Order-Revealing Encryption: New Constructions, Applications, and Lower Bounds

In the last few years, there has been significant interest in developing methods to search over encrypted data. In the case of range queries, a simple solution is to encrypt the contents of the database using an order-preserving encryption (OPE) scheme (i.e., an encryption scheme that supports comparisons over encrypted values). However, Naveed et al. (CCS 2015) recently showed that OPE-encrypted databases are extremely vulnerable to "inference attacks." In this work, we consider a related primitive called order-revealing encryption (ORE), which is a generalization of OPE that allows for stronger security. We begin by constructing a new ORE scheme for small message spaces which achieves the "best-possible" notion of security for ORE. Next, we introduce a "domain extension" technique and apply it to our small-message-space ORE. While our domain-extension technique does incur a loss in security, the resulting ORE scheme we obtain is more secure than all existing (stateless and non-interactive) OPE and ORE schemes which are practical. All of our constructions rely only on symmetric primitives. As part of our analysis, we also give a tight lower bound for OPE and show that no efficient OPE scheme can satisfy best-possible security if the message space contains just three messages. Thus, achieving strong notions of security for even small message spaces requires moving beyond OPE. Finally, we examine the properties of our new ORE scheme and show how to use it to construct an efficient range query protocol that is robust against the inference attacks of Naveed et al. We also give a full implementation of our new ORE scheme, and show that not only is our scheme more secure than existing OPE schemes, it is also faster: encrypting a 32-bit integer requires just 55 microseconds, which is more than 65 times faster than existing OPE schemes.

[1] Ramakrishnan Srikant, et al. Order preserving encryption for numeric data, 2004, SIGMOD '04.

[2] Arkady Yerukhimovich, et al. POPE: Partial Order Preserving Encoding, 2016, CCS.

[3] Eu-Jin Goh, et al. Secure Indexes, 2003, IACR Cryptol. ePrint Arch.

[4] David J. Wu, et al. Practical Order-Revealing Encryption with Limited Leakage, 2016, FSE.

[5] Hari Balakrishnan, et al. CryptDB: protecting confidentiality with encrypted query processing, 2011, SOSP.

[6] Hugo Krawczyk, et al. Highly-Scalable Searchable Symmetric Encryption with Support for Boolean Queries, 2013, IACR Cryptol. ePrint Arch.

[7] Torbjörn Granlund, et al. GNU MP 6.0 Multiple Precision Arithmetic Library, 2015.

[8] Michael Mitzenmacher, et al. Privacy Preserving Keyword Searches on Remote Encrypted Data, 2005, ACNS.

[9] Ilan Komargodski, et al. Multi-input Functional Encryption in the Private-Key Setting: Stronger Security from Weaker Assumptions, 2016, EUROCRYPT.

[10] Mihir Bellare, et al. Efficient Garbling from a Fixed-Key Blockcipher, 2013, 2013 IEEE Symposium on Security and Privacy.

[11] Nicky Mouha, et al. Simpira v2: A Family of Efficient Permutations Using the AES Round Function, 2016, ASIACRYPT.

[12] Cong Zhang, et al. Reducing the Leakage in Practical Order-Revealing Encryption, 2016, IACR Cryptol. ePrint Arch.

[13] Craig Gentry, et al. Candidate Multilinear Maps from Ideal Lattices, 2013, EUROCRYPT.

[14] Abhishek Jain, et al. Indistinguishability Obfuscation from Compact Functional Encryption, 2015, CRYPTO.

[15] Hugo Krawczyk, et al. Outsourced symmetric private information retrieval, 2013, IACR Cryptol. ePrint Arch.

[16] Ran Canetti, et al. Modular Order-Preserving Encryption, Revisited, 2015, SIGMOD Conference.

[17] Mihir Bellare, et al. Random oracles are practical: a paradigm for designing efficient protocols, 1993, CCS '93.

[18] Marc Joye, et al. Practical Trade-Offs for Multi-Input Functional Encryption, 2016, IACR Cryptol. ePrint Arch.

[19] Carl A. Gunter, et al. Dynamic Searchable Encryption via Blind Storage, 2014, 2014 IEEE Symposium on Security and Privacy.

[20] Michael Luby, et al. How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract), 1986, CRYPTO.

[21] Takeshi Koshiba, et al. Secure pattern matching using somewhat homomorphic encryption, 2013, CCSW.

[22] Melissa Chase, et al. Structured Encryption and Controlled Disclosure, 2010, IACR Cryptol. ePrint Arch.

[23] Rishabh Poddar, et al. A Secure One-Roundtrip Index for Range Queries, 2016, IACR Cryptol. ePrint Arch.

[24] Craig Gentry, et al. Fully homomorphic encryption using ideal lattices, 2009, STOC '09.

