Order-Revealing Encryption Scheme with Comparison Token for Cloud Computing

Guo, Jingjing; Sun, Jiacong

doi:https://doi.org/10.1155/2020/8837904

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Analysis Conclusions Data Availability Conflicts of Interest References Copyright Related Articles

Research Article | Open Access

Volume 2020 | Article ID 8837904 | https://doi.org/10.1155/2020/8837904

Order-Revealing Encryption Scheme with Comparison Token for Cloud Computing

Jingjing Guo¹and Jiacong Sun²

Academic Editor: Prosanta Gope

Received24 Sept 2020

Revised05 Nov 2020

Accepted30 Nov 2020

Published24 Dec 2020

Abstract

Order-preserving encryption (OPE) is a basic paradigm for the outsourced database where the order of plaintexts is kept in ciphertexts. OPE enables efficient order comparison execution while providing privacy protection. Unfortunately, almost all the previous OPE schemes either require numerous rounds of interactions or reveal more information about the encrypted database (e.g., the most significant bit). Order-revealing encryption (ORE) as a generalization is an encryption scheme where the order of plaintexts can be evaluated by running a comparison algorithm. Therefore, it is desirable to design an efficient ORE scheme which addresses above efficiency and security issues. In this paper, we propose a noninteractive ORE scheme from prefix encoding and Bloom filter techniques. The proposed scheme is an encryption scheme where a cloud service provider cannot evaluate the order of plaintexts until a comparison token is provided. The security analysis illustrates that our scheme achieves ideal security with frequency hiding. Furthermore, we illustrate a secure range query scheme through designing an encrypted tree structure named PORE tree from the above ORE scheme. The PORE tree reveals the order between different nodes and leaves encrypted data items in the same node incomparable even after query execution. Finally, the experimental evaluation shows the high efficiency of the proposed ORE scheme and range query scheme.

1. Introduction

The rapid development of cloud computing enables resource-constrained data owners to outsource their data storage and computational tasks to a cloud service provider. The outsourced data could be attacked by outside attackers and the cloud service provider, for example, Verizon cloud leak and Equifax data breach. Thus, sensitive data should be encrypted before outsource, such as CryptDB, CipherCloud, and PRS server. Encryption is a promising approach for protecting sensitive data. However, traditional encryption breaks correlation of plaintexts and brings many difficulties in ordinary services, such as keyword search, numeric operations, and range query. Although some advanced cryptography primitives such as fully homomorphic encryption [1–3] and functional encryption [4–6] are introduced, the existing schemes are somewhat inefficient.

One method to enable efficient query services while meeting privacy requirement is to introduce an encryption scheme that allows only limited services. Searchable encryption [7–9] has been introduced to handle the keyword search in an encrypted database (EDB) [10, 11]. To execute range queries [12, 13], order-preserving encryption (OPE) [14–17] and its generalization order-revealing encryption (ORE) [18–20] have been proposed and developed.

OPE provides a property that the order of ciphertexts retains that of plaintexts. It has many applications in real-world scenarios, such as in SQL queries [16, 21–23], Web applications [24], CRM software [25], and others. The concept of OPE is firstly proposed by Agrawal et al. [14] while without security analysis. As an improvement, Boldyreva et al. [15] introduced a provable OPE scheme called BCLO that provides security models and rigorous analysis from cryptography point. The ideal security of OPE requires that ciphertexts reveal nothing except the order of plaintexts. The BCLO scheme also points out that ideal security is unachievable if an OPE scheme is immutable and stateless. Therefore, the BCLO scheme is later shown to leak half of plaintext bits. To enhance security, Popa et al. [16] introduced a mutable OPE scheme named MOPE by leveraging binary tree. The OPE scheme achieves ideal security especially indistinguishability under an order chosen-plaintext attack (IND-OCPA). Unfortunately, the ideally secure scheme [16] requires -round of interactions.

Different from previous OPE schemes, Boneh et al. [18] proposed a generalization definition of the order-revealing encryption scheme which reveals the order of plaintexts. Due to the heavy computation burden of multilinear maps, the scheme [18] is impractical and remains a theoretical result for most applications. Chenette et al. [26] introduced a practical ORE scheme called CLWW that sacrifices the index of first different bit. Lewi and Wu [27] designed an ORE scheme named Lewi-Wu ORE that makes a trade-off between efficiency and security. But, the scheme [27] scales linearly with the size of domain space and reveals the index of first different block. As security improvement, Cash et al. [19] proposed a parameter-hiding order-revealing encryption by using asymmetric bilinear map to construct property-preserving hash (PPH) as the heart of the scheme. Unfortunately, the parameter-hiding ORE has a heavy computation burden and is vulnerable to frequency attacks.

1.1. Our Contributions

In this work, we focus on the construction of the order-revealing encryption scheme over the encrypted database system in cloud computing. The main contributions are as follows:(i)We introduce a noninteractive ORE scheme over the encrypted database by leveraging Bloom filter and prefix encoding technologies. The security analysis demonstrates that our ORE scheme achieves ideal security and also hides frequency information of data items.(ii)The introduced ORE scheme leaves encrypted data items incomparable until a comparison provided. Since the encrypted data items are incomparable, our ORE scheme can resist file-injection attacks [28].(iii)We further present its application in secure range query on an encrypted database. Specifically, data items are stored in a tree structure (e.g., B-tree) to enhance search efficiency. We apply the introduced ORE scheme to encrypt the data items in the tree node and thus construct an encrypted tree, which is referred as PORE tree.(iv)The presented PORE tree reveals order relation between different tree nodes and leaves encrypted data items in same node incomparable even after query execution.

