Order-Revealing Encryption

An order-revealing encryption (ORE) scheme is an encryption scheme where there is a public function that can be used to compare ciphertexts. Because ORE enables comparisons on ciphertexts, it has many applications in searching over and sorting encrypted data. The first constructions of order-revealing encryption relied on either multilinear maps or indistinguishability obfuscation, and thus, are unlikely to be practical in the foreseeable future. This project initiates the study of more practical order-revealing encryption schemes that provide a security/efficiency tradeoff. We give several constructions and implementations of highly practical ORE schemes (based only on pseudorandom functions such as AES). We also explore ways of using order-revealing encryption in encrypted database applications in a way that is robust against inference attacks.

Practical Order-Revealing Encryption with Limited Leakage

Contributors: Nathan Chenette, Kevin Lewi, Stephen A. Weis, and David J. Wu

Abstract:

In an order-preserving encryption scheme, the encryption algorithm produces ciphertexts that preserve the order of their plaintexts. Order-preserving encryption schemes have been studied intensely in the last decade, and yet not much is known about the security of these schemes. Very recently, Boneh et al. (Eurocrypt 2015) introduced a generalization of order-preserving encryption, called order-revealing encryption, and presented a construction which achieves this notion with best-possible security. Because their construction relies on multilinear maps, it is too impractical for most applications and therefore remains a theoretical result.

In this work, we build efficiently implementable order-revealing encryption from pseudorandom functions. We present the first efficient order-revealing encryption scheme which achieves a simulation-based security notion with respect to a leakage function that precisely quantifies what is leaked by the scheme. In fact, ciphertexts in our scheme are only about 1.6 times longer than their plaintexts. Moreover, we show how composing our construction with existing order-preserving encryption schemes results in order-revealing encryption that is strictly more secure than all preceding order-preserving encryption schemes.

Resources:

BibTeX:
@inproceedings{CLWW16,
  author    = {Nathan Chenette and Kevin Lewi and Stephen A. Weis and David J. Wu},
  title     = {Practical Order-Revealing Encryption with Limited Leakage},
  booktitle = {Fast Software Encryption ({FSE})},
  year      = {2016}
}

Order-Revealing Encryption: New Constructions, Applications, and Lower Bounds

Contributors: Kevin Lewi and David J. Wu

Abstract:

In the last few years, there has been significant interest in developing methods to search over encrypted data. In the case of range queries, a simple solution is to encrypt the contents of the database using an order-preserving encryption (OPE) scheme (i.e., an encryption scheme that supports comparisons over encrypted values). However, Naveed et al. (CCS 2015) recently showed that OPE-encrypted databases are extremely vulnerable to “inference attacks.”

In this work, we consider a related primitive called order-revealing encryption (ORE), which is a generalization of OPE that allows for stronger security. We begin by constructing a new ORE scheme for small message spaces which achieves the “best-possible” notion of security for ORE. Next, we introduce a “domain-extension” technique and apply it to our small-message-space ORE. While our domain-extension technique does incur a loss in security, the resulting ORE scheme we obtain is more secure than all existing (stateless and non-interactive) OPE and ORE schemes which are practical. All of our constructions rely only on symmetric primitives. As part of our analysis, we also give a tight lower bound for OPE and show that no efficient OPE scheme can satisfy best-possible security if the message space contains just three messages. Thus, achieving strong notions of security for even small message spaces requires moving beyond OPE.

Finally, we examine the properties of our new ORE scheme and show how to use it to construct an efficient range query protocol that is robust against the inference attacks of Naveed et al. We also give a full implementation of our new ORE scheme, and show that not only is our scheme more secure than existing OPE schemes, it is also faster: encrypting a 32-bit integer requires just 55 microseconds, which is more than 65 times faster than existing OPE schemes.

Resources:

BibTeX:
@inproceedings{LW16,
  author    = {Kevin Lewi and David J. Wu},
  title     = {Order-Revealing Encryption: New Constructions, Applications, and Lower Bounds},
  booktitle = {ACM Conference on Computer and Communications Security ({ACM} {CCS})},
  year      = {2016}
}