## Order-Preserving Symmetric Encryption

Citations: | 27 - 0 self |

### BibTeX

@MISC{Boldyreva_order-preservingsymmetric,

author = {Ra Boldyreva and Nathan Chenette and Younho Lee},

title = {Order-Preserving Symmetric Encryption},

year = {}

}

### OpenURL

### Abstract

We initiate the cryptographic study of order-preserving symmetric encryption (OPE), a primitive suggested in the database community by Agrawal et al. (SIGMOD ’04) for allowing efficient range queries on encrypted data. Interestingly, we first show that a straightforward relaxation of standard security notions for encryption such as indistinguishability against chosen-plaintext attack (IND-CPA) is unachievable by a practical OPE scheme. Instead, we propose a security notion in the spirit of pseudorandom functions (PRFs) and related primitives asking that an OPE scheme look “as-random-as-possible ” subject to the order-preserving constraint. We then design an efficient OPE scheme and prove its security under our notion based on pseudorandomness of an underlying blockcipher. Our construction is based on a natural relation we uncover between a random order-preserving function and the hypergeometric probability distribution. In particular, it makes black-box use of an efficient sampling algorithm for the latter. 1

### Citations

650 |
How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986
(Show Context)
Citation Context ...st their ordering, namely some information about their relative distances. We return to this point later. An alternative approach. Instead, we take the approach used in defining security e.g. of PRPs =-=[17]-=- or on-line PRPs [5], where one asks that oracle access to the function in question be indistinguishable from access to the corresponding “ideal” random object, e.g. a random permutation or a random o... |

122 | Order preserving encryption for numeric data
- Agrawal, Kiernan, et al.
- 2004
(Show Context)
Citation Context ...rt codes were used, for example, during World War I [3]. A more formal treatment of the concept of order-preserving symmetric encryption (OPE) was proposed in the database community by Agrawal et al. =-=[1]-=-. The reason for new interest in such schemes is that they allow efficient range queries on encrypted data. That is, a remote untrusted database server is able to index the (sensitive) data it receive... |

119 |
Random Number Generation and Monte Carlo Methods
- Gentle
- 2000
(Show Context)
Citation Context ...stribution. Unfortunately, the existence of such an algorithm seems open. It is known that NHG can be approximated by the negative binomial distribution [26], which in turn can be sampled efficiently =-=[16, 14]-=-, and that the approximation improves as M and N grow. However, quantifying the quality of approximation for fixed parameters seems difficult. Instead, we turn to a related probability distribution, n... |

112 | The security of triple encryption and a framework for code-based game-playing proofs
- Bellare, Rogaway
- 2006
(Show Context)
Citation Context ...dom order-preserving function from a specified domain and range on-the-fly (dynamically as new queries are made). (Here we note a connection to implementing huge random objects [18] and lazy sampling =-=[9]-=-.) But it is not immediately clear how this can be done; blockciphers, our usual tool in the symmetric-key setting, do not seem helpful in preserving plaintext order. Our construction takes a differen... |

89 | Conjunctive, subset, and range queries on encrypted data
- Boneh, Waters
- 2007
(Show Context)
Citation Context ...ver, their use necessitates specialized data structures and query formats, which practitioners would prefer to avoid. Allowing range queries on encrypted data in the public-key setting was studied in =-=[11, 28]-=-. While their schemes provably provide strong security, they are not efficient in our setting, requiring to scan the whole database on every query. Finally, we clarify that [1], in addition to suggest... |

87 | Prefix-preserving IP address anonymization: Measurement-based security evaluation and a new cryptography-based scheme
- Xu, Fan, et al.
- 2002
(Show Context)
Citation Context ...sed in practice (e.g. range queries) has remained open. The work of [24] suggested enabling efficient range queries on encrypted data not by using OPE but so-called prefix-preserving encryption (PPE) =-=[31, 5]-=-. Unfortunately, as discussed in [24, 2], PPE schemes are subject to certain attacks in this context; particular queries can completely reveal some of the underlying plaintexts in the database. Moreov... |