This paper is an extended and enhanced version of the conference paper presented at ISPEC 2018 [17]. Compared with the conference version, we design a new ORE scheme which achieves ideal security with frequency hiding as an enhanced security of conference version with leakage function. The detailed description is depicted in Section 4. Furthermore, we modify the stored contents of PORE tree in Section 5. The proposed PORE tree achieves better security and efficiency. Moreover, formal security definition is presented in Section 3.2, and revised analysis according to the improved ORE scheme is introduced in Section 6. Finally, we add the experimental evaluation to evaluate the performance of MOPE [16], Lewi-Wu ORE [27], and our ORE scheme in Section 7.

1.2. Related Work

Order comparison [29] is one of the most popular operation in database-as-a-service (DaaS). In order to protect sensitive data, encryption is introduced as a prevailing consensus method. Numerous researchers have studied the problem of designing a secure and efficient encryption scheme which allows untrusted cloud servers to perform order comparison operation over ciphertexts. Due to heavy computation time and ciphertext size, fully homomorphic encryption and functional encryption are still impractical to handle order comparison [1, 2, 30]. Therefore, practical OPE schemes have proposed in the past few years [14–16, 31].

Agrawal et al. [14] formalized the definition of order-preserving encryption and designed an OPE scheme. It transforms plaintexts into ciphertexts which retain the order and follow a target distribution provided by the client. In [14], the authors gave no security analysis and their scheme only applies for the static system. As an improvement, Boldyreva et al. [15] proposed the ideal security definition and further proved that an OPE scheme with immutable and stateless is impossible to achieve ideal security. The illustrated BCLO scheme in [15] is indistinguishable from a ROPF and later shows that it leaks more than half of plaintext bits [32, 33]. Moving a step forward, Dyer et al. [34] introduced an OPE scheme by using approximate integer common divisor problem. However, Dyer et al.’s scheme achieves window one-wayness security. There exist other OPE schemes [21–23, 33] with weaker security guarantee by making some impractical assumptions.

Popa et al. [16] firstly introduced an ideally secure order-preserving encoding scheme named MOPE by using a balanced search tree and mutable ciphertexts. Mutable ciphertexts mean that encodings for several plaintext change with a deletion and insertion operation. The security on MOPE shows it is, in principle, possible to reveal no additional information besides orders. Kerschbaum [35] indicated each (deterministic) OPE scheme suffers a simple frequency attack from ciphertexts. For this reason, he provided a stronger security definition and indistinguishability under frequency analysis ordered chosen-plaintext attack (IND-FAOCPA). Based on random ciphertexts, the scheme [35] hides frequency information and achieves IND-FAOCPA security. Enlightened by a buffer tree [36], Roche et al. [37] constructed an order-preserving tree and further proposed a partial order-preserving encoding (POPE) scheme which supports the insert-heavy database and leaks partial orders. Unfortunately, all above schemes limit by multiple round of interactions between clients and cloud servers.

Boneh et al. [18] provided a generalization definition of ORE. Different from traditional OPE, ORE reveals the order of plaintexts. They designed an ORE scheme by using multilinear maps. Because of the heavy computation burden of multilinear maps, the scheme [18] is impractical in most applications. The CLWW scheme [26] is the first practical ORE scheme by using PRFs. For each bit of data items, a keyed PRF takes this bit concatenated with all more significant bits as input. Thus, the ciphertexts include n elements which are the numerically sum of the keyed PRF and the next less significant bit. But, the CLWW scheme leaks the index of first different bit of two plaintexts. In order to balance security and efficiency, Lewi and Wu [27] introduced a generalization of the ORE scheme by using the left/right framework. The scheme of the small domain in [27] scales linearly with the size of message space and large domain reveals the first differing block. Based on bilinear map techniques, Cash et al. [19] proposed a more secure ORE scheme which leaks the equality pattern of the most significant bit.

Several related works about multiclient have been introduced. Xiao et al. [33] gave a method to extend the OPE scheme to multiclient scenario which only supports the OPE system not ORE. As an improvement, two multiclient order-revealing encryption (MC-ORE) schemes [38] have been proposed by using the design principle of the CLWW scheme. Obviously, MC-ORE schemes are proven secure with different leakage functions. Li et al. [20] introduced and designed the delegatable order-revealing encryption (DORE) scheme for the multiclient system. The DORE scheme reveals the index of the first different bit between two plaintexts. Latest, some attack schemes have been introduced, such as inference attack [39], file-injection attack [28], and multicolumn attack [40]. However, most of these attack schemes require auxiliary information which limits the application in practical.

1.3. Organization

The rest of this paper is organized as follows. In Section 2, we introduce some preliminaries. The system model and ORE definition are illustrated in Section 3. Then, in Section 4, we propose a PORE scheme by leveraging prefix encoding and Bloom filter techniques. We demonstrate its application on secure range query in Section 5. The security and efficiency analysis are illustrated in Section 6. In Section 7, we provide a performance evaluation of our scheme. Finally, the conclusions are presented in Section 8.

2. Preliminaries

In this section, we provide some preliminaries and definitions for the design of the ORE scheme and secure range query scheme.

2.1. Bloom Filter

As a space-efficient data structure, Bloom filter [41] is always used to test whether an element is a member of a set . The detailed description of Bloom filter is illustrated in the following.

