cipherPath: Efﬁcient Traversals over Homomorphically Encrypted Paths

Georg Bramm

and Julian Sch

utte

Fraunhofer AISEC, Lichtenbergstrasse 11, Garching near Munich, Germany

Keywords:

Somewhat Homomorphic Encryption, Structured Encryption, Order Preserving Encryption,

Geospatial Encryption, Dijkstra, Floyd, Shortest Path.

Abstract:

We propose cipherPath, a novel graph encryption scheme that enables exact shortest distance queries on

encrypted graphs. Shortest distance queries are very useful in a vast number of applications, including medical,

social or geospatial. Our approach using somewhat homomorphic encryption in combination with structured

encryption enables exact shortest distance queries on outsourced and encrypted graph data. Our approach

upholds provable security against a semi-honest provider. We demonstrate our framework by means of two

different shortest path algorithms on encrypted graphs: Dijkstra and Floyd. Finally, we evaluate the leakage

proﬁle of cipherPath.

1 INTRODUCTION

Nowadays service online map service providers tend

to offer public and free services in order to be able

to collect data from users trusting such a service. A

very prominent example is Google Maps. While of-

fering routing and shortest path services, they collect

various information about your request. By collect-

ing and aggregating those requests, an attacker might

be able to identify your work or home place. Us-

ing cipherPath, we enable users to query such ser-

vices without revealing the precise location. In or-

der to achieve this, various new cryptographic tech-

niques have been combined like structured encryption

(SE), order preserving encryption (OPE) and some-

what homomorphic encryption (SHE). Utilizing these

techniques, we can provide conﬁdentiality for users in

location-based services against an honest-but-curious

provider. We want users being able to calculate short-

est paths in real world applications without giving up

their privacy concerns. We therefore present cipher-

Path, a new shortest path query processing algorithm

over encrypted graphs in unstructured databases. Our

algorithm guarantees the conﬁdentiality of both the

encrypted graph data and the query history against

an honest-but-curious provider. To this end, we pro-

pose a structured encryption scheme utilizing some-

what homomorphic order preserving ciphertexts. Our

contribution can be summarized as follows:

https://orcid.org/0000-0002-9020-5856

https://orcid.org/0000-0002-3007-6538

• We devise an interactive, yet very efﬁcient SHE-

OPE scheme, capable of adding, subtracting, mul-

tiplying, dividing, and comparing encrypted num-

bers.

• We present a generic framework of protocols for

the generation, outsourcing and computation on

an encrypted graph.

• We apply our framework to implement a classic

shortest path ﬁnding technique by Dijkstra.

• We evaluate and discuss the information leakage

of our framework.

After introducing some preliminaries we present our

OPE-SHE scheme ehOPE in section 2. Building

upon eHOPE, we introduce our framework cipher-

Path in section 3. After presenting a secure protocol

for path ﬁnding in section 4, we discuss the leakage

of our construction in section 5 and conclude in sec-

tion 6.

2 FOUNDATION AND

EXTENSIONS

We give a description of our notation and foundational

preliminaries for this paper, followed by an introduc-

tion into ehOPE, an OPE-SHE scheme used in our

framework.

Bramm, G. and Schütte, J.

cipherPath: Efﬁcient Traversals over Homomorphically Encrypted Paths.

DOI: 10.5220/0009777802710278

In Proceedings of the 17th International Joint Conference on e-Business and Telecommunications (ICETE 2020) - SECRYPT, pages 271-278

ISBN: 978-989-758-446-6

271

2.1 Notation

[n] donates the set of integers from zero up to n. A

graph G = (V,E) consists of a set of vertices V and

a set of edges E =

{

(i, j)

}

where i, j ∈ V . Any edge

e = (i, j) with i, j /∈ V is called ∞ and is represented

by randomly chosen integer values from a range that

is invalid in the respective application domain

2.1.1 Distance Norm

As a distance metric we use the L

norm on en-

crypted nodes, as it requires less computational and

interaction overhead, compared to the L

norm. For a

real number p ≥ 1, the p-norm or L

distance norm of

is deﬁned by

= (|x

+ |x

+ · ·· + |x

)

1/p

When we calculate the L

distance d between the two

nodes a and b, we write d = L

(a,b). When we calcu-

late the L

distance between a node b and the starting

node, then we abbreviate this by writing d = dist(b).

2.2 Cryptographic Preliminaries

We now introduce all necessary cryptographic prelim-

inaries.

