Practical OrderRevealing Encryption with Limited Leakage
 45 Citations
 1.3k Downloads
Abstract
In an orderpreserving encryption scheme, the encryption algorithm produces ciphertexts that preserve the order of their plaintexts. Orderpreserving encryption schemes have been studied intensely in the last decade, and yet not much is known about the security of these schemes. Very recently, Boneh et al. (Eurocrypt 2015) introduced a generalization of orderpreserving encryption, called orderrevealing encryption, and presented a construction which achieves this notion with bestpossible security. Because their construction relies on multilinear maps, it is too impractical for most applications and therefore remains a theoretical result.
In this work, we build efficiently implementable orderrevealing encryption from pseudorandom functions. We present the first efficient orderrevealing encryption scheme which achieves a simulationbased security notion with respect to a leakage function that precisely quantifies what is leaked by the scheme. In fact, ciphertexts in our scheme are only about 1.6 times longer than their plaintexts. Moreover, we show how composing our construction with existing orderpreserving encryption schemes results in orderrevealing encryption that is strictly more secure than all preceding orderpreserving encryption schemes.
Keywords
Encryption Scheme Range Query Security Parameter Pseudorandom Function Security Notion1 Introduction
A symmetric encryption scheme is orderpreserving if the ciphertexts preserve the numeric ordering of their underlying plaintexts. The notion of orderpreserving encryption (OPE) was introduced by Agrawal et al. [1] who showed how it could be used to efficiently answer range queries over encrypted data, as well as sorting queries, searching queries, and more. Indeed, existing OPE solutions have been implemented in practice [43, 46] for these exact purposes. Since the introduction of OPE, there has been a plethora of work on analyzing the security of various OPE schemes, found both in the cryptography community and the database community. However, it is troubling that in spite of the numerous practical applications of OPE, the security of the best candidate OPE schemes is still not well understood.
Prior Work. The first OPE construction by Agrawal et al. [1] relied on heuristics and lacked a formal security analysis. Subsequently, Boldyreva et al. [7] gave the first formal security definitions for OPE schemes. Boldyreva et al. introduced two primary notions for security of an OPE scheme. The first notion of security for an OPE scheme is called indistinguishability under an ordered chosen plaintext attack (INDOCPA). The INDOCPA definition can be viewed as a generalization of semantic security [31], and effectively says that encryptions of a sequence of messages should reveal nothing about the underlying messages other than their ordering. However, in the same work, Boldyreva et al. showed that no efficient orderpreserving encryption scheme can be INDOCPA secure, even in settings where the size of the ciphertext space is exponentially larger than the size of the plaintext space.
In light of this lower bound for OPE schemes that satisfy INDOCPA security, Boldyreva et al. introduced a weaker notion of security (POPFCCA security) where the encryption function for the OPE scheme is compared to a random orderpreserving function—that is, the encryption algorithm for an OPE scheme behaves like a truly random orderpreserving function. Under this definition, an OPE scheme inherits the properties of a random orderpreserving function.^{1} In the same work, Boldyreva et al. gave an explicit construction of an OPE scheme that satisfies POPFCCA security. However, the POPFCCA security definition does not precisely specify the information that is leaked by an OPE scheme that achieves this definition. In fact, a scheme that achieves this notion of security does not even satisfy semantic security for a single encryption, and indeed, in subsequent work, Boldyreva et al. [8] showed that ciphertexts in their OPE scheme leak approximately the first half of the bits of the underlying plaintexts. In addition, they introduce several new security definitions in order to better quantify the information leakage of OPE schemes that are POPFCCA secure.
Recently, Boneh et al. [9] proposed a generalization of OPE called orderrevealing encryption (ORE). In an OPE scheme, the ciphertexts are numericvalued, and the ordering of the underlying plaintexts is determined by numerically comparing the ciphertexts. In contrast, in an ORE scheme, the ciphertexts are not constrained to any particular form, and instead, there is a publicly computable comparison function which takes two ciphertexts and outputs the numeric ordering of the underlying plaintexts^{2}. Although this generalization may at first seem subtle, Boneh et al. constructed an ORE scheme from multilinear maps that achieves the “bestpossible” notion of security, which is equivalent to the INDOCPA security notion for orderpreserving encryption.
The main drawback of the Boneh et al. ORE construction is that it relies on complicated tools and strong assumptions on these tools, and as such, is currently impractical to implement.
1.1 Our Contributions
We now summarize the main contributions of this work, which include a new simulationbased security notion for ORE, along with a practical construction of an ORE scheme which achieves this security notion. We also show how our new construction can be used to achieve a strictly stronger notion of security compared to other stateless and efficiently implementable (e.g., constructions that do not rely on powerful primitives such as multilinear maps and indistinguishability obfuscation) OPE and ORE encryption schemes.
Security Model. In our work, we take the general approach of Boneh et al. in constructing an ORE scheme, except we take a more efficient route. Our first contribution is a new security definition for orderrevealing encryption schemes that both allows for and explicitly models the leakage in the scheme. Our design goals for introducing this new security model are twofold: first, the security model should enable constructions that are efficiently implementable, and second, it should provide a precise quantification of any information leaked by the scheme. The two primary notions of security, INDOCPA and POPFCCA, introduced by Boldyreva et al. [7] each satisfy one of these two properties. In particular, all noninteractive, stateless^{3} ORE schemes that achieve INDOCPA security require strong cryptographic primitives such as multilinear maps or indistinguishability obfuscation [9, 29], and thus, are not efficiently implementable today. At the other end of the spectrum, it is difficult to precisely quantify the leakage of schemes that satisfy POPFCCA security. The work by Boldyreva et al. [8] provides some concrete lower and upper bounds for the leakage under the strong assumption that the plaintexts are drawn from a uniform distribution. For more general distributions, the leakage remains unclear.
In our work, we give a simulationbased definition of security for ORE with respect to a leakage function \(\mathcal {L}\). In other words, our definition states that whatever an adversary is able to deduce from seeing encryptions of messages \(m_1, \ldots , m_t\), it could also deduce given only the leakage \(\mathcal {L}(m_1, \ldots , m_t)\). The “bestpossible” security for ORE would correspond to the case where the leakage function simply outputs whether \(m_i < m_j\) for all pairs of messages \(m_i\) and \(m_j\). By allowing for the possibility of additional leakage, it becomes possible to construct practical ORE schemes from standard assumptions. Thus, our constructions provide a concrete tradeoff between security and efficiency. Our security definitions are similar to the simulationbased definitions that have been considered previously in the searchable symmetric encryption literature [14, 22].
