When Query Authentication Meets Fine-Grained Access Control: A Zero-Knowledge Approach

Query authentication has been extensively studied to ensure the integrity of query results for outsourced databases, which are often not fully trusted. However, access control, another important security concern, is largely ignored by existing works. Notably, recent breakthroughs in cryptography have enabled fine-grained access control over outsourced data. In this paper, we take the first step toward studying the problem of authenticating relational queries with fine-grained access control. The key challenge is how to protect information confidentiality during query authentication, which is essential to many critical applications. To address this challenge, we propose a novel access-policy-preserving (APP) signature as the primitive authenticated data structure. A useful property of the APP signature is that it can be used to derive customized signatures for unauthorized users that prove inaccessibility while achieving zero-knowledge confidentiality. We also propose a grid-index-based tree structure that can aggregate APP signatures for efficient range and join query authentication. In addition, a number of optimization techniques are proposed to further improve the authentication performance. Security analysis and performance evaluation show that the proposed solutions and techniques are robust and efficient under various system settings.