2.2.1 Pairing

Our work is partly based on the notion of bilinear

pairing maps: suppose G is an additive cyclic group

and H is a multiplicative cyclic group, both of the

same order q. A bilinear pairing map ˆe : G × G → H

satisﬁes the following properties:

• Bilinearity, i.e. for any P,Q ∈ G and any a,b ∈ Z

∗

we have ˆe(P

) = ˆe(P

) = ˆe(P,Q)

• Non-degeneracy, which means that there exists a

P, Q ∈ G, such that ˆe(P,Q) 6= I ∈ H, where I is

the identity element.

• Computable, which means that for any P,Q ∈

G, there exists an efﬁcient algorithm to compute

ˆe(P,Q) ∈ H.

2.2.2 Induced Permutation

Let π be the permutation over [n] such that ∀i ∈

[n],m

= Dec



π(i)



, then we refer to π as the per-

mutation induced by m and c. Accordingly, we re-

fer to Φ as the permutation induced by M and C,

if Φ is the permutation over [λ

] × [λ

] such that

For earth-bound navigation applications an integer in

the interval ]40075000,2

− 1] cloud be used, which is the

earth’s radius in meter and Integer max value.

Sometimes also called Manhattan distance

∀(i, j) ∈ [λ

] × [λ

],M

(i, j)

= Dec



Φ(i, j)



. By in-

ducing a pseudorandom permutation between m and

c our construction is able to hide parts of the access

pattern, as (Chase and Kamara, 2010) describe.

2.2.3 Somewhat Homomorphic Encryption

Besides hiding the structure of the graph we also need

to hide the sequence of data values along a path from

the server while doing calculations on it. We there-

fore integrated Pailliers scheme together with the El-

Gamal scheme into our own adoption of hOPE origi-

nally written by (Peng et al., 2017).

Paillier. The Paillier scheme (Paillier, 1999) allows

additive homomorphic operations on ciphertexts in

a probabilistic asymmetric encryption scheme. The

scheme can be modiﬁed to allow signed values and

subtraction by reducing the range of m to −

< m <

. The modiﬁed Paillier cryptosystem has the follow-

ing properties:

• Addition: The product of two ciphertexts ct

) and ct

= E

) results in the encryp-

tion of the sum of their plaintexts: (ct

× ct

)

mod n

= E

+ m

)

• Subtraction: The product of a ciphertext ct

) with the modular inverse of another ci-

phertext ct

= E

) computed modulo n

re-

sults in the encryption of the subtraction of their

plaintexts: (ct

× ct

−1

) mod n

= E

− m

)

• Constant multiplication: The b

power of ci-

phertext ct

= E

) results in the encryption of

the product of b and m

: E

× b) = E

)

mod n

• Semantic security: The generated ciphertexts are

non-deterministic.

ElGamal. In 1985 Taher ElGamal published a

schme with multiplicative homomorphic properties

(ElGamal, 1985). Besides multiplication, ElGamal

also allows division by multiplying with the modu-

lar inverse. As (Lipmaa, 2010) state, the ElGamal

cryptosystem is IND − CCA1 and has the following

properties:

• Multiplication: The product of two ciphertexts

= E

) and ct

= E

) results in the en-

cryption of the product of their plaintexts: (ct

) = E

· m

• Division: The product of a ciphertext

= E

) with the multiplicative inverse

of another ciphertext ct

= E

) results in the

encryption of the division of their plaintexts:



· (ct

)

−1



= E

(

)

SECRYPT 2020 - 17th International Conference on Security and Cryptography

272

• Semantic security: The generated ciphertexts are

non-deterministic.

2.3 homomorphic Order Preserving

Encryption (hOPE)

A new technique called hOPE was introduced by

(Peng et al., 2017). The authors combine Pailliers

scheme with an OPE approach based on a B

code

tree. In cipherPath we need to compute additions,

subtractions, multiplications, as well as inequality

tests, so we extend hOPE by also incorporating El-

Gamal. The additional interactivity with the client in

our scheme is needed when translating values from

one SHE to the other, like in Add(SP,L

) (5). The

encrypted value is given to the client, who decrypts it

using K, encrypts it into the opposite SHE scheme and

uploads it again to the server. We achieve the same

mathematical expressiveness as the Peng’s PhOPE,

but without integrating a fully homomorphic encryp-

tion (FHE) scheme. Instead we integrate two SHE

schemes. Our construction ehOPE is given by:

Select a bilinear pairing e : G × G → H with the

order q ∈ Z

∗

for G and H. Pick an additive

∏

= (Gen,Enc,Dec,Add,Sub) and a multiplicative SHE

scheme

∏

∗

= (Gen, Enc,Dec,Mul). Then ehOPE =

(Setup,Gen,Enc, Dec,Add,Sub, MulDiv,Comp) is deﬁned

by:

Gen(): Generate key pairs for both SHE schemes



,DK



←

∏

Gen

) and.