Bloom filter (BF) contains an array of cells which store or and different hash functions . The hash function is defined as , . In the initial phase, we set all cells of the array to . When embedding an element into the Bloom filter BF, we compute its hash functions and set all these chosen cells to . To test whether an element belongs to a set S, we compute its hash functions and check whether the indicated cells of set S are all 1. If all these corresponding cells are , then is an element of set with allowable errors. Otherwise, does not belong to the set . The allowable error is called as false positive which satisfies . It reaches its minimum value when , where n is the size of the Bloom filter, is the number of hash functions, and denotes the number of elements in Bloom filter BF. An example of a Bloom filter is shown in Figure 1.

2.2. Prefix Encoding Technique

Prefix encoding technique converts the testing of whether an element falls into a range to the testing of whether two sets have common elements [42]. The details are demonstrated as follows.

Given a -bit number , we evaluate its prefix family as It is easy to see that the size of is . Given a range , we compute the minimum cover set of prefixes such that the union of prefixes is , denoted . The number of prefixes in is at most . In this condition, the testing of whether an element belongs to a range can be translated to the testing . The element belongs to a range if , otherwise not. As shown in Figure 2, the prefix family of 3 with 5-bit is and minimum cover set of [0, 6] is . Owing to that , it is easy to draw the conclusion that

3. Problem Formulation

3.1. System Model

As shown in Figure 3, the introduced ORE scheme consists of three main parties, data owner (DO), search user (SU), and cloud service provider (CSP).

(i)Data owner: the data owner is the entity who owns the database, encrypts the database, and delegates the encrypted database to a powerful cloud service provider. During the encryption phase, the data owner encrypts the data items from the symmetric encryption scheme to protect its privacy and generates the encrypted search indexes to facilitate data utilization.(ii)Search user: search users receive system parameter and secret keys from the data owner and generate search requests according to their requirements. Then, search users send search requests with the corresponding trapdoor to the cloud service provider and receive the search results on ciphertext. Finally, they decrypt the ciphertexts and obtain the results.(iii)Cloud service provider: the cloud service provider owns the powerful storage resources and unlimited computation resources. Thus, the cloud service provider always provides the storage, computation, and query services for the data owner and search user.

To protect the private sensitive information, the data owner encrypts the database, generates the indexes, and sends them to the cloud service provider. Search users compute the search trapdoor according to their request and send search trapdoor to the cloud service provider. The cloud service provider stores the encrypted database and then searches the encrypted database for the search users. In our paper, we assume the data owner and search users are fully trusted and the cloud service provider is “honest-but-curious.” It means the cloud service provider follows protocol and returns answers faithfully but intends to learn additional information about the encrypted database. The assumption is very common in other work, such as [12, 13, 43].

3.2. Order-Revealing Encryption Scheme

An ORE scheme is defined by four probabilistic polynomial-time (PPT) algorithms ORE.KeyGen, ORE.Enc, ORE.TokenGen, and ORE.OrderComp. These algorithms are defined as follows:(i)ORE.KeyGen (): DO runs this algorithm to output a secret key . The secret key will be secretly stored by the data owner. Furthermore, the data owner will send the secret key to search users through the access control technique.(ii)ORE.Enc() : DO runs the data encryption algorithm to encrypt data item . The data encryption algorithm takes as input a secret key and a data item and outputs the ORE ciphertext as .(iii)ORE.TokenGen () : SU runs this algorithm to generate the comparison token. It takes as input a secret key and a data item and outputs the comparison token .(iv)ORE.OrderComp()ans: CSP runs the order comparison algorithm to output the order relation. The algorithm takes as input the ciphertext of data item and comparison token for another data item. The order comparison algorithm outputs the order relation for data item and . If ans, it means ; otherwise, ans means .

In the following, the correctness and security definitions were introduced in the ORE scheme [27].

Definition 1. (Correctness). An ORE scheme over a well-domain is correct if for ORE.KeyGen() such that, for any , if , ORE.Enc(), ORE.TokenGen() then ORE.OrderComp(, ).
Consider an experiment defined for the ORE scheme as follows. In the experiment, we introduce the random variable as the success of adversary .
The IND-OCPA indistinguishability experiment ExpA,OPE is as follows:(i)The client runs the ORE.KeyGen() algorithm to produce the secret key and chooses a random bit ;(ii)The client and adversary engage in polynomial rounds of interaction. At round , The adversary chooses and in adaptive and sends both of them to the client; After receiving and , the client runs the encryption algorithm ORE.Enc() and returns to the adversary ;(iii)The adversary outputs a bit , its guess for . The output is defined as 1 if and 0 otherwise.

Definition 2. (Security). An ORE scheme is IND-OCPA secure, if for all PPT adversaries and sequences and with the same order relations, there is a negligible function satisfying

4. The Proposed ORE Scheme

4.1. High Description

Before describing the details of our ORE scheme, we introduce the construction principle in brief. Different from the existing works, we partition a ciphertext into two parts and , where = DET.Enc() refers to the ciphertext which is produced by the symmetric encryption scheme DET with the strongest security (e.g., AES a DES) and is an index which indicates the order of plaintexts. Comparison is only proceeded between the index of one plaintext and the search token of another data item . Thus, CSP proceeds the query request until a search token provided by SU.

In the following, we focus on the construction of index . The order comparison between value and is equal to check whether a value falls into a range. By using prefix encoding technique which is proposed in [42], we compute the data prefix and range prefix . Thus, the checking of whether a value falls into a range converts to the checking of whether two sets and have common elements. The basic method is to check whether an element of one set falls into another set. Trivially, the checking is done by leveraging Bloom filter technique in [41].

