Practical OrderRevealing Encryption with Limited Leakage Nathan Chenette
- Slides: 38
Practical Order-Revealing Encryption with Limited Leakage Nathan Chenette, Kevin Lewi, Stephen A. Weis, and David J. Wu Fast Software Encryption March, 2016
Order-Revealing Encryption [BRLSZZ 15] Client Server secret-key encryption scheme
Order-Revealing Encryption [BRLSZZ 15] Server Application: range queries / binary search on encrypted data
Order-Revealing Encryption [BRLSZZ 15] given any two ciphertexts there is a publically evaluatable function that evaluates the comparison function
Defining Security Starting point: semantic security (IND-CPA) [GM 84] challenger adversary
Best-Possible Security [BCLO 09] must impose restriction on messages: otherwise trivial to break semantic security using comparison operator
Best-Possible Security [BCLO 09]
Best-Possible Security [BCLO 09] order of “left” set of messages same as order of “right” set of messages
Existing Approaches
Existing Approaches Multilinear-map-based Solution [BRLSZZ 15] • • Much more efficient than general purpose indistinguishability obfuscation Achieves best-possible security Security of multilinear maps not well-understood Still quite inefficient (e. g. , ciphertexts on the order of GB)
Existing Approaches
Existing Approaches Order-preserving encryption (OPE) [BCLO 09, BCO 11]: • No “best-possible” security, so instead, compare with random order-preserving function (ROPF) encryption function implements a random order-preserving function domain range
Existing Approaches Properties of a random order-preserving function [BCO’ 11]: • • Each ciphertext roughly leaks half of the most significant bits Each pair of ciphertexts roughly leaks half of the most significant bits of their difference No semantic security for even a single message!
Existing Approaches Efficiency OPE Not drawn to scale Something in between? Direct construction from multilinear maps Security General-purpose MIFE from i. O
A New Security Notion Two existing security notions: • • IND-OCPA: strong security, but hard to achieve efficiently ROPF-CCA: efficiently constructible, but lots of leakage, and difficult to precisely quantify the leakage
A New Security Notion: SIM-ORE ? ? ? Real World Ideal World
A New Security Notion: SIM-ORE
A New Security Notion: SIM-ORE
Our Construction 1 0 0 1 1 0 0 0 1 1
Our Construction 1 0 0 1
Our Construction 1 0 0 1 0 empty prefix 1
Our Construction 1 0 0 1 0 1
Our Construction 1 0 0 1 0 1
Our Construction 1 0 0 1 first block that differs 1 0 same prefix = same ciphertext block 1 0 0 different prefix = value computationally hidden 0 1 1
Our Construction: Efficiency 1 0 0 1
Our Construction: Security 1 0 0 1 Security follows directly from security of the PRF Proof sketch. Simulator responds to encryption queries using random strings. Maintains consistency using leakage information (first bit that differs).
OPE Conversion In database applications, OPE preferred over ORE since it does not require changes to the DBMS (e. g. , supporting custom comparator) 1 0 0 1 1 0 0 0 1 1
OPE Conversion 1 0 0 1
OPE Conversion 1 0 0 1 Note: unlike most existing OPE schemes, this OPE scheme is not a ROPF, and does not suffer from many of the security limitations of ROPFs
Comparison to Previous OPE Schemes
Comparison to Previous OPE Schemes Window one-wayness: message space guess interval ciphertext space Much weaker than semantic security!
Comparison to Previous OPE Schemes
Comparison to Previous OPE Schemes
Composing OPE with ORE Possible to compose OPE with ORE to achieve more secure OPE scheme: Resulting construction strictly stronger than inner OPE scheme, but may not be more secure than directly applying ORE to plaintext
The Landscape of OPE/ORE Efficiency OPE Not drawn to scale Our construction Direct construction from multilinear maps Security General-purpose MIFE from i. O
Directions for Future Research Efficiency OPE Not drawn to scale Shorter ciphertexts? Our construction Best-possible ORE from standard assumptions? New leakage functions? Direct construction from multilinear maps Security General-purpose MIFE from i. O
Sample Implementation: https: //github. com/kevinlewi/fastore Project Website: https: //crypto. stanford. edu/ore/
Questions? http: //eprint. iacr. org/2015/1125
- Applications for homomorphic encryption
- Perfusion limited vs diffusion limited
- Microshock and macroshock
- Physiological effect of electricity
- Leakage point
- The air leakage rate for a combination vehicle
- Leakage current and temperature relationship
- What are the leakages of multiplier
- Nfpa 99 leakage current limits
- Define revenue leakage
- Smacna duct leakage calculator
- Spectral leakage
- Analogy between electric and magnetic circuit
- Gate induced drain leakage
- Spectral leakage
- Definition of elcb
- Symptoms of preterm labor
- Megger dcm 305e
- Claims leakage technology
- Cable signal leakage causes
- Touch current vs leakage current
- Iec 60601 leakage current limits
- Pericatheter leakage
- Synchronous dynamic pass transistor circuits
- Subthreshold leakage current
- What are the maximum leakage rates for air brakes
- Gate-induced drain leakage
- Mutualism in the tropical rainforest
- L512 pill
- Nathan conroy
- Dr wegner nathan
- Nathan seiberg
- Alan nathan baseball
- Nathan tinning
- Nathan matza
- Nathan baugh
- Edward f. norbeck
- Glenn nathan
- Nathan edwards georgetown