Cryptology ePrint Archive: Report 2016/661

Reducing the Leakage in Practical Order-Revealing Encryption

David Cash and Feng-Hao Liu and Adam O'Neill and Cong Zhang

Abstract: We study practical order-revealing encryption (ORE) with a well-defined leakage profile (the information revealed about the plaintexts from their ciphertexts), a direction recently initiated by Chenette, Lewi, Weis, and Wu (CLWW). ORE, which allows public comparison of plaintext order via their ciphertexts, is a useful tool in the design of secure outsourced database systems. We first show a general construction of ORE with reduced leakage as compared to CLWW, by combining ideas from their scheme with a new type of "property-preserving" hash function. We then show how to construct such a hash function efficiently based on bilinear maps. Our resulting ORE scheme is fairly practical: for n-bit plaintexts, ciphertexts consist of about 4n group elements, and order comparison requires about n^2 pairings. The leakage is, roughly speaking, the "equality pattern" of the most-significant differing bits, whereas CLWW's is the location and values of the most-significant differing bits. We also provide a generalization of our scheme that improves the leakage and/or efficiency.

To analyze the quality of our leakage profile, we show several additional results. In particular, we show that order-preserving (OPE) encryption, an important special case of ORE in which ciphertexts are ordered, cannot be secure w.r.t. our leakage profile. This implies that our ORE scheme is the first one without multilinear maps that is proven secure w.r.t. a leakage profile unachievable by OPE. We also show that our generalized scheme meets a "semantically meaningful" one-wayness notion that schemes with the leakage of CLWW do not.
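
The two leakage profiles contrasted in the abstract, computed on plaintext columns, as an added example that is not code from the paper or its authors. It assumes one formalisation of the "equality pattern" (for each message m_i, only whether msdb(m_i, m_j) equals msdb(m_i, m_k) is revealed); the function names and sample columns are constructed for illustration.

```python
from itertools import combinations

def msdb(x, y, n):
    """1-based position, counted from the top bit, of the first bit where
    the n-bit values x and y differ; None when x == y."""
    for v in (x, y):
        if not 0 <= v < (1 << n):
            raise ValueError(f"{v} is not an {n}-bit plaintext")
    diff = x ^ y
    return None if diff == 0 else n - diff.bit_length() + 1

def order_bits(msgs):
    """Pairwise order, which any ORE scheme reveals by design."""
    return {(i, j): msgs[i] < msgs[j]
            for i, j in combinations(range(len(msgs)), 2)}

def clww_leakage(msgs, n):
    """CLWW-style profile: order plus the location of the most-significant
    differing bit of every pair (order then fixes that bit's values)."""
    where = {(i, j): msdb(msgs[i], msgs[j], n)
             for i, j in combinations(range(len(msgs)), 2)}
    return order_bits(msgs), where

def equality_pattern_leakage(msgs, n):
    """Assumed formalisation: order plus, for every i and pair j < k, only
    whether msdb(m_i, m_j) == msdb(m_i, m_k), never the position itself."""
    q = len(msgs)
    same = {(i, j, k): msdb(msgs[i], msgs[j], n) == msdb(msgs[i], msgs[k], n)
            for i in range(q)
            for j, k in combinations([t for t in range(q) if t != i], 2)}
    return order_bits(msgs), same

# Constructed sample columns of 8-bit plaintexts (not data from the paper).
LOW = [1, 2, 4]        # differences sit in the low bits
HIGH = [16, 32, 64]    # same shape, shifted into the high bits
OTHER = [1, 2, 3]      # different equality pattern

if __name__ == "__main__":
    for name, col in (("LOW", LOW), ("HIGH", HIGH), ("OTHER", OTHER)):
        print(name, clww_leakage(col, 8)[1], equality_pattern_leakage(col, 8)[1])
```

LOW and HIGH are told apart by the CLWW-style profile, which exposes the differing-bit positions, but produce the same equality-pattern profile; OTHER differs under both.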

Category / Keywords: applications /

Date: received 27 Jun 2016

Contact author: cz200 at cs rutgers edu, david cash@cs rutgers edu, adam@cs georgetown edu, fenghao liu@fau edu

Version: 20160628:211406

Short URL: ia.cr/2016/661