Since frequency information leads some simple attacks which were pointed out by Naveed et al. [39], DO should also hide the frequency (i.e., hide equality) in the ciphertext and the index . Owing to DET is an IND-CPA secure encryption scheme, the frequency is hidden in the ciphertext . To hide the frequency in index, DO randomizes a data item as to break the equality before constructing the index.

4.2. The Main Construction

In this section, we introduce the ORE scheme from four processes: key generation, data encryption, token generation, and order comparison.

For the sake of clarity, we assume that all data items are -bit and greater than 0, and DET = (DET.Key, DET.Enc, DET.Dec) is an IND-CPA secure encryption scheme. The details of our ORE scheme are illustrated as follows:(i)ORE.KeyGen(): on input a security parameter , DO computes ← DET.Key() as a secret key. It also chooses random numbers as secret keys to compute hash for a Bloom filter BF. Thus, DO has the secret key .(ii)ORE.Enc(): on input a secret key and a data item , DO firstly leverages privacy-preserving techniques to protect the privacy of data items. To keep the functionality of order comparison, DO illustrates an index for each data item. The following processes need to be performed:(1)Data encryption: DO encrypts data items in the database as = DET.Enc().(2)Index construction: to facilitate look-ups, DO constructs a secure Bloom filter as index structure for each data item . The secure Bloom filter BF algorithm is depicted in Algorithm 1.(iii)ORE.TokenGen(): on input a secret key and a data item , SU wants to compute the comparison token for it.(1)Data randomization: for a data item , SU uniformly samples a -bit random number and computes its randomization as .(2)Token computation: the search user first computes range prefix with prefixes. Next, SU computes hashes for each prefix as . The comparison token for the data item is a hash matrix:(iv)ORE.OrderComp(): after receiving the ciphertext and comparison token , the cloud service provider checks whether . The checking is done by checking whether there exists a row in such that all the positions of Bloom filter are 1. That is, there exists prefix in such that . If , set ans = 1; otherwise, ans = 0.

	Input:
	hash function:
	secret keys:
	data item:
	Output:
	–Bloom filter:
(1)	In order to hide the frequency, DO adds a random fractional part for the data item as , where has the same number of bits with the data item and is a -bit number;
(2)	DO computes prefix family of as ;
(3)	for to do
(4)	To remove the correlation among different nodes, DO chooses a random number which has the same size with secret keys ;
(5)	for j←1 to s do
(6)	DO first computes hash value and then sets 1 on the position ;
(7)	end for
(8)	end for
(9)	After inserting the prefix family, we have a secure Bloom filter .

The ciphertext of data item is .

5. Encrypted Range Queries

In this section, we describe the application of the introduced ORE in range queries over the encrypted database. In our model, the resource-constraint data owner outsources the storage and computation tasks to the cloud service provider. Subsequently, search users submit the range query requests and obtain the query results. In outsourcing scenario, the cloud service provider needs to learn the order information for the range query. In this work, the above ORE scheme is introduced to help it in the operation of order comparison. To enhance the efficiency, the data owner stores data items in tree structure, such as B-tree. We describe the secure range query scheme with the proposed ORE scheme in the following algorithms(i)RQ.Setup(): takes as input a security parameter, it outputs the secret key SK = {sk1, sk2}, where secret key is the same with that in the ORE scheme.(ii)RQ.TreeBuild(): takes as input a database , the data owner stores the data items in a B-tree data structure and obtains tree: where are data items in database and is a set of pointers to cover the parent-child relations of tree.(iii)RQ.TreeEnc(): takes as input the secret key and the tree , the data owner runs the ORE.Enc algorithm in the ORE scheme to encrypt tree as where = ORE.Enc( ). Since tree reveals order of data items in different nodes and leaves data items in same node incomparable, the encrypted tree is named as PORE tree.(iv)RQ.RangeQuery(, , ): the range query algorithm consists of two phases. In the first phase, search users compute and send the encrypted ranges to CSP. In the second phase, CSP proceeds the search process over the encrypted tree structure .(1)Token generation: SU partitions the range into and two parts and uniformly samples two random numbers and to randomize the ranges and as . Next, search users proceed the token computation algorithm in ORE.TokenGen to generate search token and . Finally, search users send the search token and to CSP.(2)After receiving search token, CSP searches the tree from root to the leaf and finds the leftmost and the rightmost leaf node intersecting with the range. The details of the search algorithm are illustrated in Algorithm 2.(v)RQ.Update(,): to update the outsourced database, the data owner generates the ciphertext , index , and token and submits (, , ) to the cloud service provider CSP. After receiving the update request, CSP updates the database by leveraging (, , ). In the following, we introduce the insertion, deletion, and modification algorithms in detail:(1)Suppose that DO wants to insert a data into the encrypted database. DO firstly computes and sends the ciphertext , index , and comparison token to CSP. Upon receiving the insertion token, CSP takes this new data as a split point and inserts it into the parent node . For a data item (, ) in the leaf node , CSP checks whether data item satisfying . CSP stores (, ) into the left node if . Otherwise, CSP stores it into the right node .(2)Suppose that DO wants to delete a data from the encrypted database. The deletion algorithm finds data items in the range , which is similar to the range query algorithm and deletes these data items.(3)Suppose that DO wants to modify a data item to in the encrypted database. The modification is converted to deletion and insertion operation. Thus, it can be done using above two steps.(vi)RQ.Dec(, ): on input the secret key and encrypted results Res, DO firstly runs DET.Dec to decrypt and then removes random numbers to obtain final results.

