1. Practical Order-Revealing Encryption with Limited Leakage Nathan Chenette, Kevin Lewi, Stephen A. Weis, and David J. Wu Fast Software Encryption March, 2016

2. Order-Revealing Encryption [BRLSZZ15] Client Server secret-key encryption scheme

3. Order-Revealing Encryption [BRLSZZ15] Server Application: range queries / binary search on encrypted data

4. Order-Revealing Encryption [BRLSZZ15] given any two ciphertexts there is a publically evaluatable function that evaluates the comparison function

5. Defining Security Starting point: semantic security (IND-CPA) [GM84] challenger adversary

6. Best-Possible Security [BCLO09] must impose restriction on messages: otherwise trivial to break semantic security using comparison operator

7. Best-Possible Security [BCLO09]

8. order of “left” set of messages same as order of “right” set of messages

9. Existing Approaches

10. Multilinear-map-based Solution [BRLSZZ15] Much more efficient than general purpose indistinguishability obfuscation Achieves best-possible security Security of multilinear maps not well-understood Still quite inefficient (e.g., ciphertexts on the order of GB)

11. Existing Approaches

12. Order-preserving encryption (OPE) [BCLO09, BCO11]: No “best-possible” security, so instead, compare with random order-preserving function (ROPF) encryption function implements a random order-preserving function domainrange

13. Existing Approaches Properties of a random order-preserving function [BCO’11]: Each ciphertext roughly leaks half of the most significant bits Each pair of ciphertexts roughly leaks half of the most significant bits of their difference No semantic security for even a single message!

14. Existing Approaches Security Efficiency General-purpose MIFE from iO Direct construction from multilinear maps OPE Something in between? Not drawn to scale

15. A New Security Notion Two existing security notions: IND-OCPA: strong security, but hard to achieve efficiently ROPF-CCA: efficiently constructible, but lots of leakage, and difficult to precisely quantify the leakage

16. A New Security Notion: SIM-ORE ??? Real WorldIdeal World

17. A New Security Notion: SIM-ORE

19. Our Construction 100101100011

20. 100101

21. 100101 empty prefix

22. Our Construction 100101

23. 100101

24. 100101100011 same prefix = same ciphertext block different prefix = value computationally hidden first block that differs

25. Our Construction: Efficiency 100101

26. Our Construction: Security 100101 Security follows directly from security of the PRF Proof sketch. Simulator responds to encryption queries using random strings. Maintains consistency using leakage information (first bit that differs).

27. OPE Conversion 100101 100011 In database applications, OPE preferred over ORE since it does not require changes to the DBMS (e.g., supporting custom comparator)

28. OPE Conversion 100101

29. 100101 Note: unlike most existing OPE schemes, this OPE scheme is not a ROPF, and does not suffer from many of the security limitations of ROPFs

30. Comparison to Previous OPE Schemes

31. message space ciphertext space guess interval Window one-wayness: Much weaker than semantic security!

32. Comparison to Previous OPE Schemes

34. Composing OPE with ORE Possible to compose OPE with ORE to achieve more secure OPE scheme: Resulting construction strictly stronger than inner OPE scheme, but may not be more secure than directly applying ORE to plaintext

35. General-purpose MIFE from iO Direct construction from multilinear maps The Landscape of OPE/ORE Security Efficiency OPE Our construction Not drawn to scale

36. General-purpose MIFE from iO Direct construction from multilinear maps Directions for Future Research Security Efficiency OPE Our construction Shorter ciphertexts? New leakage functions? Best-possible ORE from standard assumptions? Not drawn to scale

37. Sample Implementation: https://github.com/kevinlewi/fastore Project Website: https://crypto.stanford.edu/ore/

38. Questions? http://eprint.iacr.org/2015/1125