DOI: 10.1145/2976749.2978376
Research article (Public Access)

Order-Revealing Encryption: New Constructions, Applications, and Lower Bounds

Published: 24 October 2016

ABSTRACT

In the last few years, there has been significant interest in developing methods to search over encrypted data. In the case of range queries, a simple solution is to encrypt the contents of the database using an order-preserving encryption (OPE) scheme (i.e., an encryption scheme that supports comparisons over encrypted values). However, Naveed et al. (CCS 2015) recently showed that OPE-encrypted databases are extremely vulnerable to "inference attacks."

In this work, we consider a related primitive called order-revealing encryption (ORE), which is a generalization of OPE that allows for stronger security. We begin by constructing a new ORE scheme for small message spaces which achieves the "best-possible" notion of security for ORE. Next, we introduce a "domain extension" technique and apply it to our small-message-space ORE. While our domain-extension technique does incur a loss in security, the resulting ORE scheme we obtain is more secure than all existing (stateless and non-interactive) OPE and ORE schemes which are practical. All of our constructions rely only on symmetric primitives. As part of our analysis, we also give a tight lower bound for OPE and show that no efficient OPE scheme can satisfy best-possible security if the message space contains just three messages. Thus, achieving strong notions of security for even small message spaces requires moving beyond OPE.

Finally, we examine the properties of our new ORE scheme and show how to use it to construct an efficient range query protocol that is robust against the inference attacks of Naveed et al. We also give a full implementation of our new ORE scheme, and show that not only is our scheme more secure than existing OPE schemes, it is also faster: encrypting a 32-bit integer requires just 55 microseconds, which is more than 65 times faster than existing OPE schemes.
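The abstract contrasts two primitives: an OPE ciphertext is itself an ordered value (so anyone holding the ciphertexts can sort them, and equal plaintexts yield equal ciphertexts), whereas an ORE scheme only exposes order through a separate comparison algorithm. The following is an added, self-contained toy illustration written for this page; it is not the paper's scheme or the authors' implementation. It assumes a tiny message space of 16 values, HMAC-SHA256 as the PRF, a keyed secret permutation of the domain, and a "left/right" split in which the randomized right ciphertext can only be compared against a left ciphertext. The constructed `check_schemes` function verifies, on sample plaintexts, that the OPE ciphertexts leak order and frequency directly while the toy ORE's right ciphertexts are randomized yet still comparable through `compare`.

```python
"""Toy OPE vs. toy left/right ORE over a small message space (constructed example)."""
import hashlib
import hmac
import random
import secrets

N = 16  # toy message space {0, ..., N-1}; chosen for illustration only


def cmp3(a, b):
    """Three-way comparison encoded in Z_3: 0 if a == b, 1 if a < b, 2 if a > b."""
    return 0 if a == b else (1 if a < b else 2)


def prf(key, data):
    """PRF F(key, data), instantiated with HMAC-SHA256 (assumption of this example)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def hash_z3(key, nonce):
    """Hash H(key, nonce) into Z_3; the bias of the modular reduction is negligible."""
    return int.from_bytes(hashlib.sha256(key + nonce).digest(), "big") % 3


class ToyOPE:
    """Deterministic order-preserving map: ciphertexts are ordered integers."""

    def __init__(self, rng):
        # A random strictly increasing table over a 32-bit ciphertext space.
        self.table = sorted(rng.sample(range(2 ** 32), N))

    def encrypt(self, m):
        return self.table[m]


class ToyORE:
    """Toy small-domain ORE with left/right ciphertexts and a public compare algorithm."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)
        # Secret permutation pi of the domain, derived deterministically from the key.
        rng = random.Random(int.from_bytes(prf(self.key, b"perm"), "big"))
        self.pi = list(range(N))
        rng.shuffle(self.pi)

    def _subkey(self, m):
        return prf(self.key, m.to_bytes(2, "big"))

    def encrypt_left(self, m):
        # Left ciphertext: the per-message PRF key and m's slot under pi.
        return (self._subkey(m), self.pi[m])

    def encrypt_right(self, m):
        # Right ciphertext: a fresh nonce plus, at slot pi[j], cmp3(j, m) masked
        # by H(F(k, j), nonce). The fresh nonce makes it randomized.
        nonce = secrets.token_bytes(16)
        v = [0] * N
        for j in range(N):
            v[self.pi[j]] = (cmp3(j, m) + hash_z3(self._subkey(j), nonce)) % 3
        return (nonce, tuple(v))

    @staticmethod
    def compare(left, right):
        """Public algorithm: unmasks exactly one slot, yielding cmp3(m_left, m_right)."""
        subkey, pos = left
        nonce, v = right
        return (v[pos] - hash_z3(subkey, nonce)) % 3


def check_schemes(plaintexts):
    """Return which leakage/correctness properties hold on the given plaintexts."""
    ope = ToyOPE(random.Random(1234))
    ore = ToyORE()
    ope_cts = [ope.encrypt(m) for m in plaintexts]
    lefts = [ore.encrypt_left(m) for m in plaintexts]
    rights = [ore.encrypt_right(m) for m in plaintexts]
    idx = range(len(plaintexts))
    pairs = [(i, j) for i in idx for j in idx]
    return {
        # OPE: numeric order of ciphertexts equals plaintext order, and repeated
        # plaintexts give identical ciphertexts (order and frequency are visible).
        "ope_order_visible": all(
            cmp3(ope_cts[i], ope_cts[j]) == cmp3(plaintexts[i], plaintexts[j]) for i, j in pairs),
        "ope_deterministic": all(
            ope_cts[i] == ope_cts[j] for i, j in pairs if plaintexts[i] == plaintexts[j]),
        # ORE: compare() is correct on every (left, right) pair ...
        "ore_compare_correct": all(
            ToyORE.compare(lefts[i], rights[j]) == cmp3(plaintexts[i], plaintexts[j]) for i, j in pairs),
        # ... while right ciphertexts of equal plaintexts differ (no frequency leak there).
        "ore_right_randomized": all(
            rights[i] != rights[j] for i, j in pairs if i != j and plaintexts[i] == plaintexts[j]),
    }


if __name__ == "__main__":
    # Constructed sample column with a repeated value.
    print(check_schemes([3, 7, 3, 0, 15, 9]))
```

The point of the split is visible in `compare`: only the slot selected by the left ciphertext is unmasked, so a party holding right ciphertexts alone learns neither their order nor which of them encrypt the same value; this is the kind of leakage reduction the abstract refers to when it says ORE allows for stronger security than OPE.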

References

  1. R. Abelson and J. Creswell. Data breach at Anthem may forecast a trend. The New York Times, 2015.
  2. R. Agrawal, J. Kiernan, R. Srikant, and Y. Xu. Order-preserving encryption for numeric data. In ACM SIGMOD, 2004.
  3. P. Ananth and A. Jain. Indistinguishability obfuscation from compact functional encryption. In CRYPTO, 2015.
  4. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. P. Vadhan, and K. Yang. On the (im)possibility of obfuscating programs. J. ACM, 2012.
  5. M. Bellare, V. T. Hoang, S. Keelveedhi, and P. Rogaway. Efficient garbling from a fixed-key blockcipher. In IEEE SP, 2013.
  6. M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In CCS, 1993.
  7. C. Binnig, S. Hildenbrand, and F. Farber. Dictionary-based order-preserving string compression for main memory column stores. In ACM SIGMOD, 2009.
  8. T. Boelter, R. Poddar, and R. A. Popa. A secure one-roundtrip index for range queries. Cryptology ePrint Archive, Report 2016/568, 2016.
  9. A. Boldyreva, N. Chenette, Y. Lee, and A. O'Neill. Order-preserving symmetric encryption. In EUROCRYPT, 2009.
  10. A. Boldyreva, N. Chenette, and A. O'Neill. Order-preserving encryption revisited: Improved security analysis and alternative solutions. In CRYPTO, 2011.
  11. D. Boneh, C. Gentry, S. Halevi, F. Wang, and D. J. Wu. Private database queries using somewhat homomorphic encryption. In ACNS, 2013.
  12. D. Boneh, K. Lewi, M. Raykova, A. Sahai, M. Zhandry, and J. Zimmerman. Semantically secure order-revealing encryption: Multi-input functional encryption without obfuscation. In EUROCRYPT, 2015.
  13. D. Boneh, A. Sahai, and B. Waters. Functional encryption: Definitions and challenges. In TCC, 2011.
  14. D. Boneh and A. Silverberg. Applications of multilinear forms to cryptography. Contemporary Mathematics, 2003.
  15. D. Boneh and B. Waters. Conjunctive, subset, and range queries on encrypted data. In TCC, 2007.
  16. Z. Brakerski, I. Komargodski, and G. Segev. From single-input to multi-input functional encryption in the private-key setting. IACR Cryptology ePrint Archive, 2015.
  17. D. Cash, J. Jaeger, S. Jarecki, C. S. Jutla, H. Krawczyk, M. Rosu, and M. Steiner. Dynamic searchable encryption in very-large databases: Data structures and implementation. In NDSS, 2014.
  18. D. Cash, S. Jarecki, C. S. Jutla, H. Krawczyk, M. Rosu, and M. Steiner. Highly-scalable searchable symmetric encryption with support for boolean queries. In CRYPTO, 2013.
  19. Y. Chang and M. Mitzenmacher. Privacy preserving keyword searches on remote encrypted data. In ACNS, 2005.
  20. M. Chase and S. Kamara. Structured encryption and controlled disclosure. In ASIACRYPT, pages 577--594, 2010.
  21. S. Chatterjee and M. P. L. Das. Property preserving symmetric encryption revisited. In ASIACRYPT, 2015.
  22. N. Chenette, K. Lewi, S. A. Weis, and D. J. Wu. Practical order-revealing encryption with limited leakage. In FSE, 2016.
  23. J. Coron, T. Lepoint, and M. Tibouchi. Practical multilinear maps over the integers. In CRYPTO, 2013.
  24. R. Curtmola, J. A. Garay, S. Kamara, and R. Ostrovsky. Searchable symmetric encryption: improved definitions and efficient constructions. In ACM CCS, 2006.
  25. S. Faber, S. Jarecki, H. Krawczyk, Q. Nguyen, M. Rosu, and M. Steiner. Rich queries on encrypted data: Beyond exact matches. In ESORICS, 2015.
  26. J. Finkle and D. Volz. Database of 191 million U.S. voters exposed on internet: researcher. Reuters, 2015.
  27. S. Garg, C. Gentry, and S. Halevi. Candidate multilinear maps from ideal lattices. In EUROCRYPT, 2013.
  28. S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, and B. Waters. Candidate indistinguishability obfuscation and functional encryption for all circuits. In FOCS, 2013.
  29. C. Gentry. Fully homomorphic encryption using ideal lattices. In STOC, 2009.
  30. E. Goh. Secure indexes. IACR Cryptology ePrint Archive, 2003.
  31. O. Goldreich, S. Goldwasser, and S. Micali. How to construct random functions. J. ACM, 1986.
  32. O. Goldreich and R. Ostrovsky. Software protection and simulation on oblivious RAMs. J. ACM, 1996.
  33. S. Goldwasser, S. D. Gordon, V. Goyal, A. Jain, J. Katz, F. Liu, A. Sahai, E. Shi, and H. Zhou. Multi-input functional encryption. In EUROCRYPT, 2014.
  34. S. Goldwasser and S. Micali. Probabilistic encryption. J. Comput. Syst. Sci., 1984.
  35. T. Granlund and the GMP development team. GNU MP: The GNU Multiple Precision Arithmetic Library. http://gmplib.org/, 2012.
  36. S. Gueron and N. Mouha. Simpira v2: A family of efficient permutations using the AES round function. IACR Cryptology ePrint Archive, 2016.
  37. S. Jarecki, C. S. Jutla, H. Krawczyk, M. Rosu, and M. Steiner. Outsourced symmetric private information retrieval. In ACM CCS, 2013.
  38. H. Kadhem, T. Amagasa, and H. Kitagawa. A secure and efficient order preserving encryption scheme for relational databases. In KMIS, 2010.
  39. G. Kelly. eBay suffers massive security breach, all users must change their passwords. Forbes, 2014.
  40. F. Kerschbaum. Frequency-hiding order-preserving encryption. In ACM CCS, 2015.
  41. F. Kerschbaum and A. Schröpfer. Optimal average-complexity ideal-security order-preserving encryption. In ACM CCS, 2014.
  42. S. Kim, K. Lewi, A. Mandal, H. W. Montgomery, A. Roy, and D. J. Wu. Function-hiding inner product encryption is practical. IACR Cryptology ePrint Archive, 2016.
  43. K. Lewi and D. J. Wu. Order-revealing encryption: New constructions, applications, and lower bounds. IACR Cryptology ePrint Archive, 2016:612, 2016.
  44. M. Luby and C. Rackoff. How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Comput., 1988.
  45. C. Mavroforakis, N. Chenette, A. O'Neill, G. Kollios, and R. Canetti. Modular order-preserving encryption, revisited. In ACM SIGMOD, 2015.
  46. M. Naveed, S. Kamara, and C. V. Wright. Inference attacks on property-preserving encrypted databases. In ACM CCS, 2015.
  47. M. Naveed, M. Prabhakaran, and C. A. Gunter. Dynamic searchable encryption via blind storage. In IEEE SP, 2014.
  48. O. Pandey and Y. Rouselakis. Property preserving symmetric encryption. In EUROCRYPT, 2012.
  49. V. Pappas, F. Krell, B. Vo, V. Kolesnikov, T. Malkin, S. G. Choi, W. George, A. D. Keromytis, and S. Bellovin. Blind Seer: A scalable private DBMS. In IEEE SP, 2014.
  50. R. A. Popa, F. H. Li, and N. Zeldovich. An ideal-security protocol for order-preserving encoding. In IEEE SP, 2013.
  51. R. A. Popa, C. M. S. Redfield, N. Zeldovich, and H. Balakrishnan. CryptDB: protecting confidentiality with encrypted query processing. In ACM SOSP, 2011.
  52. D. S. Roche, D. Apon, S. G. Choi, and A. Yerukhimovich. POPE: partial order-preserving encoding. IACR Cryptology ePrint Archive, 2015.
  53. D. X. Song, D. Wagner, and A. Perrig. Practical techniques for searches on encrypted data. In IEEE SP, 2000.
  54. I. Teranishi, M. Yung, and T. Malkin. Order-preserving encryption secure beyond one-wayness. In ASIACRYPT, 2014.
  55. The OpenSSL Project. OpenSSL: The open source toolkit for SSL/TLS. www.openssl.org, 2003.
  56. A. C. Yao. Protocols for secure computations (extended abstract). In FOCS, 1982.
  57. M. Yasuda, T. Shimoyama, J. Kogure, K. Yokoyama, and T. Koshiba. Secure pattern matching using somewhat homomorphic encryption. In CCSW, 2013.

Published in

CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
October 2016, 1924 pages
ISBN: 9781450341394
DOI: 10.1145/2976749

Copyright © 2016 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

CCS '16 paper acceptance rate: 137 of 831 submissions (16%). Overall acceptance rate: 1,261 of 6,999 submissions (18%).