[25] Amit Sahai, et al. Multi-Input Functional Encryption, 2014, IACR Cryptol. ePrint Arch.

[26] Sanjit Chatterjee, et al. Property Preserving Symmetric Encryption Revisited, 2015, ASIACRYPT.

[27] Donald Ervin Knuth, et al. The Art of Computer Programming, Volume II: Seminumerical Algorithms, 1970.

[28] Nathan Chenette, et al. Order-Preserving Encryption Revisited: Improved Security Analysis and Alternative Solutions, 2011, CRYPTO.

[29] Amit Sahai, et al. On the (im)possibility of obfuscating programs, 2001, JACM.

[30] Yannis Rouselakis, et al. Property Preserving Symmetric Encryption, 2012, EUROCRYPT.

[31] Charles V. Wright, et al. Inference Attacks on Property-Preserving Encrypted Databases, 2015, CCS.

[32] Florian Kerschbaum, et al. Optimal Average-Complexity Ideal-Security Order-Preserving Encryption, 2014, CCS.

[33] Brent Waters, et al. Candidate Indistinguishability Obfuscation and Functional Encryption for all Circuits, 2013, 2013 IEEE 54th Annual Symposium on Foundations of Computer Science.

[34] Brent Waters, et al. Functional Encryption: Definitions and Challenges, 2011, TCC.

[35] Craig Gentry, et al. Private Database Queries Using Somewhat Homomorphic Encryption, 2013, ACNS.

[36] Rafail Ostrovsky, et al. Searchable symmetric encryption: improved definitions and efficient constructions, 2006, CCS '06.

[37] Jean-Sébastien Coron, et al. Practical Multilinear Maps over the Integers, 2013, CRYPTO.

[38] George Kollios, et al. A Comparative Evaluation of Order-Preserving and Order-Revealing Schemes and Protocols, 2018, IACR Cryptol. ePrint Arch.

[39] Rafail Ostrovsky, et al. Software protection and simulation on oblivious RAMs, 1996, JACM.

[40] Florian Kerschbaum, et al. Frequency-Hiding Order-Preserving Encryption, 2015, CCS.

[41] Dan Boneh, et al. Applications of Multilinear Forms to Cryptography, 2002, IACR Cryptol. ePrint Arch.

[42] Andrew Chi-Chih Yao, et al. Protocols for Secure Computations (Extended Abstract), 1982, FOCS.

[43] Nathan Chenette, et al. Order-Preserving Symmetric Encryption, 2009, IACR Cryptol. ePrint Arch.

[44] David J. Wu, et al. Function-Hiding Inner Product Encryption is Practical, 2018, IACR Cryptol. ePrint Arch.

[45] Dawn Xiaodong Song, et al. Practical techniques for searches on encrypted data, 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[46] Nickolai Zeldovich, et al. An Ideal-Security Protocol for Order-Preserving Encoding, 2013, 2013 IEEE Symposium on Security and Privacy.

[47] Angelos D. Keromytis, et al. Blind Seer: A Scalable Private DBMS, 2014, 2014 IEEE Symposium on Security and Privacy.

[48] Carsten Binnig, et al. Dictionary-based order-preserving string compression for main memory column stores, 2009, SIGMOD Conference.

[49] Brent Waters, et al. Conjunctive, Subset, and Range Queries on Encrypted Data, 2007, TCC.

[50] Mark Zhandry, et al. Semantically Secure Order-Revealing Encryption: Multi-input Functional Encryption Without Obfuscation, 2015, EUROCRYPT.

[51] Hiroyuki Kitagawa, et al. A Secure and Efficient Order Preserving Encryption Scheme for Relational Databases, 2010, KMIS.

[52] Moti Yung, et al. Order-Preserving Encryption Secure Beyond One-Wayness, 2014, IACR Cryptol. ePrint Arch.

[53] Hugo Krawczyk, et al. Rich Queries on Encrypted Data: Beyond Exact Matches, 2015, ESORICS.

[54] Silvio Micali, et al. Probabilistic Encryption, 1984, J. Comput. Syst. Sci.

[55] OpenSSL. OpenSSL: The open source toolkit for SSL/TLS, 2002.

[56] Ilan Komargodski, et al. From Single-Input to Multi-Input Functional Encryption in the Private-Key Setting, 2015, IACR Cryptol. ePrint Arch.

[57] Andrew Chi-Chih Yao, et al. Protocols for secure computations, 1982, FOCS 1982.

[58] Silvio Micali, et al. How to construct random functions, 1986, JACM.

[59] Hugo Krawczyk, et al. Dynamic Searchable Encryption in Very-Large Databases: Data Structures and Implementation, 2014, NDSS.