Building Practical Systems That Compute on Encrypted Data, Without Access to the Decryption Key

BUILDING PRACTICAL SYSTEMS THAT COMPUTE ON ENCRYPTED DATA

by RALUCA ADA POPA

Master of Engineering, Massachusetts Institute of Technology (2010)
Bachelor of Science, Massachusetts Institute of Technology (2009)

Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY at the MASSACHUSETTS INSTITUTE OF TECHNOLOGY, September 2014

© Massachusetts Institute of Technology 2014. All rights reserved.

Author: Department of Electrical Engineering and Computer Science
Certified by: Nickolai Zeldovich, Associate Professor of Computer Science and Engineering, Thesis Supervisor
Accepted by: Leslie A. Kolodziejski, Professor of Electrical Engineering, Chair, Department Committee on Graduate Students

Abstract

Theft of confidential data is prevalent. In most applications, confidential data is stored at servers. Thus, existing systems naturally try to prevent adversaries from compromising these servers. However, experience has shown that adversaries still find a way to break in and steal the data. This dissertation shows how to protect data confidentiality even when attackers get access to all the data stored on servers. We achieve this protection through a new approach to building secure systems: building practical systems that compute on encrypted data, without access to the decryption key. In this setting, we designed and built a database system (CryptDB), a web application platform (Mylar), and two mobile systems, as well as developed new cryptographic schemes for them. We showed that these systems support a wide range of applications with low overhead.

The work in this thesis has already had impact: Google uses CryptDB’s design for their new Encrypted BigQuery service, and a medical application of Boston’s Newton-Wellesley hospital is secured with Mylar.

Thesis Supervisor: Nickolai Zeldovich
Title: Associate Professor of Computer Science and Engineering

To my family.

Contents

Previously Published Material
Acknowledgments

1 Introduction
  1.1 Motivation
  1.2 Our contributions
  1.3 How to build practical systems
  1.4 Systems we built
    1.4.1 CryptDB: Database confidentiality
    1.4.2 mOPE: Order queries on an encrypted database
    1.4.3 Mylar: Securing web applications
    1.4.4 Multi-key search: search over data encrypted with different keys
    1.4.5 PrivStats and VPriv: Securing mobile systems
  1.5 Impact
  1.6 Theoretical work on functional encryption
  1.7 Thesis roadmap

2 Approaches for computing on encrypted data in a practical system
  2.1 Tools with no leakage
    2.1.1 Fully homomorphic encryption
    2.1.2 Partially homomorphic encryption (PHE)
  2.2 Tools with controlled leakage
    2.2.1 Functional encryption
    2.2.2 Garbled circuits
    2.2.3 Secure multi-party computation (MPC)
    2.2.4 Specialized tools
  2.3 Final lessons

3 Securing databases with CryptDB
  3.1 Introduction
  3.2 Security Overview
  3.3 Queries over Encrypted Data
    3.3.1 SQL-aware Encryption
    3.3.2 Adjustable Query-based Encryption
    3.3.3 Executing over Encrypted Data
    3.3.4 Computing Joins
    3.3.5 Improving Security and Performance
  3.4 Discussion
  3.5 Implementation
  3.6 Experimental Evaluation
    3.6.1 Functional Evaluation
    3.6.2 Security Evaluation
    3.6.3 Performance Evaluation
  3.7 Security
    3.7.1 Main Theorems
    3.7.2 Preliminaries
    3.7.3 Cryptographic notions
    3.7.4 Formal definitions and statements
    3.7.5 Proofs
  3.8 Conclusion

4 Securing web applications with Mylar
  4.1 Motivation
  4.2 Mylar’s architecture
    4.2.1 System overview
    4.2.2 Mylar for developers
    4.2.3 Mylar for users
    4.2.4 Threat model
    4.2.5 Security overview
  4.3 Sharing data between users
    4.3.1 Access graph
    4.3.2 Certification graph
    4.3.3 Principals providing the root of trust
    4.3.4 User principals
    4.3.5 Data integrity
  4.4 Computing on encrypted data
    4.4.1 Multi-key search
    4.4.2 Cryptographic construction
    4.4.3 Indexing search
    4.4.4 Integrating search with the principal graph
  4.5 Verifying client-side code
  4.6 Implementation
  4.7 Building a Mylar application
  4.8 Evaluation
    4.8.1 Developer effort
    4.8.2 Performance
  4.9 Discussion
  4.10 Conclusion

5 Multi-key searchable encryption
  5.1 Introduction
  5.2 Problem setting
  5.3 Preliminaries
  5.4 Syntax and security definitions
    5.4.1 Data hiding
    5.4.2 Token hiding
  5.5 Construction
  5.6 Implementation
  5.7 Assumptions
  5.8 Security proof
    5.8.1 Data hiding proof
    5.8.2 Token hiding proof

6 Functional encryption
  6.1 Introduction
    6.1.1 Our Results
    6.1.2 Technique Outline
  6.2 Preliminaries
    6.2.1 Building Blocks
    6.2.2 Attribute-Based Encryption (ABE)
    6.2.3 Functional Encryption (FE)
  6.3 Our Functional Encryption
  6.4 Reusable Garbled Circuits

7 Impact: industry and academia
  7.1 Industrial impact and deployments
  7.2 Academic impact
    7.2.1 Extending CryptDB’s functionality
    7.2.2 Adapting CryptDB beyond SQL
    7.2.3 Using CryptDB in applications handling private data
    7.2.4 Follow-up work related to the encryption schemes CryptDB uses
    7.2.5 Security
    7.2.6 Miscellaneous

8 Related work
  8.1 Global related work
    8.1.1 Secure systems work
    8.1.2 Cryptography work
  8.2 Work related to a specific chapter
    8.2.1 Work related to CryptDB
    8.2.2 Work related to Mylar
    8.2.3 Work related to multi-key search

9 Conclusion
  9.1 Future directions

Previously Published Material

Chapter 3 revises a previous publication [PRZB11]: Raluca Ada Popa, Catherine M.S. Redfield, Nickolai Zeldovich, and Hari Balakrishnan. CryptDB: Protecting confidentiality with encrypted query processing. In the Proceedings of the ACM Symposium on Operating Systems Principles (SOSP), 2011.

Chapter 4 revises a previous publication [PSV+14]: Raluca Ada Popa, Emily Stark, Steven Valdez, Jonas Helfer, Nickolai Zeldovich, M. Frans Kaashoek, and Hari Balakrishnan. Building Web Applications on Top of Encrypted Data using Mylar. In the

Details

  • File Type
    pdf
  • Content Languages
    English
  • File Pages
    154 Page