Transaction Processing onConfidential Datausing Cipherbase
Arvind Arasu, Ken Eguro, Manas Joglekar*
Raghav Kaushik, Donald Kossmann, Ravi Ramamurthy
Microsoft Research
Stanford University*
Cloud Data Security Concerns
2
Data in the cloud vulnerable to:
• Snooping administrators
• Hackers with illegal access
• Compromised servers
4/15/2015 ICDE 2015
Database Encryption
3
Client App
4/15/2015 ICDE 2015
Database Encryption
4
Client App
4/15/2015 ICDE 2015
Cipherbase Summary
• Data Confidentiality:
– Strong column-level encryption
– Decoupled from functionality
– *Lightweight “trusted module” in secure hardware
• Functionality:
– Industrial Strength Database system (SQL Server)
– Concurrency, Recovery, Stored Procedures.
• Performance on TPCC
– 85% of plaintext for typical encryption
– 40% of plaintext for “worst case” encryption
5
No prior work with this
{Confidentiality, Functionality, Performance}
characteristics
4/15/2015 ICDE 2015
Organization
• Introduction
• Solution Landscape & Design Choices
• Cipherbase Design & Engineering
• Evaluation
64/15/2015 ICDE 2015
What Makes Encryption Challenging?
7
Select Sum (Score)From AssignmentWhere StudentId = 1
a7be1a6997ad739bd8c9ca451f618b61b6ff744ed2c2c9bf6c590cbf0469bf4147f7f7bc95353e03f96c32bcfd8058df
𝜎𝑆𝑡𝑢𝑑𝑒𝑛𝑡𝐼𝑑=1
𝑆𝑢𝑚 (𝑆𝑐𝑜𝑟𝑒)
Assignment
4/15/2015 ICDE 2015
Solution Landscape
• Two fundamental techniques
– Directly compute over encrypted data
• Special homomorphic encryption schemes
• Challenge: limited class of computations
– Use a “secure” location
• Computations on plaintext
• Challenge: Expensive
84/15/2015 ICDE 2015
Deterministic Encryption
9
StudentId AssignId Score
1 1 68
1 2 71
3 4 99
… … …
select *from assignmentwhere studentid = 1
𝜎𝑆𝑡𝑢𝑑𝑒𝑛𝑡𝐼𝑑=1
4/15/2015 ICDE 2015
Deterministic Encryption
10
StudentId_DET AssignId Score
bd6e7c3df2b5779e0b61216e8b10b689 1 68
bd6e7c3df2b5779e0b61216e8b10b689 2 71
7ad5fda789ef4e272bca100b3d9ff59f 4 99
… … …
select *from assignmentwhere studentid_det = bd6e7c3df2b5779e0b61216e8b10b689
𝜎𝑆𝑡𝑢𝑑𝑒𝑛𝑡𝐼𝑑_𝑑𝑒𝑡=𝑏𝑑6…
4/15/2015 ICDE 2015
Homomorphic Encryption Schemes
Fully Homomorphic Encryption
Order-Preserving Encryption
Deterministic Encryption
Non-DeterministicEncryption
PaillierCryptosystem
ElGamalCryptosystem
(∅)
(==)
(≤)
(+) (×)
(Any function)
11
[G09, G10]
[P99] [E84]
[BCN11, PLZ13]
Partial Homomorphic Encryption
Part
ial H
om
om
orp
hic
En
cryp
tio
n (
PH
E)
4/15/2015 ICDE 2015
PHE Limitations
• Limited Server Functionality
– SUM(L_EXTENDEDPRICE*(1-L_DISCOUNT)*(1+L_TAX))
• Data Security tied to functionality
• Lack of Composability
– A + B = C
• Performance
– ≈ msec for a single addition under Paillier
12CryptDB [PRZ+11], Monomi [TFM 13], [HMH08]
4/15/2015 ICDE 2015
Solution Landscape
• Two fundamental techniques
– Directly compute over encrypted data
• Special homomorphic encryption schemes
• Challenge: limited class of computations
• Challenge: Not composable
– Use a “secure” location
