Abstract
Most of the order-preserving encryption (OPE) schemes proposed in the early stage of development, including the first provably secure one, are stateless and work efficiently, but guarantee only weak security. Subsequent works have shown that the ideal security notion IND-OCPA can be achieved by using statefulness, ciphertext mutability, and interactivity between client and server. Although such properties hinder the availability of IND-OCPA secure OPE schemes, the only definitively known result is the impossibility of constructing a feasible IND-OCPA secure OPE scheme without ciphertext mutability. In this work, we study the security that can be achieved by statefulness alone, from a viewpoint different from that of the existing research. We first consider a new security notion, called \(\delta \)-IND-OCPA, which is a natural relaxation of IND-OCPA. Whereas under IND-OCPA ciphertexts reveal no information beyond the order of the plaintexts, our notion quantifies the rate of plaintext bits that are leaked. To show that our notion is achievable, we construct a new \(\delta \)-IND-OCPA secure OPE scheme. The proposed scheme is stateful and non-interactive, but does not require ciphertext mutation. Through several experiments, we show that our construction is also feasible and that it has an advantage in correlation analysis compared with the IND-OCPA secure scheme.
Notes
1. See Appendix A.
2. Teranishi et al. [18] proved that \((k,\theta )\)-FTG-O-nCPA implies \(\theta \)-lsb-KPA, which ensures the secrecy of the least significant \(\log \theta \) bits of a plaintext under a known-plaintext attack. Here, \(\theta \) is determined by the plaintext distribution and attains its maximum value for the uniform distribution.
References
Boost C++ Libraries. http://www.boost.org/
The GNU Multiple Precision Arithmetic Library. https://gmplib.org/
The MariaDB Foundation. https://mariadb.org/
SQLite. https://sqlite.org/
Boldyreva, A., Chenette, N., Lee, Y., O’Neill, A.: Order-preserving symmetric encryption. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 224–241. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_13
Boldyreva, A., Chenette, N., O’Neill, A.: Order-preserving encryption revisited: improved security analysis and alternative solutions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 578–595. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_33
Boneh, D., Lewi, K., Raykova, M., Sahai, A., Zhandry, M., Zimmerman, J.: Semantically secure order-revealing encryption: multi-input functional encryption without obfuscation. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 563–594. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_19
Chenette, N., Lewi, K., Weis, S.A., Wu, D.J.: Practical order-revealing encryption with limited leakage. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 474–493. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_24
Grubbs, P., Sekniqi, K., Bindschaedler, V., Naveed, M., Ristenpart, T.: Leakage-abuse attacks against order-revealing encryption. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 655–672. IEEE Press, New York (2017). https://doi.org/10.1109/SP.2017.44
Katz, J., Yung, M.: Characterization of security notions for probabilistic private-key encryption. J. Cryptol. 19(1), 67–96 (2006). https://doi.org/10.1007/s00145-005-0310-8
Kellaris, G., Kollios, G., Nissim, K., O’Neill, A.: Generic attacks on secure outsourced databases. In: 2016 ACM SIGSAC Conference on Computer and Communications Security, pp. 1329–1340. ACM Press, New York (2016). https://doi.org/10.1145/2976749.2978386
Kerschbaum, F.: Frequency-hiding order-preserving encryption. In: 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 656–667. ACM Press, New York (2015). https://doi.org/10.1145/2810103.2813629
Kerschbaum, F., Schröpfer, A.: Optimal average-complexity ideal-security order-preserving encryption. In: 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 275–286. ACM Press, New York (2014). https://doi.org/10.1145/2660267.2660277
Lacharité, M.-S., Minaud, B., Paterson, K.G.: Improved reconstruction attacks on encrypted data using range query leakage. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 19–36. IEEE Press, New York (2018). https://doi.org/10.1109/SP.2018.00002
Naveed, M., Kamara, S., Wright, C.V.: Inference attacks on property-preserving encrypted databases. In: 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 644–655. ACM Press, New York (2015). https://doi.org/10.1145/2810103.2813651
Popa, R.A., Li, F.H., Zeldovich, N.: An ideal-security protocol for order-preserving encoding. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 463–477. IEEE Press, New York (2013). https://doi.org/10.1109/SP.2013.38
Popa, R.A., Redfield, C.M.S., Zeldovich, N., Balakrishnan, H.: CryptDB: protecting confidentiality with encrypted query processing. In: Twenty-Third ACM Symposium on Operating Systems Principles, pp. 85–100. ACM Press, New York (2011). https://doi.org/10.1145/2043556.2043566
Teranishi, I., Yung, M., Malkin, T.: Order-preserving encryption secure beyond one-wayness. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 42–61. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_3
Acknowledgement
This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korean government (MSIT) (No. R0101-16-0301).
Appendices
A Ideal Security
The IND-OCPA notion is a generalization of semantic security, and states that no efficient adversary can distinguish between the encryptions of any two sequences of messages, provided that the ordering of the messages in the two sequences is identical. We recall the formal definition here. Specifically, IND-OCPA is defined as the following game between a challenger \(\mathcal {C}\) and an adversary \({{\mathrm{\mathcal {A}}}}\), where \({{\mathrm{\mathcal {A}}}}\) is a probabilistic polynomial-time algorithm:
- (Setup) \(\mathcal {C}\) runs \(\mathsf {okey}\leftarrow \mathsf {OPE}.\mathsf {Kg}(1^\lambda ,\mathcal {D})\) and chooses a random bit b.
- (Query) At round \(i\in [1, n]\), \({{\mathrm{\mathcal {A}}}}\) adaptively queries the i-th message pair \((m^0_i,m^1_i)\) to \(\mathcal {C}\), and \(\mathcal {C}\) returns \(c_i^b\leftarrow \mathsf {OPE}.\mathsf {Enc}(\mathsf {okey},m_i^b)\) to \({{\mathrm{\mathcal {A}}}}\) as its answer. Here, the left and right messages must have the same order relation, i.e., for all \(1\le i,j\le n\), \(m^0_i<m^0_j \text{ iff } m^1_i<m^1_j\).
- (Guess) \({{\mathrm{\mathcal {A}}}}\) outputs \(b^\prime \), its guess for b.
We say that an OPE scheme is IND-OCPA secure if the probability that \(b^\prime =b\) is \(1/2+{{\mathrm{\mathsf {negl}}}}(\lambda )\).
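The game above can be made concrete with a small simulator. The following Python code is an added illustration, not code from the paper: it implements the challenger of Appendix A, including the admissibility check that the left and right sequences have the same order relation, and runs a non-adaptive adversary against two toy schemes constructed here for the purpose. The stateless scheme (a random strictly increasing function built from random gaps) preserves order but also leaks plaintext distance, and the adversary wins with probability 1; the order-only scheme (rank-based, stateful and mutable) produces a ciphertext sequence that depends only on the order pattern, so the same adversary is reduced to guessing. Scheme names, the gap parameter and the threshold are assumptions of this example.

```python
"""IND-OCPA game simulator (added illustration, not the paper's code)."""
import random
from typing import Callable, List, Sequence, Tuple


def same_order(left: Sequence[int], right: Sequence[int]) -> bool:
    """Challenger-side admissibility check of the Query phase:
    m0_i < m0_j iff m1_i < m1_j for all i, j."""
    n = len(left)
    if n != len(right):
        return False
    return all((left[i] < left[j]) == (right[i] < right[j])
               for i in range(n) for j in range(n))


class StatelessOPE:
    """Toy stateless OPE (constructed here): a random strictly increasing
    function obtained by summing random gaps. Order is preserved, but the
    ciphertext gap grows with the plaintext gap, i.e. distance leaks."""

    def __init__(self, domain_size: int, max_gap: int, rng: random.Random):
        self.table: List[int] = []
        c = 0
        for _ in range(domain_size):
            c += rng.randint(1, max_gap)
            self.table.append(c)

    def enc(self, m: int) -> int:
        return self.table[m]


class OrderOnlyOPE:
    """Toy stateful, mutable OPE (constructed here): the ciphertext is the
    plaintext's rank among the distinct plaintexts encrypted so far, so the
    ciphertext sequence is a function of the order pattern alone."""

    def __init__(self, rng: random.Random):
        self.seen: List[int] = []

    def enc(self, m: int) -> int:
        self.seen.append(m)
        return sorted(set(self.seen)).index(m)


class DistanceAdversary:
    """Queries (1, 2) on the left and (1, 1000) on the right: identical
    order relation, very different distance. Guesses b from the gap."""

    def __init__(self, threshold: int):
        self.threshold = threshold

    def queries(self) -> Tuple[List[int], List[int]]:
        return [1, 2], [1, 1000]

    def guess(self, cts: List[int]) -> int:
        return 0 if cts[1] - cts[0] < self.threshold else 1


def ind_ocpa_game(make_scheme: Callable[[random.Random], object],
                  adversary, rng: random.Random) -> bool:
    """One run of the game of Appendix A; True iff the guess b' equals b."""
    scheme = make_scheme(rng)          # Setup: key generation
    b = rng.randint(0, 1)              # Setup: random challenge bit
    left, right = adversary.queries()  # Query: the two message sequences
    if not same_order(left, right):
        raise ValueError("left and right sequences must have the same order relation")
    cts = [scheme.enc((m0, m1)[b]) for m0, m1 in zip(left, right)]
    return adversary.guess(cts) == b   # Guess


def success_rate(make_scheme, adversary, trials: int = 400, seed: int = 7) -> float:
    """Empirical Pr[b' = b]; IND-OCPA security requires this to be ~1/2."""
    rng = random.Random(seed)
    wins = sum(ind_ocpa_game(make_scheme, adversary, rng) for _ in range(trials))
    return wins / trials


if __name__ == "__main__":
    adv = DistanceAdversary(threshold=100)
    print("stateless  OPE, adversary success:",
          success_rate(lambda r: StatelessOPE(1001, 8, r), adv))
    print("order-only OPE, adversary success:", success_rate(OrderOnlyOPE, adv))
```

The adversary here is non-adaptive (it fixes both sequences up front), which is a special case of the adaptive adversary in the definition; any advantage it gains is therefore also available to an adaptive one.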
B Further Correlation Coefficients Evaluation
To confirm that the pattern of change is consistent, we further vary the number n of inputs from \(2^{10}\) to \(2^{20}\), doubling n at each step, and compute the correlation coefficients for uniform and normal datasets. Figures 8 and 9 depict the correlation coefficients of 32-bit normally distributed (with \(\rho =0.5\)) and uniformly distributed datasets, respectively. For the other two normal-distribution cases, the trend of Fig. 8 matches that of Fig. 6, so the results are omitted. In all cases they show the same pattern of change as Fig. 6.
In general, one would predict that as d increases, the correlation coefficient of our sOPE scheme decreases because of the influence of the d-th powering or d-th root operation. In this experiment, however, we observe that it decreases up to a specific d and then increases again. Figures 6, 8 and 9 show that this specific d is 5 when the size of the plaintext domain is 32. Since a larger d makes our sOPE scheme less efficient, this particular d is considered optimal. We further examined the other cases \(l\in \{16,24,32,48\}\), and found that the optimal expansion factor d for each l is 3, 4, 5, and 6, respectively.
Although more experiments are needed to reliably recommend a choice of d, we observe that our sOPE scheme with the optimal choice of d performs better than the ideal-secure KS scheme under the normal distribution, while the performance of our sOPE scheme with optimal d and that of the KS scheme are similar under the uniform distribution.
C Implementation of the KS Scheme
The update algorithm of the KS scheme updates the state managed by the client. It generates a fresh ciphertext for every plaintext encrypted so far, in order, by creating a balanced tree. The updated ciphertexts need to be sent to the server-side DB. Apart from the communication overhead that is generally pointed out, this procedure causes practical problems in our experiment. To implement the update algorithm in MariaDB (including MySQL), we need to combine a specific UDF (User-Defined Function) with table-manipulation procedures. This approach to invoking cryptographic operations inside the DBMS is described in more detail in [17]. However, the native MariaDB (or MySQL) functions for manipulating tables have a data-size constraint. Although there may be a way to suppress update operations through parameter settings, as stated in [13], in this experiment we solved the problem through implementation optimization.
In the KS scheme, the state, represented as a binary tree, plays the role of the key, and encrypting a new plaintext under this key can be interpreted as assigning it a new node in the binary tree. In the update process, all plaintexts encrypted so far must first be sorted. A new balanced binary tree, based only on the order of the sorted plaintexts, is then derived by a recursive procedure. This binary tree is used as the key for encrypting the next plaintext. Since the DBMS on the server can sort the ciphertexts issued so far, it can perform the update operation itself by creating the same balanced binary tree as the client. Thus, we can update the ciphertexts stored in the server-side DB without sending renewed ciphertexts; it is sufficient to send only the basic sink information needed to build the same balanced binary tree.
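The following Python code is an added example, not the paper's implementation or the KS scheme's reference code: it models the mechanism described in this appendix. The client's state is a binary tree of plaintexts; encrypting a new plaintext descends the tree and assigns it a node, whose path is mapped to an order-preserving integer code; the update sorts all plaintexts and rebuilds a balanced tree by recursive median splitting. Because the rebuilt tree depends only on the sorted order, the server can derive the same tree, and hence the mapping from old to new ciphertexts, from the sorted ciphertexts alone. The path encoding (path bits, then a 1, zero-padded to a fixed width) and the `depth` parameter are assumptions of this example.

```python
"""Balanced-tree rebuild of a KS-style OPE state (added example, not the paper's code)."""
from typing import Dict, List, Optional


class Node:
    __slots__ = ("value", "left", "right")

    def __init__(self, value: int):
        self.value, self.left, self.right = value, None, None


def build_balanced(sorted_values: List[int]) -> Optional[Node]:
    """Recursive median split: the resulting shape depends only on the order."""
    if not sorted_values:
        return None
    mid = len(sorted_values) // 2
    node = Node(sorted_values[mid])
    node.left = build_balanced(sorted_values[:mid])
    node.right = build_balanced(sorted_values[mid + 1:])
    return node


def path_code(bits: List[int], depth: int) -> int:
    """Order-preserving code of a tree position: path bits, a 1, then zero
    padding to width depth+1. Left subtree < node < right subtree (assumed encoding)."""
    return int("".join(map(str, bits)) + "1" + "0" * (depth - len(bits)), 2)


def codes_of(root: Optional[Node], depth: int) -> Dict[int, int]:
    """value -> code for every node of the tree (in-order traversal)."""
    out: Dict[int, int] = {}

    def walk(node: Optional[Node], bits: List[int]) -> None:
        if node is None:
            return
        walk(node.left, bits + [0])
        out[node.value] = path_code(bits, depth)
        walk(node.right, bits + [1])

    walk(root, [])
    return out


class KSClient:
    """Client state: the tree (acting as the key) and the plaintexts seen so far."""

    def __init__(self, depth: int = 8):
        self.depth = depth
        self.plaintexts: List[int] = []
        self.root: Optional[Node] = None

    def encrypt(self, m: int) -> int:
        """Assign m a node by descending the current tree; return its code."""
        bits: List[int] = []
        if self.root is None:
            self.root = Node(m)
        else:
            node = self.root
            while m != node.value:           # equal plaintexts share a node
                bit = 0 if m < node.value else 1
                if len(bits) == self.depth:  # no room left on this path
                    raise OverflowError("tree too deep: call update() first")
                bits.append(bit)
                child = node.left if bit == 0 else node.right
                if child is None:
                    child = Node(m)
                    if bit == 0:
                        node.left = child
                    else:
                        node.right = child
                node = child
        self.plaintexts.append(m)
        return path_code(bits, self.depth)

    def update(self) -> Dict[int, int]:
        """Rebalance: sort all plaintexts and rebuild; return the new codes."""
        self.root = build_balanced(sorted(set(self.plaintexts)))
        return codes_of(self.root, self.depth)


def server_update(old_codes: List[int], depth: int) -> Dict[int, int]:
    """Server side: rebuild the same balanced tree from the sorted ciphertexts
    alone, yielding old_code -> new_code without seeing any plaintext."""
    return codes_of(build_balanced(sorted(set(old_codes))), depth)


if __name__ == "__main__":
    client = KSClient(depth=8)
    values = [10, 20, 30, 40, 50]            # constructed sample: inserted in order
    old = [client.encrypt(m) for m in values]  # degenerates into a right chain
    new = client.update()                    # client rebalances
    remap = server_update(old, depth=8)      # server derives the same remapping
    for m, c in zip(values, old):
        print(m, c, "->", new[m], "server:", remap[c])
```

Inserting the sample values in ascending order degenerates the tree into a chain, which is exactly the situation the update repairs; after the rebuild, both the client's new codes and the server's remapping of the old codes agree, and a subsequent encryption lands between its neighbours.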
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Kim, K.S., Kim, M., Lee, D., Park, J.H., Kim, WH. (2018). Security of Stateful Order-Preserving Encryption. In: Kim, H., Kim, DC. (eds) Information Security and Cryptology – ICISC 2017. ICISC 2017. Lecture Notes in Computer Science, vol. 10779. Springer, Cham. https://doi.org/10.1007/978-3-319-78556-1_3
DOI: https://doi.org/10.1007/978-3-319-78556-1_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-78555-4
Online ISBN: 978-3-319-78556-1