(i)	Input:
(ii)	encrypted PORE tree:
(iii)	search token: = ( )
(iv)	Output:
(v)	encrypted results:
(1)	CSP proceeds the search algorithm twice, once for to find the leftmost leaf node and once for to find the rightmost leaf node;
(2)	fordo
(3)	CSP checks whether by checking whether there exists a row in matrix such that the positions of are equal to 1;
(4)	Afterwards, CSP finds the largest value satisfying and updates its corresponding child as the new value for ;
(5)	end for
(6)	CSP obtains the leftmost leaf node and the rightmost leaf node;
(7)	Finally, CSP returns results which include data items in leaf nodes between the two leaf nodes, in the leftmost leaf node satisfying and in the rightmost leaf node satisfying .

6. Analysis

In this section, we demonstrate the security analysis and efficiency analysis.

6.1. Security Analysis

Theorem 1. The proposed ORE scheme over a well-domain is correct.

Proof. Suppose that are two -bit random numbers, is the ciphertext for data item, and is the comparison token for data item . We prove the correctness through if and only if without considering the false positive of Bloom filter.
First, we prove if , then . If , we have the relation. Owing to the fact that a data item falls into a range if and only if , we can compute and draw the conclusion that . That means, , namely, .
Moreover, if we do not take false positive of Bloom filter into consideration, we can prove the correctness. That is, if , then . Since , we have the conclusion that there exists a row in such that all the corresponding positions of Bloom filter are equal to 1. Namely, that means . Because = and, we have the conclusion that (if , then ).

Theorem 2. The proposed secure range query scheme over a well-domain is correct.

Proof. Suppose that a data item , a range , and their randomization , , where are three -bit random numbers. We proof the correctness through if and only if .
First, we prove if , then . If , we have the relation . Owing to the fact that for a data item d and range if and only if, we can compute . That means, , namely, .
Moreover, if we do not take false positive of Bloom filter into consideration, we can prove the correctness. That is, if , then . If , we can draw the conclusion thatThat is, , namely,After derandomization, we can draw the conclusion thatThat means

Theorem 3. The proposed ORE scheme is IND-OCPA secure in the random oracle model.

Proof. For the convenience of understanding, we first introduce the concept of computationally indistinguishable. Let and be ensembles of distributions. and are said to be computationally indistinguishable (written ), if for all PPT adversaries,Next, we will prove the theorem in the following hybrid games:(i)Hybrid 1: The IND-OCPA game for an adversary and the proposed scheme. Let be the random variable indicating the output of in the IND-OCPA game, namely, ’s guess bit.(ii)Hybrid 2: The IND-OCPA game for an adversary , where the proposed scheme is revised to instead the DET with a random oracle (a random oracle refers to an oracle which outputs a random value when given a value for the first time, and the same value returns when is given again.). Let be the random variable indicating the output of in the IND-OCPA game, namely, ’s guess bit.(iii)Hybrid 3: The IND-OCPA game for adversary , where the scheme in Hybrid 2 is revised to instead hash function with a random oracle . Let be the random variable indicating the output of , namely, ’s guess bit.Because DET is a pseudo-random function, it is obvious that . We give a proof by contradiction for this conclusion. If these two hybrids are distinguishable, then we construct a simulator which distinguishes pseudo-random numbers from random numbers.
The distinguisher :(1)Adversary is given a security parameter and outputs ({} and {}) with the same order relation;(2)A uniform bit is chosen, and then a ciphertext {} = {} is computed and given to the adversary ;(3)The adversary outputs a bit its guess for . The distinguisher outputs 1 if (meaning pseudo-random sequence) and 0 (meaning random sequence) otherwise.If adversary can distinguish these two hybrids, namely,then we conclude thatThus, we can draw the conclusion that . Since is a pseudo-random function, it draws the same conclusion that. Following, we prove the probability adversary guesses correctly in Hybrid 3 is 1/2. That is, the winning advantage of can be at most . The data owner stores in the cloud service provider for a data item . Because is replaced with a random oracle, the adversary cannot distinguish the ciphertexts of and , namely, .
Moreover, recall that every value is assigned a different random number , and random oracle uses to compute hash functions for the secure Bloom filter . Thus, given two different Bloom filters and , it is infeasible for any PPT adversary to distinguish whether a same string or two different strings are mapped to them. From this, it is easy to draw the conclusion thatAs a result, the adversary cannot distinguish with nonnegligible probability. That is,We complete the proof of Theorem 3.

6.2. Efficiency Analysis

For the convenience of discussion, some marks are introduced in this section. We denote by an encryption/decryption algorithm of the DET scheme with IND-CPA secure, is a PRF, is a hash function, is the number of hashes in a Bloom filter, is the bits of our data item, is the size of the database, is the size of message space, and is the size of results. We omit other operations such as comparison of plaintexts and uniformly random permutation in Lewi-Wu ORE.