Constructions. In our main construction, we show how to construct an ORE scheme from oneway functions (more precisely, from pseudorandom functions (PRFs) [28]). This particular ORE scheme reveals slightly more information than just the ordering of the underlying messages. Specifically, two ciphertexts encrypting messages \(m_1\) and \(m_2\) also reveal the index of the first bit in \(m_1\) and \(m_2\) that differ. In other words, our ORE scheme leaks some information about the relative distance between the underlying messages.
To compare encryptions \(\mathsf{ct}= (u_1, \ldots , u_n)\) and \(\mathsf{ct}' = (u_1', \ldots , u_n')\) of messages m and \(m'\), the evaluator first finds the first index i for which \(u_i \ne u_i'\). Since \(u_i\) and \(u_i'\) are functions of just the first i bits of m and \(m'\), respectively, the first index i for which \(u_i \ne u_i'\) is the first bit of m and \(m'\) that differ. After identifying the \({i}^{\mathrm {{th}}}\) bit that differs, the evaluator uses \(u_i\) and \(u_i'\) to determine which message has 0 as the \(i^\mathrm{{th}}\) bit and which message has 1^{4}. Conversely, if \(u_i = u_i'\) for all i, then \(\mathsf{ct}_i = \mathsf{ct}_i'\), and so \(m = m'\). Security of this construction follows from the security of the PRF (Theorem 3.2).
Ciphertexts in our candidate scheme are \(\lceil n \cdot \log _2 3 \rceil \approx \lceil 1.6\, n \rceil \) bits, where n is the bitlength of the message. As a point of comparison, ciphertexts in the OPE scheme of Boldyreva et al. [7] are only \(n+1\) bits long. While the ciphertexts in our scheme are longer (by a multiplicative factor \(\log _2 3\)), the authors of [8] note that even if the size of the ciphertext space is increased beyond \(n+1\) bits in the Boldyreva et al. scheme, the security of their construction does not improve by any noticeable amount.
We then explain in Sect. 3.2 how to convert our ORE scheme into an OPE scheme, at the expense of longer ciphertexts. This is useful for applications where it is more convenient to have a numeric ciphertext space and for order relations to be computable without a “custom” comparison function. The transformation we describe is natural and does not reduce the security of the original ORE scheme. In particular, we note that the resulting OPE scheme does not behave like a random orderpreserving function (the ideal object from the POPFCCA security notion). Thus, the scheme is able to achieve stronger security than the Boldyreva et al. OPE scheme.
Comparison with Existing Schemes. First, we note in Sect. 2.3 that the security of any OPE scheme can be “augmented” by applying ORE encryption on top of OPE encryption. The resulting scheme is at least as secure as the underlying OPE scheme, and moreover, inherits the security properties of the ORE scheme. Hence, by composing our ORE construction with existing OPE constructions, we obtain ORE schemes that are at least as secure.
While composing an OPE scheme with an ORE scheme yields a scheme that is at least as secure as the underlying OPE scheme, we show that even without this composition, our basic ORE scheme still achieves stronger security guarantees according to the onewayness metrics introduced by Boldyreva et al. [8] for analyzing the leakage of random orderpreserving functions (and by extension, any OPE scheme that is POPFCCA secure). In our work, we introduce two generalized onewayness notions and show that under a uniform plaintext distribution,^{5} our basic ORE scheme achieves strictly stronger security compared to OPE schemes that are POPFCCA secure. Specifically, Boldyreva et al. [8] show that a random orderpreserving function leaks half of the mostsignificant bits of the messages with probability close to 1. In contrast, under the same settings, we can show that our basic ORE scheme will not leak any constant fraction of the message bits with overwhelming probability.
1.2 Related Work
In recent years, there have been numerous works on orderpreserving encryption and related notions [1, 7, 8, 35, 36, 38, 41, 42, 44, 47]. In this section, we survey some of these works.
Security Definitions. Though the POPFCCA security definition introduced by Boldyreva et al. [7] is similar in flavor to PRF security, it is not immediately evident what kind of information the output of a random orderpreserving function leaks about its input. In a followup work [8], Boldyreva et al. introduce several notions (based on definitions of onewayness [27] for oneway functions) to capture the information leakage in schemes that are POPFCCA secure. They show that a random orderpreserving function leaks at least half of the bits in each message.
Teranishi et al. [47] also introduce a stronger indistinguishabilitybased notion (stronger than the onewayness definitions from [8], but weaker than INDOCPA) for OPE schemes, as well as a construction that achieves these stronger notions. Notably, their definition ensures that under a uniform message distribution, any fraction of the loworder bits of the messages being encrypted are hidden.
Recently, Naveed et al. [40] analyzed the information leaked by orderpreserving encryption used in practical scenarios.
Modular OPE. Boldyreva et al. also introduced the notion of modular OPE as a possible extension of standard OPE [8]. In modular OPE, a modular shift is applied to each plaintext before applying OPE—so the scheme is not orderpreserving, but naturally supports “wraparound” range queries. Their modular OPE scheme adds an extra layer of security to vanilla OPE, but it is worth noting that leakage of a small amount of information (say, a single plaintextciphertext pair) reveals the shift value and nullifies this added security. Subsequently, Mavroforakis et al. [38] designed several protocols to avoid leaking the shift value while using modular OPE schemes in practice.
Mutable OPE. Popa et al. [42] introduced a related notion of a mutable orderpreserving encoding scheme which can be viewed as a twoparty protocol that allows a user to insert and store encrypted values in a database such that the database is able to perform comparisons and range queries on the encrypted values without learning anything more about the values. Their construction is interactive and leverages stateful encryption. By working in this setting, the authors are able to circumvent the Boldyreva et al. [7] lower bound for orderpreserving encryption and show that their scheme is INDOCPA secure.
In subsequent work, Kerschbaum and Schröpfer [36] improved on the communication complexity of the Popa et al. construction at the expense of increasing the amount of clientside state. Specifically, in their construction, the amount of persistent state the client has to maintain increases linearly in the number of elements inserted into the database. More recently, Kerschbaum [35] introduced a new notion of frequencyhiding OPE that introduces additional randomness to hide whether multiple ciphertexts encrypt the same value. Their notions provide a strictly stronger guarantee than INDOCPA.
Very recently, Roche et al. [44] introduced the notion of partial orderpreserving encodings, which optimizes for the setting where there are a huge number of insertion queries but only a moderate number of range queries. Their protocol improves upon the roundcomplexity for insertions compared to the Popa et al. protocol [42], and requires the client to maintain less state than the KerschbaumSchröpfer construction [36]. All of the schemes described here require stateful encryption and employ an interactive encryption procedure.
