aws
diff --git a/‎Examples/runtimes/java/DynamoDbEncryption/src/main/java/software/amazon/cryptography/examples/searchableencryption/BasicSearchableEncryptionExample.java
Lines changed: 123 additions & 88 deletions b/‎Examples/runtimes/java/DynamoDbEncryption/src/main/java/software/amazon/cryptography/examples/searchableencryption/BasicSearchableEncryptionExample.java
Lines changed: 123 additions & 88 deletions
@@ -34,22 +34,21 @@
 /*
   This example demonstrates how to set up a beacon on an encrypted attribute,
   put an item with the beacon, and query against that beacon.
-  This example follows a use case of a database that stores customer location data.
+  This example follows a use case of a database that stores unit inspection information.
 
-  Running this example requires access to a DDB table  with the
-  following primary key configuration:
-    - Partition key is named "customer_id" with type (S)
-    - Sort key is named "create_time" with type (S)
-  This table must have a Global Secondary Index (GSI) configured named "state-zip-index":
-    - Partition key is named "aws_dbe_b_state" with type (S)
-    - Sort key is named "aws_dbe_b_zip" with type (S)
+  Running this example requires access to a DDB table with the
+  following key configuration:
+    - Partition key is named "work_id" with type (S)
+    - Sort key is named "inspection_date" with type (S)
+  This table must have a Global Secondary Index (GSI) configured named "last4-unit-index":
+    - Partition key is named "aws_dbe_b_inspector_id_last4" with type (S)
+    - Sort key is named "aws_dbe_b_unit" with type (S)
 
-  In this example for storing customer location data, this schema is utilized for the data:
-   - "customer_id" stores a unique customer identifier
-   - "create_time" stores a Unix timestamp
-   - "state" stores an encrypted 2-letter US state or territory abbreviation
-         (https://www.faa.gov/air_traffic/publications/atpubs/cnt_html/appendix_a.html)
-   - "zip" stores an encrypted 5-digit US zipcode (00000 - 99999)
+  In this example for storing unit inspection information, this schema is utilized for the data:
+   - "work_id" stores a unique identifier for a unit inspection work order (v4 UUID)
+   - "inspection_date" stores an ISO 8601 date for the inspection (YYYY-MM-DD)
+   - "inspector_id_last4" stores the last 4 digits of the ID of the inspector performing the work
+   - "unit" stores a 12-digit serial number for the unit being inspected
 
   The example requires the following ordered input command line parameters:
     1. DDB table name for table to put/query data from
@@ -61,10 +60,9 @@ This table must have a Global Secondary Index (GSI) configured named "state-zip-
  */
 
 public class BasicSearchableEncryptionExample {
-
-  static String GSI_NAME = "state-zip-index";
-
-  public static void PutItemQueryItemWithBeacon(String ddbTableName, String branchKeyId, String branchKeyWrappingKmsKeyArn, String branchKeyDdbTableName) {
+  static String GSI_NAME = "last4-unit-index";
+  public static void PutItemQueryItemWithBeacon(String ddbTableName, String branchKeyId,
+      String branchKeyWrappingKmsKeyArn, String branchKeyDdbTableName) {
 
     // 1. Configure Beacons.
     //    The beacon name must be the name of a table attribute that will be encrypted.
@@ -73,56 +71,90 @@ public static void PutItemQueryItemWithBeacon(String ddbTableName, String branch
     //        https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/choosing-beacon-length.html
     List<StandardBeacon> standardBeaconList = new ArrayList<>();
 
