Patent Application
20240054136
The present invention generally relates to the field of confidentially querying a database. It involves additive homomorphic encryption and requesting by Private Information Retrieval (PIR) protocol.
The confidential querying of a database makes it possible for a client to extract data from a base hosted by a remote server, without disclosing to third parties or to the server itself the subject of the request and the result thereof.
Confidential querying methods generally involve homomorphic encryption processing of the database queried. It is possible to distinguish those that use a Full Homomorphic Encryption (FHE) of the database and those that simply use an additive homomorphic encryption.
The first authorise a wide variety of types of requests but do not make it possible to scale in terms of size of the database, in other words they are not scalable to significant sizes of the base, at least for latency times (that is to say of response to a request) less than an acceptable threshold value (typically of a few minutes).
The second only make it possible for requests of restricted format but authorise easy scaling relative to the size of the database.
The Private Information Retrieval (PIR) protocol is a method for confidentially querying a database involving additive homomorphic encryption processing using the Paillier cryptosystem.
For example, a description will be found of a method for confidentially querying a database by means of the PIR protocol in the article entitled “EncryptedQuery scalable Private Information Retrieval”, EnQuery, 29.11.2018.
However, this confidential querying method corresponds to a single-user use case. Indeed, the data stored in the base are hash values obtained by means of a private key encryption hash function, said private key belonging to the user.
Thus, if a second user desires to query the base in question, the private key used in the hash function must be communicated to the second user, without passing through the server, so as to protect the confidentiality with respect to the latter.
More generally, if various users each have a database (of the type envisaged above) and desire to share their access rights, they must exchange their private keys, which is not a satisfactory solution. Furthermore, it is understood in this scenario that there are as many private keys as databases, which leads to a multiplication of the number of requests for the same query.
The aim of the present invention is to propose a method for multi-user querying of a database that does not have the drawbacks of the prior art, in particular that does not require an exchange of confidential information between said users when a user desires to authorise another to access said base.
The present invention is defined by a method for confidentially querying the presence of a record in a database hosted by a server, said records being stored in the database in the form of digital footprints, each digital footprint being obtained by hashing a record by means of a public hash function and each row of the database containing the digital footprints sharing their m>1 first bits, said confidential querying method being original in that:
The stream cipher may use an encryption primitive selected for example from AES-CTR, Trivium and Grain.
The cryptographic public hash function may be SHA-3.
According to an advantageous embodiment, the homomorphic cryptosystem is an additive homomorphic encryption.
The additive homomorphic encryption may preferably use a public key Paillier cryptosystem (g, n) with n=pq where p, q are two prime numbers.
In this case, the server returns as response a first and a second ciphertext stored in the row qm, the second user performing a decryption of each of the first and second ciphertexts by means of the private key of its homomorphic cryptosystem, then performs a decryption by means of this same private key of the results thus obtained after having concatenated them.
According to one variant, the additive homomorphic encryption uses a plurality N of ciphertexts of “0” by a Paillier encryption, hi, i=1, . . . ,N, the additive homomorphic encryption of an integer μ being obtained by:
c=g
μπi=iN max(1, uihi) mod n2 [Math. 1]
where ui, i=1, . . . , N are random bits selecting said ciphertexts of “0”.
Advantageously, the ciphertexts of “0” are computed once for all and stored by the second user.
The transcryption of the rows of the database can be carried out once for all by the server when the second user has been authorised to query the database by the first user. Alternatively, the transcryption of the rows of the database is carried out dynamically by the server upon each query of the second user.
Other features and advantages of the invention will appear upon reading a preferred embodiment of the invention, made with reference to the appended figures wherein:
Firstly, we will consider a use case representative of the application context of the present invention. In this context, a client (also called user) can query a database hosted by a remote server. For this purpose, the client sends a request having as argument a record likely to be present in the base and receives in return information indicating whether or not this record is effectively present. More generally, a plurality of clients are likely to query the database and receive in return an indicator of the presence of the records sought. One or more administrators can further proceed to add or delete records in the base. The client stations and the administrator stations collectively form the client domain. As the remote server can itself use clusters of servers distributed in the Cloud, the servers that host the database collectively form the server domain.
In the use case considered, the database, although hosted in the server domain remains the property of the client domain. In other terms, the confidentiality of the data present in the base must be guaranteed with respect to the server while making it possible for the clients of the client domain to query the latter confidentially. The confidentiality constraints to be respected between the client domain and the server domain can be stated as follows:
In this use case, a first user A having a terminal 110 desires to make it possible for a second user B, having a terminal 120, to query, confidentially, a database, 130, hosted by a remote server, 140. We will assume that the various actors (users and server) are curious but semi-honest, that is to say follow the protocol that is imposed on them.
