SLIDE 1
Improved Security Analysis and Alternative Solutions
8/22/2011 9:26:56 PM Order-Preserving Encryption Revisited 1
8/22/2011 9:26:58 PM Order-Preserving Encryption Revisited 2
Improved Security Analysis and Alternative Solutions Alexandra - - PowerPoint PPT Presentation
Improved Security Analysis and Alternative Solutions Alexandra - - PowerPoint PPT Presentation
Improved Security Analysis and Alternative Solutions Alexandra Boldyreva Nathan Chenette Adam ONeill Georgia Tech Georgia Tech UT Austin 8/22/2011 9:26:56 PM Order-Preserving Encryption Revisited 1 8/22/2011 9:26:58 PM Order-Preserving
SLIDE 2
SLIDE 3
8/22/2011 9:26:58 PM Order-Preserving Encryption Revisited 3
Example OPE function for :
A symmetric encryption scheme is order-preserving if encryption is deterministic and strictly increasing
plaintexts ciphertexts
SLIDE 4
8/22/2011 9:26:58 PM Order-Preserving Encryption Revisited 4
A symmetric encryption scheme is order-preserving if encryption is deterministic and strictly increasing
Example OPE function for :
SLIDE 5
[AKSX04] suggested OPE as a protocol to support efficient range queries for outsourced databases
8/22/2011 9:26:59 PM Order-Preserving Encryption Revisited 5
Client Server
(encrypted database)
I’d like records of people with salaries between $60k and $80k…
SLIDE 6
[BCLO09] defined a secure OPE to be a
pseudorandom order-preserving function (POPF)
Experiment:
8/22/2011 9:26:59 PM Order-Preserving Encryption Revisited 6
OPE with random key Random OPF A B
- r
?
queries
Ideal object They designed a
POPF-secure scheme
SLIDE 7
Practitioners want to implement the OPE scheme
right away as it has been proven POPF-secure and is in any case better than no encryption
But, as emphasized by [BCLO09], we must first
establish security guarantees of the ideal object, a random OPF
- What information is necessarily leaked?
- What information is secure?
To elaborate…
8/22/2011 9:26:59 PM Order-Preserving Encryption Revisited 7
SLIDE 8
The security properties of a random OPF are unclear
- Compare to the case of PRF/random function
8/22/2011 9:26:59 PM Order-Preserving Encryption Revisited 8
Random OPF
Output leaks…
- order
- approx.
location
- approx.
distance
- more?
Input
Random function
Input
GUARANTEE: Output leaks
- nly equality
SLIDE 9
8/22/2011 9:26:59 PM Order-Preserving Encryption Revisited 9
SLIDE 10
We suggest several notions of one-wayness to analyze
OPE security
We analyze the one-wayness of a random OPF (and
thus by extension the POPF-secure scheme of [BLCO09])
We introduce two generalizations/modifications of the
OPE primitive that support range queries in (only) particular circumstances with improved one-wayness
- Modular order-preserving encryption (modular range
queries)
- Committed order-preserving encryption (static database)
8/22/2011 9:26:59 PM Order-Preserving Encryption Revisited 10
SLIDE 11
8/22/2011 9:26:59 PM Order-Preserving Encryption Revisited 11
SLIDE 12
Central concern: what do ROPF ciphertexts
reveal/hide about…
- location of plaintexts?
- distance between plaintexts?
We propose several varieties of one-wayness
8/22/2011 9:26:59 PM Order-Preserving Encryption Revisited 12
SLIDE 13
- = window size
- = challenge set size
8/22/2011 9:26:59 PM Order-Preserving Encryption Revisited 13
Adversary
Adversary’s advantage is the probability of the event that
SLIDE 14
- = distance window size
- = challenge set size
8/22/2011 9:26:59 PM Order-Preserving Encryption Revisited 14
Adversary
Adversary’s advantage is the probability of the event that
SLIDE 15
8/22/2011 9:26:59 PM Order-Preserving Encryption Revisited 15
SLIDE 16
Small Window Large window Window One-wayness “Secure” (upper bound on any adversary’s advantage) “Insecure” (lower bound on constructed adversary’s advantage) Distance Window One-wayness “Secure” (upper bound on any adversary’s advantage) “Insecure” (lower bound on constructed adversary’s advantage)
8/22/2011 9:26:59 PM Order-Preserving Encryption Revisited 16
Size of message space
SLIDE 17
We prove an upper bound on -WOW advantage
against ROPF
Theorem: If for , Interpretation:
- Any adversary’s probability of inverting one of
encryptions of random plaintexts is bounded by (approx) a constant times
- For reasonable , this is small.