-    // The configured DDB table has a GSI on the `aws_dbe_b_state` AttributeName
-    // Since this field is assumed to hold a well-distributed US 2-letter state abbreviation
-    //   (56 = 50 states + 6 territories),
-    //   we follow the guidance in the link above to determine acceptable bounds for beacon length:
-    //    - min: log(sqrt(56))/log(2) ~= 2.9, round up to 3
-    //    - max: log((56/2))/log(2) ~= 4.8, round up to 5
-    // We can safely choose a beacon length between 3 and 5:
-    //  - Closer to 3, the underlying data is better obfuscated, but more "false positives" are returned in
-    //    queries, leading to more decrypt calls and worse performance
-    //  - Closer to 5, fewer "false positives" are returned in queries, leading to fewer decrypt calls and
-    //    better performance, but it is easier to distinguish unique plaintext values
-    // As an example, we will choose 4.
-    // Values stored in aws_dbe_b_state will be 4 bits long (0x0 - 0xf)
-    // There will be 2^4 = 16 possible HMAC values.
-    // With well-distributed plaintext data (56 values), we expect (56/16) = 3.5 abbrevations sharing the same beacon
-    //   value.
-    // NOTE: This example assumes that the field values are well-distributed. In practice, this will not be true.
-    //       Some flaws in this assumption:
-    //        - More populous states would be expected to have more records; those beacons will be overused
-    //        - States where a business is not operating would expect no customer records for that state; those
-    //          beacons will be underused
-    //       This is a streamlined example and should not be used as a basis for determining beacon length
-    //       in production. Users should analyze their specific dataset to determine acceptable beacon length bounds.
-    StandardBeacon stringBeacon = StandardBeacon.builder()
-        .name("state")
-        .length(4)
-        .build();
-    standardBeaconList.add(stringBeacon);
-
-    // The configured DDB table has a GSI on the `aws_dbe_b_zip` AttributeName
-    // Since this field holds a well-distributed zipcode (100,000 possible values, of which ~42,000 are valid;
-    //   see: https://facts.usps.com/42000-zip-codes/),
-    //  we follow the guidance in the link above to determine acceptable bounds for beacon length:
-    //    - min: log(sqrt(42,000))/log(2) ~= 7.7, round up to 8
-    //    - max: log((42,000/2))/log(2) ~= 14.3, round up to 15
-    // We can safely choose a beacon length between 8 and 15:
-    //  - Closer to 8, the underlying data is better obfuscated, but more "false positives" are returned in
-    //    queries, leading to more decrypt calls and worse performance
-    //  - Closer to 15, fewer "false positives" are returned in queries, leading to fewer decrypt calls and
-    //    better performance, but it is easier to distinguish unique plaintext values
+    // The configured DDB table has a GSI on the `aws_dbe_b_inspector_id_last4` AttributeName.
+    // This field holds the last 4 digits of an inspector ID.
+    // For our example, this field may range from 0 to 9,999 (10,000 possible values).
+    // For our example, we assume a full inspector ID is an integer
+    //     ranging from 0 to 99,999,999. We do not assume that the full inspector ID's
+    //     values are uniformly distributed across its range of possible values.
+    //     In many use cases, the prefix of an identifier encodes some information
+    //     about that identifier (e.g. zipcode and SSN prefixes encode geographic
+    //     information), while the suffix does not and is more uniformly distributed.
+    //     We will assume that the inspector ID field matches a similar use case.
+    //     So for this example, we only store and use the last
+    //     4 digits of the inspector ID, which we assume is uniformly distributed.
+    // Since the full ID's range is divisible by the range of the last 4 digits,
+    //     then the last 4 digits of the inspector ID are uniformly distributed
+    //     over the range from 0 to 9,999.
+    // See our documentation for why you should avoid creating beacons over non-uniform distributions
+    //  https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/searchable-encryption.html#are-beacons-right-for-me
+    // A single inspector ID suffix may be assigned to multiple `work_id`s.
+    //
+    // This link provides guidance for choosing a beacon length:
+    //    https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/choosing-beacon-length.html
+    // We follow the guidance in the link above to determine reasonable bounds
+    // for the length of a beacon on the last 4 digits of an inspector ID:
+    //  - min: log(sqrt(10,000))/log(2) ~= 6.6, round up to 7
+    //  - max: log((10,000/2))/log(2) ~= 12.3, round down to 12
+    // You will somehow need to round results to a nearby integer.
+    // We choose to round to the nearest integer; you might consider a different rounding approach.
+    // Rounding up will return fewer expected "false positives" in queries,
+    //    leading to fewer decrypt calls and better performance,
+    //    but it is easier to identify which beacon values encode distinct plaintexts.
+    // Rounding down will return more expected "false positives" in queries,
+    //    leading to more decrypt calls and worse performance,
+    //    but it is harder to identify which beacon values encode distinct plaintexts.
+    // We can choose a beacon length between 7 and 12:
+    //  - Closer to 7, we expect more "false positives" to be returned,
+    //    making it harder to identify which beacon values encode distinct plaintexts,
+    //    but leading to more decrypt calls and worse performance
+    //  - Closer to 12, we expect fewer "false positives" returned in queries,
+    //    leading to fewer decrypt calls and better performance,
+    //    but it is easier to identify which beacon values encode distinct plaintexts.
     // As an example, we will choose 10.
-    // Values stored in aws_dbe_b_zip will be 10 bits long (0x000 - 0x3ff).
-    // There will be 2^10 = 1024 possible HMAC values.
-    // With well-distributed plaintext data (100,000 values), we expect (42,000/1024) ~= 41 zipcodes sharing the same
-    //   beacon value.
-    StandardBeacon numberBeacon = StandardBeacon.builder()
-        .name("zip")
+    //
+    // Values stored in aws_dbe_b_inspector_id_last4 will be 10 bits long (0x000 - 0x3ff)
+    // There will be 2^10 = 1,024 possible HMAC values.
+    // With a sufficiently large number of well-distributed inspector IDs,
+    //    for a particular beacon we expect (10,000/1,024) ~= 9.8 4-digit inspector ID suffixes
+    //    sharing that beacon value.
+    StandardBeacon last4Beacon = StandardBeacon.builder()
+        .name("inspector_id_last4")
         .length(10)
         .build();
-    standardBeaconList.add(numberBeacon);
+    standardBeaconList.add(last4Beacon);
+
+    // The configured DDB table has a GSI on the `aws_dbe_b_unit` AttributeName.
+    // This field holds a unit serial number.
+    // For this example, this is a 12-digit integer from 0 to 999,999,999,999 (10^12 possible values).
+    // We will assume values for this attribute are uniformly distributed across this range.
+    // A single unit serial number may be assigned to multiple `work_id`s.
+    //
+    // This link provides guidance for choosing a beacon length:
+    //    https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/choosing-beacon-length.html
+    // We follow the guidance in the link above to determine reasonable bounds
+    // for the length of a beacon on a unit serial number:
+    //  - min: log(sqrt(999,999,999,999))/log(2) ~= 19.9, round up to 20
+    //  - max: log((999,999,999,999/2))/log(2) ~= 38.9, round up to 39
+    // We can choose a beacon length between 20 and 39:
+    //  - Closer to 20, we expect more "false positives" to be returned,
+    //    making it harder to identify which beacon values encode distinct plaintexts,
+    //    but leading to more decrypt calls and worse performance
+    //  - Closer to 39, we expect fewer "false positives" returned in queries,
+    //    leading to fewer decrypt calls and better performance,
+    //    but it is easier to identify which beacon values encode distinct plaintexts.
+    // As an example, we will choose 30.
+    //
+    // Values stored in aws_dbe_b_unit will be 30 bits long (0x00000000 - 0x3fffffff)
+    // There will be 2^30 = 1,073,741,824 ~= 1.1B possible HMAC values.
+    // With a sufficiently large number of well-distributed inspector IDs,
+    //    for a particular beacon we expect (10^12/2^30) ~= 931.3 unit serial numbers
+    //    sharing that beacon value.
+    StandardBeacon unitBeacon = StandardBeacon.builder()
+        .name("unit")
+        .length(30)
+        .build();
+    standardBeaconList.add(unitBeacon);
 
