unless clearly defined in the present disclosure.
Hereinafter, an encryption apparatus according to various exemplary embodiments will be described with reference to the accompanying drawings.
Referring to
The key generator 110 may generate a parameter or a secret key to be used by the encryptor 120 or the decryptor 130.
The encryptor 120 may encrypt data, for example, original data (i.e., plaintext), which has been input to the encryption apparatus 100, and thereby may generate ciphertext. The encryptor 120 may convert the plaintext by using the secret key or the parameter generated by the key generator 110, and thereby may generate ciphertext. An order according to sizes, or values, of the pieces of ciphertext generated by the encryptor 120 may be identical to an order according to sizes of the pieces of plaintext. For example, when pieces of plaintext are A, B, and C, and the pieces of plaintext have sizes expressed by A<B<C, A′, B′ and C′, which are pieces of ciphertext generated by the encryptor 120, may have sizes expressed by A′<B′<C′.
The decryptor 130 may decrypt the ciphertext by using the secret key or the parameter generated by the key generator 110, and may reconstruct the plaintext.
The controller 140 may control an overall operation of the encryption apparatus 100. The controller 140 may control the key generator 110 to generate the parameter or the secret key. The controller 140 may control the encryptor 120 to encrypt plaintext which is input to the encryption apparatus 100 or is stored in the database 200. The controller 140 may control the decryptor 130 to decrypt ciphertext, which is input to the encryption apparatus 100 or is stored in the database 200, and to convert the ciphertext into plaintext.
The database 200 may store the ciphertext generated by the encryptor 120, and may store plaintext, which is input to the encryption apparatus 100, or plaintext decrypted by the decryptor 130. The database 200 may extract pieces of ciphertext corresponding to a range query, from the encryption apparatus 100. To this end, pieces of ciphertext may be arranged in order of sizes, and the pieces of ciphertext arranged in order of the sizes may be stored in the database 200. For example, when pieces of ciphertext are natural numbers from 1 to 100, the natural numbers from 1 to 100 may be stored in the database 200 in a state of being arranged in order of values of the natural numbers.
According to another exemplary embodiment, the database 200 may be implemented as a separate element from the encryption apparatus 100. When the database 200 is implemented as a separate element from the encryption apparatus 100, the database 200 may not store the secret key and the parameter generated by the key generator 110. Accordingly, the database 200 may not decrypt pieces of the ciphertext.
Referring to
For example, a case is considered in which plaintext x includes 1, 2, 3, and 4, and in which an order according to values is expressed by ‘4>3>2>1’. The encryption apparatus 100 may generate 12 which is ciphertext matched to 1, 34 which is ciphertext matched to 2, 56 which is ciphertext matched to 3, and 78 which is ciphertext matched to 4. Accordingly, an order according to values of the pieces of ciphertext may be expressed by ‘78>56>34>12’ as in the case of the plaintext. The database 200 may store 78, 56, 34 and 12, which are the pieces of ciphertext, in descending order. Alternatively, the database 200 may store 12, 34, 56, and 78, which are the pieces of ciphertext, in ascending order.
In operation S204, the key generator 110 may determine α, β, γ and K, which are the secret keys, by using the bit size d of plaintext x. According to an exemplary embodiment, in order to maintain an order according to values of the pieces of plaintext, among the secret keys generated by the key generator 110, γ may be any random number (0<γ<α) among numbers between 0 and α, and β may be any random number (½<β<1) between ½ and 1. When β and γ are determined among the secret keys, the key generator 110 may calculate a parameter N and a secret key vector a as follows:
τ is a value which minimizes a distance between two output values (i.e., pieces of ciphertext) of the encryption apparatus 100. τ may be set to 2 as a default value. Also, an encryption key K may be determined as a pseudo-random number according to a pseudo-random function.
By setting the secret keys as described above, the encryption apparatus 100 may generate ciphertext including information on the order of the values of the pieces of plaintext x.
When the parameter (i.e., param=N) and the secret key (i.e., key={α, β, γ, K}) have been determined in operation S204 as described above, in operation S206, the encryptor 120 may encrypt the plaintext. Specifically, in operation S206, the encryptor 120 may convert the plaintext x (i.e., x∈{0, 1, . . . , M−1}) into ciphertext C (i.e., C∈{0, 1, . . . , N−1}) by using the param=N and the key={α, β, γ, K}.
According to an exemplary embodiment, a case is considered in which the plaintext x and a secret key vector $a_i$ are as follows:
The secret key vector $a_i$ may be calculated as follows:
Ciphertext C may be calculated by using Equation (1) below based on the equations as described above.
$C = a_0 + a_1(2x_{d-1} - 1) + \cdots + a_d(2x_0 - 1) = a_0 + \sum_{i=1}^{d} (2x_{d-i} - 1)\,a_i$ (1)
In Equation (1), x is a d-bit binary number, and $x_{d-i}$ (1≤i≤d) is a bit value at the position of each bit. $x_{d-1}$ may be the value of the leftmost (most significant) bit. Also, $F_i$ (0≤i≤d) is a random function, and may be implemented in the form of a cryptographic hash function (e.g., SHA-128) or a pseudo-random function (e.g., HMAC-SHA-128).
When the ciphertext C has been calculated as described above, in operation S208, the encryption apparatus 100 may output the ciphertext C and may store the ciphertext C in the database 200. According to another exemplary embodiment, when the database 200 is implemented as an apparatus separate from the encryption apparatus 100, the encryption apparatus 100 may transmit the ciphertext C to the database 200.
Referring to
The encryption apparatus 100 may decrypt ciphertext by using a parameter param or key, which is a secret key, and thereby may reconstruct plaintext. Hereinafter, an example will be described in which plaintext x is reconstructed from ciphertext C. In
Referring to
$a_0 = F_0(K, 0)$.
In operation S406, the decryptor 130 may compare the secret key vector $a_0$ with the ciphertext C. The decryptor 130 may set the value of plaintext bit $x_{d-1}$ based on a result of the comparison of the secret key vector $a_0$ with the ciphertext C in operation S406. When $C < a_0$, the decryptor 130 may set the plaintext bit $x_{d-1}$ to “0.” In contrast, when $C \geq a_0$, the decryptor 130 may set the plaintext bit $x_{d-1}$ to “1.”
In operation S408, the decryptor 130 may initialize a sum A of secret key vectors to $a_0$ (i.e., $A = a_0$), and may initialize i to 2 (i.e., i=2).
Referring to
$a_{i-1} = F_i(K, x_{d-i+1})$ (2)
$A = A + (2x_{d-i+1} - 1)\,a_{i-1}$, where 2≤i≤d. (3)
In operation S416, the decryptor 130 may compare the sum A with the ciphertext C, and may reconstruct the value of the plaintext $x_{d-i}$. In operation S416, the decryptor 130 may set the plaintext $x_{d-i}$ to “0” when C<A, or may set the plaintext $x_{d-i}$ to “1” when C≥A. The decryptor 130 may increase i by 1 in operation S418, and the controller 140 may again determine, in operation S412, whether i is less than or equal to d.
When i exceeds d (No in operation S412), in operation S420, the decryptor 130 may calculate $a_d$ and A by using Equations (4) and (5) below.
$a_d = F_d(K, x_0)$ (4)
$A = A + (2x_0 - 1)\,a_d$ (5)
In operation S422, the controller 140 may determine whether the sum A is identical to the ciphertext C. When it is determined in operation S422 that the sum A is identical to the ciphertext C (Yes in operation S422), in operation S424, the decryptor 130 may output x in Equation (3) as the plaintext x.
In contrast, when it is determined in operation S422 that the sum A is different from the ciphertext C (No in operation S422), in operation S426, the controller 140 may output an error message. By outputting the error message as described above, the encryption apparatus according to embodiments of the present disclosure may notify a user that the plaintext has not been reconstructed.
Referring to
The database 200 may extract ciphertext in a relevant range in operation S504, and may transmit the extracted ciphertext to the encryption apparatus 100 in operation S506. In operation S508, the encryption apparatus 100 may decrypt the ciphertext received from the database 200, and may reconstruct plaintext. For example, in operation S504, the database 200 may extract 12, 22, 34, 42, 57, 63, 73, 84, 99 and 104, as pieces of ciphertext matched to respective pieces of plaintext 1 through 10.
The encryption apparatus 100 may deliver, to the database 200, the pieces of ciphertext respectively matched to 1 through 10, and thereby may transmit a range query which requests, from the database 200, the pieces of ciphertext respectively matched to 1 through 10. The database 200 may return, to the encryption apparatus 100, the pieces of ciphertext respectively matched to 2 through 9 as well as the ciphertext matched to 1 and the ciphertext matched to 10. Accordingly, the database 200 may transmit, to the encryption apparatus 100, a response to the range query of the encryption apparatus 100. The database 200 is capable of transmitting, to the encryption apparatus 100, the response to the range query as described above because the pieces of ciphertext matched to the respective pieces of plaintext 1 through 100 are capable of being arranged in order of sizes in the database 200. Specifically, sizes of the pieces of ciphertext stored in the database 200 may be values different from each other in accordance with “the ciphertext matched to 1<the ciphertext matched to 2<the ciphertext matched to 3<the ciphertext matched to 4< . . . <the ciphertext matched to 100.” Therefore, the database 200 may extract the pieces of ciphertext respectively matched to 1 through 10 without decrypting the pieces of ciphertext matched to the respective pieces of plaintext 1 through 100.
Also, according to an exemplary embodiment, the pieces of ciphertext matched to the respective pieces of plaintext 1 through 100 are all obtained by being encrypted by the encryption apparatus 100 before being stored in the database 200. Accordingly, the database 200 may not know the parameter and the secret key used to encrypt the pieces of plaintext 1 through 100.
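The bit-by-bit sum of Equation (1), the comparison-based decryption of operations S406 through S426, and the range query answered on ciphertext alone are shown together in the following Python code, which is an added example and not code from the patent. The page's definitions of N and of the vectors $a_i$ in terms of α, β and γ are not reproduced here, so the weights use an assumed stand-in (each $a_i$ drawn from [2·4^(d−i), 3·4^(d−i)) by HMAC-SHA-256 over the preceding bits), chosen only so that every weight exceeds the sum of all later ones. The function names, the key, the sample values and d=16 are likewise assumptions.

```python
import bisect
import hashlib
import hmac

D = 16  # plaintext bit size d (assumed for this example)


def prf(key: bytes, i: int, prefix: str) -> int:
    """F_i(K, .): HMAC-SHA-256 over the index i and the bits fixed so far."""
    msg = i.to_bytes(2, "big") + prefix.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def weight(key: bytes, i: int, prefix: str, d: int = D) -> int:
    """Assumed stand-in for a_i (not the patent's alpha/beta/gamma formula).

    a_i lies in [2*4^(d-i), 3*4^(d-i)), so a_i is larger than the sum of all
    later weights; a_0 lies in [4^d, 2*4^d), which keeps every C positive.
    """
    if i == 0:
        return 4**d + prf(key, 0, "") % 4**d
    span = 4 ** (d - i)
    return 2 * span + prf(key, i, prefix) % span


def encrypt(key: bytes, x: int, d: int = D) -> int:
    """Equation (1): C = a_0 + sum_{i=1..d} (2*x_{d-i} - 1) * a_i."""
    if not 0 <= x < 2**d:
        raise ValueError("plaintext out of range")
    bits = format(x, f"0{d}b")  # bits[0] is x_{d-1}, the leftmost bit
    c = weight(key, 0, "", d)
    for i in range(1, d + 1):
        c += (2 * int(bits[i - 1]) - 1) * weight(key, i, bits[: i - 1], d)
    return c


def decrypt(key: bytes, c: int, d: int = D) -> int:
    """Recover one bit per comparison of C with the running sum A."""
    a_sum = weight(key, 0, "", d)  # A = a_0
    bits = ""
    for i in range(1, d + 1):
        bit = 1 if c >= a_sum else 0  # C < A gives 0, C >= A gives 1
        a_sum += (2 * bit - 1) * weight(key, i, bits, d)
        bits += str(bit)
    if a_sum != c:  # final check of S422; a mismatch is the S426 error
        raise ValueError("ciphertext does not match any plaintext")
    return int(bits, 2)


def range_query(sorted_cts: list, lo_ct: int, hi_ct: int) -> list:
    """Database side: no key, only integer comparison on sorted ciphertexts."""
    left = bisect.bisect_left(sorted_cts, lo_ct)
    right = bisect.bisect_right(sorted_cts, hi_ct)
    return sorted_cts[left:right]


def demo() -> list:
    key = b"constructed-demo-key"  # constructed sample key
    salaries = [52000, 1200, 48000, 65535, 0, 30000, 30001]  # constructed data
    stored = sorted(encrypt(key, s) for s in salaries)  # what the database holds
    hits = range_query(stored, encrypt(key, 30000), encrypt(key, 50000))
    return [decrypt(key, c) for c in hits]


if __name__ == "__main__":
    print(demo())
```

The database answers the query with integer comparison only, which also means that anyone holding the stored ciphertexts learns the rank order of the underlying plaintexts.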
The disclosure described above may be employed in the case of encrypting data elements having a sequential order and storing the encrypted data elements in a database. A range query is capable of being performed on the data elements, which are encrypted before being stored according to one or more exemplary embodiments, without a decryption process. One or more exemplary embodiments can be employed without performing a process for decrypting encrypted data in a situation where data is encrypted before being stored and a range query is required. For example, one or more exemplary embodiments may be applied to a relational database, such as MySQL, which is a public database. When the one or more exemplary embodiments are applied, the database does not have to perform a decryption process in order to perform a range query on the encrypted data. Because the database does not have to perform the decryption process as described above, the search speed of the database may be identical to that of a database system which is storing pieces of plaintext. Also, because the decryption process may be omitted, a system manager (not shown) (e.g., a Database Management System (DBMS)) that performs a search in the database is not capable of knowing a secret key used for the encryption or decryption. Accordingly, the system manager is not capable of knowing information (e.g., plaintext) stored in the encrypted data, so security may be improved.
For example, a case is considered in which a user stores personal information (e.g., an annual salary, a schedule, age, physical information which is quantized, etc.). The database may store only ciphertext obtained by encrypting the personal information, and only the user may have a secret key or a parameter for decrypting the ciphertext. Accordingly, even if a person hacks into the database or the system manager releases data stored in the database, only the ciphertext is exposed, and thus the personal information of the user is not exposed. As described above, according to the one or more exemplary embodiments, the personal information can be prevented from being exposed, and the database enables a range query while providing the confidentiality of data.
The exemplary embodiments disclosed in the specification and the drawings are only particular examples proposed in order to easily describe the technical matters of the present disclosure and help with comprehension of the present disclosure, and do not limit the scope of the present disclosure. Therefore, in addition to the exemplary embodiments disclosed herein, the scope of the various embodiments of the present disclosure should be construed to include all modifications or modified forms drawn based on the technical idea of the various exemplary embodiments of the present disclosure.
Number | Date | Country | Kind |
---|---|---|---|
10-2014-0057838 | May 2014 | KR | national |
Number | Date | Country | |
---|---|---|---|
20170063528 A1 | Mar 2017 | US |