ORE. Orderrevealing encryption schemes, as introduced by Boneh et al. [9] provide another method of circumventing the Boldyreva et al. lower bound [7]. In an ORE scheme, the public comparison operation is not required to correspond to numerically comparing the ciphertexts, and in fact, the ciphertexts themselves need not be elements of a numeric, wellordered set. This type of relaxation was previously considered by Pandey and Rouselakis [41] in the context of propertypreserving encryption. In a propertypreserving encryption scheme, there is a publicly computable function that can be evaluated on ciphertexts to determine the value of some property on the underlying plaintexts. Orderrevealing encryption can thus be viewed as a propertypreserving encryption scheme for the comparison operation. Pandey and Rouselakis introduce and explore several indistinguishabilitybased notions of security for propertypreserving encryption; however, they do not construct an orderrevealing encryption scheme.
To the best of our knowledge, all existing ORE schemes that provide INDOCPA security either rely on very strong (and currently impractical) cryptographic primitives such as indistinguishability obfuscation [29] and cryptographic multilinear maps [9], or only achieve a weaker notion of security [3, 12] when instantiated with simple cryptographic primitives such as public key cryptography. For the constructions based on indistinguishability obfuscation or multilinear maps [9, 29], security of the ORE scheme is conditional on the conjectured security of cryptographic multilinear maps [2, 10, 20, 21, 23, 26, 37]^{6}. However, in the last few months, numerous attacks [11, 16, 17, 18, 19, 33, 39] on these multilinear maps have emerged, raising some doubts about the security of constructions that leverage them.
To avoid multilinear maps in favor of more wellstudied numbertheoretic or latticebased assumptions, one can apply arityamplification techniques [3, 12] to a singleinput functional encryption scheme based on simpler assumptions such as learning with errors [30] or semanticallysecure publickey encryption [32, 45]. However, due to limitations of the underlying functional encryption schemes, the resulting ORE scheme only provides “boundedmessage” security—that is, security only holds if there is an a priori (polynomial) bound on the maximum number of messages that will be encrypted. Moreover, the length of the ciphertexts in this scheme grows polynomially in the bound on the number of messages that will be encrypted. These constraints severely limit the practicality of the resulting ORE scheme. To obtain full semantic security, it would be necessary to apply the arityamplification transformation to a more powerful functional encryption scheme, but to date, the only known candidates of such schemes rely again on indistinguishability obfuscation [24] or multilinear maps [25].
Recently, Bun and Zhandry [13] investigated the connection between orderrevealing encryption and problems in learning theory.
Other schemes. Numerous ad hoc or heuristic orderpreserving encryption schemes [6, 34, 48] have been proposed in the literature, but most lack formal security analysis.
2 OrderRevealing Encryption
In this section, we establish and review some conventions that we use in this work, and also formally define our security notions for our encryption schemes.
Preliminaries. For \(n \in \mathbb {N}\), we write [n] to denote the set of integers \(\left\{ 1, \ldots , n\right\} \), and \(\mathbb {Z}_n\) to denote the additive group of integers modulo n. If \(\mathcal {P}(x)\) is a predicate on x, we write \({\mathbf {1}}(\mathcal {P}(x))\) to denote the indicator function for \(\mathcal {P}\): that is, \({\mathbf {1}}(\mathcal {P}(x)) = 1\) if and only if \(\mathcal {P}(x) = 1\), and 0 otherwise. If \(x,y \in \{0,1\}^*\) are bitstrings, we write \(x \Vert y\) to denote the concatenation of x and y. For a finite set S, we write \(\mathsf {Unif}(S)\) to denote the uniform distribution on S. We say a function \(f(\lambda )\) is negligible in a security parameter \(\lambda \) if \(f = o(1/\lambda ^c)\) for all \(c \in \mathbb {N}\). We write \(\mathrm {{negl}}(\lambda )\) to denote a negligible function in \(\lambda \) and \(\mathrm {{poly}}(\lambda )\) to denote a polynomial in \(\lambda \). We say an event occurs with negligible probability if the probability of the event is \(\mathrm {{negl}}(\lambda )\), and it occurs with overwhelming probability if the complement of the event occurs with negligible probability. Finally, we review the definition of a pseudorandom function (PRF) [28]. Let \(\mathsf {Funs}[\mathcal {D}, \mathcal {R}]\) denote the set of all functions from a domain \(\mathcal {D}\) to a range \(\mathcal {R}\). In this paper, we specialize the domain of our PRFs to \(\{0,1\}^n\).
Definition 2.1
2.1 OrderRevealing Encryption

\(\mathsf {ORE.Setup}(1^\lambda ) \rightarrow \mathsf {sk}\). On input a security parameter \(\lambda \), the setup algorithm \(\mathsf {ORE.Setup}\) outputs a secret key \(\mathsf {sk}\).

\(\mathsf {ORE.Encrypt}(\mathsf {sk}, m) \rightarrow \mathsf {ct}\). On input the secret key \(\mathsf {sk}\) and a message \(m \in \mathcal {D}\), the encrypt algorithm \(\mathsf {ORE.Encrypt}\) outputs a ciphertext \(\mathsf {ct}\).

\(\mathsf {ORE.Compare}(\mathsf {ct}_1, \mathsf {ct}_2) \rightarrow b\). On input two ciphertexts \(\mathsf {ct}_1\), \(\mathsf {ct}_2\), the compare algorithm \(\mathsf {ORE.Compare}\) outputs a bit \(b \in \{0,1\}\).
Remark 2.2
(Public Parameters). In general, the setup algorithm of an ORE scheme can also output public parameters \(\mathsf {pp}\) which are then passed as an additional input to the comparison algorithm, as is done in Boneh et al. [9]. However, none of our constructions require these public parameters, so we omit them in this work for simplicity.
Remark 2.3
(Support for Decryption). As described, our definition of an orderrevealing encryption scheme does not include a “decryption” function. However, this omission is without loss of generality. To decrypt a message, the holder of the secret key can use the secret key to encrypt messages of her choosing, apply the comparison algorithm, and perform binary search to recover the message. An alternative method that avoids the need for binary search is to augment each ORE encryption of a message m with an encryption of m under a CPAsecure symmetric encryption scheme. The secret key of the ORE scheme would also include the key for the symmetric encryption scheme. As long as the underlying encryption scheme is CPAsecure, including this additional ciphertext does not compromise security. For the remainder of this work, we use the schema described above that does not explicitly specify a decryption function.
