Order-Preserving Symmetric Encryption Alexandra Boldyreva, Nathan Chenette, Younho Lee and Adam O’Neill EUROCRYPT 2009, LNCS 5479, pp. 224-241
Outline • Introduction • OPE and Its Security • Lazy Sampling a Random Order-Preserving Function • OPE Scheme and Its Analysis • Conclusion
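Introduction • Order-preserving symmetric encryption, OPE • OPE has a long history in the form of one-part codes, going back to World War I. • The ciphertext corresponding to a plaintext is obtained by scrambling the alphabetical or numerical order. • The more valuable recent work applies OPE in the database community, proposed by Agrawal et al. in 2004.
Introduction • An OPE scheme must support efficient range queries on encrypted data. • Efficient here means O(lg n) time, where n is the number of records in the database. • HVE and MRQED are not efficient: a query has to scan the entire database. • No provable-security treatment of OPE had been given yet; the authors want to fill this gap. • OPE cannot satisfy every security definition, e.g. IND-CPA.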
Outline • Introduction • OPE and Its Security • Lazy Sampling a Random Order-Preserving Function • OPE Scheme and Its Analysis • Conclusion
OPE and Its Security • IND-CPA • LR(·,·,b): on input $m_0$ and $m_1$, return $m_b$. • symmetric encryption scheme SE = (K, ENC, DEC) • Adversary A • b∈{0,1} • We require that each query $(m_0, m_1)$ that A makes to its oracle satisfies $|m_0| = |m_1|$
OPE and Its Security • OPE cannot satisfy IND-CPA. • Deterministic. • Leaks the order relations among the plaintexts. • Since IND-CPA cannot be met, the authors weaken IND-CPA so that OPE can satisfy it. • They draw on IND-DCPA (indistinguishability under distinct chosen-plaintext attack), proposed by M. Bellare et al. in "Authenticated encryption in SSH: provably fixing the SSH binary packet protocol," CCS ’02, pp. 1-11, 2002. • They propose IND-OCPA (indistinguishability under ordered chosen-plaintext attack).
OPE and Its Security • IND-DCPA • Restricted to make only distinct queries. • Adversary A makes queries $(m_0^1, m_1^1), \ldots, (m_0^q, m_1^q)$ • Require that $m_b^1, m_b^2, \ldots, m_b^q$ are all distinct for b∈{0,1}
OPE and Its Security • IND-OCPA • Adversary A makes queries $(m_0^1, m_1^1), \ldots, (m_0^q, m_1^q)$ • $m_0^i < m_0^j$ iff $m_1^i < m_1^j$ for all $1 \le i, j \le q$.
OPE and Its Security • IND-OCPA looks workable but is useless in practice unless the size of the ciphertext space is exponential in the size of the plaintext space. • Let SE = (K, ENC, DEC) be an order-preserving encryption scheme with plaintext-space [M] and ciphertext-space [N] for M, N ∈ ℕ s.t. $2^{k-1} \le N < 2^k$ for some k ∈ ℕ. Then there exists an IND-OCPA adversary A against SE s.t. Furthermore, A runs in time O(log N) and makes 3 oracle queries.
OPE and Its Security • Big jump and big reverse-jump • For an order-preserving function f : [M] →[N] • i∈{3, …, M-1} is a big jump if the f-distance to the next point is as big as the sum of all the previous. • f(i + 1) - f(i) ≧ f(i) - f(1) • i∈{2, …, M-2} is a big reverse-jump if f(i) - f(i-1) ≧ f(M) - f(i)
OPE and Its Security • Big jump and big reverse-jump • [Figure: Big Jump]
OPE and Its Security • Big jump attack • Consider IND-OCPA adversary A against SE
OPE and Its Security • Big jump and big reverse-jump • m = 5: c1 = 24 or 35, c2 = 35 or 36, c3 = 36 or 45; c3 − c2 = 1 or 9, c2 − c1 = 11 or 1; if (c3 − c2) > (c2 − c1), adversary A guesses b = 1, else adversary A guesses b = 0 • m = 4: c1 = 24 or 27, c2 = 27 or 35, c3 = 35 or 45; c3 − c2 = 8 or 10, c2 − c1 = 3 or 8; if (c3 − c2) > (c2 − c1), adversary A guesses b = 1, else adversary A guesses b = 0 • [Figure: Big Jump] • We assume that f has k big jumps.
OPE and Its Security • Big jump attack and OPE scheme • The attack distinguishes between ciphertexts that are very close and ciphertexts that are far apart. • It shows that any practical OPE scheme inherently leaks more information about the plaintexts than just their ordering. • Namely, some information about their relative distances.
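Added example (not from the paper or the original slides): the three-query IND-OCPA adversary behind the worked numbers above, run exhaustively over b and m. The query pattern (1, m), (m, m+1), (m+1, M) is inferred from those numbers; reading the range set S = {24, ..., 45} as f(1), ..., f(10), restricting m to 2..M-2 so that every query stays strictly order-consistent, and all function names are assumptions of this sketch.

```python
from fractions import Fraction

# Constructed table: the slides' range set S read as f(1), ..., f(10).
S = [24, 25, 27, 35, 36, 39, 41, 42, 44, 45]

def table(values):
    """1-indexed order-preserving function given as an increasing ciphertext list."""
    assert all(a < b for a, b in zip(values, values[1:])), "not order-preserving"
    return {i + 1: c for i, c in enumerate(values)}

def lr_oracle(f, b):
    """Left-or-right encryption oracle: encrypts m0 if b == 0, m1 if b == 1."""
    return lambda m0, m1: f[m1] if b else f[m0]

def big_jump_adversary(oracle, M, m):
    """Make the three ordered queries and guess b from the two ciphertext gaps."""
    c1 = oracle(1, m)
    c2 = oracle(m, m + 1)
    c3 = oracle(m + 1, M)
    return 1 if (c3 - c2) > (c2 - c1) else 0

def failures(values):
    """(b, m) pairs on which the guess is wrong, for b in {0,1} and m in 2..M-2."""
    f, M = table(values), len(values)
    return [(b, m) for b in (0, 1) for m in range(2, M - 1)
            if big_jump_adversary(lr_oracle(f, b), M, m) != b]

def win_rate(values):
    """Exact probability of a correct guess for uniform b and uniform m in 2..M-2."""
    trials = 2 * (len(values) - 3)
    return Fraction(trials - len(failures(values)), trials)

if __name__ == "__main__":
    print("slide table:", win_rate(S), "wrong at", failures(S))
    # Constructed counter-case: f(i) = 2^(i-1), a range exponential in the domain.
    print("f(i) = 2^(i-1):", win_rate([2 ** i for i in range(10)]))
```

On the slides' table the guess is wrong only where the gap after m dominates (b = 0 at m = 2, 3) or the gap before M dominates (b = 1 at m = 8), giving 11/14; on the exponentially spread table every point behaves like a big jump and the adversary is right exactly half the time.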
OPE and Its Security • The authors try restricting the capabilities of adversary A in IND-OCPA. • By way of pseudorandom functions (PRFs) or permutations (PRPs): the adversary cannot distinguish between oracle access to ENC of the scheme and the corresponding ideal object. • Pseudorandom order-preserving function against chosen-ciphertext attack, POPF-CCA.
OPE and Its Security • POPF-CCA • order-preserving encryption scheme SE = (K, ENC, DEC) • plaintext-space D • ciphertext-space R • |D| ≦ |R| • $\mathrm{OPF}_{D,R}$ denotes the set of all order-preserving functions from D to R. • adversary A against SE with advantage
Outline • Introduction • OPE and Its Security • Lazy Sampling a Random Order-Preserving Function • OPE Scheme and Its Analysis • Conclusion
Lazy Sampling a Random Order-Preserving Function • Lazy Sampling • POPF-CCA is useful. • Need a way to implement A’s oracles in the “ideal” experiment efficiently. • How to lazy sample a random order-preserving function and its inverse. • A connection between a random order-preserving function and the hypergeometric probability distribution.
Lazy Sampling a Random Order-Preserving Function • The set $\mathrm{OPF}_{D,R}$: all order-preserving functions from a domain D of size M to a range R of size N > M. • The set of all possible combinations of M out of N ordered items.
Lazy Sampling a Random Order-Preserving Function Range set S = {24, 25, 27, 35, 36, 39, 41, 42, 44, 45} Domain
Lazy Sampling a Random Order-Preserving Function • Hypergeometric distribution • Hypergeometric experiment • A random sample of size M is selected without replacement from N items. • y of the N items may be classified as success and N-y are classified as failures.
Lazy Sampling a Random Order-Preserving Function • Hypergeometric distribution
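Lazy Sampling a Random Order-Preserving Function • Hypergeometric distribution • A lot of 40 light bulbs is rejected if quality control finds 3 defective bulbs. Suppose quality control picks 5 bulbs at random for inspection: what is the probability that exactly 1 defective bulb is found? • N = 40, M = 5, y = 3 • X = number of defective bulbs found ~ h(x; N, M, y) = h(x; 40, 5, 3)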
Lazy Sampling a Random Order-Preserving Function • The LazySample algorithm • Algorithms LazySample, LazySampleInv that lazy sample a random order-preserving function from domain D to range R, |D| ≦ |R|, and its inverse, respectively.
Lazy Sampling a Random Order-Preserving Function • The LazySample algorithm • Two subroutines • HGD(D, R, y∈R) = x∈D s.t. for each x*∈D we have x = x* with probability h(x − d; |R|, |D|, y − r), where d = min(D) − 1, r = min(R) − 1. • GetCoins($1^\ell$, D, R, b||z) = cc ∈ $\{0,1\}^\ell$, where b∈{0,1} and z∈R if b = 0 and z∈D otherwise.
Lazy Sampling a Random Order-Preserving Function • The LazySample algorithm • Joint state: arrays F and I • Array I: the number of points in D that are mapped to range point y • Array F: the image of m under the lazy-sampled function.
Lazy Sampling a Random Order-Preserving Function • The LazySample algorithm • LazySample employs a strategy • Mapping range gaps to domain gaps in a recursive, binary-search manner. • By range gap or domain gap we mean • An imaginary barrier between two consecutive points in the range or domain.
Lazy Sampling a Random Order-Preserving Function • The LazySample algorithm • Suppose GetCoins returns truly random coins on each new input. Then for any algorithm A we have where $g, g^{-1}$ denote an order-preserving function picked at random from $\mathrm{OPF}_{D,R}$ and its inverse.
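Added example (not code from the paper or the slides): a Python sketch of the LazySample recursion described above for D = [1..M] and R = [1..N], mapping the middle range gap to a domain gap with a hypergeometric draw and memoizing it in I. Python's random module stands in for GetCoins' truly random coins, LazySampleInv is omitted, and the class and function names are invented here; h() follows the slides' h(x; N, M, y) and reproduces the light-bulb figure, assuming the lot holds y = 3 defective bulbs.

```python
import random
from math import comb

def h(x, N, M, y):
    """Slides' h(x; N, M, y): P[x successes] when M of N items are drawn
    without replacement and y of the N items are successes."""
    return comb(y, x) * comb(N - y, M - x) / comb(N, M)

def hgd(rng, N, M, y):
    """Sample x ~ h(.; N, M, y) by inverse CDF over the support of the distribution."""
    lo, hi = max(0, M - (N - y)), min(M, y)
    u, acc = rng.random(), 0.0
    for x in range(lo, hi):
        acc += h(x, N, M, y)
        if u < acc:
            return x
    return hi  # remaining probability mass

class LazyOPF:
    """Random order-preserving function [1..M] -> [1..N], sampled point by point."""
    def __init__(self, M, N, seed=None):
        assert 1 <= M <= N
        self.M, self.N = M, N
        self.rng = random.Random(seed)  # stand-in for GetCoins (assumption)
        self.I = {}  # (D, R, y) -> number of points of D placed at or below range gap y
        self.F = {}  # m -> image of m

    def sample(self, m):
        assert 1 <= m <= self.M
        dlo, dhi, rlo, rhi = 1, self.M, 1, self.N
        while dhi > dlo:                      # recurse until |D| = 1
            M, N = dhi - dlo + 1, rhi - rlo + 1
            y = rlo - 1 + (N + 1) // 2        # range gap in the middle of R
            key = (dlo, dhi, rlo, rhi, y)
            if key not in self.I:
                self.I[key] = hgd(self.rng, N, M, y - (rlo - 1))
            x = dlo - 1 + self.I[key]         # matching domain gap
            if m <= x:
                dhi, rhi = x, y               # keep the lower halves
            else:
                dlo, rlo = x + 1, y + 1       # keep the upper halves
        if m not in self.F:
            self.F[m] = self.rng.randint(rlo, rhi)  # single point: uniform in R
        return self.F[m]

if __name__ == "__main__":
    f = LazyOPF(10, 100, seed=7)
    print([f.sample(m) for m in (5, 1, 10, 6)], round(h(1, 40, 5, 3), 4))
```

Each call touches O(log N) entries of I, and queries made in any order stay mutually consistent because every draw is stored before it is used.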
Outline • Introduction • OPE and Its Security • Lazy Sampling a Random Order-Preserving Function • OPE Scheme and Its Analysis • Conclusion
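OPE Scheme and Its Analysis • The TapeGen PRF • LazySample and LazySampleInv cannot be used directly for ENC and DEC: LS and LSI share and update joint state, the arrays F and I, which store the outputs of HGD. • GetCoins is modified: when HGD is called, the output of the TapeGen PRF is used as the seed from which HGD produces the entries of F and I. • The TapeGen PRF is built from three PRFs, VIL-PRF, VOL-PRF and LF-PRF, with LF-PRF being the key one.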
OPE Scheme and Its Analysis • The TapeGen PRF • For an adversary A, define its LF-PRF-advantage against TapeGen as
OPE Scheme and Its Analysis • Let OPE[TapeGen] be the OPE scheme defined above with plaintext-space of size M and ciphertext-space of size N. Then for any adversary A against OPE[TapeGen] making at most q queries to its oracles combined, there is an adversary B against TapeGen s.t.
OPE Scheme and Its Analysis • Adversary B makes at most $q_1 = q(\log N + 1)$ queries of size at most $5 \log N + 1$ to its oracle, whose responses total $q_1 \lambda'$ bits on average, and its running time is that of A. Above, λ and λ’ are constants depending only on HGD.
OPE Scheme and Its Analysis • On choosing N • Only when [M] and [N] are very large, greater than 280, does a random order-preserving function leak information
Outline • Introduction • OPE and Its Security • Lazy Sampling a Random Order-Preserving Function • OPE Scheme and Its Analysis • Conclusion
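Conclusion • The authors work through a chain of reasoning, refining step by step from IND-CPA to the proposed POPF-CCA • By cleverly combining LazySample with the hypergeometric distribution, they give a provable-security proof, POPF-CCA, for an OPE scheme • How to apply this to my scheme • The authors' OPE maps numbers to numbers • My OPE maps numbers to braid groups • Apply directly? Modify the proof technique? Modify the scheme?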