• Hardware provisioned isolation and protection
• Computations on plaintext
• Challenge: Expensive
134/15/2015 ICDE 2015
Secure Location
14
Inaccessible
4/15/2015 ICDE 2015
Secure Hardware Landscape
• Long history
– Banking, Defense Applications
• Becoming mainstream and commoditized
• Players:
– Crypto co-processors
– FPGAs
– Intel SGX
– TPM, HSM
154/15/2015 ICDE 2015
Intel Software Guard Extensions
• Extensions to Intel Architecture
• Isolation to code + data within a designated region
called enclave
– Confidentiality
– Integrity
Virtual Addr Space
Physical MemoryEnclave
code/data
Encr
ypte
d &
Inte
grit
y P
rote
cted
Ack: Andrew Baumann
[MAB+ 13, AGJ+ 13, HLP+ 13] 164/15/2015 ICDE 2015
Design Choice: Trusted Functionality
17
Expr Eval
Secure h/w
OS
DBMS
Commodity h/w
TrustedDB [BS11] Cipherbase
Secure h/w
DBMS
Embedded OS
OS
DBMS
Commodity h/w
Secure h/w
DBMS
Library OS
OS
Commodity h/w
Haven [MPH14]
Larger Trusted Computing Base (TCB) Smaller TCB
4/15/2015 ICDE 2015
Design Choice: Trusted Functionality
18
Expr Eval
Secure h/w
OS
DBMS
Commodity h/w
TrustedDB [BS11] Cipherbase
Secure h/w
DBMS
Embedded OS
OS
DBMS
Commodity h/w
Secure h/w
DBMS
Library OS
OS
Commodity h/w
Haven [MPH14]
Less secure More secure
4/15/2015 ICDE 2015
Design Choice: Trusted Functionality
19
Expr Eval
Secure h/w
OS
DBMS
Commodity h/w
TrustedDB [BS11] Cipherbase
Secure h/w
DBMS
Embedded OS
OS
DBMS
Commodity h/w
Secure h/w
DBMS
Library OS
OS
Commodity h/w
Haven [MPH14]
Minimal software engg.
4/15/2015 ICDE 2015
Organization
• Introduction
• Solution Landscape & Design Choices
• Cipherbase Design & Engineering
• Evaluation
204/15/2015 ICDE 2015
Life of a Query in Cipherbase I
21
App
Cip
her
bas
e C
lien
t Li
b
EncryptionConfig
Stack Machine
(Expression Evaluation)
Insecure (x86)FPGA
Cipherbase Server
ModifiedSQL Server
PCIe
AccountId: PlaintextBranchId: AES-CBCBalance: AES-CBC…
(stateless*)
push $1decryptpush 10addencryptout
5
4/15/2015 ICDE 2015
Life of a Query in Cipherbase II
22
App
Cip
her
bas
e C
lien
t Li
b
EncryptionConfig
Stack Machine
(Expression Evaluation)
Insecure (x86)FPGA
Cipherbase Server
ModifiedSQL Server
PCIe
AccountId: AES-CBCBranchId: AES-CBCBalance: AES-CBC…
PK:
4/15/2015 ICDE 2015
B+-Tree Indexes over Encrypted Data
23
6C2AB4
BF48BC
DF60B9
20B9D4
AC2DB0
FC46B0
0A183E
C9B7F9
1DA6B5
4F3618
…
…
0A183E
C9B7F9
1DA6B5
4F3618
…
…
0A183E
…
…
…
…
…
0 1 2 3 4 5 6 7 8 9
6
4/15/2015 ICDE 2015
B+-Tree Indexes over Encrypted Data
24
6C2AB4
BF48BC
DF60B9
20B9D4
AC2DB0
FC46B0
0A183E
C9B7F9
1DA6B5
4F3618
…
…
0A183E
C9B7F9
1DA6B5
4F3618
…
…
0A183E
…
…
…
…
…
4/15/2015 ICDE 2015
Life of a Query in Cipherbase II
25
App
Cip
her
bas
e C
lien
t Li
b
EncryptionConfig
Stack Machine
(Expression Evaluation)
Insecure (x86)FPGA
Cipherbase Server
ModifiedSQL Server
PCIe
AccountId: AES-CBCBranchId: AES-CBCBalance: AES-CBC…
PK:
push $1decrpush $2decrcompareout
6
4/15/2015 ICDE 2015
