Order-Revealing Encryption: New Constructions, Applications, and Lower Bounds

In the last few years, there has been significant interest in developing
methods to search over encrypted data. In the case of range queries, a simple
solution is to encrypt the contents of the database using an order-preserving
encryption (OPE) scheme (i.e., an encryption scheme that supports comparisons
over encrypted values). However, Naveed et al. (CCS 2015) recently showed that
OPE-encrypted databases are extremely vulnerable to inference attacks.

In this work, we consider a related primitive called order-revealing
encryption (ORE), which is a generalization of OPE that allows for stronger
security. We begin by constructing a new ORE scheme for small message spaces
which achieves the best-possible notion of security for ORE. Next, we
introduce a domain-extension technique and apply it to our
small-message-space ORE. While our domain-extension technique does incur
a loss in security, the resulting ORE scheme we obtain is more secure than all
existing (stateless and non-interactive) OPE and ORE schemes which are
practical. All of our constructions rely only on symmetric primitives. As part
of our analysis, we also give a tight lower bound for OPE and show that no
efficient OPE scheme can satisfy best-possible security if the message space
contains just three messages. Thus, achieving strong notions of security for
even small message spaces requires moving beyond OPE.

Finally, we examine the properties of our new ORE scheme and show how to use
it to construct an efficient range query protocol that is robust against the
inference attacks of Naveed et al. We also give a full implementation of our
new ORE scheme, and show that not only is our scheme more secure than existing
OPE schemes, it is also faster: encrypting a 32-bit integer requires just 55
microseconds, which is more than 65 times faster than existing OPE schemes.