Transaction Processing on Confidential Data using Cipherbase Arvind Arasu, Ken Eguro, Manas Joglekar* Raghav Kaushik, Donald Kossmann, Ravi Ramamurthy Microsoft Research Stanford University*
Page 1: Transaction Processing on Confidential Data using Cipherbase · 2018-01-04 · CryptDB [PRZ+11], Monomi [TFM 13], [HMH08] 4/15/2015 ICDE 2015. Solution Landscape •Two fundamental

Transaction Processing on Confidential Data using Cipherbase

Arvind Arasu, Ken Eguro, Manas Joglekar*

Raghav Kaushik, Donald Kossmann, Ravi Ramamurthy

Microsoft Research

Stanford University*

Page 2: Cloud Data Security Concerns

Data in the cloud vulnerable to:

• Snooping administrators

• Hackers with illegal access

• Compromised servers

4/15/2015 ICDE 2015

Page 3: Database Encryption

(Figure: Client App talking to the database; diagram only)


Page 5: Cipherbase Summary

• Data Confidentiality:
– Strong column-level encryption
– Decoupled from functionality
– *Lightweight “trusted module” in secure hardware
• Functionality:
– Industrial Strength Database system (SQL Server)
– Concurrency, Recovery, Stored Procedures.
• Performance on TPCC
– 85% of plaintext for typical encryption
– 40% of plaintext for “worst case” encryption

No prior work has these {Confidentiality, Functionality, Performance} characteristics together

Page 6: Organization

• Introduction
• Solution Landscape & Design Choices
• Cipherbase Design & Engineering
• Evaluation

Page 7: What Makes Encryption Challenging?

Select Sum(Score) From Assignment Where StudentId = 1

Encrypted form shown on the slide:
a7be1a6997ad739bd8c9ca451f618b61b6ff744ed2c2c9bf6c590cbf0469bf4147f7f7bc95353e03f96c32bcfd8058df

Query plan: Sum(Score) over σ StudentId=1 over Assignment

Page 8: Solution Landscape

• Two fundamental techniques
– Directly compute over encrypted data
• Special homomorphic encryption schemes
• Challenge: limited class of computations
– Use a “secure” location
• Computations on plaintext
• Challenge: Expensive

Page 9: Deterministic Encryption

StudentId | AssignId | Score
1 | 1 | 68
1 | 2 | 71
3 | 4 | 99
… | … | …

select * from assignment where studentid = 1

Plan: σ StudentId=1 (assignment)

Page 10: Deterministic Encryption

StudentId_DET | AssignId | Score
bd6e7c3df2b5779e0b61216e8b10b689 | 1 | 68
bd6e7c3df2b5779e0b61216e8b10b689 | 2 | 71
7ad5fda789ef4e272bca100b3d9ff59f | 4 | 99
… | … | …

select * from assignment where studentid_det = bd6e7c3df2b5779e0b61216e8b10b689

Plan: σ StudentId_det=bd6… (assignment)
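The two tables above show the rewrite; the following Python is an added illustration (not Cipherbase code, and not the AES-CBC the deck uses) of why it works and what it costs. A deterministic (synthetic-IV) and a randomized column encryption are built from an HMAC-SHA256 stream cipher, the untrusted server runs the rewritten `where studentid_det = <token>` by plain byte comparison, and `server_leakage` counts what the ciphertext column alone reveals. The key, the helper names and the rows beyond the slide's three are constructed for the example.

```python
"""Deterministic vs. randomized column encryption and what an untrusted server
can do with each. Added illustration (not Cipherbase code): a PRF-based
stream cipher built from HMAC-SHA256 stands in for AES-CBC; plaintexts are at
most 32 bytes so one PRF output covers them."""
import hashlib
import hmac
import os
from collections import Counter

# Constructed demo key; a real deployment uses a random key held by the client.
KEY = hashlib.sha256(b"constructed demo key").digest()

def prf(key: bytes, data: bytes) -> bytes:
    """Pseudo-random function: HMAC-SHA256."""
    return hmac.new(key, data, hashlib.sha256).digest()

def _ctr(key: bytes, iv: bytes, data: bytes) -> bytes:
    """One-block stream cipher: XOR data with PRF(key, 'ctr' || iv)."""
    assert len(data) <= 32
    return bytes(a ^ b for a, b in zip(data, prf(key, b"ctr" + iv)))

def enc_det(key: bytes, pt: bytes) -> bytes:
    """Deterministic encryption: the IV is derived from the plaintext (SIV style),
    so equal plaintexts give equal ciphertexts and equality survives encryption."""
    iv = prf(key, b"iv" + pt)[:16]
    return iv + _ctr(key, iv, pt)

def enc_rnd(key: bytes, pt: bytes) -> bytes:
    """Randomized encryption: fresh random IV, equal plaintexts look unrelated."""
    iv = os.urandom(16)
    return iv + _ctr(key, iv, pt)

def dec(key: bytes, ct: bytes) -> bytes:
    return _ctr(key, ct[:16], ct[16:])

def encode_int(v: int) -> bytes:
    return v.to_bytes(8, "big")

# Constructed sample of the Assignment table: (StudentId, AssignId, Score).
ASSIGNMENT = [(1, 1, 68), (1, 2, 71), (3, 4, 99), (1, 3, 80), (2, 1, 55)]

def encrypt_table(scheme):
    """Client side: encrypt StudentId under `scheme`; the other columns stay
    plaintext, as on the slide."""
    return [(scheme(KEY, encode_int(s)), a, sc) for s, a, sc in ASSIGNMENT]

def client_query_token(student_id: int, scheme) -> bytes:
    """Client encrypts the constant of 'where studentid = ?' the same way."""
    return scheme(KEY, encode_int(student_id))

def server_select_eq(enc_rows, token: bytes):
    """Untrusted server: no key, only byte equality on the ciphertext column.
    This is the rewritten 'where studentid_det = <token>'."""
    return [row for row in enc_rows if row[0] == token]

def server_leakage(enc_rows):
    """What the server learns from the column alone: the ciphertext histogram.
    Under DET this equals the histogram of plaintext StudentIds; under
    randomized encryption every row is distinct and only the row count leaks."""
    return sorted(Counter(row[0] for row in enc_rows).values(), reverse=True)

def demo():
    det_rows = encrypt_table(enc_det)
    rnd_rows = encrypt_table(enc_rnd)
    det_hits = server_select_eq(det_rows, client_query_token(1, enc_det))
    rnd_hits = server_select_eq(rnd_rows, client_query_token(1, enc_rnd))
    # The rows the server returned still decrypt correctly on the client.
    assert all(dec(KEY, r[0]) == encode_int(1) for r in det_hits)
    return {
        "det_matches": len(det_hits),          # equality works server-side
        "rnd_matches": len(rnd_hits),          # randomized tokens never match
        "det_leak": server_leakage(det_rows),  # frequency of each StudentId
        "rnd_leak": server_leakage(rnd_rows),  # nothing beyond the row count
    }

if __name__ == "__main__":
    print(demo())
```

The randomized column gives zero matches precisely because it leaks nothing: the server cannot evaluate the predicate at all, which is the functionality gap the slides go on to close with a trusted module.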

Page 11: Homomorphic Encryption Schemes

Scheme (operation supported on ciphertexts):
• Non-Deterministic Encryption (∅)
• Deterministic Encryption (==)
• Order-Preserving Encryption (≤) [BCN11, PLZ13]
• Paillier Cryptosystem (+) [P99]
• ElGamal Cryptosystem (×) [E84]
• Fully Homomorphic Encryption (Any function) [G09, G10]

The slide brackets the schemes between Non-Deterministic and Fully Homomorphic Encryption as Partial Homomorphic Encryption (PHE).

Page 12: PHE Limitations

• Limited Server Functionality
– SUM(L_EXTENDEDPRICE*(1-L_DISCOUNT)*(1+L_TAX))
• Data Security tied to functionality
• Lack of Composability
– A + B = C
• Performance
– ≈ msec for a single addition under Paillier

CryptDB [PRZ+11], Monomi [TFM 13], [HMH08]
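For the Paillier (+) entry on the previous slide and the "A + B = C" composability point above, here is an added toy Paillier implementation. It is not from the paper or the Cipherbase project: the primes are tiny and fixed so the example is deterministic and runs offline, which makes it unsafe for anything but illustration. `add_encrypted` multiplies two ciphertexts to obtain an encryption of the sum, and `composability_gap` shows that the server still cannot check that sum against an independently encrypted C, because Paillier ciphertexts of equal plaintexts differ.

```python
"""Toy Paillier [P99]: additive homomorphism and the composability gap.
Added illustration, not Cipherbase code. Parameters are deliberately tiny."""
import math
import secrets

P, Q = 1009, 1013                   # constructed toy primes; never use in practice
N = P * Q
N2 = N * N
LAM = math.lcm(P - 1, Q - 1)        # Carmichael's lambda(n)
G = N + 1                           # standard generator choice
MU = pow(LAM, -1, N)                # with g = n+1, L(g^lambda mod n^2) = lambda, so mu = lambda^-1 mod n

def encrypt(m: int) -> int:
    """c = g^m * r^n mod n^2 with a fresh random r: encryption is randomized."""
    assert 0 <= m < N
    while True:
        r = secrets.randbelow(N)
        if r > 0 and math.gcd(r, N) == 1:
            break
    return (pow(G, m, N2) * pow(r, N, N2)) % N2

def decrypt(c: int) -> int:
    """m = L(c^lambda mod n^2) * mu mod n, where L(x) = (x - 1) / n."""
    x = pow(c, LAM, N2)
    return ((x - 1) // N * MU) % N

def add_encrypted(c1: int, c2: int) -> int:
    """Homomorphic addition: the product of ciphertexts encrypts the sum.
    The server does this without the key; it is the (+) in the figure."""
    return (c1 * c2) % N2

def composability_gap(a: int, b: int, c: int) -> dict:
    """The slide's 'A + B = C': the server can form Enc(A+B) but cannot compare
    it with Enc(C) because equal plaintexts have (almost surely) different
    ciphertexts; only the key holder can complete the check."""
    ca, cb, cc = encrypt(a), encrypt(b), encrypt(c)
    csum = add_encrypted(ca, cb)
    return {
        "sum_decrypts_to": decrypt(csum),
        "server_equality_test": csum == cc,                 # False except with probability ~1/n
        "client_equality_test": decrypt(csum) == decrypt(cc),
    }

if __name__ == "__main__":
    print(composability_gap(68, 71, 139))
```

The same gap appears between schemes: a Paillier sum cannot be fed into a deterministic-encryption equality test or an order-preserving comparison without a decryption step somewhere, which is why PHE-based systems tie the available functionality to the encryption chosen per column.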

Page 13: Solution Landscape

• Two fundamental techniques
– Directly compute over encrypted data
• Special homomorphic encryption schemes
• Challenge: limited class of computations
• Challenge: Not composable
– Use a “secure” location
• Hardware provisioned isolation and protection
• Computations on plaintext
• Challenge: Expensive

Page 14: Secure Location

(Figure: a secure location marked Inaccessible; diagram only)

Page 15: Secure Hardware Landscape

• Long history
– Banking, Defense Applications
• Becoming mainstream and commoditized
• Players:
– Crypto co-processors
– FPGAs
– Intel SGX
– TPM, HSM

Page 16: Intel Software Guard Extensions

• Extensions to Intel Architecture
• Isolation to code + data within a designated region called enclave
– Confidentiality
– Integrity

(Figure: virtual address space mapped onto physical memory; the enclave code/data region is Encrypted & Integrity Protected)

Ack: Andrew Baumann
[MAB+ 13, AGJ+ 13, HLP+ 13]

Page 17: Design Choice: Trusted Functionality

(Figure: the software stack of three systems, split between secure h/w and commodity h/w)

TrustedDB [BS11]: Secure h/w runs DBMS + Embedded OS; Commodity h/w runs OS + DBMS
Cipherbase: Secure h/w runs Expr Eval only; Commodity h/w runs OS + DBMS
Haven [MPH14]: Secure h/w runs DBMS + Library OS; Commodity h/w runs OS

Axis: Larger Trusted Computing Base (TCB) to Smaller TCB

Page 18: Design Choice: Trusted Functionality

(Same TrustedDB [BS11] / Cipherbase / Haven [MPH14] stack diagram as page 17)

Axis: Less secure to More secure

Page 19: Design Choice: Trusted Functionality

(Same TrustedDB [BS11] / Cipherbase / Haven [MPH14] stack diagram as page 17)

Axis: Minimal software engineering

Page 20: Organization

• Introduction
• Solution Landscape & Design Choices
• Cipherbase Design & Engineering
• Evaluation

Page 21: Life of a Query in Cipherbase I

(Figure: App → Cipherbase Client Lib → Cipherbase Server. The server is a Modified SQL Server on Insecure (x86) hardware, connected over PCIe to an FPGA running a Stack Machine (Expression Evaluation), stateless*)

Encryption Config: AccountId: Plaintext; BranchId: AES-CBC; Balance: AES-CBC; …

Stack machine program sent to the FPGA: push $1; decrypt; push 10; add; encrypt; out

Page 22: Life of a Query in Cipherbase II

(Figure: App → Cipherbase Client Lib → Cipherbase Server, Modified SQL Server on Insecure (x86) hardware, PCIe to an FPGA running a Stack Machine (Expression Evaluation); PK: label on the index)

Encryption Config: AccountId: AES-CBC; BranchId: AES-CBC; Balance: AES-CBC; …

Page 23: B+-Tree Indexes over Encrypted Data

(Figure: B+-tree over ciphertext keys. Keys shown: 6C2AB4 BF48BC DF60B9 20B9D4 AC2DB0 FC46B0 0A183E C9B7F9 1DA6B5 4F3618 0A183E C9B7F9 1DA6B5 4F3618 0A183E; slots 0 1 2 3 4 5 6 7 8 9)

Page 24: B+-Tree Indexes over Encrypted Data

(Same B+-tree of ciphertext keys as page 23)

Page 25: Life of a Query in Cipherbase II

(Figure: App → Cipherbase Client Lib → Cipherbase Server, Modified SQL Server on Insecure (x86) hardware, PCIe to an FPGA running a Stack Machine (Expression Evaluation); PK: label on the index)

Encryption Config: AccountId: AES-CBC; BranchId: AES-CBC; Balance: AES-CBC; …

Stack machine program for an index comparison: push $1; decr; push $2; decr; compare; out

Page 26: B+-Tree Indexes over Encrypted Data

(Same B+-tree of ciphertext keys as page 23)

Search key: 8DE526
FPGA: comp(8DE526, 0A183E) → <


Page 28: Life of a Query in Cipherbase II

(Same figure and Encryption Config as page 22: all of AccountId, BranchId and Balance under AES-CBC)
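Pages 21 to 26 show the mechanism in pictures: the server ships a small stack program and ciphertext parameters to the trusted module, and B+-tree navigation becomes a sequence of `comp` round trips whose only answer is <, = or >. The Python below is an added model of that mechanism, not Cipherbase code: `TrustedModule` (the FPGA) holds the key and interprets the two programs from pages 21 and 25 verbatim, `EncryptedIndex` (the server) binary-searches a sorted leaf of ciphertexts without ever comparing them itself, and an HMAC-SHA256 stream cipher with random IVs stands in for AES-CBC. The class names, the instruction semantics assigned to `decr`/`compare`/`out`, the key and the balances are assumptions constructed for the example.

```python
"""Trusted-module stack machine and an encrypted B+-tree probe. Added
illustration of the slides' mechanism, not Cipherbase code: the 'FPGA' is a
Python class holding the key, the 'server' never sees plaintext, and an
HMAC-SHA256 stream cipher with random IVs stands in for AES-CBC."""
import hashlib
import hmac
import os

def _stream(key: bytes, iv: bytes) -> bytes:
    return hmac.new(key, b"ctr" + iv, hashlib.sha256).digest()

def encrypt(key: bytes, value: int) -> bytes:
    """Randomized encryption of an 8-byte signed integer: iv || (pt XOR PRF(iv))."""
    iv = os.urandom(16)
    pt = value.to_bytes(8, "big", signed=True)
    return iv + bytes(a ^ b for a, b in zip(pt, _stream(key, iv)))

def decrypt(key: bytes, ct: bytes) -> int:
    pt = bytes(a ^ b for a, b in zip(ct[16:], _stream(key, ct[:16])))
    return int.from_bytes(pt, "big", signed=True)

class TrustedModule:
    """Stateless expression evaluator: only it holds the key. A program is a
    list of instructions; ciphertext parameters ($1, $2, ...) come from the server."""
    def __init__(self, key: bytes):
        self._key = key

    def run(self, program, params):
        stack = []
        for instr in program:
            op, *arg = instr.split()
            if op == "push":
                tok = arg[0]          # "$n" = n-th ciphertext parameter, else an integer constant
                stack.append(params[int(tok[1:]) - 1] if tok.startswith("$") else int(tok))
            elif op in ("decrypt", "decr"):
                stack.append(decrypt(self._key, stack.pop()))
            elif op == "encrypt":
                stack.append(encrypt(self._key, stack.pop()))
            elif op == "add":
                b, a = stack.pop(), stack.pop()
                stack.append(a + b)
            elif op == "compare":
                b, a = stack.pop(), stack.pop()
                stack.append((a > b) - (a < b))   # -1, 0, 1 for <, =, >
            elif op == "out":
                return stack.pop()             # the only thing the server gets back
            else:
                raise ValueError(f"unknown instruction {op!r}")
        raise ValueError("program ended without 'out'")

# --- Untrusted server side: holds ciphertexts and programs, never the key ---
ADD_10 = ["push $1", "decrypt", "push 10", "add", "encrypt", "out"]    # page 21
COMPARE = ["push $1", "decr", "push $2", "decr", "compare", "out"]      # page 25

def server_add_constant(fpga: TrustedModule, ct: bytes) -> bytes:
    """Balance + 10: the server receives a fresh ciphertext, not the value."""
    return fpga.run(ADD_10, [ct])

class EncryptedIndex:
    """One sorted B+-tree leaf of ciphertext keys. The server knows the order
    (the client inserted in order) but cannot compare keys; each comparison is
    a round trip to the module, as in comp(8DE526, 0A183E) on page 26."""
    def __init__(self, fpga: TrustedModule, enc_keys):
        self.fpga = fpga
        self.keys = enc_keys
        self.roundtrips = 0

    def _less(self, ct_a: bytes, ct_b: bytes) -> bool:
        self.roundtrips += 1
        return self.fpga.run(COMPARE, [ct_a, ct_b]) < 0

    def search(self, enc_search_key: bytes) -> int:
        """Slot of the search key, bisect_left style, using only module answers."""
        lo, hi = 0, len(self.keys)
        while lo < hi:
            mid = (lo + hi) // 2
            if self._less(self.keys[mid], enc_search_key):
                lo = mid + 1
            else:
                hi = mid
        return lo

def demo():
    key = hashlib.sha256(b"constructed demo key").digest()   # constructed; the client's key
    fpga = TrustedModule(key)
    plain = [5, 17, 23, 42, 58, 71, 99]                     # constructed balances, sorted
    index = EncryptedIndex(fpga, [encrypt(key, v) for v in plain])
    slot = index.search(encrypt(key, 60))                     # falls between 58 and 71
    new_ct = server_add_constant(fpga, encrypt(key, 32))
    return {"slot": slot, "roundtrips": index.roundtrips, "plus_ten": decrypt(key, new_ct)}

if __name__ == "__main__":
    print(demo())
```

The `roundtrips` counter is the quantity the later optimization slides attack: a log2(n) probe costs log2(n) PCIe round trips unless comparisons are vectorized or batched.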

Page 29: Operational Security

Operation | Adversary Learns
σ A=5 (R) | Unknown predicate p(A) over R tuples
R ⋈A S (hash-based) | The join graph and the equivalence relation over R(A) and S(A) for joining A values
π A+B (R) | Nothing
Group by A, SUM(B) (R) | The equivalence relation over R(A)

Data Security depends on the operations performed
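The table above is a statement about what the server can observe; the following added model (not Cipherbase code) makes each row concrete. A random token stands in for a randomized ciphertext and the module's lookup table stands in for decryption with the key, so the only information the server gets is the answers the module returns. Each `server_*` function executes one operator from the table and returns, beside its result, the record of those answers, which is exactly the adversary's view: a per-tuple boolean for the selection, equivalence classes and a join graph for the hash join, a partition of the rows for the group-by, and nothing for the projection. Relation contents and function names are constructed for the example.

```python
"""Operational security: what the untrusted server learns from each operator
when all columns are strongly encrypted and a trusted module does the work.
Added model, not Cipherbase code: secrets.token_hex stands in for a randomized
ciphertext, the module's dictionary stands in for decryption with the key."""
import secrets
from collections import defaultdict

class TrustedModule:
    def __init__(self):
        self._plain = {}                    # ciphertext token -> plaintext (models the key)

    def encrypt(self, value):
        tok = secrets.token_hex(8)          # fresh token: equal values look unrelated
        self._plain[tok] = value
        return tok

    def decrypt(self, tok):
        return self._plain[tok]

    # Requests the server may make. Whatever comes back is what leaks.
    def pred_eq(self, tok, const):          # sigma_{A=const}: one boolean per tuple
        return self.decrypt(tok) == const

    def class_token(self, tok, salt):       # hash for join / group-by: equal plaintexts, equal token
        return hash((salt, self.decrypt(tok)))

    def add(self, tok_a, tok_b):            # pi_{A+B}: a fresh ciphertext, nothing comparable
        return self.encrypt(self.decrypt(tok_a) + self.decrypt(tok_b))

    def sum_all(self, toks):
        return self.encrypt(sum(self.decrypt(t) for t in toks))

def partition(labels):
    """Equivalence relation over row positions, as sorted index groups."""
    groups = defaultdict(list)
    for i, c in enumerate(labels):
        groups[c].append(i)
    return sorted(groups.values())

def server_select(tm, rows, col, const):
    answers = [tm.pred_eq(r[col], const) for r in rows]
    result = [r for r, keep in zip(rows, answers) if keep]
    # Leak: which tuples satisfy the (to the server unknown) predicate p(A).
    return result, {"matching_rows": [i for i, k in enumerate(answers) if k]}

def server_hash_join(tm, R, S, col):
    salt = secrets.randbits(64)             # per-operation salt: classes do not link across queries
    r_cls = [tm.class_token(r[col], salt) for r in R]
    s_cls = [tm.class_token(s[col], salt) for s in S]
    buckets = defaultdict(list)
    for i, c in enumerate(r_cls):
        buckets[c].append(i)
    pairs = sorted((i, j) for j, c in enumerate(s_cls) for i in buckets.get(c, []))
    result = [{**R[i], **{"S." + k: v for k, v in S[j].items()}} for i, j in pairs]
    # Leak: equivalence relation over R(A) and S(A), plus the join graph.
    return result, {"R_classes": partition(r_cls), "S_classes": partition(s_cls), "join_graph": pairs}

def server_project_sum(tm, rows, a, b):
    result = [tm.add(r[a], r[b]) for r in rows]
    return result, {}                       # Leak: nothing, only fresh ciphertexts come back

def server_group_by_sum(tm, rows, a, b):
    salt = secrets.randbits(64)
    cls = [tm.class_token(r[a], salt) for r in rows]
    groups = partition(cls)
    result = [(rows[idx[0]][a], tm.sum_all([rows[i][b] for i in idx])) for idx in groups]
    # Leak: the equivalence relation over R(A) (which rows share a group key).
    return result, {"R_classes": groups}

def demo():
    tm = TrustedModule()
    # Constructed relations R(A, B) and S(A, C); the server only ever sees tokens.
    R = [{"A": tm.encrypt(a), "B": tm.encrypt(b)} for a, b in [(5, 1), (7, 2), (5, 3), (9, 4)]]
    S = [{"A": tm.encrypt(a), "C": tm.encrypt(c)} for a, c in [(7, 10), (5, 20), (5, 30)]]
    _, sel = server_select(tm, R, "A", 5)
    _, join = server_hash_join(tm, R, S, "A")
    _, proj = server_project_sum(tm, R, "A", "B")
    groups, grp = server_group_by_sum(tm, R, "A", "B")
    sums = sorted(tm.decrypt(ct) for _, ct in groups)       # client-side check of the result
    return {"select": sel, "join": join, "project": proj, "group_by": grp, "group_sums": sums}

if __name__ == "__main__":
    print(demo())
```

Every leak here is an access pattern rather than a value: the server never learns that A is 5, only which rows agree with each other or with the constant. That is the sense in which security depends on the operations performed rather than on the encryption scheme chosen per column.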

Page 30: Transaction Processing Performance Challenges

(Figure: TPCC New Order, timeline split between x86 and FPGA; Time/progress ≈ μsec)

Life of a transaction on x86: parsing, compilation, buffering, latching, locking, commit, … ≈ 1M instrs
Expression evaluation on the FPGA: ≈ 10 instrs x 300

Page 31: Summary of Performance Optimizations

(Figure: Cipherbase Client Lib → Modified SQL Server with a Plaintext Data Cache → FPGA with Core 1, Core 2, Core 3, Core 4)

• Batch FPGA work: Amortize communication latency
• Multiple FPGA cores: Parallelism, More FPGA compute
• Plaintext Data Caches: Minimize network comm., Reduce decryption
• Vectorize index comparisons: Minimize FPGA roundtrips
• Expression folding: Minimize FPGA roundtrips

Page 32: Organization

• Introduction
• Solution Landscape & Design Choices
• Cipherbase Design & Engineering
• Evaluation

Page 33: Cipherbase Prototype

• SQL Server code
– Basic functionality
• ≈ 1000 LoC
• Localized to expression evaluation module
– Optimizations
• ≈ 5000-10000 LoC
• Localized to FPGA driver, indexing
– Unchanged: everything else

Page 34: Performance on TPCC

(Chart: Transactions per sec (relative to SQL Server), y axis 0 to 1.2; x axis Plaintext, Customer, Strong/Weak, Strong/Strong; series Opt and NoOpt; x axis annotated "Increasing strength of encryption")

Encryption schemes:
Customer: Customer PII data strongly encrypted
Strong/Weak: Index columns deterministic, all others strongly encrypted
Strong/Strong: All columns strongly encrypted

Page 35: Cipherbase Summary

• Security:
– Strong encryption
– Decoupled from functionality
• Functionality:
– Industrial Strength Database system (SQL Server)
– Transaction Processing
• Performance on TPCC
– 85% of plaintext for typical encryption
– 40% of plaintext for “worst case” encryption
• Lightweight “trusted module” in secure hardware

Page 36: http://research.microsoft.com/en-us/projects/cipherbase/