The records can include a plurality of fields, and consist of, for example, alphanumeric data. For example, each record may comprise the name, first name, gender, date and place of birth, address of a person. It is essential to note that this information is not however stored as such in the base but only in the form of digital footprints. Unlike the prior art, these footprints are obtained by a public cryptographic hash function, for example the SHA-3 hash function. Public hash function means a hash function that does not use confidential elements such as a secret key.
The user A or an administrator of the client domain may compute the digital footprints of the records to be stored. The digital footprints all have the same size T, for example 256 or 512 bits. Only a portion of the bits of the digital footprint provided by the hash function may be kept, for example 64 bits. For the sake of simplification, these reduced footprints will be assimilated to the digital footprints within the previous meaning, as the size reduction of the footprint can be taken into account in the hash function.
The database is “row oriented” and the digital footprints are advantageously grouped by rows. The various rows are of size L, in other words each row can comprise up to L footprints. If applicable, dummy bits may be provided to complete an incomplete row. The grouping of footprints is carried out so that the footprints of the same row possess the same m first (or alternatively last) bits, in other words the footprints represent hash values that collide on their m first bits, that is to say, in an equivalent manner; that they belong to the same collision class on these m first bits.
Preferably, the value m is selected, such as K>2m (or even K>>2m) and K<2mL where K is the total number of records in the base. The first condition makes it possible to have collision classes that are not reduced to singletons, in other words to obtain a sufficiently high L value. The second condition makes it possible to classify all the footprints of the base.
The database consists of 2m rows (some of which may be empty), the content of each row i=1, . . . , 2m able to be represented by an integer i of
n=
/n
with log2 n≤LT. For reasons explained below, advantageously n=pg will be selected where p and q are prime numbers. The rows can be considered as integers taking their values in the set {0, . . . ,n−1}.
Originally, each integer i is encrypted with the aid of a stream cipher with the aid of a symmetric key belonging to the user A. It is reminded that a stream cipher is an encryption which the message to be encrypted is simply added to a sequence of bits generated on the basis of a symmetric key, here noted skA. To this end, encryption primitives known by the person skilled in the art may be used such as AES-CTR (Advanced Encryption Standard in Counter Mode), Grain, Trivium, etc.
Regardless of the stream cipher algorithm retained, the words i of the rows i=1, . . . , 2m are encrypted (or masked) by the user A by computing the sums (
i+bi) mod n, i=1, . . . 2m where the integers bi are extracted from the sequence of bits generated by skA. It should be noted that the sequence of words bi, also referred to as keystream, does not need to be stored by the user A given 15 that it can be regenerated at any time on the basis of the symmetric key skA. The integers bi are also called masks because they make it possible to make the content of the database confidential with respect to the server.
The structure of the base before stream cipher is represented in 210. Each of the rows i=1, . . . , 2m is formed by a word i of size log2 n bits and comprises at most L digital footprints Eij, j=1, . . . , L of size T.
The structure of the base after stream cipher is shown in 220. It comprises the same number of rows, each row i=1, . . . , 2m being of size log2 n and formed by the masked word (i+bi) mod n.
The idea behind the present invention is to transcrypt the rows thus encrypted by means of an (at least) additive homomorphic cryptosystem.
It is reminded that a homomorphic encryption makes it possible to perform operations (in practice arithmetic operations of adding or multiplying) on data without ever revealing them. More specifically, an additive homomorphic encryption is an asymmetric key encryption Encpk_H of public key pk_H) verifying the following property:
Encpk_H:
Ω→τ
Decsk_H[Encpk_H(a) ⊕Encpk_H(b)]=a+b (1)
where Ω is the plaintext message space (more simply referred to as plaintext space) and τ is the encrypted message space (more simply referred to as ciphertext space), + an additive operation in the plaintext space conferring to Ω a group structure, ⊕ an internal addition operation in the ciphertext space conferring to τ a group structure. Thus, it is understood that the application of (Ω, +) in (τ, ⊕) is a group homomorphism. Decsk_H is the decryption function corresponding to Encpk_H where sk_H is the secret key of the user).
The result of the expression (1) is that it is possible to perform an additive operation between two plaintexts (a, b) on the basis of a corresponding operation between their ciphertexts (Encpk_H(a), Encpk_H(b)).