     // 2. Configure Keystore.
     //    The keystore is a separate DDB table where the client stores encryption and decryption materials.
@@ -196,18 +228,18 @@ public static void PutItemQueryItemWithBeacon(String ddbTableName, String branch
     //      - DO_NOTHING: The attribute is not encrypted and not included in the signature
     //    Any attributes that will be used in beacons must be configured as ENCRYPT_AND_SIGN.
     final Map<String, CryptoAction> attributeActionsOnEncrypt = new HashMap<>();
-    attributeActionsOnEncrypt.put("customer_id", CryptoAction.SIGN_ONLY); // Our partition attribute must be SIGN_ONLY
-    attributeActionsOnEncrypt.put("create_time", CryptoAction.SIGN_ONLY); // Our sort attribute must be SIGN_ONLY
-    attributeActionsOnEncrypt.put("state", CryptoAction.ENCRYPT_AND_SIGN); // Beaconized attributes must be encrypted
-    attributeActionsOnEncrypt.put("zip", CryptoAction.ENCRYPT_AND_SIGN); // Beaconized attributes must be encrypted
+    attributeActionsOnEncrypt.put("work_id", CryptoAction.SIGN_ONLY); // Our partition attribute must be SIGN_ONLY
+    attributeActionsOnEncrypt.put("inspection_date", CryptoAction.SIGN_ONLY); // Our sort attribute must be SIGN_ONLY
+    attributeActionsOnEncrypt.put("inspector_id_last4", CryptoAction.ENCRYPT_AND_SIGN); // Beaconized attributes must be encrypted
+    attributeActionsOnEncrypt.put("unit", CryptoAction.ENCRYPT_AND_SIGN); // Beaconized attributes must be encrypted
 