85 | New proofs for NMAC and HMAC: Security without collision-resistance
- Bellare
- 2006
(Show Context)
Citation Context ...ic symmetric encryption this was done by [8], which formalizes a notion called indistinguishability under distinct chosen-plaintext attack or IND-DCPA. (The notion was subsequently applied to MACs in =-=[4]-=-.) Since deterministic encryption leaks equality of plaintexts, they restrict the adversary in the IND-CPA experiment to make queries to its left-right-encryption-oracle of the form (x1 0 , x11 ), . .... |

73 |
Deterministic and efficiently searchable encryption
- Bellare, Boldyreva, et al.
- 2007
(Show Context)
Citation Context ...work extends a recent line of research in the cryptographic community addressing efficient (sub-linear time) search on encrypted data, which has been addressed by [2] in the symmetric-key setting and =-=[6, 10, 7]-=- in the public-key setting. However, these works focus mainly on simple exact-match queries. Development and analysis of schemes allowing more complex query types that are used in practice (e.g. range... |

54 |
Discrete-Event Simulation Modeling, Programming and Analysis
- Fishman
- 2001
(Show Context)
Citation Context ...stribution. Unfortunately, the existence of such an algorithm seems open. It is known that NHG can be approximated by the negative binomial distribution [26], which in turn can be sampled efficiently =-=[16, 14]-=-, and that the approximation improves as M and N grow. However, quantifying the quality of approximation for fixed parameters seems difficult. Instead, we turn to a related probability distribution, n... |

54 |
An efficient method for generating discrete random variables with general distributions
- WALKER
- 1977
(Show Context)
Citation Context ... is not an approximation by a related distribution. It is implemented in Wolfram Mathematica and other libraries, and is fast even for large parameters. However, on small parameters the algorithms of =-=[29]-=- perform better. Since the parameter size to HGD in our LazySample algorithms shrinks across the recursive calls from large to small, it could be advantageous to switch algorithms at some threshold. W... |

50 | Locality-Preserving Hashing in Multidimensional Spaces
- Indyk, Motwani, et al.
- 1997
(Show Context)
Citation Context ...ption (ESE) in [6]). Our security notion (in the CPA case) can also be applied to such H. In fact, there has been some work on hash functions that are order-preserving or have some related properties =-=[25, 15, 20]-=-. But none of these works are concerned with security in any sense. Since our 4OPE scheme is efficient and already invertible, we have not tried to build any secure order-preserving hash separately. ... |

50 | MultiDimensional Range Query over Encrypted Data
- Shi, Bethencourt, et al.
- 2007
(Show Context)
Citation Context ...ver, their use necessitates specialized data structures and query formats, which practitioners would prefer to avoid. Allowing range queries on encrypted data in the public-key setting was studied in =-=[11, 28]-=-. While their schemes provably provide strong security, they are not efficient in our setting, requiring to scan the whole database on every query. Finally, we clarify that [1], in addition to suggest... |

49 | On notions of security for deterministic encryption, and efficient constructions without random oracles
- Boldyreva, Fehr, et al.
- 2008
(Show Context)
Citation Context ...work extends a recent line of research in the cryptographic community addressing efficient (sub-linear time) search on encrypted data, which has been addressed by [2] in the symmetric-key setting and =-=[6, 10, 7]-=- in the public-key setting. However, these works focus mainly on simple exact-match queries. Development and analysis of schemes allowing more complex query types that are used in practice (e.g. range... |

43 | Concealed Data Aggregation for Reverse Multicast Traffic
- Westhoff, Girao, et al.
- 2006
(Show Context)
Citation Context ...deed, subsequent to its publication, [1] has been referenced widely in the database community, and OPE has also been suggested for use in in-network aggregation on encrypted data 1in sensor networks =-=[30]-=- and as a tool for applying signal processing techniques to multimedia content protection [13]. Yet a cryptographic study of OPE in the provable-security tradition never appeared. Our work aims to beg... |