We now describe the efficiency analysis among MOPE [16], Lewi-Wu ORE [27], and the proposed range query scheme with PORE tree, shorted for the PORE scheme. The security in Table 1 demonstrates that all schemes achieve IND-OCPA security which reveals nothing besides the order relation. Furthermore, the PORE scheme hides data frequency and data items in leaf nodes of our PORE scheme which remain incomparable. Stored information in MOPE [16] only consists of the ciphertexts, that is, produced by an IND-CPA secure DET scheme. Therefore, the order comparison is achieved by the interaction with a DO/SU. In this condition, there is about -round communication between DO/SU and CSP during the range query and update operation. Ciphertexts in Lewi-Wu ORE [27] consist of the left ciphertexts and the right ciphertexts. It is possible to proceed the comparison algorithm with the left of one ciphertext and the right of another ciphertext. To enhance the storage efficiency, CSP only stores the left ciphertexts (about bits long) in the sorted order instead of the complete ciphertexts (about bits long). When proceeding a range query or an update operation, DO generates the right ciphertexts and sends them to the CSP.

The basic idea of our PORE is inspired by Lewi-Wu ORE. We split stored information into a ciphertext produced by DET and an index . The index is a Bloom filter storing with the size of . Compared with the MOPE and Lewi-Wu ORE scheme, the cost of encryption in our PORE scheme is a little higher. While encryption is one-time in the initialization phase, the cost is acceptable. In range query and update phases, CSP obtains order comparison by communicating with the DO and SU in MOPE. SU decrypts ciphertexts and returns the order information. The cost in Lewi-Wu ORE [27] is linear with the message space for the DO/SU and logarithm with the database for CSP. MOPE and Lewi-Wu ORE have a better efficiency for CSP in both phases. Both schemes do not use the tremendous compute power of CSP violating the definition of cloud computing. Finally, we observe from decryption cost that all these schemes have a high efficiency.

7. Performance Evaluation

In this section, we introduce a formal experimental simulation among MOPE [16], Lewi-Wu ORE [27], and the proposed PORE scheme in order to test the practical utility. Specifically, the code is run with Python3 language on a machine with an Intel Xeon (R) CPU i7-8565U processor running at 16 GHz and 1 T memory. We instantiate the hash function with SHA-256 in the Lewi-Wu ORE scheme. The symmetric cipher used is AES-ECB-128 as provided by the PyCrypto library, and the scalable Bloom filer is provided in pybloom live library. Furthermore, we set error rate of Bloom filter as 0.001 and storage limitation of B-tree to store ciphertexts.

7.1. Database Size

In the following experiment, we use the Gowalla database which lists 6,442,890 check-in locations collected from 196,591 users. We sample 1,000,000 data items of 48 bit in the database to test the performance of the MOPE and PORE scheme. Figure 4 demonstrates that Lewi-Wu ORE [27] is only suitable in the small domain. In this condition, we cut 12 bit from data items in the Gowalla database to simulate the performance of search and update.

7.2. Network

For these experiments, we simulate all the data owner, search users, and cloud service provider on the same machine. Therefore, we test performance by measuring the theoretical communication cost instead of the realistic network with latency and bandwidth restrictions. In the theoretical experimental simulation, we assume that the network is slower than 5 ms of latency and 20 Mbps bandwidth.

Figures 5(a) and 5(b) show the time cost and storage cost on tree construction of MOPE, Lewi-Wu ORE, and our PORE scheme. We can easily see that time cost of MOPE is similar to that of Lewi-Wu ORE since the AES-ECB-128 is used to encrypt data items in MOPE and to instantiate the PRF in Lewi-Wu ORE. Furthermore, the time cost from 80s at 100,000 data items and 1082s at 1,000,000 data items of our PORE scheme is greater than that of the MOPE and Lewi-Wu ORE scheme. Meanwhile, the storage cost from 10.5 M to 105 M of the PORE scheme is a little greater than that of the MOPE and Lewi-Wu ORE scheme, from 8.2 M to 82M and 7.5 M to 75 M, respectively. The time cost and storage cost are acceptable of our PORE scheme because of one-time on tree construction.

(a)

(b)

In our main experiments, we test the performance of range query and update operation (insertion and deletion) with 1,000 operations in MOPE and our PORE scheme and that with 100 operations in the Lewi-Wu ORE scheme. The time cost of range query is shown in Figure 6. It demonstrates that our PORE scheme is far less than MOPE-latency and the Lewi-Wu ORE scheme. Furthermore, our scheme achieves about 18 ms per-range query on the database with million data items vs. about 50 ms per-operation for MOPE-latency with communication latency.

Figures 7(a) and 7(b) show the time cost on insertion and deletion operation. As these figures present, the cost is dominated by communication on range query and insertion and deletion of the MOPE-latency scheme with 5 ms latency. The runtime is linear with the round of communication. Moreover, the time cost of MOPE-latency and Lewi-Wu ORE is about 5x greater than our scheme on insertion and 2x on deletion operation. We can see that our scheme is well-suited for range query and update operation.

(a)

(b)

8. Conclusions

In this paper, we introduce a noninteractive order-revealing encryption scheme with comparison token to execute privacy-preserving order comparison in cloud computing. The introduced ORE scheme requires that the cloud service provider could not perform order comparison until a search token provided. The security analysis shows that our ORE scheme achieves IND-OCPA security. Furthermore, we design a secure range query over the encrypted database through designing PORE tree structure from the proposed ORE scheme. The designed PORE tree reveals partial order information of plaintexts and leaves results incomparable even after query execution. Finally, the experimental result shows the high efficiency of our PORE scheme based on the designing of the ORE scheme.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest regarding the publication of this paper.

