Download presentation
Presentation is loading. Please wait.
Published byElijah Newman Modified over 8 years ago
1
Practical Order-Revealing Encryption with Limited Leakage Nathan Chenette, Kevin Lewi, Stephen A. Weis, and David J. Wu Fast Software Encryption March, 2016
2
Order-Revealing Encryption [BRLSZZ15] Client Server secret-key encryption scheme
3
Order-Revealing Encryption [BRLSZZ15] Server Application: range queries / binary search on encrypted data
4
Order-Revealing Encryption [BRLSZZ15] given any two ciphertexts there is a publically evaluatable function that evaluates the comparison function
5
Defining Security Starting point: semantic security (IND-CPA) [GM84] challenger adversary
6
Best-Possible Security [BCLO09] must impose restriction on messages: otherwise trivial to break semantic security using comparison operator
7
Best-Possible Security [BCLO09]
8
order of “left” set of messages same as order of “right” set of messages
9
Existing Approaches
10
Multilinear-map-based Solution [BRLSZZ15] Much more efficient than general purpose indistinguishability obfuscation Achieves best-possible security Security of multilinear maps not well-understood Still quite inefficient (e.g., ciphertexts on the order of GB)
11
Existing Approaches
12
Order-preserving encryption (OPE) [BCLO09, BCO11]: No “best-possible” security, so instead, compare with random order-preserving function (ROPF) encryption function implements a random order-preserving function domainrange
13
Existing Approaches Properties of a random order-preserving function [BCO’11]: Each ciphertext roughly leaks half of the most significant bits Each pair of ciphertexts roughly leaks half of the most significant bits of their difference No semantic security for even a single message!
14
Existing Approaches Security Efficiency General-purpose MIFE from iO Direct construction from multilinear maps OPE Something in between? Not drawn to scale
15
A New Security Notion Two existing security notions: IND-OCPA: strong security, but hard to achieve efficiently ROPF-CCA: efficiently constructible, but lots of leakage, and difficult to precisely quantify the leakage
16
A New Security Notion: SIM-ORE ??? Real WorldIdeal World
17
A New Security Notion: SIM-ORE
19
Our Construction 100101100011
20
100101
21
100101 empty prefix
22
Our Construction 100101
23
100101
24
100101100011 same prefix = same ciphertext block different prefix = value computationally hidden first block that differs
25
Our Construction: Efficiency 100101
26
Our Construction: Security 100101 Security follows directly from security of the PRF Proof sketch. Simulator responds to encryption queries using random strings. Maintains consistency using leakage information (first bit that differs).
27
OPE Conversion 100101 100011 In database applications, OPE preferred over ORE since it does not require changes to the DBMS (e.g., supporting custom comparator)
28
OPE Conversion 100101
29
100101 Note: unlike most existing OPE schemes, this OPE scheme is not a ROPF, and does not suffer from many of the security limitations of ROPFs
30
Comparison to Previous OPE Schemes
31
message space ciphertext space guess interval Window one-wayness: Much weaker than semantic security!
32
Comparison to Previous OPE Schemes
34
Composing OPE with ORE Possible to compose OPE with ORE to achieve more secure OPE scheme: Resulting construction strictly stronger than inner OPE scheme, but may not be more secure than directly applying ORE to plaintext
35
General-purpose MIFE from iO Direct construction from multilinear maps The Landscape of OPE/ORE Security Efficiency OPE Our construction Not drawn to scale
36
General-purpose MIFE from iO Direct construction from multilinear maps Directions for Future Research Security Efficiency OPE Our construction Shorter ciphertexts? New leakage functions? Best-possible ORE from standard assumptions? Not drawn to scale
37
Sample Implementation: https://github.com/kevinlewi/fastore Project Website: https://crypto.stanford.edu/ore/
38
Questions? http://eprint.iacr.org/2015/1125
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.