35 | Deterministic encryption: Definitional equivalences and constructions without random oracles
- Bellare, Fischlin, et al.
- 2008
(Show Context)
Citation Context ...work extends a recent line of research in the cryptographic community addressing efficient (sub-linear time) search on encrypted data, which has been addressed by [2] in the symmetric-key setting and =-=[6, 10, 7]-=- in the public-key setting. However, these works focus mainly on simple exact-match queries. Development and analysis of schemes allowing more complex query types that are used in practice (e.g. range... |

32 |
Decrypted Secrets - Methods and maxims of Cryptology, 1st ed
- Bauer
- 1997
(Show Context)
Citation Context ...ding ciphertexts, both arranged in alphabetical or numerical order so only a single copy is required for efficient encryption and decryption. One-part codes were used, for example, during World War I =-=[3]-=-. A more formal treatment of the concept of order-preserving symmetric encryption (OPE) was proposed in the database community by Agrawal et al. [1]. The reason for new interest in such schemes is tha... |

29 | Non-expansive hashing
- Linial, Sasson
- 1996
(Show Context)
Citation Context ...ption (ESE) in [6]). Our security notion (in the CPA case) can also be applied to such H. In fact, there has been some work on hash functions that are order-preserving or have some related properties =-=[25, 15, 20]-=-. But none of these works are concerned with security in any sense. Since our 4OPE scheme is efficient and already invertible, we have not tried to build any secure order-preserving hash separately. ... |

29 | A provable-security treatment of the key-wrap problem
- Rogaway, Shrimpton
- 2006
(Show Context)
Citation Context ... the target-applications require. (Such an approach was taken previously in the case of deterministic public-key encryption [6, 10, 7], on-line ciphers [5], and deterministic authenticated encryption =-=[27]-=-.) Weakening IND-CPA. One approach is to try to weaken the IND-CPA definition appropriately. Indeed, in the case of deterministic symmetric encryption this was done by [8], which formalizes a notion c... |

28 | Order preserving minimal perfect hash functions and information retrieval
- Fox, Chen, et al.
- 1991
(Show Context)
Citation Context ...ption (ESE) in [6]). Our security notion (in the CPA case) can also be applied to such H. In fact, there has been some work on hash functions that are order-preserving or have some related properties =-=[25, 15, 20]-=-. But none of these works are concerned with security in any sense. Since our 4OPE scheme is efficient and already invertible, we have not tried to build any secure order-preserving hash separately. ... |

25 |
Computer generation of hypergeometric random variates
- Kachitvichyanukul, Schmeiser
- 1985
(Show Context)
Citation Context ...s seems difficult. Instead, we turn to a related probability distribution, namely the hypergeometric (HG) distribution, for which a very efficient exact (not approximated) sampling algorithm is known =-=[22, 23]-=-. In our balls-and-bin model with M black and N − M white balls, the random variable X specifying the number of black balls in our sample as soon as y balls are picked follows the HG distribution. The... |

22 | Authenticated encryption in SSH: Provably Fixing the SSH Binary Packet Protocol
- Bellare, Kohno, et al.
- 2002
(Show Context)
Citation Context ...ic authenticated encryption [27].) Weakening IND-CPA. One approach is to try to weaken the IND-CPA definition appropriately. Indeed, in the case of deterministic symmetric encryption this was done by =-=[8]-=-, which formalizes a notion called indistinguishability under distinct chosen-plaintext attack or IND-DCPA. (The notion was subsequently applied to MACs in [4].) Since deterministic encryption leaks e... |

18 | OMAC: One-Key CBC MAC
- Iwata, Kurosawa
- 2003
(Show Context)
Citation Context ...bove for a VOL-PRG adversary making 1 query, and then the proposition follows by a standard hybrid argument. Now, to instantiate the VIL-PRF F in the TapeGen construction, we suggest OMAC (aka. CMAC) =-=[21]-=-, which is also blockcipher-based and introduces no additional assumption. Then the secret-key for TapeGen consists only of that for OMAC, which in turn consists of just one key for the underlying blo... |

