## Abstract

Order-revealing encryption (ORE) is a cryptographic primitive that enables ciphertext comparison while leaking nothing about the underlying plaintext beyond their lexicographic ordering. However, how to achieve efficient and secure ciphertext comparison for multi-user settings is still a challenging problem. In this work, we propose an efficient multi-client order-revealing encryption scheme (named m-ORE) by introducing a new token-based comparison method. Specifically, data owner is enabled to delegate token generation ability to some authorized users without revealing his secret key, and then each authorized user can perform comparison on ciphertexts from multiple data owners by generating the associated comparison tokens. Benefiting from our new method, m-ORE can not only reduce ciphertext size but also improve comparison efficiency, compared with the state-of-the-art (Cash et al. Asiacrypt 2018). Further, we present a non-interactive multi-client range query scheme by extending m-ORE. Finally, we show a formal security analysis and implement our scheme. The evaluation result demonstrates that m-ORE outperforms the scheme by Cash et al. in terms of both query and storage cost while achieving the same level of security.

### Keywords

- Order-revealing encryption
- Property-presering hash
- Range query
- Multi-client searchable encryption

This is a preview of subscription content, access via your institution.

## Buying options

## References

OpenSSL: Cryptography and SSL/TLS toolkit. https://www.openssl.org/

Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: Order preserving encryption for numeric data. In: Proceedings of the 2004 ACM SIGMOD International Conference on Management of Data, SIGMOD 2004, pp. 563–574 (2004)

Boldyreva, A., Chenette, N., Lee, Y., O’Neill, A.: Order-preserving symmetric encryption. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 224–241. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_13

Boldyreva, A., Chenette, N., O’Neill, A.: Order-preserving encryption revisited: improved security analysis and alternative solutions. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 578–595. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_33

Boneh, D., Lewi, K., Raykova, M., Sahai, A., Zhandry, M., Zimmerman, J.: Semantically secure order-revealing encryption: multi-input functional encryption without obfuscation. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 563–594. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_19

Cash, D., Grubbs, P., Perry, J., Ristenpart, T.: Leakage-abuse attacks against searchable encryption. In: Ray, I., Li, N., Kruegel, C. (eds.) Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, pp. 668–679. ACM (2015)

Cash, D., Liu, F.-H., O’Neill, A., Zhandry, M., Zhang, C.: Parameter-hiding order revealing encryption. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 181–210. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03326-2_7

Chenette, N., Lewi, K., Weis, S.A., Wu, D.J.: Practical order-revealing encryption with limited leakage. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 474–493. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-52993-5_24

Durak, F.B., DuBuisson, T.M., Cash, D.: What else is revealed by order-revealing encryption? In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 1155–1166 (2016)

Dyer, J., Dyer, M., Djemame, K.: Order-preserving encryption using approximate common divisors. J. Inform. Secur. Appl.

**49**, 102391 (2019)Eom, J., Lee, D.H., Lee, K.: Multi-client order-revealing encryption. IEEE Access

**6**, 45458–45472 (2018)Granlund, T., the GMP development team: GNU MP: the GNU multiple precision arithmetic library. https://gmplib.org/

Grubbs, P., Sekniqi, K., Bindschaedler, V., Naveed, M., Ristenpart, T.: Leakage-abuse attacks against order-revealing encryption. In: Proceedings of the 2017 IEEE Symposium on Security and Privacy, S&P 2017, pp. 655–672. IEEE (2017)

Kerschbaum, F.: Frequency-hiding order-preserving encryption. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, pp. 656–667 (2015)

Kerschbaum, F., Schröpfer, A.: Optimal average-complexity ideal-security order-preserving encryption. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS 2014, pp. 275–286 (2014)

Lewi, K., Wu, D.J.: Order-revealing encryption: new constructions, applications, and lower bounds. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 1167–1178 (2016)

Li, Y., Wang, H., Zhao, Y.: Delegatable order-revealing encryption. In: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, AsiaCCS 2019, pp. 134–147 (2019)

Lynn, B., other contributors: The pairing-based cryptography library. https://crypto.stanford.edu/pbc/

Naveed, M., Kamara, S., Wright, C.V.: Inference attacks on property-preserving encrypted databases. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015, pp. 644–655 (2015)

Popa, R.A., Li, F.H., Zeldovich, N.: An ideal-security protocol for order-preserving encoding. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy, S&P 2013, pp. 463–477. IEEE (2013)

Roche, D.S., Apon, D., Choi, S.G., Yerukhimovich, A.: POPE: partial order preserving encoding. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 1131–1142 (2016)

Tang, Q.: Nothing is for free: security in searching shared and encrypted data. IEEE Trans. Inf. Forensics Secur.