{

∗

,DK

∗

}

←

∏

∗

Gen

) and return them as key pair {SK, PK}, with

SK =



,DK

∗



and PK =



,EK

∗



Enc(SP, EK, m): Ciphertext CT = hp,e,G,H, oi is ob-

tained as follows:

(1) Using EK compute p =

∏

Enc

(m), e =

∏

∗

Enc

(m), G =

m · P ∈ G and H = ˆe(P,P)

∈ H.

(2) Look up L

= hp

i in L by matching G

or H. If found, skip to (3); otherwise skip to (4).

(3) Return CT = L

= hp

i, where G

= G

or H

= H. The process is now terminated.

(4) o is determined using an interactive code location al-

gorithm based on tree T .

(5) Insert L = hp, e,G, H,oi into the cache L, and insert

c into T . Then update both and go to (2).

Add(SP, L

, L

): Take as input SP, L

i and L

= hp

The sum L = L

+ L

is generated as follows:

(1) Compute p = p

+ p

, G = G

+ G

and H =

ˆe(G,P).

(2) Look up L

= hp

i in L by matching G

or p. If found, skip to (3); otherwise, skip to (4).

(3) ,(4) Same as in Enc (3) and Enc (4).

(5) ask client to translate p to e, i.e. calculate e =

∏

∗

Enc

(

∏

Dec

(p)).

(6) Same as in Enc (5).

Sub(SP, L

, L

): Take as input SP, L

= hp

and L

= hp

i. The subtraction L = L

−

is generated as follows:

(1) Compute p = p

− p

, G = G

+ (G

)

−1

and H =

ˆe(G,P).

(2) Look up L

= hp

i in L by matching G

or H. If found, skip to (3); otherwise, skip to (4).

(3) ,(4) Same as in Enc (3) and Enc (4).

(5) ask client to translate p to e, i.e. calculate e =

∏

∗

Enc

(

∏

Dec

(p)).

(6) Same as in Enc (5).

Mul(SP,L

, L

): Take as input SP, L

= hp

and L

= hp

i. The multiplication L =

· L

is generated as follows:

(1) Compute e = e

· e

and H = ˆe(G

(2) Look up L

= hp

i in L by matching H.

If found, skip to (3); otherwise, skip to (4).

(3) ,(4) Same as in Enc (3) and Enc (4).

(5) Ask client to compute G =

∏

∗

Dec

(e) · P and translate

p =

∏

Enc

(

∏

∗

Dec

(e)).

(6) Same as in Enc (5).

Div(SP,L

, L

): Take as input SP, L

= hp

and L

= hp

i. The division L =

generated as follows:

(1) Compute e = e

· e

−1

and H = ˆe(G

)

−1

(2) Look up L

= hp

i in L by matching H.

If found, skip to (3); otherwise, skip to (4).

(3) ,(4) Same as in Enc (3) and Enc (4).

(5) Ask client to compute G =

∏

∗

Dec

(e) · P and translate

p =

∏

Enc

(

∏

∗

Dec

(e)).

(6) Same as in Enc (5).

COMP(L

, L

): Take as input L

and L

. Output the result

of the binary comparison o

and o

. Return 0 if they

are equal. Returns 1 if L

≥ L

or −1 if L

≤ L

Dec(DK, L

): Take as input L

= hp

i. Out-

put m =

∏

Dec

The security analysis for hOPE is given by (Peng

et al., 2017). As long as we pick at least IND −

O2CPA secure SHE schemes, our modiﬁed scheme

upholds the same security features as the FHE ver-

sion, with the disadvantage of more interactivity and

the advantage of a higher efﬁciency.

2.4 Related Work

Searchable encryption was initially introduced by

(Song et al., 2000). They propose a novel, provably

secure scheme that enables searching on encrypted

data without decrypting it. Their technique is based

on a stream cipher. Many secure searchable encryp-

tion schemes followed like (Curtmola et al., 2011),

(Cash et al., 2014) or (Bost, 2016). The schemes

were mainly focusing on text based queries. (Meng

et al., 2015) proposed GRECS, a encrypted graph

scheme that supported very efﬁcient, but only approx-

imate, shortest distance queries. It was a big step

forward, but parts of the calculation, the intermedi-

ate distance matching, is still calculated on the client

side. Distances were precalculated and only approx-

imate. Other approaches to calculate paths on en-

crypted graphs include attempts to use secure multi-

party computation (SMC), like (Failla, 2010). In this

scenario two parties try to ﬁnd the shortest path in a

cipherPath: Efﬁcient Traversals over Homomorphically Encrypted Paths

273

privacy preserving way. One party knows the weights

on the edges of the graph, the other party knows an

heuristic to ﬁnd the best path and together they try

to solve the quest. As each party must have infor-

mation about the graph or the heuristic, before any

query is sent, this approach is not comparable to ours.