17 |
Provably-secure schemes for basic query support in outsourced databases
- Amanatidis, Boldyreva, et al.
- 2007
(Show Context)
Citation Context ...dy this situation. Related Work. Our work extends a recent line of research in the cryptographic community addressing efficient (sub-linear time) search on encrypted data, which has been addressed by =-=[2]-=- in the symmetric-key setting and [6, 10, 7] in the public-key setting. However, these works focus mainly on simple exact-match queries. Development and analysis of schemes allowing more complex query... |

16 | On-Line Ciphers and the Hash-CBC Constructions
- Bellare, Boldyreva, et al.
- 2001
(Show Context)
Citation Context ...sed in practice (e.g. range queries) has remained open. The work of [24] suggested enabling efficient range queries on encrypted data not by using OPE but so-called prefix-preserving encryption (PPE) =-=[31, 5]-=-. Unfortunately, as discussed in [24, 2], PPE schemes are subject to certain attacks in this context; particular queries can completely reveal some of the underlying plaintexts in the database. Moreov... |

7 | T.: Perfect Block Ciphers with Small Blocks
- Granboulan, Pornin
- 2007
(Show Context)
Citation Context ...GD are the running-times of the sampling algorithms for the respective distributions), but we show that it is O(log M) · THGD on average. We note that the hypergeometric distribution was also used in =-=[19]-=- for sampling pseudorandom permutations and constructing blockciphers for short inputs. The authors of [19] were unaware of the efficient sampling algorithms for HG [22, 23] and provided their own rea... |

7 |
Efficiency and security trade-off in supporting range queries on encrypted databases
- Li, Omiecinski
- 2005
(Show Context)
Citation Context ...e works focus mainly on simple exact-match queries. Development and analysis of schemes allowing more complex query types that are used in practice (e.g. range queries) has remained open. The work of =-=[24]-=- suggested enabling efficient range queries on encrypted data not by using OPE but so-called prefix-preserving encryption (PPE) [31, 5]. Unfortunately, as discussed in [24, 2], PPE schemes are subject... |

5 |
Protection and retrieval of encrypted multimedia content: when cryptography meets signal processing
- Erkin, Piva, et al.
- 2007
(Show Context)
Citation Context ... and OPE has also been suggested for use in in-network aggregation on encrypted data 1in sensor networks [30] and as a tool for applying signal processing techniques to multimedia content protection =-=[13]-=-. Yet a cryptographic study of OPE in the provable-security tradition never appeared. Our work aims to begin to remedy this situation. Related Work. Our work extends a recent line of research in the c... |

4 | Algorithm 668: H2PEC: Sampling from the hypergeometric distribution - Kachitvichyanukul, Schmeiser - 1988 |

1 |
Cem Say and A. Kutsi Nircan. Random generation of monotonic functions for Monte Carlo solution of qualitative differential equations. Automatica
- C
- 2005
(Show Context)
Citation Context ... result may also be of independent interest, since the more general question of what functions can be lazy-sampled is interesting in its own right, and it may find other applications as well, e.g. to =-=[12]-=-. We first uncover a connection between a random order-preserving function and the hypergeometric (HG) probability distribution. 4.1 The Hypergeometric Connection To gain some intuition we start with ... |

1 |
Miño. Exact and approximated relations between negative hypergeometric and negative binomial probabilities
- López-Blázquez, Salamanca
(Show Context)
Citation Context ... an efficient sampling algorithm for the NHG distribution. Unfortunately, the existence of such an algorithm seems open. It is known that NHG can be approximated by the negative binomial distribution =-=[26]-=-, which in turn can be sampled efficiently [16, 14], and that the approximation improves as M and N grow. However, quantifying the quality of approximation for fixed parameters seems difficult. Instea... |