
Security of Stateful Order-Preserving Encryption

  • Conference paper
Information Security and Cryptology – ICISC 2017 (ICISC 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10779)

Abstract

Most of the order-preserving encryption (OPE) schemes proposed in the early stage of development, including the first provably secure one, are stateless and work efficiently, but guarantee only weak security. Subsequent works have shown that the ideal security notion IND-OCPA can be achieved using statefulness, ciphertext mutability, and interactivity between client and server. Though such properties hinder the availability of IND-OCPA secure OPE schemes, the only definitively known result is the impossibility of constructing a feasible IND-OCPA secure OPE scheme without ciphertext mutability. In this work, we study the security that can be achieved by statefulness alone, from a viewpoint different from that of the existing research. We first consider a new security notion, called \(\delta \)-IND-OCPA, which is a natural relaxation of IND-OCPA. In contrast to IND-OCPA, in which ciphertexts reveal no information beyond the order of the plaintexts, our notion quantifies the fraction of plaintext bits that may be leaked. To show that our notion is achievable, we construct a new \(\delta \)-IND-OCPA secure OPE scheme. The proposed scheme is stateful and non-interactive, and does not require ciphertext mutation. Through several experiments, we show that our construction is also feasible and that it has an advantage in correlation analysis compared with the IND-OCPA secure scheme.


Notes

  1. 1.

    See Appendix A.

  2. 2.

    Teranishi et al. [18] proved that \((k,\theta )\)-FTG-O-nCPA implies \(\theta \)-lsb-KPA, which ensures the secrecy of the least significant \(\log \theta \) bits of a plaintext under a known-plaintext attack. Here, \(\theta \) is determined by the plaintext distribution and attains its maximum value under the uniform distribution.

References

  1. Boost C++ Libraries. http://www.boost.org/

  2. The GNU Multiple Precision Arithmetic Library. https://gmplib.org/

  3. The MariaDB Foundation. https://mariadb.org/

  4. SQLite. https://sqlite.org/

  5. Boldyreva, A., Chenette, N., Lee, Y., O’Neill, A.: Order-preserving symmetric encryption. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 224–241. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_13


  6. Boldyreva, A., Chenette, N., O’Neill, A.: Order-preserving encryption revisited: improved security analysis and alternative solutions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 578–595. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_33


  7. Boneh, D., Lewi, K., Raykova, M., Sahai, A., Zhandry, M., Zimmerman, J.: Semantically secure order-revealing encryption: multi-input functional encryption without obfuscation. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 563–594. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_19


  8. Chenette, N., Lewi, K., Weis, S.A., Wu, D.J.: Practical order-revealing encryption with limited leakage. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 474–493. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_24


  9. Grubbs, P., Sekniqi, K., Bindschaedler, V., Naveed, M., Ristenpart, T.: Leakage-abuse attacks against order-revealing encryption. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 655–672. IEEE Press, New York (2017). https://doi.org/10.1109/SP.2017.44

  10. Katz, J., Yung, M.: Characterization of security notions for probabilistic private-key encryption. J. Cryptol. 19(1), 67–96 (2006). https://doi.org/10.1007/s00145-005-0310-8


  11. Kellaris, G., Kollios, G., Nissim, K., O’Neill, A.: Generic attacks on secure outsourced databases. In: 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1329–1340. ACM Press, New York (2016). https://doi.org/10.1145/2976749.2978386

  12. Kerschbaum, F.: Frequency-hiding order-preserving encryption. In: 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 656–667. ACM Press, New York (2015). https://doi.org/10.1145/2810103.2813629

  13. Kerschbaum, F., Schröpfer, A.: Optimal average-complexity ideal-security order-preserving encryption. In: 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 275–286. ACM Press, New York (2014). https://doi.org/10.1145/2660267.2660277

  14. Lacharité, M.-S., Minaud, B., Paterson, K.G.: Improved reconstruction attacks on encrypted data using range query leakage. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 19–36. IEEE Press, New York (2018). https://doi.org/10.1109/SP.2018.00002

  15. Naveed, M., Kamara, S., Wright, C.V.: Inference attacks on property-preserving encrypted databases. In: 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 644–655. ACM Press, New York (2015). https://doi.org/10.1145/2810103.2813651

  16. Popa, R.A., Li, F.H., Zeldovich, N.: An ideal-security protocol for order-preserving encoding. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 463–477. IEEE Press, New York (2013). https://doi.org/10.1109/SP.2013.38

  17. Popa, R.A., Redfield, C.M.S., Zeldovich, N., Balakrishnan, H.: CryptDB: protecting confidentiality with encrypted query processing. In: Twenty-Third ACM Symposium on Operating Systems Principles, pp. 85–100. ACM Press, New York (2011). https://doi.org/10.1145/2043556.2043566

  18. Teranishi, I., Yung, M., Malkin, T.: Order-preserving encryption secure beyond one-wayness. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 42–61. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_3



Acknowledgement

This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korean government (MSIT) (No. R0101-16-0301).

Author information

Correspondence to Kee Sung Kim.

Appendices

A Ideal Security

The IND-OCPA notion is a generalization of semantic security: no efficient adversary can distinguish between the encryptions of any two sequences of messages, provided that the order relation among the messages is the same in both sequences. We recall the formal definition here. IND-OCPA is defined as the following game between a challenger \(\mathcal {C}\) and an adversary \(\mathcal {A}\), where \(\mathcal {A}\) is a probabilistic polynomial-time algorithm:

  • (Setup) \(\mathcal {C}\) runs \(\mathsf {okey}\leftarrow \mathsf {OPE}.\mathsf {Kg}(1^\lambda ,\mathcal {D})\) and chooses a random bit b.

  • (Query) At round \(i\in [1, n]\), \(\mathcal {A}\) adaptively queries the i-th message pair \((m^0_i,m^1_i)\) to \(\mathcal {C}\), and \(\mathcal {C}\) returns \(c_i^b\leftarrow \mathsf {OPE}.\mathsf {Enc}(\mathsf {okey},m_i^b)\) to \(\mathcal {A}\) as its answer. The left and right messages must have the same order relation, i.e., for all \(1\le i,j\le n\), \(m^0_i<m^0_j \text{ iff } m^1_i<m^1_j\).

  • (Guess) \(\mathcal {A}\) outputs \(b^\prime \), its guess for b.

We say that an OPE scheme guarantees IND-OCPA security if the probability that \(b^\prime =b\) is \(1/2+\mathsf {negl}(\lambda )\).
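The game above, as an added example that is not part of the paper: a small Python simulation of the IND-OCPA experiment with a non-adaptive adversary. The two encoders are constructed for illustration only (neither is a scheme from the paper): a stateless toy encoder whose ciphertext gaps track plaintext gaps, and an "order-only" stand-in for ideal leakage whose outputs depend on nothing but the order relation. The adversary's query pairs are order-consistent, as the game requires, but differ in magnitude, which is exactly what the weak encoder reveals and the order-only encoder hides.

```python
import secrets
from typing import Callable, List, Sequence

# Constructed for this example; neither encoder below is a scheme from the paper.


def orders_consistent(left: Sequence[int], right: Sequence[int]) -> bool:
    """IND-OCPA query restriction: for all i, j, m0_i < m0_j iff m1_i < m1_j."""
    if len(left) != len(right):
        return False
    n = len(left)
    return all((left[i] < left[j]) == (right[i] < right[j])
               for i in range(n) for j in range(n))


def multiplicative_ope_factory(key_bits: int = 32) -> Callable[[int], int]:
    """Toy stateless order-preserving encoder: Enc(m) = m*k + r with 0 <= r < k.
    Order is preserved (m < m' gives m*k + k - 1 < m'*k), but the gap between two
    ciphertexts scales with the gap between the plaintexts, i.e. it leaks magnitude."""
    k = (1 << key_bits) + secrets.randbelow(1 << key_bits)   # fresh random key
    return lambda m: m * k + secrets.randbelow(k)


def order_only_factory() -> Callable[[int], int]:
    """Stand-in for ideal (order-only) leakage: the i-th output is the rank of m_i among
    the plaintexts seen so far, so the output sequence is a function of the order relation
    alone. It is not a usable OPE, since earlier outputs are never adjusted."""
    seen: List[int] = []

    def enc(m: int) -> int:
        rank = sum(1 for x in seen if x < m)
        seen.append(m)
        return rank
    return enc


def run_game(enc_factory, left, right, guess, trials: int = 200) -> float:
    """Play the IND-OCPA game `trials` times with fixed query pairs (left[i], right[i])
    and a guess function over the ciphertext list; return the empirical success rate."""
    if not orders_consistent(left, right):
        raise ValueError("query pairs violate the IND-OCPA order restriction")
    wins = 0
    for _ in range(trials):
        enc = enc_factory()                                  # Setup: fresh key / state
        b = secrets.randbelow(2)
        cts = [enc(m) for m in (right if b else left)]       # Query rounds
        wins += int(guess(cts) == b)                         # Guess
    return wins / trials


# Adversary: same order in both sequences, very different gap between the two messages.
LEFT = [1, 2]
RIGHT = [1, 1 << 20]


def gap_adversary(cts: List[int]) -> int:
    # Against the multiplicative encoder the gap is below 2k < 2^34 for LEFT and above
    # (2^20 - 2)k > 2^51 for RIGHT, so a threshold of 2^40 separates them perfectly.
    return 1 if cts[1] - cts[0] > (1 << 40) else 0


if __name__ == "__main__":
    print("multiplicative encoder:", run_game(multiplicative_ope_factory, LEFT, RIGHT, gap_adversary))
    print("order-only encoder:    ", run_game(order_only_factory, LEFT, RIGHT, gap_adversary))
```

Against the multiplicative encoder the adversary wins every run; against the order-only encoder both sequences produce the identical ciphertext list, so no guess function can do better than 1/2, which is the property the IND-OCPA definition captures.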

B Further Correlation Coefficients Evaluation

To confirm that the pattern of change is consistent, we further vary the number n of inputs from \(2^{10}\) to \(2^{20}\), doubling it at each step, and compute the correlation coefficients for uniform and normal datasets. Figures 8 and 9 depict the correlation coefficients of 32-bit normally distributed (with \(\rho =0.5\)) and uniformly distributed datasets, respectively. For the other two normal-distribution cases, the trend is the same as in Fig. 8 (cf. Fig. 6), so the results are omitted. In conclusion, they show the same pattern of change as Fig. 6 for each case.

Fig. 8. Correlation coefficients for 32-bit normal datasets with \(\rho =0.5\)

Fig. 9. Correlation coefficients for 32-bit uniform datasets

In general, one would expect the correlation coefficient of our sOPE scheme to decrease as d increases, due to the influence of the d-th powering or d-th root operation. In this experiment, however, we observe that it decreases only up to a specific d and then increases again. Figures 6, 8 and 9 show that this specific d is 5 when the size of the plaintext domain is 32 bits (l = 32). Since a larger d makes our sOPE scheme less efficient, this particular d is considered optimal. We further examined the other cases, \(l\in \{16,24,32,48\}\), and found that the optimal expansion factor d for each l is 3, 4, 5, and 6, respectively.

Although more experiments are needed to reliably recommend a choice of d, we observe that our sOPE scheme with the optimal choice of d performs better than the ideal-secure KS scheme under the normal distribution, while the performance of our sOPE scheme with optimal d and that of the KS scheme are similar under the uniform distribution.

C Implementation of the KS Scheme

The update algorithm of the KS scheme updates the state managed by the client. It generates new ciphertexts for all plaintexts encrypted so far, in order, by creating a balanced tree. The updated ciphertexts need to be sent to the server-side DB. Apart from the communication overhead that is generally pointed out, such a procedure caused practical problems in our experiment. To implement the update algorithm in MariaDB (including MySQL), we need to combine a specific UDF (user-defined function) with table manipulation procedures. Such an approach to invoking cryptographic operations in the DBMS is described in more detail in [17]. However, the native MariaDB (or MySQL) functions for manipulating tables have a data size constraint. There may be a way to suppress update operations through parameter settings, as stated in [13], but in this experiment we tried to solve the problem through implementation optimization.

In the KS scheme, the state, represented as a binary tree, plays the role of the key, and encrypting a new plaintext with this key can be interpreted as assigning a new node in the binary tree. In the update process, all plaintexts encrypted so far are first sorted, and a new balanced binary tree based only on the order of the sorted plaintexts is derived through a recursive procedure. This binary tree is then used as the key for encrypting the next plaintext. Since the DBMS on the server can itself sort the ciphertexts stored so far, it can perform the update operation by creating the same balanced binary tree as the client. Thus, we can update the ciphertexts stored in the server-side DB without sending renewed ciphertexts; it is sufficient to send only the basic sink information needed to create the same balanced binary tree.
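The mechanism described in this appendix, as an added example that is not the authors' implementation nor the KS scheme's reference code: a simplified Python model in which the client's binary-tree state assigns each plaintext a code, a new plaintext takes the midpoint of the code interval between its predecessor and successor (equivalent to descending the tree to a fresh leaf, since those two neighbours are exactly the path nodes bounding the leaf interval), and an exhausted interval triggers the update, i.e. a rebuild of a balanced tree over the sorted plaintexts. The server-side `server_update` reproduces the same balanced tree from nothing but its sorted ciphertexts, which is the point made in the text. The tiny 8-bit code space, the interval-midpoint encoding and all function names are assumptions of this illustration; the real scheme's binary path encoding and parameters are not reproduced here.

```python
from bisect import bisect_left
from typing import Dict, List, Tuple

CODE_BITS = 8  # deliberately tiny ciphertext space so an update is triggered quickly (assumption)


def balanced_codes(count: int, lo: int = 0, hi: int = 1 << CODE_BITS) -> List[int]:
    """Codes of a balanced binary tree with `count` nodes over the open code interval (lo, hi):
    the median gets the midpoint and the two halves recurse into the sub-intervals. The i-th
    code belongs to the i-th smallest element, and only `count` is needed, which is why the
    server can rebuild the same tree from its sorted ciphertexts alone."""
    if count == 0:
        return []
    if hi - lo - 1 < count:
        raise ValueError("code space too small for a tree of this size")
    mid_index = count // 2
    mid_code = (lo + hi) // 2
    return (balanced_codes(mid_index, lo, mid_code)
            + [mid_code]
            + balanced_codes(count - mid_index - 1, mid_code, hi))


class KSClient:
    """Client state: sorted plaintexts and their codes (the binary tree that acts as the key)."""

    def __init__(self) -> None:
        self.plaintexts: List[int] = []
        self.codes: List[int] = []
        self.updates = 0

    def _bounds(self, pos: int) -> Tuple[int, int]:
        # Predecessor and successor of the insertion point are the path nodes that bound
        # the new leaf's interval; the tree boundary is used when one of them is missing.
        lo = self.codes[pos - 1] if pos > 0 else 0
        hi = self.codes[pos] if pos < len(self.codes) else (1 << CODE_BITS)
        return lo, hi

    def encrypt(self, m: int) -> Tuple[int, bool]:
        """Assign a node to m. Returns (ciphertext, updated). updated=True means the client
        first rebuilt the balanced tree over the previously encrypted plaintexts, so the
        server must run server_update() on its stored column before inserting this one."""
        pos = bisect_left(self.plaintexts, m)
        if pos < len(self.plaintexts) and self.plaintexts[pos] == m:
            return self.codes[pos], False          # repeated plaintext reuses its node
        updated = False
        lo, hi = self._bounds(pos)
        if hi - lo <= 1:                            # no free code between the neighbours
            self.codes = balanced_codes(len(self.plaintexts))
            self.updates += 1
            updated = True
            lo, hi = self._bounds(pos)
            if hi - lo <= 1:
                raise ValueError("code space exhausted even after rebalancing")
        code = (lo + hi) // 2
        self.plaintexts.insert(pos, m)
        self.codes.insert(pos, code)
        return code, updated


def server_update(stored: List[int]) -> Dict[int, int]:
    """Server side of the update: sort the ciphertexts it already holds (no plaintexts
    needed) and assign the codes of the same balanced tree. Returns old code -> new code."""
    old_sorted = sorted(set(stored))
    return dict(zip(old_sorted, balanced_codes(len(old_sorted))))


if __name__ == "__main__":
    client, db = KSClient(), []
    for m in range(1, 10):                          # ascending inserts degenerate the tree
        c, updated = client.encrypt(m)
        if updated:
            remap = server_update(db)
            db = [remap[x] for x in db]             # server rewrites its own column locally
        db.append(c)
    print(db, "updates:", client.updates)
```

Inserting 1..8 in ascending order walks down the right spine (codes 128, 192, ..., 255); the ninth insert finds no gap, the client rebalances, and the server derives the identical new codes for the eight stored ciphertexts without receiving any of them again, after which the new ciphertext 240 is stored as usual.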


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature


Cite this paper

Kim, K.S., Kim, M., Lee, D., Park, J.H., Kim, WH. (2018). Security of Stateful Order-Preserving Encryption. In: Kim, H., Kim, DC. (eds) Information Security and Cryptology – ICISC 2017. ICISC 2017. Lecture Notes in Computer Science, vol 10779. Springer, Cham. https://doi.org/10.1007/978-3-319-78556-1_3


  • DOI: https://doi.org/10.1007/978-3-319-78556-1_3


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-78555-4

  • Online ISBN: 978-3-319-78556-1