In 2015, (Samanthula et al., 2015) also tried to ap-

proach this problem by applying SHE to adjacency

lists, instead of a adjacency matrix as in our case. An-

other huge difference in their approach is the calcu-

lation of path subsets on the client side, instead of

the server side. (Chase and Kamara, 2010) showed

a novel way to construct a scheme that was taking

care not only of the data values, but the structure

of the adjacency matrix as well. The structured en-

cryption scheme showed a way how to efﬁciently and

privately query encrypted graphs, while at the same

time keeping the data and the structure hidden. Struc-

tured encryption, which generalizes previous work on

symmetric searchable encryption (SSE) to the setting

of arbitrarily-structured data is, besides ehOPE, is a

foundational building block of this paper.

3 FRAMEWORK

Our framework cipherPath is based on multiple mod-

iﬁcations of the associative structured encryption

scheme for labeled data by Chase. It was modiﬁed

in order to incorporate SHE operations on ciphertexts

instead of simple symmetrically encrypted cipher-

texts. Besides changes in the token and lookup algo-

rithms, the replacement of symmetrically encrypted

ciphertexts with ehOPE ciphertexts is a fundamental

change. This allows us to keep path lengths conﬁden-

tial, while still being able to compute on them.

3.1 Scheme Setting

The intention of our work is to keep the graph, the

shortest path queries as well as the results hidden from

an attacker. If some client itself holds the entire graph,

he could run various path searching algorithms lo-

cally, way faster. But this implies that he holds all the

necessary resources, including the graph data as well

as the computational power. In a setting with mul-

tiple mobile lightweight clients, like smartphones or

tablets, we advise the following procedure: A honest

but curious provider sets up the scheme and generates

SP using cipherPath.Setup. Afterwards the provider

makes SP publicly available. A trusted entity gener-

ate a single key K using cipherPath.Gen and encrypts

the routing graph G regularly using cipherPath.Enc.

The trusted entity uploads the generated CT regularly

to the provider. The trusted entity gives out key K to

multiple, eligible users over a secure channel. The el-

igible users generate queries Q

using K and SP and

query the scheme using Di j(Q

). Finally the eligible

users can decrypt the routing result locally using K.In

such a setting the query leakage is kept low by reg-

ularly renewing CT and thus rendering older leakage

useless. The users are able to query the system efﬁ-

ciently and their privacy concerns is taken care of.

3.2 Information Model

We need a way to not only store our permutated and

encrypted edges, but also information on the permu-

tated and encrypted nodes. Therefore we use the en-

crypted edge matrix C and an encrypted node vec-

tor D. The message space of our main framework

takes as input a matrix M and a set of nodes N

together with two sequence m and n consisting of

((x

),. ..,(x

)), with a data item x

and a label

. In case of m, a data item is composed of an identi-

ﬁer and a length. In case of n, a data item is composed

of an identiﬁer and a coordinate composed of a longi-

tude and latitude value.

3.3 Scheme Architecture

In order to enable queries for both edges and nodes,

we adopted the corresponding algorithms that are ei-

ther index based (T

) or label based (T

). Likewise,

lookup algorithms are also available for both types of

token requests. In a real world location-based sce-

nario, we are dealing with two different kinds of arith-

metic data in a navigation graph, namely node coor-

dinates, composed of longitude and latitude values,

given as double precision ﬂoating point values on the

one hand and edge lengths in meters or minutes as

integer values on the other hand. As there is no rea-

son to compare lengths and coordinates, we decided

to include in our framework two ehOPE schemes for

each data type.ehOPE

for ﬂoating point values and

ehOPE

for integer values.

3.3.1 Setup

This algorithm runs once on the provider side and

generates the system parameters (SP) for the ehOPE

schemes depending on security parameter k. Setup is

run by the provider, as he has to sets up cache L and

code tree T . The random value of P might also be

chosen by the client, but this is irrelevant, as SP is

public knowledge.

SECRYPT 2020 - 17th International Conference on Security and Cryptography

274

N =

M =

0 1 2 3 4

0 2 ∞ 7 8

2 0 5 ∞ ∞

∞ 5 0 1 ∞

∞ 6 ∞ 0 3

8 ∞ ∞ 3 0













D =

d =

C =

c =

) H

)

.E(l o

) Π

.E(l o

) Π

.E(l o

) ... Π

.E(l a

) Π

.E(l a

)

) H

)

) H

)

) H

)

) H

)

) H

)













.E(∞) Π

.E(8) ... Π

.E(5) Π

.E(0)

Figure 1: A graphical representation of steps (1), (3) and (4) during the encryption of a graph in cipherPath.