An additive homomorphic encryption has an external multiplication operation of Ω×τ in τ, noted ⊗ext, such as
Decsk_H[a⊗ext Encpk_H(b)]=ab (2-1)
This internal addition operation is nothing more than a consequence of the expression (1) insofar as a ⊗ext means that the internal addition is applied a times.
In other words, the external multiplication operation makes it possible to multiply a plaintext by a ciphertext to obtain a ciphertext. It will be noted that this operation carries out an absorption in the homomorphic domain.
Similarly, it is always possible to define an external addition operation of Ω×τ in τ, noted ⊗ext, by means of:
a⊕ext Encpk_H(b)=Encpk_H(a) (61 ) Encpk_H(b) (2-2)
in which case:
Decsk_H[a−ext Encpk_H(b)]=a+b (2-3)
In some cases, the cryptosystem natively has an external addition operation. This is particularly and advantageously the case for the Paillier cryptosystem.
Without loss of generality, we will assume in the following that the additive homomorphic cryptosystem is a Paillier cryptosystem.
It is assumed in the following that each user has their own additive homomorphic cryptosystem. The private key-public key pair of the homomorphic cryptosystem of the user A is noted (skA_H, pkA_H) and that of B is noted (skB_H, pkB_H).
Transcryption is a cryptographic technique making it possible to change data encrypted by a first cryptosystem to the same data encrypted by a second cryptosystem (inevitably homomorphic), without passing through an intermediate step of decrypting in the plaintext space.
In the present case, the transcryption operation makes it possible to change from a stream ciphertext to a ciphertext in the homomorphic domain. More specifically, if the homomorphic ciphertext of x is noted [x]B by means of the public keypkB_H, the following is obtained:
(i+bi)(⊕ext [−bi]B=[
i+bi−bi]B=[
i]B (3)
that is to say the homomorphic ciphertext of the row in question.
In practice, when the user A desires to authorise the user B to query their database, they encrypt the inverse masks, that is to say the words −bi i=1, . . . , 2m (the masks bi being from the keystream), by means of the public key of the additive homomorphic cryptosystem of B then transmit them to the server which performs the unmasking operation (3) on the rows of the database. This unmasking operation in the homomorphic domain may be carried out once for all in “offline” mode or on the contrary, on the fly, whenever the user B asks the user A to access the database (owned by A). It will be noted that the operation (3) protects the 5 confidentiality of data with respect to the server because the latter does not have access to the first term of the expression (due to the masking) or to the second due to the homomorphic encryption.
According to one alternative embodiment, instead of the operation (3), the server can overencrypt the values (i+bi) of the base with the aid of the public key pkB_H to obtain the homomorphic ciphertext [
i+bi]B. The homomorphic ciphertext of the row i can then be obtained by means of the internal addition operation:
(i+bi)⊕ext[−bi]B=[
i+bi−b]B=[
i]B (4)
Returning back to i]B, i=1, . . . , 2m. Each ciphertext [
i]B consequently consists of two words of log2 (n), noted aβi1 and βi2, stored in the row i.
The user B can then transmit to the server a request concerning the presence of a given record, according to a PIR-type protocol. For this purpose, the user B computes the digital footprint of the record sought by means of the public hash function having served for constructing the base. The integer value associated with the digital footprint is noted q and the integer value associated with the m first bits of this footprint is noted qm. The request is formed by a vector u of 2m encrypted with a ciphertext of the value “1” in position qm, the remainder consisting of ciphertexts of the value “0”. In other words:
Decsk
where ui is the ith element of the vector u and δ is the Kronecker symbol.
For any i=1, . . . , 2m, the server computes Ui ⊗ext δi1 and ui ⊗ext δi2, without taking into account the fact that the values and fL are ciphertext portions, then computes the following sums in the homomorphic space:
in application of the expressions (1) and (2). It will be noted that these expression correspond to an evaluation in the homomorphic domain of a scalar product in the plaintext domain.
The homomorphic ciphertexts [βq1m]B and [βq2m]B form the response that is returned to the user B. It will be understood that the server can under no circumstances determine the row (qm) that has responded or a fortiori the content of the response.
The user B then decrypts [βq1m]B and [βq2m]B by means of their private key, skB_H, then concatenates the values obtained βq1, and βq2m to form the ciphertext of the row:
[qm]B=βq1m|βq2m (7)
which is, in turn, decrypted with the private key skB_H to provide the list of footprints Eqmj, j=1, . . . , L initially stored in the row qm of the base.
The user can finally verify whether the digital footprint of the record sought is part of the list of footprints Eqmj, j=1, . . . , L thus obtained.
