Efficient Multi-client Order-Revealing Encryption and Its Applications

Abstract

Order-revealing encryption (ORE) is a cryptographic primitive that enables ciphertext comparison while leaking nothing about the underlying plaintext beyond their lexicographic ordering. However, how to achieve efficient and secure ciphertext comparison for multi-user settings is still a challenging problem. In this work, we propose an efficient multi-client order-revealing encryption scheme (named m-ORE) by introducing a new token-based comparison method. Specifically, data owner is enabled to delegate token generation ability to some authorized users without revealing his secret key, and then each authorized user can perform comparison on ciphertexts from multiple data owners by generating the associated comparison tokens. Benefiting from our new method, m-ORE can not only reduce ciphertext size but also improve comparison efficiency, compared with the state-of-the-art (Cash et al. Asiacrypt 2018). Further, we present a non-interactive multi-client range query scheme by extending m-ORE. Finally, we show a formal security analysis and implement our scheme. The evaluation result demonstrates that m-ORE outperforms the scheme by Cash et al. in terms of both query and storage cost while achieving the same level of security.

Appendices

Appendix

A Security Analysis of Range Query Scheme

To define the security of multi-client range query scheme in Sect. 5.1, we first introduce a slight modification to the security notions that by our m-ORE scheme from Sect. 4. Recall that an m-ORE scheme is secure with respect to a leakage profile \(\mathcal {L}_f(\cdot )\) if for any adversarially-chosen sequence of messages \((m_1,\cdots ,m_q)\), there is an efficient simulator \(\mathcal {S}\) that can simulate the real m-ORE ciphertext and token given the leakage \(\mathcal {L}_f(m_1,\cdots ,m_q)\).

Similar to [16], we define a leakage function \(\mathcal {L}_f(\cdot ,\cdot )\) that if there exists an efficient simulator such that for any two adversarially-chosen collections of plaintexts \((m_1,\cdots ,m_q)\) and \((m_1,\cdots ,m_k)\), the simulator can simulate the outputs of \(\textsf {m-ORE.Enc}(\cdot ,m_i)\) and \(\textsf {m-ORE.TGen}(\cdot ,m_j)\) for all \(i\in [q], j\in [k]\) given only the leakage \(\mathcal {L}_f((m_1,\cdots ,m_q),\) \((m_1,\cdots ,m_k))\). That is:

$$\begin{aligned} \mathcal {L}_f((m_1,\cdots ,m_q),(m_1,\cdots ,m_k))=&(\forall 1 \le i,l \le q,1 \le j \le k | \mathbf{1} (m_i<m_j), \\&\mathbf{1} (\textsf {msdb}(m_j,m_i)=\textsf {msdb}(m_j,m_l))) \end{aligned}$$

in which \(q=k\). We argue that this leakage profile is essentially the same as \(\mathcal {L}_f(m_1,\cdots ,m_q)\).

We then define the security of our range query scheme \(\varSigma \) in two different aspects, online and offline security. Online security models the information revealed to a malicious server during Update and Search, while offline security considers the situation of an adversary obtains a one-time snapshot of the encrypted database from the server which was studied by Naveed et al. [19] and Grubbs et al. [13]. First, we formalize the online security as follows:

Theorem 3

For a database \(\mathbf{DB} _i\) containing user i’s data which is essentially a set of m-ORE ciphertext \((c_1,\cdots ,c_q)\) on the server and a sequence of queries \(\mathbf{q} _i\) from user i which is a set of m-ORE token \((t_1,\cdots ,t_k)\). Let \(\mathcal {L}_{RQ}\) be the leakage function.

$$\mathcal {L}_{RQ}(\mathbf{DB} _i,\mathbf{q} _i)=\mathcal {L}_f((m_1,\cdots ,m_q),(m_1,\cdots ,m_k))$$

We say that the range query scheme \(\varSigma \) achieves online security with respect to the leakage function \(\mathcal {L}_{RQ}\).

Proof

The proof follows the proof of Theorem 2 except the leakage profile were substituted by \(\mathcal {L}_f((m_1,\cdots ,m_q),(m_1,\cdots ,m_k))\) which is very similar. And the simulator \(\mathcal {S}\) only needs to output the ciphertexts for \(m_i\) where \(\forall i\in [q]\) and token for \(m_j\) where \(\forall j\in [k]\).

Note that we define the leakage function \(\mathcal {L}_{RQ}\) under a condition that \(\mathbf{DB} \) and \(\mathbf{q} \) are from the same user. It is clear that the leakage will be none if these are from different users. The reason is that m-ORE.Cmp will not work in this case and \(\textsf {msdb}(m_j,m_i)=\textsf {msdb}(m_j,m_l)\) will always hold for all i and j.

The offline security of our range query scheme follows directly from the fact that the encrypted database stored on the server only contains a collection group elements from \(\mathbb {G}_1\) and were generated with random factor, which is simulatable given just the size of the collection.

Theorem 4

The range query scheme \(\varSigma \) is offline secure.

Proof

The proof follows the proof of Theorem 2 except the simulator \(\mathcal {S}\) only needs to simulate the ciphertext for all the messages.