3.3.2 Key Generation

While SP is public knowledge, K must be kept secret.

K is composed of K

, the controlled disclosure key, K

the permutation key, and K

the object keys. The

key K is used to encrypt a graph at the client side, as

well as to decrypt single object values, i.e. lengths or

coordinates. As mentioned in section 2.2.3, the range

of m is reduced to −

< m <

3.3.3 Encryption

Encryption in cipherPath means to encrypt and per-

mutate edges and nodes of a graph in such a way

that only L

Enc

and L

Query

will be leaked to the server.

Further information about the graph, the query shell

be hidden from the provider completely. The length

of an edge is encrypted using an ehOPE scheme re-

sponsible for integer values called Π

and is linked

to an permutated entry in C, as in the algorithm

cipherPath.Enc(SP, K,M,N) step (3). The longi-

tude (lo) and latitude (la) values are encrypted using

.Enc a second ﬂoating point instance of ehOPE.

Nodes are then linked to two permutated entries in D

for the lo and la value, as can be seen in step (4).

Note, that permutation Q of vector D and permutation

P of matrix D result in the same arrangement, when

comparing the order of the vector to the order of the

rows. Finally all ciphertext elements, matrix C and

its values c

as well as vector D and its values d

are

returned as ciphertext (CT ).

3.3.4 Token

In a real world scenario no one will know the exact

index of a speciﬁc edge or node of a graph, whilst

street (edge) or building (node) names are easy to re-

member. Therefore we introduce a trapdoor T

for

label based searches. By embedding an object identi-

ﬁer together with a hashed and row- and column-wise

encrypted label inside the matrix C we are able to in-

dex all edges. The node vector also embeds two iden-

tiﬁers (lo,la) together with a hashed and index-wise

encrypted label in D.

3.3.5 Lookup

In the lookup algorithms we parse the index (T

) or

label based (T

) token calculate the pointer i to the

correct position in c respectively d. Afterwards we

return the pointer together with the object ciphertext

(

{

}

). This behavior can be seen in Figure 2. The

matrix C and the vector D can be thought of a kind

of a searchable encrypted index with pointers to the

corresponding data items c

and d

3.3.6 Decryption

To decrypt c

or d

the client utilizes the corresponding

decrypt functions Dec

(SP,K, c

) for integer values or

Dec

(SP,K, d

) for ﬂoating point values.

4 SHORTEST PATH

The shortest path problem is sometimes also called

single-source shortest path problem (SSSP), to dis-

tinguish it from other variations like the single-

destination shortest path (SDSP) or the all-pairs short-

est path problem (APSP). Before we inspect (Dijkstra

et al., 1959) on cipherPath, we want to make clear that

it is also possible to take the APSP approach, for ex-

ample using (Floyd, 1962) on cipherPath. Additional

sets d for distances, p for predecessors as well as Q

are needed to run the algorithm by Dijkstra, as can be

seen in Figure 3. First of all the label based trapdoors

for start (1) and end (2) need to be looked up. After an

initialization of d (1,3), p (3,4) and Q (4) we look for

the shortest path of the current node to another node u

(4.a) until we reached our target (4.b) or there are no

more nodes left (4).

Otherwise we inspect each neighbor of u by ask-

ing the client to disclose the u

row in CT.C (5.c.I)

and looking up the corresponding lengths (5.c.II).

Using the disclosed information we are able to run

update (5.c.III). As we are proceeding to disclose

nodes on the path between T

and T

, we are leak-

ing information that is helping the attacker.

cipherPath: Efﬁcient Traversals over Homomorphically Encrypted Paths

275

Let H :

{

0,1

}

{

0,1

}

∗

→

{

0,1

}

and F :

{

0,1

}

{

0,1

}

∗

→

{

0,1

}

be pseudo-random func-

tions, Q :

{

0,1

}

× [n] → [n] and P :

{

0,1

}

× [λ

] × [λ

] → Q (K,[λ

]) × Q



−1

,[λ

]



be pseudo-

random permutations and let Π

= (Setup,Gen,Enc,Dec,Add, Sub,Mul,Comp) be an ehOPE

and Π

(Setup,Gen, Enc,Dec,Add,Sub, Mul,Comp) be an ehOPE

encryption scheme. Our encrypted shortest path

framework cipherPath = (Setup,Gen, Enc,Token

,Token

,Lookup

,Dec) is then deﬁned as follows:

{SP} ← Setup(1

,h): Setup both ehOPE schemes

{

}

←



.Setup(1

),Π

.Setup(1

),h, h



with k be-

ing the security parameter and h = h

+,h

(with h

and h

being the bit length of pointers to d and c) Return

the SP.