8/22/2011 9:27:00 PM Order-Preserving Encryption Revisited 17
= Size of message space = Size of ciphertext space
SLIDE 18
Reduce to problem of bounding -WOW-advantage Each ciphertext has a most likely plaintext (m.l.p.)
given that encryption is a random OPF
- Given , adversary’s best option is to output
- Upper bound on advantage: the average m.l.p. probability
- = (area under curve) / (#ciphertexts)
8/22/2011 9:27:01 PM Order-Preserving Encryption Revisited 18
m.l.p. probabilities
SLIDE 19
8/22/2011 9:27:01 PM Order-Preserving Encryption Revisited 19
For , write as a function of Integrate this function over the ciphertext range and divide by to find the approx. avg. m.l.p. prob. For general , , write as a function of Start with for , small and fixed Let 1 2 3 4
SLIDE 20
We prove a lower bound on an adversary’s -
WOW advantage against ROPF
Theorem: For any there exists
an adversary such that for ,
Interpretation:
- Given encryptions of random plaintexts, adversary can
(with high probability) invert one of them to within a size window, where is a medium-sized constant (say, 8)
8/22/2011 9:27:01 PM Order-Preserving Encryption Revisited 20
= Size of message space = Size of ciphertext space
SLIDE 21
Analogous to the WOW case, we show:
- Upper bound on -DWOW advantage of any
adversary
- Lower bound on an adversary’s -DWOW
advantage for
Interpretation:
- Guessing the exact distance between encryptions
- f two random plaintexts is hard.
- Guessing the approximate distance is easy.
8/22/2011 9:27:02 PM Order-Preserving Encryption Revisited 21
SLIDE 22
- Choosing ciphertext space size :
should be sufficient for analysis to hold
- Assumption alert!
- Our analysis is limited to uniformly
random challenge messages
- Open problem to extend otherwise
If some plaintext/ciphertext pairs are known, the
adversary’s view (and our analysis) applies to the subspaces between these points
8/22/2011 9:27:02 PM Order-Preserving Encryption Revisited 22
Known plaintext/ ciphertext pairs
SLIDE 23
8/22/2011 9:27:02 PM Order-Preserving Encryption Revisited 23
SLIDE 24
Generalization of OPE in which “modular order”
is preserved, supports modular range queries
The OPE scheme of [BCLO09] can be extended to
an MOPE scheme by prepending a random (secret) shift
8/22/2011 9:27:02 PM Order-Preserving Encryption Revisited 24
- Now optimally -WOW secure
- -DWOW security is equivalent to
that of the OPE scheme
- Knowledge of a single plaintext/ciphertext
pair essentially reduces the MOPE to an OPE
SLIDE 25
Past results [AKSZ04] have implemented schemes for range
queries on predetermined static databases
- Key generation takes database as input, all ciphertexts revealed
- OP version of secure searchable index schemes ([CGKO06], etc.)
We straightforwardly construct an optimally-secure OPE
tagging scheme using monotone minimal perfect hash functions (MMPHFs) [BBPV09]
8/22/2011 9:27:02 PM Order-Preserving Encryption Revisited 25
= message space (static database) Outputs a key corresponding to the MMPHF sending the ith element of to i
SLIDE 26
8/22/2011 9:27:02 PM Order-Preserving Encryption Revisited 26
SLIDE 27
We made significant progress in addressing the
[BCLO09] open question of analyzing the security of a random OPF
- Introduced new security models using one-wayness
notions
- Analyzed ROPF under those models
We introduced two variations of OPE that could be
useful in some settings
Taken with certain precautions, we hope our results
will help practitioners determine whether the security
- vs. functionality tradeoff of OPE is acceptable for their
applications
8/22/2011 9:27:02 PM Order-Preserving Encryption Revisited 27
SLIDE 28
8/22/2011 9:27:02 PM Order-Preserving Encryption Revisited 28