The left section of the figure corresponds to the terminal of the user B, and the right section to the server hosting the database. It is assumed that the database has been encrypted beforehand by means of a keystream generated on the basis of a symmetric key of A, skA. More specifically, each row i of the base has been encrypted beforehand by means of a word bi from this keystream.
The terminal B has an additive homomorphic cryptosystem (skB_H, pkB_H) in 310 and the hosting server of the database has received from the user A, in 315, the homomorphic ciphertexts [−bi]B obtained by encryption on the basis of the public key of B, pkB_H.
In step 325, the server performs a transcryption of the rows of the database by means of (i+bi)⊕ext[−bi]B=[
i]B, i=1, . . . , 2m. This transcryption converts the rows encrypted by a symmetric key encryption skA into rows encrypted by an additive homomorphic encryption by means of the public key pkB_H.
In step 330, the user B searching in the base for a given record, computes their digital footprint by means of the public hash function having served for constituting the base, and deduces therefrom the integer value qm associated with the first m bits of this footprint.
In step 340, the user B constructs a request R(qm) in the form of a vector u of 2m encrypted with a homomorphic ciphertext of the value “1” in position qm, the other elements of this vector being homomorphic ciphertexts of the value “0”:
u=([0]B, . . . , [0]B, [0]B, . . . , [0]B) (8)
The request R(qm) is then transmitted to the server.
In step 345, the server evaluates in the homomorphic domain the scalar product between the vector u and the vector d of size 2m consisting of the encrypted rows [i]B, i=1, . . . , 2m:
d=([1]B, . . . , [
2m]B) (9)
and sends the result S(q m) back to the user B. In the case where the additive homomorphic cryptosystem is a Paillier cryptosystem, the result may consist of two homomorphic ciphertexts stored at the row qm, [βq1m]B and [βq2m]B, as explained above.
In step 350, the user B performs a decryption of the response received, by means of their private key skB_H to obtain the content of the row qm in plaintext, i.e. qm. It is reminded that, in the case of a Paillier system, this step comprises three decryption steps: decryption of the ciphertexts [βq1m]B and [βq2m]B, then decryption of the concatenated results [
qm]B=βq1m|βq2m. In the case of a fully homomorphic cryptosystem or Fully Homomorphic Encryption (FHE), a single decryption operation is necessary for the user B, the first operation able to be carried out in the homomorphic domain by the server according to a technique referred to as bootstrapping.
Finally, in step 360, the user B determines whether the digital footprint sought is among the footprints Eqmj, j=1, . . . , L of t he row qm.
Although the present invention has been described in the case of an additive homomorphic cryptosystem, the person skilled in the art will understand that it applies a fortiori in the case of a FHE cryptosystem. It is reminded that a FHE is a group homomorphism both in accordance with an internal addition law and with an internal multiplication law. The homomorphic encryption (additive or FHE) may be based on a Learning With Errors (LWE) scheme, in a manner known per se.
Generally, an additive homomorphic cryptosystem will be preferred, because leading to simpler computations than in the case of a FHE cryptosystem.
According to a first example of embodiment already mentioned, the additive homomorphic cryptosystem may be a Paillier cryptosystem.
It is reminded that the public key of a Paillier cryptosystem is defined by a pair of integers (g, n) and that the ciphertext of a message μ ∈ n is given by:
c=g
μ
r
n mod n2 (10)
It will be noted that the computation of the scalar product in step 345 only involves ciphertexts of “1” and of “0” and that consequently the cost of the encryption is essentially dominated by the computation of the term rn n mod n2, and is therefore generally high as a result of high values of the exponent n. It is reminded that n =pq where p, q are two prime numbers of large size.
Advantageously, a simpler encryption may alternatively be selected, by precomputing ciphertexts of “0” with N various random variable values, i.e.:
the ciphertext of a message μ ∈ n being given by:
c=g
μπi=1N max (1, uihi) mod n2 (12)
where ui, i=1, . . . , N are random bits aiming to select said ciphertexts of “0”. It will be understood that the expression max(1, uihi) leaves the product invariant when the ciphertext of “0”, hi, is not selected. The operation (13) is therefore the same in the homomorphic domain with the addition to the message μ of a random number ν=Σi=1N ui of “0”. The values hi, i=1, . . . , N can be computed once for all and stored by the second user. These values hi can even be public. In any case, the additive homomorphic encryption simply involves selecting bits ui and performing the computation of the expression (13), the latter not requiring modular exponentiation. Of course, the bits ui may be, for their part, single-use and therefore do not need to be stored by the second user.
| Number | Date | Country | Kind |
|---|---|---|---|
| 2203495 | Apr 2022 | FR | national |
