Abstract
Order-revealing encryption (ORE) is a cryptographic primitive that enables ciphertext comparison while leaking nothing about the underlying plaintext beyond their lexicographic ordering. However, how to achieve efficient and secure ciphertext comparison for multi-user settings is still a challenging problem. In this work, we propose an efficient multi-client order-revealing encryption scheme (named m-ORE) by introducing a new token-based comparison method. Specifically, data owner is enabled to delegate token generation ability to some authorized users without revealing his secret key, and then each authorized user can perform comparison on ciphertexts from multiple data owners by generating the associated comparison tokens. Benefiting from our new method, m-ORE can not only reduce ciphertext size but also improve comparison efficiency, compared with the state-of-the-art (Cash et al. Asiacrypt 2018). Further, we present a non-interactive multi-client range query scheme by extending m-ORE. Finally, we show a formal security analysis and implement our scheme. The evaluation result demonstrates that m-ORE outperforms the scheme by Cash et al. in terms of both query and storage cost while achieving the same level of security.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
OpenSSL: Cryptography and SSL/TLS toolkit. https://www.openssl.org/
Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: Order preserving encryption for numeric data. In: Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data, SIGMOD 2004, pp. 563–574 (2004)
Boldyreva, A., Chenette, N., Lee, Y., O’Neill, A.: Order-preserving symmetric encryption. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 224–241. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_13
Boldyreva, A., Chenette, N., O’Neill, A.: Order-preserving encryption revisited: improved security analysis and alternative solutions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 578–595. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_33
Boneh, D., Lewi, K., Raykova, M., Sahai, A., Zhandry, M., Zimmerman, J.: Semantically secure order-revealing encryption: multi-input functional encryption without obfuscation. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 563–594. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_19
Cash, D., Grubbs, P., Perry, J., Ristenpart, T.: Leakage-abuse attacks against searchable encryption. In: Ray, I., Li, N., Kruegel, C. (eds.) Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, pp. 668–679. ACM (2015)
Cash, D., Liu, F.-H., O’Neill, A., Zhandry, M., Zhang, C.: Parameter-hiding order revealing encryption. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 181–210. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_7
Chenette, N., Lewi, K., Weis, S.A., Wu, D.J.: Practical order-revealing encryption with limited leakage. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 474–493. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_24
Durak, F.B., DuBuisson, T.M., Cash, D.: What else is revealed by order-revealing encryption? In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 1155–1166 (2016)
Dyer, J., Dyer, M., Djemame, K.: Order-preserving encryption using approximate common divisors. J. Inform. Secur. Appl. 49, 102391 (2019)
Eom, J., Lee, D.H., Lee, K.: Multi-client order-revealing encryption. IEEE Access 6, 45458–45472 (2018)
Granlund, T., the GMP development team: GNU MP: the GNU multiple precision arithmetic library. https://gmplib.org/
Grubbs, P., Sekniqi, K., Bindschaedler, V., Naveed, M., Ristenpart, T.: Leakage-abuse attacks against order-revealing encryption. In: Proceedings of the 2017 IEEE Symposium on Security and Privacy, S&P 2017, pp. 655–672. IEEE (2017)
Kerschbaum, F.: Frequency-hiding order-preserving encryption. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, pp. 656–667 (2015)
Kerschbaum, F., Schröpfer, A.: Optimal average-complexity ideal-security order-preserving encryption. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS 2014, pp. 275–286 (2014)
Lewi, K., Wu, D.J.: Order-revealing encryption: new constructions, applications, and lower bounds. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 1167–1178 (2016)
Li, Y., Wang, H., Zhao, Y.: Delegatable order-revealing encryption. In: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, AsiaCCS 2019, pp. 134–147 (2019)
Lynn, B., other contributors: The pairing-based cryptography library. https://crypto.stanford.edu/pbc/
Naveed, M., Kamara, S., Wright, C.V.: Inference attacks on property-preserving encrypted databases. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, pp. 644–655 (2015)
Popa, R.A., Li, F.H., Zeldovich, N.: An ideal-security protocol for order-preserving encoding. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy, S&P 2013, pp. 463–477. IEEE (2013)
Roche, D.S., Apon, D., Choi, S.G., Yerukhimovich, A.: POPE: partial order preserving encoding. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 1131–1142 (2016)
Tang, Q.: Nothing is for free: security in searching shared and encrypted data. IEEE Trans. Inf. Forensics Secur. 9(11), 1943–1952 (2014)
Acknowledgments
This work was supported by the National Natural Science Foundation of China (Nos. 62072357 and 61960206014), the Preferential Funding for Scientific and Technological Activities of Overseas Students in Shaanxi Province (No. 2019-25), the Fundamental Research Funds for the Central Universities (No. JB211503), and Innovation Fund of Xidian University (No. YJS2114).
