Reducing the Leakage in Practical Order-Revealing Encryption

We study practical order-revealing encryption (ORE) with a well-defined leakage profile (the information revealed about the plaintexts from their ciphertexts), a direction recently initiated by Chenette, Lewi, Weis, and Wu (CLWW). ORE, which allows public comparison of plaintext order via their ciphertexts, is a useful tool in the design of secure outsourced database systems. We first show a general construction of ORE with reduced leakage as compared to CLWW, by combining ideas from their scheme with a new type of“propertypreserving” hash function. We then show how to construct such a hash function efficiently based on bilinear maps. Our resulting ORE scheme is fairly practical: for n-bit plaintexts, ciphertexts consists of about 4n group elements, and order comparison requires about n pairings. The leakage is, roughly speaking, the “equality pattern” of the mostsignificant differing bits, whereas CLWW’s is the location and values of the most-significant differing bits. We also provide a generalization of our scheme that improves the leakage and/or efficiency. To analyze the quality of our leakage profile, we show several additional results. In particular, we show that orderpreserving (OPE) encryption, an important special case of ORE scheme in which ciphertexts are ordered, cannot be secure wrt. our leakage profile. This implies that our ORE scheme is the first one without multilinear maps that is proven secure wrt. a leakage profile unachievable by OPE. We also also show that our generalized scheme meets a “semantically meaningful” one-wayness notion that schemes with the leakage of CLWW do not.