References

C. Gentry, “Fully homomorphic encryption using ideal lattices,” in Proceedings of the International Symposium of Theory of Computing (STOC), pp. 169–178, Bethesda, MD, USA, May 2009.
View at: Google Scholar
C. Gentry, S. Halevi, and N. P. Smart, “Homomorphic evaluation of the AES circuit,” in Proceedings of the International Conference on Cryptology (CRYPTO), pp. 850–867, Santa Barbara, CA, USA, August 2012.
View at: Google Scholar
M. Li, “Leveled certificateless fully homomorphic encryption schemes from learning with errors,” IEEE Access, vol. 8, pp. 26749–26763, 2020.
View at: Publisher Site | Google Scholar
D. Boneh, A. Sahai, and B. Waters, “Functional encryption: definitions and challenges,” in Proceedings of the International Conference on Theory of Cryptography (TCC), pp. 253–273, Providence, RI, USA, March 2011.
View at: Google Scholar
S. Goldwasser, S. D. Gordon, V. Goyal et al., “Multi-input functional encryption,” in Proceedings of the International Conference on Theory and Applications of Cryptographic Techniques (EUROCRYPT), pp. 578–602, Copenhagen, Denmark, May 2014.
View at: Google Scholar
A. Jain, N. Manohar, and A. Sahai, “Combiners for functional encryption, unconditionally,” in Proceedings of the International Conference on Theory and Applications of Cryptographic Techniques (EUROCRYPT), pp. 141–168, Zagreb, Croatia, May 2020.
View at: Publisher Site | Google Scholar
D. X. Song, D. A. Wagner, and A. Perrig, “Practical techniques for searches on encrypted data,” in Proceedings of the International Conference on Security and Privacy (SP), pp. 44–55, Berkeley, CA, USA, May 2000.
View at: Publisher Site | Google Scholar
D. Boneh, G. D. Crescenzo, R. Ostrovsky et al., “Public key encryption with keyword search,” in Proceedings of the International Conference on Theory and Applications of Cryptographic Techniques (EUROCRYPT), pp. 506–522, Interlaken, Switzerland, May 2004.
View at: Google Scholar
J. Wang, X. Chen, X. Huang, I. You, and Y. Xiang, “Verifiable auditing for outsourced database in cloud computing,” IEEE Transactions on Computers, vol. 64, no. 11, pp. 3293–3303, 2015.
View at: Publisher Site | Google Scholar
X. Chen, J. Li, X. Huang, J. Ma, and W. Lou, “New publicly verifiable databases with efficient updates,” IEEE Transactions on Dependable and Secure Computing, vol. 12, no. 5, pp. 546–556, 2015.
View at: Publisher Site | Google Scholar
X. Chen, J. Li, J. Weng, J. Ma, and W. Lou, “Verifiable computation over large database with incremental updates,” IEEE Transactions on Computers, vol. 65, no. 10, pp. 3184–3195, 2016.
View at: Publisher Site | Google Scholar
X. Wang, J. Ma, X. Liu et al., “Search me in the dark: privacy-preserving boolean range query over encrypted spatial data,” in Proceedings of the International Conference on Computer Communications (INFOCOM), pp. 2253–2262, Toronto, Canada, July 2020.
View at: Publisher Site | Google Scholar
Y. Peng, L. Wang, J. Cui et al., “LSRQ: A lightweight and forward-secure range query on geographically encrypted data,” IEEE Transactions on Dependable and Secure Computing, vol. 99, Article ID 2974218, 2020.
View at: Google Scholar
R. Agrawal, J. Kiernan, R. Srikant et al., “Order-preserving encryption for numeric data,” in Proceedings of the International Conference on Management of Data (SIGMOD), pp. 563–574, Paris, France, June 2004.
View at: Publisher Site | Google Scholar
A. Boldyreva, N. Chenette, Y. Lee et al., “Order-preserving symmetric encryption,” in Proceedings of the International Conference on Theory and Applications of Cryptographic Techniques (EUROCRYPT), pp. 224–241, Cologne, Germany, April 2009.
View at: Google Scholar
R. A. Popa, F. Li, and N. Zeldovich, “An ideal-security protocol for order-preserving encoding,” in Proceedings of the International Conference on Security and Privacy, pp. 463–477, (SP), Berkeley, CA, USA, May 2013.
View at: Publisher Site | Google Scholar
J. Guo, J. Wang, Z. Zhang et al., “An almost non-interactive order preserving encryption scheme,” in Proceedings of the International Conference on Information Security Practice and Experience (ISPEC), pp. 87–100, Tokyo, Japan, September 2018.
View at: Google Scholar
D. Boneh, K. Lewi, M. Raykova et al., “Semantically secure order-revealing encryption: multi-input functional encryption without obfuscation,” in Proceedings of the International Conference on Theory and Applications of Cryptographic Techniques (EUROCRYPT), pp. 563–594, Sofia, Bulgaria, April 2015.
View at: Google Scholar
D. Cash, F. Liu, A. ONeill et al., “Parameter-hiding order revealing encryption,” in Proceedings of the International Conference on Theory and Application of Cryptology and Information Security (Asia CRYPT), pp. 181–210, Brisbane, Australia, December 2018.
View at: Google Scholar
Y. Li, H. Wang, and Y. Zhao, “Delegatable order-revealing encryption,” in Proceedings of the International Conference on Computer and Communications Security (AsiaCCS), pp. 134–147, Auckland, New Zealand, July 2019.
View at: Publisher Site | Google Scholar
H. Kadhem, T. Amagasa, and H. Kitagawa, “A secure and efficient order preserving encryption scheme for relational databases,” in Proceedings of the International Conference on Knowledge Management and Information Sharing (KMIS), pp. 25–35, Valencia, Spain, October 2010.
