
A Non-interactive Multi-user Protocol for Private Authorised Query Processing on Genomic Data

Conference paper. Information Security (ISC 2021). Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13118).

Abstract

This paper introduces a new non-interactive multi-user model for secure and efficient query executions on outsourced genomic data to the cloud. We instantiate this model by leveraging searchable symmetric encryption (SSE). This new construction supports various types of queries (i.e., count, Boolean, \(k'\)-out-of-k match queries) on encrypted genomic data, and we call it NIMUPrivGenDB. Most importantly, it eliminates the need for the data owner and/or trusted entity to be online and avoids per-query interaction between the data owner and/or trusted entity and users. This is achieved by introducing a new mechanism called QUAuth to enforce access control based on the types of queries (Q) each user (U) is authorised (Auth) to submit. To the best of our knowledge, this is the first paper proposing an authorisation mechanism based on queries on genomic data. Moreover, QUAuth offers user management by supporting authorisation updates. We proved that our construction achieves strong security against malicious behaviour among authorised users, where a malicious user pretends to be other users by using others’ unique IDs, and colluding attacks among these users are also considered. Finally, our proposed protocol’s implementation and evaluation demonstrate its practicality and efficiency in terms of search computational complexity and storage cost.


Notes

  1. We used/tested this model for query processing on genomic data. However, the proposed mechanism may be of independent interest: it can be used in other applications where access to the data must be controlled based on the types of queries.

  2. In all of these queries, negation terms can be added as predicates. Other information, such as gender and ethnicity, can also be added as predicates in the query.

  3. The proposed model in [14] adds a middle entity called a vetter to the system model to control users' access to the system. Our model has no trusted middle entity and hence provides control over users in a non-interactive way. Moreover, we add user management functionality to our system without the need for per-query interaction with a trusted entity (vetter). In terms of security, we demonstrate that NIMUPrivGenDB does not leak much more information than [14] to the data server, and that it is secure against malicious colluding users.

  4. Attribute-Based Encryption [26] can also be used to let the \(\mathcal {T}\) realise fine-grained access control on the encrypted data, but it is not the main point of this work.

  5. All components are the same as in [17], except \(\bar{q},\mathsf {NP},\mathsf {QT}\), and the same as in [14], except \(\bar{q}\).

  6. The security against malicious users in Theorem 2 is a generic property that can be used in scenarios with more supported types of queries. In other words, the designed protocol and the security proof against forgery by a collusion of users generalise to more than three query types.

References

  1. Kupersmith, J.: The privacy conundrum and genomic research: re-identification and other concerns. Health Affairs, Project HOPE (2013)

  2. Hasan, M.Z., Mahdi, M.S.R., Sadat, M.N., Mohammed, N.: Secure count query on encrypted genomic data. J. Biomed. Inform. 81, 41–52 (2018)

  3. Mahdi, M.S.R., Sadat, M.N., Mohammed, N., Jiang, X.: Secure count query on encrypted heterogeneous data. In: 2020 IEEE International Conference on DASC/PiCom/CBDCom/CyberSciTech, pp. 548–555. IEEE (2020)

  4. Ghasemi, R., Al Aziz, M.M., Mohammed, N., Dehkordi, M.H., Jiang, X.: Private and efficient query processing on outsourced genomic databases. IEEE J. Biomed. Health Inform. 21(5), 1466–1472 (2016)

  5. Nassar, M., Malluhi, Q., Atallah, M., Shikfa, A.: Securing aggregate queries for DNA databases. IEEE Trans. Cloud Comp. 7(3), 827–837 (2017)

  6. Krishna, R., Kelleher, K., Stahlberg, E.: Patient confidentiality in the research use of clinical medical databases. Am. J. Public Health 97(4), 654–658 (2007)

  7. Shabani, M., Borry, P.: Rules for processing genetic data for research purposes in view of the new EU general data protection regulation. Eur. J. Hum. Genet. 26(2), 149–156 (2018)

  8. A.G.H. Alliance: Genomic data & privacy law, May 2018. https://www.australiangenomics.org.au/genomics-and-privacy-law/

  9. Erlich, Y., et al.: Redefining genomic privacy: trust and empowerment. PLoS Biol. 12(11), e1001983 (2014)

  10. Erlich, Y., Narayanan, A.: Routes for breaching and protecting genetic privacy. Nat. Rev. Genet. 15(6), 409–421 (2014)

  11. Kantarcioglu, M., Jiang, W., Liu, Y., Malin, B.: A cryptographic approach to securely share and query genomic sequences. IEEE Trans. Inform. Tech. Biomed. 12(5), 606–617 (2008)

  12. Canim, M., Kantarcioglu, M., Malin, B.: Secure management of biomedical data with cryptographic hardware. IEEE Trans. Inform. Tech. Biomed. 16(1), 166–175 (2011)

  13. Chenghong, W., et al.: Scotch: secure counting of encrypted genomic data using a hybrid approach. In: AMIA Annual Symposium Proceedings, vol. 2017, p. 1744. American Medical Informatics Association (2017)

  14. Jafarbeiki, S., et al.: PrivGenDB: efficient and privacy-preserving query executions over encrypted SNP-phenotype database (2021). https://arxiv.org/abs/2104.02890

  15. Perillo, A.M., De Cristofaro, E.: PAPEETE: Private, Authorized, and Fast Personal Genomic Testing. SciTePress (2018)

  16. Naveed, M., et al.: Controlled functional encryption. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 1280–1291 (2014)

  17. Cash, D., Jarecki, S., Jutla, C., Krawczyk, H., Roşu, M.-C., Steiner, M.: Highly-scalable searchable symmetric encryption with support for Boolean queries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 353–373. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40041-4_20

  18. Sun, S.F., et al.: Non-interactive multi-client searchable encryption: realization and implementation. IEEE Trans. Dependable Secur. Comput. (2020)

  19. National Human Genome Research Institute: Genetics glossary: Phenotype (no date). https://www.genome.gov/genetics-glossary/Phenotype

  20. Gibson, G.: Population genetics and GWAS: a primer. PLoS Biol. 16(3), e2005485 (2018)

  21. Chen, F., et al.: Princess: privacy-protecting rare disease international network collaboration via encryption through software guard extensions. Bioinformatics 33(6), 871–878 (2017)

  22. Katz, J., Lindell, Y.: Introduction to Modern Cryptography. CRC Press, Boca Raton (2020)

  23. Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_15

  24. Hohenberger, S., Koppula, V., Waters, B.: Adaptively secure puncturable pseudorandom functions in the standard model. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 79–102. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_4

  25. Garcia-Molina, H., Ullman, J.D., Widom, J.: Database System Implementation, vol. 672. Prentice Hall, Upper Saddle River (2000)

  26. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 89–98 (2006)

  27. Redis Labs: Redis (2017). https://redis.io

  28. Nikitin, A.: Bloom Filter Scala (2017). https://alexandrnikitin.github.io/blog/bloom-filter-for-scala/

  29. Caro, A.D., Iovino, V.: JPBC: Java pairing based cryptography. In: ISCC 2011, pp. 850–855. IEEE (2011)

  30. The Personal Genome Project, Harvard Medical School: PersonalGenomes.org. https://pgp.med.harvard.edu/data

  31. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. In: Providing Sound Foundations for Cryptography: On the Work of Shafi Goldwasser and Silvio Micali, pp. 241–264 (2019)

  32. Brakerski, Z., Vaikuntanathan, V.: Constrained key-homomorphic PRFs from standard lattice assumptions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 1–30. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_1

Corresponding author: Sara Jafarbeiki.


Appendix

Appendix 1

Our Techniques: Following the idea of authorising different users to submit different types of queries, the main task is to develop a scheme that authorises users before the query execution starts. We observe that the scheme of [18] supports authorising users (clients) based on the keywords they are allowed to search. What we need is to authorise users based on the supported types of queries and, in addition, to control and manage users individually. To achieve this, our main idea is to use a query-authorised key created in advance by the data owner for each user. The user then employs this query-authorised key to create a tag for the requested query, and the data server can determine whether this user is authorised to perform the query. The main difference between our protocol and [18] is that in [18] the authorised keywords have to be considered throughout the whole token generation process, to make sure that no keyword other than the authorised ones is submitted. In our protocol, by contrast, a new mechanism ensures that an authorised query has been submitted before the main search process starts.

To design such a scheme, we leverage the set-constrained pseudorandom function (SC-PRF) of [18] to generate query-authorised keys for users and propose a new mechanism, QUAuth, for authorisation based on queries. Specifically, our construction employs one lookup table per type of query for checking the tag submitted by the user. This incurs less storage overhead than the naive solution of keeping multiple databases: the dominant part of the storage cost is the set generated to hold the (record, keyword) pairs, so multiplying the storage in the naive solution multiplies this large cost, whereas lookup tables need only a limited amount of storage. For each query submission, the data server checks the submitted tag against the lookup table of the corresponding query type, and only if that particular user is allowed to execute the submitted query does the server process it. To support extra features such as authorisation updates, QUAuth incorporates the users' IDs, while a naive solution would need one storage per user, which is highly impractical. QUAuth, on the other hand, provides this with only a minimal increase in storage overhead as the number of users grows.

In addition, our construction achieves enhanced security against untrusted clients in comparison to [18]. We prove that our construction is secure not only against colluding attacks among untrusted users, but also against search token forgery by untrusted users using other users' unique IDs. This is achieved by binding the user's unique ID into key generation, so that both that key and the unique ID are needed to generate the search token that starts a search in the next phase.

Appendix 2

The security of an SC-PRF is formally captured by the game outlined below.

  • Setup: Challenger selects \(k {\mathop {\leftarrow }\limits ^{\$}} \mathcal {K}\) and \(b {\mathop {\leftarrow }\limits ^{\$}} \{0,1\}\), and initialises empty sets \(E, \mathcal {Q}\) and C.

  • Query Phase: In this phase, the adversary adaptively issues the following queries: (i) Evaluation query: on input \(x \in \mathcal {X}\), the challenger returns F(k, x) and adds x to E. (ii) Key query: on input a set \(S \subseteq \mathcal {X}\), the challenger returns a set-constrained key F.Cons (k, S), and adds S to \(\mathcal {Q}\).

  • Challenge Phase: on input a challenge query \(x^{*} \in \) \(\mathcal {X}\), the challenger outputs \(F\left( k, x^{*}\right) \) if \(b=1\), otherwise returns \(u {\mathop {\leftarrow }\limits ^{\$}} \mathcal {Y}\), and then adds \(x^{*}\) to C.

  • Guess: the adversary outputs a guess \(b'\) of b.

\(\mathcal {A}\) wins in the above game if all the following conditions hold: (1) \(b'=b\); (2) \(E \cap C=\emptyset \); (3) for all \(x^{*} \in C\), \(x^{*} \notin \bigcup _{S \in \mathcal {Q}} S.\)

Definition 5

(Secure Set-Constrained PRF). A set-constrained PRF \(F: \mathcal {K} \times \mathcal {X} \rightarrow \mathcal {Y}\) is secure if for all PPT adversaries \(\mathcal {A}\), the advantage of \(\mathcal {A}\) in winning the above game is negligible in \(\lambda \).

That is, \(\mathrm {Adv}_{\mathcal {A}, F}^{\mathrm {SC}-\mathrm {PRF}}(\lambda )=\left| {\text {Pr}}[\mathcal {A} \text{ wins}]-\frac{1}{2} \right| \le {\text {negl}}(\lambda )\).

Appendix 3

System Design Overview of NIMUPrivGenDB. See Fig. 3.

Fig. 3. System design overview of NIMUPrivGenDB (figure not reproduced in this extract).

Appendix 4

Syntax of Our Proposed Non-interactive Multi-user SSE

  • \(\mathsf {Initialisation}(\lambda , \mathsf {MU}\mathsf {GDB}, \varGamma , \mathsf {ACL}, \mathcal {U})\): Trustee runs this algorithm. Given the security parameter \(\lambda \), the multi-user genomic database \(\mathsf {MUGDB}\), types of the queries \(\varGamma \), the access list \(\mathsf {ACL}\), and the users \(\mathcal {U}\), this algorithm outputs the encrypted database \(\mathsf {EMUGDB}\) and a key \(\mathsf {sk_{\varGamma _i}}\) for each user \(\mathcal {U}_i\). Trustee uses below sub-algorithms to complete the initialisation:

    • \(\mathsf {G}\leftarrow \mathbf{MUGeEncode} (\mathsf {MU}\mathsf {GDB})\): To encode the genotypes in the database, trustee runs this algorithm that constructs keywords related to genotypes by concatenating each SNP index to all genotypes of that particular SNP.

    • \(\mathsf {IINX} \leftarrow \mathbf{MUBInv} (\mathsf {G}, \mathsf {MU}\mathsf {GDB})\): This algorithm gets as input the keywords in \(\mathsf {G}\) and generates an inverted index.

    • (\(\mathsf {EMU}\mathsf {GDB}, \mathsf {K}, \mathsf {K}_q) \leftarrow \mathbf{EMUGDB.Setup }(\lambda ,\) \(\mathsf {IINX},\) \(\mathsf {MU}\mathsf {GDB},\) \(\varGamma ,\) \(\mathcal {U}_i,\) \(\mathsf {ACL})\): The inputs to this algorithm are the security parameter \(\lambda \), the generated inverted index \(\mathsf {IINX}\), the types of queries \(\varGamma \), the access list \(\mathsf {ACL}\), and the users \(\mathcal {U}\); the outputs are the encrypted multi-user database \(\mathsf {EMU}\mathsf {GDB}= (\mathsf {Inv}_{\mathsf {G}}, \mathbb {S}_{\mathsf {G}}, \mathsf {QSets})\) and a set of keys \(\mathsf {K}, \mathsf {K}_q\). \({\mathsf {TSet.Setup}}(\mathbf{\mathsf {IINX}})\) is used in the EMUGDB.Setup algorithm and resembles TSet in the OXT scheme.

    • \(\mathsf {sk}_{{\varGamma _i}} \leftarrow \mathbf{User.Auth }(\varGamma , \mathsf {ACL}, {\mathcal {U}_i}, \mathsf {K}_q)\): Trustee runs this algorithm by using \(\mathsf {K}_q\), types of queries and access list for a particular user \(\mathcal {U}_i\) to generate a specific key \(\mathsf {sk}_{\varGamma _i}\) for each user of the system. Each user has its own key and can later submit the queries using this key.

  • \(\mathsf {TokenGeneration}(\mathsf {q}\)(\(g_{1},\ldots ,g_{n}),\) \(\mathsf {K},\) \(\mathsf {sk}_{\varGamma _i})\): A user runs this algorithm with inputs the desired query (with encoded keywords, if they are genotype-related keywords), the key set \(\mathsf {K}\), and its own specific key \(\mathsf {sk}_{\varGamma _i}\); the outputs are the tokens \(\mathsf {qtag}_{\mathcal {U}_i,j}\) and \(\mathsf {gToK}\). The input threshold \(\mathsf {T}\) limits the number of records returned as the result of a submitted count query. \({\mathsf {TSet.GetTag}}(\mathsf {K}_T,g_1)\) is used in the \(\mathsf {TokenGeneration}\) algorithm and resembles TSet in the OXT scheme.

  • \(\mathsf {Search}(\mathsf {qtag}_{\mathcal {U}_i,j},\) \(\mathsf {gToK},\) \(\mathsf {EMU}\mathsf {GDB},\) \(\mathsf {T})\): This algorithm takes as input the search tokens \(\mathsf {qtag}_{\mathcal {U}_i,j}\) (which lets the server authorise the user and the type of query submitted by that user), \(\mathsf {gToK}\) and the encrypted database \(\mathsf {EMU}\mathsf {GDB}\), and outputs the search result. The algorithm \(\mathsf {TSet.Retrieve}\) \((\mathsf {Inv}_{\mathsf {G}},\tau _{\rho })\) is used in \(\mathsf {Search}\) and resembles TSet in the OXT scheme.

  • \(\mathsf {Retrieve}(\mathsf {RSet}, g_1, \mathsf {K})\): The user runs this algorithm when the response to the submitted query is a set of record IDs. It takes \(\mathsf {RSet}\), \(g_1\) and the key \(\mathsf {K}\) as inputs, decrypts every \(\mathsf {ID}_O'\) in \(\mathsf {RSet}\) to obtain the corresponding \(\mathsf {ID}_O\), and outputs these in a new set \(\mathsf {IDSet}\).
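The following is an added worked example, not code from the paper or its authors, of the QUAuth mechanism described in Appendix 1 and exposed through the \(\mathsf {User.Auth}\), \(\mathsf {TokenGeneration}\) and \(\mathsf {Search}\) interfaces above, together with the constrained-key property the SC-PRF game of Appendix 2 relies on. The SC-PRF instantiation is an assumption chosen for illustration: \(F\) is HMAC-SHA256 and, for a polynomial-size set \(S\), \(F.\mathsf{Cons}(k,S)\) is simply the table of evaluations on \(S\), so the constrained key cannot be evaluated outside \(S\) (this is the generic construction from any PRF, not necessarily the one used in [18]). The query-type names, the user IDs, the access list and the \(\gamma \,||\, \mathcal {U}_i\) encoding with a `|` separator are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Set

# ---- Toy set-constrained PRF (SC-PRF); our own illustrative construction ----
# F is HMAC-SHA256. F.Cons(k, S) for a polynomial-size set S is the table of
# evaluations on S: it reproduces F(k, .) on S and yields nothing outside S.

def prf_eval(k: bytes, x: bytes) -> bytes:
    """F(k, x): the underlying PRF."""
    return hmac.new(k, x, hashlib.sha256).digest()

def prf_cons(k: bytes, S: Iterable[bytes]) -> Dict[bytes, bytes]:
    """F.Cons(k, S): a key constrained to the set S."""
    return {x: prf_eval(k, x) for x in S}

def prf_eval_cons(sk: Dict[bytes, bytes], x: bytes) -> Optional[bytes]:
    """Evaluate under a constrained key; None if x lies outside the set."""
    return sk.get(x)

# ---- QUAuth: authorisation keyed on query type gamma and user ID U_i ----

def qtag_input(query_type: str, user_id: str) -> bytes:
    """SC-PRF input gamma || U_i (the '|' separator is our assumption)."""
    return f"{query_type}|{user_id}".encode()

def setup_qsets(K_q: bytes, query_types: Iterable[str],
                acl: Dict[str, Set[str]]) -> Dict[str, Set[bytes]]:
    """Trustee side (the QSets part of EMUGDB.Setup): one lookup table per
    query type holding the qtag of every user the ACL authorises for it."""
    qsets: Dict[str, Set[bytes]] = {g: set() for g in query_types}
    for user_id, allowed in acl.items():
        for g in allowed:
            qsets[g].add(prf_eval(K_q, qtag_input(g, user_id)))
    return qsets

def user_auth(K_q: bytes, acl: Dict[str, Set[str]], user_id: str) -> Dict[bytes, bytes]:
    """User.Auth: sk_Gamma_i = F.Cons(K_q, {gamma || U_i : gamma in Gamma_i})."""
    return prf_cons(K_q, [qtag_input(g, user_id) for g in acl.get(user_id, ())])

def token_generation(sk: Dict[bytes, bytes], query_type: str, user_id: str) -> Optional[bytes]:
    """User side: the qtag part of TokenGeneration. A key constrained to the
    user's own (type, ID) pairs yields no tag for any other pair."""
    return prf_eval_cons(sk, qtag_input(query_type, user_id))

def server_authorise(qsets: Dict[str, Set[bytes]], query_type: str,
                     qtag: Optional[bytes]) -> bool:
    """Data server: the lookup-table check that precedes any search work."""
    return qtag is not None and qtag in qsets.get(query_type, set())

def revoke(qsets: Dict[str, Set[bytes]], K_q: bytes, query_type: str, user_id: str) -> None:
    """Authorisation update: drop one user's qtag for one type from its table.
    Only the lookup table changes; no per-user database is touched."""
    qsets[query_type].discard(prf_eval(K_q, qtag_input(query_type, user_id)))

def qset_sizes(qsets: Dict[str, Set[bytes]]) -> Dict[str, int]:
    """Storage grows by one tag per (user, authorised type) pair."""
    return {g: len(tags) for g, tags in qsets.items()}

def demo() -> Dict[str, bool]:
    """Constructed scenario: two users, three query types, one revocation."""
    query_types = ["count", "boolean", "kprime_match"]
    acl = {"alice": {"count", "boolean"}, "bob": {"count"}}  # constructed ACL
    K_q = secrets.token_bytes(32)
    qsets = setup_qsets(K_q, query_types, acl)
    sk_alice, sk_bob = user_auth(K_q, acl, "alice"), user_auth(K_q, acl, "bob")
    r: Dict[str, bool] = {}
    r["alice_count_accepted"] = server_authorise(
        qsets, "count", token_generation(sk_alice, "count", "alice"))
    # Bob's constrained key has no entry for (boolean, bob): no tag at all.
    r["bob_boolean_rejected"] = not server_authorise(
        qsets, "boolean", token_generation(sk_bob, "boolean", "bob"))
    # Bob using Alice's ID: his key has no entry for any pair with her ID.
    r["bob_impersonating_alice_rejected"] = not server_authorise(
        qsets, "boolean", token_generation(sk_bob, "boolean", "alice"))
    # A genuine tag replayed against another type's table does not match.
    r["replayed_tag_wrong_type_rejected"] = not server_authorise(
        qsets, "boolean", token_generation(sk_bob, "count", "bob"))
    revoke(qsets, K_q, "boolean", "alice")
    r["alice_boolean_after_revoke_rejected"] = not server_authorise(
        qsets, "boolean", token_generation(sk_alice, "boolean", "alice"))
    r["alice_count_after_revoke_accepted"] = server_authorise(
        qsets, "count", token_generation(sk_alice, "count", "alice"))
    return r

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the code makes concrete is the one Appendix 1 argues in prose: the server's authorisation decision is a constant-time set lookup against a table whose size is the number of (user, query type) pairs in the ACL, and revocation edits that table alone. The tag is bound to the user ID at key-derivation time, so a colluding group of users holds only the union of their own (type, ID) entries and gains nothing toward a tag for a different ID or an unauthorised type.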

Appendix 5

Proof of Theorem 1. Let \(\mathcal {A}\) be an honest-but-curious data server who performs an adaptive attack against our protocol. Then we can construct an algorithm \(\mathcal {B}\) that breaks the server privacy of protocol OXT in [17] by running \(\mathcal {A}\) as a subroutine with non-negligible probability.

  • Algorithm \(\mathcal {B}\) passes the \(\mathsf {GDB}\) selected by \(\mathcal {A}\) to the OXT challenger.

  • The OXT challenger runs \((\mathsf {K},\mathsf {EDB})\leftarrow \mathsf {OXT.Setup}(\mathsf {G}\mathsf {DB})\) and returns \(\mathsf {EDB}\) to algorithm \(\mathcal {B}\). Then, algorithm \(\mathcal {B}\) chooses a random key \(\mathsf {K}_q\), runs lines 2 to 9 of algorithm EMUGDB.Setup to generate QSet, and sets \(\mathsf {EMU}\mathsf {GDB} = \{\mathsf {E}\mathsf {DB},\mathsf {QSets}\}\).

  • The algorithm \(\mathcal {B}\) sends \(\mathsf {EMU}\mathsf {GDB}\) to an adversary \(\mathcal {A}\).

  • For each query \(\mathsf {q}\) issued by the adversary \(\mathcal {A}\), the algorithm \(\mathcal {B}\) defines \(\mathsf {NIMUPrivGenDB.TokenGeneration}\)(K; \(\mathsf {q}[i]\)), where \(\mathrm {q}[i]= (\mathrm {s}[i], \mathrm {x}[i,\cdot ])\), which computes qtag (by first computing the key \(\mathsf {sk}_{\varGamma _i}\) and then running lines 1 to 9 of algorithm \(\mathsf {NIMUPrivGenDB.TokenGeneration}\), or simply generating qtag by running line 5 of EMUGDB.Setup for the requested query type), and then uses the xtoken output of the TokenGeneration oracle of OXT. For count and Boolean queries, it separates negated and non-negated terms and runs the TokenGeneration algorithm of OXT twice. For \(k'\)-out-of-k matches, it omits \(k'\) from the query sent by \(\mathcal {A}\), passes the rest to the TokenGeneration algorithm of OXT, and generates the token from that output, including \(k'\), to send to \(\mathcal {A}\).

  • Finally, the adversary \(\mathcal {A}\) outputs a bit that the algorithm \(\mathcal {B}\) returns.

Since the core construction of our scheme is derived from OXT in [17], we use the OXT oracle to reduce the security of our scheme to that of the OXT protocol. Thus, if OXT is secure, the security of our scheme follows.

Simulator 1 (for Count and Boolean queries) Considering \(\mathcal {A}\) as an honest-but-curious server against our protocol, \(\varPi _{\mathsf {MU}\mathsf {G}}\), we construct an algorithm \(\mathcal {B}\) that breaks the server privacy of the OXT protocol [17] by running \(\mathcal {A}\). Let \(\mathcal {S}_\mathsf {OXT}\) be the simulator for OXT; from it we construct a simulator \(\mathcal {S}_{\mathsf {MU}\mathsf {G}}\) for our scheme. The algorithm \(\mathcal {B}\) uses \(\mathcal {S}_\mathsf {OXT}\) to construct the simulator \(\mathcal {S}_{\mathsf {MU}\mathsf {G}}\) in order to answer the queries issued by \(\mathcal {A}\). For the initialisation phase, the simulator performs the following steps in addition to using the simulator of OXT: it selects a key \(\mathsf {K}_q\), calculates qtag for the different queries \(\mathcal {A}\) may submit, and generates QSet.

A sequence of T conjunctive queries is represented by \(\mathrm {q}=(\mathrm {s}, \mathrm {x})\), where the i-th query is written as \(\mathrm {q}[i]=(\mathrm {s}[i], \mathrm {x}[i, \cdot ])\) for \(i \in [T]\), and \(\mathrm {s}[i], \mathrm {x}[i, \cdot ]\) denote the sterm and xterms of the i-th query, respectively. For token generation, the simulator first generates the query qtag using \(\mathsf {K}_q\) and the type of query \(\mathcal {A}\) submitted; it can use the leakage \(\bar{q}\) to send the corresponding qtag back to \(\mathcal {A}\). For count and Boolean queries, such a simulator can be constructed from \(\mathcal {S}_{\mathsf {OXT}}\), the simulator for the OXT protocol: using the added leakage \(\mathsf {NP}\), \(\mathcal {S}_{\mathsf {MU}\mathsf {G}}\) simulates the two \(\mathcal {G}\mathsf {token}\)s, one for negated and one for non-negated terms, and then combines them into \(\mathsf {gToK}\).

For \(k'\)-out-of-k match queries, \(\mathcal {G}\mathsf {token}\) is constructed using \(\mathcal {S}_{\mathsf {OXT}}\), the extra \(\mathsf {QT}\) component is added, and \(\mathsf {gToK}\) is simulated. It remains to use the simulator of OXT for \(\mathcal {A}_\mathsf {OXT}\) to construct the simulator of our scheme for \(\mathcal {A}_{\mathsf {MU}\mathsf {G}}\). By running \(\mathcal {S}_\mathsf {OXT}\) for the EDBSetup and TokenGen queries, we obtain a simulator \(\mathcal {S}_{\mathsf {MU}\mathsf {G}}\) for the EDBSetup and TokenGen queries of our scheme, and

$$\begin{aligned} {\text {Pr}}(\text{ Real}_{\mathcal {A}}^{\varPi _{\mathsf {MU}\mathsf {G}}}=1)-{\text {Pr}}(\text{ Ideal}_{\mathcal {A}, \mathcal {S}_{\mathsf {MU}\mathsf {G}}}^{\varPi _{\mathsf {MU}\mathsf {G}}}=1) \le \big [{\text {Pr}}(\text{ Real}_{\mathcal {B}}^{\varPi _{\mathsf {OXT}}}=1)-{\text {Pr}}(\text {Ideal}_{\mathcal {B}, \mathcal {S}_\mathsf {OXT}}^{\varPi _{\mathsf {OXT}}}=1)\big ] + \mathrm {Adv}_{\mathsf {\hat{F}},\mathcal {B}}^{\text{ SC-PRF } }(\lambda ). \end{aligned}$$

Since OXT is secure, the first term is negligible, and the SC-PRF advantage is negligible as well. Hence, the advantage of the adversary against our protocol \(\varPi _\mathsf {MUG}\) is negligible.

Proof of Theorem 2. Suppose that there is an efficient adversary \(\mathcal {A}\) that can generate a new valid search token for a new query type \(\gamma _j^{*}\), which implies that \(\mathcal {A}\) produces a new qtag. We show that we can then construct an efficient algorithm \(\mathcal {B}\) (with \(\mathcal {A}\) as a subroutine) that breaks the security of the set-constrained PRF. For the case that \(\mathcal {A}\) wins by producing a qtag for the new query type \(\gamma ^{*}\), the algorithm \(\mathcal {B}\) is described below.

\(\mathcal {B}\) has access to the constrained key generation oracle \(\mathcal {O}_{K_{q}}^{\mathsf {\hat{F}}}(\cdot )\) of the SC-PRF \(\mathsf {\hat{F}}\). \(\mathcal {A}\) selects different \(\mathcal {U}_i\) with different \(\varGamma _{\mathcal {U}_i}\). For the i-th key extraction query, where \(\varGamma _{\mathcal {U}_i}=\left\{ \gamma _{1, i}, \ldots , \gamma _{m, i}\right\} \) for \(\mathcal {U}_i\), the algorithm \(\mathcal {B}\) concatenates each \(\gamma _j\) with \(\mathcal {U}_i\), obtains \(sk_{\varGamma _{i}}\) by querying its own oracle \(\mathcal {O}_{K_{q}}^{\mathsf {\hat{F}}}\left( \varGamma _{i}\right) \), and returns \(sk_{\varGamma _i}\) for each requested \(\mathcal {U}_i\). At last, \(\mathcal {A}\) outputs a search token \(\mathsf {qtag}^{*}\) for a query \(Q^{*}\) with a new type \(\gamma ^{*}\) and user \(\mathcal {U}_i\). Then \(\mathcal {B}\) forwards \(\gamma ^{*}||\mathcal {U}_i\) to its own challenger and receives the response \(y^{*}\), such that

$$\begin{aligned} y^{*}=\left\{ \begin{array}{ll} \mathsf {\hat{F}}\left( K_{q}, \gamma ^{*}||\mathcal {U}_i\right) , &{} b=1, \\ u, &{} b=0, \end{array}\right. \end{aligned}$$

where u is chosen uniformly at random from \(\mathcal {Y}\). After that, \(\mathcal {B}\) checks whether the event \(y^{*}=\mathsf {qtag}^{*}\), denoted E, happens. If so, it outputs 1; otherwise it returns 0. From the simulation, we get

$$\begin{aligned} &{\text {Pr}}[b^{\prime }=1 \mid b=1]-{\text {Pr}}[b^{\prime }=1 \mid b=0] \\ &= {\text {Pr}}[ E \mid y^{*}=\mathsf {\hat{F}}\left( K_{q}, \gamma ^{*}||\mathcal {U}_i\right) ]-{\text {Pr}}[E \mid y^{*}=u] \\ &= {\text {Pr}}[\mathcal {A} \text{ wins } \mid y^{*}=\mathsf {\hat{F}}\left( K_{q}, \gamma ^{*}||\mathcal {U}_i\right) ]-{\text {Pr}}[E \mid y^{*}=u] \ge {\text {Pr}}[\mathcal {A} \text{ wins}]-{\text {negl}}(\lambda ), \end{aligned}$$

where b is uniformly random and independent of \(\mathcal {A}\)'s final output. Therefore, \({\text {Pr}}[\mathcal {A} \text{ wins}] \le \mathrm {Adv}_{\mathsf {\hat{F}},\mathcal {B}}^{\text{ SC-PRF } }(\lambda )+ {\text {negl}}(\lambda )\), which indicates that \(\mathcal {A}\) cannot generate a valid search token with a fresh query type for user \(\mathcal {U}_i\) except with negligible probability.


Copyright information

© 2021 Springer Nature Switzerland AG


Cite this paper

Jafarbeiki, S., Sakzad, A., Kermanshahi, S.K., Steinfeld, R., Gaire, R., Lai, S. (2021). A Non-interactive Multi-user Protocol for Private Authorised Query Processing on Genomic Data. In: Liu, J.K., Katsikas, S., Meng, W., Susilo, W., Intan, R. (eds) Information Security. ISC 2021. Lecture Notes in Computer Science(), vol 13118. Springer, Cham. https://doi.org/10.1007/978-3-030-91356-4_5


  • DOI: https://doi.org/10.1007/978-3-030-91356-4_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-91355-7

  • Online ISBN: 978-3-030-91356-4

  • eBook Packages: Computer Science (R0)
