## Order Preserving Encryption for Numeric Data (2004)

Citations: 115 (2 self)

### BibTeX

@MISC{Agrawal04orderpreserving,
    author = {Rakesh Agrawal and Jerry Kiernan and Ramakrishnan Srikant and Yirong Xu},
    title = {Order Preserving Encryption for Numeric Data},
    year = {2004}
}

### Abstract

Encryption is a well established technology for protecting sensitive data. However, once encrypted, data can no longer be easily queried aside from exact matches. We present an order-preserving encryption scheme for numeric data that allows any comparison operation to be directly applied on encrypted data. Query results produced are sound (no false hits) and complete (no false drops). Our scheme handles updates gracefully and new values can be added without requiring changes in the encryption of other values. It allows standard database indexes to be built over encrypted tables and can easily be integrated with existing database systems. The proposed scheme has been designed to be deployed in application environments in which the intruder can get access to the encrypted database, but does not have prior domain information such as the distribution of values and cannot encrypt or decrypt arbitrary values of his choice. The encryption is robust against estimation of the true value in such environments.

### Citations

1011 | Applied Cryptography - Schneier - 1995
Citation Context: ...c permission and/or a fee. SIGMOD 2004 June 13-18, 2004, Paris, France. Copyright 2004 ACM 1-58113-859-8/04/06 ...$5.00. Encryption is a well established technology for protecting sensitive data [7] **[22]** [24]. Unfortunately, the integration of existing encryption techniques with database systems causes undesirable performance degradation. For example, if a column of a table containing sensitive infor...

669 | Cryptography: Theory and Practice - Stinson - 1995
Citation Context: ... Encryption is a well established technology for protecting sensitive data [7] [22] **[24]**. Unfortunately, the integration of existing encryption techniques with database systems causes undesirable performance degradation. For example, if a column of a table containing sensitive informatio...

502 | Cryptography and Data Security - Denning - 1982
Citation Context: ... Encryption is a well established technology for protecting sensitive data **[7]** [22] [24]. Unfortunately, the integration of existing encryption techniques with database systems causes undesirable performance degradation. For example, if a column of a table containing sensitive ...

498 | Stochastic Complexity - Rissanen - 1989
Citation Context: .... 3 We also allow the width of value ranges to vary across buckets. However, unlike [16], we do not have a given fixed number of buckets. Rather, we use the minimum description length (MDL) principle **[20]** to determine the number of buckets. 4.1 Bucket Boundaries The bucket boundaries are determined in two phases: 4 1. Growth phase. The space is recursively split into finer partitions. Each partitionin...

219 | Practical techniques for searches on encrypted data - Song, Wagner, et al. - 2000

204 | Executing SQL over encrypted data in the database-service-provider model - Hacıgümüş, Iyer, et al.
Citation Context: ...s of query processing over data encrypted using OPES are exact. They neither contain any false positives nor miss any answer tuple. This feature of OPES sharply differentiates it from schemes such as **[13]** that produce a superset of answer, necessitating filtering of extraneous tuples in a rather expensive and complex post-processing step. OPES handles updates gracefully. A value in a column can be mod...

192 | Hippocratic databases - Agrawal, Kiernan, et al. - 2002
Citation Context: ...ting its contents. Drawing upon privacy legislations and guidelines worldwide, Hippocratic databases also identify the protection of personal data from unauthorized acquisition as a vital requirement **[1]**. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial a...

191 | SLIQ: A fast scalable classifier for data mining - Mehta, Agrawal, et al. - 1996
Citation Context: ...uities may cause undesirable breaks in the uniformity when we flatten plaintext values. 4 This procedure is reminiscent of the procedure for building decision tree classifiers, and in particular SLIQ **[17]**, but the details are quite different. 4.2 Growth Phase We are given a bucket $[p_l, p_h)$, with $h - l - 1$ (sorted) points: $\{p_{l+1}, p_{l+2}, \ldots, p_{h-1}\}$. We first find the linear spline for this bucket. Next, for...

114 | On data banks and privacy homomorphisms - Rivest, Adleman, et al. - 1978
Citation Context: ...ge is that the B-tree traversal can now be performed by the front-end only by executing a sequence of queries that retrieve tree nodes at progressively deeper level. Other Relevant Work Rivest et al. **[21]** suggest that the limit on manipulating encrypted data arises from the choice of encryption functions used, and there exist encryption functions that permit encrypted data to be operated on directly f...

83 | The history of histograms (abridged) - Ioannidis - 2003
Citation Context: ...unters for a specified number of buckets, and parametric that approximate a distribution by fitting the parameters of a given type of function. We experimented with several histogram-based techniques **[15]**, including equi-depth, equi-width, and wavelet-based methods, but found that the flattened values obtained were not uniformly distributed unless the number of buckets was selected to be unreasonably ...

73 | Balancing confidentiality and efficiency in untrusted relational DBMSs - Damiani, Vimercati, et al.
Citation Context: ...ng is used for bucketization. On the other hand, a fine partitioning makes the scheme vulnerable to estimation exposure, particularly if an equi-width partitioning is used. It has been pointed out in **[6]** that the indexes proposed in [13] can open the door to interference and linking attacks. Instead, they build a B-tree over plaintext values, but then encrypt every tuple and the B-tree at the node le...

42 | An optimal algorithm for generating minimal perfect hash functions - Czech, Havas, et al. - 1992
Citation Context: ...le to be encrypted [18]. However, the encrypted column can no longer participate in indexing as the encryption is not order-preserving. Related work also includes research on order-preserving hashing **[5]** [11]. However, protecting the hash values from cryptanalysis is not the concern of this body of work. Similarly, the construction of original values from the hash values is not required. 3. PROPOSED ...