Security. We now give our simulationbased notion of security for an ORE scheme. As described in Sect. 1.1, our security definition is parameterized by a leakage function \(\mathcal {L}\), which exactly specifies what is leaked by an ORE scheme.
Definition 2.4
We say that \(\varPi _\mathsf{ore}\) is a secure ORE scheme with leakage function \(\mathcal {L}(\cdot )\) if for all polynomialsize adversaries \(\mathcal {A}= (\mathcal {A}_1, \ldots , \mathcal {A}_q)\) where \(q = \mathrm {{poly}}(\lambda )\), there exists a polynomialsize simulator \(\mathcal {S}= (\mathcal {S}_0, \mathcal {S}_1, \ldots , \mathcal {S}_q)\) such that the outputs of the two distributions \(\mathsf {REAL}^{\textsc {ore}}_{\mathcal {A}}(\lambda )\) and \(\mathsf {SIM}^{\textsc {ore}}_{\mathcal {A}, \mathcal {S}, \mathcal {L}}(\lambda )\) are computationally indistinguishable.
Remark 2.5
2.2 OrderPreserving Encryption (OPE)

\(\mathsf {ORE.Setup}(1^\lambda ) \rightarrow \mathsf {sk}\). On input a security parameter \(\lambda \), the setup algorithm \(\mathsf {ORE.Setup}\) outputs a secret key \(\mathsf{sk}\).

\(\mathsf {ORE.Encrypt}(\mathsf {sk}, m) \rightarrow \mathsf {ct}\). On input the secret key \(\mathsf{sk}\) and a message \(m \in \mathcal {D}\), the encrypt algorithm \(\mathsf{OPE.Encrypt}\) outputs a ciphertext \(\mathsf{ct}\in \mathcal {R}\).
2.3 Composing OPE with ORE

\(\mathsf{ORE.Setup}({1^{\lambda }})\). The setup algorithm runs \({\mathsf {sk}}_{1} \leftarrow {\mathsf{OPE.Setup}}({{1}^{\lambda }})\) and \({\mathsf {sk}}_{2} \leftarrow \mathsf{ORE^{in}.Setup}({1}^{\lambda })\). The secret key is \({\mathsf {sk}} = ({\mathsf {sk}}_{1}, {\mathsf {sk}}_{2})\).

\(\mathsf{ORE.Encrypt}({\mathsf {sk}}, \mathsf{{m}})\). The encryption algorithm outputs \(\mathsf{ORE^{in}.Encrypt}({\mathsf {sk}_{2}}, {\mathsf{OPE.Encrypt}}({\mathsf {sk}}_{1}, \mathsf{{m}}))\).

\(\mathsf{ORE.Compare}({\mathsf {ct}_{1}}, {\mathsf {ct}_{2}})\). The compare algorithm computes and outputs the value \(\mathsf{ORE^{in}.Compare}({\mathsf {ct}_{1}}, {\mathsf {ct}_{2}})\).
Correctness of \(\varPi _\mathsf{ore}\) follows immediately from the correctness of \(\varPi ^\mathsf{in}_\mathsf{ore}\) and \(\varPi _\mathsf{ope}\). Furthermore, we note that under our simulationbased definition of security, the composed scheme \(\varPi _\mathsf{ore}\) is at least as secure as \(\varPi _\mathsf{ope}\). This intuition is formalized in the following remark, whose proof follows immediately by construction.
Remark 2.6
(Security of Composed Scheme). For any leakage function \(\mathcal {L}(\cdot )\), if the OPE scheme \(\varPi _\mathsf{ope}\) is secure with leakage function \(\mathcal {L}(\cdot )\), then the ORE scheme \(\varPi _\mathsf{ore}\) is also secure with leakage function \(\mathcal {L}(\cdot )\).
3 Main Construction

\(\mathsf {ORE.Setup}(1^\lambda )\). The setup algorithm chooses a uniformly random PRF key k for F. The secret key is \(\mathsf {sk}= k\).
 \(\mathsf {ORE.Encrypt}(\mathsf {sk}, m)\). Let \(b_1 \cdots b_n\) be the binary representation of m and let \(\mathsf {sk}= k\). For each \(i \in [n]\), the encryption algorithm computesand outputs the tuple \((u_1, u_2 \ldots , u_n)\).$$ u_i = F(k, (i, b_1 b_2 \cdots b_{i  1} \Vert 0^{ni})) + b_i \pmod {M}, $$
 \(\mathsf {ORE.Compare}(\mathsf {ct}_1, \mathsf {ct}_2)\). The compare algorithm first parseswhere \(u_1, \ldots , u_n, u_1', \ldots , u_n' \in \mathbb {Z}_M\). Let i be the smallest index where \(u_i \ne u_i'\). If no such index exists, output 0. If such an index exists, output 1 if \(u_i' = u_i + 1 \pmod {M}\), and 0 otherwise.$$\begin{aligned} \mathsf{ct}_1&= (u_1, u_2, \ldots , u_n) \\ \mathsf{ct}_2&= (u_1', u_2', \ldots , u_n), \end{aligned}$$
3.1 Correctness and Security
We now show that the above ORE scheme \(\varPi _\mathsf{ore}\) is correct and secure against the leakage function \(\mathcal {L}_{\mathsf {f}}\) from Eq. (3.1). We give the proof of the following theorem in the full version of this paper [15].
Theorem 3.1
The ORE scheme \(\varPi _\mathsf{ore}\) is correct.
Next, we state and prove the security theorem for \(\varPi _\mathsf{ore}\).
Theorem 3.2
The orderrevealing encryption scheme \(\varPi _\mathsf{ore}\) is secure with respect to leakage function \(\mathcal {L}_{\mathsf {f}}\) (Definition 2.4) under the PRF security of F.
Proof
Fix a security parameter \(\lambda \) and let \(\mathcal {A}= (\mathcal {A}_1, \ldots , \mathcal {A}_q)\) where \(q = \mathrm {{poly}}(\lambda )\) be an efficient adversary for the ORE security game (Definition 2.4). To prove security, we give an efficient simulator \(\mathcal {S}= (\mathcal {S}_0, \ldots , \mathcal {S}_q)\) for which the outputs of the distributions \(\mathsf {REAL}^{\textsc {ore}}_{\mathcal {A}}(\lambda )\) and \(\mathsf {SIM}^{\textsc {ore}}_{\mathcal {A}, \mathcal {S}, \mathcal {L}_{\mathsf {f}}}(\lambda )\) are computationally indistinguishable.

Hybrid \(\mathsf {H}_0\): This is the real experiment \(\mathsf {REAL}^{\textsc {ore}}_{\mathcal {A}}(\lambda )\).