     // 6. Create the DynamoDb Encryption configuration for the table we will be writing to.
     //    The beaconVersions are added to the search configuration.
     final Map<String, DynamoDbTableEncryptionConfig> tableConfigs = new HashMap<>();
     final DynamoDbTableEncryptionConfig config = DynamoDbTableEncryptionConfig.builder()
         .logicalTableName(ddbTableName)
-        .partitionKeyName("customer_id")
-        .sortKeyName("create_time")
+        .partitionKeyName("work_id")
+        .sortKeyName("inspection_date")
         .attributeActionsOnEncrypt(attributeActionsOnEncrypt)
         .keyring(kmsKeyring)
         .search(SearchConfig.builder()
@@ -235,17 +267,17 @@ public static void PutItemQueryItemWithBeacon(String ddbTableName, String branch
     // 9. Put an item into our table using the above client.
     //    Before the item gets sent to DynamoDb, it will be encrypted
     //        client-side, according to our configuration.
-    //    Since our configuration includes beacons for `state` and `zip`,
+    //    Since our configuration includes beacons for `inspector_id_last4` and `unit`,
     //        the client will add two additional attributes to the item. These attributes will have names
-    //        `aws_dbe_b_state` and `aws_dbe_b_zip`. Their values will be HMACs
+    //        `aws_dbe_b_inspector_id_last4` and `aws_dbe_b_unit`. Their values will be HMACs
     //        truncated to as many bits as the beacon's `length` parameter; e.g.
-    //    aws_dbe_b_state = truncate(HMAC("WA"), 4)
-    //    aws_dbe_b_zip = truncate(HMAC("98101"), 10)
+    //    aws_dbe_b_inspector_id_last4 = truncate(HMAC("4321"), 10)
+    //    aws_dbe_b_unit = truncate(HMAC("123456789012"), 30)
     final HashMap<String, AttributeValue> item = new HashMap<>();
-    item.put("customer_id", AttributeValue.builder().s("ABCD-1234").build());
-    item.put("create_time", AttributeValue.builder().n("1681495205").build());
-    item.put("state", AttributeValue.builder().s("WA").build());
-    item.put("zip", AttributeValue.builder().s("98101").build());
+    item.put("work_id", AttributeValue.builder().s("1313ba89-5661-41eb-ba6c-cb1b4cb67b2d").build());
+    item.put("inspection_date", AttributeValue.builder().s("2023-06-13").build());
+    item.put("inspector_id_last4", AttributeValue.builder().s("4321").build());
+    item.put("unit", AttributeValue.builder().s("123456789012").build());
 
     final PutItemRequest putRequest = PutItemRequest.builder()
         .tableName(ddbTableName)
@@ -262,23 +294,26 @@ public static void PutItemQueryItemWithBeacon(String ddbTableName, String branch
     //         and transform the query to use the beaconized name and value.
     //     Internally, the client will query for and receive all items with a matching HMAC value in the beacon field.
     //     This may include a number of "false positives" with different ciphertext, but the same truncated HMAC.
-    //     e.g. if truncate(HMAC("WA"), 4) == truncate(HMAC("DC"), 4), the query will return both items.
+    //     e.g. if truncate(HMAC("123456789012"), 30)
+    //          == truncate(HMAC("098765432109"), 30),
+    //     the query will return both items.
     //     The client will decrypt all returned items to determine which ones have the expected attribute values,
     //         and only surface items with the correct plaintext to the user.
     //     This procedure is internal to the client and is abstracted away from the user;
-    //     e.g. the user will only see "WA" and never "DC", though the actual query returned both.
+    //     e.g. the user will only see "123456789012" and never
+    //        "098765432109", though the actual query returned both.
     Map<String,String> expressionAttributesNames = new HashMap<>();
-    expressionAttributesNames.put("#s", "state");
-    expressionAttributesNames.put("#z", "zip");
+    expressionAttributesNames.put("#last4", "inspector_id_last4");
+    expressionAttributesNames.put("#unit", "unit");
 
     Map<String,AttributeValue> expressionAttributeValues = new HashMap<>();
-    expressionAttributeValues.put(":s", AttributeValue.builder().s("WA").build());
-    expressionAttributeValues.put(":z", AttributeValue.builder().s("98101").build());
+    expressionAttributeValues.put(":last4", AttributeValue.builder().s("4321").build());
+    expressionAttributeValues.put(":unit", AttributeValue.builder().s("123456789012").build());
 
     QueryRequest queryRequest = QueryRequest.builder()
         .tableName(ddbTableName)
         .indexName(GSI_NAME)
-        .keyConditionExpression("#s = :s and #z = :z")
+        .keyConditionExpression("#last4 = :last4 and #unit = :unit")
         .expressionAttributeNames(expressionAttributesNames)
         .expressionAttributeValues(expressionAttributeValues)
         .build();
@@ -291,8 +326,8 @@ public static void PutItemQueryItemWithBeacon(String ddbTableName, String branch
     assert attributeValues.size() == 1;
     final Map<String, AttributeValue> returnedItem = attributeValues.get(0);
     // Validate the item has the expected attributes
-    assert returnedItem.get("state").s().equals("WA");
-    assert returnedItem.get("zip").s().equals("98101");
+    assert returnedItem.get("inspector_id_last4").s().equals("4321");
+    assert returnedItem.get("unit").s().equals("123456789012");
   }
 
   public static void main(final String[] args) {