Beyond the Ideal Object: Towards Disclosure-Resilient Order-Preserving Encryption Schemes

Sander Wozniak, Michael Rossberg, Sascha Grau, Ali Alshawish, Guenter Schaefer
Technische Universität Ilmenau, CCSW 2013


Page 1: Title

Beyond the Ideal Object: Towards Disclosure-Resilient Order-Preserving Encryption Schemes

Sander Wozniak, Michael Rossberg, Sascha Grau, Ali Alshawish, Guenter Schaefer

Technische Universität Ilmenau, CCSW 2013

Page 2: Order-Preserving Encryption (OPE)

• Domain of plaintexts:
• Range of ciphertexts:
• For an encryption function an OPE scheme satisfies:
• Application in the context of cloud computing:
  – Users may not fully trust their service providers
  – Need to encrypt the outsourced data
  – OPE enables efficient range queries in standard DBMS

Page 3: OPE based on Order-Preserving Functions

• OPF-based schemes:
  – Rely on Order-Preserving Functions (OPFs) drawn from:
  – OPE scheme based on a chosen OPF
• Choosing Order-Preserving Functions
  – Standard model: “Ideal Object” (Boldyreva et al., 2009): OPFs are drawn uniformly at random
  – In this work: alternative OPF construction schemes
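The following is an added example, not code from the slides or the authors: an OPF-based OPE scheme in the “ideal object” model, where the secret key is a strictly increasing map from the plaintext domain {1..M} into the ciphertext range {1..N} drawn uniformly at random. Such a map is exactly a uniformly random M-subset of the range listed in sorted order, which is how it is sampled here. The domain and range sizes, the seed and the split into a client-side bound computation and a server-side filter are assumptions made for the demonstration; they show why a standard DBMS can answer a range query on ciphertexts alone.

```python
import bisect
import random
from typing import List, Tuple

# Added example (not the authors' code). Domain = {1..M}, range = {1..N}, N >= M.
# The OPF f is the key: f[p-1] is the ciphertext of plaintext p.


def sample_opf(M: int, N: int, rng: random.Random) -> List[int]:
    """Ideal object: draw an OPF uniformly at random (a random M-subset, sorted)."""
    if not 1 <= M <= N:
        raise ValueError("need 1 <= M <= N for an injective order-preserving map")
    return sorted(rng.sample(range(1, N + 1), M))


def is_order_preserving(f: List[int], N: int) -> bool:
    """Check the OPE property: values inside the range and strictly increasing."""
    return all(1 <= c <= N for c in f) and all(a < b for a, b in zip(f, f[1:]))


def encrypt(f: List[int], p: int) -> int:
    if not 1 <= p <= len(f):
        raise ValueError("plaintext outside the domain")
    return f[p - 1]


def decrypt(f: List[int], c: int) -> int:
    """Invert f by binary search; only values in the image of f are valid ciphertexts."""
    i = bisect.bisect_left(f, c)
    if i == len(f) or f[i] != c:
        raise ValueError("ciphertext is not in the image of the OPF")
    return i + 1


def client_bounds(f: List[int], lo: int, hi: int) -> Tuple[int, int]:
    """Client side of a range query: encrypt the two endpoints (assumed protocol)."""
    return encrypt(f, lo), encrypt(f, hi)


def server_filter(encrypted_rows: List[int], c_lo: int, c_hi: int) -> List[int]:
    """Server side: a plain comparison on ciphertexts, as a DBMS would do it.
    Because f is order-preserving, c_lo <= Enc(p) <= c_hi holds iff lo <= p <= hi."""
    return [c for c in encrypted_rows if c_lo <= c <= c_hi]


def demo() -> List[int]:
    """Outsource five constructed sample values, query [3, 7], decrypt the hits."""
    rng = random.Random(7)          # fixed seed so the demo is reproducible
    f = sample_opf(10, 100, rng)    # M = 10 plaintexts, N = 100 ciphertexts (assumed)
    rows = [encrypt(f, p) for p in [3, 7, 1, 9, 4]]   # constructed sample data
    c_lo, c_hi = client_bounds(f, 3, 7)
    return sorted(decrypt(f, c) for c in server_filter(rows, c_lo, c_hi))


if __name__ == "__main__":
    print(demo())   # the plaintexts 3, 4 and 7 fall inside the queried interval
```

The server never sees f, only ciphertexts and the two encrypted bounds, which is what makes OPE attractive for outsourced databases; the same comparability is also what the rest of the talk examines as a leakage source.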

Page 4: Weaknesses of the “Ideal Object”

• One-wayness of the “ideal object” is not satisfying
  – Existing research highlights the significance of the most likely plaintext (m.l.p.) of a given ciphertext
  – Empiric frequency distributions for 108 OPFs:

Page 5: Disclosure-Resilience of OPE

• Given: OPF construction scheme
• Attacker model:
  – and the plaintext space is known to adversaries
  – Adversaries have limited additional information:
    • Known ciphertexts
    • Known/chosen plaintext-ciphertext pairs
  – Given a challenge ciphertext , adversaries have to accurately estimate the plaintext producing
• is referred to as disclosure-resilient if it:
  – provides a sufficient number of plaintexts producing
  – maintains this property in case of disclosed information

Page 6: Average Number of Significant Plaintexts

[Figure: probability of being assigned to ciphertext c, plotted over plaintext p, with a threshold line]

• Measures the number of plaintexts that an attacker has to consider as candidates for a challenge ciphertext
• Number of significant plaintexts for a ciphertext:
• Weighted average over all ciphertexts:
• Threshold
• Note: this is not a quantile!

Page 7: Average Expected Estimation Error

• Measures the error of a maximum-likelihood estimator using the most likely plaintexts of a challenge ciphertext
• Expected estimator error:
• Weighted average over all ciphertexts:

[Figure: probability of being assigned to ciphertext c, plotted over plaintext p, with the estimation error marked]
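The two metrics of pages 6 and 7, computed in an added example that is not code from the paper. The formulas on the slides did not survive extraction, so the definitions used here are my reading of the bullet text and are assumptions: a plaintext counts as significant when its conditional probability P(p | c) reaches an absolute threshold, the maximum-likelihood estimator picks the single most likely plaintext, and the average over ciphertexts is weighted by how often each ciphertext occurs as an image. Rather than sampling OPFs as the talk does, the block enumerates every OPF of a tiny instance (domain {1..M}, range {1..N}), so the conditional distributions are exact and the numbers can be checked by hand.

```python
import itertools
from typing import Dict, List, Tuple

# Added example (not the authors' code). Metric definitions below are assumptions
# reconstructed from the slide text; they are applied to the exhaustive family of
# OPFs of a small instance instead of a random sample.

Dist = Dict[int, float]   # plaintext -> probability


def all_opfs(M: int, N: int) -> List[List[int]]:
    """Every strictly increasing map {1..M} -> {1..N}, i.e. every sorted M-subset."""
    return [list(t) for t in itertools.combinations(range(1, N + 1), M)]


def conditional_distributions(opfs: List[List[int]], N: int) -> Tuple[Dist, Dict[int, Dist]]:
    """Return P(c) and P(p | c) over the given family of OPFs.
    P(c) is the share of all (OPF, plaintext) pairs whose ciphertext is c;
    a range value that never occurs as an image gets no entry."""
    M = len(opfs[0])
    counts = {c: [0] * (M + 1) for c in range(1, N + 1)}   # counts[c][p], 1-indexed p
    for f in opfs:
        for p, c in enumerate(f, start=1):
            counts[c][p] += 1
    total = len(opfs) * M
    p_c: Dist = {}
    p_given_c: Dict[int, Dist] = {}
    for c in range(1, N + 1):
        n = sum(counts[c])
        if n == 0:
            continue
        p_c[c] = n / total
        p_given_c[c] = {p: counts[c][p] / n for p in range(1, M + 1)}
    return p_c, p_given_c


def significant_plaintexts(dist: Dist, threshold: float) -> int:
    """Number of plaintexts an attacker must keep as candidates for this ciphertext
    (absolute probability threshold, not a quantile)."""
    return sum(1 for pr in dist.values() if pr >= threshold)


def avg_significant_plaintexts(p_c: Dist, p_given_c: Dict[int, Dist], threshold: float) -> float:
    return sum(p_c[c] * significant_plaintexts(p_given_c[c], threshold) for c in p_c)


def expected_estimation_error(dist: Dist) -> float:
    """Expected |p - p_hat| when the estimator answers the most likely plaintext."""
    mlp = max(dist, key=dist.get)
    return sum(pr * abs(p - mlp) for p, pr in dist.items())


def avg_expected_estimation_error(p_c: Dist, p_given_c: Dict[int, Dist]) -> float:
    return sum(p_c[c] * expected_estimation_error(p_given_c[c]) for c in p_c)


def evaluate(M: int, N: int, threshold: float) -> Tuple[float, float]:
    """Both metrics for the ideal object on the instance (M, N)."""
    p_c, p_given_c = conditional_distributions(all_opfs(M, N), N)
    return (avg_significant_plaintexts(p_c, p_given_c, threshold),
            avg_expected_estimation_error(p_c, p_given_c))


if __name__ == "__main__":
    # For M = 3, N = 6 there are 20 OPFs and each range value is hit equally often.
    # Ciphertext 3, for example, has P(p | c) = (0.3, 0.6, 0.1): the middle plaintext
    # is a dominant peak, which is the one-wayness weakness the talk points at.
    print(evaluate(3, 6, threshold=0.25))
```

With M = 3 and N = 6 the middle ciphertexts each leave two candidates above a 0.25 threshold while the extreme ones leave one, so the average is 5/3; the m.l.p. estimator is off by 0.4 on average for four of the six ciphertexts and exact on the other two. Swapping all_opfs for a list of sampled OPFs from any construction scheme reuses the rest unchanged.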

Page 8: Random Offset Addition

• Draw a random offset
• Encryption function:
• Disclosure-resilient for very few known ciphertexts
• No resilience against known plaintext-ciphertext pairs

[Figure: ciphertext c over plaintext p; a random offset shifts the curves OPF1 to OPF5; 108 OPFs]

Page 9: Random Uniform Sampling

• Choose a splitting element:
  – Random selection / median of the (sub)domain
• Randomly assign a ciphertext to the chosen plaintext
• Recursively sample the subspaces

[Figure: ciphertext c over plaintext p; splitting elements p1, p2, p3 assigned to c1, c2, c3; 108 OPFs]

Page 10: Random Subrange Selection

• Randomly decide whether to draw or first
  – Lower bound first: ;
  – Upper bound first: ;
• Sample OPF from subrange (alternative construction scheme)

[Figure: ciphertext c over plaintext p]

Page 11: Evaluation and Results

• Empiric evaluation using 108 randomly generated OPFs
• The suggested OPF construction schemes reduce the significance of specific plaintexts

Page 12: Average Number of Significant Plaintexts (108 OPFs)

[Figure: four panels A to D]

• A: Novel schemes increase ; offset addition and subrange selection most effective
• B: Disclosure of ciphertexts affects all approaches; novel schemes more effective than the “ideal object”
• C: Known pairs strongly decrease ; offset addition ineffective; subrange selection less effective
• D: Chosen pairs render all schemes ineffective

Page 13: Average Expected Estimation Error (108 OPFs)

[Figure: four panels A to D]

• confirms the results of ; subrange selection using the “ideal object” shows a smaller error (dominant peak of the m.l.p.)

Page 14: Conclusion & Outlook

• Conclusion
  – The suggested OPF construction schemes are able to reduce the significance of specific plaintexts when compared to the “ideal object”
  – However, the resilience against the disclosure of additional information is not yet sufficient for practical applications
• Future work
  – Consider the impact of an increasing range size
  – Investigate alternative OPF construction schemes with high disclosure-resilience in case of well-informed adversaries

Page 15: Contact

Sander Wozniak, [email protected]

Thank you for your attention!

Telematics and Computer Networks Group, Technische Universität Ilmenau, Germany