Hybrid \(\mathsf {H}_1\): Same as \(\mathsf {H}_0\), except during \(\mathsf {ORE.Setup}\), a random function \(f \xleftarrow {\textsc {r}}\mathsf {Funs}[([n] \times \{0,1\}^{n1}), \mathbb {Z}_M]\) is chosen. In all invocations of \(\mathsf {ORE.Encrypt}\), the function \(F(k, \cdot )\) is replaced by \(f(\cdot )\).
Hybrids \(\mathsf {H}_0\) and \(\mathsf {H}_1\) are computationally indistinguishable under the PRF security of F. Thus, it suffices to show that there exists a simulator \(\mathcal {S}\) such that the distribution of outputs in \(\mathsf {H}_1\) is computationally indistinguishable from \(\mathsf {SIM}^{\textsc {ore}}_{\mathcal {A}, \mathcal {S}, \mathcal {L}_{\mathsf {f}}}(\lambda )\).

Case 1: There exists a \(j \in [t1]\) such that \(\mathsf{ind_{diff}}(m_j, m_t) > s\). If there are multiple j for which \(\mathsf{ind_{diff}}(m_j, m_t) > s\), let j be the smallest one. Then, the simulator sets \(\overline{u}_s= \mathsf {L}(j, s)\).

Case 2: For each \(\ell \in [t1]\), \(\mathsf{ind_{diff}}(m_\ell , m_t) \le s\), and there exists a \(j \in [t1]\) for which \(\mathsf{ind_{diff}}(m_j, m_t) = s\). If there are multiple j for which \(\mathsf{ind_{diff}}(m_j, m_t) = s\), let j be the smallest one. Then, the simulator sets \(\overline{u}_s= \mathsf {L}(j, s)  (1  2 \cdot {\mathbf {1}}(m_j < m_t)) \pmod {M}.\)

Case 3: For each \(\ell \in [t1]\), \(\mathsf{ind_{diff}}(m_\ell , m_t) < s\). In this case, the simulator samples \(y \xleftarrow {\textsc {r}}\mathbb {Z}_M\) and sets \(\overline{u}_s= y\).
For each \(s\in [n]\), the simulator adds the mapping \((t, s) \mapsto \overline{u}_s\) to \(\mathsf {L}\). Finally, the simulator \(\mathcal {S}_t\) outputs the ciphertext \(\overline{\mathsf{ct}}_t= (\overline{u}_1, \overline{u}_2, \ldots , \overline{u}_n)\) and the updated state \({\mathsf {st}_{\mathcal {S}}} = \mathsf {L}\). This completes the description of the simulator \(\mathcal {S}\).
Correctness of the Simulation. We show that the simulator \(\mathcal {S}= (\mathcal {S}_0, \ldots , \mathcal {S}_q)\) perfectly simulates the distribution in hybrid \(\mathsf {H}_2\). Let \((\mathsf{ct}_1, \ldots , \mathsf{ct}_q)\) be the joint distribution of the ciphertexts output in hybrid \(\mathsf {H}_2\), and let \((\overline{\mathsf{ct}}_1, \ldots , \overline{\mathsf{ct}}_q)\) be the joint distribution of the ciphertexts output by the simulator. We proceed inductively in the number of queries q. The base case (\(q = 0\)) follows trivially.
 Case 1: There exists a \(j \in [t1]\) such that \(\mathsf{ind_{diff}}(m_j, m_t) > s\). If there are multiple j for which \(\mathsf{ind_{diff}}(m_j, m_t) > s\), let j be the smallest one. This means that \(m_j\) and \(m_t\) share a prefix of length at least \(s\). Let \(p \in \{0,1\}^{s 1}\) be the first \(s 1\) bits of this common prefix. Then, in hybrid \(\mathsf {H}_1\), we haveIn the simulation, \(\overline{u}_{t,s} = \mathsf {L}(j, s) = \overline{u}_{j,s}\). Since \(j < t\), we conclude from the induction hypothesis that \(u_{t,s}\) and \(\overline{u}_{t,s}\) are identically distributed.$$\begin{aligned} u_{t,s} = f(s, p \Vert 0^{n  s}) + b_{t,s}= u_{j,s}. \end{aligned}$$
 Case 2: For each \(\ell \in [t1]\), \(\mathsf{ind_{diff}}(m_\ell , m_t) \le s\), and there exists a \(j \in [t1]\) such that \(\mathsf{ind_{diff}}(m_j, m_t) = s\). If there are multiple j for which \(\mathsf{ind_{diff}}(m_j, m_t) = s\), let j be the smallest one. This means that \(m_j\) and \(m_t\) share a prefix \(p \in \{0,1\}^{s 1}\) of length \(s 1\). Then, in hybrid \(\mathsf {H}_1\), we haveIn the simulation,$$\begin{aligned} u_{t,s} = f(s, p \Vert 0^{n  s}) + b_{t,s} \pmod {M}. \end{aligned}$$In hybrid \(\mathsf {H}_2\), \(u_{j,s} = f(s, p \Vert 0^{ns}) + b_{j,s}\). By assumption, \(b_{j,s} \ne b_{t,s}\), so we can write \(b_{t,s} = b_{j,s}  (1  2 \cdot {\mathbf {1}}(m_j < m_t))\). Thus, in hybrid \(\mathsf {H}_2\), we have$$\overline{u}_{t,s} = \mathsf {L}(j, s)  (1  2 \cdot {\mathbf {1}}(m_j< m_t)) = \overline{u}_{j,s}  (1  2 \cdot {\mathbf {1}}(m_j < m_t)) \pmod {M}. $$By the inductive hypothesis, \(u_{j,s}\) and \(\overline{u}_{j,s}\) are identically distributed, so we conclude that \(u_{t,s}\) and \(\overline{u}_{t,s}\) are identically distributed.$$ u_{t,s} = f(s, p \Vert 0^{n  s+ 1}) + b_{t,s} = u_{j,s}  (1  2 \cdot {\mathbf {1}}(m_j < m_t)) \pmod {M}. $$
 Case 3: For each \(\ell \in [t1]\), \(\mathsf{ind_{diff}}(m_\ell , m_t) < s\). Let \(p \in \{0,1\}^{s1}\) be the first \(s  1\) bits of \(m_t\). In hybrid \(\mathsf {H}_1\), we havewhile in the simulation \(\overline{u}_{t,s}\) is a uniformly random string. By assumption, none of the messages \(m_1, \ldots , m_{t 1}\) begin with the prefix p. Since f is a truly random function, the value of \(f(s, p \Vert 0^{n  s})\) is uniform in \(\mathbb {Z}_M\) and independent of all other ciphertexts. Thus, \(u_{t,s}\) and \(\overline{u}_{t,s}\) are identically distributed.$$ u_{t,s} = f(s, p \Vert 0^{n  s}) + b_{t,s} \pmod {M}, $$
We conclude that for all \(s\in [n]\), \(u_{t,s} \equiv \overline{u}_{t,s}\). Since the components of each ciphertext are constructed independently in both hybrid \(\mathsf {H}_1\) and in the simulation, this suffices to show that \(\mathsf{ct}_t\) and \(\overline{\mathsf{ct}}_t\) are identically distributed. The claim then follows by induction on \(t\). \(\square \)
Space usage. The orderrevealing encryption scheme \(\varPi _\mathsf{ore}\) on nbit inputs produces encryptions of size \(\lceil n \cdot \log _2 M\rceil \). By setting \(M= 3\), an encryption of an nbit message under \(\varPi _\mathsf{ore}\) consists of only \(\lceil n \cdot \log _2 3 \rceil \approx 1.59 \, n\) bits. In the full version, we describe a “dary” generalization of \(\varPi _\mathsf{ore}\) that further reduces the size of the ciphertexts in the ORE scheme, but with a slight loss in security. Specifically, we construct an ORE scheme where an encryption of an nbit message has length approximately \(n \cdot \log _d (2d1)\) for any integer \(d \ge 2\). Since \(\log _d (2d1)\) is a monotonically decreasing function in d, larger values of d yield shorter ciphertexts, but increased leakage.