View at: Google Scholar
D. Liu and S. Wang, “Programmable order-preserving secure index for encrypted database query,” in Proceedings of the International Conference on Cloud Computing (CLOUD), pp. 502–509, Honolulu, HI, USA, June 2012.
View at: Publisher Site | Google Scholar
D. Liu and S. Wang, “Nonlinear order preserving index for encrypted database query in service cloud environments,” Concurrency and Computation: Practice and Experience, vol. 25, no. 13, pp. 1967–1984, 2013.
View at: Publisher Site | Google Scholar
Perspecsys, “The PRS Server: Data Protection for Cloud Applications,” http://www.perspecsys.com/perspecsys-cloud-protection-gateway/.
F. Y. Rashid, “Salesforce.com Acquires SaaS Encryption Provider Navajo Systems”, eWeek.Com, 2011. https://www.cioinsight.com/c/a/Latest-News/Salesforcecom-Acquires-SaaS-Encryption-Provider-Navajo-Systems-331154.
N. Chenette, K. Lewi, S. A. Weis et al., “Practical order-revealing encryption with limited leakage,” in Proceedings of the International Conference on Fast Software Encryption (FSE), pp. 474–493, Bochum, Germany, March 2016.
View at: Publisher Site | Google Scholar
K. Lewi and D. J. Wu, “Order-revealing encryption: new constructions, applications, and lower bounds,” in Proceedings of the International Conference on Computer and Communications Security (CCS), pp. 1167–1178, Vienna, Austria, October 2016.
View at: Google Scholar
X. Wang and Y. Zhao, “Order-revealing encryption: file-injection attack and forward security,” in Proceeding of International Conference on European Symposium on Research in Computer Security (ESORICS), pp. 101–121, Barcelona, Spain, September 2018.
View at: Google Scholar
D. Boneh and B. Waters, “Conjunctive, subset, and range queries on encrypted data,” in Proceedings of the International Conference on Theory of Cryptography (TCC), pp. 535–554, Amsterdam, Netherlands, February 2007.
View at: Google Scholar
X. Boyen, X. Fan, and E. Shi, “Adaptively secure fully homomorphic signatures based on lattices,” IACR Cryptology, Article ID 916, 2014.
View at: Google Scholar
J. Furukawa, “Request-based comparable encryption,” in Proceedings of the International Conference on European Symposium on Research in Computer Security (ESORICS), pp. 129–146, Egham, UK, September 2013.
View at: Google Scholar
A. Boldyreva, N. Chenette, and A. ONeill, “Order-preserving encryption revisited: improved security analysis and alternative solutions,” in Proceedings of the International Conference on Cryptology (CRYPTO), pp. 578–595, Santa Barbara, CA, USA, August 2011.
View at: Publisher Site | Google Scholar
L. Xiao, I. Yen, and D. T. Huynh, “Extending order preserving encryption for multi-user systems,” IACR Cryptology, Article ID 192, 2012.
View at: Google Scholar
J. Dyer, M. Dyer, and J. Xu, “Order-preserving encryption using approximate integer common divisors,” in Proceedings of the International Conference on Data Privacy Management, Cryptocurrencies and Blockchain Technology, pp. 257–274, Oslo, Norway, September 2017.
View at: Google Scholar
F. Kerschbaum, “Frequency-hiding order-preserving encryption,” in Proceedings of the International Conference on Computer and Communications Security (CCS), pp. 656–667, Denver, CO, USA, October 2015.
View at: Publisher Site | Google Scholar
L. Arge, “The buffer tree: a technique for designing batched external data structures,” Algorithm, vol. 37, no. 1, pp. 1–24, 2003.
View at: Google Scholar
D. S. Roche, D. Apon, S. G. Choi, and A. Yerukhimovich, “POPE: partial order preserving encoding,” in Proceedings of the of International Conference on Computer and Communications Security (CCS), pp. 1131–1142, Vienna, Austria, October 2016.
View at: Google Scholar
J. Eom, D. H. Lee, and K. Lee, “Multi-client order-revealing encryption,” IEEE Access, vol. 6, pp. 45458–45472, 2018.
View at: Publisher Site | Google Scholar
M. Naveed, S. Kamara, and C. V. Wright, “Inference attacks on property-preserving encrypted databases,” in Proceedings of the International Conference on Computer and Communications Security (CCS), pp. 644–655, Denver, CO, USA, October 2015.
View at: Publisher Site | Google Scholar
Y. Pan, A. Efrat, M. Li et al., “Data inference from encrypted databases: a multi-dimensional order-preserving matching approach,” 2020, https://arxiv.org/abs/2001.08773v1.
View at: Google Scholar
B. H. Bloom, “Space/time trade-offs in hash coding with allowable errors,” Communications of the ACM, vol. 13, no. 7, pp. 422–426, 1970.
View at: Publisher Site | Google Scholar
P. Gupta and N. McKeown, “Algorithms for packet classification,” IEEE Network, vol. 15, no. 2, pp. 24–32, 2001.
View at: Publisher Site | Google Scholar
R. Li, A. X. Liu, A. L. Wang, and B. Bruhadeshwar, “Fast and scalable range query processing with strong privacy protection for cloud computing,” IEEE/ACM Transactions on Networking, vol. 24, no. 4, pp. 2305–2318, 2016.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2020 Jingjing Guo and Jiacong Sun. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

1270

Downloads

1042

Citations