Order-Preserving Symmetric Encryption

Post on 14-Jan-2016

description

Order-Preserving Symmetric Encryption. Alexandra Boldyreva, Nathan Chenette, Younho Lee and Adam O’Neill. EUROCRYPT 2009, LNCS 5479, pp. 224-241. Outline: Introduction; OPE and Its Security; Lazy Sampling a Random Order-Preserving Function; OPE Scheme and Its Analysis; Conclusion.

Transcript of Order-Preserving Symmetric Encryption

1

Order-Preserving Symmetric Encryption

Alexandra Boldyreva, Nathan Chenette, Younho Lee and Adam O’Neill

EUROCRYPT 2009, LNCS 5479, pp. 224-241

2

Outline

Introduction

OPE and Its Security

Lazy Sampling a Random Order-Preserving Function

OPE Scheme and Its Analysis

Conclusion

3

Introduction

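Order-preserving symmetric encryption (OPE).

OPE, used in the form of one-part codes, has a fairly long history that can be traced back to World War I.

The ciphertext corresponding to a plaintext is obtained by scrambling alphabetical or numerical order.

The more valuable recent research is the application of OPE in the database community, proposed by Agrawal et al. in 2004.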

4

Introduction

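An OPE scheme should support efficient range queries on encrypted data.

Efficient here means O(lg n) time, where n is the amount of data in the database.

HVE and MRQED are not efficient: answering a query requires scanning the entire database.

No provable-security analysis of OPE has been given so far; the authors want to fill this gap.

OPE cannot satisfy all security definitions, for example IND-CPA.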

6

OPE and Its Security

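IND-CPA

LR(·,·,b): on input $m_0$ and $m_1$, return $m_b$.

Symmetric encryption scheme SE = (K, ENC, DEC), adversary A, b ∈ {0,1}.

We require that each query $(m_0, m_1)$ that A makes to its oracle satisfies $|m_0| = |m_1|$.

Experiment $\mathbf{Exp}^{\text{IND-CPA-}b}_{SE}(A)$:

$$K \xleftarrow{R} \mathcal{K}; \qquad d \xleftarrow{R} A^{ENC(K,\, LR(\cdot,\cdot,b))}; \qquad \text{return } d$$

$$\mathbf{Adv}^{\text{IND-CPA}}_{SE}(A) = \Pr\left[\mathbf{Exp}^{\text{IND-CPA-}1}_{SE}(A) = 1\right] - \Pr\left[\mathbf{Exp}^{\text{IND-CPA-}0}_{SE}(A) = 1\right]$$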

7

OPE and Its Security

OPE cannot satisfy IND-CPA.

Deterministic.

Leaks the order relations among the plaintexts.

Since IND-CPA cannot be satisfied, the authors try to weaken IND-CPA so that OPE can satisfy it.

Following IND-DCPA (indistinguishability under distinct chosen-plaintext attack), proposed by M. Bellare et al. in "Authenticated encryption in SSH: provably fixing the SSH binary packet protocol", CCS ’02, pp. 1-11, 2002,

they propose IND-OCPA (indistinguishability under ordered chosen-plaintext attack).

8

OPE and Its Security

IND-DCPA

Restricted to make only distinct queries.

Adversary A makes queries $(m_0^1, m_1^1), \ldots, (m_0^q, m_1^q)$.

Require that $m_b^1, m_b^2, \ldots, m_b^q$ are all distinct for b ∈ {0,1}.

9

OPE and Its Security

IND-OCPA

Adversary A makes queries $(m_0^1, m_1^1), \ldots, (m_0^q, m_1^q)$ such that

$m_0^i < m_0^j$ iff $m_1^i < m_1^j$ for all $1 \le i, j \le q$.

10

OPE and Its Security

IND-OCPA looks feasible but is useless in practice, unless the size of the ciphertext space is exponential in the size of the plaintext space.

Let SE = (K, ENC, DEC) be an order-preserving encryption scheme with plaintext-space [M] and ciphertext-space [N] for M, N ∈ ℕ s.t. $2^{k-1} \le N < 2^k$ for some k ∈ ℕ. Then there exists an IND-OCPA adversary A against SE s.t.

$$\mathbf{Adv}^{\text{IND-OCPA}}_{SE}(A) \ge 1 - \frac{2k}{M-1}$$

Furthermore, A runs in time O(log N) and makes 3 oracle queries.

11

OPE and Its Security

Big jump and big reverse-jump

For an order-preserving function f : [M] → [N]:

i ∈ {3, …, M−1} is a big jump if the f-distance to the next point is as big as the sum of all the previous: f(i+1) − f(i) ≥ f(i) − f(1).

i ∈ {2, …, M−2} is a big reverse-jump if f(i) − f(i−1) ≥ f(M) − f(i).

12

OPE and Its Security

Big jump and big reverse-jump

Big Jump

i is a big jump if f(i+1) − f(i) ≥ f(i) − f(1)

i is a big reverse-jump if f(i) − f(i−1) ≥ f(M) − f(i)

13

OPE and Its Security

Big jump attack

Consider the IND-OCPA adversary A against SE:

Adversary $A^{ENC(K,\, LR(\cdot,\cdot,b))}$

    m ←R {1, ..., M−1}

    c1 ← ENC(K, LR(1, m, b))

    c2 ← ENC(K, LR(m, m+1, b))

    c3 ← ENC(K, LR(m+1, M, b))

    return 1 if (c3 − c2) > (c2 − c1)

    else return 0

14

OPE and Its Security

Big jump and big reverse-jump

Big Jump

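In each case below, the first value is for b = 0 and the second for b = 1.

m = 5: c1 = 24 or 35, c2 = 35 or 36, c3 = 36 or 45, so c3 – c2 = 1 or 9 and c2 – c1 = 11 or 1. If (c3 – c2) > (c2 – c1), adversary A guesses b = 1; else adversary A guesses b = 0.

m = 4: c1 = 24 or 27, c2 = 27 or 35, c3 = 35 or 45, so c3 – c2 = 8 or 10 and c2 – c1 = 3 or 8. If (c3 – c2) > (c2 – c1), adversary A guesses b = 1; else adversary A guesses b = 0.

We assume that f has k big jumps. Then

$$\Pr\left[\mathbf{Exp}^{\text{IND-OCPA-}1}_{SE}(A) = 1\right] \ge \frac{(M-1) - k}{M-1} = 1 - \frac{k}{M-1}$$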

15

OPE and Its Security

Big jump attack and OPE scheme

The adversary distinguishes between ciphertexts that are very close and those that are far apart.

The attack shows that any practical OPE scheme inherently leaks more information about the plaintexts than just their ordering: it also leaks some information about their relative distances.
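The three-query adversary from the slides above, run against uniformly random order-preserving functions and compared with the 1 − 2k/(M−1) bound. This is an added example, not code from the slides or the paper; `SLIDE_F` is a constructed function that only agrees with the slide's worked values, and the function names are assumptions.

```python
import random

# Constructed f: [10] -> [45], chosen to agree with the slide's values
# f(1)=24, f(4)=27, f(5)=35, f(6)=36, f(M)=45; the other points are made up.
SLIDE_F = [24, 25, 26, 27, 35, 36, 39, 41, 42, 45]

def random_opf(M, N, rng):
    """A uniformly random order-preserving f: [M] -> [N] is a sorted M-subset of [N]."""
    return sorted(rng.sample(range(1, N + 1), M))

def big_jump_adversary(enc_lr, M, m):
    """The three-query adversary A from the slides, for a given choice of m."""
    c1 = enc_lr(1, m)
    c2 = enc_lr(m, m + 1)
    c3 = enc_lr(m + 1, M)
    return 1 if (c3 - c2) > (c2 - c1) else 0

def run(points, b, m):
    """One IND-OCPA experiment: the oracle ENC(K, LR(., ., b)) encrypts m_b."""
    enc_lr = lambda m0, m1: points[(m1 if b else m0) - 1]
    return big_jump_adversary(enc_lr, len(points), m)

def estimate_advantage(M, N, trials, seed=1):
    """Empirical Pr[A outputs 1 | b=1] - Pr[A outputs 1 | b=0] over fresh random f."""
    rng = random.Random(seed)
    hits = [0, 0]
    for _ in range(trials):
        for b in (0, 1):
            f = random_opf(M, N, rng)
            hits[b] += run(f, b, rng.randint(1, M - 1))
    return (hits[1] - hits[0]) / trials

def theorem_bound(M, N):
    k = N.bit_length()            # the k with 2^(k-1) <= N < 2^k
    return 1 - 2 * k / (M - 1)
```

With m = 4 on `SLIDE_F` the adversary answers 1 for both values of b, because m = 4 is a big jump there; the bound counts exactly those losing choices of m.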

16

OPE and Its Security

The authors try to restrict the power of adversary A in IND-OCPA.

By way of pseudorandom functions (PRFs) or permutations (PRPs), the adversary should be unable to distinguish between oracle access to ENC of the scheme and oracle access to the corresponding ideal object.

Pseudorandom order-preserving function against chosen-ciphertext attack, POPF-CCA.

17

OPE and Its Security

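POPF-CCA

Order-preserving encryption scheme SE = (K, ENC, DEC), plaintext-space D, ciphertext-space R, |D| ≤ |R|.

$\mathrm{OPF}_{D,R}$ denotes the set of all order-preserving functions from D to R.

Adversary A against SE with advantage

$$\mathbf{Adv}^{\text{POPF-CCA}}_{SE}(A) = \Pr\left[A^{ENC(K,\cdot),\, DEC(K,\cdot)} = 1\right] - \Pr\left[A^{g(\cdot),\, g^{-1}(\cdot)} = 1\right]$$

where $K \xleftarrow{R} \mathcal{K}$ and $g \xleftarrow{R} \mathrm{OPF}_{D,R}$.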

19

Lazy Sampling a Random Order-Preserving Function

Lazy Sampling

POPF-CCA is useful.

Need a way to implement A’s oracles in the “ideal” experiment efficiently.

How to lazy sample a random order-preserving function and its inverse.

A connection between a random order-preserving function and the hypergeometric probability distribution.

20

Lazy Sampling a Random Order-Preserving Function

The set $\mathrm{OPF}_{D,R}$: all order-preserving functions from a domain D of size M to a range R of size N > M.

The set of all possible combinations of M out of N ordered items.

21

Lazy Sampling a Random Order-Preserving Function

Domain

Range

set S = {24, 25, 27, 35, 36, 39, 41, 42, 44, 45}

22

Lazy Sampling a Random Order-Preserving Function

For all M, N ∈ ℕ and any x, x+1 ∈ [M], y ∈ [N]:

$$\Pr\left[f(x) \le y < f(x+1) \;\middle|\; f \xleftarrow{R} \mathrm{OPF}_{D,R}\right] = \frac{C^{y}_{x}\, C^{N-y}_{M-x}}{C^{N}_{M}}$$

23

Lazy Sampling a Random Order-Preserving Function

Hypergeometric distribution

Hypergeometric experiment:

A random sample of size M is selected without replacement from N items.

y of the N items may be classified as successes and N−y are classified as failures.

$$h(x; N, M, y) = \frac{C^{y}_{x}\, C^{N-y}_{M-x}}{C^{N}_{M}}$$

24

Lazy Sampling a Random Order-Preserving Function

Hypergeometric distribution

25

Lazy Sampling a Random Order-Preserving Function

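Hypergeometric distribution

There is a batch of 40 light bulbs; the batch is rejected when quality control finds 3 defective bulbs. Suppose quality control picks 5 bulbs at random to inspect. What is the probability that exactly 1 defective bulb is found?

N = 40, M = 5, y = 3

X = number of defective bulbs found ~ h(x; N, M, y) = h(x; 40, 5, 3)

$$\Pr(X = 1) = \frac{C^{y}_{x}\, C^{N-y}_{M-x}}{C^{N}_{M}} = \frac{C^{3}_{1}\, C^{37}_{4}}{C^{40}_{5}} = 0.301$$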

26

Lazy Sampling a Random Order-Preserving Function

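For all M, N ∈ ℕ and any x, x+1 ∈ [M], y ∈ [N]:

$$\Pr\left[f(x) \le y < f(x+1) \;\middle|\; f \xleftarrow{R} \mathrm{OPF}_{D,R}\right] = \frac{C^{y}_{x}\, C^{N-y}_{M-x}}{C^{N}_{M}}$$

$$h(x; N, M, y) = \frac{C^{y}_{x}\, C^{N-y}_{M-x}}{C^{N}_{M}}$$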

27

Lazy Sampling a Random Order-Preserving Function

The LazySample algorithm

Algorithms LazySample, LazySampleInv that lazy sample a random order-preserving function from domain D to range R, |D| ≤ |R|, and its inverse, respectively.

28

Lazy Sampling a Random Order-Preserving Function

The LazySample algorithm

Two subroutines:

HGD(D, R, y ∈ R) = x ∈ D s.t. for each x* ∈ D we have x = x* with probability h(x − d; |R|, |D|, y − r), where d = min(D) – 1, r = min(R) – 1.

GetCoins($1^\ell$, D, R, b||z) = cc ∈ $\{0,1\}^\ell$, where b ∈ {0,1} and z ∈ R if b = 0 and z ∈ D otherwise.

29

Lazy Sampling a Random Order-Preserving Function

The LazySample algorithm

Joint state: arrays F and I

Array I: the number of points in D that are mapped to range point y.

Array F: the image of m under the lazy-sampled function.

30

Lazy Sampling a Random Order-Preserving Function

The LazySample algorithm

LazySample employs a strategy of mapping range gaps to domain gaps in a recursive, binary-search manner.

By range gap or domain gap we mean an imaginary barrier between two consecutive points in the range or domain.

31

Introduction

32

Lazy Sampling a Random Order-Preserving Function

The LazySample algorithm

Suppose GetCoins returns truly random coins on each new input. Then for any algorithm A we have

$$\Pr\left[A^{g(\cdot),\, g^{-1}(\cdot)} = 1\right] = \Pr\left[A^{LazySample(D,R,\cdot),\, LazySampleInv(D,R,\cdot)} = 1\right]$$

where g, $g^{-1}$ denote an order-preserving function picked at random from $\mathrm{OPF}_{D,R}$ and its inverse.

34

OPE Scheme and Its Analysis

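The TapeGen PRF

LazySample and LazySampleInv cannot be used directly for ENC and DEC: LS and LSI share and update a joint state, the arrays F and I, which stores the outputs of HGD.

GetCoins is modified so that, when HGD is called, the output of the TapeGen PRF is used as the seed from which HGD produces the entries of F and I.

The TapeGen PRF is composed of 3 PRFs: a VIL-PRF, a VOL-PRF and an LF-PRF, of which the LF-PRF is the key one.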
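The binary search over range gaps described in the LazySample slides, made stateless by deriving HGD's coins from a keyed PRF as described above. This is an added example, not code from the slides or the paper: HMAC-SHA256 seeding Python's `random.Random` stands in for TapeGen, HGD is an exact inverse-CDF sampler suitable only for small spaces, and all function names and the sample key are assumptions.

```python
import hashlib
import hmac
import random
from math import comb

def coins(key, *tag):
    """Stand-in for TapeGen (assumption): HMAC-SHA256 of the node label seeds the coins."""
    return random.Random(hmac.new(key, repr(tag).encode(), hashlib.sha256).digest())

def hgd_pmf(x, N, M, y):
    """h(x; N, M, y) = C(y,x) C(N-y,M-x) / C(N,M), as on the slides."""
    return comb(y, x) * comb(N - y, M - x) / comb(N, M)

def hgd(N, M, y, rng):
    """Exact sample of how many of M domain points land in the y lowest range points."""
    u, acc = rng.randrange(comb(N, M)), 0
    for x in range(M + 1):
        acc += comb(y, x) * comb(N - y, M - x)
        if u < acc:
            return x

def _descend(key, M, N, go_low):
    """Binary search over range gaps; go_low(x, y) chooses which half to follow."""
    dlo, dhi, rlo, rhi = 1, M, 1, N
    while dlo < dhi:
        rsz = rhi - rlo + 1
        y = rlo - 1 + (rsz + 1) // 2                  # range gap at the midpoint
        x = dlo - 1 + hgd(rsz, dhi - dlo + 1, y - rlo + 1,
                          coins(key, dlo, dhi, rlo, rhi, 0, y))  # matching domain gap
        if go_low(x, y):
            dhi, rhi = x, y
        else:
            dlo, rlo = x + 1, y + 1
    if dlo > dhi:                                     # no plaintext maps into this range
        return None, None
    return dlo, coins(key, dlo, dhi, rlo, rhi, 1, dlo).randint(rlo, rhi)

def encrypt(key, m, M, N):
    """Ciphertext in [N] for plaintext m in [M]; the same key and m give the same result."""
    return _descend(key, M, N, lambda x, y: m <= x)[1]

def decrypt(key, c, M, N):
    """Plaintext for c, or None when c is not the image of any plaintext."""
    m, c2 = _descend(key, M, N, lambda x, y: c <= y)
    return m if c2 == c else None

KEY = b"constructed-demo-key"   # constructed sample key
```

Because every node's coins depend only on the key and the node label (D, R, b||z), ENC and DEC recompute the same path without the shared arrays F and I.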

35

OPE Scheme and Its Analysis

The TapeGen PRF

For an adversary A, define its LF-PRF-advantage against TapeGen as

$$\mathbf{Adv}^{\text{LF-PRF}}_{TapeGen}(A) = \Pr\left[A^{TapeGen(\cdot)} = 1\right] - \Pr\left[A^{R(\cdot)} = 1\right]$$

36

Introduction

37

OPE Scheme and Its Analysis

Let OPE[TapeGen] be the OPE scheme defined above with plaintext-space of size M and ciphertext-space of size N. Then for any adversary A against OPE[TapeGen] making at most q queries to its oracles combined, there is an adversary B against TapeGen s.t.

$$\mathbf{Adv}^{\text{POPF-CCA}}_{OPE[TapeGen]}(A) \le \mathbf{Adv}^{\text{LF-PRF}}_{TapeGen}(B) + \lambda$$

38

OPE Scheme and Its Analysis

Adversary B makes at most q1 = q(log N + 1) queries of size at most 5 log N + 1 to its oracle, whose responses total q1λ’ bits on average, and its running time is that of A. Above, λ and λ’ are constants depending only on HGD.

39

OPE Scheme and Its Analysis

On choosing N

Only when [M] and [N] are very large, greater than $2^{80}$, does a random order-preserving function leak information.

41

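Conclusion

The authors worked through a series of derivations, refining the notion step by step from IND-CPA until they proposed POPF-CCA.

Through a clever combination of LazySample and the hypergeometric distribution, they propose an OPE scheme with a provable-security proof under POPF-CCA.

How to apply this to my scheme:

The authors' OPE maps numbers to numbers.

My OPE maps numbers to braid groups.

Apply it directly? Modify the proof technique? Modify the scheme?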