{K} ← Gen(SP): generate two random k-bit strings K

and key K

= (EK, DK) ← Π

.Gen() and K

(EK,DK) ← Π

.Gen(). Output K = (K

{CT } ← Enc(SP, K,M,N): Construct ciphertext CT as follows:

(1) Parse the edge matrix M as m with label l

and parse the node vector N as n with label l

(2) Choose a k-bit random key K

(3) Generate matrix C and vector c by:

(a) Choose a pseudo-random permutation G :

{

0,1

}

× [m] → [m].

(b) Generate a λ

× λ

matrix C as follows:

∀(α,β) ∈ [λ

] × [λ

]: store hG

(i),H

)i ⊕ F

(α,β) where i = M

α,β

at (α

,β

) = P

(α,β) in C.

α,β

=⊥, then hG

(i),H

)i is replaced with a random, large enough value h∞,H

(∞)i.

(d) ∀(i) ∈ [m]: Let j = G

(i) and set c

← Π

.Enc

(4) Generate index vector D of length n and data vector d of length 2n:

(a) Choose a pseudo-random permutation I :

{

0,1

}

× [n] → [n].

(b) Generate vector D of length n as follows:

∀(i) ∈ [n]: store hI

(i),I

(i + n),H

)i ⊕ F

(i) at location n

= Q

(i) in D

∀(i) ∈ [n]: Let j = I

(i) and set d

← Π

.Enc

∀(i) ∈ [n]: Let j = I

(i + n) and set d

← Π

.Enc

(5) Output CT =

{

C, c, D,d

}

} ← Token

(SP,K, l): generate ∀(i) ∈ [n]: set t

= h0,0,H

(l)i ⊕ F

(i). Output T

{

,. ..,t

}

} ← Token

(SP,K, l): generate ∀(α,β) ∈ [λ

] × [λ

]: set t

= h0, 0,H

(l)i ⊕ F

(α,β). Output T

{

,. ..,t

}

} ← Token

(SP,K, α,β): output T

= (s,α

,β

), where s = F

(α,β) and (α

,β

) = P

(α,β).

} ← Token

(SP,K, α): output T

= (s,α

,⊥), where s = F

(α) and α

= Q

(α).

{CT

∗

,i} ← Lookup

(SP,CT,T

): parse T

as (s,α

,β

);

(1) If β

==⊥, this is a node token:

compute i = (s ⊕CT .D

)  (h

+ h

) and j = (s ⊕CT .D

)  h

and output



{

CT .d

}



CT .d

, j



(2) If there is a β

value, compute j =



s ⊕CT .C

,β



 h and output



CT .c

, j



{CT

∗

,i} ← Lookup

(SP,CT,T

): parse T

as (t

,. ..t

);

(1) If x == n, this is a node lookup. Compute ∀(i) ∈ [n]:

(a) compute h = CT .D

 (k − h).

(b) if h == (t

 (k − h)) compute j = (t

⊕CT .D

)  (h

+ h

) and k = (t

⊕CT .D

)  h

and output



CT .c

, j



{

CT .c

}



{

⊥,⊥

}

(2) Otherwise this is an edge lookup. Compute ∀(i) ∈ [m]:

(a) compute α

= (i mod n) and β

= b

(b) compute h = CT .C

,β

 (k − h).

 (k − h): compute j =



⊕CT .C

,β



 h and output



CT .c

, j



{PT

,PT

} ← Dec

(SP,K,CT

): Decrypt vertex coordinates PT

= Π

.Dec





and PT

.Dec

(CT

{PT

} ← Dec

(SP,K,CT

): Decrypt edge length CT

using Π

.Dec

(CT

Figure 2: Steps Setup, Gen, Enc, Token, Lookup, Dec of our encrypted geospatial framework.

SECRYPT 2020 - 17th International Conference on Security and Cryptography

276



(CT

),.. .,(CT

)



← Di j(SP,CT,T

(1)





= cipherPath.Lookup

(SP,CT,T

d[s] = 0.

(2)





= cipherPath.Lookup

(SP,CT,T

(3) ∀n ∈ CT.D \

{

s,t

}

d[n] = ∞. p[n] =⊥. add n to Q.

(4) While Q 6=

(a) u ← min

q∈p

(Q).

(b) If u == t return p[].

(I) disclose T = {T

,.. .,T

} ← ∀i ∈ [n] :

cipherPath.Token

(SP,K, u,i).

(II) CT =





,.. .,

{

}



← ∀i ∈ T :

cipherPath.Lookup

(SP,CT,T

(III) ∀i

0,...,n

∈ CT : I f n

∈ Q :

a ← Π

.Add(SP,d[u],dist(u,v))

If Π

.Comp(a,d[v]) == −1: Set d[v] := a and

p[v] := u.