3.2 Conversion to OPE
In this section, we explain how to convert \(\varPi _\mathsf{ore}\), an ORE scheme, into an OPE scheme. This means that ciphertexts of the resulting OPE scheme can be compared using the normal comparison function on numbers. To do this, we apply a simple transformation of any ciphertext \(\mathsf{ct}\) of \(\varPi _\mathsf{ore}\) into a number c that lies in the range \([0, M^n  1]\) for which direct numeric comparisons of two numbers \(c_1\) and \(c_2\) reveal the order relation of the underlying plaintexts.
Security of the resulting OPE scheme follows identically from security of \(\varPi _\mathsf{ore}\), as the transformation from ciphertexts \(\mathsf{ct}\) to numbers c is bijective. We note that while this scheme is orderpreserving, it does not behave like a random orderpreserving function, and thus, does not inherit the security limitations associated with such OPE schemes [8]. In fact, our simulationbased security model and associated security theorem (Theorem 3.1) enables us to precisely specify the information leakage in this orderpreserving encryption scheme.
In the full version, we describe a “dary” generalization of \(\varPi _\mathsf{ore}\). While this generalization does not reduce the size of the resulting ciphertexts in the ORE scheme, it does yield shorter ciphertexts in the OPE instantiation (by approximately a \(\log _2 d\) multiplicative factor), with a slight loss in security. Correctness in this generalized scheme holds with probability \( 1  d / M\).
4 Comparison to Existing OPE Schemes
We now compare the leakage of our orderrevealing encryption scheme to that of existing orderpreserving encryption schemes by Boldyreva et al. [7, 8]. As explained in Sect. 2.3, composing any existing OPE scheme with an ORE scheme results in a new ORE scheme which is at least as secure as the underlying OPE scheme^{8}. In this section, we show that even without the composition, our construction still achieves stronger security according to the metrics proposed by Boldyreva et al.
The security definition achieved by an orderpreserving encryption scheme is that the encryption function behaves like a random orderpreserving function (ROPF) from the plaintext space to the ciphertext space. While this definition has the same flavor as that for PRFs, the behavior of a truly random function is very different from that of a random orderpreserving function. In particular, the output of an orderpreserving function is not independent of its input, and thus, reveals some information about the input. It turns out that quantifying the exact information leakage is a nontrivial task in general. However, under certain assumptions (for example, if the messages are drawn from a uniform distribution), it is possible to obtain concrete upper bounds on the information leakage [8]. In particular, Boldyreva et al. propose two security notions, window onewayness and window distance onewayness, to analyze the security of an OPE scheme. In our setting, the nature of our security definition allows us to analyze the construction under a more generalized set of definitions compared to [8]. We present our analysis for window onewayness here, and defer the analysis of window distance onewayness to the full version.
4.1 OneWayness
One of the most basic requirements of an encryption scheme is that it is oneway. Given a ciphertext, an adversary that does not have the secret key should not be able to recover the underlying message. In the standard definition of onewayness [27], the adversary is given the encryption of a random message, and its goal is to guess the message. This is a very weak notion of security, and even if an encryption is oneway, the adversary might still be able to deduce nontrivial information about the message given only the ciphertext. To address this, Boldyreva et al. [7] introduce a more general notion of onewayness where the adversary is allowed to guess a contiguous interval (a window) in the onewayness challenge. The adversary succeeds if the message is contained within the interval. Moreover, the adversary is given multiple encryptions (of random messages) and succeeds if it outputs an interval that contains at least one of the messages.
The notion of window onewayness is useful for arguing that an adversary does not learn many of the most significant bits of the message, but if all bits of the message are equally sensitive, then this definition is less useful. In our work, we present a more general definition of onewayness, where instead of outputting an interval, the adversary is allowed to specify a set of guesses. To allow the adversary to specify a superpolynomiallysized set of guesses, we instead require the adversary to submit a circuit C that encodes its set (\(C(x) = 1\) if and only if x is in the set). By requiring that the circuit encodes a contiguous interval, we recover the window onewayness definition by Boldyreva et al. [8]. We now give our generalized definition.
Definition 4.1
Remark 4.2
(Comparison with Existing OneWayness Notions). By restricting the parameters (r, z) and the classes of circuits the adversary is allowed to output, Definition 4.1 captures many existing notions of onewayness. For example, when \(r = z = 1\), we recover the usual notion of onewayness [27]. When the underlying plaintext space is the ring \(\mathbb {Z}_M\) for some integer M and we require that the circuit output by the adversary encodes a contiguous interval of length at most r in \(\mathbb {Z}_M\), our definition corresponds to the notion of window onewayness introduced by Boldyreva et al. [8].
We now state our security theorem, but defer the proof to the full version.
Theorem 4.3
Comparison to existing schemes. When discussing the notion of onewayness, we will always assume that the messagespace is superpolynomial in the security parameter. Otherwise, the trivial adversary that just guesses a random point in the message space will succeed with nonnegligible probability.