**9**(11), 1943–1952 (2014)

## Acknowledgments

This work was supported by the National Natural Science Foundation of China (Nos. 62072357 and 61960206014), the Preferential Funding for Scientific and Technological Activities of Overseas Students in Shaanxi Province (No. 2019-25), the Fundamental Research Funds for the Central Universities (No. JB211503), and Innovation Fund of Xidian University (No. YJS2114).

## Author information

### Authors and Affiliations

### Corresponding authors

## Editor information

### Editors and Affiliations

## Appendices

### Appendix

### A Security Analysis of Range Query Scheme

To define the security of multi-client range query scheme in Sect. 5.1, we first introduce a slight modification to the security notions that by our m-ORE scheme from Sect. 4. Recall that an m-ORE scheme is secure with respect to a leakage profile \(\mathcal {L}_f(\cdot )\) if for any adversarially-chosen sequence of messages \((m_1,\cdots ,m_q)\), there is an efficient simulator \(\mathcal {S}\) that can simulate the real m-ORE ciphertext and token given the leakage \(\mathcal {L}_f(m_1,\cdots ,m_q)\).

Similar to [16], we define a leakage function \(\mathcal {L}_f(\cdot ,\cdot )\) that if there exists an efficient simulator such that for any two adversarially-chosen collections of plaintexts \((m_1,\cdots ,m_q)\) and \((m_1,\cdots ,m_k)\), the simulator can simulate the outputs of \(\textsf {m-ORE.Enc}(\cdot ,m_i)\) and \(\textsf {m-ORE.TGen}(\cdot ,m_j)\) for all \(i\in [q], j\in [k]\) given only the leakage \(\mathcal {L}_f((m_1,\cdots ,m_q),\) \((m_1,\cdots ,m_k))\). That is:

in which \(q=k\). We argue that this leakage profile is essentially the same as \(\mathcal {L}_f(m_1,\cdots ,m_q)\).

We then define the security of our range query scheme \(\varSigma \) in two different aspects, online and offline security. Online security models the information revealed to a malicious server during **Update** and **Search**, while offline security considers the situation of an adversary obtains a one-time snapshot of the encrypted database from the server which was studied by Naveed et al. [19] and Grubbs et al. [13]. First, we formalize the online security as follows:

### Theorem 3

For a database \(\mathbf{DB} _i\) containing user *i*’s data which is essentially a set of m-ORE ciphertext \((c_1,\cdots ,c_q)\) on the server and a sequence of queries \(\mathbf{q} _i\) from user *i* which is a set of m-ORE token \((t_1,\cdots ,t_k)\). Let \(\mathcal {L}_{RQ}\) be the leakage function.

We say that the range query scheme \(\varSigma \) achieves online security with respect to the leakage function \(\mathcal {L}_{RQ}\).

### Proof

The proof follows the proof of Theorem 2 except the leakage profile were substituted by \(\mathcal {L}_f((m_1,\cdots ,m_q),(m_1,\cdots ,m_k))\) which is very similar. And the simulator \(\mathcal {S}\) only needs to output the ciphertexts for \(m_i\) where \(\forall i\in [q]\) and token for \(m_j\) where \(\forall j\in [k]\).

Note that we define the leakage function \(\mathcal {L}_{RQ}\) under a condition that \(\mathbf{DB} \) and \(\mathbf{q} \) are from the same user. It is clear that the leakage will be none if these are from different users. The reason is that m-ORE.Cmp will not work in this case and \(\textsf {msdb}(m_j,m_i)=\textsf {msdb}(m_j,m_l)\) will always hold for all *i* and *j*.

The offline security of our range query scheme follows directly from the fact that the encrypted database stored on the server only contains a collection group elements from \(\mathbb {G}_1\) and were generated with random factor, which is simulatable given just the size of the collection.

### Theorem 4

The range query scheme \(\varSigma \) is offline secure.

### Proof

The proof follows the proof of Theorem 2 except the simulator \(\mathcal {S}\) only needs to simulate the ciphertext for all the messages.

## Rights and permissions

## Copyright information

© 2021 Springer Nature Switzerland AG

## About this paper

### Cite this paper

Lv, C., Wang, J., Sun, SF., Wang, Y., Qi, S., Chen, X. (2021). Efficient Multi-client Order-Revealing Encryption and Its Applications. In: Bertino, E., Shulman, H., Waidner, M. (eds) Computer Security – ESORICS 2021. ESORICS 2021. Lecture Notes in Computer Science(), vol 12973. Springer, Cham. https://doi.org/10.1007/978-3-030-88428-4_3

### Download citation

DOI: https://doi.org/10.1007/978-3-030-88428-4_3

Published:

Publisher Name: Springer, Cham

Print ISBN: 978-3-030-88427-7

Online ISBN: 978-3-030-88428-4

eBook Packages: Computer ScienceComputer Science (R0)