Figure 3: Dijkstra based on cipherPath.

5 LEAKAGE

We now present our simulation-based security def-

inition against malicious adversaries. Please recall

the deﬁnition of (L

Enc

Query

) −CQA2 security. In

a CQA2 attack, we assume that the adversary is al-

lowed to make multiple adaptive queries to the data

structure. We seek to guarantee that the adversary

can only learn what was accessed and the result of

the query. All other information is to be kept secret.

Theorem 5.1.

Let Λ = (Setup,Gen,Enc,Token

∗

,Lookup

∗

,Dec

∗

) be

an cipherPath scheme for message space m, query

space q, result space r and the query F : m × q → r.

Consider the following two experiments for the leak-

age functions L

Enc

and L

Query

, adversary A, chal-

lenger C, and simulator S:

Real

A,C

(λ): C begins by running Λ.Gen(1

) to gener-

ate K. A outputs a graph G. C runs Λ.Enc(K, G)

to generate CT . Afterwards he sends CT to A. A

adaptively makes a polynomial number of Dijk-

stra queries q

,. ..,q

. For each query q

, A inter-

acts with C. C plays the part of the client in the

protocol with input (K,q

) and sends its output to

A. Finally, A outputs a bit b.

Ideal

A,C,S

(λ): Initially, A outputs graph G. S is given

Enc

(G), and outputs CT . A adaptively makes a

polynomial number of queries q

,. ..,q

. For each

query q

, S is given L

Query

(m,q

,. ..,q

) and inter-

acts with A. S produces a ﬂag f ; i f f =

0 ,the chal-

lenger sends

0 to A, otherwise it sends F(m,q

Finally, A outputs a bit b.

We say that Λ is (L

Enc

Query

)−CQA2 secure against

malicious adversaries if, for all PPT adversaries A,

there exists a simulator S such that:

|Pr[Real

A,C

(λ) = 1] − Pr[Ideal

A,C,S

(λ) = 1]| ≤ negl(λ)

The information that is leaked about the message

m is given by L

Enc

(m) and is analyzed in subsec-

tion 5.1. The shortest path query also leaks informa-

tion, which is given by L

Query

(m,q

,. ..,q

). It do-

nates the leakage of L

Enc

(m) in combination with all

executed queries from (q

) up to now (q

). This be-

havior is analyzed in subsection 5.2.

5.1 Leakage Analysis of Encryption

The encryption leakage L

Enc

of our construction out-

puts (N,O

(CT.d),O

(CT.c)), which is deﬁned

by:

• the total number of encrypted nodes N = |d| in the

underlying graph G.

• the 1D order of all edges by length, given as

(CT.c) = Ord

< ... < c

• the 1D order of all coordinate values lo and la ,

given as O

(CT.d) = Ord

< ... < d

The order of all values of Π

and Π

is leaked on the

server, but as long as the server is not able to correlate

those values to nodes or edges we are safe.

5.2 Leakage Analysis for Queries

The probability to reconstruct G is higher, when ad-

ditional leakage by the query algorithms can be corre-

lated to leaked information by L

Enc

(G). As Dijkstra

and Floyd both intentionally leak the 2D as well as

the path pattern, including the L

distance between

multiple nodes along the path, an honest but curi-

ous adversary could collect this information to fur-

ther reﬁne his knowledge about the plaintext graph

G. The query leakage L

Query

of our construction gives

(s,O

(n),e), which is deﬁned by:

• the length pattern s, which is the number of edges

and nodes between the start and the target node.

• the 2D order of all nodes n along

a path P, given as by O

(n) =

Ord

(

{

,. ..,n

}

) = Ord



< ... < n



Ord



< ... < n



. This is leaked, because

the server is now able to correlate the 2D order of

nodes along P by their lo and la order.

• the edge pattern e along a path P , which allows an

attacker to link the 1D order of edges to speciﬁc

nodes. This information helps the attacker to even

further reﬁne his information about G.

As there is no frequency in Π

and Π

∗

, we leak the

ideal proﬁle according to (Durak et al., 2016). The

order of the coordinates may be abused to reconstruct

G in a 2-D sort attack. By the metrics of (Naveed

cipherPath: Efﬁcient Traversals over Homomorphically Encrypted Paths

277

et al., 2015), such an attack does not work a hundred

percent, yet it is obvious that much of the structural

behavior is revealed, including relatively ﬁne details

like the density of points in speciﬁc areas of the graph.

In order to prevent such an attack, we can restrict the

number of nodes. As CT is only used for routing and

not display purposes, we can reduce the attack vec-

tor by limiting the number of encrypted nodes, while

parsing an OSM map. This can be done by throw-

ing away unnecessary intermediate nodes, for exam-

ple nodes with a degree ≤ 2.