In [8], Boldyreva et al. give an upper bound on the onewayness advantage of any (possibly computationally unbounded) adversary \(\mathcal {A}\) against a random orderpreserving function ROPF. This corresponds to setting \(r = 1\) in our definition. They show [8, Theorem 4.1] that for \(z = \mathrm {{poly}}(\lambda )\), \(\mathsf {Adv}^{\mathsf {gow}}_{1, z, \mathsf {ROPF}, \mathcal {A}} = \mathrm {{negl}}(\lambda )\). The same statement holds for our ORE construction assuming a computationally bounded adversary: simply instantiate Theorem 4.3 with \(\varepsilon = 1\).
In addition to giving an upper bound on an adversary’s ability to guess the plaintext from the ciphertext, Boldyreva et al. also give a lower bound on the advantage for the case when r is large. In particular, they exhibit an efficient adversary \(\mathcal {A}\) against an ROPF such that \(\mathsf {Adv}^{\mathsf {gow}}_{r, z, \mathsf {ROPF}, \mathcal {A}}(1^\lambda ) = 1  2e^{b^2/2}\) for a constant b when \(r = O(\sqrt{2^n})\) and for any z [8, Theorem 4.2]^{9}. In other words, the authors describe a concrete adversary that is able to break the generalized onewayness of any POPFCCAsecure scheme (with probability close to 1) if the adversary is allowed to specify a set with \(r = O(\sqrt{2^n})\) elements, even when \(z = 1\). An intuitive way to understand this result is that given the output of an ROPF, an adversary can deduce roughly half of the bits of the associated input. In contrast, in our ORE scheme, if the adversary only sees a polynomial number of ciphertexts (\(z = \mathrm {{poly}}(\lambda )\)), then invoking Theorem 4.3 with \(\varepsilon = 1/2\), we have that for all efficient adversaries \(\mathcal {A}\), \(\mathsf {Adv}^{\mathsf {gow}}_{r, z, \varPi _\mathsf{ore}, \mathcal {A}}(1^\lambda ) = \mathrm {{negl}}(\lambda )\) where \(r = \sqrt{2^n}\). In fact, as Theorem 4.3 demonstrates, the adversary’s advantage remains negligible even if we further increase the size of the sets the adversary is allowed to submit.
Intuitively, our results show that if the adversary only sees a polynomial number of ciphertexts, then it does not learn any constant fraction \(\varepsilon \) of the bits in the underlying plaintext from each ciphertext. In contrast, with an ROPF, and correspondingly, any OPE scheme that realizes a ROPF, each ciphertext alone leaks half of the mostsignificant bits of the underlying plaintext.
Similarly, while the OPE scheme by Teranishi et al. [47] can be shown to hide any constant fraction of the least significant bits of the plaintext, no such guarantee exists for the other bits of the plaintext. Note though that the security notion proposed in [47] is indistinguishabilitybased and hence, stronger than the onewayness security notions. In fact, our basic ORE construction (by itself) does not achieve their indistinguishabilitybased definition. However, by composing our ORE construction with their OPE construction, we obtain a resulting ORE scheme which is strictly more secure, since it inherits the security properties of the underlying OPE scheme as well as semantic security for a single ciphertext (Sect. 2.3, Remark 2.6).
5 Conclusions
 1.
Can we construct a practical ORE scheme with stronger security guarantees?
 2.
Can we reduce the ciphertext length of our ORE scheme while still maintaining a similar level of security?
 3.
Is it possible to build a practical ORE scheme with bestpossible security from standard assumptions?
Footnotes
 1.
This definition is inspired by the similar definition for PRF security [28], which compares the output of a keyed function to that of a truly random function.
 2.
This application was also observed and independently achieved by Goldwasser et al. [29] using indistinguishability obfuscation.
 3.
 4.
Either \(u_i + 1 = u_i' \pmod {3}\), in which case \(m < m'\), or \(u_i  1 = u_i' \pmod {3}\), in which case \(m > m'\).
 5.
This is the only distribution for which we have concrete analysis of the leakage in any POPFCCA secure scheme.
 6.
 7.
If no reduction modulo \(M\) occurs in the \(\mathsf {ORE.Encrypt}\) encryption, then numerically comparing the transformed ciphertexts is identical to evaluating the \(\mathsf {ORE.Compare}\) procedure (since all relations hold over the integers).
 8.
In most cases, the security of the composed scheme is strictly greater than that of the base OPE scheme since our ORE construction provides semantic security for a single ciphertext, whereas existing OPE schemes generally do not.
 9.
Strictly speaking, the adversary they describe is for the window onewayness experiment, but any adversary that succeeds in the window onewayness experiment also succeeds in the generalized onewayness experiment (Definition 4.1).
Notes
Acknowledgments
We would like to thank Sam Kim for helpful discussions about ORE, and Adam O’Neill for useful insights in shrinking the ciphertext size of our main construction. We also thank the anonymous reviewers for their helpful comments. This work was partially supported by an NSF Graduate Research Fellowship. Opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of Facebook.
