Order-Preserving Symmetric
Encryption
Alexandra Boldyreva, Nathan Chenette,
Younho Lee and Adam O’Neill
EUROCRYPT 2009, LNCS 5479, pp. 224-241
1
Outline
 Introduction
 OPE and Its Security
 Lazy Sampling a Random Order-Preserving
Function
 OPE Scheme and Its Analysis
 Conclusion
2
Introduction
 Order-preserving symmetric encryption, OPE
 OPE has a long history in the form of one-part codes, going back to the First World War.
 A plaintext is mapped to its ciphertext by rearranging the order of the words or numbers.
 The most valuable recent work applies OPE in the database community, proposed by Agrawal et al. in 2004.
3
Introduction
 An OPE scheme must support efficient range queries on encrypted data.
 Efficient here means O(lg n) time, where n is the number of records in the database.
 HVE and MRQED are inefficient: a query must scan the whole database.
 No provable-security treatment of OPE had been given; the authors want to fill this gap.
 OPE cannot satisfy every security definition, e.g. IND-CPA.
4
Outline
 Introduction
 OPE and Its Security
 Lazy Sampling a Random Order-Preserving
Function
 OPE Scheme and Its Analysis
 Conclusion
5
IND CPAb
Exp SE
( A)
R
K 
K
OPE and Its Security
R
d 
 AENC ( K , LR (,,b ))
return d
 IND-CPA





LR(˙,˙,b) : input m0 and m1, return mb.
symmetric encryption scheme SE = (K, ENC, DEC)
Adversary A
b∈{0,1}
We require that each query (m0, m1) that A makes to
its oracle satisfies |m0| = |m1|
IND CPA
IND CPA1
IND CPA0
( A)  Pr  Exp SE
( A)  1  Pr  Exp SE
( A)  1
 Adv SE
6
OPE and Its Security
 OPE cannot satisfy IND-CPA.
 Deterministic.
 Leaks the order relations among the plaintexts.
 Since IND-CPA cannot be met, the authors weaken IND-CPA and try to let OPE satisfy the weakened notion.
 Following M. Bellare et al., "Authenticated encryption in SSH: provably fixing the SSH binary packet protocol", CCS '02, pp. 1-11, 2002, which proposed IND-DCPA (indistinguishability under distinct chosen-plaintext attack)
 They propose IND-OCPA (indistinguishability under ordered chosen-plaintext attack)
7
OPE and Its Security
 IND-DCPA
 Restricted to make only distinct queries.
 Adversary A makes queries (m_0^1, m_1^1), …, (m_0^q, m_1^q)
 Require that m_b^1, m_b^2, …, m_b^q are all distinct for b∈{0,1}
8
OPE and Its Security
 IND-OCPA
 Adversary A makes queries (m_0^1, m_1^1), …, (m_0^q, m_1^q)
 m_0^i < m_0^j iff m_1^i < m_1^j for all 1 ≦ i, j ≦ q.
9
OPE and Its Security
 IND-OCPA looks feasible but is in fact useless, unless the ciphertext space is exponentially larger than the plaintext space.
 Let SE = (K, ENC, DEC) be an order-preserving encryption scheme with plaintext-space [M] and ciphertext-space [N] for M, N ∈ ℕ s.t. 2^{k−1} ≦ N < 2^k for some k ∈ ℕ. Then there exists an IND-OCPA adversary A against SE s.t.

$$\mathbf{Adv}^{\mathrm{ind\text{-}ocpa}}_{SE}(A) \ge 1 - \frac{2k}{M}$$

 and A makes 3 oracle queries. Furthermore, A runs in time O(log N).
10
OPE and Its Security
 Big jump and big reverse-jump
 For an order-preserving function f : [M] → [N]
 i ∈ {3, …, M−1} is a big jump if the f-distance to the next point is at least the sum of all the previous ones: f(i+1) − f(i) ≧ f(i) − f(1)
 i ∈ {2, …, M−2} is a big reverse-jump if f(i) − f(i−1) ≧ f(M) − f(i)
11
$$i \text{ is a big jump if } f(i+1) - f(i) \ge f(i) - f(1)$$
$$i \text{ is a big reverse-jump if } f(i) - f(i-1) \ge f(M) - f(i)$$
OPE and Its Security
 Big jump and big reverse-jump
[Figure: "Big Jump", illustrating a big jump of f on the range]
12
OPE and Its Security
 Big jump attack
 Consider the IND-OCPA adversary A against SE:

$$\begin{array}{l}
\text{Adversary } A^{\mathrm{ENC}(K,\mathrm{LR}(\cdot,\cdot,b))}\\
\quad m \xleftarrow{R} \{1,\ldots,M-1\}\\
\quad c_1 \leftarrow \mathrm{ENC}(K,\mathrm{LR}(1,m,b))\\
\quad c_2 \leftarrow \mathrm{ENC}(K,\mathrm{LR}(m,m+1,b))\\
\quad c_3 \leftarrow \mathrm{ENC}(K,\mathrm{LR}(m+1,M,b))\\
\quad \text{return 1 if } (c_3 - c_2) > (c_2 - c_1)\text{, else return 0}
\end{array}$$
13
OPE and Its Security
 Big jump and big reverse-jump
[Figure: "Big Jump", with the adversary A of the previous slide shown beside the two worked cases below; in each line the first value is the b = 0 case and the second the b = 1 case]
 m = 5
 c1 = 24 or 35
 c2 = 35 or 36
 c3 = 36 or 45
 c3 − c2 = 1 or 9
 c2 − c1 = 11 or 1
 if (c3 − c2) > (c2 − c1), adversary A guesses b = 1, else adversary A guesses b = 0
 m = 4
 c1 = 24 or 27
 c2 = 27 or 35
 c3 = 35 or 45
 c3 − c2 = 8 or 10
 c2 − c1 = 3 or 8
 if (c3 − c2) > (c2 − c1), adversary A guesses b = 1, else adversary A guesses b = 0

$$\Pr\big[\mathbf{Exp}^{\mathrm{ind\text{-}ocpa\text{-}1}}_{SE}(A) = 1\big] \ge \frac{(M-1)-k}{M-1} = 1 - \frac{k}{M-1}$$

 We assume that f has k big jumps.
14
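The big-jump distinguisher above, run end to end against a small order-preserving function, as an added example (not code from the paper or the slides). The function `F_SAMPLE` is constructed to reproduce the worked values on the slide (f(1)=24, f(4)=27, f(5)=35, f(6)=36, f(10)=45); the remaining values are filled in arbitrarily, and the helper names are ours. One assumption beyond the slide: `advantage` draws m from {2, …, M−2} rather than {1, …, M−1}, because m = 1 and m = M−1 repeat a plaintext on one side of the LR queries only, which violates the IND-OCPA restriction stated on slide 9.

```python
# Added example, not code from the paper: the big-jump distinguisher from the
# slides run against a small, constructed order-preserving function.
import itertools
from fractions import Fraction

# Constructed OPF f: [10] -> [45]; index i-1 holds f(i).  Chosen to reproduce the
# slide's worked numbers (f(1)=24, f(4)=27, f(5)=35, f(6)=36, f(10)=45).
F_SAMPLE = [24, 25, 26, 27, 35, 36, 39, 41, 42, 45]


def big_jumps(f):
    """Indices i in {3, ..., M-1} with f(i+1) - f(i) >= f(i) - f(1)."""
    M = len(f)
    return [i for i in range(3, M) if f[i] - f[i - 1] >= f[i - 1] - f[0]]


def big_reverse_jumps(f):
    """Indices i in {2, ..., M-2} with f(i) - f(i-1) >= f(M) - f(i)."""
    M = len(f)
    return [i for i in range(2, M - 1)
            if f[i - 1] - f[i - 2] >= f[M - 1] - f[i - 1]]


def ocpa_legal(queries):
    """IND-OCPA restriction: m0^i < m0^j iff m1^i < m1^j for all i, j."""
    return all((a[0] < b[0]) == (a[1] < b[1])
               for a, b in itertools.product(queries, repeat=2))


def adversary(enc, m, M):
    """The slide's A: three LR queries, output 1 iff (c3 - c2) > (c2 - c1).
    enc(pair) stands for the oracle ENC(K, LR(pair[0], pair[1], b)), b fixed."""
    queries = [(1, m), (m, m + 1), (m + 1, M)]
    if not ocpa_legal(queries):
        raise ValueError("query set violates the IND-OCPA restriction")
    c1, c2, c3 = (enc(q) for q in queries)
    return 1 if (c3 - c2) > (c2 - c1) else 0


def experiment(f, b, m):
    """Exp^{ind-ocpa-b}_{SE}(A) for the OPE scheme ENC(K, x) = f(x), with A's
    random choice of m fixed so that each branch can be inspected."""
    return adversary(lambda pair: f[pair[b] - 1], m, len(f))


def advantage(f):
    """Pr[Exp^1(A) = 1] - Pr[Exp^0(A) = 1] with m uniform over {2, ..., M-2}
    (assumption made here: the endpoints m = 1 and m = M-1 are excluded since
    their query sets are not IND-OCPA-legal)."""
    ms = range(2, len(f) - 1)
    p1 = Fraction(sum(experiment(f, 1, m) for m in ms), len(ms))
    p0 = Fraction(sum(experiment(f, 0, m) for m in ms), len(ms))
    return p1 - p0


if __name__ == "__main__":
    print("big jumps:", big_jumps(F_SAMPLE),
          "big reverse-jumps:", big_reverse_jumps(F_SAMPLE))
    for m in (5, 4):
        print(f"m={m}: b=0 -> A outputs {experiment(F_SAMPLE, 0, m)}, "
              f"b=1 -> A outputs {experiment(F_SAMPLE, 1, m)}")
    print("advantage:", advantage(F_SAMPLE))
```

With this f the only big jump is at i = 4, which is exactly the case on the slide where A answers wrongly in the b = 0 world; every other m is classified correctly, so the advantage is 1 − 1/7. That is the content of the bound on the slide: A fails only at big jumps (and big reverse-jumps), of which an OPF into [N] can have only about log N.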
OPE and Its Security
 Big jump attack and OPE scheme
 Distinguishes between ciphertexts that are very close and ciphertexts that are far apart.
 The attack shows that any practical OPE scheme inherently leaks more information about the plaintexts than just their ordering.
 Some information about their relative distances.
15
OPE and Its Security
 The authors try to restrict the power of the adversary A within IND-OCPA.
 As with pseudorandom functions (PRFs) and permutations (PRPs), the adversary should be unable to distinguish oracle access to ENC of the scheme from access to the corresponding ideal object.
 Pseudorandom order-preserving function against chosen-ciphertext attack, POPF-CCA.
16
OPE and Its Security
 POPF-CCA
 order-preserving encryption scheme SE = (K, ENC, DEC)
 plaintext-space D
 ciphertext-space R
 |D| ≦ |R|
 OPF_{D,R} denotes the set of all order-preserving functions from D to R.
 adversary A against SE with advantage

$$\mathbf{Adv}^{\mathrm{popf\text{-}cca}}_{SE}(A) = \Pr\big[K \xleftarrow{R} \mathcal{K} : A^{\mathrm{ENC}(K,\cdot),\,\mathrm{DEC}(K,\cdot)} = 1\big] - \Pr\big[g \xleftarrow{R} \mathrm{OPF}_{D,R} : A^{g(\cdot),\,g^{-1}(\cdot)} = 1\big]$$
17
Outline
 Introduction
 OPE and Its Security
 Lazy Sampling a Random Order-Preserving
Function
 OPE Scheme and Its Analysis
 Conclusion
18
Lazy Sampling a Random Order-Preserving
Function
 Lazy Sampling
 POPF-CCA is useful.
 Need a way to implement A’s oracles in the “ideal”
experiment efficiently.
 How to lazy sample a random order-preserving
function and its inverse.
 A connection between a random order-preserving
function and the hypergeometric probability
distribution.
19
Lazy Sampling a Random Order-Preserving
Function
 The set OPF_{D,R}: all order-preserving functions from a domain D of size M to a range R of size N > M.
 The set of all possible combinations of M out of
N ordered items.
20
Lazy Sampling a Random Order-Preserving
Function
[Figure: domain points mapped into the range; range set S = {24, 25, 27, 35, 36, 39, 41, 42, 44, 45}]
21
Lazy Sampling a Random Order-Preserving
Function
 For M, N ∈ ℕ and any x, x+1 ∈ [M], y ∈ [N]:

$$\Pr\big[f(x) \le y < f(x+1) \,\big|\, f \xleftarrow{R} \mathrm{OPF}_{D,R}\big] = \frac{\binom{y}{x}\binom{N-y}{M-x}}{\binom{N}{M}}$$
22
Lazy Sampling a Random Order-Preserving
Function
 Hypergeometric distribution
 Hypergeometric experiment
 A random sample of size M is selected without replacement from N items.
 y of the N items are classified as successes and N−y as failures.

$$h(x; N, M, y) = \frac{\binom{y}{x}\binom{N-y}{M-x}}{\binom{N}{M}}$$
23
Lazy Sampling a Random Order-Preserving
Function
 Hypergeometric distribution
[Figure: plot of the hypergeometric distribution]
24
Lazy Sampling a Random Order-Preserving
Function
 Hypergeometric distribution
 A batch of 40 light bulbs is rejected by quality control once 3 defective bulbs are found. Suppose the inspector picks 5 bulbs at random; what is the probability that exactly 1 defective bulb is found?
 N = 40, M = 5, y = 3
 X = number of defective bulbs found ~ h(x; N, M, y) = h(x; 40, 5, 3)

$$\Pr(X = 1) = \frac{\binom{y}{x}\binom{N-y}{M-x}}{\binom{N}{M}} = \frac{\binom{3}{1}\binom{37}{4}}{\binom{40}{5}} \approx 0.301$$
25
Lazy Sampling a Random Order-Preserving
Function
 For M, N ∈ ℕ and any x, x+1 ∈ [M], y ∈ [N]:

$$\Pr\big[f(x) \le y < f(x+1) \,\big|\, f \xleftarrow{R} \mathrm{OPF}_{D,R}\big] = \frac{\binom{y}{x}\binom{N-y}{M-x}}{\binom{N}{M}} = h(x; N, M, y)$$
26
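The identity on the last two slides, checked by brute force, as an added example (not code from the paper): `h` is the hypergeometric pmf in the slides' h(x; N, M, y) notation, `all_opfs` enumerates every order-preserving function [M] → [N] as an M-subset of [N], and `prob_gap` counts how many of them satisfy f(x) ≤ y < f(x+1). The function and helper names are ours; one assumption added here is the pair of sentinels f(0) = 0 and f(M+1) = N+1, which lets the check also cover x = 0 and x = M, beyond the slide's x, x+1 ∈ [M]. `bulb_example` is the light-bulb computation from slide 25.

```python
# Added example, not code from the paper: the hypergeometric pmf from the slides
# and a brute-force check of
#   Pr[f(x) <= y < f(x+1) | f <-$ OPF_{D,R}] = C(y,x) C(N-y,M-x) / C(N,M)
# by enumerating every order-preserving function [M] -> [N].
from fractions import Fraction
from itertools import combinations
from math import comb


def h(x, N, M, y):
    """Hypergeometric pmf h(x; N, M, y): x successes in a sample of size M drawn
    without replacement from N items of which y are successes.  math.comb
    returns 0 when x > y or M - x > N - y, so infeasible x get probability 0."""
    if x < 0 or x > M:
        return Fraction(0)
    return Fraction(comb(y, x) * comb(N - y, M - x), comb(N, M))


def all_opfs(M, N):
    """Each order-preserving f: [M] -> [N] is an M-subset of [N] listed in
    increasing order; returned as tuples with f[i-1] = f(i)."""
    return list(combinations(range(1, N + 1), M))


def prob_gap(x, y, M, N):
    """Fraction of OPFs with f(x) <= y < f(x+1), i.e. exactly x domain points
    mapped at or below range point y.  Sentinels f(0) = 0 and f(M+1) = N+1
    (assumption here) extend the slide's x, x+1 in [M] to x = 0 and x = M."""
    fs = all_opfs(M, N)
    hits = 0
    for f in fs:
        ext = (0,) + f + (N + 1,)          # ext[i] = f(i) for i in 0..M+1
        if ext[x] <= y < ext[x + 1]:
            hits += 1
    return Fraction(hits, len(fs))


def identity_holds(M, N):
    """True iff prob_gap == h for every x in {0..M} and every y in [N]."""
    return all(prob_gap(x, y, M, N) == h(x, N, M, y)
               for x in range(M + 1) for y in range(1, N + 1))


def bulb_example():
    """Slide 25: N = 40 bulbs, y = 3 defective, sample M = 5; P(exactly 1 found)."""
    return h(1, 40, 5, 3)


if __name__ == "__main__":
    print("identity holds for M=3, N=6:", identity_holds(3, 6))
    print("P(X = 1) for the bulb example:", float(bulb_example()))
```

The enumeration is exact (rational arithmetic), so the check is an equality, not an approximation. It is the reason lazy sampling can use h: deciding how many domain points fall at or below a range gap y is a hypergeometric draw, and that is the only random choice the sampler ever has to make.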
Lazy Sampling a Random Order-Preserving
Function
 The LazySample algorithm
 Algorithms LazySample, LazySampleInv that
lazy sample a random order-preserving function
from domain D to range R, |D| ≦ |R|, and its
inverse, respectively.
27
Lazy Sampling a Random Order-Preserving
Function
 The LazySample algorithm
 Two subroutines
 HGD(D, R, y ∈ R) = x ∈ D s.t. for each x* ∈ D we have x = x* with probability h(x − d; |R|, |D|, y − r), where d = min(D) − 1, r = min(R) − 1.
 GetCoins(1^l, D, R, b‖z) = cc ∈ {0,1}^l, where b ∈ {0,1} and z ∈ R if b = 0 and z ∈ D otherwise.
28
Lazy Sampling a Random Order-Preserving
Function
 The LazySample algorithm
 Joint state: arrays F and I
 Array I: the number of points of D that are mapped to range point y
 Array F: the image of m under the lazy-sampled function.
29
Lazy Sampling a Random Order-Preserving
Function
 The LazySample algorithm
 LazySample employs a strategy
 Mapping range gaps to domain gaps in a recursive, binary-search manner.
 A range gap or domain gap is
 an imaginary barrier between two consecutive points in the range or domain.
30
Introduction

31
Lazy Sampling a Random Order-Preserving
Function
 The LazySample algorithm
 Suppose GetCoins returns truly random coins on each new input. Then for any algorithm A we have

$$\Pr\big[A^{\mathrm{LazySample}(D,R,\cdot),\,\mathrm{LazySampleInv}(D,R,\cdot)} = 1\big] = \Pr\big[A^{g(\cdot),\,g^{-1}(\cdot)} = 1\big]$$

 where g, g^{−1} denote an order-preserving function picked at random from OPF_{D,R} and its inverse.
32
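The recursive range-gap/domain-gap strategy of slides 27 to 32, as an added example (not the paper's LazySample or HGD code): `LazyOPF.f(m)` picks the middle range gap y of the current subproblem, asks `hgd_sample` (our stand-in for HGD(D, R, y)) how many domain points fall at or below y, stores that split in `I[y]`, and recurses into the half containing m; a single remaining domain point gets a uniformly random image from its range, stored in `F[m]`. Assumptions beyond the slides: domain and range are integer intervals given as (lo, hi) pairs, the hypergeometric draw is an exact inverse-transform sample from h rather than the paper's HGD sampling algorithm, and the coins come from a seeded `random.Random` instead of GetCoins. Class, function and state names are ours.

```python
# Added example, not the paper's code: lazily sampling a random order-preserving
# function by the recursive range-gap / domain-gap strategy described on the
# slides.  The joint state (I, F) keeps later and repeated queries consistent.
import random
from math import comb


def hgd_sample(D, R, y, rng):
    """Stand-in for HGD(D, R, y): the domain point x with f(x) <= y < f(x+1),
    i.e. d + (number of domain points mapped at or below y), drawn with
    probability h(x - d; |R|, |D|, y - r), d = min(D)-1, r = min(R)-1.
    Exact inverse-transform sampling over the pmf (assumption made here)."""
    d, r = D[0] - 1, R[0] - 1
    M, N = D[1] - d, R[1] - r
    succ = y - r                                   # range points <= y
    lo, hi = max(0, M - (N - succ)), min(M, succ)  # feasible counts
    counts = range(lo, hi + 1)
    weights = [comb(succ, c) * comb(N - succ, M - c) for c in counts]
    return d + rng.choices(counts, weights=weights)[0]


class LazyOPF:
    """Random order-preserving f: [1..M] -> [1..N], sampled on demand.
    Joint state as on the slides: I[y] = split point chosen at range gap y,
    F[m] = f(m) once fixed."""

    def __init__(self, M, N, seed=0):
        if M > N:
            raise ValueError("need |D| <= |R|")
        self.M, self.N = M, N
        self.rng = random.Random(seed)
        self.I, self.F = {}, {}

    def f(self, m):
        return self._sample(m, (1, self.M), (1, self.N))

    def _sample(self, m, D, R):
        d_lo, d_hi = D
        r_lo, r_hi = R
        if d_lo == d_hi:                       # one domain point: image uniform in R
            if m not in self.F:
                self.F[m] = self.rng.randint(r_lo, r_hi)
            return self.F[m]
        n = r_hi - r_lo + 1
        y = r_lo - 1 + (n + 1) // 2            # middle range gap: barrier after y
        if y not in self.I:                    # each y belongs to exactly one subproblem
            self.I[y] = hgd_sample(D, R, y, self.rng)
        x = self.I[y]
        if m <= x:                             # m lies left of the gap
            return self._sample(m, (d_lo, x), (r_lo, y))
        return self._sample(m, (x + 1, d_hi), (y + 1, r_hi))

    def table(self):
        return [self.f(m) for m in range(1, self.M + 1)]


def is_order_preserving(vals, N):
    """All images in [1..N] and strictly increasing."""
    return (all(1 <= v <= N for v in vals)
            and all(a < b for a, b in zip(vals, vals[1:])))


def check_many(M, N, seeds):
    """Sample the whole function for several seeds, in a scrambled query order,
    and confirm every result is an order-preserving function into [N]."""
    for seed in seeds:
        opf = LazyOPF(M, N, seed)
        order = list(range(1, M + 1))
        random.Random(seed + 1000).shuffle(order)
        first = {m: opf.f(m) for m in order}       # out-of-order queries
        vals = opf.table()
        if not is_order_preserving(vals, N):
            return False
        if any(first[m] != vals[m - 1] for m in order):   # state must be stable
            return False
    return True


if __name__ == "__main__":
    opf = LazyOPF(10, 45, seed=7)
    print("f(5) =", opf.f(5), "then f(2) =", opf.f(2))
    print("full table:", opf.table())
    print("all checks pass:", check_many(6, 15, range(25)))
```

Querying f(5) before f(2) is the point of the construction: the answer to f(5) fixes `I` at the range gaps on its search path, and f(2) is then sampled inside the sub-interval those splits leave for it, so the function stays order-preserving without ever being materialised. This is what makes the ideal oracle in the POPF-CCA experiment implementable in O(log N) per query.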
Outline
 Introduction
 OPE and Its Security
 Lazy Sampling a Random Order-Preserving
Function
 OPE Scheme and Its Analysis
 Conclusion
33
OPE Scheme and Its Analysis
 The TapeGen PRF
 LazySample and LazySampleInv cannot be used directly as ENC and DEC: LS and LSI share and update the joint state, arrays F and I, which store the outputs of HGD.
 GetCoins is modified so that when HGD is called, the output of the TapeGen PRF serves as the seed from which HGD generates the entries of F and I.
 The TapeGen PRF is built from three PRFs, a VIL-PRF, a VOL-PRF and an LF-PRF, with the LF-PRF as the key component.
34
OPE Scheme and Its Analysis
 The TapeGen PRF
 For an adversary A, define its LF-PRF advantage against TapeGen as

$$\mathbf{Adv}^{\mathrm{lf\text{-}prf}}_{\mathrm{TapeGen}}(A) = \Pr\big[A^{\mathrm{TapeGen}(\cdot)} = 1\big] - \Pr\big[A^{R(\cdot)} = 1\big]$$
35
Introduction

36
OPE Scheme and Its Analysis
 Let OPE[TapeGen] be the OPE scheme defined above with plaintext-space of size M and ciphertext-space of size N. Then for any adversary A against OPE[TapeGen] making at most q queries to its oracles combined, there is an adversary B against TapeGen s.t.

$$\mathbf{Adv}^{\mathrm{popf\text{-}cca}}_{\mathrm{OPE[TapeGen]}}(A) \le \mathbf{Adv}^{\mathrm{lf\text{-}prf}}_{\mathrm{TapeGen}}(B)$$
37
OPE Scheme and Its Analysis
 Adversary B makes at most q1 = q(log N + 1) queries of size at most 5 log N + 1 to its oracle, whose responses total q1λ' bits on average, and its running time is that of A. Above, λ and λ' are constants depending only on HGD.
38
OPE Scheme and Its Analysis
 On choosing N
 Only when [M] and [N] are very large, above 2^80, does a random order-preserving function leak information
39
Outline
 Introduction
 OPE and Its Security
 Lazy Sampling a Random Order-Preserving
Function
 OPE Scheme and Its Analysis
 Conclusion
40
Conclusion
 The authors build a chain of arguments, improving step by step from IND-CPA to the proposed POPF-CCA
 Using a clever combination of LazySample and the hypergeometric distribution, they give an OPE scheme with a provable security proof under POPF-CCA
 How to apply this to my scheme
 The authors' OPE maps numbers to numbers
 My OPE maps numbers to braid groups
 Apply directly? Modify the proof? Modify the scheme?
41