Here, we show that any order preserving encryption (OPE) scheme cannot achieve parameter hiding. The intuition is that in OPE, one can take the difference of ciphertexts and use it as a proxy for the difference between plaintexts. Because we need the indistinguishability of both very small differences and very large differences, we cannot hope to fully hide the scale.
Warm-up. First, we show that OPE cannot have ideal security for even two messages, improving on [6] which required three messages, and re-proving [15]. Our proof is also much simpler, which will allow us to later extend it to the parameter-hiding setting.
Theorem 20. For any OPE scheme with message space $[0, M-1]$ and ciphertext space $[0, C-1]$, there is a two-message attack with advantage at least $\Omega(\log M / \log C)$ that runs in time $\mathrm{poly}(\log M, \log C)$.
Since logC is the bit-length of ciphertexts, this means that the bit-length must be super-polynomial in order to get a non-negligible advantage.
Proof. Our attack is as follows. First, choose two random adjacent messages $(i, i+1)$ for $i \in [0, M-2]$. Then submit the following two pairs: $(i, i+1), (0, M-1)$. In response, we receive $c_0, c_1$, which are either the encryptions of $i, i+1$, or the encryptions of $0, M-1$. For now, we will consider a non-uniform attacker, which is given some advice $L \in [0, C-1]$. The attacker simply computes $c_1 - c_0$, and outputs 1 if and only if the result is greater than $L$.
We now analyze the scheme. Let $W$ be the random variable for $c_1 - c_0$ in the case where $(i, i+1)$ are encrypted for a random $i$. Let $R_i$ be the random variable that represents $c_1 - c_0$ in the case where $i, i+1$ are encrypted for a given $i$. Let $V$ be the random variable representing $c_1 - c_0$ when $1, M$ are encrypted.
We immediately observe that $V = \sum_{i=1}^{M-1} R_i$. We also observe that
$$\mathbb{E}[\log W] = \frac{1}{M-1}\sum_{i=1}^{M-1}\mathbb{E}[\log R_i] = \mathbb{E}\Big[\frac{1}{M-1}\sum_i \log R_i\Big] \le \mathbb{E}\Big[\log\Big(\frac{1}{M-1}\sum_i R_i\Big)\Big] = \mathbb{E}[\log V] - \log(M-1),$$
where the inequality is Jensen's inequality for the concave function $\log$.
We now use the following lemma:
Lemma 21. Let $X, Y$ be two random variables in $[0,1]$ such that $\mathbb{E}[Y] - \mathbb{E}[X] \ge \delta$. Then there is a threshold $\alpha$ such that $\Pr[Y \ge \alpha] - \Pr[X \ge \alpha] \ge \delta$.
Proof. Let $P_X(t), P_Y(t)$ be the PDFs for $X, Y$, and let $C_X(t), C_Y(t)$ be the CDFs. We know that
$$\delta \le \mathbb{E}[Y] - \mathbb{E}[X] = \int_0^1 t\,(P_Y(t) - P_X(t))\,dt.$$
Using integration by parts, we see that
$$\int t\,(P_Y(t) - P_X(t))\,dt = t\,(C_Y(t) - C_X(t)) - \int (C_Y(t) - C_X(t))\,dt.$$
Since $C_X(1) = C_Y(1) = 1$, we have that
$$\delta \le \int_0^1 (C_X(t) - C_Y(t))\,dt.$$
By the mean value theorem, there is some value $\alpha$ such that $C_X(\alpha) - C_Y(\alpha) \ge \delta$. As $C_X(t) = 1 - \Pr[X \ge t]$ and $C_Y(t) = 1 - \Pr[Y \ge t]$, the lemma follows.
We now apply this lemma to the variables $\log W/\log C$ and $\log V/\log C$, which satisfy the conditions for the lemma with $\delta = \log(M-1)/\log C$. We therefore set $L = 2^{\alpha}$, and the attack succeeds with the desired probability.
We can easily turn this into a uniform attacker by estimating $L$. We simply estimate $C_X, C_Y$ offline by choosing several random keys and encrypting either a random $i, i+1$ or $1, M$, and measuring the difference of the two ciphertexts. We can obtain estimates to within $\delta$, and then we can choose the $\alpha$ that maximizes the difference $C_X(\alpha) - C_Y(\alpha)$, which will be a reasonably good threshold. This completes the proof.
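The warm-up attack and its uniform variant, simulated in Python as an added example (this is not code from the paper). The OPE under attack is a stand-in: a random order-preserving function obtained by sorting $M$ distinct random ciphertext values; the attack itself does not depend on which OPE scheme is used. The offline phase samples the two distributions $W$ (adjacent pair $i, i+1$) and $V$ (extreme pair $0, M-1$), picks the threshold $\alpha$ of Lemma 21 empirically as the value maximising $C_X(\alpha) - C_Y(\alpha)$, and the online phase measures the advantage against fresh keys. The parameters $M = 2^{10}$, $C = 2^{20}$, the trial counts and the seed are constructed values.

```python
import math
import random

# Constructed parameters: message space [0, M-1] and ciphertext space [0, C-1].
# Theorem 20 promises advantage Omega(log M / log C), i.e. Omega(10/20) here.
M = 2 ** 10
C = 2 ** 20


def ope_keygen(rng):
    """A random order-preserving function [0, M-1] -> [0, C-1]: M distinct
    ciphertext values, sorted.  This stand-in OPE is an assumption of the
    example; any OPE scheme exposes the same c1 - c0 proxy."""
    return sorted(rng.sample(range(C), M))


def ope_encrypt(key, m):
    return key[m]


def normalised_log_gap(key, m0, m1):
    """log(c1 - c0) / log C in [0, 1]: the variable Lemma 21 is applied to."""
    diff = ope_encrypt(key, m1) - ope_encrypt(key, m0)
    return math.log2(diff) / math.log2(C)


def sample_distributions(rng, trials):
    """Offline phase of the uniform attacker: sample W (adjacent pair i, i+1
    for random i) and V (the extreme pair 0, M-1), each under a fresh key."""
    w, v = [], []
    for _ in range(trials):
        key = ope_keygen(rng)
        i = rng.randrange(M - 1)
        w.append(normalised_log_gap(key, i, i + 1))
        v.append(normalised_log_gap(key, 0, M - 1))
    return w, v


def best_threshold(w, v):
    """Lemma 21 made constructive: choose alpha maximising the empirical
    Pr[V >= alpha] - Pr[W >= alpha], i.e. the lemma's C_X(alpha) - C_Y(alpha)."""
    best_alpha, best_gap = 0.0, -1.0
    for alpha in sorted(set(w) | set(v)):
        gap = (sum(x >= alpha for x in v) - sum(x >= alpha for x in w)) / len(w)
        if gap > best_gap:
            best_alpha, best_gap = alpha, gap
    return best_alpha, best_gap


def run_attack(seed=1, offline_trials=800, online_trials=800):
    """Returns the expectation gap the proof relies on, the proof's delta,
    the chosen threshold and the measured distinguishing advantage."""
    rng = random.Random(seed)
    w, v = sample_distributions(rng, offline_trials)
    alpha, _ = best_threshold(w, v)
    # Online phase: the challenger picks a fresh key and a bit b, encrypts
    # (i, i+1) if b = 0 or (0, M-1) if b = 1; the attacker outputs 1 iff the
    # normalised log-difference of the two ciphertexts reaches alpha.
    shown = [0, 0]   # challenges seen per bit
    said1 = [0, 0]   # answers "1" per bit
    for _ in range(online_trials):
        key = ope_keygen(rng)
        b = rng.randrange(2)
        if b:
            m0, m1 = 0, M - 1
        else:
            i = rng.randrange(M - 1)
            m0, m1 = i, i + 1
        shown[b] += 1
        said1[b] += normalised_log_gap(key, m0, m1) >= alpha
    advantage = said1[1] / shown[1] - said1[0] / shown[0]
    return {
        "mean_gap": sum(v) / len(v) - sum(w) / len(w),  # (E[log V] - E[log W]) / log C
        "delta": math.log2(M - 1) / math.log2(C),       # the proof's delta
        "alpha": alpha,
        "advantage": advantage,
    }


if __name__ == "__main__":
    print(run_attack())
```

The returned `mean_gap` is the quantity bounded below by $\log(M-1)/\log C$ in the proof, and `advantage` is what Theorem 20 lower-bounds by $\Omega(\log M/\log C)$; on this toy OPE the empirical advantage is close to 1 because adjacent gaps are around $C/M$ while the extreme gap is around $C$.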
The Full Impossibility. We now show how to extend the impossibility above to work for parameter-hiding ORE.
Theorem 22. Fix an OPE scheme with message space $[0, M-1]$ and ciphertext space $[0, C-1]$. Consider a distribution $D$ over $[0,1]$, and let $\gamma$ be the minimum scaling allowed for $D$. Let $D_1 = \lfloor D^{M,0}_{\mathrm{scale}} \rceil$. Suppose $D_1$ has the property that, with overwhelming probability over independent samples $x, y$ from $D_1$, we have that
$$|x - y| \ge 3\gamma.$$
Then there is a two-message attack for the $(\gamma, D)$-parameter hiding OPE with advantage at least $\Omega(\log 2 / \log C)$ that runs in time $\mathrm{poly}(\log M, \log C)$, where $\gamma$ is the minimum scaling allowed by the scheme.
We note that the conditions on $D$ are met for smooth $D$, provided $M$ is exponentially larger than $\gamma$.
Proof. The theorem is a simple extension of the attack above. Let $D_0 = \lfloor D^{\gamma,0}_{\mathrm{scale}} \rceil$ and let $D_1 = \lfloor D^{M,0}_{\mathrm{scale}} \rceil$.
Consider the following adversary: choose random $x, y$ according to $D_1$. If $x \ge y$, swap $x$ and $y$. Then choose a random $\ell \in [x, y-\gamma]$ (which will be non-empty whp by our condition on $D_1$). Let the left challenge parameters be $(\gamma, \ell)$, and the right be $(M, 0)$. Obtain the two ciphertexts, take the difference, and then compare to $L$.
Our goal, as before, is to show that an $L$ exists that distinguishes these two distributions. Let $W$ be the random variable for $c_1 - c_0$ in the case where the distribution is $(\gamma, \ell)$ for a random $\ell$ as sampled above. Let $W_{x,y}$ be the corresponding difference conditioned on sampling $x, y$. Let $W_\ell$ be the difference conditioned on a given $\ell$. Let $V$ be the random variable representing $c_1 - c_0$ when the parameters are $(M, 0)$. Let $R_i$ be the random variable that represents $c_1 - c_0$ when encrypting $i, i+1$.
In either case, two values $x, y$ are chosen according to $D_1$, and then permuted to ensure $x \le y$. For the analysis, we will actually slightly change the distribution on $x, y$ to be conditioned on $y - x \ge 3\gamma$. By our conditions on $D_1$, this negligibly affects the distribution. Let $P^{(1)}_{x,y}$ be the PDF for this distribution on pairs.
In the right case, $x$ and $y$ are encrypted; in the left case, a random $\ell$ is chosen in $[x, y-\gamma]$, then random $x', y'$ are chosen according to $D_0$ (swapped if necessary so that $x' \le y'$), and $x'+\ell, y'+\ell$ are encrypted. Given that parameter-hiding requires the min-entropy to be high, we note that $x' \ne y'$ with overwhelming probability. Therefore, we will let $P^{(0)}_{x',y'}$ be the PDF for the distribution over
tion. Under our slightly perturbed distributions, we can therefore write:
$$\mathbb{E}[\log V] = \sum_{x,y} P^{(1)}_{x,y}\,\mathbb{E}\Big[\log \sum_{i=x}^{y} R_i\Big],$$
$$\mathbb{E}[\log W] = \sum_{x,y} P^{(1)}_{x,y}\,\frac{1}{y-x-\gamma}\sum_{\ell=x}^{y-\gamma}\ \sum_{x',y'} P^{(0)}_{x',y'}\,\mathbb{E}\Big[\log \sum_{i=x'+\ell}^{y'+\ell} R_i\Big].$$
We now write the average over $\ell$ as part of the expectation, and will use the concavity of $\log$ to bring this average inside the $\log$:
$$\mathbb{E}[\log W] = \sum_{x,y} P^{(1)}_{x,y}\sum_{x',y'} P^{(0)}_{x',y'}\,\mathbb{E}\Big[\frac{1}{y-x-\gamma}\sum_{\ell=x}^{y-\gamma}\log \sum_{i=x'+\ell}^{y'+\ell} R_i\Big].$$
For the formula $\frac{1}{y-x-\gamma}\sum_{\ell=x}^{y-\gamma}\sum_{i=x'+\ell}^{y'+\ell} R_i$ (the average over $\ell$ taken inside the $\log$), we observe that $R_i$ only has weight for $i \in [x, y]$, and that for any fixed $i, x', y'$ at most $y'-x'$ copies of $R_i$ appear in the formula, which means
$$\frac{1}{y-x-\gamma}\sum_{\ell=x}^{y-\gamma}\ \sum_{i=x'+\ell}^{y'+\ell} R_i \le \frac{y'-x'}{y-x-\gamma}\sum_{i=x}^{y} R_i.$$
Therefore, by the concavity of $\log$ (Jensen's inequality applied to the average over $\ell$) and the bound above, we can bound
$$\mathbb{E}[\log W] \le \sum_{x,y} P^{(1)}_{x,y}\sum_{x',y'} P^{(0)}_{x',y'}\,\mathbb{E}\Big[\log\Big(\frac{y'-x'}{y-x-\gamma}\sum_{i=x}^{y} R_i\Big)\Big] = \mathbb{E}[\log V] - \big(\mathbb{E}[\log(y-x-\gamma)] - \mathbb{E}[\log(y'-x')]\big).$$
Moreover, the condition that $y - x$ is almost always greater than $3\gamma$ means that $\mathbb{E}[\log(y-x-\gamma)] \ge \log 2\gamma$. Similarly, we always have that $y' - x' \le \gamma$, so $\mathbb{E}[\log(y'-x')] \le \log\gamma$. Thus,
$$\mathbb{E}[\log W] \le \mathbb{E}[\log V] - \log 2.$$
The rest of the proof is essentially identical to the proof of Theorem 20: under our perturbed distribution, $\log W/\log C$ and $\log V/\log C$ are two variables on $[0,1]$ whose expectations differ by at least $\log 2/\log C$. Therefore, we can choose a threshold $L$ to distinguish these two. Since the true distributions of $W, V$ are statistically close to the perturbed versions, $L$ distinguishes these as well.
C Further reducing leakage
We now give a generalized construction that results in strictly less leakage, and for some parameter settings, a more efficient comparison algorithm and shorter ciphertexts. At a high level, we modify our main constructions to work with blocks of d bits rather than bit-by-bit, and design a generalized type of PPH for our construction. We note that curiously when d = 2, the efficiency also improves.
C.1 Generalized ORE
Fix a security parameter $\lambda \in \mathbb{N}$ and let $F : \mathcal{K} \times ([n] \times \{0,1\}^n) \to \{0,1\}^\lambda$ be a secure PRF. Let $P_d(x_1, x_2) = 1$ iff $x_1 \in \{x_2+1, \ldots, x_2+2^d-1\}$, and let $\Gamma = (K_h, H, T)$ be a generalized PPH scheme with respect to the predicate $P_d$ (a construction from SXDH is given in the following section).
We define our ORE scheme $\Pi = (K, E, C)$ as follows:
– $K(1^\lambda)$: on input the security parameter $\lambda$, the algorithm picks a uniform key $k \in \mathcal{K}$ for the PRF $F$ and runs the Setup algorithm of the generalized PPH, $\Gamma.K_h$, to obtain the hash and test keys $(hk, tk)$. It sets the comparison key $ck = tk$ and the secret key $sk = (k, hk)$.
– $E(sk, m)$: on input a secret key $sk$ and a message $m \in \{0,1\}^n$, encryption parses $m$ as $m = b_1 \| \ldots \| b_{n/d}$ (later we denote $\ell = n/d$), where $b_i \in \{0,1\}^d$. Then it computes
$$u_i = F\big(k, (i,\ b_1 b_2 \cdots b_{(i-1)d} \| 0^{n-(i-1)d})\big) + b_i, \qquad t_i = \Gamma.H(hk, u_i).$$
(Here we abuse the notation $b_i$ as an integer value according to its binary representation.) Then it chooses a random permutation $\pi : [\ell] \to [\ell]$, and sets $v_i = t_{\pi(i)}$. The algorithm outputs $CT = (v_1, \ldots, v_\ell)$.
– $C(ck, CT_1, CT_2)$: on input the comparison key $ck$ and two ciphertexts $CT_1, CT_2$ where
$$CT_1 = (v_1, \ldots, v_\ell); \qquad CT_2 = (v'_1, \ldots, v'_\ell),$$
the algorithm runs the test algorithm $\Gamma.T(tk, v_i, v'_j)$ and $\Gamma.T(tk, v'_i, v_j)$ for every $i, j \in [\ell]$. If there exists a pair $(i^*, j^*)$ such that $\Gamma.T(tk, v_{i^*}, v'_{j^*}) = 1$, then the algorithm outputs 1, meaning $m_1 > m_2$; else if there exists a pair $(i^*, j^*)$ such that $\Gamma.T(tk, v'_{i^*}, v_{j^*}) = 1$, then the algorithm outputs 0, meaning $m_1 < m_2$; otherwise it outputs $\bot$, meaning $m_1 = m_2$.
Correctness of the generalized ORE. For two messages $m_1, m_2$, let $(b_1, \ldots, b_\ell)$ and $(b'_1, \ldots, b'_\ell)$ be their $d$-bit block representations. We know that if $m_1 > m_2$, then there must exist a unique index $i^* \in [\ell]$ such that the prefixes of their $d$-bit block representations up to $i^*$, say $u = (b_1, \ldots, b_{i^*})$, $u' = (b'_1, \ldots, b'_{i^*})$, satisfy the following relation: $u = u' + i$, $i = 1, \ldots, 2^d$. By the correctness of the generalized PPH, we know that, with overwhelming probability:
$$\Gamma.T(\Gamma.H(hk, u), \Gamma.H(hk, u')) = 1.$$
We can use the same argument for the case $m_1 < m_2$.
For the case $m_1 = m_2$, we know that all prefixes of the two messages are identical. For this case, the Test of $\Gamma$ outputs $\bot$ (for all possible pairs) with overwhelming probability. This proves the correctness of our ORE scheme.
Leakage profile. Next, we present the leakage profile. For two messages $m_1, m_2$, denote by $\mathrm{msddb}(m_1, m_2)$ their most significant differing $d$-bit block. More precisely,
$$\mathrm{msddb}(m_1, m_2) = \min\,\big(\{i : b_i \ne b'_i\} \cup \{n/d + 1\}\big).$$
The leakage profile takes as input a vector of messages $\mathbf{m} = (m_1, \ldots, m_n)$ and produces the following:
$$L^*_f(m_1, \ldots, m_t) := \Big(\mathbb{1}(m_i < m_j),\ \mathbb{1}\big(\mathrm{msddb}(m_i, m_j) = \mathrm{msddb}(m_i, m_k)\big)\ \text{ for } 1 \le i, j, k \le q\Big).$$
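The block structure, the shuffle and the comparison logic of $\Pi$, together with the msddb component of $L^*_f$, in Python as an added example (this is not the paper's code). The PPH here is a toy with the same interface as $\Gamma_d$: bare HMAC tags replace the blinded group elements of Section C.2, so it reproduces the correctness behaviour of the construction but has none of the PPH's security (in particular it leaks equality of hashed inputs). HMAC-SHA256 stands in for $F$; $n = 16$, $d = 4$, $\lambda = 128$ and the sample messages are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed parameters: n-bit messages, d-bit blocks, ell = n/d blocks,
# lambda-bit PRF outputs (block values are added to them as integers mod 2^lambda).
N_BITS, D_BITS, LAMBDA = 16, 4, 128
ELL = N_BITS // D_BITS
MOD = 1 << LAMBDA


def prf(k, i, prefix_bits):
    """F(k, (i, prefix)) as an integer; HMAC-SHA256 stands in for the PRF."""
    msg = i.to_bytes(2, "big") + prefix_bits.encode()
    return int.from_bytes(hmac.new(k, msg, hashlib.sha256).digest()[: LAMBDA // 8], "big")


def pph_hash(hk, x, rng=None):
    """Toy generalised PPH for P_d(x1, x2) = [x1 in {x2+1, ..., x2+2^d-1}]: a tag
    for x plus shuffled tags for x+1, ..., x+2^d-1.  Bare keyed hashes replace
    the blinded group elements of Section C.2, so this leaks input equality and
    only models the interface and the correctness argument."""
    def tag(v):
        return hmac.new(hk, (v % MOD).to_bytes(LAMBDA // 8, "big"), hashlib.sha256).digest()[:16]
    probes = [tag(x + j) for j in range(1, 1 << D_BITS)]
    (rng or secrets.SystemRandom()).shuffle(probes)   # the permutation pi of H^d
    return tag(x), frozenset(probes)


def pph_test(tk, h1, h2):
    """T^d: does h1's own tag appear among h2's probes, i.e. is P_d(x1, x2) = 1?"""
    return h1[0] in h2[1]            # tk is unused: the toy PPH needs no test key


def ore_keygen():
    """K: PRF key k and hash key hk; ck = tk is None for the toy PPH."""
    return {"k": secrets.token_bytes(32), "hk": secrets.token_bytes(32)}, None


def blocks(m):
    """d-bit blocks b_1 .. b_ell of an n-bit message, most significant first."""
    bits = format(m, f"0{N_BITS}b")
    return [int(bits[i * D_BITS:(i + 1) * D_BITS], 2) for i in range(ELL)]


def ore_encrypt(sk, m, rng=None):
    """E(sk, m): u_i = F(k, (i, prefix || 0^...)) + b_i, t_i = H(hk, u_i), then shuffle."""
    rng = rng or secrets.SystemRandom()
    bits, bs, tags = format(m, f"0{N_BITS}b"), blocks(m), []
    for i in range(1, ELL + 1):
        prefix = bits[: (i - 1) * D_BITS].ljust(N_BITS, "0")   # b_1..b_{(i-1)d} || 0^{n-(i-1)d}
        u_i = (prf(sk["k"], i, prefix) + bs[i - 1]) % MOD
        tags.append(pph_hash(sk["hk"], u_i, rng))
    rng.shuffle(tags)                                           # v_i = t_{pi(i)}
    return tags


def ore_compare(ck, ct1, ct2):
    """C(ck, CT1, CT2): (1, i*) if m1 > m2, (0, i*) if m1 < m2, (None, None) if
    equal; i* is the position in ct1 whose block hash fired."""
    for i, v in enumerate(ct1):
        for w in ct2:
            if pph_test(ck, v, w):
                return 1, i
    for i, v in enumerate(ct1):
        for w in ct2:
            if pph_test(ck, w, v):
                return 0, i
    return None, None


def msddb(m1, m2):
    """Most significant differing d-bit block (1-based), n/d + 1 if m1 = m2."""
    b1, b2 = blocks(m1), blocks(m2)
    return next((i + 1 for i in range(ELL) if b1[i] != b2[i]), ELL + 1)


def same_msddb_leaked(ck, ct1, ct2, ct3):
    """The second component of L*_f, read off the ciphertexts alone: ct2 and
    ct3 first differ from ct1 at the same block iff the same position of ct1 fires."""
    return ore_compare(ck, ct1, ct2)[1] == ore_compare(ck, ct1, ct3)[1]


if __name__ == "__main__":
    sk, ck = ore_keygen()
    a, b, c = (ore_encrypt(sk, m) for m in (0xBEEF, 0xBEAD, 0xB000))
    print(ore_compare(ck, a, b)[0], msddb(0xBEEF, 0xBEAD), same_msddb_leaked(ck, a, b, c))
```

`same_msddb_leaked` shows why the permutation $\pi$ does not remove the second component of $L^*_f$: it hides which block index fired, but the same position of $CT_1$ fires for every other ciphertext whose message first differs from $m_1$ at that block, so equality of msddb values is visible to anyone holding $ck$.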
Theorem 23. The generalized ORE scheme $\Pi$ is $L^*_f$-non-adaptively-simulation secure, assuming $F$ is a secure PRF and $\Gamma$ is augmented-restricted-chosen-input secure.
The proof of this theorem differs little from that of Theorem 14, and we skip it here.
C.2 Generalized PPH
In this section, we present a PPH for a family of predicates $P_d$, $d \ge 1$, that generalizes the predicate $P$ above as follows. We let $P_d(x, y) = 1$ if $x \in \{y+1, \ldots, y+2^d-1\}$ and 0 otherwise.
Construction. As before, we use a PRF $F : \{0,1\}^\lambda \times \{0,1\}^\lambda \to \{0,1\}^\lambda$, and we will sometimes view the output of $F$ as the binary representation of a $\lambda$-bit integer. We now describe our PPH $\Gamma_d = (K^d_h, H^d, T^d)$ for the generalized predicate $P_d$, where $d \ge 1$ is a parameter to be adjusted.
– $K^d_h(1^\lambda)$. This algorithm is identical to $K_h$ given in $\Gamma$.
– $H^d(hk, x)$. This algorithm takes as input the hash key $hk$ and an input $x$. For $i = 0, \ldots, 2^d-1$ it picks random $r_i \leftarrow \mathbb{Z}_p$, then it samples a random permutation $\pi$ on $[2^d]$, and then it computes
$$(A, B) = \big(g^{r_0},\ g^{r_0 \cdot F(K, x)}\big) \in \mathbb{G} \times \mathbb{G}.$$
Then, for $i = 1, \ldots, T$ it computes
$$(X_i, Y_i) = \big(\hat{g}^{r_i},\ \hat{g}^{r_i \cdot F(K, x + \pi(i))}\big) \in \hat{\mathbb{G}} \times \hat{\mathbb{G}}.$$
It outputs $(A_0, B_0, X_1, Y_1, \ldots, X_{2^d-1}, Y_{2^d-1})$.
– $T^d(tk, h_1, h_2)$. The test algorithm parses each $h_j$ as $(A^j, B^j, X^j_1, Y^j_1, \ldots, X^j_{2^d-1}, Y^j_{2^d-1})$. Then it tests if there exists an $i \in \{1, \ldots, 2^d-1\}$ such that
$$e(A^1, Y^2_i) = e(B^1, X^2_i).$$
Game $\mathrm{IND}^{\mathrm{pph\text{-}aug}}_{\Gamma,P}(\mathcal{A})$:
  $(hk, tk) \xleftarrow{\$} K_h(1^\lambda)$; $x^*, y^* \xleftarrow{\$} D$
  $(x_1, y_1), \ldots, (x_s, y_s) \xleftarrow{\$} \{(x, y) : \forall i, j \in [s],\ P(x^*, x_i) = P(y^*, y_i) = 1;\ P(x_i, x_j) = P(y_i, y_j)\}$
  $h_0 = (H(hk, x^*), H(hk, x_1), \ldots, H(hk, x_s))$; $h_1 = (H(hk, y^*), H(hk, y_1), \ldots, H(hk, y_s))$
  $b' \xleftarrow{\$} \mathcal{A}^{\mathrm{Hash}}(tk, x^*, y^*, x_1, \ldots, x_s, y_1, \ldots, y_s, h_b)$
  Return $(b \stackrel{?}{=} b')$
Hash($x$): If $\exists z \in \{x^*, y^*, x_1, \ldots, x_s, y_1, \ldots, y_s\}$ with $P(z, x) = 1$ or $P(x, z) = 1$, then $h \leftarrow \bot$; else $h \xleftarrow{\$} H(hk, x)$. Return $h$.
Fig. 7: Game $\mathrm{IND}^{\mathrm{pph\text{-}aug}}_{\Gamma,P}(\mathcal{A})$.
The domain $D$ is $\{0,1\}^\lambda$ and the range $R$ is $\mathbb{G}^2 \times \hat{\mathbb{G}}^{2^{d+1}-2}$.
Correctness. It is easy to show that Γd is computationally correct for the predicatePd, via the same methods as withΓ, assuming that F is a PRF.
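The correctness check that the paragraph above leaves to the reader, worked through here as an added derivation (not part of the original appendix), in the symbols of the construction; superscripts $1, 2$ mark which hash an element comes from, and $\pi_2$ denotes the permutation sampled while hashing $x_2$:
$$e(A^1, Y^2_i) = e\big(g^{r^1_0},\ \hat g^{\,r^2_i \cdot F(K, x_2 + \pi_2(i))}\big) = e(g, \hat g)^{\,r^1_0\, r^2_i\, F(K, x_2 + \pi_2(i))},$$
$$e(B^1, X^2_i) = e\big(g^{r^1_0 \cdot F(K, x_1)},\ \hat g^{\,r^2_i}\big) = e(g, \hat g)^{\,r^1_0\, r^2_i\, F(K, x_1)}.$$
Since $r^1_0, r^2_i \ne 0$ except with probability $1/p$ each, the two pairings agree exactly when $F(K, x_1) = F(K, x_2 + \pi_2(i))$. If $P_d(x_1, x_2) = 1$, then $x_1 = x_2 + j$ for some $j \in \{1, \ldots, 2^d-1\}$, and the index $i = \pi_2^{-1}(j)$ makes the test succeed. If $P_d(x_1, x_2) = 0$, every $x_2 + \pi_2(i)$ differs from $x_1$, so the test succeeds only if $F(K, \cdot)$ collides on two distinct inputs, which for a PRF happens with negligible probability (a random function collides on a fixed pair with probability $2^{-\lambda}$, and there are $2^d - 1$ such pairs). Each test evaluates at most $2(2^d-1)$ pairings, two per candidate $i$, which is the cost that Section C.3 trades against ciphertext size.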
Security. Our ORE construction will require a slightly stronger version of PPH security, illustrated in Figure 7. We call this version of PPH security augmented-restricted-chosen-input security, and define the advantage of an adversary $\mathcal{A}$ against a PPH scheme $\Gamma$ via
$$\mathrm{Adv}^{\mathrm{pph\text{-}aug}}_{\Gamma,P,\mathcal{A}}(\lambda) = 2\Pr\big[\mathrm{IND}^{\mathrm{pph\text{-}aug}}_{\Gamma,P}(\mathcal{A}) = 1\big] - 1.$$
We say that $\Gamma$ is augmented-restricted-chosen-input secure if for all efficient adversaries $\mathcal{A}$, $\mathrm{Adv}^{\mathrm{pph\text{-}aug}}_{\Gamma,P,\mathcal{A}}(\lambda)$ is negligible.
Theorem 24. For each $d \ge 1$, our PPH $\Gamma_d$ is augmented-restricted-chosen-input secure, assuming $F$ is a PRF and the SXDH assumption holds with respect to the appropriate groups and pairing.
The proof of this theorem is very similar to that of Theorem 17, despite the augmented security definition. It follows via standard game transitions using the SXDH assumption.
C.3 Efficiency for small $d$
For generalized ORE, when $d$ is small, $d = 2, 3$ for instance, the efficiency (ciphertext size and pairing operations in each single comparison) is better than that of basic ORE. We measure the ciphertext size by the number of group elements, and calculate the average number of pairing operations needed in a comparison. When $d = 2$, the construction is strictly better than the basic construction, and $d = 3$ has some trade-off in ciphertext size and pairing operations with basic ORE.