6 CONCLUSION

We presented cipherPath: Efﬁcient Traversals over

Homomorphically Encrypted Paths, a framework for

the computation of the shortest path in an encrypted

graph. We showed how to construct our framework

based on cryptographic preliminaries and how ﬁnd

the shortest paths between encrypted nodes. Finally

we analyzed the security and the leakage of our con-

struction. A future direction might be the defense

against more sophisticated graph similarity attacks,

like the neural network approach given by (Bai et al.,

2018). Our goal is to ﬁnd an upper barrier on the num-

ber of nodes, from which on neural network attacks

become feasible. Another direction of research might

be the sharding of a CT into multiple subsets spread

accross multiple provider.

ACKNOWLEDGEMENTS

This work has been funded by the Fraunhofer Cluster

of Excellence ’Cognitive Internet Technologies’

REFERENCES

Bai, Y., Ding, H., Sun, Y., and Wang, W. (2018). Convolu-

tional set matching for graph similarity. arXiv preprint

arXiv:1810.10866.

Bost, R. (2016).

∑

oϕoς: Forward secure searchable en-

cryption. In Proceedings of the 2016 ACM SIGSAC

Conference on Computer and Communications Secu-

rity, pages 1143–1154.

Cash, D., Jaeger, J., Jarecki, S., Jutla, C. S., Krawczyk, H.,

Rosu, M.-C., and Steiner, M. (2014). Dynamic search-

able encryption in very-large databases: data struc-

tures and implementation. In NDSS, volume 14, pages

23–26. Citeseer.

https://www.cit.fraunhofer.de

Chase, M. and Kamara, S. (2010). Structured encryption

and controlled disclosure. In International Conference

on the Theory and Application of Cryptology and In-

formation Security, pages 577–594. Springer.

Curtmola, R., Garay, J., Kamara, S., and Ostrovsky, R.

(2011). Searchable symmetric encryption: improved

deﬁnitions and efﬁcient constructions. Journal of

Computer Security, 19(5):895–934.

Dijkstra, E. W. et al. (1959). A note on two problems

in connexion with graphs. Numerische mathematik,

1(1):269–271.

Durak, F. B., DuBuisson, T. M., and Cash, D. (2016). What

else is revealed by order-revealing encryption? In

Proceedings of the 2016 ACM SIGSAC Conference

on Computer and Communications Security, pages

1155–1166.

ElGamal, T. (1985). A public key cryptosystem and a signa-

ture scheme based on discrete logarithms. IEEE trans-

actions on information theory, 31(4):469–472.

Failla, P. (2010). Heuristic search in encrypted graphs.

In 2010 Fourth International Conference on Emerg-

ing Security Information, Systems and Technologies,

pages 82–87. IEEE.

Floyd, R. W. (1962). Algorithm 97: shortest path. Commu-

nications of the ACM, 5(6):345.

Lipmaa, H. (2010). On the cca1-security of elgamal and

damg

ard’s elgamal. In International Conference on

Information Security and Cryptology, pages 18–35.

Springer.

Meng, X., Kamara, S., Nissim, K., and Kollios, G. (2015).

Grecs: Graph encryption for approximate shortest

distance queries. In Proceedings of the 22nd ACM

SIGSAC Conference on Computer and Communica-

tions Security, pages 504–517. ACM.

Naveed, M., Kamara, S., and Wright, C. V. (2015).

Inference attacks on property-preserving encrypted

databases. In Proceedings of the 22nd ACM SIGSAC

Conference on Computer and Communications Secu-

rity, pages 644–655.

Paillier, P. (1999). Public-key cryptosystems based on com-

posite degree residuosity classes. In International

conference on the theory and applications of crypto-

graphic techniques, pages 223–238. Springer.

Peng, Y., Li, H., Cui, J., Zhang, J., Ma, J., and Peng,

C. (2017). hope: improved order preserving en-

cryption with the power to homomorphic operations

of ciphertexts. Science China Information Sciences,

60(6):062101.

Samanthula, B. K., Rao, F.-Y., Bertino, E., and Yi, X.

(2015). Privacy-preserving protocols for shortest path

discovery over outsourced encrypted graph data. In

2015 IEEE International Conference on Information

Reuse and Integration, pages 427–434. IEEE.

Song, D. X., Wagner, D., and Perrig, A. (2000). Practical

techniques for searches on encrypted data. In Pro-

ceeding 2000 IEEE Symposium on Security and Pri-

vacy. S&P 2000, pages 44–55. IEEE.

SECRYPT 2020 - 17th International Conference on Security and Cryptography

278