confidential (disease) and non-confidential (name, zip-code) values. In the following, only the predicate md() - associating antibiotics with diseases - will operate on confidential data:
SELECT patients.name,antibiotics.name FROM patients,antibiotics
WHERE md(patients.disease,antibiotics.name)
AND patients.zipcode = 10128
This will be achieved (as discussed above) by encrypting the patients.disease attribute and generating metadata for the antibiotics relation (which contains a list of diseases that each antibiotic is recommended for).
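The following Python sketch is an added illustration, not the chapter's own code: the encryption and metadata construction the text refers to are described earlier in the chapter and are not reproduced here, so keyed HMAC tokens stand in for the encrypted disease attribute, the antibiotics metadata is built as sets of such tokens, and the key and tables are constructed. It shows how the server evaluates md() over the confidential column without seeing the disease, and what it still learns.

```python
import hashlib
import hmac

# Constructed demo key held by the client; the server never sees it.
CLIENT_KEY = b"constructed-demo-key-do-not-reuse"


def disease_token(disease: str) -> str:
    # Keyed, deterministic token standing in for the encrypted disease value.
    # The server can compare tokens for equality but cannot recover the disease
    # without CLIENT_KEY. Determinism is what lets md() run server-side, and it
    # is also the leakage: equal diseases give equal tokens, so the server learns
    # equality and frequency patterns across patients.
    return hmac.new(CLIENT_KEY, disease.lower().encode(), hashlib.sha256).hexdigest()[:16]


# Constructed plaintext tables, as held by the client before outsourcing.
PATIENTS = [("alice", "strep throat", 10128), ("bob", "pneumonia", 10128),
            ("carol", "strep throat", 90210)]
ANTIBIOTICS = {"amoxicillin": ["strep throat", "pneumonia"], "azithromycin": ["pneumonia"]}


def outsource(patients, antibiotics):
    # Client side: replace patients.disease by its token and attach to each
    # antibiotic the set of tokens of the diseases it is recommended for, so the
    # server can evaluate md() by set membership alone.
    enc_patients = [(name, disease_token(d), zipcode) for name, d, zipcode in patients]
    metadata = {ab: {disease_token(d) for d in ds} for ab, ds in antibiotics.items()}
    return enc_patients, metadata


def md(token: str, antibiotic: str, metadata) -> bool:
    # Server-side predicate: tokenised disease against antibiotic metadata.
    return token in metadata[antibiotic]


def server_query(enc_patients, metadata, zipcode: int):
    # Server-side evaluation of SELECT patients.name, antibiotics.name
    # WHERE md(patients.disease, antibiotics.name) AND patients.zipcode = zipcode.
    # The name and zipcode columns are non-confidential and stay in the clear.
    return [(name, ab) for name, token, zc in enc_patients if zc == zipcode
            for ab in metadata if md(token, ab, metadata)]
```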
Additional predicate instances and applications of this solution are explored in [42], including mechanisms for Hamming distance evaluations and DNA fuzzy match predicates. Moreover, we show that the computation overheads of the solution are small. In initial evaluations, throughputs of well beyond 0.5 million predicate evaluations per second can be accommodated.
Future Work: Arbitrary Predicates. Policies. Query Composability.
In future work, we believe it is important to pursue arbitrary query types and multi-assurance compositions. For example, we would like to understand how to endow the above method with correctness assurances and data access privacy, as discussed in Sections 2.2 and 2.4, respectively.
Moreover, it is important to analyze the applicability of the protocols for general types of predicates. We believe a recursive decomposition approach can be applied to handle multiple-argument EFM predicates. Transformations from arbitrary predicates to a canonical EFM form should be explored. In a first stage this is easy to achieve by simply discretizing queries over continuous data domains. As this will introduce small errors in results (of a magnitude inversely proportional to the quantization), this process needs to be designed such that the errors will result only in the addition of a small, controllable number of non-matching tuples. These will then be pruned by the client.
To fully leverage the potential offered by confidentiality assurances, it is important to investigate an integration with security policy frameworks [60, 111]. This will allow for more complex specifications over the space of data sets, access rights, confidentiality policies and principals. For example, such specifications could include relaxation of expensive DBMS-maintained access control for data sets that are already encrypted.
Exploring novel notions of confidential query "composability" in the presence of multiple confidential data sources and associated secrets (e.g., cryptographic keys) is another avenue of future research. We believe this can be achieved by deploying intra-server secure multi-party computation (SMC) protocols [55, 58, 59, 63, 78] mediated by secure hardware. The presence of secure hardware will result in more efficient, practical SMC. This will ultimately allow for multi-source confidential data integration.