B+-Tree Indexes over Encrypted Data
26
6C2AB4
BF48BC
DF60B9
20B9D4
AC2DB0
FC46B0
0A183E
C9B7F9
1DA6B5
4F3618
…
…
0A183E
C9B7F9
1DA6B5
4F3618
…
…
…
…
…
…
…
8DE526FPGA
0A183E
Search key:
comp(8DE526,0A183E)
<
4/15/2015 ICDE 2015
B+-Tree Indexes over Encrypted Data
27
6C2AB4
BF48BC
DF60B9
20B9D4
AC2DB0
FC46B0
0A183E
C9B7F9
1DA6B5
4F3618
…
…
0A183E
C9B7F9
1DA6B5
4F3618
…
…
…
…
…
…
…
8DE526FPGA
0A183E
Search key:
comp(8DE526,0A183E)
<
4/15/2015 ICDE 2015
Life of a Query in Cipherbase II
28
App
Cip
her
bas
e C
lien
t Li
b
EncryptionConfig
Stack Machine
(Expression Evaluation)
Insecure (x86)FPGA
Cipherbase Server
ModifiedSQL Server
PCIe
AccountId: AES-CBCBranchId: AES-CBCBalance: AES-CBC…
PK:
4/15/2015 ICDE 2015
Operational Security
294/15/2015 ICDE 2015
Operation Adversary Learns
𝜎𝐴=5(R) Unknown predicate p(A) over R tuples
𝑅 ⋈𝐴 𝑆 (hash-based) The join graph and the equivalence relation over R(A) and S(A) for joining A values
𝜋𝐴+𝐵(𝑅) Nothing
𝐺𝑟𝑜𝑢𝑝𝑏𝑦𝐴𝑆𝑈𝑀(𝐵)
(𝑅) The equivalence relation over R(A)
Data Security depends on the operations performed
Transaction Processing Performance Challenges
30
x86
FPGA
Life of a transaction
parsing, compilation, buffering, latching, locking, commit, …
Expression evaluation
1M instrs
≈ 10 instrs x 300
TPCC New Order:
Time/progress≈ 𝜇sec
4/15/2015 ICDE 2015
Summary of Performance Optimizations
31
Core 1
Core 2
Core 3
Core 4
Plaintext Data
Cache
Batch FPGA workAmortize communication
latency
Multiple FPGA coresParallelism
More FPGA compute
Plaintext Data CachesMinimize network comm.
Reduce decryption
ModifiedSQL Server
Vectorize index comparisonsMinimize FPGA roundtrips
Cip
her
bas
e C
lien
t Li
b
Expression foldingMinimize FPGA roundtrips
4/15/2015 ICDE 2015
Organization
• Introduction
• Solution Landscape & Design Choices
• Cipherbase Design & Engineering
• Evaluation
324/15/2015 ICDE 2015
Cipherbase Prototype
• SQL Server code
– Basic functionality
• ≈ 1000 LoC
• Localized to expression evaluation module
– Optimizations
• ≈ 5000-10000 LoC
• Localized to FPGA driver, indexing
– Unchanged: everything else
334/15/2015 ICDE 2015
Performance on TPCC
34
0
0.2
0.4
0.6
0.8
1
1.2
Plaintext Customer Strong/Weak Strong/Strong
Opt NoOpt
Tran
sact
ion
s p
er s
ec (
rela
tive
to
SQ
L Se
rver
)
Encryption schemes:
Customer: Customer PII data strongly encrypted
Strong/Weak: Index columns deterministic, all others strongly encrypted
Strong/Strong: All columns strongly encrypted
Increasing strength of encryption4/15/2015 ICDE 2015
Cipherbase Summary
• Security:
– Strong encryption
– Decoupled from functionality
• Functionality:
– Industrial Strength Database system (SQL Server)
– Transaction Processing
• Performance on TPCC
– 85% of plaintext for typical encryption
– 40% of plaintext for “worst case” encryption
• Lightweight “trusted module” in secure hardware
354/15/2015 ICDE 2015
36
http://research.microsoft.com/en-us/projects/cipherbase/
4/15/2015 ICDE 2015