References
 1.Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: Orderpreserving encryption for numeric data. In: SIGMOD, pp. 563–574 (2004)Google Scholar
 2.Albrecht, M.R., Farshim, P., Hofheinz, D., Larraia, E., Paterson, K.G.: Multilinear maps from obfuscation. In: TCC (2016)Google Scholar
 3.Ananth, P., Jain, A.: Indistinguishability obfuscation from compact functional encryption. In: CRYPTO, pp. 308–326 (2015)Google Scholar
 4.Applebaum, B., Brakerski, Z.: Obfuscating circuits via compositeorder graded encoding. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 528–556. Springer, Heidelberg (2015)CrossRefGoogle Scholar
 5.Barak, B., Garg, S., Kalai, Y.T., Paneth, O., Sahai, A.: Protecting obfuscation against algebraic attacks. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 221–238. Springer, Heidelberg (2014)CrossRefGoogle Scholar
 6.Binnig, C., Hildenbrand, S., Färber, F.: Dictionarybased orderpreserving string compression for main memory column stores. In: ACM SIGMOD, pp. 283–296 (2009)Google Scholar
 7.Boldyreva, A., Chenette, N., Lee, Y., O’Neill, A.: Orderpreserving symmetric encryption. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 224–241. Springer, Heidelberg (2009)CrossRefGoogle Scholar
 8.Boldyreva, A., Chenette, N., O’Neill, A.: Orderpreserving encryption revisited: improved security analysis and alternative solutions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 578–595. Springer, Heidelberg (2011)CrossRefGoogle Scholar
 9.Boneh, D., Lewi, K., Raykova, M., Sahai, A., Zhandry, M., Zimmerman, J.: Semantically secure orderrevealing encryption: multiinput functional encryption without obfuscation. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 563–594. Springer, Heidelberg (2015)Google Scholar
 10.Boneh, D., Silverberg, A.: Applications of multilinear forms to cryptography. Contemp. Math. 324(1), 71–90 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
 11.Boneh, D., Wu, D.J., Zimmerman, J.: Immunizing multilinear maps against zeroizing attacks. In: IACR Cryptology ePrint Archive 2014/930 (2014)Google Scholar
 12.Brakerski, Z., Komargodski, I., Segev, G.: From singleinput to multiinput functional encryption in the privatekey setting. In: IACR Cryptology ePrint Archive 2015/158 (2015)Google Scholar
 13.Bun, M., Zhandry, M.: Orderrevealing encryption and the hardness of private learning. In: IACR Cryptology ePrint Archive 2015/417 (2015)Google Scholar
 14.Chang, Y.C., Mitzenmacher, M.: Privacy preserving keyword searches on remote encrypted data. In: Ioannidis, J., Keromytis, A.D., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 442–455. Springer, Heidelberg (2005)CrossRefGoogle Scholar
 15.Chenette, N., Lewi, K., Weis, S.A., Wu, D.J.: Practical orderrevealing encryption with limited leakage. In: IACR Cryptology ePrint Archive 2015/1125 (2015)Google Scholar
 16.Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 3–12. Springer, Heidelberg (2015)Google Scholar
 17.Cheon, J.H., Lee, C., Ryu, H.: Cryptanalysis of the new CLT multilinear maps. In: IACR Cryptology ePrint Archive (2011) Observation of strains: 934 (2015)Google Scholar
 18.Coron, J.S.: Cryptanalysis of GGH15 multilinear maps (2015)Google Scholar
 19.Coron, J.S., Gentry, C., Halevi, S., Lepoint, T., Maji, H.K., Miles, E., Raykova, M., Sahai, A., Tibouchi, M.: Zeroizing without lowlevel zeroes: new MMAP attacks and their limitations. In: CRYPTO, pp. 247–266 (2015)Google Scholar
 20.Coron, J.S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 21.Coron, J.S., de Lepoint, T., Tibouchi, M.: New multilinear maps over the integers. In: CRYPTO, pp. 267–286 (2015)Google Scholar
 22.Curtmola, R., Garay, J.A., Kamara, S., Ostrovsky, R.: Searchable symmetric encryption: improved definitions and efficient constructions. In: ACM CCS, pp. 79–88 (2006)Google Scholar
 23.Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013)CrossRefGoogle Scholar
 24.Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS, pp. 40–49 (2013)Google Scholar
 25.Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Fully secure functional encryption without obfuscation. In: IACR Cryptology ePrint Archive 2014/666 (2014)Google Scholar
 26.Gentry, C., Gorbunov, S., Halevi, S.: Graphinduced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part II. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015)CrossRefGoogle Scholar
 27.Goldreich, O.: The Foundations of Cryptography  Volume 1, Basic Techniques. Cambridge University Press, Cambridge (2001)CrossRefzbMATHGoogle Scholar
 28.Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: FOCS, pp. 464–479 (1984)Google Scholar
 29.Goldwasser, S., et al.: Multiinput functional encryption. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 578–602. Springer, Heidelberg (2014)CrossRefGoogle Scholar
 30.Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: STOC, pp. 555–564 (2013)Google Scholar
 31.Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)MathSciNetCrossRefzbMATHGoogle Scholar
 32.Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multiparty computation. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 33.Hu, Y., Huiwen, J.: Cryptanalysis of GGH map. In: IACR Cryptology ePrint Archive 2015/301 (2015)Google Scholar
 34.Kadhem, H., Amagasa, T., Kitagawa, H.: A secure and efficient order preserving encryption scheme for relational databases. In: KMIS, pp. 25–35 (2010)Google Scholar
 35.Kerschbaum, F.: Frequencyhiding orderpreserving encryption. In: ACM CCS, pp. 656–667 (2015)Google Scholar
 36.Kerschbaum, F., Schröpfer, A.: Optimal averagecomplexity idealsecurity orderpreserving encryption. In: ACM CCS, pp. 275–286 (2014)Google Scholar
 37.Langlois, A., Stehlé, D., Steinfeld, R.: GGHLite: more efficient multilinear maps from ideal lattices. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 239–256. Springer, Heidelberg (2014)CrossRefGoogle Scholar
 38.Mavroforakis, C., Chenette, N., O’Neill, A., Kollios, G., Canetti, R.: Modular orderpreserving encryption, revisited. In: ACM SIGMOD, pp. 763–777 (2015)Google Scholar
 39.Minaud, B., Fouque, P.A.: Cryptanalysis of the new multilinear map over the integers. In: IACR Cryptology ePrint Archive 2015/941 (2015)Google Scholar
 40.Naveed, M., Kamara, S., Wright, C.V.: Inference attacks on propertypreserving encrypted databases. In: CCS (2015)Google Scholar
 41.Pandey, O., Rouselakis, Y.: Property preserving symmetric encryption. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 375–391. Springer, Heidelberg (2012)CrossRefGoogle Scholar
 42.Popa, R.A., Li, F.H., Zeldovich, N.: An idealsecurity protocol for orderpreserving encoding. In: IEEE Symposium on Security and Privacy, pp. 463–477 (2013)Google Scholar
 43.Popa, R.A., Redfield, C.M.S., Zeldovich, N., Balakrishnan, H.: Cryptdb: protecting confidentiality with encrypted query processing. In: SOSP, pp. 85–100 (2011)Google Scholar
 44.Roche, D., Apon, D., Choi, S.G., Yerukhimovich, A.: POPE: Partial orderpreserving encoding. In: Cryptology ePrint Archive, Report 2015/1106 (2015)Google Scholar
 45.Sahai, A., Seyalioglu, H.: Worryfree encryption: functional encryption with public keys. In: ACM CCS, pp. 463–472 (2010)Google Scholar
 46.Skyhigh Networks Inc. https://www.skyhighnetworks.com/. Accessed 11 Dec 2015
 47.Teranishi, I., Yung, M., Malkin, T.: Orderpreserving encryption secure beyond onewayness. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 42–61. Springer, Heidelberg (2014)Google Scholar
 48.Xiao, L., Yen, IL., Huynh, D.T.: Extending order preserving encryption for multiuser systems. In: IACR Cryptology ePrint Archive, (2011) Observation of strains: 192 (2012)Google Scholar
 49.Zimmerman, J.: How to obfuscate programs directly. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 439–467. Springer, Heidelberg (2015)Google Scholar