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Appendices
Appendix
A Security Analysis of Range Query Scheme
To define the security of multi-client range query scheme in Sect. 5.1, we first introduce a slight modification to the security notions that by our m-ORE scheme from Sect. 4. Recall that an m-ORE scheme is secure with respect to a leakage profile \(\mathcal {L}_f(\cdot )\) if for any adversarially-chosen sequence of messages \((m_1,\cdots ,m_q)\), there is an efficient simulator \(\mathcal {S}\) that can simulate the real m-ORE ciphertext and token given the leakage \(\mathcal {L}_f(m_1,\cdots ,m_q)\).
Similar to [16], we define a leakage function \(\mathcal {L}_f(\cdot ,\cdot )\) that if there exists an efficient simulator such that for any two adversarially-chosen collections of plaintexts \((m_1,\cdots ,m_q)\) and \((m_1,\cdots ,m_k)\), the simulator can simulate the outputs of \(\textsf {m-ORE.Enc}(\cdot ,m_i)\) and \(\textsf {m-ORE.TGen}(\cdot ,m_j)\) for all \(i\in [q], j\in [k]\) given only the leakage \(\mathcal {L}_f((m_1,\cdots ,m_q),\) \((m_1,\cdots ,m_k))\). That is:
in which \(q=k\). We argue that this leakage profile is essentially the same as \(\mathcal {L}_f(m_1,\cdots ,m_q)\).
We then define the security of our range query scheme \(\varSigma \) in two different aspects, online and offline security. Online security models the information revealed to a malicious server during Update and Search, while offline security considers the situation of an adversary obtains a one-time snapshot of the encrypted database from the server which was studied by Naveed et al. [19] and Grubbs et al. [13]. First, we formalize the online security as follows:
Theorem 3
For a database \(\mathbf{DB} _i\) containing user i’s data which is essentially a set of m-ORE ciphertext \((c_1,\cdots ,c_q)\) on the server and a sequence of queries \(\mathbf{q} _i\) from user i which is a set of m-ORE token \((t_1,\cdots ,t_k)\). Let \(\mathcal {L}_{RQ}\) be the leakage function.
We say that the range query scheme \(\varSigma \) achieves online security with respect to the leakage function \(\mathcal {L}_{RQ}\).
Proof
The proof follows the proof of Theorem 2 except the leakage profile were substituted by \(\mathcal {L}_f((m_1,\cdots ,m_q),(m_1,\cdots ,m_k))\) which is very similar. And the simulator \(\mathcal {S}\) only needs to output the ciphertexts for \(m_i\) where \(\forall i\in [q]\) and token for \(m_j\) where \(\forall j\in [k]\).
Note that we define the leakage function \(\mathcal {L}_{RQ}\) under a condition that \(\mathbf{DB} \) and \(\mathbf{q} \) are from the same user. It is clear that the leakage will be none if these are from different users. The reason is that m-ORE.Cmp will not work in this case and \(\textsf {msdb}(m_j,m_i)=\textsf {msdb}(m_j,m_l)\) will always hold for all i and j.
The offline security of our range query scheme follows directly from the fact that the encrypted database stored on the server only contains a collection group elements from \(\mathbb {G}_1\) and were generated with random factor, which is simulatable given just the size of the collection.
Theorem 4
The range query scheme \(\varSigma \) is offline secure.
Proof
The proof follows the proof of Theorem 2 except the simulator \(\mathcal {S}\) only needs to simulate the ciphertext for all the messages.
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Lv, C., Wang, J., Sun, SF., Wang, Y., Qi, S., Chen, X. (2021). Efficient Multi-client Order-Revealing Encryption and Its Applications. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12973. Springer, Cham. https://doi.org/10.1007/978-3-030-88428-4_3
Download citation
DOI: https://doi.org/10.1007/978-3-030-88428-4_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88427-7
Online ISBN: 978-3-030-88428-4
eBook Packages: Computer ScienceComputer Science (R0)