Paper 2017/1086

Order-Revealing Encryption: File-Injection Attack and Forward Security

Xingchen Wang and Yunlei Zhao

Abstract

Order-preserving encryption (OPE) and order-revealing encryption (ORE) are among the core ingredients for encrypted database (EDB) systems as secure cloud storage. In this work, we study the leakage of OPE and ORE and their forward security. We propose generic yet powerful file-injection attacks (FIAs) on OPE/ORE, aimed at the situations of possessing order by and range queries. The FIA schemes only exploit the ideal leakage of OPE/ORE (in particular, no need of data denseness or frequency). We also improve its efficiency with the frequency statistics using a hierarchical idea such that the high-frequency values will be recovered more quickly. Compared with other attacks against OPE/ORE proposed in recent years, our FIA attacks rely upon less demanding conditions and are more effective for attacking the systems with the function of data sharing or transferring like encrypted email system. We executed some experiments on real datasets to test the performance, and the results show that our FIA attacks can cause an extreme hazard on most of the existing OPE and ORE schemes with high efficiency and 100% recovery rate. In order to resist the perniciousness of FIA, we propose a practical compilation framework for achieving forward secure ORE. The compilation framework only uses some simple cryptographical tools like pseudo-random function, hash function and trapdoor permutation. It can transform most of the existing OPE/ORE schemes into forward secure ORE schemes, with the goal of minimizing the extra burden incurred on computation and storage. We also present its security proof and execute some experiments to analyze its performance.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. Major revision. ESORICS 2018
DOI
10.1007/978-3-319-98989-1
Keywords
Order-revealing EncryptionOrder-preserving EncryptionFile-injection AttackForward Security
Contact author(s)
xingchenwang16 @ fudan edu cn
History
2018-11-12: last of 2 revisions
2017-11-10: received
See all versions
Short URL
https://ia.cr/2017/1086
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2017/1086,
      author = {Xingchen Wang and Yunlei Zhao},
      title = {Order-Revealing Encryption: File-Injection Attack and Forward Security},
      howpublished = {Cryptology {ePrint} Archive, Paper 2017/1086},
      year = {2017},
      doi = {10.1007/978-3-319-98989-1},
      url = {https://eprint.iacr.org/2017/1086}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.