36 | Processing Encrypted Data - Ahituv, Lapid, et al. - 1987
Citation Context: ...s that permit encrypted data to be operated on directly for many sets of interesting operations. They call these functions “privacy homomorphisms”. The focus of [21] and the subsequent follow-up work **[2]** [8] [9] has been on designing privacy homomorphisms to enable arithmetic on encrypted data, but the comparison operations were not investigated in this line of research. In [10], a simple but effecti...

34 | Chip-Secured Data Access: Confidential Data on Untrusted Servers - Bouganim, Pucheral - 2002
Citation Context: ...his work is the efficient retrieval of encrypted email messages. Naturally, they do not discuss relational queries and it is not clear how their techniques can be adapted for relational databases. In **[4]**, a smart card with encryption and query processing capabilities is used to ensure the authorized and secure retrieval of encrypted data stored on untrusted servers. Encryption keys are Number of poin...

30 | Combining histograms and parametric curve fitting for feedback-driven query result-size estimation - Konig, Weikum - 1999
Citation Context: ...STRIBUTIONS Techniques for modeling data distributions have been studied extensively in the database literature in the context of estimating the costs of different query execution plans. As stated in **[16]**, there are two broad categories of techniques: histogram-based that capture statistical information about a distribution by means of counters for a specified number of buckets, and parametric that ap...

27 | Order-preserving minimal perfect hash functions and information retrieval - Fox, Chen, et al. - 1991
Citation Context: ...o be encrypted [18]. However, the encrypted column can no longer participate in indexing as the encryption is not order-preserving. Related work also includes research on order-preserving hashing [5] **[11]**. However, protecting the hash values from cryptanalysis is not the concern of this body of work. Similarly, the construction of original values from the hash values is not required. 3. PROPOSED ORDER...

23 | Anti-tamper databases: Querying encrypted databases - Özsoyoglu, Singer, et al. - 2003
Citation Context: ... [Figure 3, panel (b) Input: Gaussian; series Original and Encrypted; axis label: Scaled Domain] Figure 3: Polynomial functions: Encryption of different input distributions look different. Polynomial Functions In **[12]**, a sequence of strictly increasing polynomial functions is used for encrypting integer values while preserving their order. These polynomial functions can simply be of the first or second order, with...

19 | GnatDb: A Small-Footprint, Secure Database System - Vingralek - 2002
Citation Context: ...ch is infeasible for real data values. The smart card implementation could benefit from our encryption scheme in that range queries could be translated into equivalent queries over encrypted data. In **[25]**, the security and tamper resistance of a database stored on a smart card is explored. They consider snooping attacks for secrecy, and spoofing, splicing, and replay attacks for tamper resistance. Ret...

18 | Cryptographic Protection of Databases and Software, Distributed Computing and Cryptography - Feigenbaum, Liberman, et al. - 1991
Citation Context: ...sequent follow-up work [2] [8] [9] has been on designing privacy homomorphisms to enable arithmetic on encrypted data, but the comparison operations were not investigated in this line of research. In **[10]**, a simple but effective scheme has been proposed to encrypt a look-up directory consisting of (key, value) pairs. The goal is to allow the corresponding value to be retrieved if and only if a valid k...

10 | A privacy homomorphism allowing field operations on encrypted data. I Jornades de Matematica Discreta i Algorismica, Universitat Politecnica de Catalunya - Domingo-Ferrer, Herrera-Joancomarti - 1998
Citation Context: ...at permit encrypted data to be operated on directly for many sets of interesting operations. They call these functions “privacy homomorphisms”. The focus of [21] and the subsequent follow-up work [2] **[8]** [9] has been on designing privacy homomorphisms to enable arithmetic on encrypted data, but the comparison operations were not investigated in this line of research. In [10], a simple but effective s...

6 | Anti-tamper database research: Inference control techniques - Bebek - 2002
Citation Context: ...rmance measurements from a DB2 implementation. We conclude with a summary and directions for future work in Section 9. 2. RELATED WORK Summation of Random Numbers A simple scheme has been proposed in **[3]** that computes the encrypted value $c$ of integer $p$ as $c = \sum_{j=0}^{p} R_j$, where $R_j$ is the $j$th value generated by a secure pseudo-random number generator $R$. Unfortunately, the cost of making $p$ calls to $R$ for e...

5 | A new privacy homomorphism and applications - Domingo i Ferrer
Citation Context: ...ermit encrypted data to be operated on directly for many sets of interesting operations. They call these functions “privacy homomorphisms”. The focus of [21] and the subsequent follow-up work [2] [8] **[9]** has been on designing privacy homomorphisms to enable arithmetic on encrypted data, but the comparison operations were not investigated in this line of research. In [10], a simple but effective schem...

4 | Database Encryption in Oracle 8i - Corporation - 2000
Citation Context: ...f their techniques apply to general purpose databases not stored in specialized devices. Amongst commercial database products, Oracle 8i allows values in any of the columns of a table to be encrypted **[18]**. However, the encrypted column can no longer participate in indexing as the encryption is not order-preserving. Related work also includes research on order-preserving hashing [5] [11]. However, prot...

2 | Error sends bank files to eBay. The Toronto Star - Hamilton - 2003
Citation Context: ...romised if an unauthorized user simply gains access to the raw database files, bypassing the database access control mechanism altogether. For instance, a recent article published in the Toronto Star **[14]** describes an incident where a disk containing the records of several hundred bank customers was being auctioned on eBay. The bank had inadvertently sold the disk to the eBay re-seller as used equipme...